|
# /etc/nginx/sites-enabled/propubonion.conf
#
# Note that all of our hostnames listen on a unix socket instead
# of "127.0.0.1:xxxxx".
# Docs: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
|
|
|
# Derive the Connection header sent upstream from the client's Upgrade
# header: no Upgrade header -> empty value, anything else -> "upgrade".
# The proxy locations in this file pass the result via
# `proxy_set_header Connection $connection_upgrade;`.
map $http_upgrade $connection_upgrade {
    ""      "";
    default "upgrade";
}
|
|
|
# HTTP BARE ONION
# Plain-HTTP vhost for the bare onion name; its only job is to send
# every request to the same path on the www. onion host.
server {
    server_name propub3r6espa33w.onion;
    listen unix:/var/run/nginx-pponion-80.sock;

    # Do not advertise the nginx version.
    server_tokens off;

    # Accept only clients that connected over a unix-domain socket.
    # NOTE(review): the server-level rewrite below answers during the
    # rewrite phase, which runs before access checks, so this allow/deny
    # pair is never consulted for this vhost.
    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    # 301 to the www. onion host, keeping the request path.
    rewrite ^/(.*) http://www.propub3r6espa33w.onion/$1 permanent;
}
|
|
|
# HTTPS BARE ONION
# TLS vhost for the bare onion name; redirects every request to the
# same path on the www. onion host over https.
server {
    server_name propub3r6espa33w.onion;
    listen unix:/var/run/nginx-pponion-443.sock ssl spdy;

    # Same certificate pair as the www. vhost.
    # NOTE(review): presumably the certificate also names the bare
    # onion host; otherwise clients see a name mismatch. Confirm.
    ssl_certificate_key www.propub3r6espa33w.onion.key;
    ssl_certificate www.propub3r6espa33w.onion.pem;

    # Do not advertise the nginx version.
    server_tokens off;

    # Accept only clients that connected over a unix-domain socket.
    # NOTE(review): the server-level rewrite below answers during the
    # rewrite phase, which runs before access checks, so this allow/deny
    # pair is never consulted for this vhost.
    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    # 301 to the www. onion host, keeping the request path.
    rewrite ^/(.*) https://www.propub3r6espa33w.onion/$1 permanent;
}
|
|
|
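# WWW ONION
# Main onion front end. Reverse-proxies https://www.propublica.org,
# caches responses briefly, and rewrites clearnet links in response
# bodies so that visitors stay on the .onion hostnames.
server {
    listen unix:/var/run/nginx-pponion-80.sock;
    # NOTE(review): `spdy` only exists in nginx builds that still ship
    # the SPDY module; later releases replaced it with `http2`.
    listen unix:/var/run/nginx-pponion-443.sock ssl spdy;

    server_name www.propub3r6espa33w.onion;

    ssl_certificate www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;

    # Accept only clients that connected over a unix-domain socket.
    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    root /usr/local/opt/nginx/html;

    # Set a short cache on this nginx end so that we avoid fetching from
    # the real infrastructure when possible.
    # The "propubonion" zone is not declared in this file; it has to be
    # defined with proxy_cache_path elsewhere.
    proxy_cache propubonion;
    proxy_cache_valid any 5m;
    proxy_cache_revalidate on;
    proxy_cache_use_stale timeout updating;
    proxy_cache_key $request_uri;
    # NOTE(review): ignoring Set-Cookie makes responses that set a cookie
    # cacheable, and the stored response keeps its Set-Cookie header, so
    # one visitor's cookie can be replayed to others. If the origin ever
    # sets cookies on these paths, strip the header as well
    # (`proxy_hide_header Set-Cookie;`).
    proxy_ignore_headers expires set-cookie;

    access_log /var/log/nginx/access-propublica_hidserv.log;

    # Do not advertise the nginx version.
    server_tokens off;

    # Blocking access to some possible abuses
    # Donation pages are sent to the clearnet site; the CMS path and the
    # e-mail endpoints are refused outright.
    location /donate { rewrite .* https://www.propublica.org/site/donate permanent; }
    location /donate/ { rewrite .* https://www.propublica.org/site/donate permanent; }
    location /site/donate { rewrite .* https://www.propublica.org/site/donate permanent; }
    location /site/donate/ { rewrite .* https://www.propublica.org/site/donate permanent; }
    location /xxxxxxxxxxxxxx { return 403; } # deny CMS
    location /xxxxxxxxxxxxxx/ { return 403; } # deny CMS for now
    location /site/email { return 403; }
    location /site/email/ { return 403; }

    # Response content types the substitution filter is applied to.
    subs_filter_types text/css text/xml application/x-javascript application/javascript text/javascript application/json;

    location / {
        #proxy_pass https://192.168.xxx.xxx; # gist note: internal ip address
        # NOTE(review): proxy_ssl_verify is off by default, so the origin's
        # certificate is not validated on this hop. Consider
        # `proxy_ssl_verify on;` together with
        # `proxy_ssl_trusted_certificate <path-to-CA-bundle>;`.
        proxy_pass https://www.propublica.org;
        proxy_http_version 1.1;
        proxy_set_header Host "www.propublica.org";
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        # Send SNI so the origin can select the right certificate.
        proxy_ssl_server_name on;
        proxy_read_timeout 30;
        proxy_connect_timeout 30;

        # Don't compress data, since the subs module can't replace
        # text inside a compressed body.
        proxy_set_header Accept-Encoding "";

        # TODO: currently denying non-GET requests due to some bot-related
        # abuse on some endpoints that poorly handle that.
        # (limit_except GET also lets HEAD through.)
        limit_except GET {
            deny all;
        }

        ### SUBS https://github.com/yaoweibin/ngx_http_substitutions_filter_module ###
        # We're rewriting links, but we need to preserve rel=canonical for analytics.
        # So rewrite it to a special value and re-rewrite it back to real value later.
        subs_filter "rel=\"canonical\" href=\"http://www.propublica.org" "-----CANONICALHTTPPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"https://www.propublica.org" "-----CANONICALHTTPSPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"http://projects.propublica.org" "-----CANONICALHTTPPROJECTSPROPUBLICA-----" i;
        subs_filter "rel=\"canonical\" href=\"https://projects.propublica.org" "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" i;
        # Keep in .onion
        subs_filter http://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter https://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter "http://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter "https://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter 'http://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter 'https://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter http://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter https://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter http://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter https://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//(www\.)?propublica\.org/ //www.propub3r6espa33w.onion/ gir;
        #subs_filter (http:|https:)?//projects\.propublica\.org/ //projects.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)?//static\.propublica\.org/ //static.propub3r6espa33w.onion/ gir;
        subs_filter http://tiles-[abcd].propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ ir;
        subs_filter http://tiles-\{s}.propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ i;
        # Point SecureDrop links at the onion address. The `r` flag is
        # required: without it the subs module treats the pattern as a
        # fixed string, "(http:|https:)" never matches, and the link stays
        # on the clearnet host.
        subs_filter (http:|https:)//securedrop\.propublica\.org http://pubdrop4dw6rk3aq.onion ir;
        subs_filter http://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter https://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//feeds\.propublica\.org/ //feeds.propub3r6espa33w.onion/ gir;
        # NOTE(review): the "(http:|https:)//…" rules below carry no `r`
        # flag, so they are matched literally; the scheme-less rule after
        # each one is what actually rewrites the host.
        subs_filter (http:|https:)//propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter //propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter http://s3.amazonaws.com/ https://s3.amazonaws.com/ i;
        subs_filter \"//s3.amazonaws.com/ \"https://s3.amazonaws.com/ i;
        # Restore the rel="canonical" tag
        subs_filter "-----CANONICALHTTPPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"http://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"https://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"http://projects.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"https://projects.propublica.org" i;
        ### /SUBS ###

        ### HEADERS http://wiki.nginx.org/HttpHeadersMoreModule ###
        # The terminating ';' was missing here, which made nginx read the
        # following directive name and its argument as extra header
        # arguments of this one.
        # NOTE(review): browsers accept a single origin (or "*") in
        # Access-Control-Allow-Origin, not a comma-separated list; echoing
        # an allow-listed $http_origin through a map would be the usual fix.
        more_set_headers "Access-Control-Allow-Origin: https://www.propublica.org, https://projects.propublica.org, https://static.propublica.org, http://www.propub3r6espa33w.onion, http://projects.propub3r6espa33w.onion, http://static.propub3r6espa33w.onion";
        # Strip response headers that describe the origin infrastructure.
        more_clear_headers "Age";
        more_clear_headers "Server";
        more_clear_headers "Via";
        more_clear_headers "X-From-Nginx";
        more_clear_headers "X-NA";
        more_clear_headers "X-Powered-By";
        more_clear_headers "X-Request-Id";
        more_clear_headers "X-Runtime";
        more_clear_headers "X-Varnish";

        more_clear_headers "Content-Security-Policy-Report-Only";
        ### /HEADERS ###
    }
}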
|
|
|
|
|
|
|
|
|
|
|
|
|
# PROJECTS ONION
# Placeholder vhost for the projects. onion name: it serves nothing
# itself and only issues redirects.
server {
    server_name projects.propub3r6espa33w.onion;

    # Unlike the other vhosts in this file, this one listens on TCP
    # loopback ports rather than on the unix sockets.
    listen 127.0.0.1:33170;
    listen 127.0.0.1:33180 ssl;

    ssl_certificate_key www.propub3r6espa33w.onion.key;
    ssl_certificate www.propub3r6espa33w.onion.pem;

    # Do not advertise the nginx version.
    server_tokens off;

    access_log /var/log/nginx/access-projects_hidserv.log;

    # NOTE(review): only unix-socket clients are allowed while the listen
    # lines above are TCP, so this pair would refuse every request it saw.
    # In practice the server-level rewrites below answer in the rewrite
    # phase, before access checks run, so it is never consulted.
    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    # The site root goes to the data section of the www. onion host.
    rewrite ^/$ https://www.propub3r6espa33w.onion/data/;

    # temporarily redirecting this to projects.propublica.org (which works)
    # until we can get better routing rules (and figure out anti-abuse)
    # NOTE(review): this hands onion visitors to the clearnet hostname, so
    # those requests no longer stay inside the onion service.
    rewrite ^/(.*) https://projects.propublica.org/$1 redirect;
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
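# STATIC ONION
# Onion front end for static assets. Reverse-proxies
# https://static.propublica.org and rewrites clearnet links in response
# bodies so that visitors stay on the .onion hostnames.
server {
    listen unix:/var/run/nginx-pponion-80.sock;
    listen unix:/var/run/nginx-pponion-443.sock ssl spdy;
    server_name static.propub3r6espa33w.onion;

    # Accept only clients that connected over a unix-domain socket.
    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    access_log /var/log/nginx/access-assets_hidserv.log;

    # Do not advertise the nginx version.
    server_tokens off;

    ssl_certificate www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;

    # A request for the bare root is redirected to the www. onion host.
    rewrite ^/$ http://www.propub3r6espa33w.onion/;

    # Response content types the substitution filter is applied to.
    subs_filter_types text/css text/xml application/x-javascript application/javascript text/javascript application/json;

    location / {
        # NOTE(review): proxy_ssl_verify is off by default, so the origin's
        # certificate is not validated on this hop. Consider
        # `proxy_ssl_verify on;` together with
        # `proxy_ssl_trusted_certificate <path-to-CA-bundle>;`.
        # NOTE(review): unlike the www. vhost, this location has no
        # limit_except, so non-GET methods are proxied too. Confirm that
        # is intended.
        proxy_pass https://static.propublica.org;
        proxy_http_version 1.1;
        proxy_set_header Host "static.propublica.org";
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        # Send SNI so the origin can select the right certificate.
        proxy_ssl_server_name on;
        proxy_read_timeout 30;
        proxy_connect_timeout 30;

        # Don't compress data, since the subs module can't replace
        # text inside a compressed body.
        proxy_set_header Accept-Encoding "";

        ### SUBS https://github.com/yaoweibin/ngx_http_substitutions_filter_module ###
        # We're rewriting links, but we need to preserve rel=canonical for analytics.
        # So rewrite it to a special value and re-rewrite it back to real value later.
        subs_filter "rel=\"canonical\" href=\"http://www.propublica.org" "-----CANONICALHTTPPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"https://www.propublica.org" "-----CANONICALHTTPSPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"http://projects.propublica.org" "-----CANONICALHTTPPROJECTSPROPUBLICA-----" i;
        subs_filter "rel=\"canonical\" href=\"https://projects.propublica.org" "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" i;
        # Keep in .onion
        subs_filter http://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter https://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter "http://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter "https://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter 'http://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter 'https://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter http://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter https://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter http://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter https://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//(www\.)?propublica\.org/ //www.propub3r6espa33w.onion/ gir;
        #subs_filter (http:|https:)?//projects\.propublica\.org/ //projects.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)?//static\.propublica\.org/ //static.propub3r6espa33w.onion/ gir;
        subs_filter http://tiles-[abcd].propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ ir;
        subs_filter http://tiles-\{s}.propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ i;
        # Point SecureDrop links at the onion address. The `r` flag is
        # required: without it the subs module treats the pattern as a
        # fixed string, "(http:|https:)" never matches, and the link stays
        # on the clearnet host.
        subs_filter (http:|https:)//securedrop\.propublica\.org http://pubdrop4dw6rk3aq.onion ir;
        subs_filter http://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter https://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//feeds\.propublica\.org/ //feeds.propub3r6espa33w.onion/ gir;
        # NOTE(review): the "(http:|https:)//…" rules below carry no `r`
        # flag, so they are matched literally; the scheme-less rule after
        # each one is what actually rewrites the host.
        subs_filter (http:|https:)//propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter //propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter http://s3.amazonaws.com/ https://s3.amazonaws.com/ i;
        subs_filter \"//s3.amazonaws.com/ \"https://s3.amazonaws.com/ i;
        # Restore the rel="canonical" tag
        subs_filter "-----CANONICALHTTPPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"http://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"https://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"http://projects.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"https://projects.propublica.org" i;
        ### /SUBS ###

        ### HEADERS http://wiki.nginx.org/HttpHeadersMoreModule ###
        # Both directives below were missing their terminating ';', so
        # nginx read everything up to the next ';' as arguments of
        # more_set_input_headers: the CORS header was applied to the
        # request instead of the response and "Age" was not cleared from
        # the response.
        more_set_input_headers "Host: static.propublica.org";
        # NOTE(review): browsers accept a single origin (or "*") in
        # Access-Control-Allow-Origin, not a comma-separated list; echoing
        # an allow-listed $http_origin through a map would be the usual fix.
        more_set_headers "Access-Control-Allow-Origin: https://www.propublica.org, https://projects.propublica.org, https://static.propublica.org, http://www.propub3r6espa33w.onion, http://projects.propub3r6espa33w.onion, http://static.propub3r6espa33w.onion";
        # Strip response headers that describe the origin infrastructure.
        more_clear_headers "Age";
        more_clear_headers "Server";
        more_clear_headers "Via";
        more_clear_headers "X-From-Nginx";
        more_clear_headers "X-NA";
        more_clear_headers "X-Powered-By";
        more_clear_headers "X-Request-Id";
        more_clear_headers "X-Runtime";
        more_clear_headers "X-Varnish";

        more_clear_headers "Content-Security-Policy-Report-Only";
        ### /HEADERS ###
    }
}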
|
|
|
|
|
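# CDN ONION
# Onion front end for the CDN. Reverse-proxies
# https://d1t8xfi7n2gbr1.cloudfront.net and rewrites clearnet links in
# response bodies so that visitors stay on the .onion hostnames.
server {
    listen unix:/var/run/nginx-pponion-80.sock;
    listen unix:/var/run/nginx-pponion-443.sock ssl spdy;
    server_name cdn.propub3r6espa33w.onion;

    # Accept only clients that connected over a unix-domain socket.
    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    access_log /var/log/nginx/access-cdn_hidserv.log;

    # Do not advertise the nginx version.
    server_tokens off;

    ssl_certificate www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;

    # A request for the bare root is redirected to the www. onion host.
    rewrite ^/$ http://www.propub3r6espa33w.onion/;

    # Response content types the substitution filter is applied to.
    subs_filter_types text/css text/xml application/x-javascript application/javascript text/javascript application/json;

    location / {
        # NOTE(review): proxy_ssl_verify is off by default, so the origin's
        # certificate is not validated on this hop. Consider
        # `proxy_ssl_verify on;` together with
        # `proxy_ssl_trusted_certificate <path-to-CA-bundle>;`.
        # NOTE(review): unlike the www. vhost, this location has no
        # limit_except, so non-GET methods are proxied too. Confirm that
        # is intended.
        proxy_pass https://d1t8xfi7n2gbr1.cloudfront.net;
        proxy_http_version 1.1;
        proxy_set_header Host "d1t8xfi7n2gbr1.cloudfront.net";
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        # Send SNI so the origin can select the right certificate.
        proxy_ssl_server_name on;
        proxy_read_timeout 30;
        proxy_connect_timeout 30;

        # Don't compress data, since the subs module can't replace
        # text inside a compressed body.
        proxy_set_header Accept-Encoding "";

        ### SUBS https://github.com/yaoweibin/ngx_http_substitutions_filter_module ###
        # We're rewriting links, but we need to preserve rel=canonical for analytics.
        # So rewrite it to a special value and re-rewrite it back to real value later.
        subs_filter "rel=\"canonical\" href=\"http://www.propublica.org" "-----CANONICALHTTPPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"https://www.propublica.org" "-----CANONICALHTTPSPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"http://projects.propublica.org" "-----CANONICALHTTPPROJECTSPROPUBLICA-----" i;
        subs_filter "rel=\"canonical\" href=\"https://projects.propublica.org" "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" i;
        # Keep in .onion
        subs_filter http://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter https://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter "http://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter "https://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter 'http://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter 'https://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter http://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter https://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter http://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter https://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//(www\.)?propublica\.org/ //www.propub3r6espa33w.onion/ gir;
        #subs_filter (http:|https:)?//projects\.propublica\.org/ //projects.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)?//static\.propublica\.org/ //static.propub3r6espa33w.onion/ gir;
        subs_filter http://tiles-[abcd].propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ ir;
        subs_filter http://tiles-\{s}.propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ i;
        # Point SecureDrop links at the onion address. The `r` flag is
        # required: without it the subs module treats the pattern as a
        # fixed string, "(http:|https:)" never matches, and the link stays
        # on the clearnet host.
        subs_filter (http:|https:)//securedrop\.propublica\.org http://pubdrop4dw6rk3aq.onion ir;
        subs_filter http://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter https://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//feeds\.propublica\.org/ //feeds.propub3r6espa33w.onion/ gir;
        # NOTE(review): the "(http:|https:)//…" rules below carry no `r`
        # flag, so they are matched literally; the scheme-less rule after
        # each one is what actually rewrites the host.
        subs_filter (http:|https:)//propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter //propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter http://s3.amazonaws.com/ https://s3.amazonaws.com/ i;
        subs_filter \"//s3.amazonaws.com/ \"https://s3.amazonaws.com/ i;
        # Restore the rel="canonical" tag
        subs_filter "-----CANONICALHTTPPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"http://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"https://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"http://projects.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"https://projects.propublica.org" i;
        ### /SUBS ###

        ### HEADERS http://wiki.nginx.org/HttpHeadersMoreModule ###
        # Both directives below were missing their terminating ';', so
        # nginx read everything up to the next ';' as arguments of
        # more_set_input_headers: the CORS header was applied to the
        # request instead of the response and "Age" was not cleared from
        # the response.
        more_set_input_headers "Host: d1t8xfi7n2gbr1.cloudfront.net";
        # NOTE(review): browsers accept a single origin (or "*") in
        # Access-Control-Allow-Origin, not a comma-separated list; echoing
        # an allow-listed $http_origin through a map would be the usual fix.
        more_set_headers "Access-Control-Allow-Origin: https://www.propublica.org, https://projects.propublica.org, https://static.propublica.org, http://www.propub3r6espa33w.onion, http://projects.propub3r6espa33w.onion, http://static.propub3r6espa33w.onion";
        # Strip response headers that describe the origin infrastructure.
        more_clear_headers "Age";
        more_clear_headers "Server";
        more_clear_headers "Via";
        more_clear_headers "X-From-Nginx";
        more_clear_headers "X-NA";
        more_clear_headers "X-Powered-By";
        more_clear_headers "X-Request-Id";
        more_clear_headers "X-Runtime";
        more_clear_headers "X-Varnish";

        more_clear_headers "Content-Security-Policy-Report-Only";
        ### /HEADERS ###
    }
}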
|
|
|
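# FEEDS ONION
# Onion front end for the feeds host. Reverse-proxies
# https://feeds.propublica.org and rewrites clearnet links in response
# bodies so that visitors stay on the .onion hostnames.
server {
    listen unix:/var/run/nginx-pponion-80.sock;
    listen unix:/var/run/nginx-pponion-443.sock ssl spdy;
    server_name feeds.propub3r6espa33w.onion;

    # Accept only clients that connected over a unix-domain socket.
    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    access_log /var/log/nginx/access-feeds_hidserv.log;

    # Do not advertise the nginx version.
    server_tokens off;

    ssl_certificate www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;

    # A request for the bare root is redirected to the www. onion host.
    rewrite ^/$ http://www.propub3r6espa33w.onion/;

    # Response content types the substitution filter is applied to.
    subs_filter_types text/css text/xml application/x-javascript application/javascript text/javascript application/json;

    location / {
        # NOTE(review): proxy_ssl_verify is off by default, so the origin's
        # certificate is not validated on this hop. Consider
        # `proxy_ssl_verify on;` together with
        # `proxy_ssl_trusted_certificate <path-to-CA-bundle>;`.
        # NOTE(review): unlike the www. vhost, this location has no
        # limit_except, so non-GET methods are proxied too. Confirm that
        # is intended.
        proxy_pass https://feeds.propublica.org;
        proxy_http_version 1.1;
        proxy_set_header Host "feeds.propublica.org";
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        # Send SNI so the origin can select the right certificate.
        proxy_ssl_server_name on;
        proxy_read_timeout 30;
        proxy_connect_timeout 30;

        # Don't compress data, since the subs module can't replace
        # text inside a compressed body.
        proxy_set_header Accept-Encoding "";

        ### SUBS https://github.com/yaoweibin/ngx_http_substitutions_filter_module ###
        # We're rewriting links, but we need to preserve rel=canonical for analytics.
        # So rewrite it to a special value and re-rewrite it back to real value later.
        subs_filter "rel=\"canonical\" href=\"http://www.propublica.org" "-----CANONICALHTTPPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"https://www.propublica.org" "-----CANONICALHTTPSPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"http://projects.propublica.org" "-----CANONICALHTTPPROJECTSPROPUBLICA-----" i;
        subs_filter "rel=\"canonical\" href=\"https://projects.propublica.org" "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" i;
        # Keep in .onion
        subs_filter http://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter https://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter "http://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter "https://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter 'http://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter 'https://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter http://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter https://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter http://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter https://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//(www\.)?propublica\.org/ //www.propub3r6espa33w.onion/ gir;
        #subs_filter (http:|https:)?//projects\.propublica\.org/ //projects.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)?//static\.propublica\.org/ //static.propub3r6espa33w.onion/ gir;
        subs_filter http://tiles-[abcd].propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ ir;
        subs_filter http://tiles-\{s}.propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ i;
        # Point SecureDrop links at the onion address. The `r` flag is
        # required: without it the subs module treats the pattern as a
        # fixed string, "(http:|https:)" never matches, and the link stays
        # on the clearnet host.
        subs_filter (http:|https:)//securedrop\.propublica\.org http://pubdrop4dw6rk3aq.onion ir;
        subs_filter http://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter https://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//feeds\.propublica\.org/ //feeds.propub3r6espa33w.onion/ gir;
        # NOTE(review): the "(http:|https:)//…" rules below carry no `r`
        # flag, so they are matched literally; the scheme-less rule after
        # each one is what actually rewrites the host.
        subs_filter (http:|https:)//propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter //propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter http://s3.amazonaws.com/ https://s3.amazonaws.com/ i;
        subs_filter \"//s3.amazonaws.com/ \"https://s3.amazonaws.com/ i;
        # Restore the rel="canonical" tag
        subs_filter "-----CANONICALHTTPPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"http://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"https://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"http://projects.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"https://projects.propublica.org" i;
        ### /SUBS ###

        ### HEADERS http://wiki.nginx.org/HttpHeadersMoreModule ###
        # Both directives below were missing their terminating ';', so
        # nginx read everything up to the next ';' as arguments of
        # more_set_input_headers: the CORS header was applied to the
        # request instead of the response and "Age" was not cleared from
        # the response.
        more_set_input_headers "Host: feeds.propublica.org";
        # NOTE(review): browsers accept a single origin (or "*") in
        # Access-Control-Allow-Origin, not a comma-separated list; echoing
        # an allow-listed $http_origin through a map would be the usual fix.
        more_set_headers "Access-Control-Allow-Origin: https://www.propublica.org, https://projects.propublica.org, https://static.propublica.org, http://www.propub3r6espa33w.onion, http://projects.propub3r6espa33w.onion, http://static.propub3r6espa33w.onion";
        # Strip response headers that describe the origin infrastructure.
        more_clear_headers "Age";
        more_clear_headers "Server";
        more_clear_headers "Via";
        more_clear_headers "X-From-Nginx";
        more_clear_headers "X-NA";
        more_clear_headers "X-Powered-By";
        more_clear_headers "X-Request-Id";
        more_clear_headers "X-Runtime";
        more_clear_headers "X-Varnish";

        more_clear_headers "Content-Security-Policy-Report-Only";
        ### /HEADERS ###
    }
}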
@mtigas For a little security boost that shouldn't hurt, I recommend putting 'Sandbox 1' in your torrc.