aboutsummaryrefslogtreecommitdiffstats
path: root/roles/web
diff options
context:
space:
mode:
authorAaron LI <aly@aaronly.me>2018-12-01 16:13:36 +0800
committerAaron LI <aly@aaronly.me>2018-12-01 16:13:36 +0800
commitf02635560560f7093d3c5c86ed7aa91147afd86e (patch)
tree27331fd12f5e3fd2acccc43279aa89376389700a /roles/web
parente0c4c5f5de5d488d40ad34f630e4c7dc93f92587 (diff)
downloadansible-dfly-vps-f02635560560f7093d3c5c86ed7aa91147afd86e.tar.bz2
web/sites: Add 233233.d.conf to proxy to duckduckgo.com
Diffstat (limited to 'roles/web')
-rw-r--r--roles/web/templates/sites/233233.d.conf.j278
1 files changed, 78 insertions, 0 deletions
diff --git a/roles/web/templates/sites/233233.d.conf.j2 b/roles/web/templates/sites/233233.d.conf.j2
new file mode 100644
index 0000000..f709040
--- /dev/null
+++ b/roles/web/templates/sites/233233.d.conf.j2
@@ -0,0 +1,78 @@
+{% set domain = "233233.xyz" %}
+#
+# nginx/sites: reverse proxy to DuckDuckGo: duckduckgo.com
+#
+# Aaron LI
+# 2018-12-01
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name d.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Enable caching
+ #proxy_cache CACHE;
+
+ # Replace cookie domain
+ proxy_cookie_domain duckduckgo.com $host;
+
+ # Hide some upstream headers to avoid duplicates/overrideing
+ proxy_hide_header Strict-Transport-Security;
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-XSS-Protection;
+ proxy_hide_header X-Content-Type-Options;
+ proxy_hide_header Referrer-Policy;
+
+ # Substitute links in contents
+ # NOTE: Require to set Accept-Encoding="" header in order to request
+ # *uncompressed* data from upstream, otherwise won't work!
+ sub_filter_types text/css text/javascript application/json;
+ sub_filter_once off;
+ sub_filter //duckduckgo.com/ //$host/;
+ sub_filter //proxy.duckduckgo.com/ //$host/__proxy/;
+
+ # Reverse proxy to duckduckgo.com
+ location / {
+ proxy_pass https://duckduckgo.com;
+ proxy_set_header Host duckduckgo.com;
+ proxy_set_header Referer https://duckduckgo.com;
+
+ # NOTE: Set `Accept-Encoding=""` to request *uncompressed* data
+ # from upstream, so that `sub_filter` works.
+ {% block proxy_set_header_common %}
+ proxy_set_header User-Agent $http_user_agent;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Cookie "";
+ proxy_set_header Accept-Encoding "";
+ proxy_set_header Accept-Language $http_accept_language;
+ {% endblock %}
+ }
+
+ # `/__proxy/` -> `proxy.duckduckgo.com`
+ location ^~ /__proxy/ {
+ proxy_pass https://proxy.duckduckgo.com;
+ proxy_set_header Host proxy.duckduckgo.com;
+ proxy_set_header Referer https://proxy.duckduckgo.com;
+ {{ self.proxy_set_header_common() }}
+ }
+
+ # Forbid spider
+ if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
+ return 403;
+ }
+
+ location /robots.txt {
+ default_type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+}
+{% endif %}