Home Explore Help
Sign In
yosoyhendrix
/
hestiacp
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: docs/fix-cli-gendocs-errors
Branches Tags
hestiacp
/
install
/
deb
/
nginx
/
0rtt-anti-replay.conf

0rtt-anti-replay.conf 1.1 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031 
  1. # Implement TLS 1.3 0-RTT anti-replay for NGINX
    2. 

  2. # Requires: NGINX directive "ssl_early_data" on
    3. 

  3. # Usage:
    4. 

  4. # Make sure these "map" blocks are included in "http" block
    5. 

  5. # Put the following two lines in SSL "server" block, before any "location" blocks
    6. 

  6. # if ($anti_replay = 307) { return 307 https://$host$request_uri; }
    7. 

  7. # if ($anti_replay = 425) { return 425; }
    8. 

  8. # Pass "Early-Data" header to backend/upstream
    9. 

  9. # Only for 0-RTT requests from clients that understand 425 status code (RFC 8470)
    10. 

  10. # fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
    11. 

  11. # proxy_set_header Early-Data $rfc_early_data;
    12. 

  12. # Copyright © myrevery
    13. 

  13. # Copyright © 7677333 (An anagram of a Anonymous Cybersecurity Research Team)
    14. 

  14. map "$request_method:$is_args" $ar_idempotent {
    15. 

  15. 	default                              0;
    16. 

  16. 	"~^GET:$|^(HEAD|OPTIONS|TRACE):\?*$" 1;
    17. 

  17. }
    18. 

  18. 

  19. map $http_user_agent $ar_support_425 {
    20. 

  20. 	default                                           0;
    21. 

  21. 	"~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1;
    22. 

  22. }
    23. 

  23. 

  24. map "$ssl_early_data:$ar_idempotent:$ar_support_425" $anti_replay {
    25. 

  25. 	1:0:0 307;
    26. 

  26. 	1:0:1 425;
    27. 

  27. }
    28. 

  28. 

  29. map "$ssl_early_data:$ar_support_425" $rfc_early_data {
    30. 

  30. 	1:1 1;
    31. 

  31. }
    32.