2017-03-17 08:17:23 +00:00
|
|
|
# -*- conf -*-
|
|
|
|
|
# eotk (c) 2017 Alec Muffett
|
|
|
|
|
|
2017-11-23 13:59:52 +00:00
|
|
|
# use brute-force "search and replace" strategy
|
|
|
|
|
set nginx_template templates.d/nginx-hard.conf.txt
|
|
|
|
|
|
|
|
|
|
# CSVs of canonical domains (eg: email addresses) to preserve
|
|
|
|
|
set preserve_csv tld-wp,wikipedia\\.org,i,wikipedia.org tld-wm,wikimedia\\.org,i,wikimedia.org
|
|
|
|
|
|
|
|
|
|
# FIX THIS TO USE A LOCAL RESOLVER, BECAUSE PERFORMANCE
|
|
|
|
|
set nginx_resolver 8.8.8.8 8.8.4.4
|
2017-03-17 08:17:23 +00:00
|
|
|
|
2017-11-23 13:59:52 +00:00
|
|
|
# cache persistence & size; sized for RaspberryPi (256m)
|
2017-03-17 08:31:57 +00:00
|
|
|
set nginx_cache_seconds 60
|
2017-11-23 13:59:52 +00:00
|
|
|
set nginx_cache_size 256m
|
|
|
|
|
set nginx_tmpfile_size 64m
|
2017-03-17 08:31:57 +00:00
|
|
|
|
2017-11-23 13:59:52 +00:00
|
|
|
# ARE YOU CONFIDENT IN THE COMPLETENESS OF YOUR 100% HTTPS SOLUTION?
|
|
|
|
|
# let's assume not, for the moment; else you will see a lot of 307 redirects
|
|
|
|
|
set force_https 0
|
|
|
|
|
|
2017-11-23 15:40:46 +00:00
|
|
|
# wikipedia occasionally puts .../foo.wikipedia.org/... in paths;
|
|
|
|
|
# these got onionified, and so need to be deonionified upon request
|
|
|
|
|
set paths_contain_onions 1
|
|
|
|
|
|
2017-11-23 13:59:52 +00:00
|
|
|
# proof-of-concept: let's make this read-only:
|
|
|
|
|
set suppress_methods_except_get 1
|
2017-03-17 08:31:57 +00:00
|
|
|
|
2017-11-23 13:59:52 +00:00
|
|
|
# proof-of-concept: block logins by blocking access to login.*
|
|
|
|
|
set block_host_re ^login\\.
|
|
|
|
|
|
|
|
|
|
# proof-of-concept: block logins by blocking access to login.*
|
|
|
|
|
set block_location_re ^/login/
|
|
|
|
|
|
|
|
|
|
# blocking access to query parameter lists is more complex, but given
|
|
|
|
|
# this is a read-only proof of concept with POST blocked, ignore that
|
|
|
|
|
# for the moment. Wikipedia block edits from Tor anyway, so...
|
|
|
|
|
|
|
|
|
|
# nb: you might want to investigate "no_cache_content_type" or
|
|
|
|
|
# "no_cache_host" in the instances that you want limitations upon
|
2017-03-17 08:31:57 +00:00
|
|
|
# some kinds of caching...
|
|
|
|
|
|
2017-11-23 13:59:52 +00:00
|
|
|
# demo: CSV list to implement ownership proof URIs for SSL issuance
|
|
|
|
|
# set hardcoded_endpoint_csv ^/proof/foo/?$,"FOOPROOF" ^/proof/bar/?$,"BARPROOF"
|
|
|
|
|
|
|
|
|
|
# demo: magic cookie-issuing URL to restrict access until ready to launch
|
|
|
|
|
# set cookie_lock /vice-open-sesame
|
|
|
|
|
|
|
|
|
|
# index of other onion sites ("what happens in onion, should stay in onion")
|
|
|
|
|
foreignmap facebookcorewwwi facebook.com
|
|
|
|
|
foreignmap nytimes3xbfgragh nytimes.com
|
|
|
|
|
|
|
|
|
|
# the Wikimedia Foundation have lots of sites
|
|
|
|
|
# most of which have an `m` subdomain
|
2017-03-17 08:17:23 +00:00
|
|
|
set project wikipedia
|
2017-11-23 13:59:52 +00:00
|
|
|
|
|
|
|
|
softmap %NEW_SOFT_ONION% mediawiki.org
|
|
|
|
|
softmap %NEW_SOFT_ONION% wikidata.org
|
|
|
|
|
softmap %NEW_SOFT_ONION% wikimedia.org
|
|
|
|
|
softmap %NEW_SOFT_ONION% wikimediafoundation.org
|
|
|
|
|
|
2017-03-17 08:17:23 +00:00
|
|
|
softmap %NEW_SOFT_ONION% wikibooks.org m
|
|
|
|
|
softmap %NEW_SOFT_ONION% wikinews.org m
|
2017-11-23 13:59:52 +00:00
|
|
|
softmap %NEW_SOFT_ONION% wikipedia.org m
|
2017-03-17 08:17:23 +00:00
|
|
|
softmap %NEW_SOFT_ONION% wikiquote.org m
|
|
|
|
|
softmap %NEW_SOFT_ONION% wikisource.org m
|
|
|
|
|
softmap %NEW_SOFT_ONION% wikiversity.org m
|
|
|
|
|
softmap %NEW_SOFT_ONION% wikivoyage.org m
|
|
|
|
|
softmap %NEW_SOFT_ONION% wiktionary.org m
|
2017-11-23 13:59:52 +00:00
|
|
|
|
2017-03-17 08:17:23 +00:00
|
|
|
# more?
|
2017-11-23 13:59:52 +00:00
|
|
|
|
|
|
|
|
# nb: by subdomain we mean FOO in en.FOO.wikipedia.org, etc.
|
