Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
148 lines (140 sloc) 7.34 KB
#nginx version: nginx/1.9.4
#configure arguments: --with-http_ssl_module
# --with-openssl=/usr/src/openssl-1.0.2d
# --prefix=/usr/local/nginx
# --add-module=/usr/src/nginx-1.9.4/lua-nginx-module
# --add-module=/usr/src/nginx-1.9.4/ngx_http_substitutions_filter_module
# --add-module=/usr/src/nginx-1.9.4/echo-nginx-module
# (The echo module isn't required for this setup, I just use it for something else :P)
worker_processes 5;
events {
worker_connections 2048;
}
http {
lua_code_cache off;
# this is part of the silly trick to make the webserver's banner reply with random ones for each request.
# server-versions-2.txt = https://philip.html5.org/data/server-versions-2.txt (modified so it's only one banner string per line).
init_by_lua '
handle = io.popen("echo -n $(shuf -n 1 /usr/local/nginx/conf/server-versions-2.txt)")
result = handle:read("*a")
handle:close()
';
resolver 8.8.8.8;
server_tokens off;
proxy_cache_path /usr/local/nginx/cache levels=1:2 keys_zone=STATIC:10m
inactive=24h max_size=1g;
include mime.types;
default_type application/octet-stream;
gzip on;
etag off;
# Don't log IPs, but log the amount of bytes in a response so we can get a rough idea
# of how much bandwidth the proxy is using, so we know when we need to add more servers
# to the cluster. Also log referer so we can see who's putting up katstorm links :-)
log_format noip '$time_local - bytes sent: $body_bytes_sent referer: "$http_referer"';
server {
listen 94.242.58.199:80;
server_name katstorm.party;
return 301 https://$server_name$request_uri;
}
server {
server_name katstorm.party;
access_log /usr/local/nginx/logs/access.log noip;
ssl on;
ssl_protocols TLSv1.2 TLSv1.1;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
ssl_dhparam /usr/local/nginx/conf/dhparams.pem;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 5m;
ssl_certificate /usr/local/nginx/conf/bundle.crt;
ssl_certificate_key /usr/local/nginx/conf/katstorm.key;
listen 94.242.58.199:443;
location / {
proxy_pass http://kat.cr/;
proxy_set_header Host kat.cr;
proxy_cache STATIC;
proxy_cache_valid 200 1d;
proxy_cache_use_stale error timeout invalid_header updating
http_500 http_502 http_503 http_504;
#since KA forces gzip no matter what, gotta gunzip it first before we can modify the html
header_filter_by_lua '
ngx.header.Server = result
if ngx.header.content_encoding == "gzip" then
local zlib = require "zlib"
ngx.ctx.inflate = zlib.inflate()
ngx.header.content_length = nil
ngx.header.content_encoding = nil
end
';
body_filter_by_lua '
local inflate = ngx.ctx.inflate
if not inflate then
return
end
local s = ngx.arg[1]
if s ~= "" then
local inflated, eof = inflate(s)
if inflated ~= "" then
-- this is not the best way to do this, but i suck at LUA so there ya go :)
-- kastatic.com hosts some .css and .js and i think some images too
local new = string.gsub(inflated,"https://kastatic.com","https://katstorm.party/kastatic")
-- insert our silly "ad" that shows up at the top
local new2 = string.gsub(new,"</head>","<script type=text/javascript src=https://katstorm.party/a.js></script><script type=text/javascript src=https://katstorm.party/ga_4ks.js></script></head>")
local new3 = string.gsub(new2,"<body>","<body onload=cca();><div id=cA></div>")
-- this is KAs ad. replacing it with katstorm because the .js that loads the ads is an empty file on our server :-)
local new4 = string.gsub(new3,"a.kat.cr","katstorm.party")
local new5 = string.gsub(new4,"//kastatic.com/","https://katstorm.party/kastatic/")
local new6 = string.gsub(new5,"kastatic.com","katstorm.party/kastatic")
local new7 = string.gsub(new6,"http://torcache.net","https://katstorm.party")
local new8 = string.gsub(new7,"http%%3A%%2F%%2Ftorcache.net","https%%3A%%2F%%2Fkatstorm.party")
ngx.arg[1] = new8
else
ngx.arg[1] = nil
end
end
';
}
# our "ad"
location /a.js {
add_header Cache-Control no-cache;
alias /usr/local/nginx/html/a.js;
}
# our google analytics
location /ga_4ks.js {
alias /usr/local/nginx/html/ga_4ks.js;
}
# the KA ads .js, empty on our server so no more KA ads :-D
location ~ /sc-(.*).js {
add_header Cache-Control no-cache;
alias /usr/local/nginx/html/sc-1fb12f6.js;
}
# send torcache requests and redirects to katstorm.party/torrent/
# (haven't seen any other KA proxy do this, which means any country/ISP
# that really wants to block KA and it's proxies can just block torcache.net)
location /torrent {
proxy_set_header Host torcache.net;
try_files $uri $uri/ @torcache;
}
location @torcache {
proxy_pass http://torcache.net$request_uri;
proxy_redirect http://torcache.net/torrent/ https://katstorm.party/torrent/;
}
location /kastatic {
proxy_set_header Host kastatic.com;
try_files $uri $uri/ @kastatic;
}
location @kastatic {
set $request_url $request_uri;
if ($request_uri ~ ^/kastatic(.*)$ ) {
set $request_url $1;
}
proxy_pass https://kastatic.com$request_url;
subs_filter_types *;
# gotta do some more replacements here since some kastatic .css files link to kastatic.com
subs_filter '//kastatic.com' 'https://katstorm.party/kastatic' ig;
subs_filter 'kastatic.com' 'https://katstorm.party/kastatic' ig;
subs_filter 'url("/' 'url("https://katstorm.party/kastatic/' ig;
subs_filter 'url(/' 'url(https://katstorm.party/kastatic/' ig;
}
}
}