src

sauce
git clone ssh://anon@src.dalliard.ch/src

commit 8407b596fc4a4d1ab0760e8e1b80565745346e25
parent 52eee844ab412f6fd90f4e39efe64dd1be0eb11d
author: nathanael <nathanael@dalliard.ch>
date:   Tue, 11 Nov 2025 18:05:23 +0000

s2: add mollysocket

diffstat:
Ms2/packages | 1+
Ms2/sysfiles/acme-client.conf | 1+
Ms2/sysfiles/relayd.conf | 8+++++++-
3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/s2/packages b/s2/packages @@ -2,3 +2,4 @@ git-- got-- gotd-- hugo-- +mollysocket-- diff --git a/s2/sysfiles/acme-client.conf b/s2/sysfiles/acme-client.conf @@ -5,6 +5,7 @@ authority letsencrypt { domain s2.dalliard.ch { alternative names { src.dalliard.ch + ms.dalliard.ch } domain key "/etc/ssl/private/s2.dalliard.ch.key" domain full chain certificate "/etc/ssl/s2.dalliard.ch.crt" diff --git a/s2/sysfiles/relayd.conf b/s2/sysfiles/relayd.conf @@ -1,6 +1,7 @@ ipv4="152.53.196.107" ipv6="2a03:4000:0:170d::1" table <httpd> { 127.0.0.1 } +table <molly> { 127.0.0.1 } http protocol https { tls { no tlsv1.0, tlsv1.1, ciphers "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DSS" } tls keypair "s2.dalliard.ch" @@ -13,18 +14,23 @@ http protocol https { match response header set "X-Frame-Options" value "deny" match response header set "Referrer-Policy" value "no-referrer" match response header set "Content-Security-Policy" value \ - "default-src 'self'; base-uri 'none'; img-src 'self' data:; form-action 'none'; frame-ancestors 'none'" + "default-src 'self'; base-uri 'none'; img-src 'self' data:; form-action 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'" match request path "/*.css" tag "static" match response tagged "static" header set "Cache-Control" value "public, max-age=31536000, immutable" + + pass request quick header "Host" value "ms.dalliard.ch" forward to <molly> + pass request forward to <httpd> } relay wwwtls4 { listen on $ipv4 port https tls protocol https forward to <httpd> port https + forward to <molly> port 8020 } relay wwwtls6 { listen on $ipv6 port https tls protocol https forward to <httpd> port https + forward to <molly> port 8020 }
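Review bot: In the second relayd.conf hunk, the relaxed Content-Security-Policy is set by an unscoped `match response header set` inside `http protocol https`. As a result `style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'` is now sent for every host behind this relay, not only for ms.dalliard.ch, and allowing inline script removes most of the policy's protection against injected markup on the other sites. If only the mollysocket backend needs inline script and style (the hunk does not say), keep the previous value as the default and override it per host with the tag pattern already used for `static`: `match request header "Host" value "ms.dalliard.ch" tag "molly"` followed by `match response tagged "molly" header set "Content-Security-Policy" value "<relaxed policy>"`. Check how that interacts with the existing `static` tag on `/*.css` requests, since I believe a session carries one tag at a time. The protocol block begins outside this hunk.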