authorAndreas Baumann <mail@andreasbaumann.cc>2017-10-19 14:07:37 +0200
committerAndreas Baumann <mail@andreasbaumann.cc>2017-10-19 14:07:37 +0200
commit5247a4900bb79588094f9422833217ba78c3abc1 (patch)
treec9579164fd89604d8d313fd3b5d074bebf3c2165
parent545207c6738fe5dc93f4db46705f5a2890c3024e (diff)
downloadOpenBSD-firewall-5247a4900bb79588094f9422833217ba78c3abc1.tar.gz
OpenBSD-firewall-5247a4900bb79588094f9422833217ba78c3abc1.tar.bz2
for now disabled https relayd (as we need multi SAN certificates for domains via LetsEncrypt)
-rw-r--r--config/obr/pf.conf2
-rw-r--r--config/obr/relayd.conf25
2 files changed, 1 insertions, 26 deletions
diff --git a/config/obr/pf.conf b/config/obr/pf.conf
index ac62be4..f60828c 100644
--- a/config/obr/pf.conf
+++ b/config/obr/pf.conf
@@ -85,10 +85,10 @@ pass on $WLAN_if all
# relayd and bruteforce attack scrubbing
pass in on $ext_if proto tcp from any to port 80
-pass in on $ext_if proto tcp from any to port 443
# reroute public services to their machines in the LAN
pass in on $ext_if proto tcp from any to port 25 rdr-to $euroweb
+pass in on $ext_if proto tcp from any to port 443 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 587 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 110 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 143 rdr-to $euroweb
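Review bot: The new rdr-to rule for port 443 hands TLS traffic straight to $euroweb, so that path no longer goes through the relayd https_protocol that the second file removes (its `return error`, X-Forwarded-For/X-Forwarded-By appends and the "Server" header override), and the backend is now the TLS endpoint itself; this is presumably intended while the certificate issue is sorted out, but nothing in the hunk records it. The comment "# relayd and bruteforce attack scrubbing" now describes only the port 80 rule, since 443 has moved under the plain redirect block. Suggest a comment on the new line, `# 443 bypasses relayd until the https relay is re-enabled: no X-Forwarded-* headers and no Server header masking on this path, euroweb terminates TLS itself`, so the bypass is visible to whoever later restores the relay. If the relayd filtering on port 80 is what the "bruteforce" comment refers to, that coverage is now asymmetric between 80 and 443.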
diff --git a/config/obr/relayd.conf b/config/obr/relayd.conf
index 5857464..6be42f6 100644
--- a/config/obr/relayd.conf
+++ b/config/obr/relayd.conf
@@ -49,24 +49,6 @@ http protocol "http_protocol" {
block request tagged disallowed_host label "BAD host"
}
-http protocol "https_protocol" {
-
- return error
-
- match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
- match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
- match request header set "Connection" value "close"
- match request header set "Keep-Alive" value "$TIMEOUT"
-
- match response header set "Server" value "None of your business"
-
- tcp { nodelay, sack, socket buffer 65536, backlog 128 }
-
-# tls ca key "/etc/ssl/private/webmail.andreasbaumann.cc.key" password ""
-# tls ca cert "/etc/ssl/webmail.andreasbaumann.cc.crt"
-# tls ca file "/etc/ssl/webmail.andreasbaumann.cc.intermediate.crt"
-}
-
relay http_relay {
listen on $EXT_IF port 80
protocol http_protocol
@@ -74,11 +56,4 @@ relay http_relay {
forward to <euroweb> port 80
forward to <euroserver> port 80
}
-
-relay https_relay {
- listen on $EXT_IF port 443 tls
- protocol https_protocol
-
- forward with tls to <euroweb> port 443
-}