referer whitelisting

rebased tor and nginx source code
tor down to 3.0.x
nginx up to current

docs.d/TODO.md

@@ -1,6 +1,9 @@
 # Stuff To Consider / Implement
 
 * 020-generate-init-script.sh
+* does onionbalance-tor use opt.d/tor in preference, or not?
+* eotk script: refactor so that there's a separate ob-start which does NOT call ob-gather
+* consider downgrade of RPi scripts to 3.0.x series Tor
 * revisit o2d methods in lua
   * make the case-insensitivity (a) work && (b) be optional
   * at the moment it does a case-insensitive match AND THEN a case-sensitive lookup in a dictionary

lib.d/do-configure.pl

@@ -407,6 +407,11 @@ sub DoProject {
 &SetEnv("block_location", "");
 &SetEnv("block_location_re", "");
 
+&SetEnv("nginx_action_abort", "return 500");
+
+&SetEnv("referer_whitelist_re", "");
+&SetEnv("referer_blacklist_re", "");
+
 &SetEnv("user_agent_whitelist_re", "");
 &SetEnv("user_agent_blacklist_re", "");
 

opt.d/build-nginx-on-raspbian.sh

@@ -1,7 +1,7 @@
 #!/bin/sh -x
 
 keyserver=keyserver.ubuntu.com
-ngxversion=1.13.6
+ngxversion=1.13.7
 ngxsigningkey=B0F4253373F8F6F510D42178520A9993A1C052F8
 
 LUAJITURL="http://luajit.org/download/LuaJIT-2.0.5.tar.gz"

opt.d/build-tor-on-raspbian.sh

@@ -1,7 +1,7 @@
 #!/bin/sh -x
 
 keyserver=keyserver.ubuntu.com
-torversion=0.3.1.7
+torversion=0.3.0.9
 torsigningkey=6AFEE6D49E92B601
 
 here=`dirname $0`

templates.d/nginx-hard.conf.txt

@@ -575,6 +575,8 @@ http {
     # paths are assumed not to contain onionified hostnames
     %%ENDIF
 
+    # blacklists
+
     %%IF %USER_AGENT_BLACKLIST_RE%
     # check user_agent_blacklist_re
     %%CSV %USER_AGENT_BLACKLIST_RE%
@@ -586,18 +588,6 @@ http {
     # no user_agent_blacklist_re
     %%ENDIF
 
-    %%IF %USER_AGENT_WHITELIST_RE%
-    # check user_agent_whitelist_re
-    set $ua_is_bad 1;
-    %%CSV %USER_AGENT_WHITELIST_RE%
-    if ( $http_user_agent ~* "%0%" ) {
-      set $ua_is_bad 0;
-    }
-    %%ENDCSV
-    %%ELSE
-    # no user_agent_whitelist_re
-    %%ENDIF
-
     %%IF %LOCATION_BLACKLIST_RE%
     # check location_blacklist_re
     %%CSV %LOCATION_BLACKLIST_RE%
@@ -609,23 +599,60 @@ http {
     # no location_blacklist_re
     %%ENDIF
 
+    %%IF %REFERER_BLACKLIST_RE%
+    # check referer_blacklist_re
+    %%CSV %REFERER_BLACKLIST_RE%
+    if ( $http_referer ~* "%0%" ) {
+      %NGINX_ACTION_ABORT%;
+    }
+    %%ENDCSV
+    %%ELSE
+    # no referer_blacklist_re
+    %%ENDIF
+
+    # whitelists
+
+    %%IF %USER_AGENT_WHITELIST_RE%
+    # check user_agent_whitelist_re
+    set $non_whitelist_user_agent 1;
+    %%CSV %USER_AGENT_WHITELIST_RE%
+    if ( $http_user_agent ~* "%0%" ) {
+      set $non_whitelist_user_agent 0;
+    }
+    %%ENDCSV
+    %%ELSE
+    # no user_agent_whitelist_re
+    %%ENDIF
+
     %%IF %LOCATION_WHITELIST_RE%
     # check location_whitelist_re
-    set $location_is_bad 1;
+    set $non_whitelist_location 1;
     %%CSV %LOCATION_WHITELIST_RE%
     location ~* "%0%" {
-      set $location_is_bad 0;
+      set $non_whitelist_location 0;
     }
     %%ENDCSV
     %%ELSE
     # no location_whitelist_re
     %%ENDIF
 
+    %%IF %REFERER_WHITELIST_RE%
+    # check referer_whitelist_re
+    set $non_whitelist_referer 1;
+    %%CSV %REFERER_WHITELIST_RE%
+    if ( $http_referer ~* "%0%" ) {
+      set $non_whitelist_referer 0;
+    }
+    %%ENDCSV
+    %%ELSE
+    # no referer_whitelist_re
+    %%ENDIF
+
     # for traffic
     location / {
       %%IF %USER_AGENT_WHITELIST_RE%
       # check success of user_agent_whitelist_re
-      if ( $ua_is_bad ) {
+      if ( $non_whitelist_user_agent ) {
         %NGINX_ACTION_ABORT%;
       }
       %%ELSE
@@ -634,13 +661,22 @@ http {
 
       %%IF %LOCATION_WHITELIST_RE%
       # check success of location_whitelist_re
-      if ( $location_is_bad ) {
+      if ( $non_whitelist_location ) {
         %NGINX_ACTION_ABORT%;
       }
       %%ELSE
       # no check for success of location_whitelist_re
       %%ENDIF
 
+      %%IF %REFERER_WHITELIST_RE%
+      # check success of referer_whitelist_re
+      if ( $non_whitelist_referer ) {
+        %NGINX_ACTION_ABORT%;
+      }
+      %%ELSE
+      # no check for success of referer_whitelist_re
+      %%ENDIF
+
       %%IF %COOKIE_LOCK%
       # check for cookie-lock
       if ( $cookie_eotk_lock != "%COOKIE_LOCK%" ) {

templates.d/nginx.conf.txt

@@ -597,6 +597,8 @@ http {
     # paths are assumed not to contain onionified hostnames
     %%ENDIF
 
+    # blacklists
+
     %%IF %USER_AGENT_BLACKLIST_RE%
     # check user_agent_blacklist_re
     %%CSV %USER_AGENT_BLACKLIST_RE%
@@ -608,18 +610,6 @@ http {
     # no user_agent_blacklist_re
     %%ENDIF
 
-    %%IF %USER_AGENT_WHITELIST_RE%
-    # check user_agent_whitelist_re
-    set $ua_is_bad 1;
-    %%CSV %USER_AGENT_WHITELIST_RE%
-    if ( $http_user_agent ~* "%0%" ) {
-      set $ua_is_bad 0;
-    }
-    %%ENDCSV
-    %%ELSE
-    # no user_agent_whitelist_re
-    %%ENDIF
-
     %%IF %LOCATION_BLACKLIST_RE%
     # check location_blacklist_re
     %%CSV %LOCATION_BLACKLIST_RE%
@@ -631,23 +621,60 @@ http {
     # no location_blacklist_re
     %%ENDIF
 
+    %%IF %REFERER_BLACKLIST_RE%
+    # check referer_blacklist_re
+    %%CSV %REFERER_BLACKLIST_RE%
+    if ( $http_referer ~* "%0%" ) {
+      %NGINX_ACTION_ABORT%;
+    }
+    %%ENDCSV
+    %%ELSE
+    # no referer_blacklist_re
+    %%ENDIF
+
+    # whitelists
+
+    %%IF %USER_AGENT_WHITELIST_RE%
+    # check user_agent_whitelist_re
+    set $non_whitelist_user_agent 1;
+    %%CSV %USER_AGENT_WHITELIST_RE%
+    if ( $http_user_agent ~* "%0%" ) {
+      set $non_whitelist_user_agent 0;
+    }
+    %%ENDCSV
+    %%ELSE
+    # no user_agent_whitelist_re
+    %%ENDIF
+
     %%IF %LOCATION_WHITELIST_RE%
     # check location_whitelist_re
-    set $location_is_bad 1;
+    set $non_whitelist_location 1;
     %%CSV %LOCATION_WHITELIST_RE%
     location ~* "%0%" {
-      set $location_is_bad 0;
+      set $non_whitelist_location 0;
     }
     %%ENDCSV
     %%ELSE
     # no location_whitelist_re
     %%ENDIF
 
+    %%IF %REFERER_WHITELIST_RE%
+    # check referer_whitelist_re
+    set $non_whitelist_referer 1;
+    %%CSV %REFERER_WHITELIST_RE%
+    if ( $http_referer ~* "%0%" ) {
+      set $non_whitelist_referer 0;
+    }
+    %%ENDCSV
+    %%ELSE
+    # no referer_whitelist_re
+    %%ENDIF
+
     # for traffic
     location / {
       %%IF %USER_AGENT_WHITELIST_RE%
       # check success of user_agent_whitelist_re
-      if ( $ua_is_bad ) {
+      if ( $non_whitelist_user_agent ) {
         %NGINX_ACTION_ABORT%;
       }
       %%ELSE
@@ -656,13 +683,22 @@ http {
 
       %%IF %LOCATION_WHITELIST_RE%
       # check success of location_whitelist_re
-      if ( $location_is_bad ) {
+      if ( $non_whitelist_location ) {
         %NGINX_ACTION_ABORT%;
       }
       %%ELSE
       # no check for success of location_whitelist_re
       %%ENDIF
 
+      %%IF %REFERER_WHITELIST_RE%
+      # check success of referer_whitelist_re
+      if ( $non_whitelist_referer ) {
+        %NGINX_ACTION_ABORT%;
+      }
+      %%ELSE
+      # no check for success of referer_whitelist_re
+      %%ENDIF
+
       %%IF %COOKIE_LOCK%
       # check for cookie-lock
       if ( $cookie_eotk_lock != "%COOKIE_LOCK%" ) {