-
Notifications
You must be signed in to change notification settings - Fork 3
/
nl.robwu.pdfjs.conf
97 lines (85 loc) · 2.95 KB
/
nl.robwu.pdfjs.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
# This configuration creates a server that does nothing else besides logging
# some data as explained in https://github.com/mozilla/pdf.js/issues/7312.
#
# Method: POST
# Path : /logpdfjs
# Request headers:
# - Deduplication-ID: hexadecimal string of length 10.
# - User-Agent: At most 1000 characters.
# - Extension-Version: 1 - 24 characters (up to 4 uint16_t separated by dot).
#
# The following data is logged:
# - The above request headers.
#
#
# This design was chosen for the following reasons:
#
# - Third-party web pages cannot forge the request, because of the custom header
# requirement. This header can thus only be set through the XMLHttpRequest or
# fetch API. However, that is blocked unless the request is allowed via CORS.
# A custom header is a non-simple request, so the POST request will always be
# preceded by an OPTIONS request. This is rejected by the server.
#
# - The logged information is minimal to avoid any privacy risks.
#
# - Note that fake data (i.e. requests made via curl, etc.) are tolerated.
# First the fixed-format values, then the arbitrary-value UA string.
log_format pdfjs
'$http_deduplication_id '
'$http_extension_version '
'"$http_user_agent"';
map $http_user_agent $has_valid_headers_2 {
'~^.{1,1000}$' 1;
}
map $http_deduplication_id $has_valid_headers_1 {
'~^[0-9a-f]{10}$' $has_valid_headers_2;
}
map $http_extension_version $has_valid_headers {
# The number of parts must be between 1 and 4 (inclusive) and each part
# is separated by a dot. Each part must fit in a 16-bit integer, i.e.
# between 0 and 65535 (inclusive).
'~^(([0-5]?[0-9]{1,4}|6([0-4][0-9]{3}|5([0-4][0-9]{2}|5([0-2][0-9]|3[0-5]))))(\.(?!$)|$)){1,4}$' $has_valid_headers_1;
}
server {
listen 5.2.64.236:80;
listen [2a04:52c0:101:da::7312]:80;
listen 5.2.64.236:443 ssl;
listen [2a04:52c0:101:da::7312]:443 ssl;
server_name pdfjs.robwu.nl;
ssl_certificate /home/letsencrypt/keys/pdfjs.robwu.nl.crt;
ssl_certificate_key /home/letsencrypt/keys/pdfjs.robwu.nl.key;
ssl_trusted_certificate /home/letsencrypt/keys/pdfjs.robwu.nl.crt;
access_log off;
log_not_found off;
log_subrequest off;
max_ranges 0;
# Restrict length of headers. Only the User-Agent header has to fit in here.
client_header_buffer_size 1k;
large_client_header_buffers 4 1k;
# We don't expect a request body, so reject any value.
client_max_body_size 1;
keepalive_timeout 0;
location = /logpdfjs {
if ($request_method != POST) {
return 405;
}
if ($has_valid_headers) {
access_log /var/log/pdfjs/pdfjs.log pdfjs;
return 204;
}
return 400;
}
location = /robots.txt {
return 200 'User-Agent: *
Disallow: /
';
}
# For Let's encrypt.
location ^~ /.well-known/acme-challenge/ {
root /home/letsencrypt/public_html;
}
location / {
return 404;
}
}
# vim: syntax=nginx smartindent