-rw-r--r--  content/_index.md                                    |  2
-rw-r--r--  content/blog/OpenBSD/relayd-httpd-example.md         | 96
-rw-r--r--  content/blog/_index.md                               |  2
-rw-r--r--  content/blog/commands/qemu.md                        |  2
-rw-r--r--  content/blog/gentoo/get-zoom-to-work.md              |  2
-rw-r--r--  content/blog/gentoo/steam.md                         |  4
-rw-r--r--  content/blog/hugo/adding-custom-shortcode-age.md     |  2
-rw-r--r--  content/blog/hugo/ditching-the-heavy-hugo-theme.md   |  2
-rw-r--r--  content/docs/_index.md                               |  2
-rw-r--r--  content/docs/adyxax.org/_index.md                    |  4
10 files changed, 107 insertions, 11 deletions
diff --git a/content/_index.md b/content/_index.md index 9ae8f2b..8558939 100644 --- a/content/_index.md +++ b/content/_index.md @@ -6,7 +6,7 @@ Hello, My name is Julien Dessaux, also known by my pseudonym Adyxax : welcome to my personal website! -These pages are as an aggregation of various thoughts and tutorials I accumulated over my years of service as a system and network administrator and architect. Topics covered are open source, BSD and GNU/Linux system administration, and networking. It is a personal space that I try to fill up with my experience and knowledge of computer systems and network administration in the hope it serves others. You can learn more about me [on this page]({{< relref "/docs/about-me/_index.md" >}}) +These pages are as an aggregation of various thoughts and tutorials I accumulated over my years of service as a system and network administrator and architect. Topics covered are open source, BSD and GNU/Linux system administration, and networking. It is a personal space that I try to fill up with my experience and knowledge of computer systems and network administration in the hope it serves others. You can learn more about me [on this page]({{< ref "about-me" >}}) I hope you feel welcome here, do not hesitate to leave a message at julien -DOT- dessaux -AT- adyxax -DOT- org. You can ask for a translation, some more details on a topic covered here, or just say hi or whatever ;-) diff --git a/content/blog/OpenBSD/relayd-httpd-example.md b/content/blog/OpenBSD/relayd-httpd-example.md new file mode 100644 index 0000000..71212b2 --- /dev/null +++ b/content/blog/OpenBSD/relayd-httpd-example.md 
@@ -0,0 +1,96 @@ +--- +title: OpenBSD relayd/httpd web server example +date: 2021-02-10 +description: a detailed answer to a question on reddit +tags: + - OpenBSD +--- + +## Introduction + +[Someone on reddit had trouble](https://www.reddit.com/r/openbsd/comments/lh4yl9/relaydhttpd_reverse_proxy_for_synapse_with/) with how `relayd` and `httpd` work together on OpenBSD. Those are two great components of the OpenBSD base system that take a different approach than the traditional web servers like `Nginx` or `Apache`, I wrote a complete example adapted from my own working configurations. + +The goal was to have a relayd configuration that would serve urls like `https://example.com/` with the static website content from httpd, and proxy traffic to urls like https://chat.example.com/ to a synapse server running on `localhost:8008`. Hopefully my working example can provide a better understanding of the idea behind the couple relayd/httpd. + +## The httpd configuration + +{{< highlight txt >}} +prefork 5 + +server "example.com" { + alias "chat.example.com" + listen on * port 80 + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + location * { + block return 301 "https://$HTTP_HOST$REQUEST_URI" + } +} + +server "example.com" { + listen on * port 8080 + location * { + root "/htdocs/www/public/" + } +} +{{< /highlight >}} + +## The relayd configuration + +{{< highlight txt >}} +log state changes +log connection errors +prefork 5 + +table <httpd> { 127.0.0.1 } +table <synapse> { 127.0.0.1 } + +http protocol "wwwsecure" { + tls keypair "example.com" + tls keypair "chat.example.com" + + # Return HTTP/HTML error pages to the client + return error + # you may want to remove this depending on your use case + #match request header set "Connection" value "close" + + # your web application might need these headers + match request header set "X-Forwarded-For" value "$REMOTE_ADDR" + match request header set "X-Forwarded-By" value 
"$SERVER_ADDR:$SERVER_PORT" + + # set best practice security headers + # use https://securityheaders.com to check + # and modify as needed + match response header remove "Server" + match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" + match response header append "X-Frame-Options" value "SAMEORIGIN" + match response header append "X-XSS-Protection" value "1; mode=block" + match response header append "X-Content-Type-Options" value "nosniff" + match response header append "Referrer-Policy" value "strict-origin" + match response header append "Content-Security-Policy" value "default-src https:; style-src 'self' \ + 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'" + match response header append "Permissions-Policy" value "accelerometer=(none), camera=(none), \ + geolocation=(none), gyroscope=(none), magnetometer=(none), microphone=(none), payment=(none), usb=(none)" + + # set recommended tcp options + tcp { nodelay, sack, socket buffer 65536, backlog 100 } + + pass request quick header "Host" value "example.com" forward to <httpd> + pass request quick header "Host" value "chat.example.com" forward to <synapse> +} + +relay "wwwsecure" { + listen on 0.0.0.0 port 443 tls + protocol wwwsecure + forward to <httpd> port 8080 + forward to <synapse> port 8008 +} +relay "wwwsecure6" { + listen on :: port 443 tls + protocol wwwsecure + forward to <httpd> port 8080 + forward to <synapse> port 8008 +} +{{< /highlight >}} diff --git a/content/blog/_index.md b/content/blog/_index.md index a464453..eebca49 100644 --- a/content/blog/_index.md +++ b/content/blog/_index.md 
@@ -5,4 +5,4 @@ menu: weight: 4 --- -This is the blog section of this website. It is an heritage of the old wiki I maintained before switching to a static website generated with [hugo]({{< relref "/tags/hugo/" >}}), so articles before 2021 can be a little short and are more like notes than regular articles. +This is the blog section of this website. It is an heritage of the old wiki I maintained before switching to a static website generated with [hugo]({{< ref "hugo" >}}), so articles before 2021 can be a little short and are more like notes than regular articles. diff --git a/content/blog/commands/qemu.md b/content/blog/commands/qemu.md index 2a982e0..74afc5e 100644 --- a/content/blog/commands/qemu.md +++ b/content/blog/commands/qemu.md @@ -3,7 +3,7 @@ title: "Qemu" date: 2019-06-10 description: Some simple qemu command usage tags: - - linux + - Linux - virtualization --- diff --git a/content/blog/gentoo/get-zoom-to-work.md b/content/blog/gentoo/get-zoom-to-work.md index c2124ae..c275ece 100644 --- a/content/blog/gentoo/get-zoom-to-work.md +++ b/content/blog/gentoo/get-zoom-to-work.md @@ -3,7 +3,7 @@ title: "Get zoom to work" date: 2018-01-02 description: How to get the zoom video conferencing tool to work on gentoo tags: - - gentoo + - Gentoo --- ## The problem diff --git a/content/blog/gentoo/steam.md b/content/blog/gentoo/steam.md index 4793525..97e2ae4 100644 --- a/content/blog/gentoo/steam.md +++ b/content/blog/gentoo/steam.md 
@@ -3,9 +3,9 @@ title: "Steam" date: 2019-02-16 description: How to make steam work seamlessly on gentoo with a chroot tags: - - gentoo + - Gentoo --- I am not using a multilib profile on gentoo (I use amd64 only everywhere), so when the time came to install steam I had to get a little creative. Overall I believe this is the perfect way to install and use steam as it self contains it cleanly while not limiting the functionalities. In particular sound works, as does the hardware acceleration in games. I tried to achieve that with containers but didn't quite made it work as well as this chroot setup. -[Here is the link to the full article describing how I achieved that.]({{< relref "/docs/gentoo/steam.md" >}}) +[Here is the link to the full article describing how I achieved that.]({{< ref "/docs/gentoo/steam" >}}) diff --git a/content/blog/hugo/adding-custom-shortcode-age.md b/content/blog/hugo/adding-custom-shortcode-age.md index d694813..13cc4a5 100644 --- a/content/blog/hugo/adding-custom-shortcode-age.md +++ b/content/blog/hugo/adding-custom-shortcode-age.md @@ -8,7 +8,7 @@ tags: ## Introduction -On the [about-me]({{< relref "/docs/about-me/_index.md" >}}) page I had hardcoded my age. I wanted a way to calculate it automatically when building the site, here is how to do this. +On the [about-me]({{< ref "about-me" >}}) page I had hardcoded my age. I wanted a way to calculate it automatically when building the site, here is how to do this. ## Adding the shortcode diff --git a/content/blog/hugo/ditching-the-heavy-hugo-theme.md b/content/blog/hugo/ditching-the-heavy-hugo-theme.md index 8c56d0c..a4274ff 100644 --- a/content/blog/hugo/ditching-the-heavy-hugo-theme.md +++ b/content/blog/hugo/ditching-the-heavy-hugo-theme.md 
@@ -8,7 +8,7 @@ tags: ## Introduction -I felt a need for minimalism. I felt uneasy at the thought of 11 requests totalling about 750KB of minified files just to display a home page without any images, all that because of the docsy theme I went with when I [switched to hugo]({{< relref "/blog/hugo/switching-to-hugo" >}}) two years ago. +I felt a need for minimalism. I felt uneasy at the thought of 11 requests totalling about 750KB of minified files just to display a home page without any images, all that because of the docsy theme I went with when I [switched to hugo]({{< ref "switching-to-hugo" >}}) two years ago. I am not complaining about the theme which served me well when I needed to switch and was so focused on manually importing 10 years worth of wiki articles, but this uneasiness prevented me from updating this blog as often as I wanted. I was a bit ashamed about how heavy it was, and in some way prevented me from adding content to this website. diff --git a/content/docs/_index.md b/content/docs/_index.md index 740a710..ccd78bf 100644 --- a/content/docs/_index.md +++ b/content/docs/_index.md @@ -5,6 +5,6 @@ menu: weight: 2 --- -This is the Docs section of this website. It is an heritage of the old wiki I maintained before switching to a static website generated with [hugo]({{< relref "/tags/hugo/" >}}), with information that does not really fit in a blog format. +This is the Docs section of this website. It is an heritage of the old wiki I maintained before switching to a static website generated with [hugo]({{< ref "hugo" >}}), with information that does not really fit in a blog format. It is organised in the following sections : diff --git a/content/docs/adyxax.org/_index.md b/content/docs/adyxax.org/_index.md index 51a8161..ce4a209 100644 --- a/content/docs/adyxax.org/_index.md +++ b/content/docs/adyxax.org/_index.md 
@@ -9,10 +9,10 @@ adyxax.org is very much like a small personnal cloud of inexpensive servers host sysadmin to make it all work and provide various services that are useful to me and people that are close to me. As a good sysadmin, I am trying to be lazy and build the most self maintainable solution, with as little maintenance overhead as possible. -It used to rely on mostly gentoo (and some optional openbsd) servers interconnected with point to point openvpn links. Services ran inside lxd on alpine linux containers. Communications between all those services work +It used to rely on mostly [Gentoo]({{< ref "/tags/Gentoo" >}}) (and some optional [OpenBSD]({{< ref "/tags/OpenBSD" >}})) servers interconnected with point to point openvpn links. Services ran inside lxd on alpine linux containers. Communications between all those services work thanks to dynamic routing with bird and ospf along those openvpn links. I made extensive use of ansible to orchestrate all that, deploy the containers and manage them. -Even though it worked really well for years, I do not plan to blog a lot about this setup unless someone interested writes me to request information about it. On this new documentation site I plan to focus on how I am migrating the most stable and boring parts on OpenBSD hosts (so without containerisation). The less important or more changing services will be migrated on [kubernetes]({{< relref "/tags/kubernetes/" >}}) as a learning experience. Even though my custom setup with lxd on gentoo has always worked well it still was a rather unusual design that sometimes required maintenance following updates. Even if I am proud of its stability and reliability... It is not good for me to not look deeper into new technologies. Gentoo, OpenBSD and LXD is not the most popular combination out there. I will not abandon it completely (I do not imagine my laptop running anything other than gentoo), but working on more employable skills will do me good. 
+Even though it worked really well for years, I do not plan to blog a lot about this setup unless someone interested writes me to request information about it. On this new documentation site I plan to focus on how I am migrating the most stable and boring parts on OpenBSD hosts (so without containerisation). The less important or more changing services will be migrated on [kubernetes]({{< ref "kubernetes" >}}) as a learning experience. Even though my custom setup with lxd on gentoo has always worked well it still was a rather unusual design that sometimes required maintenance following updates. Even if I am proud of its stability and reliability... It is not good for me to not look deeper into new technologies. Gentoo, OpenBSD and LXD is not the most popular combination out there. I will not abandon it completely (I do not imagine my laptop running anything other than gentoo), but working on more employable skills will do me good. ## Why write about it?
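Review bot: in the content/_index.md hunk, the rewritten line keeps the pre-existing typo "These pages are as an aggregation" (drop "as"); since the line is already being replaced, this is the place to fix it. The new bare `ref "about-me"` is also looked up by page name across the whole site, so it only stays valid while exactly one page is named about-me and Hugo reports an ambiguous reference otherwise; the absolute form `ref "/docs/about-me"` avoids that.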
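Review bot: in the new relayd-httpd-example.md, the second httpd `server "example.com"` block uses `listen on * port 8080`, so the plain-HTTP backend is reachable directly on every interface, bypassing relayd's TLS termination and the response headers the protocol adds; since the `<httpd>` table only contains `127.0.0.1`, `listen on 127.0.0.1 port 8080` keeps it internal, and the same consideration applies to the Synapse listener on 8008. In the `wwwsecure` protocol, a request whose `Host` matches neither `pass request quick` rule is not blocked and still reaches the relay's default forward target; a trailing `block` rule would reject unexpected Host values instead. The comment above the CSP calls these "best practice security headers", but `'unsafe-inline' 'unsafe-eval'` in `script-src` gives up most of the protection a CSP offers against injected scripts, so the comment should present this as a permissive starting point to tighten per site. The `Permissions-Policy` entries use `(none)`; the documented way to write an empty allowlist is `()`, e.g. `camera=()`. Because the backends only ever see plain HTTP on 8080/8008, an application that builds absolute URLs may also need `X-Forwarded-Proto` set to `https` alongside the existing `X-Forwarded-For`. Minor prose in the introduction: "urls" should be "URLs", "the couple relayd/httpd" reads better as "the relayd/httpd pair", and the first paragraph's long sentence should be split at "Apache, I wrote".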
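Review bot: in the content/blog/_index.md hunk, the rewritten sentence should read "a heritage" rather than "an heritage". The link also changes from the explicit `/tags/hugo/` path to a bare `ref "hugo"`, which asks Hugo to find a page named hugo anywhere in the site; a taxonomy term page only resolves that way if a content file backs it, so build before merging, because Hugo's default `refLinksErrorLevel` of ERROR turns an unresolved ref into a failed build.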
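Review bot: in the qemu.md hunk, renaming the tag from `linux` to `Linux` changes the term as displayed and potentially its URL; this commit touches no other article with that tag, so verify after a build that no remaining post still carries the lowercase spelling and that a single term page results, rather than two terms differing only in case. The same check applies to the `gentoo` to `Gentoo` renames in get-zoom-to-work.md and steam.md.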
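Review bot: in the steam.md hunk, the context line "didn't quite made it work" should read "didn't quite make it work"; it is not part of this change, but the file is being edited anyway.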
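Review bot: in the content/docs/_index.md hunk, the rewritten sentence should read "a heritage" rather than "an heritage", and the following context line "It is organised in the following sections :" carries a stray space before the colon.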
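Review bot: in the content/docs/adyxax.org/_index.md hunk, the first rewritten line uses absolute tag refs (`ref "/tags/Gentoo"`, `ref "/tags/OpenBSD"`) while the second uses a bare `ref "kubernetes"`, and the blog and docs index hunks use bare `ref "hugo"`; pick one style for tag links. The capitalised `/tags/Gentoo` path also depends on how Hugo builds term URLs (lowercased by default unless `disablePathToLower` is set), so confirm it resolves in a build. The context line's "personnal cloud" should read "personal cloud", and "migrated on [kubernetes]" should read "migrated to".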