commit: refactor some checks out to generated template code

lib.d/do-configure.pl

@@ -406,11 +406,16 @@ sub DoProject {
 &SetEnv("suppress_tor2web", 1); # 1 = block access by tor2web sites
 
 &SetEnv("block_err", "This action is not supported over Onion yet, sorry.");
+
 &SetEnv("block_host", "");
 &SetEnv("block_host_re", "");
+
 &SetEnv("block_location", "");
 &SetEnv("block_location_re", "");
 
+&SetEnv("block_path", "");
+&SetEnv("block_path_re", "");
+
 &SetEnv("nginx_action_abort", "return 500");
 
 &SetEnv("referer_whitelist_re", "");

lib.d/expand-template.pl

@@ -449,6 +449,7 @@ do {
             push(@new_template, $line);
             next;
         }
+        &Warn("processing include: $line\n");
         $include_flag++;
         $include_count++;
         my @include_body = &Slurp($line);

templates.d/nginx.conf.txt

@@ -576,58 +576,8 @@ http {
     # no cookie_lock cookie setting
     %%ENDIF
 
-    %%IF %SUPPRESS_TOR2WEB%
-    # suppress tor2web traffic; "let them use clearnet"
-    if ( $http_x_tor2web ) {
-      return 403 "%BLOCK_ERR%";
-    }
-    %%ELSE
-    # tor2web not suppressed
-    %%ENDIF
-
-    %%IF %BLOCK_HOST%
-    # politely block hosts matching this name
-    %%CSV %BLOCK_HOST%
-    if ( $host = "%0%" ) {
-      return 403 "%BLOCK_ERR%";
-    }
-    %%ENDCSV
-    %%ELSE
-    # no polite named host blocking
-    %%ENDIF
-
-    %%IF %BLOCK_HOST_RE%
-    # politely block hosts matching this regular expression
-    %%CSV %BLOCK_HOST_RE%
-    if ( $host ~* "%0%" ) {
-      return 403 "%BLOCK_ERR%";
-    }
-    %%ENDCSV
-    %%ELSE
-    # no polite regular expression host blocking
-    %%ENDIF
-
-    %%IF %BLOCK_LOCATION%
-    # politely block locations by name
-    %%CSV %BLOCK_LOCATION%
-    location %0% {
-      return 403 "%BLOCK_ERR%";
-    }
-    %%ENDCSV
-    %%ELSE
-    # no polite named location blocking
-    %%ENDIF
-
-    %%IF %BLOCK_LOCATION_RE%
-    # politely block locations matching this regular expression
-    %%CSV %BLOCK_LOCATION_RE%
-    location ~* "%0%" {
-      return 403 "%BLOCK_ERR%";
-    }
-    %%ENDCSV
-    %%ELSE
-    # no polite regular expression location blocking
-    %%ENDIF
+    # include generated blocks
+    %%INCLUDE templates.d/nginx-generated-blocks.conf
 
     %%IF %REDIRECT_HOST_CSV%
     # redirect_hosts: 1=host_re,2=scheme://host.dom,3=code
@@ -721,115 +671,10 @@ http {
     # paths are assumed not to contain onionified hostnames
     %%ENDIF
 
-    # blacklists
-
-    %%IF %USER_AGENT_BLACKLIST_RE%
-    # check user_agent_blacklist_re
-    %%CSV %USER_AGENT_BLACKLIST_RE%
-    if ( $http_user_agent ~* "%0%" ) { %NGINX_ACTION_ABORT%; }
-    %%ENDCSV
-    %%ELSE
-    # no user_agent_blacklist_re
-    %%ENDIF
-
-    %%IF %REFERER_BLACKLIST_RE%
-    # check referer_blacklist_re
-    %%CSV %REFERER_BLACKLIST_RE%
-    if ( $http_referer ~* "%0%" ) { %NGINX_ACTION_ABORT%; }
-    %%ENDCSV
-    %%ELSE
-    # no referer_blacklist_re
-    %%ENDIF
-
-    %%IF %HOST_BLACKLIST_RE%
-    # check host_blacklist_re
-    %%CSV %HOST_BLACKLIST_RE%
-    if ( $http_host ~* "%0%" ) { %NGINX_ACTION_ABORT%; }
-    %%ENDCSV
-    %%ELSE
-    # no host_blacklist_re
-    %%ENDIF
-
-    %%IF %PATH_BLACKLIST_RE%
-    # check path_blacklist_re
-    %%CSV %PATH_BLACKLIST_RE%
-    if ( $uri ~* "%0%" ) { %NGINX_ACTION_ABORT%; }
-    %%ENDCSV
-    %%ELSE
-    # no path_blacklist_re
-    %%ENDIF
-
-    # whitelists
-
-    %%IF %USER_AGENT_WHITELIST_RE%
-    # check user_agent_whitelist_re
-    set $non_whitelist_user_agent 1;
-    %%CSV %USER_AGENT_WHITELIST_RE%
-    if ( $http_user_agent ~* "%0%" ) { set $non_whitelist_user_agent 0; }
-    %%ENDCSV
-    %%ELSE
-    # no user_agent_whitelist_re
-    %%ENDIF
-
-    %%IF %REFERER_WHITELIST_RE%
-    # check referer_whitelist_re
-    set $non_whitelist_referer 1;
-    %%CSV %REFERER_WHITELIST_RE%
-    if ( $http_referer ~* "%0%" ) { set $non_whitelist_referer 0; }
-    %%ENDCSV
-    %%ELSE
-    # no referer_whitelist_re
-    %%ENDIF
-
-    %%IF %HOST_WHITELIST_RE%
-    # check host_whitelist_re
-    set $non_whitelist_host 1;
-    %%CSV %HOST_WHITELIST_RE%
-    if ( $http_host ~* "%0%" ) { set $non_whitelist_host 0; }
-    %%ENDCSV
-    %%ELSE
-    # no host_whitelist_re
-    %%ENDIF
-
-    %%IF %PATH_WHITELIST_RE%
-    # check path_whitelist_re
-    set $non_whitelist_path 1;
-    %%CSV %PATH_WHITELIST_RE%
-    if ( $uri ~* "%0%" ) { set $non_whitelist_path 0; }
-    %%ENDCSV
-    %%ELSE
-    # no path_whitelist_re
-    %%ENDIF
-
     # for traffic
     location / {
-      %%IF %USER_AGENT_WHITELIST_RE%
-      # check success of user_agent_whitelist_re
-      if ( $non_whitelist_user_agent ) { %NGINX_ACTION_ABORT%; }
-      %%ELSE
-      # no check for success of user_agent_whitelist_re
-      %%ENDIF
-
-      %%IF %REFERER_WHITELIST_RE%
-      # check success of referer_whitelist_re
-      if ( $non_whitelist_referer ) { %NGINX_ACTION_ABORT%; }
-      %%ELSE
-      # no check for success of referer_whitelist_re
-      %%ENDIF
-
-      %%IF %HOST_WHITELIST_RE%
-      # check success of host_whitelist_re
-      if ( $non_whitelist_host ) { %NGINX_ACTION_ABORT%; }
-      %%ELSE
-      # no check for success of host_whitelist_re
-      %%ENDIF
-
-      %%IF %PATH_WHITELIST_RE%
-      # check success of path_whitelist_re
-      if ( $non_whitelist_path ) { %NGINX_ACTION_ABORT%; }
-      %%ELSE
-      # no check for success of path_whitelist_re
-      %%ENDIF
+      # include generated whitelist checks
+      %%INCLUDE templates.d/nginx-generated-checks.conf
 
       %%IF %COOKIE_LOCK%
       # check for cookie-lock