diff --git a/Proxy-examples.md b/Proxy-examples.md index fb00a19..36a5535 100644 --- a/Proxy-examples.md +++ b/Proxy-examples.md @@ -868,4 +868,51 @@ spec: number: 80 host: vaultwarden ``` + +
+relayd on openbsd (by olliestrickland)
+```gateway+vs
+table { localhost }
+table { localhost }
+
+# protocol definition for vaultwarden with tls
+
+http protocol vaultwarden-https {
+ # add a header vaultwarden needs
+ match request header append "X-Real-IP" value "$REMOTE_ADDR"
+
+ # add a few headers vaultwarden may not need
+ match request header append "Host" value "$HOST"
+ match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
+ match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
+
+ # most general rule - forward connections to vaultwarden rocket
+ match request path "/*" forward to
+
+ # forward the path used for websocket to the vaultwarden websocket port
+ match request path "/notifications/hub" forward to
+
+ # save most specific path for last - this path should not forward to the websocket server
+ match request path "/notifications/hub/negotiate" forward to
+
+ # various TCP options
+ tcp { nodelay, sack, backlog 128 }
+
+ # tls config
+ tls keypair bitwarden.example.tld
+ tls { no tlsv1.0, ciphers HIGH }
+
+ # allow websockets - this is nice it handles all the headers no need for manual header edits
+ http websockets
+}
+
+# relay definition for vaultwarden - forward inbound 443 tls on the egress interface to rocket on default port 8000 and websocket on 3012
+
+relay vaultwarden-https-relay {
+ listen on egress port 443 tls
+ protocol vaultwarden-https
+ forward to port 8000
+ forward to port 3012
+}
+```
\ No newline at end of file
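Review bot: The `X-Real-IP` rule in the `vaultwarden-https` protocol uses `append`, which in relayd adds to an existing header instead of replacing it, so a value sent by the client is kept alongside `$REMOTE_ADDR`. Since the comment says vaultwarden needs this header, a backend that trusts it for logging or rate limiting could end up recording a client-chosen address; `match request header set "X-Real-IP" value "$REMOTE_ADDR"` overwrites it instead. The same applies to the `Host` line, where appending to the header the client already sent looks unintended. Separately, both `table { localhost }` lines and the three `forward to` path rules show no table name as rendered here, probably angle-bracket names lost in rendering, so the example is worth checking against the wiki source before it is copied.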