commit: this might work

lib.d/do-configure.pl

@@ -590,6 +590,8 @@ my @set_blank = qw(
     host_blacklist_re
     host_whitelist
     host_whitelist_re
+    inject_origin
+    inject_referer
     log_separate
     nginx_modules_dirs
     no_cache_content_type
@@ -615,8 +617,6 @@ my @set_blank = qw(
     referer_blacklist_re
     referer_whitelist
     referer_whitelist_re
-    synthetic_origin
-    synthetic_referer
     user_agent_blacklist
     user_agent_blacklist_re
     user_agent_whitelist

lib.d/lint.pl

@@ -50,6 +50,8 @@ my %known =
      'HOST_BLACKLIST_RE' => 1,
      'HOST_WHITELIST' => 1,
      'HOST_WHITELIST_RE' => 1,
+     'INJECT_ORIGIN' => 1,
+     'INJECT_REFERER' => 1,
      'IS_SOFTMAP' => 1,
      'LEFT_TLD_RE' => 1,
      'LOG_DIR' => 1, # where logs for the current project live
@@ -130,8 +132,6 @@ my %known =
      'SUPPRESS_HEADER_HSTS' => 1,
      'SUPPRESS_METHODS_EXCEPT_GET' => 1,
      'SUPPRESS_TOR2WEB' => 1,
-     'SYNTHETIC_ORIGIN' => 1,
-     'SYNTHETIC_REFERER' => 1,
      'TEMPLATE_TOOL' => 1,
      'TOR_DIR' => 1, # where the current onion is being installed; subtle
      'TOR_INTROS_PER_DAEMON' => 1,

templates.d/nginx.conf.txt

@@ -284,6 +284,26 @@ http {
     -- d2o_mappings["%DNS_DOMAIN%"] = "%ONION_ADDRESS%"
     %%END
 
+    -- injected origins
+    origin_replacement = {}
+    %%IF %INJECT_ORIGIN%
+    %%CSV %INJECT_ORIGIN%
+    origin_replacement["%1%"] = "%2%"
+    %%ENDCSV
+    %%ELSE
+    -- no origin replacements
+    %%ENDIF
+
+    -- injected referers
+    referer_replacement = {}
+    %%IF %INJECT_REFERER%
+    %%CSV %INJECT_REFERER%
+    referer_replacement["%1%"] = "%2%"
+    %%ENDCSV
+    %%ELSE
+    -- no referer replacements
+    %%ENDIF
+
     -- EDITING FUNCTIONS
 
     -- 1st element is the LEFT_TLD_RE boundary prefix, probably an empty string, maybe '2f'
@@ -318,14 +338,14 @@ http {
 
     -- SHIMS
 
-    -- shim for referer rewrite, permitting injection
-    rewrite_referer_o2d = function (i, ctx)
-      return ApplyReplacement(i, o2d_search_and_replace)
-    end
-
     -- shim for origin rewrite, permitting injection
     rewrite_origin_o2d = function (i, ctx)
-      return ApplyReplacement(i, o2d_search_and_replace)
+      return origin_replacement[ctx] or ApplyReplacement(i, o2d_search_and_replace)
+    end
+
+    -- shim for referer rewrite, permitting injection
+    rewrite_referer_o2d = function (i, ctx)
+      return referer_replacement[ctx] or ApplyReplacement(i, o2d_search_and_replace)
     end
 
     -- shim for cookie rewrite, permitting injection
@@ -719,14 +739,23 @@ http {
       proxy_set_header Upgrade $http_upgrade; # SSL
       proxy_ssl_server_name on; # SSL
 
-      # rewrite/inject request referer TODO
-      set_by_lua_block $referer2 { return rewrite_referer_o2d(ngx.var.http_referer, "%DNS_DOMAIN%") }
-      proxy_set_header Referer $referer2;
+      # NB: it's very tempting to use `$http_host` / ngx.var.http_host
+      # (or similar per-request information) as the context for the
+      # call to `rewrite_origin_o2d` and its friends; my thinking at
+      # the moment is that that would be "too narrow" / "too easy to
+      # break" because wildcards/CDN-hosts would need to be matched,
+      # and that sort of thing.  Switching on the TLD of upstream
+      # currently seems cognitively easier to deal with; plus: Lua
+      # interns short strings, so it should be fast.
 
       # rewrite/inject request origin TODO
       set_by_lua_block $origin2 { return rewrite_origin_o2d(ngx.var.http_origin, "%DNS_DOMAIN%") }
       proxy_set_header Origin $origin2;
 
+      # rewrite/inject request referer TODO
+      set_by_lua_block $referer2 { return rewrite_referer_o2d(ngx.var.http_referer, "%DNS_DOMAIN%") }
+      proxy_set_header Referer $referer2;
+
       # rewrite request cookies
       set_by_lua_block $cookie2 { return rewrite_cookie_o2d(ngx.var.http_cookie, "%DNS_DOMAIN%") }
       proxy_set_header Cookie $cookie2;