kopia lustrzana https://github.com/alecmuffett/eotk
referer whitelisting
rebased tor and nginx source code: tor down to 3.0.x, nginx up to current
pull/29/head
rodzic
70a788ab81
commit
937b4b1162
|
@ -1,6 +1,9 @@
|
|||
# Stuff To Consider / Implement
|
||||
|
||||
* 020-generate-init-script.sh
|
||||
* does onionbalance-tor use opt.d/tor in preference, or not?
|
||||
* eotk script: refactor so that there's a separate ob-start which does NOT call ob-gather
|
||||
* consider downgrade of RPi scripts to 3.0.x series Tor
|
||||
* revisit o2d methods in lua
|
||||
* make the case-insensitivity (a) work && (b) be optional
|
||||
* at the moment it does a case-insensitive match AND THEN a case-sensitive lookup in a dictionary
|
||||
|
|
|
@ -407,6 +407,11 @@ sub DoProject {
|
|||
&SetEnv("block_location", "");
|
||||
&SetEnv("block_location_re", "");
|
||||
|
||||
&SetEnv("nginx_action_abort", "return 500");
|
||||
|
||||
&SetEnv("referer_whitelist_re", "");
|
||||
&SetEnv("referer_blacklist_re", "");
|
||||
|
||||
&SetEnv("user_agent_whitelist_re", "");
|
||||
&SetEnv("user_agent_blacklist_re", "");
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh -x
|
||||
|
||||
keyserver=keyserver.ubuntu.com
|
||||
ngxversion=1.13.6
|
||||
ngxversion=1.13.7
|
||||
ngxsigningkey=B0F4253373F8F6F510D42178520A9993A1C052F8
|
||||
|
||||
LUAJITURL="http://luajit.org/download/LuaJIT-2.0.5.tar.gz"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh -x
|
||||
|
||||
keyserver=keyserver.ubuntu.com
|
||||
torversion=0.3.1.7
|
||||
torversion=0.3.0.9
|
||||
torsigningkey=6AFEE6D49E92B601
|
||||
|
||||
here=`dirname $0`
|
||||
|
|
|
@ -575,6 +575,8 @@ http {
|
|||
# paths are assumed not to contain onionified hostnames
|
||||
%%ENDIF
|
||||
|
||||
# blacklists
|
||||
|
||||
%%IF %USER_AGENT_BLACKLIST_RE%
|
||||
# check user_agent_blacklist_re
|
||||
%%CSV %USER_AGENT_BLACKLIST_RE%
|
||||
|
@ -586,18 +588,6 @@ http {
|
|||
# no user_agent_blacklist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %USER_AGENT_WHITELIST_RE%
|
||||
# check user_agent_whitelist_re
|
||||
set $ua_is_bad 1;
|
||||
%%CSV %USER_AGENT_WHITELIST_RE%
|
||||
if ( $http_user_agent ~* "%0%" ) {
|
||||
set $ua_is_bad 0;
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no user_agent_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %LOCATION_BLACKLIST_RE%
|
||||
# check location_blacklist_re
|
||||
%%CSV %LOCATION_BLACKLIST_RE%
|
||||
|
@ -609,23 +599,60 @@ http {
|
|||
# no location_blacklist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %REFERER_BLACKLIST_RE%
|
||||
# check referer_blacklist_re
|
||||
%%CSV %REFERER_BLACKLIST_RE%
|
||||
if ( $http_referer ~* "%0%" ) {
|
||||
%NGINX_ACTION_ABORT%;
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no referer_blacklist_re
|
||||
%%ENDIF
|
||||
|
||||
# whitelists
|
||||
|
||||
%%IF %USER_AGENT_WHITELIST_RE%
|
||||
# check user_agent_whitelist_re
|
||||
set $non_whitelist_user_agent 1;
|
||||
%%CSV %USER_AGENT_WHITELIST_RE%
|
||||
if ( $http_user_agent ~* "%0%" ) {
|
||||
set $non_whitelist_user_agent 0;
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no user_agent_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %LOCATION_WHITELIST_RE%
|
||||
# check location_whitelist_re
|
||||
set $location_is_bad 1;
|
||||
set $non_whitelist_location 1;
|
||||
%%CSV %LOCATION_WHITELIST_RE%
|
||||
location ~* "%0%" {
|
||||
set $location_is_bad 0;
|
||||
set $non_whitelist_location 0;
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no location_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %REFERER_WHITELIST_RE%
|
||||
# check referer_whitelist_re
|
||||
set $non_whitelist_referer 1;
|
||||
%%CSV %REFERER_WHITELIST_RE%
|
||||
if ( $http_referer ~* "%0%" ) {
|
||||
set $non_whitelist_referer 0;
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no referer_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
# for traffic
|
||||
location / {
|
||||
%%IF %USER_AGENT_WHITELIST_RE%
|
||||
# check success of user_agent_whitelist_re
|
||||
if ( $ua_is_bad ) {
|
||||
if ( $non_whitelist_user_agent ) {
|
||||
%NGINX_ACTION_ABORT%;
|
||||
}
|
||||
%%ELSE
|
||||
|
@ -634,13 +661,22 @@ http {
|
|||
|
||||
%%IF %LOCATION_WHITELIST_RE%
|
||||
# check success of location_whitelist_re
|
||||
if ( $location_is_bad ) {
|
||||
if ( $non_whitelist_location ) {
|
||||
%NGINX_ACTION_ABORT%;
|
||||
}
|
||||
%%ELSE
|
||||
# no check for success of location_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %REFERER_WHITELIST_RE%
|
||||
# check success of referer_whitelist_re
|
||||
if ( $non_whitelist_referer ) {
|
||||
%NGINX_ACTION_ABORT%;
|
||||
}
|
||||
%%ELSE
|
||||
# no check for success of referer_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %COOKIE_LOCK%
|
||||
# check for cookie-lock
|
||||
if ( $cookie_eotk_lock != "%COOKIE_LOCK%" ) {
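Review bot: In the new `%%IF %REFERER_WHITELIST_RE%` block, `$non_whitelist_referer` starts at 1 and is cleared only when `$http_referer` matches one of the patterns, so a request that carries no Referer header at all is aborted in `location /` whenever a whitelist is configured; the template does not say whether that is intended. Referer is also a client-supplied header, so this check can limit hotlinking and casual cross-site linking but should not be read as access control, and the same holds for the new referer blacklist. I would state both in the generated config, e.g. `# referer is client-supplied; a missing Referer fails the whitelist`, and if header-less requests are meant to pass, add `if ( $http_referer = "" ) { set $non_whitelist_referer 0; }` next to the initial `set`. Each `%0%` is also pasted unescaped into a double-quoted nginx string, so a pattern containing `"` would presumably break the generated file; that is worth validating where the setting is parsed. The identical block in the second template section further down raises the same points.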
|
||||
|
|
|
@ -597,6 +597,8 @@ http {
|
|||
# paths are assumed not to contain onionified hostnames
|
||||
%%ENDIF
|
||||
|
||||
# blacklists
|
||||
|
||||
%%IF %USER_AGENT_BLACKLIST_RE%
|
||||
# check user_agent_blacklist_re
|
||||
%%CSV %USER_AGENT_BLACKLIST_RE%
|
||||
|
@ -608,18 +610,6 @@ http {
|
|||
# no user_agent_blacklist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %USER_AGENT_WHITELIST_RE%
|
||||
# check user_agent_whitelist_re
|
||||
set $ua_is_bad 1;
|
||||
%%CSV %USER_AGENT_WHITELIST_RE%
|
||||
if ( $http_user_agent ~* "%0%" ) {
|
||||
set $ua_is_bad 0;
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no user_agent_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %LOCATION_BLACKLIST_RE%
|
||||
# check location_blacklist_re
|
||||
%%CSV %LOCATION_BLACKLIST_RE%
|
||||
|
@ -631,23 +621,60 @@ http {
|
|||
# no location_blacklist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %REFERER_BLACKLIST_RE%
|
||||
# check referer_blacklist_re
|
||||
%%CSV %REFERER_BLACKLIST_RE%
|
||||
if ( $http_referer ~* "%0%" ) {
|
||||
%NGINX_ACTION_ABORT%;
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no referer_blacklist_re
|
||||
%%ENDIF
|
||||
|
||||
# whitelists
|
||||
|
||||
%%IF %USER_AGENT_WHITELIST_RE%
|
||||
# check user_agent_whitelist_re
|
||||
set $non_whitelist_user_agent 1;
|
||||
%%CSV %USER_AGENT_WHITELIST_RE%
|
||||
if ( $http_user_agent ~* "%0%" ) {
|
||||
set $non_whitelist_user_agent 0;
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no user_agent_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %LOCATION_WHITELIST_RE%
|
||||
# check location_whitelist_re
|
||||
set $location_is_bad 1;
|
||||
set $non_whitelist_location 1;
|
||||
%%CSV %LOCATION_WHITELIST_RE%
|
||||
location ~* "%0%" {
|
||||
set $location_is_bad 0;
|
||||
set $non_whitelist_location 0;
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no location_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %REFERER_WHITELIST_RE%
|
||||
# check referer_whitelist_re
|
||||
set $non_whitelist_referer 1;
|
||||
%%CSV %REFERER_WHITELIST_RE%
|
||||
if ( $http_referer ~* "%0%" ) {
|
||||
set $non_whitelist_referer 0;
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no referer_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
# for traffic
|
||||
location / {
|
||||
%%IF %USER_AGENT_WHITELIST_RE%
|
||||
# check success of user_agent_whitelist_re
|
||||
if ( $ua_is_bad ) {
|
||||
if ( $non_whitelist_user_agent ) {
|
||||
%NGINX_ACTION_ABORT%;
|
||||
}
|
||||
%%ELSE
|
||||
|
@ -656,13 +683,22 @@ http {
|
|||
|
||||
%%IF %LOCATION_WHITELIST_RE%
|
||||
# check success of location_whitelist_re
|
||||
if ( $location_is_bad ) {
|
||||
if ( $non_whitelist_location ) {
|
||||
%NGINX_ACTION_ABORT%;
|
||||
}
|
||||
%%ELSE
|
||||
# no check for success of location_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %REFERER_WHITELIST_RE%
|
||||
# check success of referer_whitelist_re
|
||||
if ( $non_whitelist_referer ) {
|
||||
%NGINX_ACTION_ABORT%;
|
||||
}
|
||||
%%ELSE
|
||||
# no check for success of referer_whitelist_re
|
||||
%%ENDIF
|
||||
|
||||
%%IF %COOKIE_LOCK%
|
||||
# check for cookie-lock
|
||||
if ( $cookie_eotk_lock != "%COOKIE_LOCK%" ) {
|
||||
|
|