Enterprise-Onion-Toolkit/templates.d/nginx.conf.txt

# -*- awk -*-
# eotk (c) 2017 Alec Muffett

# EMACS awk mode works quite well for nginx configs

# logs and pids
pid %PROJECT_DIR%/nginx.pid;
error_log %LOG_DIR%/nginx-error.log debug;

# performance
%%IF %IS_SOFTMAP%
worker_processes %SOFTMAP_NGINX_WORKERS%; # softmap
%%ELSE
worker_processes %NGINX_WORKERS%; # hardmap
%%ENDIF
worker_rlimit_nofile %NGINX_RLIM%;
events {
  worker_connections %NGINX_RLIM%;
}

http {
  # dns for proxy (sigh)
  resolver %NGINX_RESOLVER% valid=%NGINX_TIMEOUT%s; # should be able to do `ipv6=off` here, but problems
  resolver_timeout %NGINX_TIMEOUT%s;

  proxy_buffering on;
  proxy_buffers 16 64k;
  proxy_buffer_size 64k;
  proxy_busy_buffers_size 512k;
  proxy_max_temp_file_size 2048k;
  proxy_temp_file_write_size 64k;
  proxy_temp_path "/tmp";

  # logs
  access_log %LOG_DIR%/nginx-access.log;

  # global settings
  server_tokens off;

  # allow/deny (first wins)
  allow "unix:";
  deny all;

  # rewrite these content types; text/html is implicit
  subs_filter_types
  application/javascript
  application/json
  application/x-javascript
  text/css
  text/javascript
  text/xml
  ;

  # subs filters
  %%BEGIN
  subs_filter \b%DNS_DOMAIN%\b %ONION_ADDRESS% ri;
  %%END

  # fix the cookies
  %%BEGIN
  proxy_cookie_domain %DNS_DOMAIN% %ONION_ADDRESS%;
  %%END

  # fix the header-redirects
  %%BEGIN
  proxy_redirect ~*^(.*?)\b%DNS_DOMAIN_RE%\b(.*)$ $1%ONION_ADDRESS%$2;
  %%END

  # o2d_lookup -> if cannot remap, return input.
  init_by_lua_block {
    slog = function (s) -- in case of manual debugging
      ngx.log(ngx.ERR, "\n<<", s, ">>\n")
      return
    end

    o2d_mappings = {}
    %%BEGIN
    o2d_mappings["%ONION_ADDRESS%"] = "%DNS_DOMAIN%"
    %%END

    o2d_lookup = function (o)
      return ( o2d_mappings[o[1]] or o[1] )
    end

    onion2dns = function (i)
      if i == nil then
        return nil
      end
      local o, num, errs = ngx.re.gsub(i, "\\b([a-z2-7]{16}\\.onion)\\b", o2d_lookup, "io")
      return o
    end

    dns2onion = function (i) -- inherently a bit flaky because ordering, boundaries; avoid
      local num, errs
      %%BEGIN
      i, num, errs = ngx.re.gsub(i, "\\b(%DNS_DOMAIN_RE2%)\\b", "%ONION_ADDRESS%", "io")
      %%END
      return i
    end
  }

  %%IF %HEADER_CSP_SUPPRESS%
  # csp suppression
  proxy_hide_header "Content-Security-Policy";
  proxy_hide_header "Content-Security-Policy-Report-Only";
  %%ELSE
  # csp not suppressed
  %%ENDIF

  %%IF %HEADER_HSTS_SUPPRESS%
  # hsts suppression
  proxy_hide_header "Strict-Transport-Security";
  %%ELSE
  # hsts not suppressed
  %%ENDIF

  %%IF %HEADER_HPKP_SUPPRESS%
  # hpkp suppression
  proxy_hide_header "Public-Key-Pins";
  proxy_hide_header "Public-Key-Pins-Report-Only";
  %%ELSE
  # hpkp not suppressed
  %%ENDIF

  # global proxy settings
  proxy_read_timeout %NGINX_TIMEOUT%;
  proxy_connect_timeout %NGINX_TIMEOUT%;

  # SSL config
  ssl_certificate %SSL_DIR%/%CERT_PREFIX%.cert;
  ssl_certificate_key %SSL_DIR%/%CERT_PREFIX%.pem;
  #ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES256'; ## LibreSSL, OpenSSL 1.1.0+
  ssl_ciphers 'EECDH+AESGCM:EECDH+AES256'; ## OpenSSL 1.0.1% to 1.0.2%
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_buffer_size 4k;
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve prime256v1;
  #ssl_ecdh_curve secp384r1:prime256v1; ## NGINX nginx 1.11.0 and later

  # websockets
  map $http_upgrade $connection_upgrade {
    default "upgrade";
    "" "";
  }

  %%BEGIN
  # for %ONION_ADDRESS% -> %DNS_DOMAIN%
  server {
    %%IF %IS_SOFTMAP%
    %%RANGE I 1 %SOFTMAP_TOR_WORKERS%
    # softmap onion %I%
    listen unix:%PROJECT_DIR%/%TOR_WORKER_PREFIX%-%I%.d/port-80.sock;
    listen unix:%PROJECT_DIR%/%TOR_WORKER_PREFIX%-%I%.d/port-443.sock ssl;
    %%ENDRANGE
    %%ELSE
    # hardmap
    # unix sockets; use <ONION_ADDRESS>.d as a naming convention
    listen unix:%PROJECT_DIR%/%ONION_ADDRESS%.d/port-80.sock;
    listen unix:%PROJECT_DIR%/%ONION_ADDRESS%.d/port-443.sock ssl;
    %%ENDIF

    # subdomain regexp captures trailing dot, use carefully
    server_name
    %ONION_ADDRESS%
    ~^(?<subdomain>.+\.)%ONION_ADDRESS_RE%$
    ;

    %%IF %NGINX_HELLO_ONION%
    # for test & to help SSL certificate acceptance
    location ~ ^/hello[-_]onion/?$ {
      return 200 "Hello, Onion User!";
    }
    %%ENDIF

    # for traffic
    location / {
      proxy_pass "$scheme://${subdomain}%DNS_DOMAIN%"; # note $scheme
      proxy_http_version 1.1;
      proxy_set_header Host "${subdomain}%DNS_DOMAIN%";
      proxy_set_header Accept-Encoding ""; # but putting this in `http` fails?
      proxy_set_header Connection $connection_upgrade; # SSL
      proxy_set_header Upgrade $http_upgrade; # SSL
      proxy_ssl_server_name on; # SSL

      set_by_lua_block $referer2 {
        return onion2dns(ngx.var.http_referer)
      }
      proxy_set_header Referer $referer2;

      set_by_lua_block $origin2 {
        return onion2dns(ngx.var.http_origin)
      }
      proxy_set_header Origin $origin2;
    }
  }

  %%END

  # header purge
  more_clear_headers "Age";
  more_clear_headers "Server";
  more_clear_headers "Via";
  more_clear_headers "X-From-Nginx";
  more_clear_headers "X-NA";
  more_clear_headers "X-Powered-By";
  more_clear_headers "X-Request-Id";
  more_clear_headers "X-Runtime";
  more_clear_headers "X-Varnish";
}