Enterprise-Onion-Toolkit/templates.d/nginx.conf.txt

# -*- awk -*-
# eotk (c) 2017 Alec Muffett

# EMACS awk mode works quite well for nginx configs

# logs and pids
pid %PROJECT_DIR%/nginx.pid;
error_log %LOG_DIR%/nginx-error.log %NGINX_SYSLOG%;

# TODO: notes for custom 403 error-handling pages:
# https://www.cyberciti.biz/faq/unix-linux-nginx-custom-error-403-page-configuration/
# https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page

# performance
%%IF %IS_SOFTMAP%
worker_processes %SOFTMAP_NGINX_WORKERS%; # softmap
%%ELSE
worker_processes %NGINX_WORKERS%; # hardmap
%%ENDIF
worker_rlimit_nofile %NGINX_RLIM%;
events {
  worker_connections %NGINX_RLIM%;
}

http {
  # dns for proxy (sigh)
  # we should do `ipv6=off` here, but compat issues, hence NGINX_RESOLVER_FLAGS
  resolver %NGINX_RESOLVER% valid=%NGINX_TIMEOUT%s %NGINX_RESOLVER_FLAGS%;
  resolver_timeout %NGINX_TIMEOUT%s;

  # internal connection buffers; these are quite large, need space to
  # swallow entire SSL headers because we're being a MITM...
  proxy_buffering on;
  proxy_buffers 16 64k;
  proxy_buffer_size 64k;
  proxy_busy_buffers_size 512k;
  proxy_max_temp_file_size 2048k;
  proxy_temp_file_write_size 64k;
  proxy_temp_path "/tmp";

  %%IF %NGINX_CACHE_SECONDS%
  # nginx caching static responses for %NGINX_CACHE_SECONDS% seconds
  # - this is a lightweight cache to reduce "storms", hence the global
  # approch of "cache everything for a small number of seconds"
  # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
  proxy_cache_path /tmp/nginx-cache-%PROJECT% levels=1:2 keys_zone=%PROJECT%:%NGINX_CACHE_SIZE%;
  proxy_cache %PROJECT%;
  proxy_cache_revalidate on;
  proxy_cache_use_stale timeout updating;
  # "proxy_cache_valid any" includes things like 404s
  proxy_cache_valid any %NGINX_CACHE_SECONDS%s;
  %%ELSE
  # nginx caching disabled
  %%ENDIF

  # logs
  access_log %LOG_DIR%/nginx-access.log;

  # global settings
  server_tokens off;

  # allow/deny (first wins)
  allow "unix:";
  deny all;

  # rewrite these content types; text/html is implicit
  subs_filter_types
  application/javascript
  application/json
  application/x-javascript
  text/css
  text/javascript
  text/xml
  ;

  # subs_filter: these patterns bear some explanation; the goal is to
  # work regular expressions really hard in order to minimise the
  # number of expressions which are used in the basic config, so the
  # basic pattern is to capture zero/more "sub." in "//sub.foo.com"
  # and interpolate that into "//sub.xxxxxxxx.onion"; so far?

  # but it turns out that some JSON libraries like to "escape" the
  # forward slashes in JSON content, leading to input like (literal)
  # "http:\/\/sub.foo.com\/foo.html" - so you need to add the
  # backslashes, but then you need to escape the backslashes, except
  # they need double-escaping in the regexp because of string
  # interpolation; hence 4x backslash -> 1x matched character

  # likewise we use the "_RE2" form of the re-escaped domain name in
  # order to coerce the regexp to match literal dots, not wildcards.

  # there seems to be some sort of shortcut at play here; the trailing
  # "\\b" also seems to work as "\b" however that would apparently
  # break the double-escaping that is necessary/works everywhere else
  # in subs_filter.

  # also, regrettably, named capture groups appear not to work, we're
  # fortunate that there appear not to be more than 9 capture groups
  # by default, lest "$1" bleed into the subsequent digits of an onion
  # address: $1234567abcdefghij.onion

  %%BEGIN
  subs_filter
  //(([-0-9a-z]+\\.)+)?%DNS_DOMAIN_RE2%\\b
  //$1%ONION_ADDRESS%
  gir;

  subs_filter
  \\\\/\\\\/(([-0-9a-z]+\\.)+)?%DNS_DOMAIN_RE2%\\b
  \\/\\/$1%ONION_ADDRESS%
  gir;

  %%END

  # fix the cookies
  %%BEGIN
  proxy_cookie_domain
  %DNS_DOMAIN%
  %ONION_ADDRESS%
  ;
  %%END

  # fix the header-redirects
  %%BEGIN
  proxy_redirect
  ~*^(.*?)\\b%DNS_DOMAIN_RE2%\\b(.*)$
  $1%ONION_ADDRESS%$2
  ;
  %%END

  # o2d_lookup -> if cannot remap, return input.  note: old versions
  # of lua-plugin cannot cope with code like o2d_mappings[o[1]]
  # because of `long bracket syntax`; the `[o[` freaks it out.
  # See: https://github.com/openresty/lua-nginx-module/issues/748
  init_by_lua_block {
    slog = function (s) -- in case of manual debugging
      ngx.log(ngx.ERR, "\n<<", s, ">>\n")
      return
    end

    o2d_mappings = {}
    %%BEGIN
    o2d_mappings["%ONION_ADDRESS%"] = "%DNS_DOMAIN%"
    %%END

    o2d_lookup = function (o)
      local k = o[1]
      return ( o2d_mappings[k] or k )
    end

    onion2dns = function (i)
      if i == nil then
        return nil
      end
      local o, num, errs = ngx.re.gsub(i, "\\b([a-z2-7]{16}\\.onion)\\b", o2d_lookup, "io")
      return o
    end

    dns2onion = function (i) -- inherently a bit flaky because ordering, boundaries; avoid
      local num, errs
      %%BEGIN
      i, num, errs = ngx.re.gsub(i, "\\b(%DNS_DOMAIN_RE2%)\\b", "%ONION_ADDRESS%", "io")
      %%END
      return i
    end
  }

  %%IF %SUPPRESS_HEADER_CSP%
  # csp suppression
  proxy_hide_header "Content-Security-Policy";
  proxy_hide_header "Content-Security-Policy-Report-Only";
  %%ELSE
  # csp not suppressed
  %%ENDIF

  %%IF %SUPPRESS_HEADER_HSTS%
  # hsts suppression
  proxy_hide_header "Strict-Transport-Security";
  %%ELSE
  # hsts not suppressed
  %%ENDIF

  %%IF %SUPPRESS_HEADER_HPKP%
  # hpkp suppression
  proxy_hide_header "Public-Key-Pins";
  proxy_hide_header "Public-Key-Pins-Report-Only";
  %%ELSE
  # hpkp not suppressed
  %%ENDIF

  # global proxy settings
  proxy_read_timeout %NGINX_TIMEOUT%;
  proxy_connect_timeout %NGINX_TIMEOUT%;

  # SSL config
  ssl_certificate %SSL_DIR%/%CERT_PREFIX%.cert;
  ssl_certificate_key %SSL_DIR%/%CERT_PREFIX%.pem;
  ssl_buffer_size 4k;
  #ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES256'; ## LibreSSL, OpenSSL 1.1.0+
  ssl_ciphers 'EECDH+AESGCM:EECDH+AES256'; ## OpenSSL 1.0.1% to 1.0.2%
  ssl_ecdh_curve prime256v1;
  #ssl_ecdh_curve secp384r1:prime256v1; ## NGINX nginx 1.11.0 and later
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  # websockets: on the basis of http_upgrade, set connection_upgrade:
  # empty -> empty
  # default -> "upgrade"
  map $http_upgrade $connection_upgrade {
    default "upgrade";
    "" "";
  }

  %%BEGIN
  # for %ONION_ADDRESS% -> %DNS_DOMAIN%
  server {
    %%IF %IS_SOFTMAP%
    %%RANGE I 1 %SOFTMAP_TOR_WORKERS%
    # softmap onion %I%
    listen unix:%PROJECT_DIR%/%TOR_WORKER_PREFIX%-%I%.d/port-80.sock;
    listen unix:%PROJECT_DIR%/%TOR_WORKER_PREFIX%-%I%.d/port-443.sock ssl;
    %%ENDRANGE
    %%ELSE
    # hardmap
    # unix sockets; use <ONION_ADDRESS>.d as a naming convention
    listen unix:%PROJECT_DIR%/%ONION_ADDRESS%.d/port-80.sock;
    listen unix:%PROJECT_DIR%/%ONION_ADDRESS%.d/port-443.sock ssl;
    %%ENDIF

    # subdomain regexp captures trailing dot, use carefully; does not need "~*"
    server_name
    %ONION_ADDRESS%
    ~^(?<snsd>([-0-9a-z]+\\.)+)%ONION_ADDRESS_RE2%$
    ;

    %%IF %NGINX_HELLO_ONION%
    # for test & to help SSL certificate acceptance
    location ~* ^/hello[-_]onion/?$ {
      return 200 "Hello, Onion User!";
    }
    %%ELSE
    # no "hello-onion" endpoint
    %%ENDIF

    %%IF %BLOCK_LOCATION%
    # block locations by name
    location %BLOCK_LOCATION% {
      return 403 "URI not supported over Onion. Sorry.";
    }
    %%ELSE
    # no named location blocking
    %%ENDIF

    %%IF %BLOCK_LOCATION_RE%
    # block locations matching this regular expression
    location ~* %BLOCK_LOCATION_RE% {
      return 403 "URI not supported over Onion. Sorry.";
    }
    %%ELSE
    # no location regular expression blocking
    %%ENDIF

    # for traffic
    location / {
      proxy_pass "$scheme://${snsd}%DNS_DOMAIN%"; # note $scheme
      proxy_http_version 1.1;
      proxy_set_header Host "${snsd}%DNS_DOMAIN%";
      proxy_set_header Accept-Encoding ""; # but putting this in `http` fails?
      proxy_set_header Connection $connection_upgrade; # SSL
      proxy_set_header Upgrade $http_upgrade; # SSL
      proxy_ssl_server_name on; # SSL

      set_by_lua_block $referer2 {
        return onion2dns(ngx.var.http_referer)
      }
      proxy_set_header Referer $referer2;

      set_by_lua_block $origin2 {
        return onion2dns(ngx.var.http_origin)
      }
      proxy_set_header Origin $origin2;

      %%IF %SUPPRESS_METHODS_EXCEPT_GET%
      # suppress non-GET methods (e.g.: POST)
      limit_except GET {
        deny all;
      }
      %%ELSE
      # non-GET methods (e.g.: POST) are not suppressed
      %%ENDIF

      %%IF %BLOCK_HOST%
      # block hosts matching this name
      if ( $host = %BLOCK_HOST% ) {
        # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
        return 403 "Host not supported over Onion. Sorry.";
      }
      %%ELSE
      # no named host blocking
      %%ENDIF

      %%IF %BLOCK_HOST_RE%
      # block hosts matching this regular expression
      if ( $host ~* %BLOCK_HOST_RE% ) {
          # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
          return 403 "Host not supported over Onion. Sorry.";
      }
      %%ELSE
      # no host regular expression blocking
      %%ENDIF
    }
  }

  %%END

  # header purge
  more_clear_headers "Age";
  more_clear_headers "Server";
  more_clear_headers "Via";
  more_clear_headers "X-From-Nginx";
  more_clear_headers "X-NA";
  more_clear_headers "X-Powered-By";
  more_clear_headers "X-Request-Id";
  more_clear_headers "X-Runtime";
  more_clear_headers "X-Varnish";
}