-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathproxy_default.conf
142 lines (112 loc) · 4 KB
/
proxy_default.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# nginx.vh.default.conf -- docker-openresty
#
# This file is installed to:
# `/etc/nginx/conf.d/default.conf`
#
# It tracks the `server` section of the upstream OpenResty's `nginx.conf`.
#
# This config (and any other configs in `etc/nginx/conf.d/`) is loaded by
# default by the `include` directive in `/usr/local/openresty/nginx/conf/nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#
lua_package_path "/lua-resty-cookie/lib/?.lua;;";
# anonymize ip address for logs and x-forwarded-for
map $remote_addr $remote_addr_anon {
~(?P<ip>\d+\.\d+)$ 0.0.$ip;
~(?P<ip>[^:]+:[^:]+)$ ::$ip; # TODO - test out ipv6
default 0.0.0.0;
}
server {
listen 80;
server_name localhost;
# TODO - put something reasonable here
#access_log /var/log/nginx/host.access.log main;
location / {
#
# TODO - Ability to set specific cookies if they aren't set in the request
# TODO - Generic User-Agent string
# TODO - code for multiple X-Forwarded-For request headers
#
proxy_pass http://webserver;
proxy_cookie_domain ~(.*) $host;
proxy_redirect default;
proxy_set_header Host $host;
proxy_buffering off;
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_intercept_errors on;
proxy_connect_timeout 5s;
proxy_ignore_headers X-Accel-Expires X-Accel-Redirect X-Accel-Limit-Rate X-Accel-Buffering X-Accel-Charset;
proxy_next_upstream_tries 3;
proxy_set_header X-GuardBear v0.1.0;
add_header X-GuardBear v0.1.0;
set $allow_cookie_prefix 'guardbear_';
set $allow_cookie_prefix_len 10;
access_by_lua_block {
-- anonymize ip address in X-Forwarded-For header
local x_forwarded_for = ngx.req.get_headers()['X-Forwarded-For']
if ( x_forwarded_for ) then
ngx.req.set_header('X-Forwarded-For', x_forwarded_for .. ', ' .. ngx.var.remote_addr_anon);
else
ngx.req.set_header('X-Forwarded-For', ngx.var.remote_addr_anon)
end
-- scrub referer header
local referer = ngx.req.get_headers()['referer']
if ( referer ) then
local scrubbed_referer = referer:match( '^(https?://[^/]+/)' )
if ( scrubbed_referer ) then
ngx.req.set_header('Referer', scrubbed_referer)
end
end
-- only allow flagged cookies
local ck = require 'resty.cookie'
local cookie, err = ck:new()
local fields, err = cookie:get_all()
if fields then
local allowed_cookies = {}
local all_cookies = {}
for k, v in pairs( fields ) do
if ( string.sub( k, 1, ngx.var.allow_cookie_prefix_len ) == ngx.var.allow_cookie_prefix ) then
allowed_cookies[ string.sub( k, ngx.var.allow_cookie_prefix_len + 1, string.len( k ) ) ] = v
else
all_cookies[ k ] = v
end
end
ngx.req.clear_header('Cookie')
local filtered_cookie_header = ''
for k, v in pairs( allowed_cookies ) do
if ( all_cookies[ k ] ) then
if ( filtered_cookie_header ~= '' ) then
filtered_cookie_header = filtered_cookie_header .. '; '
end
filtered_cookie_header = filtered_cookie_header .. k .. '=' .. all_cookies[ k ]
end
end
ngx.req.set_header('Cookie', filtered_cookie_header)
end
}
header_filter_by_lua_block {
-- set flag for cookies set by origin
if ( ngx.header['Set-Cookie'] ) then
local set_cookies_table = ngx.header['Set-Cookie']
if type( set_cookies_table ) ~= 'table' then
set_cookies_table = { ngx.header['Set-Cookie'] }
end
for k, v in pairs( set_cookies_table ) do
if ( string.sub( v, 1, ngx.var.allow_cookie_prefix_len ) ~= ngx.var.allow_cookie_prefix ) then
v = string.gsub( v, "^([^=]+)=[^;]+;", "%1=1;", 1)
table.insert( set_cookies_table, ngx.var.allow_cookie_prefix .. v )
end
end
ngx.header['Set-Cookie'] = set_cookies_table
end
}
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/openresty/nginx/html;
}
}