author | Julien Dessaux | 2021-03-23 21:33:26 +0100 |
---|---|---|
committer | Julien Dessaux | 2021-03-23 21:33:26 +0100 |
commit | a80711123882723b010c6172213a0d4295265744 (patch) | |
tree | 309b4e7011fc2de47a4f3616578bf70d790fa108 /content/blog | |
parent | Small fixes with section titles (diff) | |
Added an openbsd article and simplified all useless relref
Diffstat (limited to 'content/blog')
-rw-r--r-- | content/blog/OpenBSD/relayd-httpd-example.md | 96 | ||||
-rw-r--r-- | content/blog/_index.md | 2 | ||||
-rw-r--r-- | content/blog/commands/qemu.md | 2 | ||||
-rw-r--r-- | content/blog/gentoo/get-zoom-to-work.md | 2 | ||||
-rw-r--r-- | content/blog/gentoo/steam.md | 4 | ||||
-rw-r--r-- | content/blog/hugo/adding-custom-shortcode-age.md | 2 | ||||
-rw-r--r-- | content/blog/hugo/ditching-the-heavy-hugo-theme.md | 2 |
7 files changed, 103 insertions, 7 deletions
diff --git a/content/blog/OpenBSD/relayd-httpd-example.md b/content/blog/OpenBSD/relayd-httpd-example.md new file mode 100644 index 0000000..71212b2 --- /dev/null +++ b/content/blog/OpenBSD/relayd-httpd-example.md 
@@ -0,0 +1,96 @@ +--- +title: OpenBSD relayd/httpd web server example +date: 2021-02-10 +description: a detailed answer to a question on reddit +tags: + - OpenBSD +--- + +## Introduction + +[Someone on reddit had trouble](https://www.reddit.com/r/openbsd/comments/lh4yl9/relaydhttpd_reverse_proxy_for_synapse_with/) with how `relayd` and `httpd` work together on OpenBSD. Those are two great components of the OpenBSD base system that take a different approach than the traditional web servers like `Nginx` or `Apache`, I wrote a complete example adapted from my own working configurations. + +The goal was to have a relayd configuration that would serve urls like `https://example.com/` with the static website content from httpd, and proxy traffic to urls like https://chat.example.com/ to a synapse server running on `localhost:8008`. Hopefully my working example can provide a better understanding of the idea behind the couple relayd/httpd. + +## The httpd configuration + +{{< highlight txt >}} +prefork 5 + +server "example.com" { + alias "chat.example.com" + listen on * port 80 + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + location * { + block return 301 "https://$HTTP_HOST$REQUEST_URI" + } +} + +server "example.com" { + listen on * port 8080 + location * { + root "/htdocs/www/public/" + } +} +{{< /highlight >}} + +## The relayd configuration + +{{< highlight txt >}} +log state changes +log connection errors +prefork 5 + +table <httpd> { 127.0.0.1 } +table <synapse> { 127.0.0.1 } + +http protocol "wwwsecure" { + tls keypair "example.com" + tls keypair "chat.example.com" + + # Return HTTP/HTML error pages to the client + return error + # you may want to remove this depending on your use case + #match request header set "Connection" value "close" + + # your web application might need these headers + match request header set "X-Forwarded-For" value "$REMOTE_ADDR" + match request header set "X-Forwarded-By" value 
"$SERVER_ADDR:$SERVER_PORT" + + # set best practice security headers + # use https://securityheaders.com to check + # and modify as needed + match response header remove "Server" + match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" + match response header append "X-Frame-Options" value "SAMEORIGIN" + match response header append "X-XSS-Protection" value "1; mode=block" + match response header append "X-Content-Type-Options" value "nosniff" + match response header append "Referrer-Policy" value "strict-origin" + match response header append "Content-Security-Policy" value "default-src https:; style-src 'self' \ + 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'" + match response header append "Permissions-Policy" value "accelerometer=(none), camera=(none), \ + geolocation=(none), gyroscope=(none), magnetometer=(none), microphone=(none), payment=(none), usb=(none)" + + # set recommended tcp options + tcp { nodelay, sack, socket buffer 65536, backlog 100 } + + pass request quick header "Host" value "example.com" forward to <httpd> + pass request quick header "Host" value "chat.example.com" forward to <synapse> +} + +relay "wwwsecure" { + listen on 0.0.0.0 port 443 tls + protocol wwwsecure + forward to <httpd> port 8080 + forward to <synapse> port 8008 +} +relay "wwwsecure6" { + listen on :: port 443 tls + protocol wwwsecure + forward to <httpd> port 8080 + forward to <synapse> port 8008 +} +{{< /highlight >}} diff --git a/content/blog/_index.md b/content/blog/_index.md index a464453..eebca49 100644 --- a/content/blog/_index.md +++ b/content/blog/_index.md 
@@ -5,4 +5,4 @@ menu: weight: 4 --- -This is the blog section of this website. It is an heritage of the old wiki I maintained before switching to a static website generated with [hugo]({{< relref "/tags/hugo/" >}}), so articles before 2021 can be a little short and are more like notes than regular articles. +This is the blog section of this website. It is an heritage of the old wiki I maintained before switching to a static website generated with [hugo]({{< ref "hugo" >}}), so articles before 2021 can be a little short and are more like notes than regular articles. diff --git a/content/blog/commands/qemu.md b/content/blog/commands/qemu.md index 2a982e0..74afc5e 100644 --- a/content/blog/commands/qemu.md +++ b/content/blog/commands/qemu.md @@ -3,7 +3,7 @@ title: "Qemu" date: 2019-06-10 description: Some simple qemu command usage tags: - - linux + - Linux - virtualization --- diff --git a/content/blog/gentoo/get-zoom-to-work.md b/content/blog/gentoo/get-zoom-to-work.md index c2124ae..c275ece 100644 --- a/content/blog/gentoo/get-zoom-to-work.md +++ b/content/blog/gentoo/get-zoom-to-work.md @@ -3,7 +3,7 @@ title: "Get zoom to work" date: 2018-01-02 description: How to get the zoom video conferencing tool to work on gentoo tags: - - gentoo + - Gentoo --- ## The problem diff --git a/content/blog/gentoo/steam.md b/content/blog/gentoo/steam.md index 4793525..97e2ae4 100644 --- a/content/blog/gentoo/steam.md +++ b/content/blog/gentoo/steam.md 
@@ -3,9 +3,9 @@ title: "Steam" date: 2019-02-16 description: How to make steam work seamlessly on gentoo with a chroot tags: - - gentoo + - Gentoo --- I am not using a multilib profile on gentoo (I use amd64 only everywhere), so when the time came to install steam I had to get a little creative. Overall I believe this is the perfect way to install and use steam as it self contains it cleanly while not limiting the functionalities. In particular sound works, as does the hardware acceleration in games. I tried to achieve that with containers but didn't quite made it work as well as this chroot setup. -[Here is the link to the full article describing how I achieved that.]({{< relref "/docs/gentoo/steam.md" >}}) +[Here is the link to the full article describing how I achieved that.]({{< ref "/docs/gentoo/steam" >}}) diff --git a/content/blog/hugo/adding-custom-shortcode-age.md b/content/blog/hugo/adding-custom-shortcode-age.md index d694813..13cc4a5 100644 --- a/content/blog/hugo/adding-custom-shortcode-age.md +++ b/content/blog/hugo/adding-custom-shortcode-age.md @@ -8,7 +8,7 @@ tags: ## Introduction -On the [about-me]({{< relref "/docs/about-me/_index.md" >}}) page I had hardcoded my age. I wanted a way to calculate it automatically when building the site, here is how to do this. +On the [about-me]({{< ref "about-me" >}}) page I had hardcoded my age. I wanted a way to calculate it automatically when building the site, here is how to do this. ## Adding the shortcode diff --git a/content/blog/hugo/ditching-the-heavy-hugo-theme.md b/content/blog/hugo/ditching-the-heavy-hugo-theme.md index 8c56d0c..a4274ff 100644 --- a/content/blog/hugo/ditching-the-heavy-hugo-theme.md +++ b/content/blog/hugo/ditching-the-heavy-hugo-theme.md 
@@ -8,7 +8,7 @@ tags: ## Introduction -I felt a need for minimalism. I felt uneasy at the thought of 11 requests totalling about 750KB of minified files just to display a home page without any images, all that because of the docsy theme I went with when I [switched to hugo]({{< relref "/blog/hugo/switching-to-hugo" >}}) two years ago. +I felt a need for minimalism. I felt uneasy at the thought of 11 requests totalling about 750KB of minified files just to display a home page without any images, all that because of the docsy theme I went with when I [switched to hugo]({{< ref "switching-to-hugo" >}}) two years ago. I am not complaining about the theme which served me well when I needed to switch and was so focused on manually importing 10 years worth of wiki articles, but this uneasiness prevented me from updating this blog as often as I wanted. I was a bit ashamed about how heavy it was, and in some way prevented me from adding content to this website. |
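Review bot: In content/blog/OpenBSD/relayd-httpd-example.md, the second httpd `server "example.com"` block uses `listen on * port 8080`, so the plaintext backend is reachable on every interface and a client that connects to port 8080 directly bypasses the TLS relay and every response header added in the `wwwsecure` protocol. Since the relayd table is `table <httpd> { 127.0.0.1 }`, suggest `listen on 127.0.0.1 port 8080`. Two smaller points in the relayd block: the `Permissions-Policy` value uses `camera=(none)` style entries, whereas an empty allowlist in that header is written `camera=()`; and the security headers use `append`, which adds to a header the backend already sent instead of replacing it, so `set` is the safer choice for single-valued headers such as `Strict-Transport-Security` and `X-Frame-Options`.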
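Review bot: The `ref` replacements are not a pure simplification: in content/blog/_index.md, `relref "/tags/hugo/"` becomes `ref "hugo"`, which switches the generated link from a relative to an absolute permalink and replaces an explicit path with a bare name. The diffstat shows a content/blog/hugo/ directory, so please confirm that `ref "hugo"` still resolves to the tag listing and not to that section; the same check applies to `ref "about-me"` and `ref "switching-to-hugo"` in the hugo articles. If relative links were intended, keep `relref` with the shortened path.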
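Review bot: The tag changes in content/blog/commands/qemu.md, content/blog/gentoo/get-zoom-to-work.md and content/blog/gentoo/steam.md (`- linux` to `- Linux`, `- gentoo` to `- Gentoo`) are not mentioned in the commit message, which only covers the new article and the relref cleanup. Suggest moving them to their own commit or adding a line to the message so the taxonomy rename is easy to find later.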