nginx-gists · November 11, 2022 00:13 · nginx-gists · Nov 11, 2022
diff --git a/alpn_logging.conf b/alpn_logging.conf
 log_format alpn '$time_iso8601 client=$remote_addr method=$request_method '
                'uri=$request_uri status=$status alpn=$ssl_alpn_protocol';

 server {
    listen 443 ssl http2;
    ssl_certificate      /etc/ssl/www.example.com.crt;
    ssl_certificate_key  /etc/ssl/www.example.com.key;

    root /usr/share/nginx/html;
    access_log /var/log/nginx/access.log alpn;
 }

 # vim: syntax=nginx
diff --git a/alpn_protocols.conf b/alpn_protocols.conf
 stream {
    upstream filer {
        server 10.0.0.100:990;
        server 10.0.0.110:990;
    }

    server {
        listen 990 ssl;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        proxy_pass  filer;
        ssl_alpn    ftp; # Accept only ALPN/FTP connections
    }
 }

 # vim: syntax=nginx
diff --git a/async_timeouts.js b/async_timeouts.js
 let msg = [];
 
 function test(r) {
        setTimeout(() => {msg.push('a')}, 100);
        setTimeout(() => {msg.push('b')}, 20);
        setTimeout(() => {msg.push('c')}, 0);
        r.return(200, msg.join('-'));
 }

 export default {test}
diff --git a/async_timeouts_wrapped.js b/async_timeouts_wrapped.js
 function test(r) {
        let p1 = new Promise((resolve) => {
                setTimeout(() => {msg.push("a"); resolve()}, 100, resolve)
        });
 
        let p2 = new Promise((resolve) => {
                setTimeout(() => {msg.push("b"); resolve()}, 20, resolve)
        });

        Promise.all([p1, p2]).then(() => {
                r.return(200, `${msg.join()}\n`)
        })
 }
diff --git a/host.conf b/host.conf
 js_import host from conf.d/host.js;
 js_set $hosthash host.host_hash;

 server {
    listen 80;

    location / {
        return 200 $hosthash;
    }
 }

 # vim: syntax=nginx
diff --git a/host.js b/host.js
 async function host_hash(r) {
        let hash = await crypto.subtle.digest('SHA-512', r.headersIn.host);
        r.setReturnValue(Buffer.from(hash).toString('hex'));
 }

 export default { host_hash }
diff --git a/jwks_content_caching.conf b/jwks_content_caching.conf
 http {
    proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;

    server {
        listen       127.0.0.1:8080;

        auth_jwt "closed site";
        auth_jwt_key_cache 3h; 
        auth_jwt_key_request /_jwks_uri;
  
        location / {
            proxy_pass http://my_backend;
        }
        location = /_jwks_uri {
            internal;
            proxy_cache jwk;                              # Cache the JWK Set recieved from IdP
            proxy_cache_valid 200 12h;                    # How long to consider keys "fresh"
            proxy_cache_use_stale error timeout updating; # Use old JWK Set if cannot reach IdP
            proxy_ssl_server_name on;                     # For SNI to the IdP
            proxy_method GET;                             # In case client request was non-GET
            proxy_set_header Content-Length "";           # ''
            proxy_pass https://idp-jwk-endpoint;
            proxy_ignore_headers Cache-Control Expires Set-Cookie; # Does not influence caching
        }
    }
 }

 # vim: syntax=nginx
diff --git a/jwks_memory_caching.conf b/jwks_memory_caching.conf
 http {
    server {
        listen       127.0.0.1:8080;

        auth_jwt "closed site";
        auth_jwt_key_cache 3h; 
        auth_jwt_key_file conf.d/jwk.json;
  
        location / {
            proxy_pass http://my_backend;
        }	
    }
 }

 # vim: syntax=nginx
diff --git a/promise.js b/promise.js
 const fs = require('fs').promises;

 function test(r) {
        myFileread('user.txt').then((data) => r.return(200, data)).catch((msg) => r.return(400, msg))
 }

 let myFileread = async(filename) => {
        if (filename != "user.txt") {
                throw new Error(`Filename not allowed`);
        } 
        else {
                let r = await fs.readFile(`/etc/nginx/conf.d/${filename}`);
                return r;
        }	
 }
diff --git a/promise_rejected.js b/promise_rejected.js
 const fs = require('fs').promises;

 function test(r) {
        myFileread('user.txt').then((data) => r.return(200, data)).catch((msg) => r.return(400, msg))
 }

 let myFileread = async(filename) => {
        if (filename != "user.txt") {
                return Promise.reject("Error: Filename not allowed");
        } 
        else {
                let r = await fs.readFile(`/etc/nginx/conf.d/${filename}`);
                return r;
        }	
 }
diff --git a/random_number.conf b/random_number.conf
 js_import conf.d/random_number.js;

 server {
    listen 80;
    location / {
        js_content random_number.random;
    }
 }

 # vim: syntax=nginx
diff --git a/random_number.js b/random_number.js
 require('crypto');

 function random(r) {
        const buffer = crypto.getRandomValues(new Uint32Array(8));
        return r.return(200, buffer.toString());
 }

 export default { random }
	log_format alpn '$time_iso8601 client=$remote_addr method=$request_method '
	'uri=$request_uri status=$status alpn=$ssl_alpn_protocol';

	server {
	listen 443 ssl http2;
	ssl_certificate /etc/ssl/www.example.com.crt;
	ssl_certificate_key /etc/ssl/www.example.com.key;

	root /usr/share/nginx/html;
	access_log /var/log/nginx/access.log alpn;
	}

	# vim: syntax=nginx
	stream {
	upstream filer {
	server 10.0.0.100:990;
	server 10.0.0.110:990;
	}

	server {
	listen 990 ssl;
	ssl_certificate /usr/local/nginx/conf/cert.pem;
	ssl_certificate_key /usr/local/nginx/conf/cert.key;
	proxy_pass filer;
	ssl_alpn ftp; # Accept only ALPN/FTP connections
	}
	}

	# vim: syntax=nginx
	let msg = [];

	function test(r) {
	setTimeout(() => {msg.push('a')}, 100);
	setTimeout(() => {msg.push('b')}, 20);
	setTimeout(() => {msg.push('c')}, 0);
	r.return(200, msg.join('-'));
	}

	export default {test}
	function test(r) {
	let p1 = new Promise((resolve) => {
	setTimeout(() => {msg.push("a"); resolve()}, 100, resolve)
	});

	let p2 = new Promise((resolve) => {
	setTimeout(() => {msg.push("b"); resolve()}, 20, resolve)
	});

	Promise.all([p1, p2]).then(() => {
	r.return(200, `${msg.join()}\n`)
	})
	}
	js_import host from conf.d/host.js;
	js_set $hosthash host.host_hash;

	server {
	listen 80;

	location / {
	return 200 $hosthash;
	}
	}

	# vim: syntax=nginx
	async function host_hash(r) {
	let hash = await crypto.subtle.digest('SHA-512', r.headersIn.host);
	r.setReturnValue(Buffer.from(hash).toString('hex'));
	}

	export default { host_hash }
	http {
	proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;

	server {
	listen 127.0.0.1:8080;

	auth_jwt "closed site";
	auth_jwt_key_cache 3h;
	auth_jwt_key_request /_jwks_uri;

	location / {
	proxy_pass http://my_backend;
	}
	location = /_jwks_uri {
	internal;
	proxy_cache jwk; # Cache the JWK Set recieved from IdP
	proxy_cache_valid 200 12h; # How long to consider keys "fresh"
	proxy_cache_use_stale error timeout updating; # Use old JWK Set if cannot reach IdP
	proxy_ssl_server_name on; # For SNI to the IdP
	proxy_method GET; # In case client request was non-GET
	proxy_set_header Content-Length ""; # ''
	proxy_pass https://idp-jwk-endpoint;
	proxy_ignore_headers Cache-Control Expires Set-Cookie; # Does not influence caching
	}
	}
	}

	# vim: syntax=nginx
	const fs = require('fs').promises;

	function test(r) {
	myFileread('user.txt').then((data) => r.return(200, data)).catch((msg) => r.return(400, msg))
	}

	let myFileread = async(filename) => {
	if (filename != "user.txt") {
	throw new Error(`Filename not allowed`);
	}
	else {
	let r = await fs.readFile(`/etc/nginx/conf.d/${filename}`);
	return r;
	}
	}
	js_import conf.d/random_number.js;

	server {
	listen 80;
	location / {
	js_content random_number.random;
	}
	}

	# vim: syntax=nginx
	require('crypto');

	function random(r) {
	const buffer = crypto.getRandomValues(new Uint32Array(8));
	return r.return(200, buffer.toString());
	}

	export default { random }