From e732061e072784c87e79355422cf703c9660379e Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 23 Nov 2021 10:21:26 +0000 Subject: [PATCH 1/5] Specify signing algorithm --- tests.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tests.py b/tests.py index 704accece..e7bf0bb70 100644 --- a/tests.py +++ b/tests.py @@ -5880,7 +5880,8 @@ def _testValidEmojiContent() -> None: assert validEmojiContent('😄') -def _testHttpsigBaseNew(withDigest: bool, baseDir: str): +def _testHttpsigBaseNew(withDigest: bool, baseDir: str, + algorithm: str) -> None: print('testHttpsigNew(' + str(withDigest) + ')') debug = True @@ -5926,7 +5927,7 @@ def _testHttpsigBaseNew(withDigest: bool, baseDir: str): domain, port, hostDomain, port, boxpath, httpPrefix, messageBodyJsonStr, - 'rsa-sha256', debug) + algorithm, debug) else: bodyDigest = messageContentDigest(messageBodyJsonStr) contentLength = len(messageBodyJsonStr) @@ -5942,7 +5943,7 @@ def _testHttpsigBaseNew(withDigest: bool, baseDir: str): domain, port, hostDomain, port, boxpath, httpPrefix, messageBodyJsonStr, - 'rsa-sha256', debug) + algorithm, debug) headers['signature'] = signatureHeader headers['signature-input'] = signatureIndexHeader @@ -6069,8 +6070,8 @@ def runAllTests(): _testHttpsig(baseDir) _testHttpSignedGET(baseDir) _testHttpSigNew() - _testHttpsigBaseNew(True, baseDir) - _testHttpsigBaseNew(False, baseDir) + _testHttpsigBaseNew(True, baseDir, 'rsa-sha256') + _testHttpsigBaseNew(False, baseDir, 'rsa-sha256') _testCache() _testThreads() _testCreatePerson(baseDir) From 1b9277e323910be8fe57c1f5e21368f78398cfbf Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 23 Nov 2021 11:41:40 +0000 Subject: [PATCH 2/5] Specify signing algorithm in tests --- httpsig.py | 73 ++++++++++++++++++++++++++++++++++++++++++++---------- inbox.py | 4 ++- tests.py | 45 ++++++++++++++++++++++----------- 3 files changed, 94 insertions(+), 28 deletions(-) 
diff --git a/httpsig.py b/httpsig.py index 3b1623019..fb4794761 100644 --- a/httpsig.py +++ b/httpsig.py @@ -28,12 +28,41 @@ from utils import getSHA512 from utils import localActorUrl -def messageContentDigest(messageBodyJsonStr: str) -> str: +def messageContentDigest(messageBodyJsonStr: str, digestAlgorithm: str) -> str: + """Returns the digest for the message body + """ msg = messageBodyJsonStr.encode('utf-8') - hashResult = getSHA256(msg) + if digestAlgorithm == 'rsa-sha512' or \ + digestAlgorithm == 'rsa-pss-sha512': + hashResult = getSHA512(msg) + else: + hashResult = getSHA256(msg) return base64.b64encode(hashResult).decode('utf-8') +def getDigestPrefix(digestAlgorithm: str) -> str: + """Returns the prefix for the message body digest + """ + if digestAlgorithm == 'rsa-sha512' or \ + digestAlgorithm == 'rsa-pss-sha512': + return 'SHA-512' + return 'SHA-256' + + +def getDigestAlgorithmFromHeaders(httpHeaders: {}) -> str: + """Returns the digest algorithm from http headers + """ + digestStr = None + if httpHeaders.get('digest'): + digestStr = httpHeaders['digest'] + elif httpHeaders.get('Digest'): + digestStr = httpHeaders['Digest'] + if digestStr: + if digestStr.startswith('SHA-512'): + return 'rsa-sha512' + return 'rsa-sha256' + + def signPostHeaders(dateStr: str, privateKeyPem: str, nickname: str, domain: str, port: int, @@ -41,10 +70,15 @@ def signPostHeaders(dateStr: str, privateKeyPem: str, path: str, httpPrefix: str, messageBodyJsonStr: str, - contentType: str) -> str: + contentType: str, + algorithm: str) -> str: """Returns a raw signature string that can be plugged into a header and used to verify the authenticity of an HTTP transmission. """ + # it is assumed that the hash used for the digest will be the same + # as for the signature + digestAlgorithm = algorithm + domain = getFullDomain(domain, port) toDomain = getFullDomain(toDomain, toPort) 
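Review bot: In `messageContentDigest` and `getDigestPrefix` any algorithm name other than `'rsa-sha512'`/`'rsa-pss-sha512'` silently falls through to SHA-256, and `getDigestAlgorithmFromHeaders` maps every `Digest` prefix other than `SHA-512` — including an unrecognised or unsupported one — to `'rsa-sha256'`. An unsupported or mislabelled digest is therefore indistinguishable from a genuine SHA-256 one at the point where the algorithm is chosen, and only surfaces later as a digest mismatch with no indication of why. I would make the unknown case explicit: accept only the two known prefixes and return `None` otherwise, `if digestStr.startswith('SHA-512'): return 'rsa-sha512'` / `if digestStr.startswith('SHA-256'): return 'rsa-sha256'` / `return None`, so the caller in the inbox.py hunk of this patch can reject the request, and `raise ValueError('unsupported digest algorithm: ' + digestAlgorithm)` in the two helpers for anything outside the supported set. Comparing the token before `=` exactly rather than with `startswith` would also keep the check from matching longer, unrelated prefixes.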
@@ -65,13 +99,15 @@ def signPostHeaders(dateStr: str, privateKeyPem: str, 'accept': contentType } else: - bodyDigest = messageContentDigest(messageBodyJsonStr) + bodyDigest = \ + messageContentDigest(messageBodyJsonStr, digestAlgorithm) + digestPrefix = getDigestPrefix(digestAlgorithm) contentLength = len(messageBodyJsonStr) headers = { '(request-target)': f'post {path}', 'host': toDomain, 'date': dateStr, - 'digest': f'SHA-256={bodyDigest}', + 'digest': f'{digestPrefix}={bodyDigest}', 'content-type': 'application/activity+json', 'content-length': str(contentLength) } @@ -100,7 +136,7 @@ def signPostHeaders(dateStr: str, privateKeyPem: str, # Put it into a valid HTTP signature format signatureDict = { 'keyId': keyID, - 'algorithm': 'rsa-sha256', + 'algorithm': algorithm, 'headers': ' '.join(signedHeaderKeys), 'signature': signature } @@ -122,6 +158,10 @@ def signPostHeadersNew(dateStr: str, privateKeyPem: str, used to verify the authenticity of an HTTP transmission. See https://tools.ietf.org/html/draft-ietf-httpbis-message-signatures """ + # it is assumed that the hash used for the digest will be the same + # as for the signature + digestAlgorithm = algorithm + domain = getFullDomain(domain, port) toDomain = getFullDomain(toDomain, toPort) @@ -143,14 +183,15 @@ def signPostHeadersNew(dateStr: str, privateKeyPem: str, 'date': dateStr } else: - bodyDigest = messageContentDigest(messageBodyJsonStr) + bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) + digestPrefix = getDigestPrefix(digestAlgorithm) contentLength = len(messageBodyJsonStr) headers = { '@request-target': f'post {path}', '@created': str(secondsSinceEpoch), 'host': toDomain, 'date': dateStr, - 'digest': f'SHA-256={bodyDigest}', + 'digest': f'{digestPrefix}={bodyDigest}', 'content-type': 'application/activity+json', 'content-length': str(contentLength) } 
@@ -210,6 +251,8 @@ def createSignedHeader(dateStr: str, privateKeyPem: str, nickname: str, contentType: str) -> {}: """Note that the domain is the destination, not the sender """ + algorithm = 'rsa-sha256' + digestAlgorithm = 'rsa-sha256' headerDomain = getFullDomain(toDomain, toPort) # if no date is given then create one @@ -230,15 +273,17 @@ def createSignedHeader(dateStr: str, privateKeyPem: str, nickname: str, signatureHeader = \ signPostHeaders(dateStr, privateKeyPem, nickname, domain, port, toDomain, toPort, - path, httpPrefix, None, contentType) + path, httpPrefix, None, contentType, + algorithm) else: - bodyDigest = messageContentDigest(messageBodyJsonStr) + bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) + digestPrefix = getDigestPrefix(digestAlgorithm) contentLength = len(messageBodyJsonStr) headers = { '(request-target)': f'post {path}', 'host': headerDomain, 'date': dateStr, - 'digest': f'SHA-256={bodyDigest}', + 'digest': f'{digestPrefix}={bodyDigest}', 'content-length': str(contentLength), 'content-type': contentType } @@ -247,7 +292,7 @@ def createSignedHeader(dateStr: str, privateKeyPem: str, nickname: str, domain, port, toDomain, toPort, path, httpPrefix, messageBodyJsonStr, - contentType) + contentType, algorithm) headers['signature'] = signatureHeader return headers @@ -341,6 +386,7 @@ def verifyPostHeaders(httpPrefix: str, # body (if a digest was included) signedHeaderList = [] algorithm = 'rsa-sha256' + digestAlgorithm = 'rsa-sha256' for signedHeader in signatureDict[requestTargetKey].split(fieldSep2): signedHeader = signedHeader.strip() if debug: @@ -387,7 +433,8 @@ def verifyPostHeaders(httpPrefix: str, if messageBodyDigest: bodyDigest = messageBodyDigest else: - bodyDigest = messageContentDigest(messageBodyJsonStr) + bodyDigest = \ + messageContentDigest(messageBodyJsonStr, digestAlgorithm) signedHeaderList.append(f'digest: SHA-256={bodyDigest}') elif signedHeader == 'content-length': if headers.get(signedHeader): 
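Review bot: `verifyPostHeaders` still pins `digestAlgorithm = 'rsa-sha256'` and still rebuilds the signed line as `f'digest: SHA-256={bodyDigest}'`, while the inbox.py hunk in this same patch now takes the digest algorithm from the incoming `Digest` header. A request whose `Digest` is labelled `SHA-512` therefore gets a SHA-512 queue digest but is verified against a SHA-256 string, so it can never pass — a failure in the safe direction, but it leaves the new SHA-512 support unusable end to end. I'd derive it here the same way, `digestAlgorithm = getDigestAlgorithmFromHeaders(headers)`, and emit `signedHeaderList.append(f'digest: {getDigestPrefix(digestAlgorithm)}={bodyDigest}')`; the `messageBodyDigest` branch just above takes a caller-supplied digest as-is, so that caller has to have used the same algorithm. `verifyPostHeaders` starts and ends outside these two hunks, so I can't see whether `digestAlgorithm` is reassigned elsewhere in it.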
diff --git a/inbox.py b/inbox.py index d780530ff..db63e88b2 100644 --- a/inbox.py +++ b/inbox.py @@ -60,6 +60,7 @@ from utils import localActorUrl from utils import hasObjectStringType from categories import getHashtagCategories from categories import setHashtagCategory +from httpsig import getDigestAlgorithmFromHeaders from httpsig import verifyPostHeaders from session import createSession from follow import followerApprovalActive @@ -549,7 +550,8 @@ def savePostToInboxQueue(baseDir: str, httpPrefix: str, sharedInboxItem = True digestStartTime = time.time() - digest = messageContentDigest(messageBytes) + digestAlgorithm = getDigestAlgorithmFromHeaders(httpHeaders) + digest = messageContentDigest(messageBytes, digestAlgorithm) timeDiffStr = str(int((time.time() - digestStartTime) * 1000)) if debug: while len(timeDiffStr) < 6: diff --git a/tests.py b/tests.py index e7bf0bb70..b5b2df5eb 100644 --- a/tests.py +++ b/tests.py @@ -23,6 +23,8 @@ from shutil import copyfile from random import randint from time import gmtime, strftime from pprint import pprint +from httpsig import getDigestAlgorithmFromHeaders +from httpsig import getDigestPrefix from httpsig import createSignedHeader from httpsig import signPostHeaders from httpsig import signPostHeadersNew @@ -401,8 +403,11 @@ def _testHttpSigNew(): pathStr = "/" + nickname + "?param=value&pet=dog HTTP/1.1" domain = 'example.com' dateStr = 'Tue, 20 Apr 2021 02:07:55 GMT' - digestStr = 'SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=' - bodyDigest = messageContentDigest(messageBodyJsonStr) + algorithm = 'rsa-sha256' + digestAlgorithm = 'rsa-sha256' + digestPrefix = getDigestPrefix(digestAlgorithm) + digestStr = digestPrefix + '=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=' + bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) assert bodyDigest in digestStr contentLength = 18 contentType = 'application/activity+json' 
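Review bot: `assert bodyDigest in digestStr` is a substring check, so it passes as long as the base64 value appears anywhere in `digestStr`, and it says nothing about the prefix now produced by `getDigestPrefix`. Since `digestStr` is built from a known-good literal, the test can pin the whole header value: `assert digestStr == f'{digestPrefix}={bodyDigest}'`. That also fails if the prefix and the hash ever disagree, which is the regression this series creates the most opportunity for. `_testHttpSigNew` continues outside the hunk.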
@@ -477,7 +482,7 @@ def _testHttpSigNew(): headers = { "host": domain, "date": dateStr, - "digest": f'SHA-256={bodyDigest}', + "digest": f'{digestPrefix}={bodyDigest}', "content-type": contentType, "content-length": str(contentLength) } @@ -486,7 +491,7 @@ def _testHttpSigNew(): domain, port, domain, port, pathStr, httpPrefix, messageBodyJsonStr, - 'rsa-sha256', debug) + algorithm, debug) print('signatureIndexHeader1: ' + str(signatureIndexHeader)) print('signatureHeader1: ' + str(signatureHeader)) sigInput = "keyId=\"https://example.com/users/foo#main-key\"; " + \ @@ -528,6 +533,8 @@ def _testHttpsigBase(withDigest: bool, baseDir: str): os.mkdir(path) os.chdir(path) + algorithm = 'rsa-sha256' + digestAlgorithm = 'rsa-sha256' contentType = 'application/activity+json' nickname = 'socrates' hostDomain = 'someother.instance' @@ -563,23 +570,26 @@ def _testHttpsigBase(withDigest: bool, baseDir: str): signPostHeaders(dateStr, privateKeyPem, nickname, domain, port, hostDomain, port, - boxpath, httpPrefix, None, contentType) + boxpath, httpPrefix, None, contentType, + algorithm) else: - bodyDigest = messageContentDigest(messageBodyJsonStr) + digestPrefix = getDigestPrefix(digestAlgorithm) + bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) contentLength = len(messageBodyJsonStr) headers = { 'host': headersDomain, 'date': dateStr, - 'digest': f'SHA-256={bodyDigest}', + 'digest': f'{digestPrefix}={bodyDigest}', 'content-type': contentType, 'content-length': str(contentLength) } + assert getDigestAlgorithmFromHeaders(headers) == digestAlgorithm signatureHeader = \ signPostHeaders(dateStr, privateKeyPem, nickname, domain, port, hostDomain, port, boxpath, httpPrefix, messageBodyJsonStr, - contentType) + contentType, algorithm) headers['signature'] = signatureHeader GETmethod = not withDigest 
@@ -612,14 +622,16 @@ def _testHttpsigBase(withDigest: bool, baseDir: str): '{"a key": "a value", "another key": "Fake GNUs", ' + \ '"yet another key": "More Fake GNUs"}' contentLength = len(messageBodyJsonStr) - bodyDigest = messageContentDigest(messageBodyJsonStr) + digestPrefix = getDigestPrefix(digestAlgorithm) + bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) headers = { 'host': domain, 'date': dateStr, - 'digest': f'SHA-256={bodyDigest}', + 'digest': f'{digestPrefix}={bodyDigest}', 'content-type': contentType, 'content-length': str(contentLength) } + assert getDigestAlgorithmFromHeaders(headers) == digestAlgorithm headers['signature'] = signatureHeader assert verifyPostHeaders(httpPrefix, publicKeyPem, headers, boxpath, not GETmethod, None, @@ -5891,6 +5903,7 @@ def _testHttpsigBaseNew(withDigest: bool, baseDir: str, os.mkdir(path) os.chdir(path) + digestAlgorithm = algorithm contentType = 'application/activity+json' nickname = 'socrates' hostDomain = 'someother.instance' @@ -5929,15 +5942,17 @@ def _testHttpsigBaseNew(withDigest: bool, baseDir: str, boxpath, httpPrefix, messageBodyJsonStr, algorithm, debug) else: - bodyDigest = messageContentDigest(messageBodyJsonStr) + digestPrefix = getDigestPrefix(digestAlgorithm) + bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) contentLength = len(messageBodyJsonStr) headers = { 'host': headersDomain, 'date': dateStr, - 'digest': f'SHA-256={bodyDigest}', + 'digest': f'{digestPrefix}={bodyDigest}', 'content-type': contentType, 'content-length': str(contentLength) } + assert getDigestAlgorithmFromHeaders(headers) == digestAlgorithm signatureIndexHeader, signatureHeader = \ signPostHeadersNew(dateStr, privateKeyPem, nickname, domain, port, 
@@ -5980,14 +5995,16 @@ def _testHttpsigBaseNew(withDigest: bool, baseDir: str, '{"a key": "a value", "another key": "Fake GNUs", ' + \ '"yet another key": "More Fake GNUs"}' contentLength = len(messageBodyJsonStr) - bodyDigest = messageContentDigest(messageBodyJsonStr) + digestPrefix = getDigestPrefix(digestAlgorithm) + bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) headers = { 'host': domain, 'date': dateStr, - 'digest': f'SHA-256={bodyDigest}', + 'digest': f'{digestPrefix}={bodyDigest}', 'content-type': contentType, 'content-length': str(contentLength) } + assert getDigestAlgorithmFromHeaders(headers) == digestAlgorithm headers['signature'] = signatureHeader headers['signature-input'] = signatureIndexHeader pprint(headers) From 9dc4189d57bf0dc2823d1b90e6c3584e123d2450 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 23 Nov 2021 12:12:23 +0000 Subject: [PATCH 3/5] Separate signing and digest algorithms --- httpsig.py | 18 ++++++------------ tests.py | 23 ++++++++++------------- 2 files changed, 16 insertions(+), 25 deletions(-) diff --git a/httpsig.py b/httpsig.py index fb4794761..57ca9a4cf 100644 --- a/httpsig.py +++ b/httpsig.py @@ -71,14 +71,11 @@ def signPostHeaders(dateStr: str, privateKeyPem: str, httpPrefix: str, messageBodyJsonStr: str, contentType: str, - algorithm: str) -> str: + algorithm: str, + digestAlgorithm: str) -> str: """Returns a raw signature string that can be plugged into a header and used to verify the authenticity of an HTTP transmission. """ - # it is assumed that the hash used for the digest will be the same - # as for the signature - digestAlgorithm = algorithm - domain = getFullDomain(domain, port) toDomain = getFullDomain(toDomain, toPort) 
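Review bot: The new `digestAlgorithm` parameter of `signPostHeaders` is undocumented, and the callers changed in this patch pass `None` for it when there is no body (`algorithm, None` in the createSignedHeader hunk), which the docstring should say because the value is only consumed in the with-body branch. I'd extend the docstring with a short Args section stating that `algorithm` is the value written into the Signature header's `algorithm` field (e.g. `'rsa-sha256'`) and that `digestAlgorithm` selects the hash and `SHA-…=` prefix of the body `Digest` header and may be `None` when `messageBodyJsonStr` is `None`. The same applies to `signPostHeadersNew` in the next hunk; both functions begin and end outside these hunks.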
@@ -152,16 +149,13 @@ def signPostHeadersNew(dateStr: str, privateKeyPem: str, path: str, httpPrefix: str, messageBodyJsonStr: str, - algorithm: str, debug: bool) -> (str, str): + algorithm: str, digestAlgorithm: str, + debug: bool) -> (str, str): """Returns a raw signature strings that can be plugged into a header as "Signature-Input" and "Signature" used to verify the authenticity of an HTTP transmission. See https://tools.ietf.org/html/draft-ietf-httpbis-message-signatures """ - # it is assumed that the hash used for the digest will be the same - # as for the signature - digestAlgorithm = algorithm - domain = getFullDomain(domain, port) toDomain = getFullDomain(toDomain, toPort) @@ -274,7 +268,7 @@ def createSignedHeader(dateStr: str, privateKeyPem: str, nickname: str, signPostHeaders(dateStr, privateKeyPem, nickname, domain, port, toDomain, toPort, path, httpPrefix, None, contentType, - algorithm) + algorithm, None) else: bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) digestPrefix = getDigestPrefix(digestAlgorithm) @@ -292,7 +286,7 @@ def createSignedHeader(dateStr: str, privateKeyPem: str, nickname: str, domain, port, toDomain, toPort, path, httpPrefix, messageBodyJsonStr, - contentType, algorithm) + contentType, algorithm, digestAlgorithm) headers['signature'] = signatureHeader return headers diff --git a/tests.py b/tests.py index b5b2df5eb..9ed6a6506 100644 --- a/tests.py +++ b/tests.py @@ -392,7 +392,7 @@ def _testSignAndVerify() -> None: pubkey.verify(signature2, headerDigest, paddingStr, alg) -def _testHttpSigNew(): +def _testHttpSigNew(algorithm: str, digestAlgorithm: str): print('testHttpSigNew') httpPrefix = 'https' port = 443 
@@ -403,8 +403,6 @@ def _testHttpSigNew(): pathStr = "/" + nickname + "?param=value&pet=dog HTTP/1.1" domain = 'example.com' dateStr = 'Tue, 20 Apr 2021 02:07:55 GMT' - algorithm = 'rsa-sha256' - digestAlgorithm = 'rsa-sha256' digestPrefix = getDigestPrefix(digestAlgorithm) digestStr = digestPrefix + '=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=' bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) @@ -491,7 +489,7 @@ def _testHttpSigNew(): domain, port, domain, port, pathStr, httpPrefix, messageBodyJsonStr, - algorithm, debug) + algorithm, digestAlgorithm, debug) print('signatureIndexHeader1: ' + str(signatureIndexHeader)) print('signatureHeader1: ' + str(signatureHeader)) sigInput = "keyId=\"https://example.com/users/foo#main-key\"; " + \ @@ -571,7 +569,7 @@ def _testHttpsigBase(withDigest: bool, baseDir: str): domain, port, hostDomain, port, boxpath, httpPrefix, None, contentType, - algorithm) + algorithm, None) else: digestPrefix = getDigestPrefix(digestAlgorithm) bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) @@ -589,7 +587,7 @@ def _testHttpsigBase(withDigest: bool, baseDir: str): domain, port, hostDomain, port, boxpath, httpPrefix, messageBodyJsonStr, - contentType, algorithm) + contentType, algorithm, digestAlgorithm) headers['signature'] = signatureHeader GETmethod = not withDigest @@ -5893,7 +5891,7 @@ def _testValidEmojiContent() -> None: def _testHttpsigBaseNew(withDigest: bool, baseDir: str, - algorithm: str) -> None: + algorithm: str, digestAlgorithm: str) -> None: print('testHttpsigNew(' + str(withDigest) + ')') debug = True @@ -5903,7 +5901,6 @@ def _testHttpsigBaseNew(withDigest: bool, baseDir: str, os.mkdir(path) os.chdir(path) - digestAlgorithm = algorithm contentType = 'application/activity+json' nickname = 'socrates' hostDomain = 'someother.instance' 
@@ -5940,7 +5937,7 @@ def _testHttpsigBaseNew(withDigest: bool, baseDir: str, domain, port, hostDomain, port, boxpath, httpPrefix, messageBodyJsonStr, - algorithm, debug) + algorithm, digestAlgorithm, debug) else: digestPrefix = getDigestPrefix(digestAlgorithm) bodyDigest = messageContentDigest(messageBodyJsonStr, digestAlgorithm) @@ -5958,7 +5955,7 @@ def _testHttpsigBaseNew(withDigest: bool, baseDir: str, domain, port, hostDomain, port, boxpath, httpPrefix, messageBodyJsonStr, - algorithm, debug) + algorithm, digestAlgorithm, debug) headers['signature'] = signatureHeader headers['signature-input'] = signatureIndexHeader @@ -6086,9 +6083,9 @@ def runAllTests(): _testActorParsing() _testHttpsig(baseDir) _testHttpSignedGET(baseDir) - _testHttpSigNew() - _testHttpsigBaseNew(True, baseDir, 'rsa-sha256') - _testHttpsigBaseNew(False, baseDir, 'rsa-sha256') + _testHttpSigNew('rsa-sha256', 'rsa-sha256') + _testHttpsigBaseNew(True, baseDir, 'rsa-sha256', 'rsa-sha256') + _testHttpsigBaseNew(False, baseDir, 'rsa-sha256', 'rsa-sha256') _testCache() _testThreads() _testCreatePerson(baseDir) From 950d49b06b21571f1faddcc0617c70eff236b782 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 23 Nov 2021 13:12:09 +0000 Subject: [PATCH 4/5] digest algorithm --- httpsig.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/httpsig.py b/httpsig.py index 57ca9a4cf..27383e844 100644 --- a/httpsig.py +++ b/httpsig.py 
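Review bot: Every call in `runAllTests` still passes `'rsa-sha256'` for both the signing and the digest algorithm, so the SHA-512 branches added to `messageContentDigest`, `getDigestPrefix` and `getDigestAlgorithmFromHeaders` are never exercised even though the tests were parameterised for exactly that. Adding `_testHttpSigNew('rsa-sha256', 'rsa-sha512')` and `_testHttpsigBaseNew(True, baseDir, 'rsa-sha256', 'rsa-sha512')` would cover the digest side; `_testHttpsigBase`, which is the one that asserts `verifyPostHeaders`, still hard-codes both names locally and would need the same parameters to cover verification. I'd expect a SHA-512 round trip through `verifyPostHeaders` to fail while it still rebuilds the signed line with a fixed `SHA-256=` prefix, which is exactly the gap a test should be catching.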
@@ -538,12 +538,12 @@ def verifyPostHeaders(httpPrefix: str, else: alg = hazutils.Prehashed(hashes.SHA256()) - if algorithm == 'rsa-sha256' or algorithm == 'hs2019': + if digestAlgorithm == 'rsa-sha256': headerDigest = getSHA256(signedHeaderText.encode('ascii')) - elif algorithm == 'rsa-sha512': + elif digestAlgorithm == 'rsa-sha512': headerDigest = getSHA512(signedHeaderText.encode('ascii')) else: - print('Unknown http signature algorithm: ' + algorithm) + print('Unknown http digest algorithm: ' + digestAlgorithm) headerDigest = '' paddingStr = padding.PKCS1v15() From 4cb70ca5d4705c8e7f7d291154ad52b11a92e018 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 23 Nov 2021 15:03:40 +0000 Subject: [PATCH 5/5] Update nginx configurations --- deploy/i2p | 69 +++++++++++++++++++--------------------------------- deploy/onion | 62 +++++++++++++++------------------------------- 2 files changed, 44 insertions(+), 87 deletions(-) diff --git a/deploy/i2p b/deploy/i2p index a45658228..aabea5d18 100755 --- a/deploy/i2p +++ b/deploy/i2p 
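Review bot: The hash applied to `signedHeaderText` is the signature's hash, not the body digest's, so selecting it by `digestAlgorithm` re-conflates the two things the previous commit ("Separate signing and digest algorithms") split; it should keep following `algorithm`, the Signature header's `algorithm` value. With this change a `rsa-sha512` digest algorithm produces a SHA-512 `headerDigest` while the visible `else` branch above still builds `alg = hazutils.Prehashed(hashes.SHA256())`, so verification fails for the wrong reason; the two choices need to come from one variable. Dropping the `'hs2019'` case is only harmless because `digestAlgorithm` is hard-coded to `'rsa-sha256'` in the patch-2 hunk of this function, which reads as accidental rather than intended. I'd restore `if algorithm == 'rsa-sha256' or algorithm == 'hs2019':` / `elif algorithm == 'rsa-sha512':` and have the final `else` `return False` instead of continuing with `headerDigest = ''`. The function starts and ends outside the hunk, so the branch that sets `alg` for other algorithms is not visible here.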
@@ -352,51 +352,32 @@ echo "Creating nginx virtual host for http://${I2P_DOMAIN}" echo ' error_log /dev/null;'; echo ''; echo ' index index.html;'; + echo ''; + echo ' location /newsmirror {'; + echo " root /var/www/${I2P_DOMAIN}/htdocs;"; + echo ' try_files $uri =404;'; + echo ' }'; + echo ''; echo ' location / {'; - echo ' proxy_http_version 1.1;'; - echo ' client_max_body_size 31M;'; - echo " proxy_hide_header Upgrade;"; - echo ' proxy_hide_header Connection;'; - echo " proxy_set_header Host \$http_host;"; - echo " proxy_set_header X-Real-IP \$remote_addr;"; - echo " proxy_set_header X-Forward-For \$proxy_add_x_forwarded_for;"; - echo ' proxy_set_header X-Forward-Proto http;'; - echo ' proxy_set_header X-Nginx-Proxy true;'; - echo ' proxy_set_header Upgrade-Insecure-Requests false;'; - echo ' expires epoch;'; - echo ' proxy_no_cache 1;'; - echo ' proxy_temp_file_write_size 64k;'; - echo ' proxy_connect_timeout 10080s;'; - echo ' proxy_send_timeout 10080;'; - echo ' proxy_read_timeout 10080;'; - echo ' proxy_buffer_size 64k;'; - echo ' proxy_buffers 16 32k;'; - echo ' proxy_busy_buffers_size 64k;'; - echo ' proxy_redirect off;'; - echo ' proxy_request_buffering off;'; - echo ' proxy_buffering on;'; - echo ' proxy_cache my_cache;'; - echo ' proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;'; - echo " location ~ ^/(icons|images|media|emoji)/(.*)/(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {"; - echo ' expires 7d;'; - echo " proxy_pass http://localhost:${EPICYON_PORT};"; - echo ' }'; - echo " location ~ ^/icons/(.*)/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {"; - echo ' expires epoch;'; - echo ' proxy_no_cache 1;'; - echo " proxy_pass http://localhost:${EPICYON_PORT};"; - echo ' }'; - echo " location ~ ^/icons/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {"; - echo ' expires epoch;'; - echo ' proxy_no_cache 1;'; - echo " proxy_pass http://localhost:${EPICYON_PORT};"; - echo ' }'; - echo " location ~ 
^/users/(.*)/(image|banner).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {"; - echo ' expires epoch;'; - echo ' proxy_no_cache 1;'; - echo " proxy_pass http://localhost:${EPICYON_PORT};"; - echo ' }'; - echo " proxy_pass http://localhost:${EPICYON_PORT};"; + echo ' proxy_http_version 1.1;'; + echo ' client_max_body_size 31M;'; + echo " proxy_set_header Host \$http_host;"; + echo " proxy_set_header X-Real-IP \$remote_addr;"; + echo " proxy_set_header X-Forward-For \$proxy_add_x_forwarded_for;"; + echo ' proxy_set_header X-Forward-Proto http;'; + echo ' proxy_set_header X-Nginx-Proxy true;'; + echo ' proxy_temp_file_write_size 64k;'; + echo ' proxy_connect_timeout 10080s;'; + echo ' proxy_send_timeout 10080;'; + echo ' proxy_read_timeout 10080;'; + echo ' proxy_buffer_size 64k;'; + echo ' proxy_buffers 16 32k;'; + echo ' proxy_busy_buffers_size 64k;'; + echo ' proxy_redirect off;'; + echo ' proxy_request_buffering off;'; + echo ' proxy_buffering off;'; + echo " proxy_pass http://localhost:${EPICYON_PORT};"; + echo ' tcp_nodelay on;'; echo ' }'; echo '}'; } > /etc/nginx/sites-available/epicyon-i2p diff --git a/deploy/onion b/deploy/onion index da3a776dd..cc214f758 100755 --- a/deploy/onion +++ b/deploy/onion 
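Review bot: The rewritten `location /` block keeps `X-Forward-For` and `X-Forward-Proto`, which are not the conventional `X-Forwarded-For` / `X-Forwarded-Proto` names; unless the daemon reads these exact spellings, anything behind the proxy that keys on the standard headers sees nothing. The old lines used the same spelling, so this is carried over rather than introduced, but since the block is being rewritten it is the moment to confirm against what epicyon actually reads and either rename them or add a comment such as `# header names intentionally match what the daemon expects` next to them. The same two lines appear in the deploy/onion hunk below.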
@@ -281,49 +281,25 @@ echo "Creating nginx virtual host for ${ONION_DOMAIN}" echo ' }'; echo ''; echo ' location / {'; - echo ' proxy_http_version 1.1;'; - echo ' client_max_body_size 31M;'; - echo " proxy_hide_header Upgrade;"; - echo ' proxy_hide_header Connection;'; - echo " proxy_set_header Host \$http_host;"; - echo " proxy_set_header X-Real-IP \$remote_addr;"; - echo " proxy_set_header X-Forward-For \$proxy_add_x_forwarded_for;"; - echo ' proxy_set_header X-Forward-Proto http;'; - echo ' proxy_set_header X-Nginx-Proxy true;'; - echo ' expires epoch;'; - echo ' proxy_no_cache 1;'; - echo ' proxy_temp_file_write_size 64k;'; - echo ' proxy_connect_timeout 10080s;'; - echo ' proxy_send_timeout 10080;'; - echo ' proxy_read_timeout 10080;'; - echo ' proxy_buffer_size 64k;'; - echo ' proxy_buffers 16 32k;'; - echo ' proxy_busy_buffers_size 64k;'; - echo ' proxy_redirect off;'; - echo ' proxy_request_buffering off;'; - echo ' proxy_buffering on;'; - echo ' proxy_cache my_cache;'; - echo ' proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;'; - echo " location ~ ^/(icons|images|media|emoji)/(.*)/(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {"; - echo ' expires 7d;'; - echo " proxy_pass http://localhost:${EPICYON_PORT};"; - echo ' }'; - echo " location ~ ^/icons/(.*)/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {"; - echo ' expires epoch;'; - echo ' proxy_no_cache 1;'; - echo " proxy_pass http://localhost:${EPICYON_PORT};"; - echo ' }'; - echo " location ~ ^/icons/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {"; - echo ' expires epoch;'; - echo ' proxy_no_cache 1;'; - echo " proxy_pass http://localhost:${EPICYON_PORT};"; - echo ' }'; - echo " location ~ ^/users/(.*)/(image|banner).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {"; - echo ' expires epoch;'; - echo ' proxy_no_cache 1;'; - echo " proxy_pass http://localhost:${EPICYON_PORT};"; - echo ' }'; - echo " proxy_pass http://localhost:${EPICYON_PORT};"; + echo ' 
proxy_http_version 1.1;'; + echo ' client_max_body_size 31M;'; + echo " proxy_set_header Host \$http_host;"; + echo " proxy_set_header X-Real-IP \$remote_addr;"; + echo " proxy_set_header X-Forward-For \$proxy_add_x_forwarded_for;"; + echo ' proxy_set_header X-Forward-Proto http;'; + echo ' proxy_set_header X-Nginx-Proxy true;'; + echo ' proxy_temp_file_write_size 64k;'; + echo ' proxy_connect_timeout 10080s;'; + echo ' proxy_send_timeout 10080;'; + echo ' proxy_read_timeout 10080;'; + echo ' proxy_buffer_size 64k;'; + echo ' proxy_buffers 16 32k;'; + echo ' proxy_busy_buffers_size 64k;'; + echo ' proxy_redirect off;'; + echo ' proxy_request_buffering off;'; + echo ' proxy_buffering off;'; + echo " proxy_pass http://localhost:${EPICYON_PORT};"; + echo ' tcp_nodelay on;'; echo ' }'; echo '}'; } > "/etc/nginx/sites-available/${username}"