ip4="193.26.157.243"

table <www> { 127.0.0.1 }
table <chat> { 127.0.0.1 }
table <text> { REPLACEME }
table <git> { REPLACEME }

log connection

http protocol https {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"

    tcp { sack, backlog 128 }

    tls { keypair iwakura.page }
    tls { keypair text.iwakura.page }
    tls { keypair git.iwakura.page }
    tls { keypair chat.iwakura.page }

    match request header "Host" value "iwakura.page" forward to <www>
    match request header "Host" value "www.iwakura.page" forward to <www>
    match request header "Host" value "chat.iwakura.page" forward to <chat>
    match request header "Host" value "text.iwakura.page" forward to <text>
    match request header "Host" value "git.iwakura.page" forward to <git>
    match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
    match response header append "Cache-Control" value "public, max-age=86400"
    match response header append "Content-Security-Policy" value "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none';"
    match response header append "X-Content-Type-Options" value "nosniff"
    match response header append "X-Frame-Options" value "SAMEORIGIN"
    match response header append "Referrer-Policy" value "no-referrer"
    match response header append "Permissions-Policy" value "interest-cohort=()"

    match request header set "Accept-Encoding" value "gzip, deflate"
}

relay wwwtls {
    listen on $ip4 port 443 tls
    protocol https

    forward to <www> port 8080 check tcp
    forward to <chat> port 7070 check tcp
    forward to <text> port 8834 check tcp
    forward to <git> port 8855 check tcp
}

relay gitdaemon {
    listen on $ip4 port 9418
    forward to <git> port 9418 check tcp
}