proxy_default.conf

# nginx.vh.default.conf  --  docker-openresty
#
# This file is installed to:
#   `/etc/nginx/conf.d/default.conf`
#
# It tracks the `server` section of the upstream OpenResty's `nginx.conf`.
#
# This config (and any other configs in `etc/nginx/conf.d/`) is loaded by
# default by the `include` directive in `/usr/local/openresty/nginx/conf/nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#

lua_package_path "/lua-resty-cookie/lib/?.lua;;";

# anonymize ip address for logs and x-forwarded-for
map $remote_addr $remote_addr_anon {
	~(?P<ip>\d+\.\d+)$	0.0.$ip;
 	~(?P<ip>[^:]+:[^:]+)$	::$ip; # TODO - test out ipv6
	default			0.0.0.0;
}
	
server {
	listen       80;
  	server_name  localhost;

	# TODO - put something reasonable here
  	#access_log  /var/log/nginx/host.access.log  main;

	location / {
		#
		# TODO - Ability to set specific cookies if they aren't set in the request
		# TODO - Generic User-Agent string
		# TODO - code for multiple X-Forwarded-For request headers 
		#
	
		proxy_pass http://webserver;
		proxy_cookie_domain ~(.*) $host;
		proxy_redirect default;
		proxy_set_header Host $host;
		proxy_buffering off;
		proxy_request_buffering off;
		proxy_http_version 1.1;
		proxy_intercept_errors on;
		proxy_connect_timeout 5s;
		proxy_ignore_headers X-Accel-Expires X-Accel-Redirect X-Accel-Limit-Rate X-Accel-Buffering X-Accel-Charset;
		proxy_next_upstream_tries 3;
		
		proxy_set_header X-GuardBear v0.1.0;
		add_header X-GuardBear v0.1.0;
		
		set $allow_cookie_prefix 'guardbear_';
		set $allow_cookie_prefix_len 10;
		
		access_by_lua_block {

			-- anonymize ip address in X-Forwarded-For header
			local x_forwarded_for = ngx.req.get_headers()['X-Forwarded-For']

			if ( x_forwarded_for ) then
				ngx.req.set_header('X-Forwarded-For', x_forwarded_for .. ', ' .. ngx.var.remote_addr_anon);
			else
				ngx.req.set_header('X-Forwarded-For', ngx.var.remote_addr_anon)
			end

			
			-- scrub referer header
			local referer = ngx.req.get_headers()['referer']

			if ( referer ) then
				local scrubbed_referer = referer:match( '^(https?://[^/]+/)' )
	
				if ( scrubbed_referer ) then
					ngx.req.set_header('Referer', scrubbed_referer)
				end
			end

			-- only allow flagged cookies
			local ck = require 'resty.cookie'
               		local cookie, err = ck:new()

       		        local fields, err = cookie:get_all()
    			if fields then
				local allowed_cookies = {}
				local all_cookies = {}
 
               			for k, v in pairs( fields ) do
					if ( string.sub( k, 1, ngx.var.allow_cookie_prefix_len ) == ngx.var.allow_cookie_prefix ) then
						allowed_cookies[ string.sub( k, ngx.var.allow_cookie_prefix_len + 1, string.len( k ) )  ] = v
					else
						all_cookies[ k ] = v
					end
               	 		end

				ngx.req.clear_header('Cookie')

				local filtered_cookie_header = ''

				for k, v in pairs( allowed_cookies ) do
					if ( all_cookies[ k ] ) then
						if ( filtered_cookie_header ~= '' ) then
							filtered_cookie_header = filtered_cookie_header .. '; '
						end
					
						filtered_cookie_header = filtered_cookie_header .. k .. '=' .. all_cookies[ k ]	
					end
               	 		end

				ngx.req.set_header('Cookie', filtered_cookie_header)
			end
		}

		header_filter_by_lua_block {
			-- set flag for cookies set by origin
			if ( ngx.header['Set-Cookie'] ) then
				local set_cookies_table = ngx.header['Set-Cookie']

				if type( set_cookies_table ) ~= 'table' then
					set_cookies_table = { ngx.header['Set-Cookie'] }
				end

				for k, v in pairs( set_cookies_table ) do
					if ( string.sub( v, 1, ngx.var.allow_cookie_prefix_len ) ~= ngx.var.allow_cookie_prefix ) then
						v = string.gsub( v, "^([^=]+)=[^;]+;", "%1=1;", 1)
						table.insert( set_cookies_table, ngx.var.allow_cookie_prefix .. v )
					end
				end

				ngx.header['Set-Cookie'] = set_cookies_table
			end
		}

	
	}

	# redirect server error pages to the static page /50x.html
	#
	error_page   500 502 503 504  /50x.html;
	location = /50x.html {
		root   /usr/local/openresty/nginx/html;
	}
}