openbsd: update relayd and httpd configuration files
* httpd: use proper server names * httpd: add example of a very basic static website along with Pleroma * httpd: let Pleroma serve robots.txt * relayd: add example of forwarding to a basic httpd website * relayd: remove appended response headers (most of them already served by Pleroma anyway) * relayd: add comments about hosting Pleroma on subdomains * relayd: reject request that don't belong to any forward * relayd: add example of hosting media uploads on subdomain * relayd: change forward timeout check to something sane that actually works
This commit is contained in:
Phantasm
parent
71c60aa9fe
commit
3dc2655f59
2 changed files with 53 additions and 20 deletions
|
|
@ -4,8 +4,9 @@
|
|||
# 1. Place in /etc
|
||||
# 2. Replace <ipaddr> with your public IPv4 address
|
||||
# 3. If using IPv6i, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
|
||||
# 4. Check file using 'doas relayd -n'
|
||||
# 5. Reload/start relayd
|
||||
# 4. Replace all occurrences of example.tld with your instance's domain
|
||||
# 5. Check file using 'doas relayd -n'
|
||||
# 6. Reload/start relayd
|
||||
# # doas rcctl enable relayd
|
||||
# # doas rcctl start relayd
|
||||
#
|
||||
|
|
@ -14,31 +15,54 @@ ext_inet="<ipaddr>"
|
|||
#ext_inet6="<ip6addr>"
|
||||
|
||||
table <pleroma_server> { 127.0.0.1 }
|
||||
table <httpd_server> { 127.0.0.1 }
|
||||
|
||||
http protocol plerup { # Protocol for upstream pleroma server
|
||||
# Uncomment next line when you want to serve other services than Pleroma.
|
||||
# In this example tables are used only as way to differentiate between Pleroma and other services.
|
||||
# Feel free to rename "httpd_server" everywhere to fit your setup.
|
||||
#table <httpd_server> { 127.0.0.1 }
|
||||
|
||||
http protocol pleroma { # Protocol for upstream Pleroma server
|
||||
#tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit
|
||||
tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA0-POLY1305"
|
||||
tls ecdhe secp384r1
|
||||
tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
|
||||
tls ecdhe "X25519,P-256,P-384,secp521r1" # relayd default+secp521r1
|
||||
|
||||
# Forward some paths to the local server (as pleroma won't respond to them as you might want)
|
||||
pass request quick path "/robots.txt" forward to <httpd_server>
|
||||
return error
|
||||
|
||||
# Append a bunch of headers
|
||||
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictl required by pleroma but adding them won't hurt
|
||||
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
|
||||
# When serving multiple services with different certificates, specify multiple "tls keypair" keywords
|
||||
# and add forwards to those services before the block keyword near the bottom of the protocol and relay configurations.
|
||||
# The string in quotes must match the fullchain certificate file create by acme-client.
|
||||
# For example:
|
||||
# tls keypair "pleroma.example.tld"
|
||||
# tls keypair "example.tld"
|
||||
tls keypair "example.tld"
|
||||
|
||||
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
|
||||
match request header append "Connection" value "upgrade"
|
||||
|
||||
# When hosting Pleroma on a subdomain, replace example.tld accordingly (not the base domain).
|
||||
# From the above example, "example.tld" should be replaced with "pleroma.example.tld" instead.
|
||||
pass request quick header "Host" value "example.tld" forward to <pleroma_server>
|
||||
|
||||
# Uncomment when serving media uploads on a different (sub)domain.
|
||||
# Keep media proxy disabled, as it will NOT work under relayd/httpd. If you want to also setup media proxy, use nginx instead.
|
||||
#pass request quick header "Host" value "media.example.tld" forward to <pleroma_server>
|
||||
|
||||
# When serving multiple services, add the forwards here.
|
||||
# Example:
|
||||
#pass request quick header "Host" value "example.tld" forward to <httpd_server>
|
||||
|
||||
block
|
||||
}
|
||||
|
||||
relay wwwtls {
|
||||
listen on $ext_inet port https tls # Comment to disable listening on IPv4
|
||||
# listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
|
||||
#listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
|
||||
|
||||
protocol plerup
|
||||
protocol pleroma
|
||||
|
||||
forward to <pleroma_server> port 4000 check http "/" code 200
|
||||
forward to <httpd_server> port 80 check http "/robots.txt" code 200
|
||||
forward to <pleroma_server> port 4000 check tcp timeout 500 # Adjust timeout accordingly when relayd returns 502 while Pleroma is running without problems.
|
||||
|
||||
# When serving multiple services, add the forwards here.
|
||||
# Example:
|
||||
#forward to <httpd_server> port 8080
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue