lazd · October 12, 2023 15:55
diff --git a/nginx.conf b/nginx.conf

 #user  nobody;
 worker_processes  1;

 # error_log  /usr/local/var/log/nginx/error.log;
 # error_log  /usr/local/var/log/nginx/error.log notice;
 error_log  /usr/local/var/log/nginx/error.log info;

 #pid        logs/nginx.pid;


 events {
 	worker_connections  1024;
 }

 http {
 	include       mime.types;
 	default_type  application/octet-stream;

 	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
 	#                  '$status $body_bytes_sent "$http_referer" '
 	#                  '"$http_user_agent" "$http_x_forwarded_for"';

 	#access_log  logs/access.log  main;

 	sendfile        on;
 	#tcp_nopush     on;

 	#keepalive_timeout  0;
 	keepalive_timeout  65;

 	#gzip  on;

 	map $upstream_http_location $m_replaceHTTPS {
 		""  "";
 		"~^https://(.*)$" "http://$1";
 		"~.*" "";
 	}

 	map $upstream_http_set_cookie $m_replaceCookie {
 		""  "";
 		"~secure;?$" "";
 		"~.*" "";
 	}

 	server {
 		listen 8080 default_server;

 		location / {
 			resolver 8.8.8.8;
 			proxy_pass https://$host;			
 			
 			# Ensure all content goes to http
 			sub_filter_once off;
 			sub_filter_types application/xhtml+xml application/xml text/xml application/rss+xml application/atom+xml text/plain text/javascript text/css application/json;
 			sub_filter 'https://' 'http://';

 			# Ensure redirects go to http
 			proxy_hide_header location;
 			add_header location $m_replaceHTTPS always;

 			# Make the first cookie insecure
 			proxy_hide_header set-cookie;
 			add_header set-cookie $m_replaceCookie always;

 			# don't allow gzip so sub_filter works
 			proxy_set_header Accept-Encoding "";

 			# spoof UA
 			proxy_set_header User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A";

 			# run down redirects to avoid confusing the browser
 			proxy_intercept_errors on;
 			error_page 301 302 307 = @handle_redirect;
 		}

 		location @handle_redirect {
 			resolver 8.8.8.8;
 			set $saved_redirect_location '$upstream_http_location';
 			proxy_pass $saved_redirect_location;

 			sub_filter_once off;
 			sub_filter_types application/xhtml+xml application/xml text/xml text/plain text/javascript text/css application/json;
 			sub_filter 'https://' 'http://';

 			# don't allow gzip so sub_filter works
 			proxy_set_header Accept-Encoding "";

 			proxy_hide_header location;
 			add_header location $m_replaceHTTPS always;
 		}
 	}
 	
 	server {
 		listen 4343 ssl;

 		ssl_certificate nginx-selfsigned.crt;
 		ssl_certificate_key nginx-selfsigned.key;
 		ssl_dhparam dhparam.pem;
 		
 		ssl_prefer_server_ciphers on;
 		ssl_protocols SSLv3 TLSv1;
 		ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 		
 		ssl_session_timeout 1d;
 		ssl_session_cache shared:SSL:10m;
 		ssl_session_tickets off;

 		location / {
 			proxy_pass http://127.0.0.1:8080;
 			proxy_set_header Host $host;
 			proxy_set_header X-Real-IP $remote_addr;
 			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 			proxy_set_header X-Forwarded-Proto https;
 		}
 	}

 	# server {
 		# listen 4343 ssl;
 		# 
 		# ssl_certificate nginx-selfsigned.crt;
 		# ssl_certificate_key nginx-selfsigned.key;
 		# ssl_dhparam dhparam.pem;
 		# 
 		# ssl_session_timeout 1d;
 		# ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
 		# ssl_session_tickets off;
 		# 
 		# ssl_verify_client off;
 		# proxy_ssl_session_reuse off;

 		# old configuration
 		# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 		# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
 		# ssl_prefer_server_ciphers off;
 		# 
 		# add_header Strict-Transport-Security "max-age=63072000" always;

 		# ssl_prefer_server_ciphers off;
 		# ssl_protocols SSLv3 TLSv1;
 		# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

 		# ssl_ecdh_curve secp384r1;
 		# ssl_session_cache shared:SSL:10m;
 		# ssl_session_tickets off;
 		# ssl_stapling on;
 		# ssl_stapling_verify on;

 		# location / {
 		# 	resolver 8.8.8.8;
 		# 	proxy_pass https://$host;
 		# }
 	# }

 	include servers/*;
 }

	#user nobody;
	worker_processes 1;

	# error_log /usr/local/var/log/nginx/error.log;
	# error_log /usr/local/var/log/nginx/error.log notice;
	error_log /usr/local/var/log/nginx/error.log info;

	#pid logs/nginx.pid;


	events {
	worker_connections 1024;
	}

	http {
	include mime.types;
	default_type application/octet-stream;

	#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	# '$status $body_bytes_sent "$http_referer" '
	# '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log logs/access.log main;

	sendfile on;
	#tcp_nopush on;

	#keepalive_timeout 0;
	keepalive_timeout 65;

	#gzip on;

	map $upstream_http_location $m_replaceHTTPS {
	"" "";
	"~^https://(.*)$" "http://$1";
	"~.*" "";
	}

	map $upstream_http_set_cookie $m_replaceCookie {
	"" "";
	"~secure;?$" "";
	"~.*" "";
	}

	server {
	listen 8080 default_server;

	location / {
	resolver 8.8.8.8;
	proxy_pass https://$host;

	# Ensure all content goes to http
	sub_filter_once off;
	sub_filter_types application/xhtml+xml application/xml text/xml application/rss+xml application/atom+xml text/plain text/javascript text/css application/json;
	sub_filter 'https://' 'http://';

	# Ensure redirects go to http
	proxy_hide_header location;
	add_header location $m_replaceHTTPS always;

	# Make the first cookie insecure
	proxy_hide_header set-cookie;
	add_header set-cookie $m_replaceCookie always;

	# don't allow gzip so sub_filter works
	proxy_set_header Accept-Encoding "";

	# spoof UA
	proxy_set_header User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A";

	# run down redirects to avoid confusing the browser
	proxy_intercept_errors on;
	error_page 301 302 307 = @handle_redirect;
	}

	location @handle_redirect {
	resolver 8.8.8.8;
	set $saved_redirect_location '$upstream_http_location';
	proxy_pass $saved_redirect_location;

	sub_filter_once off;
	sub_filter_types application/xhtml+xml application/xml text/xml text/plain text/javascript text/css application/json;
	sub_filter 'https://' 'http://';

	# don't allow gzip so sub_filter works
	proxy_set_header Accept-Encoding "";

	proxy_hide_header location;
	add_header location $m_replaceHTTPS always;
	}
	}

	server {
	listen 4343 ssl;

	ssl_certificate nginx-selfsigned.crt;
	ssl_certificate_key nginx-selfsigned.key;
	ssl_dhparam dhparam.pem;

	ssl_prefer_server_ciphers on;
	ssl_protocols SSLv3 TLSv1;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	location / {
	proxy_pass http://127.0.0.1:8080;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;
	}
	}

	# server {
	# listen 4343 ssl;
	#
	# ssl_certificate nginx-selfsigned.crt;
	# ssl_certificate_key nginx-selfsigned.key;
	# ssl_dhparam dhparam.pem;
	#
	# ssl_session_timeout 1d;
	# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
	# ssl_session_tickets off;
	#
	# ssl_verify_client off;
	# proxy_ssl_session_reuse off;

	# old configuration
	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
	# ssl_prefer_server_ciphers off;
	#
	# add_header Strict-Transport-Security "max-age=63072000" always;

	# ssl_prefer_server_ciphers off;
	# ssl_protocols SSLv3 TLSv1;
	# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

	# ssl_ecdh_curve secp384r1;
	# ssl_session_cache shared:SSL:10m;
	# ssl_session_tickets off;
	# ssl_stapling on;
	# ssl_stapling_verify on;

	# location / {
	# resolver 8.8.8.8;
	# proxy_pass https://$host;
	# }
	# }

	include servers/*;
	}