@danydodson
Last active November 15, 2022 05:48
nginx cookies
// njs request handler: fan the client's request out to two upstream locations
// and answer with whichever subrequest finishes first. The later reply is
// discarded. Note that "first" is decided purely by arrival order -- the
// winning reply's status is relayed as-is, even when it is an error status.
function sendFastest(r) {
    var answered = false;

    // Completion callback shared by both subrequests; only the first call
    // through here sends anything to the client.
    function firstReplyWins(reply) {
        if (answered) {
            return;
        }
        answered = true;
        r.log("WINNER is " + reply.uri);
        r.return(reply.status, reply.body);
    }

    // Both subrequests carry the original query string (r.variables.args).
    r.subrequest("/server_one", r.variables.args, firstReplyWins);
    r.subrequest("/server_two", r.variables.args, firstReplyWins);
}
# HTTP/2 server push: when a client asks for /demo.html, push its three
# assets before the client requests them.
server {
    listen 443 ssl http2;   # HTTP/2 in browsers is only negotiated over TLS
    root /var/www/html;

    # Relative certificate paths are resolved against the configuration prefix.
    ssl_certificate     ssl/certificate.pem;
    ssl_certificate_key ssl/key.pem;

    # NOTE(review): http2_push is obsolete in current nginx releases (server push
    # was removed in 1.25.1); retained here as written in the gist.
    location = /demo.html {
        http2_push /style.css;
        http2_push /image1.jpg;
        http2_push /image2.jpg;
    }
}
# HTTP/2 push driven by the application: nginx converts "Link: <...>; rel=preload"
# response headers into push requests, so the pushed set is decided by whatever
# produces those headers rather than by this configuration.
server {
    listen 443 ssl http2;
    root /var/www/html;
    ssl_certificate     ssl/certificate.pem;
    ssl_certificate_key ssl/key.pem;
    http2_push_preload on;   # obsolete together with http2_push since nginx 1.25.1
}
# Access-log format that adds how long a request waited in the upstream queue
# and how long the upstream took to answer, after the usual combined fields.
log_format timing '$remote_addr - $remote_user [$time_local] "$request" $status '
                  '$body_bytes_sent "$http_referer" "$http_user_agent" '
                  '$request_time $upstream_queue_time $upstream_response_time';

# Backend group with a bounded queue. "resolve", "queue" and $upstream_queue_time
# are NGINX Plus features; open-source nginx does not accept them.
upstream my_backend {
    zone my_backend 64k;
    server backends.example.com resolve max_conns=250;   # re-resolve the name; cap in-flight connections per server
    queue 20 timeout=5s; # Queue up to 20 requests when no backends available; a full queue or a 5s wait yields 502
}

server {
    listen 80;
    location / {
        proxy_pass http://my_backend;
        access_log /var/log/nginx/access.log timing;   # write with the "timing" format above
    }
}
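# Cookie-signing example: the njs code in cookie_signing.js (not shown here)
# validates the signature on the incoming cookie and produces a signed one.
js_include cookie_signing.js;   # fixed: the directive lacked its terminating ";" and nginx would refuse to load the file
# NOTE(review): js_include is obsolete in current njs releases (replaced by js_import);
# kept as-is to match the gist.
js_set $signature_error validateCookieSignature;   # presumably non-empty when validation fails -- defined in the JS
js_set $signed_cookie signCookie;                  # Set-Cookie value carrying the signed cookie
server {
    listen 80;
    set $cookie_name "session"; # The cookie name to be signature-checked (read by the JS, presumably)
    location / {
        # Reject before anything reaches the backend when the signature does not validate.
        if ($signature_error) {
            return 403; # Forbidden (401 would be "Unauthorized")
        }
        proxy_pass http://my_backend;
        # add_header only applies to successful (2xx/3xx) responses unless given the
        # "always" parameter, so backend error responses carry no signed cookie.
        # Whether $signed_cookie includes HttpOnly/Secure/SameSite attributes is
        # decided inside signCookie -- verify there.
        add_header Set-Cookie $signed_cookie;
    }
}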
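# "Fastest wins": njs fans each request out to two backends and relays the first reply.
js_include fastest_wins.js;
server {
    listen 80;
    location / {
        js_content sendFastest;   # handler that issues the two subrequests below
    }
    # The two helper locations exist only as targets for sendFastest's subrequests.
    # "internal" limits them to internal requests (subrequests, error_page, rewrites)
    # and answers external requests with 404; without it either backend could be
    # reached directly via /server_one or /server_two, bypassing the fan-out.
    location /server_one {
        internal;
        proxy_pass http://10.0.0.1$request_uri; # Pass the original URI of the main request (with its query string)
    }
    location /server_two {
        internal;
        proxy_pass http://10.0.0.2$request_uri;
    }
}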
# Layer-4 routing on the ALPN protocol list announced in the TLS ClientHello.
stream {
# NOTE(review): ssl_preread inspects the cleartext ClientHello of a connection that
# nginx does NOT terminate; with "ssl" on the listen below nginx terminates TLS itself
# and the preread variable is expected to stay empty, so every connection would take
# the "default" branch. Either drop "ssl" from the listen (pass-through) or, when
# terminating TLS here, map on $ssl_alpn_protocol instead -- confirm on the running version.
map $ssl_preread_alpn_protocols $upstream {
"xmpp-client" xmpp_backend; # exact match against the whole comma-separated ALPN list
"~\bh2\b" grpc_backend; # 'h2' appears within word boundaries (\b)
default http_backend; # Treat all other clients as HTTP
}
# The backend groups are placeholders in this excerpt.
upstream xmpp_backend {
#...
}
upstream grpc_backend {
#...
}
upstream http_backend {
#...
}
server {
listen 443 ssl;
# Set ssl_certificate and ciphers here
ssl_preread on;
proxy_pass $upstream; # the group chosen by the map above
}
}
# Minimal zone_sync cluster member: replicates shared-memory zones with the peers
# obtained by resolving nginx-cluster.example.com.
# NOTE(review): "listen 9000" binds every interface in the clear, with no allow/deny
# and no TLS, so any host able to reach port 9000 can speak the sync protocol to this
# node and receive the synced state; the hardened variant that follows in this gist
# adds an internal-only bind, a source ACL and TLS.
stream {
    resolver 10.0.0.53 valid=20s;   # resolves the peer name below; re-checked every 20s
    server {
        zone_sync;
        zone_sync_server nginx-cluster.example.com:9000 resolve;
        listen 9000;
    }
}
# Hardened zone_sync member: internal-only bind, source ACL and TLS towards peers.
stream {
resolver 10.0.0.53 valid=20s;
server {
zone_sync;
zone_sync_server nginx-cluster.example.com:9000 resolve;
# Listen on internal IP address, require TLS
listen 10.0.0.1:9000 ssl;
# Server-side identity presented to peers that connect to this node.
ssl_certificate_key /etc/ssl/nginx-1.example.com.key.pem;
ssl_certificate /etc/ssl/nginx-1.example.com.server_cert.pem;
# Order matters: allow/deny rules are checked top to bottom, first match wins.
allow 10.0.0.0/24; # Only accept connections from internal network
deny all;
# NOTE(review): the zone_sync_ssl_verify* directives verify the certificate of the
# peer this node connects TO (chain depth <= 2 to ca_chain.crt.pem). Requiring peers
# that connect to this listener to present a client certificate is a separate
# setting (ssl_verify_client on the stream server), not shown here -- confirm
# against the zone_sync module docs before relying on the comment below.
zone_sync_ssl_verify on; # Peers must connect with client cert
zone_sync_ssl_trusted_certificate /etc/ssl/ca_chain.crt.pem;
zone_sync_ssl_verify_depth 2;
# Outbound: this node authenticates to peers with its client cert. It reuses the
# same private key file as the server cert above; fine for a single identity, but
# compromise of that one key then affects both roles.
zone_sync_ssl on; # Connect to peers with TLS, offer client cert
zone_sync_ssl_certificate /etc/ssl/nginx-1.example.com.client_cert.pem;
zone_sync_ssl_certificate_key /etc/ssl/nginx-1.example.com.key.pem;
}
}
# Cookie-based session persistence shared across the cluster.
# "resolve", "sticky learn" and "sync" are NGINX Plus features.
upstream my_backend {
zone my_backend 64k;
server backends.example.com resolve;
# Learn a session from the backend's Set-Cookie "session" header and route later
# requests that present that cookie to the same backend. Entries live in the
# 1 MB "sessions" zone and, with "sync", are replicated to zone_sync peers
# (a zone_sync listener must be configured elsewhere for that to work).
# The lookup key is whatever value the client sends in its "session" cookie; an
# unknown value misses the table and the request is balanced normally.
sticky learn zone=sessions:1m
create=$upstream_cookie_session
lookup=$cookie_session
sync;
}
server {
listen 80;
location / {
proxy_pass http://my_backend;
}
}