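# -*- conf -*-

# EOTK project configuration (reference/demo). One directive or comment
# per line; a line beginning with `#` is a comment. Directives seen in
# this file: `set NAME VALUE...`, `foreignmap`, `hardmap`, `softmap`.

# ---- INTERNAL STUFF && STUFF YET TO BE DOC'D, DON'T MESS WITH THIS ----

# set debug_trap
# set foreignmap_csv
# set nginx_action_abort
# set preserve_after
# set preserve_before
# set project
# set projects_home
# set ssl_tool
# set template_tool
# set tor_worker_prefix

# nonce128_1
# nonce128_2
# nonce128_3
# nonce128_4
# nonce128_5
# nonce256_1
# nonce256_2
# nonce256_3
# nonce256_4
# nonce256_5

# ---- CUTE HACKS ----

# create a URL which must be hit BEFORE the onion will work (sets a
# cookie, cheap/hacky form of access control). Anyone who learns the
# path can set the cookie, so treat this as obscurity, not as
# authentication.
#
# set cookie_lock /open-sesame

# EOTK sets a header (X-From-Onion) to pass to Origin; default value is "1"
#
# set x_from_onion_value 1

# When you're proving SSL ownership, you may want arbitrary text
# strings to be returned for a GET upon an arbitrary "/path"
#
# set ssl_proof_csv \
# /.well_known/fookey1,fooval1 \
# /.well_known/fookey2,fooval2

# ...and a similar, more generic, regular-expression-based solution
# for fixed strings to be returned for a GET upon an arbitrary
# location (restricted to HTTPS-only)
#
# set hardcoded_endpoint_csv ^/regexp/pattern/?$,stringvalue ...

# ---- PRESERVE_CSV ----

# EOTK uses a search-and-replace strategy for editing content on the
# fly; one side-effect of this is that some instances of domain names
# may be rewritten unwantedly (eg: email addresses like
# foo@facebook.com become foo@facebookcorewwwi.onion)

# `preserve_csv` uses a very simple heuristic to try and protect
# plaintext domain names from being rewritten.

# set preserve_csv uniquetoken,regexp,regexpcaseflag,replacement ...

# eg: `set preserve_csv fbtld,facebook\\.com,i,facebook.com` ... will
# canonicalise FOO@FACEBOOK.COM to FOO@facebook.com (because the 'i'
# flag implies case-insensitive) but at least it won't be onionified.

# ---- REDIRECTS BY HOST OR URL-PATH ----

# ...redirects which preserve the trailing request URI

# set redirect_host regexp,code,destination ...
# set redirect_path regexp,code,destination ...

# ...redirects which DO NOT preserve the trailing request URI

# set redirect_fixed_host regexp,code,destination ...
# set redirect_fixed_path regexp,code,destination ...

# ---- BLOCKING SITES BY NAME OR REGEXP ----

# you can use either/both of the re/non-re forms of host-blocking and
# location-blocking, however the variables are single-valued so be
# careful of polluting multiple projects. If your site needs
# different blocking for different onions, consider splitting your
# config into multiple files and using `foreignmap` to stitch the
# hostname rewrites together. Blocks generally cause a 403.

# set block_err "This action is not supported over Onion yet sorry."

# set block_host value ...
# set block_host_re regexp ...
# set block_location value # DEPRECATED DO NOT USE
# set block_location_re # DEPRECATED DO NOT USE
# set block_origin value ...
# set block_origin_re regexp ...
# set block_param value ...
# set block_param_re regexp ...
# set block_path value ...
# set block_path_re regexp ...
# set block_referer value ...
# set block_referer_re regexp ...
# set block_user_agent value ...
# set block_user_agent_re regexp ...

# ---- BLACKLISTS AND WHITELISTS ----

# You may blacklist or whitelist characteristics of requests;
# blacklists are applied first, whitelists second. Whitelists are
# "all requests not matching will fail". Blacklists are "all
# requests matching will fail". Failures are generally 500
# because it presents the least attack surface to a penetration
# tester. All black/whitelists are multi-valued (you may specify
# several values on one line, space-separated)

# set host_blacklist value ...
# set host_blacklist_re regexp ...
# set host_whitelist value ...
# set host_whitelist_re regexp ...
# set origin_blacklist value ...
# set origin_blacklist_re regexp ...
# set origin_whitelist value ...
# set origin_whitelist_re regexp ...
# set param_blacklist value ...
# set param_blacklist_re regexp ...
# set param_whitelist value ...
# set param_whitelist_re regexp ...
# set path_blacklist value ...
# set path_blacklist_re regexp ...
# set path_whitelist value ...
# set path_whitelist_re regexp ...
# set referer_blacklist value ...
# set referer_blacklist_re regexp ...
# set referer_whitelist value ...
# set referer_whitelist_re regexp ...
# set user_agent_blacklist value ...
# set user_agent_blacklist_re regexp ...
# set user_agent_whitelist value ...
# set user_agent_whitelist_re regexp ...

# ---- "EXTRA PROCESSING" ----

# By default, EOTK rewrites application/javascript application/json
# application/x-javascript text/css text/html text/javascript
# text/xml; you can add to this list, if necessary ...
#
# set extra_subs_filter_types xml/foo+bar ...

# This is a list of "content-type,uri-regexp" patterns of content to
# apply "extra processing" (ie: content hostname rewrites) to; if for
# instance your CMS emits JSON as "application/octet-stream" in file
# URIs ending with ".jblob" then you could try something like:
#
# set extra_processing_csv type/subtype,regexp ...
# set extra_processing_csv application/octet-stream,\\.jblob$

# ---- NGINX TUNABLES ----

# set nginx_block_busy_size 32k
# set nginx_block_count 32
# set nginx_block_size 16k
# set nginx_hash_bucket_size 128
# presumably handed to nginx's `resolver` directive for runtime name
# lookups; 8.8.8.8 is only an example -- point it at a resolver you
# trust for the origin lookups this host will make
# set nginx_resolver 8.8.8.8
# set nginx_rlim 256
# set nginx_syslog error
# set nginx_template $here/templates.d/nginx.conf.txt
# set nginx_timeout 15
# set nginx_tmpfile_size 256m
# set nginx_workers auto
# set softmap_nginx_workers auto

# ---- CREATE A HELLO_ONION PAGE ----

# set nginx_hello_onion 1

# ---- NGINX CACHING ----

# Setting nginx_cache_seconds to a value greater than zero will enable
# caching; after that the other variables will come into play.

# set nginx_cache_seconds 0
# set nginx_cache_min_uses 1
# set nginx_cache_size 256m
# set no_cache_content_type
# set no_cache_host

# ---- SSL CERTIFICATE DIRECTORY ----

# Probably wisest not to mess with this value, but instead to drop
# your relevant certificates into projects.d/PROJECTNAME.d/ssl.d and
# check your file permissions very carefully, because (eg:) softmap
# and rsync will need/replicate this data. Make sure you have safe
# copies stored elsewhere.

# set ssl_dir $ENV{PROJECT_DIR}/ssl.d

# ---- HTTP/S security options ----

# THIS ONE IS IMPORTANT: `force_https` is enabled by default and
# prevents EOTK from making cleartext HTTP requests over the internet,
# instead it requests the user to retry the request as HTTPS; setting
# this by default WILL BREAK SOME SITES however it's proper to have it
# as default behaviour. If you experience "too many redirects" errors
# when connecting over the onion, this may be the cause, and although
# you can disable it, it would be better to fix your site to be HTTPS.

# The trailing `# ...` annotations on the lines below are notes; if
# you uncomment one of these directives, keep the directive alone on
# its line rather than assuming the trailing text is stripped.

# set force_https 1 # `on` by default

# We delete HPKP and HSTS completely (TorBrowser does not support them
# because anonymity issues) and CSP by default we attempt to rewrite,
# but you can likewise disable.

# set suppress_header_csp 0 # 0 = try rewriting; 1 = elide completely
# set suppress_header_hpkp 1 # 1 = elide completely
# set suppress_header_hsts 1 # 1 = elide completely
# set suppress_methods_except_get 0 # 1 = GET/HEAD Only
# set suppress_tor2web 1 # 1 = suppress (let them use clearnet)

# ---- TOR TUNING ----

# set tor_intros_per_daemon 3
# set tor_single_onion 1
# set tor_syslog notice
# set tor_template $here/templates.d/tor.conf.txt
# set softmap_tor_workers 2

# ---- PROJECTS & MAPPINGS ----

# foreignmaps are onion-to-site mappings that exist outside of this
# particular configuration file, eg: for some other site.

foreignmap facebookcorewwwi.onion facebook.com

# hardmaps use tor daemon configs with onions hard-coded in them

set project hardexample
hardmap %NEW_V3_ONION% foo.local
hardmap %NEW_V3_ONION% bar.local

# softmaps use onionbalance software to loadbalance across workers

set project softexample
softmap %NEW_V3_ONION% example.com
softmap %NEW_V3_ONION% example.org
softmap %NEW_V3_ONION% example.net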