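# relayd.conf: TLS-terminating reverse proxy in front of a local web
# application listening on 127.0.0.1:8080.
#
# The directives must be on separate lines: a '#' comments out everything
# up to the end of the line.

# set your external IP addresses
external_ipv4 = "46.23.94.141"
# this needs to be the expanded IPv6 address
# NOTE(review): the value below still uses "::" compression; confirm
# which form is required here.
external_ipv6 = "2a03:6000:6f68:602::141"

http protocol "wwwsecure" {
    # you may want to remove this depending on your use case
    match request header set "Connection" value "close"

    # your web application might need these headers
    # "set" replaces any value the client sent, so the backend never sees a
    # client-supplied X-Forwarded-For. The backend should still only trust
    # these headers on connections that arrive through this relay.
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

    # set best practice security headers
    # use https://securityheaders.com to check
    # and modify as needed
    match response header remove "Server"
    match response header set "X-Frame-Options" value "SAMEORIGIN"
    # The legacy XSS auditor is deprecated, and "1; mode=block" could itself
    # be abused in the browsers that implemented it. "0" switches it off;
    # rely on a Content-Security-Policy instead.
    match response header set "X-XSS-Protection" value "0"
    match response header set "X-Content-Type-Options" value "nosniff"
    match response header set "Referrer-Policy" value "strict-origin"
    # Enable once the application has been tested against the policy;
    # "default-src 'self'" blocks inline scripts and third-party resources.
    #match response header set "Content-Security-Policy" value "default-src 'self'"
    # Enable once every service on this hostname is reachable over HTTPS;
    # browsers cache the policy for max-age seconds and refuse plain HTTP.
    #match response header set "Strict-Transport-Security" value "max-age=31536000"
    # Feature-Policy was renamed to Permissions-Policy with a different
    # syntax; both are sent so that older and current browsers apply the
    # same restrictions.
    match response header set "Feature-Policy" value "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
    match response header set "Permissions-Policy" value "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"

    # set recommended tcp options
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }

    # relayd looks up the certificate and private key by this name under
    # /etc/ssl and /etc/ssl/private (see relayd.conf(5)); the key file
    # should be readable by root only.
    tls keypair "graph.openshift.tips"
}

# split IPv4 and IPv6 so they can
# be distinguished in the access log
relay "wwwsecure4" {
    listen on $external_ipv4 port 443 tls
    protocol wwwsecure
    # plain HTTP to the backend on loopback only
    forward to 127.0.0.1 port 8080
}

relay "wwwsecure6" {
    listen on $external_ipv6 port 443 tls
    protocol wwwsecure
    # plain HTTP to the backend on loopback only
    forward to 127.0.0.1 port 8080
}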