tjvr/nginx.conf

## nginx.conf
server {
    listen 80;
    server_name cors.tjvr.org;

    root /usr/share/nginx/html;
    index index.html;

    client_max_body_size 1m;
    client_body_buffer_size 64k;

    error_log /var/log/nginx/error-d.log debug;

    if ($request_method ~ ^OPTIONS$) {
        rewrite ^.*$ /__OPTIONS last;
    }

    location ~* ^/http(s?)\:\/(.*)$ {
        # use filtered(?) OpenDNS
        resolver 208.67.222.123;
        # I think bad domains will get 403 ?

        # CORS :-)
        add_header Access-Control-Allow-Origin *;

        # Disable casual browswing
        if ($http_origin = "") {
            return 412;
        }

        # TODO redirect if CORS is already present

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Cookie '';
        proxy_pass http$1://$2;
        proxy_redirect off;

	# optimise downloads
	proxy_connect_timeout 30;
	proxy_send_timeout 30;
	proxy_read_timeout 30;
	proxy_max_temp_file_size 0; # don't buffer responses to disk
	proxy_buffering off;

	# TODO limit download size

        # don't forward weird headers
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Set-Cookie;
        proxy_hide_header X-Frame-Options; # controversial!!
        proxy_hide_header X-XSS-Protection;

	# if ($sent_http_content_length ~ "[0-9]{7}") {
	#     return 403;
	# }
    }

    location = /__OPTIONS {
        if ($request_method != OPTIONS ) {
            return 405;
        }
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, OPTIONS, POST, PUT, DELETE";
        add_header Access-Control-Allow-Headers $http_access_control_request_headers;
        add_header Access-Control-Allow-Credentials true;
        add_header Content-Length 0;
        add_header Content-Type text/plain;
        return 200;
    }

    location = /index.html {
        expires 1d;
        access_log off;
        add_header Cache-Control "public";
    }
    location = /favicon.ico {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }

}
	server {
	listen 80;
	server_name cors.tjvr.org;

	root /usr/share/nginx/html;
	index index.html;

	client_max_body_size 1m;
	client_body_buffer_size 64k;

	error_log /var/log/nginx/error-d.log debug;

	if ($request_method ~ ^OPTIONS$) {
	rewrite ^.*$ /__OPTIONS last;
	}

	location ~* ^/http(s?)\:\/(.*)$ {
	# use filtered(?) OpenDNS
	resolver 208.67.222.123;
	# I think bad domains will get 403 ?

	# CORS :-)
	add_header Access-Control-Allow-Origin *;

	# Disable casual browswing
	if ($http_origin = "") {
	return 412;
	}

	# TODO redirect if CORS is already present

	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Cookie '';
	proxy_pass http$1://$2;
	proxy_redirect off;

	# optimise downloads
	proxy_connect_timeout 30;
	proxy_send_timeout 30;
	proxy_read_timeout 30;
	proxy_max_temp_file_size 0; # don't buffer responses to disk
	proxy_buffering off;

	# TODO limit download size

	# don't forward weird headers
	proxy_hide_header Access-Control-Allow-Origin;
	proxy_hide_header Set-Cookie;
	proxy_hide_header X-Frame-Options; # controversial!!
	proxy_hide_header X-XSS-Protection;

	# if ($sent_http_content_length ~ "[0-9]{7}") {
	# return 403;
	# }
	}

	location = /__OPTIONS {
	if ($request_method != OPTIONS ) {
	return 405;
	}
	add_header Access-Control-Allow-Origin *;
	add_header Access-Control-Allow-Methods "GET, OPTIONS, POST, PUT, DELETE";
	add_header Access-Control-Allow-Headers $http_access_control_request_headers;
	add_header Access-Control-Allow-Credentials true;
	add_header Content-Length 0;
	add_header Content-Type text/plain;
	return 200;
	}

	location = /index.html {
	expires 1d;
	access_log off;
	add_header Cache-Control "public";
	}
	location = /favicon.ico {
	expires 1M;
	access_log off;
	add_header Cache-Control "public";
	}

	}