Added an openbsd article and simplified all useless relref

2021-03-23 21:33:26 +01:00 · 2021-03-23 21:33:26 +01:00 · a807111238
commit a807111238
parent 85e74c8ea0
10 changed files with 107 additions and 11 deletions
--- a/content/blog/OpenBSD/relayd-httpd-example.md
+++ b/content/blog/OpenBSD/relayd-httpd-example.md
@ -0,0 +1,96 @@
+---
+title: OpenBSD relayd/httpd web server example
+date: 2021-02-10
+description: a detailed answer to a question on reddit
+tags:
+  - OpenBSD
+---
+
+## Introduction
+
+[Someone on reddit had trouble](https://www.reddit.com/r/openbsd/comments/lh4yl9/relaydhttpd_reverse_proxy_for_synapse_with/) with how `relayd` and `httpd` work together on OpenBSD. Those are two great components of the OpenBSD base system that take a different approach than the traditional web servers like `Nginx` or `Apache`, I wrote a complete example adapted from my own working configurations.
+
+The goal was to have a relayd configuration that would serve urls like `https://example.com/` with the static website content from httpd, and proxy traffic to urls like https://chat.example.com/ to a synapse server running on `localhost:8008`. Hopefully my working example can provide a better understanding of the idea behind the couple relayd/httpd.
+
+## The httpd configuration
+
+{{< highlight txt >}}
+prefork 5
+
+server "example.com" {
+    alias "chat.example.com"
+    listen on * port 80
+    location "/.well-known/acme-challenge/*" {
+            root "/acme"
+            request strip 2
+    }
+    location * {
+            block return 301 "https://$HTTP_HOST$REQUEST_URI"
+    }
+}
+
+server "example.com" {
+    listen on * port 8080
+    location * {
+            root "/htdocs/www/public/"
+    }
+}
+{{< /highlight >}}
+
+## The relayd configuration
+
+{{< highlight txt >}}
+log state changes
+log connection errors
+prefork 5
+
+table <httpd> { 127.0.0.1 }
+table <synapse> { 127.0.0.1 }
+
+http protocol "wwwsecure" {
+    tls keypair "example.com"
+    tls keypair "chat.example.com"
+
+    # Return HTTP/HTML error pages to the client
+    return error
+    # you may want to remove this depending on your use case
+    #match request header set "Connection" value "close"
+
+    # your web application might need these headers
+    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
+    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
+
+    # set best practice security headers
+    # use https://securityheaders.com to check
+    # and modify as needed
+    match response header remove "Server"
+    match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
+    match response header append "X-Frame-Options" value "SAMEORIGIN"
+    match response header append "X-XSS-Protection" value "1; mode=block"
+    match response header append "X-Content-Type-Options" value "nosniff"
+    match response header append "Referrer-Policy" value "strict-origin"
+    match response header append "Content-Security-Policy" value "default-src https:; style-src 'self' \
+      'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
+    match response header append "Permissions-Policy" value "accelerometer=(none), camera=(none), \
+      geolocation=(none), gyroscope=(none), magnetometer=(none), microphone=(none), payment=(none), usb=(none)"
+
+    # set recommended tcp options
+    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
+
+    pass  request  quick  header  "Host"  value  "example.com"       forward  to  <httpd>
+    pass  request  quick  header  "Host"  value  "chat.example.com"  forward  to  <synapse>
+}
+
+relay "wwwsecure" {
+    listen on 0.0.0.0 port 443 tls
+    protocol wwwsecure
+    forward to <httpd> port 8080
+    forward to <synapse> port 8008
+}
+relay "wwwsecure6" {
+    listen on :: port 443 tls
+    protocol wwwsecure
+    forward to <httpd> port 8080
+    forward to <synapse> port 8008
+}
+{{< /highlight >}}
--- a/content/blog/_index.md
+++ b/content/blog/_index.md
@ -5,4 +5,4 @@ menu:
    weight: 4
 ---

-This is the blog section of this website. It is an heritage of the old wiki I maintained before switching to a static website generated with [hugo]({{< relref "/tags/hugo/" >}}), so articles before 2021 can be a little short and are more like notes than regular articles.
+This is the blog section of this website. It is an heritage of the old wiki I maintained before switching to a static website generated with [hugo]({{< ref "hugo" >}}), so articles before 2021 can be a little short and are more like notes than regular articles.
--- a/content/blog/commands/qemu.md
+++ b/content/blog/commands/qemu.md
@ -3,7 +3,7 @@ title: "Qemu"
 date: 2019-06-10
 description: Some simple qemu command usage
 tags:
-  - linux
+  - Linux
  - virtualization
 ---

--- a/content/blog/gentoo/get-zoom-to-work.md
+++ b/content/blog/gentoo/get-zoom-to-work.md
@ -3,7 +3,7 @@ title: "Get zoom to work"
 date: 2018-01-02
 description: How to get the zoom video conferencing tool to work on gentoo
 tags:
-  - gentoo
+  - Gentoo
 ---

 ## The problem
--- a/content/blog/gentoo/steam.md
+++ b/content/blog/gentoo/steam.md
@ -3,9 +3,9 @@ title: "Steam"
 date: 2019-02-16
 description: How to make steam work seamlessly on gentoo with a chroot
 tags:
-  - gentoo
+  - Gentoo
 ---

 I am not using a multilib profile on gentoo (I use amd64 only everywhere), so when the time came to install steam I had to get a little creative. Overall I believe this is the perfect way to install and use steam as it self contains it cleanly while not limiting the functionalities. In particular sound works, as does the hardware acceleration in games. I tried to achieve that with containers but didn't quite made it work as well as this chroot setup.

-[Here is the link to the full article describing how I achieved that.]({{< relref "/docs/gentoo/steam.md" >}})
+[Here is the link to the full article describing how I achieved that.]({{< ref "/docs/gentoo/steam" >}})
--- a/content/blog/hugo/adding-custom-shortcode-age.md
+++ b/content/blog/hugo/adding-custom-shortcode-age.md
@ -8,7 +8,7 @@ tags:

 ## Introduction

-On the [about-me]({{< relref "/docs/about-me/_index.md" >}}) page I had hardcoded my age. I wanted a way to calculate it automatically when building the site, here is how to do this.
+On the [about-me]({{< ref "about-me" >}}) page I had hardcoded my age. I wanted a way to calculate it automatically when building the site, here is how to do this.

 ## Adding the shortcode

--- a/content/blog/hugo/ditching-the-heavy-hugo-theme.md
+++ b/content/blog/hugo/ditching-the-heavy-hugo-theme.md
@ -8,7 +8,7 @@ tags:

 ## Introduction

-I felt a need for minimalism. I felt uneasy at the thought of 11 requests totalling about 750KB of minified files just to display a home page without any images, all that because of the docsy theme I went with when I [switched to hugo]({{< relref "/blog/hugo/switching-to-hugo" >}}) two years ago.
+I felt a need for minimalism. I felt uneasy at the thought of 11 requests totalling about 750KB of minified files just to display a home page without any images, all that because of the docsy theme I went with when I [switched to hugo]({{< ref "switching-to-hugo" >}}) two years ago.

 I am not complaining about the theme which served me well when I needed to switch and was so focused on manually importing 10 years worth of wiki articles, but this uneasiness prevented me from updating this blog as often as I wanted. I was a bit ashamed about how heavy it was, and in some way prevented me from adding content to this website.