/etc/relayd.conf
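# relayd front end: terminates TLS on the public addresses and forwards to
# services listening on loopback. Fix applied: ext_ip6 was missing its closing
# quote, which would make the rest of the file parse as part of the string.

# Public addresses the relays bind to.
ext_ip4 = "192.0.2.2"
ext_ip6 = "2001:db8::2"

# Plain TCP protocol with TLS termination, used for Gemini.
# The keypair name selects the certificate/key pair relayd loads for si3t.ch;
# see relayd.conf(5) for the lookup paths and keep the private key root-only.
tcp protocol "tlsrelay" {
    tls keypair si3t.ch
    tcp { nodelay, sack }
}

# Gemini: TLS ends at relayd and the backend receives cleartext on loopback.
# The backend on port 11965 should therefore listen on 127.0.0.1 / ::1 only,
# otherwise it could be reached without going through this TLS layer.
relay "gemini" {
    listen on $ext_ip4 port 1965 tls
    protocol "tlsrelay"
    forward to 127.0.0.1 port 11965
}

relay "gemini6" {
    listen on $ext_ip6 port 1965 tls
    protocol "tlsrelay"
    forward to ::1 port 11965
}

# HTTP filtering rules are shared between the cleartext and TLS protocols.
http protocol "http" {
    include "/etc/relayd.proxy.conf"
}

http protocol "https" {
    include "/etc/relayd.proxy.conf"
    # NOTE(review): "hash" feeds the sessid query value into the forwarding
    # hash; with a single forward target per relay it presumably has no
    # visible effect here - confirm it is still wanted.
    match query hash "sessid"
    tls keypair si3t.ch
}

# Cleartext HTTP. The web server behind it must bind to loopback only, since
# the X-Forwarded-* headers set by relayd are trustworthy only if clients
# cannot reach the backend directly.
relay "http" {
    listen on $ext_ip4 port 80
    protocol "http"
    forward to 127.0.0.1 port 80
}

relay "http6" {
    listen on $ext_ip6 port 80
    protocol "http"
    forward to ::1 port 80
}

# HTTPS: TLS is terminated here and a new TLS session is opened to the
# backend ("forward with tls"). No CA is configured in the "https" protocol,
# so as far as this file shows the backend certificate is not verified;
# that is usually acceptable for a loopback target, but not for a remote one.
relay "https" {
    listen on $ext_ip4 port 443 tls
    protocol "https"
    forward with tls to 127.0.0.1 port 443
}

# IPv6 counterpart of relay "https" (name kept as in the original).
relay "tlsforward6" {
    listen on $ext_ip6 port 443 tls
    protocol "https"
    forward with tls to ::1 port 443
}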
/etc/relayd.proxy.conf :
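# HTTP filter rules included by both the "http" and "https" protocols.
# Rule order matters: rules are evaluated top to bottom, "quick" stops
# evaluation on a match, and the final "pass" lets everything else through.
#
# Fix applied: relayd keeps a single tag per connection and a later "tag"
# replaces an earlier one (relayd.conf(5)). In the original, *.html was tagged
# "CACHE" and then re-tagged "HTML", and *.gmi was tagged "CACHE" and then
# "TXT", so neither received the Cache-Control header. They now get their own
# tagged rules that set both headers.

# Have relayd answer blocked or failed requests with its own styled error page.
return error
return error style "body { background: silver; color: black; text-align:center } hr {border:0; background-color:silver; color:silver; height:1px; width:30%; margin-top:50px;}"

# "set" overwrites any X-Forwarded-* value supplied by the client, so the
# backend sees the address relayd observed rather than a spoofed header.
match request header set "X-Forwarded-For" \
    value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" \
    value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"

# Reject WordPress probes early; the label is shown on the error page.
block quick path "/wp-*" label '<em>Stop scanning for wordpress</em>.'

# Drop the client-supplied "Proxy" header before it reaches the backend
# (the "httpoxy" class of issue, where CGI maps it to HTTP_PROXY).
match request header remove "Proxy"

# Response hardening headers.
# NOTE(review): X-Xss-Protection is a legacy header that current browsers
# ignore; it is kept as the author set it.
match response header set "X-Xss-Protection" value "1; mode=block"
# NOTE(review): "Frame-Options" is not a standardized header name;
# X-Frame-Options below is the one browsers honor.
match response header set "Frame-Options" value "SAMEORIGIN"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "Referrer-Policy" value "no-referrer"
# This CSP only upgrades http:// subresources; it does not restrict script
# or frame sources. No Strict-Transport-Security header is set in this file;
# because the file is also included by the cleartext protocol, HSTS would
# belong in the "https" protocol block rather than here.
match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
match response header set "Permissions-Policy" value "interest-cohort=()"
# NOTE(review): this advertises the operating system to every client.
match response header set "X-Powered-By" value "Powered by OpenBSD"

# Static assets and directory indexes: cacheable for one day.
# "public" allows shared caches to store these responses, so nothing
# user-specific should be served under these paths.
match request path "/*.css" tag "CACHE"
match request path "/*.js" tag "CACHE"
match request path "/*.atom" tag "CACHE"
match request path "/*.rss" tag "CACHE"
match request path "/*.xml" tag "CACHE"
match request path "/*.jpg" tag "CACHE"
match request path "/*.png" tag "CACHE"
match request path "/*.svg" tag "CACHE"
match request path "/*.gif" tag "CACHE"
match request path "/*.ico" tag "CACHE"
match request path "*/" tag "CACHE"
match response tagged "CACHE" header set "Cache-Control" value \
    "public, max-age=86400"

# HTML: force the charset and apply the same cache lifetime.
match request path "/*.html" tag "HTML"
match response tagged "HTML" header set "Content-Type" value "text/html; charset=utf-8"
match response tagged "HTML" header set "Cache-Control" value \
    "public, max-age=86400"

# Plain-text formats: force the charset, no Cache-Control (as in the original).
match request path "/*.txt" tag "TXT"
match request path "/*.md" tag "TXT"
match response tagged "TXT" header set "Content-Type" value "text/plain; charset=utf-8"

# Gemtext over HTTP: served as plain text and cached like the static assets.
match request path "/*.gmi" tag "GMI"
match response tagged "GMI" header set "Content-Type" value "text/plain; charset=utf-8"
match response tagged "GMI" header set "Cache-Control" value \
    "public, max-age=86400"

# Default action for everything not blocked above.
pass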