kopia lustrzana https://github.com/alecmuffett/eotk
commit: first cut.
rodzic
60404dc68f
commit
a7cb73e387
|
@ -9,7 +9,6 @@
|
|||
|
||||
__*
|
||||
*~
|
||||
?
|
||||
.DS_Store
|
||||
|
||||
!demo.d/*.tconf
|
||||
|
|
|
@ -35,7 +35,15 @@
|
|||
# set x_from_onion_value 1
|
||||
|
||||
# When you're proving SSL ownership, you may want arbitrary text
|
||||
# strings to be returned for a GET upon an arbitrary "/path" regexp
|
||||
# strings to be returned for a GET upon an arbitrary "/path"
|
||||
#
|
||||
# set ssl_proof_csv \
|
||||
# /.well_known/fookey1,fooval1 \
|
||||
# /.well_known/fookey2,fooval2
|
||||
|
||||
# ...and a similar, more generic, regular-expression-based solution
|
||||
# for fixed strings to be returned for a GET upon an arbitrary
|
||||
# location (restricted to HTTPS-only)
|
||||
#
|
||||
# set hardcoded_endpoint_csv ^/regexp/pattern/?$,stringvalue ...
|
||||
|
||||
|
|
|
@ -1,80 +0,0 @@
|
|||
# -*- conf -*-
|
||||
# eotk (c) 2017 Alec Muffett
|
||||
|
||||
# CSVs of canonical domains (eg: email) to preserve (todo: more here?)
|
||||
# nb: you must explicitly list all domains that are of preservation;
|
||||
# "foo.com" & "www.foo.com" are treated as separate, for this purpose
|
||||
set preserve_csv \
|
||||
tld-wp,wikipedia\\.org,i,wikipedia.org \
|
||||
tld-wm,wikimedia\\.org,i,wikimedia.org
|
||||
|
||||
# FIX THIS TO USE A LOCAL RESOLVER, BECAUSE PERFORMANCE
|
||||
set nginx_resolver \
|
||||
8.8.8.8 \
|
||||
8.8.4.4 \
|
||||
ipv6=off
|
||||
|
||||
# cache persistence & size; sized for RaspberryPi (256m)
|
||||
set nginx_cache_seconds 60
|
||||
set nginx_cache_size 256m
|
||||
set nginx_tmpfile_size 64m
|
||||
|
||||
# proof-of-concept: let's make this read-only:
|
||||
set suppress_methods_except_get 1
|
||||
|
||||
# proof-of-concept: block access to some hosts
|
||||
set block_host_re \
|
||||
^(login|donate)\\.
|
||||
|
||||
# proof-of-concept: block access to some paths
|
||||
set block_path_re \
|
||||
/User: \
|
||||
/Special:(UserLogin|(Create|Merge)Account|RenameRequest)\\b
|
||||
|
||||
# proof-of-concept: block requests where parameters have certain values
|
||||
set block_param_re \
|
||||
title,^User: \
|
||||
title,^Special:(UserLogin|(Create|Merge)Account|RenameRequest)\\b
|
||||
|
||||
# proof-of-concept: blacklist requests to some paths
|
||||
set path_blacklist_re \
|
||||
^\\. \
|
||||
^\\w+\\.php$ \
|
||||
\\.(sql|gz|tgz|zip|bz2)$ \
|
||||
^server-status$
|
||||
|
||||
# proof-of-concept: whitelist reasonable user-agents (anything else => ded)
|
||||
set user_agent_whitelist_re \
|
||||
^Mozilla.*Gecko
|
||||
|
||||
# suggestion: you might want to investigate "no_cache_content_type" or
|
||||
# "no_cache_host" if you want limitations on caching...
|
||||
|
||||
# demo: CSV list to implement ownership proof URIs for EV SSL issuance
|
||||
# set hardcoded_endpoint_csv \
|
||||
# ^/proof/foo/?$,"FOOPROOF" \
|
||||
# ^/proof/bar/?$,"BARPROOF"
|
||||
|
||||
# demo: magic cookie-issuing URL to restrict access until ready to launch
|
||||
# set cookie_lock /open-sesame
|
||||
|
||||
# index of other onion sites ("what happens in onion, should stay in onion")
|
||||
foreignmap facebookcorewwwi facebook.com
|
||||
foreignmap nytimes3xbfgragh nytimes.com
|
||||
|
||||
# the Wikimedia Foundation have lots of sites
|
||||
set project wikipedia
|
||||
hardmap %NEW_ONION% mediawiki.org
|
||||
hardmap %NEW_ONION% wikidata.org
|
||||
hardmap %NEW_ONION% wikimedia.org
|
||||
hardmap %NEW_ONION% wikimediafoundation.org
|
||||
# the following have an `m` subdomain
|
||||
hardmap %NEW_ONION% wikibooks.org m
|
||||
hardmap %NEW_ONION% wikinews.org m
|
||||
hardmap %NEW_ONION% wikipedia.org m
|
||||
hardmap %NEW_ONION% wikiquote.org m
|
||||
hardmap %NEW_ONION% wikisource.org m
|
||||
hardmap %NEW_ONION% wikiversity.org m
|
||||
hardmap %NEW_ONION% wikivoyage.org m
|
||||
hardmap %NEW_ONION% wiktionary.org m
|
||||
# nb: by subdomain we mean FOO in en.FOO.wikipedia.org, etc.
|
|
@ -121,20 +121,28 @@ rendering these issues moot.
|
|||
|
||||
## IMPORTANT: if all of your "proof" URLs have DIFFERENT pathnames?
|
||||
|
||||
Small amounts of plain-text page content may be embedded using
|
||||
regular-expressions for pathnames; this is done using
|
||||
`hardcoded_endpoint_csv` and the following example will emit
|
||||
`FOOPROOF` (or `BARPROOF`) for accesses to `/www/.well_known/foo` or
|
||||
`../.well_known/bar` respectively, ignoring trailing slashes. Note
|
||||
the use of double-backslash to escape "dots" in the regular
|
||||
expression, and use of backslash-indent to continue/enable several
|
||||
such paths.
|
||||
Small amounts of plain-text page content may be embedded using small,
|
||||
fixed pathname strings; this is done using `ssl_proof_csv` and the
|
||||
following example will emit `FOOPROOF` (or `BARPROOF`) for accesses to
|
||||
`/www/.well_known/foo` (or `.../bar`) respectively.
|
||||
|
||||
Note: unlike the previous mechanism which was based on the
|
||||
regular-expression-based `hardcoded_endpoint_csv`, these strings are
|
||||
checked verbatim against the location, so that `/.well_known/FOO`
|
||||
becomes `location = "/.well_known/FOO" {...}` in the NGINX
|
||||
configuration.
|
||||
|
||||
Also, as an improvement to the previous mechanism, these endpoints are
|
||||
available in **both** HTTP and HTTPS, irrespective of the state of
|
||||
the `force_ssl` setting.
|
||||
|
||||
Example code:
|
||||
|
||||
```
|
||||
# demo: CSV list to implement ownership proof URIs for EV SSL issuance
|
||||
set hardcoded_endpoint_csv \
|
||||
^/www/\\.well_known/foo/?$,"FOOPROOF" \
|
||||
^/www/\\.well_known/bar/?$,"BARPROOF"
|
||||
set ssl_proof_csv \
|
||||
/.well_known/FOO,FOOPROOF \
|
||||
/.well_known/BAR,BARPROOF
|
||||
```
|
||||
|
||||
## IMPORTANT: if all your "proof" URLs have THE SAME pathname?
|
||||
|
|
|
@ -619,6 +619,7 @@ my @set_blank = qw(
|
|||
referer_blacklist_re
|
||||
referer_whitelist
|
||||
referer_whitelist_re
|
||||
ssl_proof_csv
|
||||
tor_intros_per_daemon
|
||||
user_agent_blacklist
|
||||
user_agent_blacklist_re
|
||||
|
|
|
@ -129,6 +129,7 @@ my %known =
|
|||
'SOFTMAP_TOR_WORKERS' => 1,
|
||||
'SSL_DIR' => 1, # where ssl certs for the current project live
|
||||
'SSL_MKCERT' => 1,
|
||||
'SSL_PROOF_CSV' => 1,
|
||||
'SSL_TOOL' => 1,
|
||||
'SUPPRESS_HEADER_CSP' => 1,
|
||||
'SUPPRESS_HEADER_HPKP' => 1,
|
||||
|
|
|
@ -608,6 +608,17 @@ http {
|
|||
# tor2web not suppressed
|
||||
%%ENDIF
|
||||
|
||||
%%IF %SSL_PROOF_CSV%
|
||||
# ssl_proof: 1=fixed_path,2=response
|
||||
%%CSV %SSL_PROOF_CSV%
|
||||
location = "%1%" {
|
||||
return 200 "%2%";
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no ssl_proof
|
||||
%%ENDIF
|
||||
|
||||
# tell the client to try again as HTTPS without ever leaving the onion
|
||||
# use 307 / temporary redirect because your URIs may change in future
|
||||
# use $host (not $server) to copy-over subdomains, etc, transparently
|
||||
|
@ -670,15 +681,26 @@ http {
|
|||
# no "hello-onion" endpoint
|
||||
%%ENDIF
|
||||
|
||||
%%IF %HARDCODED_ENDPOINT_CSV%
|
||||
# hardcoded_endpoints: 1=path_re,2=response
|
||||
%%CSV %HARDCODED_ENDPOINT_CSV%
|
||||
location ~ "%1%" {
|
||||
return 200 %2%;
|
||||
%%IF %SSL_PROOF_CSV%
|
||||
# ssl_proof: 1=fixed_path,2=response
|
||||
%%CSV %SSL_PROOF_CSV%
|
||||
location = "%1%" {
|
||||
return 200 "%2%";
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no hardcoded_endpoints
|
||||
# no ssl_proof
|
||||
%%ENDIF
|
||||
|
||||
%%IF %HARDCODED_ENDPOINT_CSV%
|
||||
# hardcoded_endpoint: 1=path_re,2=response
|
||||
%%CSV %HARDCODED_ENDPOINT_CSV%
|
||||
location ~ "%1%" {
|
||||
return 200 "%2%";
|
||||
}
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no hardcoded_endpoint
|
||||
%%ENDIF
|
||||
|
||||
%%IF exists templates.d/nginx-site-%ONION_ADDRESS%.conf
|
||||
|
|
Ładowanie…
Reference in New Issue