# Implement TLS 1.3 0-RTT anti-replay for NGINX

# Requires: NGINX directive "ssl_early_data" on

# Usage:

# Make sure these "map" blocks are included in "http" block
# Put the following two lines in SSL "server" block, before any "location" blocks

# if ($anti_replay = 307) { return 307 https://$host$request_uri; }
# if ($anti_replay = 425) { return 425; }

# Pass "Early-Data" header to backend/upstream
# Only for 0-RTT requests from clients that understand 425 status code (RFC 8470)

# fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
# proxy_set_header Early-Data $rfc_early_data;

# Copyright © myrevery
# Copyright © 7677333 (An anagram of a Anonymous Cybersecurity Research Team)

map "$request_method:$is_args" $ar_idempotent {
	default 0;
	"~^GET:$|^(HEAD|OPTIONS|TRACE):\?*$" 1;
}

map $http_user_agent $ar_support_425 {
	default 0;
	"~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1;
}

map "$ssl_early_data:$ar_idempotent:$ar_support_425" $anti_replay {
	1:0:0 307;
	1:0:1 425;
}

map "$ssl_early_data:$ar_support_425" $rfc_early_data {
	1:1 1;
}