You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
40 lines
1.1 KiB
40 lines
1.1 KiB
# Implement TLS 1.3 0-RTT anti-replay for NGINX
|
|
|
|
# Requires: NGINX directive "ssl_early_data" on
|
|
|
|
# Usage:
|
|
|
|
# Make sure these "map" blocks are included in "http" block
|
|
# Put the following two lines in SSL "server" block, before any "location" blocks
|
|
|
|
# if ($anti_replay = 307) { return 307 https://$host$request_uri; }
|
|
# if ($anti_replay = 425) { return 425; }
|
|
|
|
# Pass "Early-Data" header to backend/upstream
|
|
# Only for 0-RTT requests from clients that understand 425 status code (RFC 8470)
|
|
|
|
# fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
|
|
# proxy_set_header Early-Data $rfc_early_data;
|
|
|
|
# Copyright © myrevery
|
|
# Copyright © 7677333 (An anagram of a Anonymous Cybersecurity Research Team)
|
|
|
|
map "$request_method:$is_args" $ar_idempotent {
|
|
default 0;
|
|
"~^GET:$|^(HEAD|OPTIONS|TRACE):\?*$" 1;
|
|
}
|
|
|
|
map $http_user_agent $ar_support_425 {
|
|
default 0;
|
|
"~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1;
|
|
}
|
|
|
|
map "$ssl_early_data:$ar_idempotent:$ar_support_425" $anti_replay {
|
|
1:0:0 307;
|
|
1:0:1 425;
|
|
}
|
|
|
|
map "$ssl_early_data:$ar_support_425" $rfc_early_data {
|
|
1:1 1;
|
|
}
|