kopia lustrzana https://github.com/alecmuffett/eotk
212 wiersze
5.3 KiB
Awk
Executable File
212 wiersze
5.3 KiB
Awk
Executable File
# -*- awk -*-
|
|
# eotk (c) 2017 Alec Muffett
|
|
|
|
# EMACS awk mode works quite well for nginx configs
|
|
|
|
# logs and pids
|
|
pid %PROJECT_DIR%/nginx.pid;
|
|
error_log %LOG_DIR%/nginx-error.log debug;
|
|
|
|
# performance
|
|
%%IF %IS_SOFTMAP%
|
|
worker_processes %SOFTMAP_NGINX_WORKERS%; # softmap
|
|
%%ELSE
|
|
worker_processes %NGINX_WORKERS%; # hardmap
|
|
%%ENDIF
|
|
worker_rlimit_nofile %NGINX_RLIM%;
|
|
events {
|
|
worker_connections %NGINX_RLIM%;
|
|
}
|
|
|
|
http {
|
|
# dns for proxy (sigh)
|
|
resolver %NGINX_RESOLVER% valid=%NGINX_TIMEOUT%s; # should be able to do `ipv6=off` here, but problems
|
|
resolver_timeout %NGINX_TIMEOUT%s;
|
|
|
|
proxy_buffering on;
|
|
proxy_buffers 16 64k;
|
|
proxy_buffer_size 64k;
|
|
proxy_busy_buffers_size 512k;
|
|
proxy_max_temp_file_size 2048k;
|
|
proxy_temp_file_write_size 64k;
|
|
proxy_temp_path "/tmp";
|
|
|
|
# logs
|
|
access_log %LOG_DIR%/nginx-access.log;
|
|
|
|
# global settings
|
|
server_tokens off;
|
|
|
|
# allow/deny (first wins)
|
|
allow "unix:";
|
|
deny all;
|
|
|
|
# rewrite these content types; text/html is implicit
|
|
subs_filter_types
|
|
application/javascript
|
|
application/json
|
|
application/x-javascript
|
|
text/css
|
|
text/javascript
|
|
text/xml
|
|
;
|
|
|
|
# subs filters
|
|
%%BEGIN
|
|
subs_filter \b%DNS_DOMAIN%\b %ONION_ADDRESS% ri;
|
|
%%END
|
|
|
|
# fix the cookies
|
|
%%BEGIN
|
|
proxy_cookie_domain %DNS_DOMAIN% %ONION_ADDRESS%;
|
|
%%END
|
|
|
|
# fix the header-redirects
|
|
%%BEGIN
|
|
proxy_redirect ~*^(.*?)\b%DNS_DOMAIN_RE%\b(.*)$ $1%ONION_ADDRESS%$2;
|
|
%%END
|
|
|
|
# o2d_lookup -> if cannot remap, return input.
|
|
init_by_lua_block {
|
|
slog = function (s) -- in case of manual debugging
|
|
ngx.log(ngx.ERR, "\n<<", s, ">>\n")
|
|
return
|
|
end
|
|
|
|
o2d_mappings = {}
|
|
%%BEGIN
|
|
o2d_mappings["%ONION_ADDRESS%"] = "%DNS_DOMAIN%"
|
|
%%END
|
|
|
|
o2d_lookup = function (o)
|
|
return ( o2d_mappings[o[1]] or o[1] )
|
|
end
|
|
|
|
onion2dns = function (i)
|
|
if i == nil then
|
|
return nil
|
|
end
|
|
local o, num, errs = ngx.re.gsub(i, "\\b([a-z2-7]{16}\\.onion)\\b", o2d_lookup, "io")
|
|
return o
|
|
end
|
|
|
|
dns2onion = function (i) -- inherently a bit flaky because ordering, boundaries; avoid
|
|
local num, errs
|
|
%%BEGIN
|
|
i, num, errs = ngx.re.gsub(i, "\\b(%DNS_DOMAIN_RE2%)\\b", "%ONION_ADDRESS%", "io")
|
|
%%END
|
|
return i
|
|
end
|
|
}
|
|
|
|
%%IF %HEADER_CSP_SUPPRESS%
|
|
# csp suppression
|
|
proxy_hide_header "Content-Security-Policy";
|
|
proxy_hide_header "Content-Security-Policy-Report-Only";
|
|
%%ELSE
|
|
# csp not suppressed
|
|
%%ENDIF
|
|
|
|
%%IF %HEADER_HSTS_SUPPRESS%
|
|
# hsts suppression
|
|
proxy_hide_header "Strict-Transport-Security";
|
|
%%ELSE
|
|
# hsts not suppressed
|
|
%%ENDIF
|
|
|
|
%%IF %HEADER_HPKP_SUPPRESS%
|
|
# hpkp suppression
|
|
proxy_hide_header "Public-Key-Pins";
|
|
proxy_hide_header "Public-Key-Pins-Report-Only";
|
|
%%ELSE
|
|
# hpkp not suppressed
|
|
%%ENDIF
|
|
|
|
# global proxy settings
|
|
proxy_read_timeout %NGINX_TIMEOUT%;
|
|
proxy_connect_timeout %NGINX_TIMEOUT%;
|
|
|
|
# SSL config
|
|
ssl_certificate %SSL_DIR%/%CERT_PREFIX%.cert;
|
|
ssl_certificate_key %SSL_DIR%/%CERT_PREFIX%.pem;
|
|
#ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES256'; ## LibreSSL, OpenSSL 1.1.0+
|
|
ssl_ciphers 'EECDH+AESGCM:EECDH+AES256'; ## OpenSSL 1.0.1% to 1.0.2%
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
ssl_buffer_size 4k;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ecdh_curve prime256v1;
|
|
#ssl_ecdh_curve secp384r1:prime256v1; ## NGINX nginx 1.11.0 and later
|
|
|
|
# websockets
|
|
map $http_upgrade $connection_upgrade {
|
|
default "upgrade";
|
|
"" "";
|
|
}
|
|
|
|
%%BEGIN
|
|
# for %ONION_ADDRESS% -> %DNS_DOMAIN%
|
|
server {
|
|
%%IF %IS_SOFTMAP%
|
|
%%RANGE I 1 %SOFTMAP_TOR_WORKERS%
|
|
# softmap onion %I%
|
|
listen unix:%PROJECT_DIR%/%TOR_WORKER_PREFIX%-%I%.d/port-80.sock;
|
|
listen unix:%PROJECT_DIR%/%TOR_WORKER_PREFIX%-%I%.d/port-443.sock ssl;
|
|
%%ENDRANGE
|
|
%%ELSE
|
|
# hardmap
|
|
# unix sockets; use <ONION_ADDRESS>.d as a naming convention
|
|
listen unix:%PROJECT_DIR%/%ONION_ADDRESS%.d/port-80.sock;
|
|
listen unix:%PROJECT_DIR%/%ONION_ADDRESS%.d/port-443.sock ssl;
|
|
%%ENDIF
|
|
|
|
# subdomain regexp captures trailing dot, use carefully
|
|
server_name
|
|
%ONION_ADDRESS%
|
|
~^(?<subdomain>.+\.)%ONION_ADDRESS_RE%$
|
|
;
|
|
|
|
%%IF %NGINX_HELLO_ONION%
|
|
# for test & to help SSL certificate acceptance
|
|
location ~ ^/hello[-_]onion/?$ {
|
|
return 200 "Hello, Onion User!";
|
|
}
|
|
%%ENDIF
|
|
|
|
# for traffic
|
|
location / {
|
|
proxy_pass "$scheme://${subdomain}%DNS_DOMAIN%"; # note $scheme
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host "${subdomain}%DNS_DOMAIN%";
|
|
proxy_set_header Accept-Encoding ""; # but putting this in `http` fails?
|
|
proxy_set_header Connection $connection_upgrade; # SSL
|
|
proxy_set_header Upgrade $http_upgrade; # SSL
|
|
proxy_ssl_server_name on; # SSL
|
|
|
|
set_by_lua_block $referer2 {
|
|
return onion2dns(ngx.var.http_referer)
|
|
}
|
|
proxy_set_header Referer $referer2;
|
|
|
|
set_by_lua_block $origin2 {
|
|
return onion2dns(ngx.var.http_origin)
|
|
}
|
|
proxy_set_header Origin $origin2;
|
|
}
|
|
}
|
|
|
|
%%END
|
|
|
|
# header purge
|
|
more_clear_headers "Age";
|
|
more_clear_headers "Server";
|
|
more_clear_headers "Via";
|
|
more_clear_headers "X-From-Nginx";
|
|
more_clear_headers "X-NA";
|
|
more_clear_headers "X-Powered-By";
|
|
more_clear_headers "X-Request-Id";
|
|
more_clear_headers "X-Runtime";
|
|
more_clear_headers "X-Varnish";
|
|
}
|