# -*- awk -*- # eotk (c) 2017 Alec Muffett # EMACS awk mode works quite well for nginx configs # logs and pids pid %PROJECT_DIR%/nginx.pid; error_log %LOG_DIR%/nginx-error.log %NGINX_SYSLOG%; # performance %%IF %IS_SOFTMAP% worker_processes %SOFTMAP_NGINX_WORKERS%; # softmap %%ELSE worker_processes %NGINX_WORKERS%; # hardmap %%ENDIF worker_rlimit_nofile %NGINX_RLIM%; events { worker_connections %NGINX_RLIM%; } http { # dns for proxy (sigh) resolver %NGINX_RESOLVER% valid=%NGINX_TIMEOUT%s; # should be able to do `ipv6=off` here, but problems resolver_timeout %NGINX_TIMEOUT%s; proxy_buffering on; proxy_buffers 16 64k; proxy_buffer_size 64k; proxy_busy_buffers_size 512k; proxy_max_temp_file_size 2048k; proxy_temp_file_write_size 64k; proxy_temp_path "/tmp"; # logs access_log %LOG_DIR%/nginx-access.log; # global settings server_tokens off; # allow/deny (first wins) allow "unix:"; deny all; # rewrite these content types; text/html is implicit subs_filter_types application/javascript application/json application/x-javascript text/css text/javascript text/xml ; # subs filters # - named capture groups appear not to work # - anchor slightly more firmly with a single slash # -- double-slash would break https:\/\/foo.net\/ weirdness %%BEGIN subs_filter /(([-0-9a-z]+\.)+)?%DNS_DOMAIN_RE%\b /$1%ONION_ADDRESS% gir; %%END # fix the cookies %%BEGIN proxy_cookie_domain %DNS_DOMAIN% %ONION_ADDRESS% ; %%END # fix the header-redirects %%BEGIN proxy_redirect ~*^(.*?)\b%DNS_DOMAIN_RE%\b(.*)$ $1%ONION_ADDRESS%$2 ; %%END # o2d_lookup -> if cannot remap, return input. note: old versions # of lua-plugin cannot cope with code like o2d_mappings[o[1]] # because of `long bracket syntax`; the `[o[` freaks it out. # See: https://github.com/openresty/lua-nginx-module/issues/748 init_by_lua_block { slog = function (s) -- in case of manual debugging ngx.log(ngx.ERR, "\n<<", s, ">>\n") return end o2d_mappings = {} %%BEGIN o2d_mappings["%ONION_ADDRESS%"] = "%DNS_DOMAIN%" %%END o2d_lookup = function (o) local k = o[1] return ( o2d_mappings[k] or k ) end onion2dns = function (i) if i == nil then return nil end local o, num, errs = ngx.re.gsub(i, "\\b([a-z2-7]{16}\\.onion)\\b", o2d_lookup, "io") return o end dns2onion = function (i) -- inherently a bit flaky because ordering, boundaries; avoid local num, errs %%BEGIN i, num, errs = ngx.re.gsub(i, "\\b(%DNS_DOMAIN_RE2%)\\b", "%ONION_ADDRESS%", "io") %%END return i end } %%IF %HEADER_CSP_SUPPRESS% # csp suppression proxy_hide_header "Content-Security-Policy"; proxy_hide_header "Content-Security-Policy-Report-Only"; %%ELSE # csp not suppressed %%ENDIF %%IF %HEADER_HSTS_SUPPRESS% # hsts suppression proxy_hide_header "Strict-Transport-Security"; %%ELSE # hsts not suppressed %%ENDIF %%IF %HEADER_HPKP_SUPPRESS% # hpkp suppression proxy_hide_header "Public-Key-Pins"; proxy_hide_header "Public-Key-Pins-Report-Only"; %%ELSE # hpkp not suppressed %%ENDIF # global proxy settings proxy_read_timeout %NGINX_TIMEOUT%; proxy_connect_timeout %NGINX_TIMEOUT%; # SSL config ssl_certificate %SSL_DIR%/%CERT_PREFIX%.cert; ssl_certificate_key %SSL_DIR%/%CERT_PREFIX%.pem; #ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES256'; ## LibreSSL, OpenSSL 1.1.0+ ssl_ciphers 'EECDH+AESGCM:EECDH+AES256'; ## OpenSSL 1.0.1% to 1.0.2% ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_buffer_size 4k; ssl_prefer_server_ciphers on; ssl_ecdh_curve prime256v1; #ssl_ecdh_curve secp384r1:prime256v1; ## NGINX nginx 1.11.0 and later # websockets map $http_upgrade $connection_upgrade { default "upgrade"; "" ""; } %%BEGIN # for %ONION_ADDRESS% -> %DNS_DOMAIN% server { %%IF %IS_SOFTMAP% %%RANGE I 1 %SOFTMAP_TOR_WORKERS% # softmap onion %I% listen unix:%PROJECT_DIR%/%TOR_WORKER_PREFIX%-%I%.d/port-80.sock; listen unix:%PROJECT_DIR%/%TOR_WORKER_PREFIX%-%I%.d/port-443.sock ssl; %%ENDRANGE %%ELSE # hardmap # unix sockets; use .d as a naming convention listen unix:%PROJECT_DIR%/%ONION_ADDRESS%.d/port-80.sock; listen unix:%PROJECT_DIR%/%ONION_ADDRESS%.d/port-443.sock ssl; %%ENDIF # subdomain regexp captures trailing dot, use carefully; does not need "~*" server_name %ONION_ADDRESS% ~^(?([-0-9a-z]+\.)+)%ONION_ADDRESS_RE%$ ; %%IF %NGINX_HELLO_ONION% # for test & to help SSL certificate acceptance location ~*^/hello[-_]onion/?$ { return 200 "Hello, Onion User!"; } %%ENDIF # for traffic location / { proxy_pass "$scheme://${snsd}%DNS_DOMAIN%"; # note $scheme proxy_http_version 1.1; proxy_set_header Host "${snsd}%DNS_DOMAIN%"; proxy_set_header Accept-Encoding ""; # but putting this in `http` fails? proxy_set_header Connection $connection_upgrade; # SSL proxy_set_header Upgrade $http_upgrade; # SSL proxy_ssl_server_name on; # SSL set_by_lua_block $referer2 { return onion2dns(ngx.var.http_referer) } proxy_set_header Referer $referer2; set_by_lua_block $origin2 { return onion2dns(ngx.var.http_origin) } proxy_set_header Origin $origin2; } } %%END # header purge more_clear_headers "Age"; more_clear_headers "Server"; more_clear_headers "Via"; more_clear_headers "X-From-Nginx"; more_clear_headers "X-NA"; more_clear_headers "X-Powered-By"; more_clear_headers "X-Request-Id"; more_clear_headers "X-Runtime"; more_clear_headers "X-Varnish"; }