openbsd: update relayd and httpd configuration files

* httpd: use proper server names
* httpd: add example of a very basic static website along with Pleroma
* httpd: let Pleroma serve robots.txt
* relayd: add example of forwarding to a basic httpd website
* relayd: remove appended response headers (most of them already served
  by Pleroma anyway)
* relayd: add comments about hosting Pleroma on subdomains
* relayd: reject request that don't belong to any forward
* relayd: add example of hosting media uploads on subdomain
* relayd: change forward timeout check to something sane that actually
  works

installation/openbsd/httpd.conf

@@ -4,8 +4,9 @@
 # 1. Place file in /etc
 # 2. Replace <IPv4 address> with your public IP address
 # 3. If using IPv6, uncomment IPv6 lines and replace <IPv6 address> with your public IPv6 address
-# 4. Check file using 'doas httpd -n'
-# 5. Enable and start httpd:
+# 4. Replace all occurences of example.tld with your instance's domain name.
+# 5. Check file using 'doas httpd -n'
+# 6. Enable and start httpd:
 #      # doas rcctl enable httpd
 #      # doas rcctl start httpd
 #
@@ -13,7 +14,7 @@
 ext_inet="<IPv4 address>"
 #ext_inet6="<IPv6 address>"
 
-server "default" {
+server "example.tld" {
     listen on $ext_inet port 80 # Comment to disable listening on IPv4
 #    listen on $ext_inet6 port 80 # Comment to disable listening on IPv6
     listen on 127.0.0.1 port 80 # Do NOT comment this line
@@ -26,10 +27,18 @@ server "default" {
         request strip 2
     }
 
-    location "/robots.txt" { root "/htdocs/local/" }
     location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }
 }
 
+# Example of serving a basic static website besides Pleroma using the example configuration in relayd
+#server "site.example.tld" {
+#    listen on 127.0.0.1 port 8080
+#
+#    location "/*" {
+#        root "/website"
+#    }
+#}
+
 types {
     include "/usr/share/misc/mime.types"
 }

installation/openbsd/relayd.conf

@@ -4,8 +4,9 @@
 # 1. Place in /etc
 # 2. Replace <ipaddr> with your public IPv4 address
 # 3. If using IPv6i, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
-# 4. Check file using 'doas relayd -n'
-# 5. Reload/start relayd
+# 4. Replace all occurrences of example.tld with your instance's domain
+# 5. Check file using 'doas relayd -n'
+# 6. Reload/start relayd
 #      # doas rcctl enable relayd
 #      # doas rcctl start relayd
 #
@@ -14,31 +15,54 @@ ext_inet="<ipaddr>"
 #ext_inet6="<ip6addr>"
 
 table <pleroma_server> { 127.0.0.1 }
-table <httpd_server> { 127.0.0.1 }
 
-http protocol plerup { # Protocol for upstream pleroma server
+# Uncomment next line when you want to serve other services than Pleroma.
+# In this example tables are used only as way to differentiate between Pleroma and other services.
+# Feel free to rename "httpd_server" everywhere to fit your setup.
+#table <httpd_server> { 127.0.0.1 }
+
+http protocol pleroma { # Protocol for upstream Pleroma server
     #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit
-    tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA0-POLY1305"
-    tls ecdhe secp384r1
+    tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
+    tls ecdhe "X25519,P-256,P-384,secp521r1" # relayd default+secp521r1
 
-    # Forward some paths to the local server (as pleroma won't respond to them as you might want)
-    pass request quick path "/robots.txt" forward to <httpd_server>
+    return error
 
-    # Append a bunch of headers
-    match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictl required by pleroma but adding them won't hurt
-    match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
+    # When serving multiple services with different certificates, specify multiple "tls keypair" keywords
+    # and add forwards to those services before the block keyword near the bottom of the protocol and relay configurations.
+    # The string in quotes must match the fullchain certificate file create by acme-client.
+    # For example:
+    # tls keypair "pleroma.example.tld"
+    # tls keypair "example.tld"
+    tls keypair "example.tld"
 
+    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
     match request header append "Connection" value "upgrade"
 
+    # When hosting Pleroma on a subdomain, replace example.tld accordingly (not the base domain).
+    # From the above example, "example.tld" should be replaced with "pleroma.example.tld" instead.
+    pass request quick header "Host" value "example.tld" forward to <pleroma_server>
+
+    # Uncomment when serving media uploads on a different (sub)domain.
+    # Keep media proxy disabled, as it will NOT work under relayd/httpd. If you want to also setup media proxy, use nginx instead.
+    #pass request quick header "Host" value "media.example.tld" forward to <pleroma_server>
+
+    # When serving multiple services, add the forwards here.
+    # Example:
+    #pass request quick header "Host" value "example.tld" forward to <httpd_server>
+
+    block
 }
 
 relay wwwtls {
     listen on $ext_inet port https tls # Comment to disable listening on IPv4
-#    listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
+    #listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
 
-    protocol plerup
+    protocol pleroma
 
-    forward to <pleroma_server> port 4000 check http "/" code 200
-    forward to <httpd_server> port 80 check http "/robots.txt" code 200
+    forward to <pleroma_server> port 4000 check tcp timeout 500 # Adjust timeout accordingly when relayd returns 502 while Pleroma is running without problems.
+
+    # When serving multiple services, add the forwards here.
+    # Example:
+    #forward to <httpd_server> port 8080
 }
-