author | Aaron LI <aly@aaronly.me> | 2018-12-01 16:13:36 +0800 |
---|---|---|
committer | Aaron LI <aly@aaronly.me> | 2018-12-01 16:13:36 +0800 |
commit | f02635560560f7093d3c5c86ed7aa91147afd86e (patch) | |
tree | 27331fd12f5e3fd2acccc43279aa89376389700a /roles/web | |
parent | e0c4c5f5de5d488d40ad34f630e4c7dc93f92587 (diff) | |
download | ansible-dfly-vps-f02635560560f7093d3c5c86ed7aa91147afd86e.tar.bz2 |
web/sites: Add 233233.d.conf to proxy to duckduckgo.com
Diffstat (limited to 'roles/web')
-rw-r--r-- | roles/web/templates/sites/233233.d.conf.j2 | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/roles/web/templates/sites/233233.d.conf.j2 b/roles/web/templates/sites/233233.d.conf.j2
new file mode 100644
index 0000000..f709040
--- /dev/null
+++ b/roles/web/templates/sites/233233.d.conf.j2
@@ -0,0 +1,78 @@
+{% set domain = "233233.xyz" %}
+#
+# nginx/sites: reverse proxy to DuckDuckGo: duckduckgo.com
+#
+# Aaron LI
+# 2018-12-01
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name d.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Enable caching
+ #proxy_cache CACHE;
+
+ # Replace cookie domain
+ proxy_cookie_domain duckduckgo.com $host;
+
+ # Hide some upstream headers to avoid duplicates/overrideing
+ proxy_hide_header Strict-Transport-Security;
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-XSS-Protection;
+ proxy_hide_header X-Content-Type-Options;
+ proxy_hide_header Referrer-Policy;
+
+ # Substitute links in contents
+ # NOTE: Require to set Accept-Encoding="" header in order to request
+ # *uncompressed* data from upstream, otherwise won't work!
+ sub_filter_types text/css text/javascript application/json;
+ sub_filter_once off;
+ sub_filter //duckduckgo.com/ //$host/;
+ sub_filter //proxy.duckduckgo.com/ //$host/__proxy/;
+
+ # Reverse proxy to duckduckgo.com
+ location / {
+ proxy_pass https://duckduckgo.com;
+ proxy_set_header Host duckduckgo.com;
+ proxy_set_header Referer https://duckduckgo.com;
+
+ # NOTE: Set `Accept-Encoding=""` to request *uncompressed* data
+ # from upstream, so that `sub_filter` works.
+ {% block proxy_set_header_common %}
+ proxy_set_header User-Agent $http_user_agent;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Cookie "";
+ proxy_set_header Accept-Encoding "";
+ proxy_set_header Accept-Language $http_accept_language;
+ {% endblock %}
+ }
+
+ # `/__proxy/` -> `proxy.duckduckgo.com`
+ location ^~ /__proxy/ {
+ proxy_pass https://proxy.duckduckgo.com;
+ proxy_set_header Host proxy.duckduckgo.com;
+ proxy_set_header Referer https://proxy.duckduckgo.com;
+ {{ self.proxy_set_header_common() }}
+ }
+
+ # Forbid spider
+ if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
+ return 403;
+ }
+
+ location /robots.txt {
+ default_type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+}
+{% endif %} |
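Review bot: Both `proxy_pass https://…` locations (`/` and `^~ /__proxy/`) connect to the upstream without verifying its certificate, because nginx leaves `proxy_ssl_verify` off by default and nothing in this template enables it, so a tampered upstream response would be re-served to clients under this site's own Let's Encrypt certificate. Setting `proxy_ssl_verify on;`, `proxy_ssl_server_name on;` and `proxy_ssl_trusted_certificate <path-to-CA-bundle>;` at server level would cover both locations. The shared `proxy_set_header_common` block also sends `X-Real-IP` and `X-Forwarded-For` to a third-party upstream while blanking `Cookie`, which discloses every client address to DuckDuckGo; dropping those two headers looks more consistent with the intent of the rest of the block. The six `proxy_hide_header` lines strip HSTS, CSP, X-Frame-Options and the other security headers with no `add_header` replacement visible in this file, so a comment naming where they are re-added (presumably an http-level include) would help the next reader confirm the responses are not left without them.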