-
-
Notifications
You must be signed in to change notification settings - Fork 92
Expand file tree
/
Copy pathrawgithack.conf
More file actions
284 lines (241 loc) · 10 KB
/
rawgithack.conf
File metadata and controls
284 lines (241 loc) · 10 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
# rawgithack
# server configuration
gzip on;
gzip_types *;
gzip_comp_level 6;
resolver 1.1.1.1 1.0.0.1;
error_log logs/error.log warn;
log_not_found off;
proxy_cache_path /var/cache/nginx/rawgithack
use_temp_path=off levels=1:2
min_free=3g inactive=30d
keys_zone=rawgithack.cache:100m;
map $host $is_cdn {
~*^\w+cdn\.githack\.com$ 1;
default 0;
}
# file extension to mime-type mapping
# kind of workaround because nginx can detect mime-type only for local file
map $extension $detect_content_type {
~*^(?:appcache|manifest)$ text/cache-manifest;
~*^atom$ application/atom+xml;
~*^bat$ application/x-msdownload;
~*^coffee$ text/coffeescript;
~*^css$ text/css;
~*^csv$ text/csv;
~*^eot$ application/vnd.ms-fontobject;
~*^geojson$ application/vnd.geo+json;
~*^(?:hbs|handlebars)$ text/x-handlebars-template;
~*^htc$ text/x-component;
~*^html?$ text/html;
~*^ics$ text/calendar;
~*^jscad$ application/javascript;
~*^json$ application/json;
~*^jsonld$ application/ld+json;
~*^kml$ application/vnd.google-earth.kml+xml;
~*^(?:md|markdown)$ text/markdown;
~*^m?js$ application/javascript;
~*^mhtml$ multipart/related;
~*^n3$ text/n3;
~*^nt$ application/n-triples;
~*^otf$ font/otf;
~*^(?:owl|rdf)$ application/rdf+xml;
~*^pdf$ application/pdf;
~*^rss$ application/rss+xml;
~*^shexc?$ text/shex;
~*^svg$ image/svg+xml;
~*^swf$ application/x-shockwave-flash;
~*^stl$ model/stl;
~*^tt(?:c|f)$ application/x-font-ttf;
~*^ttl$ text/turtle;
~*^vcard$ text/vcard;
~*^vcf$ text/x-vcard;
~*^vtt$ text/vtt;
~*^woff$ application/font-woff;
~*^woff2$ application/font-woff2;
~*^xht(?:ml)?$ application/xhtml+xml;
~*^xml$ text/xml;
~*^txt$ text/plain;
~*^(?:xsl|xsd)$ application/xml;
~*^xslt$ application/xslt+xml;
~*^ya?ml$ text/yaml;
~*^wasm$ application/wasm;
~*^(?:d|s)?rpm$ application/x-redhat-package-manager;
}
# defines which extensions should include charset definition
map $extension $content_type_charset_string {
~*^(?:bat|eot|htc|kml|nt|otf|pdf|svg|swf|ttc|ttf|woff2?|wasm|rpm|drpm|srpm)$ '';
default '; charset=utf-8';
}
map $host $origin {
~*^gl(?:cdn)?\.githack\.com$ gitlab.com;
~*^bb(?:cdn)?\.githack\.com$ bitbucket.org;
~*^raw(?:cdn)?\.githack\.com$ raw.githubusercontent.com;
~*^gist(?:cdn)?\.githack\.com$ gist.githubusercontent.com;
~*^gt(?:cdn)?\.githack\.com$ gitea.com;
~*^cb(?:cdn)?\.githack\.com$ codeberg.org;
}
map $status:$is_cdn:$detect_content_type:$limit_req_status $cache_control {
~*^410: 'max-age=31536000, public, immutable';
~*^[23]\d\d:1:(?!text/html) 'max-age=31536000, public, immutable';
~*^[23]\d\d:1:text/html 'max-age=86400, private';
~*^[23]\d\d:0:text/html 'max-age=60, private';
~*^[23]\d\d:0:.*:REJECTED_DRY_RUN 'max-age=3600, public, stale-while-revalidate=60, stale-if-error=604800';
~*^[23]\d\d:0:.*:DELAYED_DRY_RUN 'max-age=300, public, stale-while-revalidate=60, stale-if-error=604800';
default 'max-age=60, public, stale-while-revalidate=60, stale-if-error=604800';
}
map "$detect_content_type:$http_sec_fetch_dest:$http_cookie" $show_phishing_notice {
"~^text/html:document:(?:.*;\s?)?__Http-phish=" 0;
"~^text/html:document:" 1;
default 0;
}
map "$request_method $http_referer $http_host$request_uri" $phish_proceed {
"~^POST https?://([^ ]+) \1$" 1;
default 0;
}
limit_req_zone $http_cf_connecting_ip$binary_remote_addr zone=purge:1m rate=5r/m;
limit_req_zone $origin$uri zone=hotfile:10m rate=10r/m;
limit_req_log_level notice;
lua_package_path '/etc/nginx/rawgithack/?.lua;;';
lua_ssl_verify_depth 2;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 $scheme://raw.githack.com$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name *.githack.com;
error_page 460 = /internal/phishing-notice.html;
error_page
400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 421 422 423 424 426 428 429 431 451
500 501 503 504 505 506 507 508 510 511
/internal/error.html;
root /etc/nginx/rawgithack/web;
rewrite ^/index(\.html)?$ / permanent;
rewrite ^(/[^/]+/[^/]+/[^/]+/(?:[^/]+/)*)$ ${uri}index.html;
merge_slashes off;
# this really merges slashes
rewrite ^(.*)//+(.*)$ $1/$2 permanent;
include rawgithack/blacklist*;
ssi_silent_errors on;
location = / {
limit_except GET { deny all; }
if ($host != 'raw.githack.com') {
return 301 https://raw.githack.com/$is_args$args;
}
ssi on;
add_header Cache-Control 'max-age=86400, private';
try_files /index.html =404;
}
location /internal/ {
ssi on;
internal;
add_header Cache-Control $cache_control always;
location = /internal/phishing-notice.html {
add_header Vary 'Cookie' always;
add_header Cache-Control 'no-store' always;
}
}
location ~* ^(?<repo>/[^/]+/[^/]+)/[^/]+/.+?(?:\.(?<extension>[a-zA-Z0-9]+))?$ {
limit_except GET POST { deny all; }
if ($phish_proceed) {
add_header Cache-Control 'no-store' always;
add_header Set-Cookie '__Http-phish=1; Path=$repo/; Max-Age=86400; SameSite=Lax; HttpOnly; Secure' always;
return 303 https://$http_host$request_uri;
}
if ($request_method = POST) { return 403; }
if ($show_phishing_notice) { return 460; }
if ($detect_content_type = '') {
add_header X-Robots-Tag none;
add_header Cache-Control 'max-age=86400, public';
add_header Access-Control-Allow-Origin *;
return 301 https://$origin$request_uri;
}
limit_req_dry_run on;
limit_req zone=hotfile burst=10;
proxy_read_timeout 30s;
proxy_cache_lock_timeout 35s;
# caching
proxy_cache rawgithack.cache;
proxy_cache_key "$origin$uri";
proxy_cache_revalidate on;
proxy_cache_valid any 1m;
proxy_cache_use_stale updating;
proxy_cache_background_update on;
proxy_cache_lock on;
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 16k;
proxy_force_ranges on;
proxy_http_version 1.1;
proxy_set_header "Connection" "";
proxy_ignore_headers
X-Accel-Limit-Rate
X-Accel-Buffering
X-Accel-Redirect
X-Accel-Expires
X-Accel-Charset
Cache-Control
Set-Cookie
Expires
Vary;
proxy_intercept_errors on;
proxy_ssl_server_name on;
proxy_pass https://$origin;
proxy_redirect https://$origin $scheme://$host;
# we need to hide these headers in order to redefine them
# if we don't, they will be set twice
proxy_hide_header Status;
proxy_hide_header Expires;
proxy_hide_header Set-Cookie;
proxy_hide_header Content-Type;
proxy_hide_header Cache-Control;
proxy_hide_header X-Frame-Options;
proxy_hide_header X-XSS-Protection;
proxy_hide_header Content-Disposition;
proxy_hide_header X-Content-Type-Options;
proxy_hide_header Content-Security-Policy;
proxy_hide_header Strict-Transport-Security;
proxy_hide_header Access-Control-Allow-Origin;
add_header Cache-Control $cache_control always;
add_header X-Robots-Tag none;
add_header Access-Control-Allow-Origin *;
add_header X-Githack-Cache-Status $upstream_cache_status always;
add_header Content-Type $detect_content_type$content_type_charset_string;
}
location = /purge {
limit_except DELETE { deny all; }
limit_req zone=purge burst=5 nodelay;
limit_req_status 429;
content_by_lua_block {
local json = require("cjson.safe")
local cfg = require("config")
local function fail(desc)
ngx.status = ngx.HTTP_BAD_REQUEST
ngx.say(desc)
ngx.exit(ngx.status)
end
local url = ngx.unescape_uri(ngx.var.arg_url or '')
if url == '' then fail("missing url parameter") end
local res = require("resty.http").new():request_uri(
'https://api.cloudflare.com/client/v4/zones/' .. cfg.cf.zone .. '/purge_cache', {
method = 'POST',
body = json.encode({ files = { url } }),
headers = {
['Content-Type'] = 'application/json',
['X-Auth-Email'] = cfg.cf.username,
['X-Auth-Key'] = cfg.cf.api_key
}
})
local body = json.decode(res.body)
if type(body) ~= 'table' or not body.success then
ngx.log(ngx.ERR, "CDN error: " .. res.body)
fail("CDN response error")
end
ngx.exit(ngx.HTTP_OK)
}
}
}