kopia lustrzana https://github.com/alecmuffett/eotk
248 wiersze
8.4 KiB
Plaintext
248 wiersze
8.4 KiB
Plaintext
# -*- conf -*-
|
|
|
|
# ---- INTERNAL STUFF && STUFF YET TO BE DOC'D, DON'T MESS WITH THIS ----
|
|
|
|
# set debug_trap
|
|
# set foreignmap_csv
|
|
# set nginx_action_abort
|
|
# set preserve_after
|
|
# set preserve_before
|
|
# set project
|
|
# set projects_home
|
|
# set ssl_tool
|
|
# set template_tool
|
|
# set tor_worker_prefix
|
|
# nonce128_1
|
|
# nonce128_2
|
|
# nonce128_3
|
|
# nonce128_4
|
|
# nonce128_5
|
|
# nonce256_1
|
|
# nonce256_2
|
|
# nonce256_3
|
|
# nonce256_4
|
|
# nonce256_5
|
|
|
|
# ---- CUTE HACKS ----
|
|
|
|
# create a URL which must be hit BEFORE the onion will work (sets a
|
|
# cookie, cheap/hacky form of access control)
|
|
#
|
|
# set cookie_lock /open-sesame
|
|
|
|
# EOTK sets a header (X-From-Onion) to pass to Origin; default value is "1"
|
|
#
|
|
# set x_from_onion_value 1
|
|
|
|
# Other headers to pass upstream to Origin in order to enable
|
|
# whitelisting, etc; be careful not to tread on any which are
|
|
# controlled elsewhere / by other means, such as "Host" or
|
|
# "Accept-Encoding", as those MUST win. It is preferred for the
|
|
# Origin to detect and whitelist "X-From-Onion", but this provides an
|
|
# alternative. See "nginx.conf.txt" for relevant code.
|
|
#
|
|
# set inject_headers_upstream header-name,header-value [...]
|
|
|
|
# When you're proving SSL ownership, you may want arbitrary text
|
|
# strings to be returned for a GET upon an arbitrary "/path"
|
|
#
|
|
# set ssl_proof_csv \
|
|
# /.well_known/fookey1,fooval1 \
|
|
# /.well_known/fookey2,fooval2
|
|
|
|
# ...and a similar, more generic, regular-expression-based solution
|
|
# for fixed strings to be returned for a GET upon an arbitrary
|
|
# location (restricted to HTTPS-only)
|
|
#
|
|
# set hardcoded_endpoint_csv ^/regexp/pattern/?$,stringvalue ...
|
|
|
|
# ---- PRESERVE_CSV ----
|
|
|
|
# EOTK uses a search-and-replace strategy for editing content on the
|
|
# fly; one side-effect of this is that some instances of domain names
|
|
# may be rewritten unwantedly (eg: email addresses like
|
|
# foo@facebook.com become foo@facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion)
|
|
|
|
# `preserve_csv` uses a very simple heuristic to try and protect
|
|
# plaintext domain names from being rewritten.
|
|
|
|
# set preserve_csv uniquetoken,regexp,regexpcaseflag,replacement ...
|
|
|
|
# eg: `set preserve_csv fbtld,facebook\\.com,i,facebook.com` ... will
|
|
# canonicalise FOO@FACEBOOK.COM to FOO@facebook.com (because the 'i'
|
|
# flag implies case-insensitive) but at least it won't be onionified.
|
|
|
|
# ---- REDIRECTS BY HOST OR URL-PATH ----
|
|
|
|
# ...redirects which preserve the trailing request URI
|
|
# set redirect_host regexp,code,destination ...
|
|
# set redirect_path regexp,code,destination ...
|
|
# ...redirects which DO NOT preserve the trailing request URI
|
|
# set redirect_fixed_host regexp,code,destination ...
|
|
# set redirect_fixed_path regexp,code,destination ...
|
|
|
|
# ---- BLOCKING SITES BY NAME OR REGEXP ----
|
|
|
|
# you can use either/both of the re/non-re forms of host-blocking and
|
|
# location-blocking, however the variables are single-valued so be
|
|
# careful of polluting multiple projects. If your site needs
|
|
# different blocking for different onions, consider splitting your
|
|
# config into multiple files and using `foreignmap` to stitch the
|
|
# hostname rewrites together. Blocks generally cause a 403.
|
|
|
|
# set block_err "This action is not supported over Onion yet sorry."
|
|
# set block_host value ...
|
|
# set block_host_re regexp ...
|
|
# set block_location value # DEPRECATED DO NOT USE
|
|
# set block_location_re # DEPRECATED DO NOT USE
|
|
# set block_origin value ...
|
|
# set block_origin_re regexp ...
|
|
# set block_param value ...
|
|
# set block_param_re regexp ...
|
|
# set block_path value ...
|
|
# set block_path_re regexp ...
|
|
# set block_referer value ...
|
|
# set block_referer_re regexp ...
|
|
# set block_user_agent value ...
|
|
# set block_user_agent_re regexp ...
|
|
|
|
# ---- BLACKLISTS AND WHITELISTS ----
|
|
|
|
# You may blacklist or whitelist characteristics of requests;
|
|
# blacklists are applied first, whitelists second. Whitelists are
|
|
# "all requests not matching <foo> will fail". Blacklists are "all
|
|
# requests matching <foo> will fail". Failures are generally 500
|
|
# because it presents the least attack surface to a penetration
|
|
# tester. All black/whitelists are multi-valued (you may specify
|
|
# several values on one line, space-separated)
|
|
|
|
# set host_blacklist value ...
|
|
# set host_blacklist_re regexp ...
|
|
# set host_whitelist value ...
|
|
# set host_whitelist_re regexp ...
|
|
# set origin_blacklist value ...
|
|
# set origin_blacklist_re regexp ...
|
|
# set origin_whitelist value ...
|
|
# set origin_whitelist_re regexp ...
|
|
# set param_blacklist value ...
|
|
# set param_blacklist_re regexp ...
|
|
# set param_whitelist value ...
|
|
# set param_whitelist_re regexp ...
|
|
# set path_blacklist value ...
|
|
# set path_blacklist_re regexp ...
|
|
# set path_whitelist value ...
|
|
# set path_whitelist_re regexp ...
|
|
# set referer_blacklist value ...
|
|
# set referer_blacklist_re regexp ...
|
|
# set referer_whitelist value ...
|
|
# set referer_whitelist_re regexp ...
|
|
# set user_agent_blacklist value ...
|
|
# set user_agent_blacklist_re regexp ...
|
|
# set user_agent_whitelist value ...
|
|
# set user_agent_whitelist_re regexp ...
|
|
|
|
# ---- "EXTRA PROCESSING" ----
|
|
|
|
# By default, EOTK rewrites application/javascript application/json
|
|
# application/x-javascript text/css text/html text/javascript
|
|
# text/xml; you can add to this list, if necessary ...
|
|
#
|
|
# set extra_subs_filter_types xml/foo+bar ...
|
|
|
|
# This is a list of "content-type,uri-regexp" patterns of content to
|
|
# apply "extra processing" (ie: content hostname rewrites) too; if for
|
|
# instance your CMS emits JSON as "application/octet-stream" in file
|
|
# URIs ending with ".jblob" then you could try something like:
|
|
#
|
|
# set extra_processing_csv type/subtype,regexp ...
|
|
# set extra_processing_csv application/octet-stream,\\.jblob$
|
|
|
|
# ---- NGINX TUNABLES ----
|
|
|
|
# set nginx_block_busy_size 32k
|
|
# set nginx_block_count 32
|
|
# set nginx_block_size 16k
|
|
# set nginx_hash_bucket_size 128
|
|
# set nginx_resolver 8.8.8.8
|
|
# set nginx_rlim 256
|
|
# set nginx_syslog error
|
|
# set nginx_template $here/templates.d/nginx.conf.txt
|
|
# set nginx_timeout 15
|
|
# set nginx_tmpfile_size 256m
|
|
# set nginx_workers auto
|
|
# set softmap_nginx_workers auto
|
|
|
|
# ---- CREATE A HELLO_ONION PAGE ----
|
|
|
|
# set nginx_hello_onion 1
|
|
|
|
# ---- NGINX CACHING ----
|
|
|
|
# Setting nginx_cache_seconds to a value greater than zero will enable
|
|
# caching; after that the other variables will come into play.
|
|
|
|
# set nginx_cache_seconds 0
|
|
# set nginx_cache_min_uses 1
|
|
# set nginx_cache_size 256m
|
|
# set no_cache_content_type
|
|
# set no_cache_host
|
|
|
|
# ---- SSL CERTIFICATE DIRECTORY ----
|
|
|
|
# Probably wisest not to mess with this value, but instead to drop
|
|
# your relevant certificates into projects.d/PROJECTNAME.d/ssl.d and
|
|
# check your file permissions very carefully, because (eg:) softmap
|
|
# and rsync will need/replicate this data. Make sure you have safe
|
|
# copies stored elsewhere.
|
|
|
|
# set ssl_dir $ENV{PROJECT_DIR}/ssl.d
|
|
|
|
# ---- HTTP/S security options ----
|
|
|
|
# THIS ONE IS IMPORTANT: `force_https` is enabled by default and
|
|
# prevents EOTK from making cleartext HTTP requests over the internet,
|
|
# instead it requests the user to retry the request as HTTPS; setting
|
|
# this by default WILL BREAK SOME SITES however it's proper to have it
|
|
# as default behaviour. If you experience "too many redirects" errors
|
|
# when connecting over the onion, this may be the cause, and although
|
|
# you can disable it, it would be better to fix your site to be HTTPS.
|
|
|
|
# set force_https 1 # `on` by default
|
|
|
|
# We delete HPKP and HSTS completely (TorBrowser does not support them
|
|
# because anonymity issues) and CSP by default we attempt to rewrite,
|
|
# but you can likewise disable.
|
|
|
|
# set suppress_header_csp 0 # 0 = try rewriting; 1 = elide completely
|
|
# set suppress_header_hpkp 1 # 1 = elide completely
|
|
# set suppress_header_hsts 1 # 1 = elide completely
|
|
# set suppress_methods_except_get 0 # 1 = GET/HEAD Only
|
|
# set suppress_tor2web 1 # 1 = suppress (let them use clearnet)
|
|
|
|
# ---- TOR TUNING ----
|
|
|
|
# set tor_intros_per_daemon 3
|
|
# set tor_single_onion 1
|
|
# set tor_syslog notice
|
|
# set tor_template $here/templates.d/tor.conf.txt
|
|
# set softmap_tor_workers 2
|
|
|
|
# ---- PROJECTS & MAPPINGS ----
|
|
|
|
# foreignmaps are onion-to-site mappings that exist outside of this
|
|
# particular configuration file, eg: for some other site.
|
|
foreignmap facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd facebook.com
|
|
|
|
# hardmaps use tor daemon configs with onions hard-coded in them
|
|
|
|
set project hardexample
|
|
hardmap %NEW_V3_ONION% foo.local
|
|
hardmap %NEW_V3_ONION% bar.local
|
|
|
|
# softmaps use onionbalance software to loadbalance across workers
|
|
|
|
set project softexample
|
|
softmap %NEW_V3_ONION% example.com
|
|
softmap %NEW_V3_ONION% example.org
|
|
softmap %NEW_V3_ONION% example.net
|