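#!/bin/sh
# Polyglot launcher: the shell re-executes this same file under perl, and
# perl -x skips everything up to the "#!perl" line below. "$0" is quoted so
# a script path containing whitespace survives the hand-off to perl.
exec perl -x "$0" "$@"
#!perl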
# eotk (c) 2017-2020 Alec Muffett
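use strict;
use warnings;

# Marker appended to every comment this script emits, so generated nginx
# config can be told apart from hand-written config.
our $warning = "(generated)";

# Wrapper lines written at the top and bottom of each generated file;
# $0 is the path of this generator script.
our $begin = "# ---- BEGIN CODE GENERATED BY $0 ---- -*- awk -*-\n\n";
our $end   = "# ---- END CODE GENERATED BY $0 ----\n";

# One indentation unit for the emitted nginx lines.
our $indent = " ";

# Accumulated nginx snippets, filled in by the rule parser and written out
# at the end: polite 403 blocks, redirects, blacklist aborts, whitelist
# flag handling, and the trailing whitelist-failure checks.
our @polite   = ();
our @redirect = ();
our @black    = ();
our @white    = ();
our @tail     = ();

# nginx directive emitted inside host redirects (see the redirect rules).
our $dont_onion = "set \$dont_onionify_response_headers 1; # dest URL must not be rewritten, prevent loops; cookies may migrate.";

# Scratch globals used by the rule parser and the output loops further down;
# declared here so the rest of the file compiles under strict as-is.
our ($uc_bl, $uc_wl, $flag, $lc_bl, $lc_wl);
our ($how, $lc_what, $condition, $x);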
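# Emits the nginx snippets for one blacklist/whitelist pair.
#
# $operator   nginx comparison: "=" (exact) or "~*" (case-insensitive regex).
#             The regex form uses the separate *_RE template variables and flag.
# $lc_what    lower-case name of the thing being checked (e.g. "host"); it is
#             interpolated into the template variable names and the nginx flag.
# $lhs, $rhs  the two operands of the nginx `if` test, e.g. '$http_host' and
#             '"%0%"'. They are copied verbatim; the %N% placeholders are
#             filled in later by the template engine, with no quoting or
#             escaping done here.
#
# Appends to the file-scope arrays: @black (a blacklist hit aborts the
# request), @white (set a flag, clear it on a whitelist hit) and @tail (abort
# if the flag is still set, i.e. nothing on the whitelist matched).
# Dies on any other operator. Uses the file-scope $warning marker.
sub blackwhite {
    my ($operator, $lc_what, $lhs, $rhs) = @_;

    my $uc_what   = uc($lc_what);
    my $condition = "if ( $lhs $operator $rhs )";

    my $suffix;
    if ($operator eq "~*") {
        $suffix = "_RE";
    }
    elsif ($operator eq "=") {
        $suffix = "";
    }
    else {
        die "bad blackwhite operator";
    }

    my $uc_bl = "${uc_what}_BLACKLIST$suffix";
    my $uc_wl = "${uc_what}_WHITELIST$suffix";
    my $lc_bl = lc($uc_bl);
    my $lc_wl = lc($uc_wl);
    # nginx variable that stays set unless some whitelist entry matched
    my $flag = "\$fail_${lc_what}_whitelist" . lc($suffix);

    # blacklist: any match aborts the request outright
    push(@black,
        "%%IF %$uc_bl%\n",
        "# check $lc_bl $warning\n",
        "%%CSV %$uc_bl%\n",
        "$condition { %NGINX_ACTION_ABORT%; }\n",
        "%%ENDCSV\n",
        "%%ELSE\n",
        "# no $lc_bl\n",
        "%%ENDIF\n",
    );

    # whitelist: presume failure, then clear the flag on the first match
    push(@white,
        "%%IF %$uc_wl%\n",
        "# check $lc_wl $warning\n",
        "set $flag 1;\n",
        "%%CSV %$uc_wl%\n",
        "$condition { set $flag 0; }\n",
        "%%ENDCSV\n",
        "%%ELSE\n",
        "# no $lc_wl\n",
        "%%ENDIF\n",
    );

    # tail: evaluated after all whitelist checks; abort if none matched
    push(@tail,
        "%%IF %$uc_wl%\n",
        "# check success of $lc_wl $warning\n",
        "if ( $flag ) { %NGINX_ACTION_ABORT%; }\n",
        "%%ELSE\n",
        "# no $lc_wl\n",
        "%%ENDIF\n",
    );

    return;
}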
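# Emits the nginx snippets for one redirect rule.
#
# $lc_what     lower-case rule name; upper-cased for the template variable.
# $condition   the nginx `if (...)` test, copied verbatim from the rule table
#              (no quoting or escaping is applied here).
# $append_uri  true: append $request_uri to the destination (%3%);
#              false: redirect to the fixed destination as-is.
#
# Appends to the file-scope @redirect; uses $warning and $dont_onion.
sub _push_redirect {
    my ($lc_what, $condition, $append_uri) = @_;
    my $uc_what = uc($lc_what);
    my ($label, $note, $target) = $append_uri
        ? ("redirect",       "will be appended",     "%3%\$request_uri")
        : ("fixed_redirect", "will NOT be appended", "%3%");

    push(@redirect, "%%IF %$uc_what%\n");
    push(@redirect, "# $label $lc_what: 1=regexp,2=code,3=dest (REQUEST_URI $note) $warning\n");
    push(@redirect, "%%CSV %$uc_what%\n");
    push(@redirect, "$condition {\n");
    # only host redirects need the dont_onionify directive; this is a horrible kludge
    push(@redirect, " $dont_onion\n") if ($uc_what =~ /_HOST/);
    push(@redirect, " return %2% $target;\n");
    push(@redirect, "}\n");
    push(@redirect, "%%ENDCSV\n");
    push(@redirect, "%%ELSE\n");
    push(@redirect, "# no $lc_what\n");
    push(@redirect, "%%ENDIF\n");
    return;
}

# Parse the rule table after __END__ (one rule per line: KIND NAME CONDITION)
# and accumulate nginx snippets in @black/@white/@tail/@polite/@redirect.
# Lines starting with '#' and blank lines are skipped; runs of whitespace
# are collapsed to a single space before splitting.
while (my $line = <DATA>) {
    next if $line =~ /^#/;
    next if $line =~ /^\s*$/;

    chomp $line;
    $line =~ s/\s+/ /g;
    my ($how, $lc_what, $condition) = split(/\s+/, $line, 3);

    if ($how eq "bwlist") {
        # CONDITION is "LHS RHS"; emit both the exact and the regex variant
        blackwhite("=",  $lc_what, split(" ", $condition));
        blackwhite("~*", $lc_what, split(" ", $condition));
    }
    elsif ($how eq "block") {
        # polite block: a matching request gets a 403 with the %BLOCK_ERR% body
        my $uc_what = uc($lc_what);
        push(@polite, "%%IF %$uc_what%\n");
        push(@polite, "# polite block for $lc_what $warning\n");
        push(@polite, "%%CSV %$uc_what%\n");
        push(@polite, "$condition { return 403 \"%BLOCK_ERR%\"; }\n");
        push(@polite, "%%ENDCSV\n");
        push(@polite, "%%ELSE\n");
        push(@polite, "# no $lc_what\n");
        push(@polite, "%%ENDIF\n");
    }
    elsif ($how eq "redirect") {
        _push_redirect($lc_what, $condition, 1);
    }
    elsif ($how eq "fixed-redirect") {
        _push_redirect($lc_what, $condition, 0);
    }
    else {
        die "bad config line at line $.: $line\n";
    }
}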
##################################################################
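# Writes one generated nginx include file.
#
# $path      output file, created or overwritten.
# $depth     how many $indent units each non-blank emitted line is indented.
# @sections  (title, \@lines) pairs, written in order as a "# title $warning"
#            comment, the lines, then a blank separator line.
#
# The content is wrapped in $begin/$end. Dies if the file cannot be opened or
# fully written (buffered write errors only surface at close).
sub _write_generated {
    my ($path, $depth, @sections) = @_;
    my $pad = $indent x $depth;

    open(my $out, '>', $path) or die "open $path: $!";
    print {$out} $pad, $begin;
    while (my ($title, $lines) = splice(@sections, 0, 2)) {
        print {$out} $pad, "# $title $warning\n";
        for my $line (@{$lines}) {
            # blank lines are passed through without indentation
            print {$out} $pad if ($line !~ /^\s*$/);
            print {$out} $line;
        }
        print {$out} "\n";
    }
    print {$out} $pad, $end;
    close($out) or die "close $path: $!";
    return;
}

##################################################################

# things we hate, things we dislike, things that should be somewhere else,
# possibly okay things - in that order
_write_generated(
    "nginx-generated-blocks.conf", 2,
    "blacklists"    => \@black,
    "polite blocks" => \@polite,
    "redirects"     => \@redirect,
    "whitelists"    => \@white,
);

##################################################################

_write_generated(
    "nginx-generated-checks.conf", 3,
    "whitelist checks" => \@tail,
);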
##################################################################
# NOTES:
# 1) DEPRECATE `location` BECAUSE IT TRIGGERS A PAGE HANDLER.
# 2) THE ORDER OF ITEMS BELOW IS MEANINGFUL, DO NOT SORT THEM.
__END__;
# blocks: issue a 403
block suppress_tor2web if ( $http_x_tor2web )
block block_user_agent if ( $http_user_agent = "%0%" )
block block_user_agent_re if ( $http_user_agent ~* "%0%" )
block block_referer if ( $http_referer = "%0%" )
block block_referer_re if ( $http_referer ~* "%0%" )
block block_origin if ( $http_origin = "%0%" )
block block_origin_re if ( $http_origin ~* "%0%" )
block block_host if ( $http_host = "%0%" )
block block_host_re if ( $http_host ~* "%0%" )
block block_path if ( $uri = "%0%" )
block block_path_re if ( $uri ~* "%0%" )
block block_location location %0%
block block_location_re location ~* "%0%"
# blocks on query parameters
block block_param if ( $arg_%1% = "%2%" )
block block_param_re if ( $arg_%1% ~* "%2%" )
# redirects preserving the request_uri path
redirect redirect_host if ( $host ~* "%1%" )
redirect redirect_path if ( $uri ~* "%1%" )
# redirects to a fixed url/path
fixed-redirect redirect_fixed_host if ( $host ~* "%1%" )
fixed-redirect redirect_fixed_path if ( $uri ~* "%1%" )
# blacklists and whitelists: issue a 500
# nb: the second argument is interpolated into nginx variable names
bwlist user_agent $http_user_agent "%0%"
bwlist referer $http_referer "%0%"
bwlist origin $http_origin "%0%"
bwlist host $http_host "%0%"
bwlist path $uri "%0%"
bwlist param $arg_%1% "%2%"