# Implement TLS 1.3 0-RTT anti-replay for NGINX
#
# A request carried in TLS early data can be replayed by a network attacker,
# which is only harmless if the request is idempotent. While the handshake is
# still incomplete ($ssl_early_data = 1), a non-idempotent request is therefore
# either rejected with 425 Too Early (RFC 8470) for clients known to retry on
# it, or redirected with 307 so the client re-sends it after the handshake has
# completed.
#
# Requires: NGINX directive "ssl_early_data" on
# Usage:
# Make sure these "map" blocks are included in "http" block
# Put the following two lines in SSL "server" block, before any "location" blocks
# if ($anti_replay = 307) { return 307 https://$host$request_uri; }
# if ($anti_replay = 425) { return 425; }
# NOTE(review): $host is derived from the client's Host header when one is
# present; if this server block can be reached with an unexpected Host value
# (for example as default_server), consider redirecting to $server_name or a
# fixed hostname so the redirect target is not client-controlled.
# Pass "Early-Data" header to backend/upstream
# Only for 0-RTT requests from clients that understand 425 status code (RFC 8470)
# fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
# proxy_set_header Early-Data $rfc_early_data;
# Copyright © myrevery
# Copyright © 7677333 (An anagram of a Anonymous Cybersecurity Research Team)

# 1 when the request is treated as safe to replay: GET without a query string
# ($is_args empty), or HEAD/OPTIONS/TRACE with or without one. GET with
# arguments does not match and falls through to 0, i.e. it is treated as
# unsafe -- this looks deliberate (conservative) rather than an oversight.
# Every other method (POST, PUT, DELETE, ...) is 0.
map "$request_method:$is_args" $ar_idempotent {
default 0;
"~^GET:$|^(HEAD|OPTIONS|TRACE):\?*$" 1;
}
# 1 for User-Agents known to retry on a 425 response: Firefox 58 and later
# (58, 59, 60-99, 100+). Everything else, including other browsers, is 0 and
# will receive the 307 redirect instead of 425.
map $http_user_agent $ar_support_425 {
default 0;
"~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1;
}
# Action for the two "if" lines in the server block. Only non-idempotent
# early-data requests get a value; there is no "default", so every other
# combination yields an empty string and neither "if" fires.
map "$ssl_early_data:$ar_idempotent:$ar_support_425" $anti_replay {
1:0:0 307;
1:0:1 425;
}
# Value of the Early-Data request header forwarded upstream: "1" only for an
# early-data request from a 425-capable client, empty otherwise, so the
# backend never answers 425 to a client that cannot handle it.
map "$ssl_early_data:$ar_support_425" $rfc_early_data {
1:1 1;
}