
@nginx-gists
Last active November 11, 2022 00:07
Announcing NGINX Plus R24
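/**
 * njs header filter that hides upstream cookies from the client.
 *
 * Keeps only the name=value part of every upstream Set-Cookie header, stores
 * the joined list in the $new_session variable (the accompanying config maps
 * it to a keyval zone keyed by $request_id), and replaces the Set-Cookie
 * headers with one "session" cookie whose value is $request_id.
 *
 * @param {Object} r - njs HTTP request object; r.headersOut and r.variables are read and written.
 * @returns {void}
 */
function jar(r) {
    // A missing header is treated as "no cookies" instead of throwing on .length.
    var upstreamCookies = r.headersOut['Set-Cookie'] || [];
    if (!upstreamCookies.length) {
        return;
    }

    // Only name=value is kept. The upstream's attributes (Path, Expires,
    // HttpOnly, Secure, ...) are dropped here, so the reference cookie set
    // below must carry whatever protection the client side needs.
    var pairs = upstreamCookies.map(c => c.split(';')[0]);
    r.variables.new_session = pairs.join('; '); // Store in keyval cookie jar

    // The reference is effectively the session credential, so it is marked
    // HttpOnly to keep it out of reach of page scripts.
    // NOTE(review): append "; Secure" when the site is served over TLS; it is
    // left off because the accompanying example listens on plain HTTP.
    r.headersOut['Set-Cookie'] = "session=" + r.variables.request_id + "; SameSite=Lax; HttpOnly";
}

export default { jar }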
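// Body chunks collected so far.
// NOTE(review): this is module-level state; it is only safe if njs gives each
// request its own copy of module variables - confirm for your njs version.
var response = "";

/**
 * njs body filter that replaces AWS-style key identifiers with asterisks.
 *
 * Chunks are buffered until the last one arrives, so an identifier split
 * across two chunks is still matched. Nothing is forwarded to the client
 * before that, which means the whole body is held in memory.
 *
 * The pattern matches identifiers by their well-known prefixes (AKIA, ASIA,
 * ...) followed by at least 12 upper-case alphanumerics. It does not match
 * secret access keys, which have no fixed prefix.
 *
 * @param {Object} r - njs HTTP request object; r.sendBuffer() emits the result.
 * @param {string} data - current chunk of the response body.
 * @param {Object} flags - chunk flags; flags.last is true for the final chunk.
 * @returns {void}
 */
function maskAwsKeys(r, data, flags) {
    response += data; // Collect the entire response,
    if (!flags.last) { // until we get the last byte.
        return;
    }

    var masked = response.replace(/([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)([A-Z0-9]{12,})/g,
        function (match, lead) {
            // `lead` is the delimiter before the key, or '' at the start of
            // the body. Mask exactly the key characters so the body length
            // never changes, including when the key is the very first thing
            // in the response.
            return lead + new Array(match.length - lead.length + 1).join('*');
        }
    );
    r.sendBuffer(masked, flags);
}

export default { maskAwsKeys }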
# Require a valid JWT for every request under /private/ before proxying.
location /private/ {
# Turn on JWT validation; "Private" is the realm string.
auth_jwt "Private";
# Expect an encrypted token (JWE) rather than a signed one (JWS).
auth_jwt_type encrypted;
# Key file used to validate the token.
# NOTE(review): this is secret key material - keep the file out of version
# control and readable only by the NGINX user.
auth_jwt_key_file conf/api_secret.jwk;
proxy_pass http://my_backend;
}
# vim: syntax=nginx
# Upstream group that is actively health-checked by the server block below.
upstream my_backend {
# Shared-memory zone for the group's state; active health checks need one.
zone my_backend 64k;
server 10.0.0.1;
server 10.0.0.2;
}
server {
#...
location / {
proxy_pass http://my_backend;
# mandatory: a server gets no traffic until it has passed a health check.
# persistent: the last known health state is kept across a configuration
# reload, so servers that were healthy are not put back into "checking".
health_check mandatory persistent;
}
}
# vim: syntax=nginx
# Load the njs module that provides the jar header filter used below.
js_import conf.d/cookies.js;
# Shared-memory key-value store that holds the real upstream cookies.
# NOTE(review): no timeout= is set on the zone, so stored entries are not
# expired by age - consider adding one so old sessions do not accumulate.
keyval_zone zone=cookie_jar:16M;
# Lookup: the client's "session" cookie value is the key; $cookies is the
# stored cookie string (empty when the key is unknown).
keyval $cookie_session $cookies zone=cookie_jar;
# Store: assigning $new_session writes the value under the key $request_id.
keyval $request_id $new_session zone=cookie_jar;
server {
# NOTE(review): plain HTTP - the session reference cookie crosses the network
# unencrypted; terminate TLS here for anything beyond a demo.
listen 80;
location / {
proxy_pass http://my_backend;
proxy_set_header Cookie $cookies; # Replace reference cookie with original
js_header_filter cookies.jar; # Intercept and replace Set-Cookie
}
}
# vim: syntax=nginx
# Load the njs module that provides the maskAwsKeys body filter.
js_import conf.d/filter.js;
server {
listen 80;
location / {
proxy_pass http://my_backend;
# Pass every chunk of the proxied response body through maskAwsKeys before
# it is sent to the client.
js_body_filter filter.maskAwsKeys;
}
}
# vim: syntax=nginx
# TCP (stream) proxy whose connections are gated by an njs access handler.
stream {
js_import stream.js;
server {
listen 3306; # MySQL default port
# Run access() from stream.js in the access phase; the handler decides
# whether the connection is allowed or denied.
js_access stream.access;
# NOTE(review): the mysql_backend upstream is not defined in this snippet.
proxy_pass mysql_backend;
}
}
# vim: syntax=nginx
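/**
 * njs stream access handler: allow the connection only when the local
 * authorization endpoint answers with a successful (2xx) status.
 *
 * The decision is made inside the promise callbacks, once the endpoint has
 * answered. Every other outcome (non-2xx status, fetch failure) denies the
 * connection, so the check fails closed.
 *
 * @param {Object} s - njs stream session object (uses s.allow, s.deny, s.error).
 * @returns {void}
 */
function access(s) {
    ngx.fetch('http://127.0.0.1:8085/')
    .then(response => {
        if (response.ok) {
            s.allow();
        } else {
            s.deny();
        }
    })
    .catch(e => {
        // Stream sessions have no HTTP-style return(); log the failure and
        // refuse the connection instead.
        s.error('access check failed: ' + e.message);
        s.deny();
    });
}

export default { access }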
@nginx-gists

For a discussion of these files, see Announcing NGINX Plus R24
