diff --git a/installation/openbsd/httpd.conf b/installation/openbsd/httpd.conf index 82f4803fd..912a541af 100644 --- a/installation/openbsd/httpd.conf +++ b/installation/openbsd/httpd.conf @@ -4,8 +4,9 @@ # 1. Place file in /etc # 2. Replace with your public IP address # 3. If using IPv6, uncomment IPv6 lines and replace with your public IPv6 address -# 4. Check file using 'doas httpd -n' -# 5. Enable and start httpd: +# 4. Replace all occurences of example.tld with your instance's domain name. +# 5. Check file using 'doas httpd -n' +# 6. Enable and start httpd: # # doas rcctl enable httpd # # doas rcctl start httpd # @@ -13,7 +14,7 @@ ext_inet="" #ext_inet6="" -server "default" { +server "example.tld" { listen on $ext_inet port 80 # Comment to disable listening on IPv4 # listen on $ext_inet6 port 80 # Comment to disable listening on IPv6 listen on 127.0.0.1 port 80 # Do NOT comment this line @@ -26,10 +27,18 @@ server "default" { request strip 2 } - location "/robots.txt" { root "/htdocs/local/" } location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" } } +# Example of serving a basic static website besides Pleroma using the example configuration in relayd +#server "site.example.tld" { +# listen on 127.0.0.1 port 8080 +# +# location "/*" { +# root "/website" +# } +#} + types { include "/usr/share/misc/mime.types" } diff --git a/installation/openbsd/relayd.conf b/installation/openbsd/relayd.conf index 31c2c1129..816de6de7 100644 --- a/installation/openbsd/relayd.conf +++ b/installation/openbsd/relayd.conf @@ -4,8 +4,9 @@ # 1. Place in /etc # 2. Replace with your public IPv4 address # 3. If using IPv6i, uncomment IPv6 lines and replace with your public IPv6 address -# 4. Check file using 'doas relayd -n' -# 5. Reload/start relayd +# 4. Replace all occurrences of example.tld with your instance's domain +# 5. Check file using 'doas relayd -n' +# 6. Reload/start relayd # # doas rcctl enable relayd # # doas rcctl start relayd # @@ -14,31 +15,54 @@ ext_inet="" #ext_inet6="" table { 127.0.0.1 } -table { 127.0.0.1 } -http protocol plerup { # Protocol for upstream pleroma server +# Uncomment next line when you want to serve other services than Pleroma. +# In this example tables are used only as way to differentiate between Pleroma and other services. +# Feel free to rename "httpd_server" everywhere to fit your setup. +#table { 127.0.0.1 } + +http protocol pleroma { # Protocol for upstream Pleroma server #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit - tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA0-POLY1305" - tls ecdhe secp384r1 + tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" + tls ecdhe "X25519,P-256,P-384,secp521r1" # relayd default+secp521r1 - # Forward some paths to the local server (as pleroma won't respond to them as you might want) - pass request quick path "/robots.txt" forward to + return error - # Append a bunch of headers - match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictl required by pleroma but adding them won't hurt - match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" + # When serving multiple services with different certificates, specify multiple "tls keypair" keywords + # and add forwards to those services before the block keyword near the bottom of the protocol and relay configurations. + # The string in quotes must match the fullchain certificate file create by acme-client. + # For example: + # tls keypair "pleroma.example.tld" + # tls keypair "example.tld" + tls keypair "example.tld" + match request header append "X-Forwarded-For" value "$REMOTE_ADDR" match request header append "Connection" value "upgrade" + # When hosting Pleroma on a subdomain, replace example.tld accordingly (not the base domain). + # From the above example, "example.tld" should be replaced with "pleroma.example.tld" instead. + pass request quick header "Host" value "example.tld" forward to + + # Uncomment when serving media uploads on a different (sub)domain. + # Keep media proxy disabled, as it will NOT work under relayd/httpd. If you want to also setup media proxy, use nginx instead. + #pass request quick header "Host" value "media.example.tld" forward to + + # When serving multiple services, add the forwards here. + # Example: + #pass request quick header "Host" value "example.tld" forward to + + block } relay wwwtls { listen on $ext_inet port https tls # Comment to disable listening on IPv4 -# listen on $ext_inet6 port https tls # Comment to disable listening on IPv6 + #listen on $ext_inet6 port https tls # Comment to disable listening on IPv6 - protocol plerup + protocol pleroma - forward to port 4000 check http "/" code 200 - forward to port 80 check http "/robots.txt" code 200 + forward to port 4000 check tcp timeout 500 # Adjust timeout accordingly when relayd returns 502 while Pleroma is running without problems. + + # When serving multiple services, add the forwards here. + # Example: + #forward to port 8080 } -