forked from aly-lmao/womginx
-
Notifications
You must be signed in to change notification settings - Fork 1
/
nginx.conf
269 lines (239 loc) · 13.2 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
user nginx nginx;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
resolver 1.1.1.1;
# resolver 1.1.1.3; # <-- uncomment this and comment out the above to block malware and adult sites
# ddos protection
client_body_timeout 10s;
client_header_timeout 10s;
proxy_connect_timeout 20s;
# these are very lenient limtis. there should be no reason why a
# client will request 60 requests per second for a straight 8.33 seconds
limit_req_zone $binary_remote_addr zone=limitreq:20m rate=30r/s;
limit_req zone=limitreq burst=500 nodelay;
limit_req_status 429;
limit_conn_zone $binary_remote_addr zone=limitconn:20m;
limit_conn limitconn 10;
# domain blacklist. blacklisting www.example.com as an example
map $dest_host $blacklist {
default 0;
'www.example.com' 1;
}
# set scheme appropriately in case nginx is sitting behind servers like heroku
map $http_x_forwarded_proto $relativescheme {
default $http_x_forwarded_proto;
'' $scheme;
}
# websocket headers
map $http_upgrade $connection_upgrade {
default Upgrade;
'' close;
}
map '' $proxy_prefix {
default $relativescheme://$host;
}
map $targeturl $dest_host {
default '';
~^https?://([^/]+) $1;
}
# convert wss://domain.com to https://domain.com
map $targeturl $dest_fullwebsocketurl {
default $targeturl;
~^ws(s)?://(.+) http$1://$2;
}
# get targeturl destination from referrer
map $http_referer $dest_referrerhost {
default '';
~^https?://[^/]+/trump2020(/[^_/]+_)?/(?<targeturl>https?://[^/]+) $targeturl;
}
# use $request_uri for proxy cookie rewriting where there is no $targeturl variable
map $request_uri $dest_hostwithscheme {
default '';
~^/trump2020(/[^_/]+_)?/(https?://[^/]+) $2;
}
# header rewrites
map $http_referer $rewrite_referer {
default $http_referer;
~^https?://[^/]+/trump2020(/[^_/]+_)?/(?<targeturl>.*) $targeturl;
}
map $http_origin $rewrite_origin {
default $dest_hostwithscheme;
'' '';
}
server {
server_name womginx.synricha.org;
listen 80;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/womginx.synricha.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/womginx.synricha.org/privkey.pem;
merge_slashes off;
proxy_ssl_server_name on;
error_page 404 = @referrer-handler;
# reason for putting rewrites here is putting them in parent of nested locations will
# not apply to child locations
# use undecoded uri as location for proxying encoded urls
rewrite ^ $request_uri;
# convert /trump2020/http://domain.com to /main/http://domain.com/
# convert /trump2020/http://domain.com?a to /main/http://domain.com/?a
rewrite ^(/trump2020/https?://[^/?]*)/?(.*) $1/$2;
#### static file requests handling ####
# serve static files, disallow access to .git directories, and ignore prefixes starting with /main/
location ~^((?!/\.git|^/trump2020/).)*$ {
alias /home/binary/womginx/public$uri;
# if no file is found, pass it to @referrer-handler
}
location = / {
if ($dest_referrerhost = '') {
rewrite ^ /index.html last;
}
# if referrer is valid, pass it to @referrer-handler
return 404;
}
# catch links like '/assets.png' and redirect them by their referrer if referrer is valid
location @referrer-handler {
# if referrer doesn't exist, send 404 page
if ($dest_referrerhost = '') {
return 404;
}
# if it exists, send appropriate redirection
return 302 $proxy_prefix/trump2020/$dest_referrerhost$request_uri;
}
#### proxy requests handling ####
location /trump2020{
# reason for including all proxy header modifications here is because apparently,
# using proxy_set_header in a child block automatically negates all parent proxy_set_header
# directives.
# disable disabling inline scripts (if proxy sends a content-security-policy like that over)
proxy_hide_header Content-Security-Policy;
# force proxy to send non-compressed for sub_filter to work
proxy_set_header Accept-Encoding 'identity;q=1, *;q=0';
# prevent proxied servers' HSTS headers from affecting the client
proxy_hide_header Strict-Transport-Security;
# enable support for embedding proxy site in an iframe
proxy_hide_header X-Frame-Options;
# rewrite referer header
proxy_set_header Referer $rewrite_referer;
# rewrite origin header
proxy_set_header Origin $rewrite_origin;
# rewrite cookie domain and path
proxy_cookie_domain ~(.*) $host;
# rewrite cookie path
proxy_cookie_path ~(/.*) /main/$dest_hostwithscheme$1;
# websocket headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# fix "upstream sent too big header/body"
proxy_buffer_size 16k;
# proxy_buffer_size + 8k
proxy_busy_buffers_size 24k;
# numOfBuffers * bufferSize >= proxy_buffer_size
proxy_buffers 4 16k;
# client can only upload files less than 100M
client_max_body_size 100M;
# rewrite relative urls like /main/// to /main/https:// internally without redirect
location ~^/trump2020(/[^_/]+_)?///(?<protocol_relative_url>.+) {
rewrite ^/trump2020(/[^_/]+_)?///(?<protocol_relative_url>.+) /trump2020$1/$relativescheme://$protocol_relative_url last;
}
# redirect any url with /main/google.com to /main/https://google.com
location ~^/trump2020(/[^/_]+_)?(?!(/[^/_]+_)?/(http|ws)s?://|//)/(?<rewrite_url_with_scheme>.*) {
return 302 $proxy_prefix/trump2020$1/$relativescheme://$rewrite_url_with_scheme;
}
# handle websocket connections
location ~^/trump2020/\d*ws_/(?<targeturl>.+){
proxy_http_version 1.1;
proxy_pass $dest_fullwebsocketurl;
}
# serve assets
location ~^/trump2020/\d*(im|oe)_/(?<targeturl>.+) {
proxy_pass $targeturl;
}
# serve web and service workers. rewrites are done client side
location ~^/trump2020/\d*(wkr|sw)_/(?<targeturl>.+) {
proxy_pass $targeturl;
}
# rewrite js files
location ~^/trump2020/\d*js_/(?<targeturl>.+) {
sub_filter_once off;
sub_filter_types *;
sub_filter '.postMessage(' '.__WB_pmw(self.window).postMessage(';
sub_filter '.postMessage (' '.__WB_pmw(self.window).postMessage (';
sub_filter 'window.location' 'window.currentLocation';
proxy_pass $targeturl;
}
# redirect any url with /main/unsupportedmod_/blahblah to /main/blahblah
location ~^/trump2020/[^_/]+_/(?<redirecttargeturl>.+) {
return 302 $proxy_prefix/trump2020/$redirecttargeturl;
}
location ~^/trump2020/(?<targeturl>.*)$ {
# blacklist urls
if ($blacklist) {
return 403 'Sorry. The owner of this proxy decided to disallow access to this content.';
}
# handle proxy sending redirection requests
proxy_redirect ~^(https?://.+) $proxy_prefix/trump2020/$1;
sub_filter_once off;
# sub_filter_types text/html; already text/html by default but leaving it here for clarity
# and commenting it out to suppress duplicate warnings
# wrap href,src,poster,action,srcset,data,codebase links.
# and add a womginx-processed attribute to the tag to notify client js it is already handled.
# since we're not using subs_filter module for simplicity of installation, we are going to
# list every possible combination. However, we only need to do src and script src tags
# because they cannot be handled by wombat, and for the rest of the attributes, we can
# let the client handle it for offloading the CPU load to the client and maintaining
# the integrity of the html document (so we reduce chances of replacing an attribute at a
# wrong place)
set $processed_flag_attribute 'womginx-processed';
# 1. change 'href="//domain/image.png' to 'womginx-processed href="/trump2020/$relativescheme://domain/image.png'
# for scripts, serve under /trump2020/js_/http://domain.com/script.js to inject wombat code
sub_filter '<script src="//' '<script $processed_flag_attribute src="/trump2020/js_/$relativescheme://';
sub_filter '<script type="text/javascript" src="//' '<script type="text/javascript" $processed_flag_attribute src="/trump2020/js_/$relativescheme://';
sub_filter 'src="//' '$processed_flag_attribute src="/trump2020/$relativescheme://';
# 2. change 'href="/image.png' to 'womginx-processed href="/trump2020/$dest_hostwithscheme/image.png'
sub_filter '<script src="/' '<script $processed_flag_attribute src="/trump2020/js_/$dest_hostwithscheme/';
sub_filter '<script type="text/javascript" src="/' '<script type="text/javascript" $processed_flag_attribute src="/trump2020/js_/$dest_hostwithscheme/';
sub_filter 'src="/' '$processed_flag_attribute src="/trump2020/$dest_hostwithscheme/';
# 3. change 'href="https://domain.com/image.png"' to 'womginx-processed href="/trump2020/https://domain.com/image.png"'
sub_filter '<script src="https://' '<script $processed_flag_attribute src="/trump2020/js_/https://';
sub_filter '<script type="text/javascript" src="https://' '<script type="text/javascript" $processed_flag_attribute src="/trump2020/js_/https://';
sub_filter 'src="https://' '$processed_flag_attribute src="/trump2020/https://';
# 4. same as above but with http:// instead of https://
sub_filter '<script src="http://' '<script $processed_flag_attribute src="/trump2020/js_/http://';
sub_filter '<script type="text/javascript" src="http://' '<script type="text/javascript" $processed_flag_attribute src="/trump2020/js_/http://';
sub_filter 'src="http://' '$processed_flag_attribute src="/trump2020/http://';
# 5. rewrite 'integrity="' to 'nointegrity=' to disable script integrity checking
sub_filter 'integrity="' 'nointegrity="';
# do the same thing but instead of ", do '
# # 1.
sub_filter "<script src='//" "<script $processed_flag_attribute src='/trump2020/js_/$relativescheme://";
sub_filter "<script type='text/javascript' src='//" "<script type='text/javascript' $processed_flag_attribute src='/main/js_/$relativescheme://";
sub_filter "src='//" "$processed_flag_attribute src='/trump2020/$relativescheme://";
# # 2.
sub_filter "<script src='/" "<script $processed_flag_attribute src='/trump2020/js_/$dest_hostwithscheme/";
sub_filter "<script type='text/javascript' src='/" "<script type='text/javascript' $processed_flag_attribute src='/trump2020/js_/$dest_hostwithscheme/";
sub_filter "src='/" "$processed_flag_attribute src='/trump2020/$dest_hostwithscheme/";
# # 3.
sub_filter "<script src='https://" "<script $processed_flag_attribute src='/trump2020/js_/https://";
sub_filter "<script type='text/javascript' src='https://" "<script type='text/javascript' $processed_flag_attribute src='/trump2020/js_/https://";
sub_filter "src='https://" "$processed_flag_attribute src='/trump2020/https://";
# # 4.
sub_filter "<script src='http://" "<script $processed_flag_attribute src='/trump2020/js_/http://";
sub_filter "<script type='text/javascript' src='http://" "<script type='text/javascript' $processed_flag_attribute src='/trump2020/js_/http://";
sub_filter "src='http://" "$processed_flag_attribute src='/trump2020/http://";
# # 5.
sub_filter "integrity='" "nointegrity='";
# insert wombat.js and wombat-handler.js scripts
sub_filter '<head>' '<head>
<script $processed_flag_attribute src="/wombat/dist/wombat.js"></script>
<script $processed_flag_attribute src="/wombat-handler.js" processed-attribute="$processed_flag_attribute">
</script>';
proxy_pass $targeturl;
}
}
}
}