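# Public CORS proxy for cors.tjvr.org: a request for /http://host/path or
# /https://host/path is fetched from that upstream and returned with a
# wildcard Access-Control-Allow-Origin header. The static site under the
# document root (index.html, favicon.ico) is served alongside it.
server {
    listen 80;
    server_name cors.tjvr.org;
    root /usr/share/nginx/html;
    index index.html;

    # Request bodies are capped at 1 MiB; the first 64 KiB is held in memory.
    client_max_body_size 1m;
    client_body_buffer_size 64k;

    # NOTE(review): 'debug' records every request in detail; a lower level is
    # usually wanted once the proxy is stable.
    error_log /var/log/nginx/error-d.log debug;

    # Every preflight (OPTIONS) is answered by the /__OPTIONS location below,
    # whatever path it was sent to, so preflights never reach an upstream.
    if ($request_method ~ ^OPTIONS$) {
        rewrite ^.*$ /__OPTIONS last;
    }

    # Proxy location: matches /http://host/path and /https://host/path (nginx
    # merges the double slash by default, hence the single slash in the
    # pattern). Named captures are used on purpose: a later regex `if` in this
    # location overwrites the numbered $1/$2 captures, but $scheme_suffix and
    # $target survive.
    location ~* ^/http(?<scheme_suffix>s?)\:\/(?<target>.*)$ {
        # use filtered(?) OpenDNS resolver
        resolver 208.67.222.123;
        # I think bad domains will get 403 ?

        # CORS :-)
        add_header Access-Control-Allow-Origin *;

        # Disable casual browsing: only requests carrying an Origin header
        # (cross-origin requests issued by a browser) are served.
        if ($http_origin = "") {
            return 412;
        }

        # Refuse targets that name this host itself or a private network by a
        # literal dotted-decimal address (loopback, RFC 1918, link-local,
        # 0.0.0.0/8) or an IPv6 literal, so the proxy cannot be pointed at
        # services reachable only from this machine. Only literal addresses
        # are checked here; a hostname that resolves to such an address is
        # not caught at this layer.
        if ($target ~* ^(?:localhost(?:[:/]|$)|127\.\d+\.|10\.\d+\.|172\.(?:1[6-9]|2\d|3[01])\.\d+\.|192\.168\.\d+\.|169\.254\.\d+\.|0\.\d+\.|\[)) {
            return 403;
        }

        # TODO redirect if CORS is already present

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Never forward the client's cookies to an arbitrary upstream.
        proxy_set_header Cookie '';
        proxy_pass http$scheme_suffix://$target;
        proxy_redirect off;

        # optimise downloads
        proxy_connect_timeout 30;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
        proxy_max_temp_file_size 0;
        # don't buffer responses to disk
        proxy_buffering off;
        # TODO limit download size

        # don't forward weird headers: the upstream's own CORS header would
        # collide with the wildcard added above, and Set-Cookie would let an
        # upstream set cookies on this origin.
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Set-Cookie;
        proxy_hide_header X-Frame-Options; # controversial!!
        proxy_hide_header X-XSS-Protection;
        # if ($sent_http_content_length ~ "[0-9]{7}") {
        #     return 403;
        # }
    }

    # Preflight responder: reached only via the server-level rewrite above.
    location = /__OPTIONS {
        if ($request_method != OPTIONS ) {
            return 405;
        }
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, OPTIONS, POST, PUT, DELETE";
        # Whatever headers the browser asked for are allowed; cookies are
        # stripped before proxying, so there is nothing sensitive to protect
        # on this side.
        add_header Access-Control-Allow-Headers $http_access_control_request_headers;
        # Access-Control-Allow-Credentials is deliberately not sent: browsers
        # reject it in combination with a wildcard origin, and the proxy strips
        # cookies anyway, so credentialed mode had no effect.
        add_header Content-Length 0;
        add_header Content-Type text/plain;
        return 200;
    }

    # Static landing page and icon: cacheable, not logged.
    location = /index.html {
        expires 1d;
        access_log off;
        add_header Cache-Control "public";
    }

    location = /favicon.ico {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }
}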