rawgithack.conf

# rawgithack

# server configuration
gzip on;

resolver 1.1.1.1 1.0.0.1;

error_log logs/error.log warn;
proxy_cache_path /var/cache/nginx/rawgithack
         use_temp_path=off levels=1:2
         max_size=10g inactive=7d
         keys_zone=rawgithack.cache:20m;

limit_req_zone $throttle zone=throttling:10m rate=10r/s;
limit_req_log_level notice;

map $host $is_cdn {
    ~*^\w+cdn\.githack\.com$ 1;
    default 0;
}

map $is_cdn:$host $cdnize {
    ~*^0:([a-z]+)\.githack\.com$ $1cdn.githack.com;
    default $host;
}

map $http_referer $throttle {
    ~*^https?://\w+\.githack\.com "";
    ~*^https?://(?<domain>[^/]+) $domain/$origin$uri;
}

# file extension to mime-type mapping
# kind of workaround because nginx can detect mime-type only for local file
map $extension $detect_content_type {
    ~*^(?:appcache|manifest)$    text/cache-manifest;
    ~*^atom$                     application/atom+xml;
    ~*^bat$                      application/x-msdownload;
    ~*^coffee$                   text/coffeescript;
    ~*^css$                      text/css;
    ~*^csv$                      text/csv;
    ~*^eot$                      application/vnd.ms-fontobject;
    ~*^geojson$                  application/vnd.geo+json;
    ~*^(?:hbs|handlebars)$       text/x-handlebars-template;
    ~*^htc$                      text/x-component;
    ~*^html?$                    text/html;
    ~*^ics$                      text/calendar;
    ~*^jscad$                    application/javascript;
    ~*^json$                     application/json;
    ~*^jsonld$                   application/ld+json;
    ~*^kml$                      application/vnd.google-earth.kml+xml;
    ~*^(?:md|markdown)$          text/markdown;
    ~*^m?js$                     application/javascript;
    ~*^mhtml$                    multipart/related;
    ~*^n3$                       text/n3;
    ~*^nt$                       application/n-triples;
    ~*^otf$                      font/otf;
    ~*^(?:owl|rdf)$              application/rdf+xml;
    ~*^pdf$                      application/pdf;
    ~*^rss$                      application/rss+xml;
    ~*^shexc?$                   text/shex;
    ~*^svg$                      image/svg+xml;
    ~*^swf$                      application/x-shockwave-flash;
    ~*^stl$                      model/stl;
    ~*^tt(?:c|f)$                application/x-font-ttf;
    ~*^ttl$                      text/turtle;
    ~*^vcard$                    text/vcard;
    ~*^vcf$                      text/x-vcard;
    ~*^vtt$                      text/vtt;
    ~*^woff$                     application/font-woff;
    ~*^woff2$                    application/font-woff2;
    ~*^xht(?:ml)?$               application/xhtml+xml;
    ~*^xml$                      text/xml;
    ~*^txt$                      text/plain;
    ~*^(?:xsl|xsd)$              application/xml;
    ~*^xslt$                     application/xslt+xml;
    ~*^ya?ml$                    text/yaml;
    ~*^wasm$                     application/wasm;
    ~*^(?:d|s)?rpm$              application/x-redhat-package-manager;
    default                      '';
}

# defines which extensions should include charset definition
map $extension $content_type_charset_string {
    ~*^(?:bat|eot|htc|kml|nt|otf|pdf|svg|swf|ttc|ttf|woff2?|wasm|rpm|drpm|srpm)$ '';
    default '; charset=utf-8';
}

map $host $origin {
    ~*^gl(?:cdn)?\.githack\.com$ gitlab.com;
    ~*^bb(?:cdn)?\.githack\.com$ bitbucket.org;
    ~*^raw(?:cdn)?\.githack\.com$ raw.githubusercontent.com;
    ~*^gist(?:cdn)?\.githack\.com$ gist.githubusercontent.com;
    ~*^srht(?:cdn)?\.githack\.com$ git.sr.ht;
    ~*^srhgt(?:cdn)?\.githack\.com$ hg.sr.ht;
}

map $detect_content_type:$is_cdn $check_redirect {
    ~*:1$ 0;
    ~*^.+: 0;
    default 1;
}

map $status:$is_cdn $cache_control {
    ~*^[23]\d\d:1$ 'max-age=31536000, public, immutable';
    default 'max-age=60, public';
}

lua_package_path '/etc/nginx/rawgithack/?.lua;;';
lua_ssl_verify_depth 2;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
init_worker_by_lua_block { require("rawgithack").init() }

server {
    listen [::]:80 ipv6only=off;
    server_name _;

    root /etc/nginx/rawgithack/www;

    rewrite ^/$ /index last;
    rewrite ^/index(\.html)?$ / permanent;
    rewrite ^/([^/]+)\.html$ /$1 permanent;
    rewrite ^/.+/.+/.+/(.+/)*$ $uri/index.html;

    merge_slashes off;
    # this really merges slashes
    rewrite (.*?)//+(.*) $1/$2 permanent;

    location ~ ^/(?<page>[a-z-]+)$ {
        limit_except GET { deny all; }
        if ($host != 'raw.githack.com') {
            return 301 $scheme://raw.githack.com$uri$is_args$args;
        }
        ssi on;
        add_header Cache-Control 'max-age=86400, public';
        try_files $uri.html =404;
    }

    location = /purge {
        limit_except POST { deny all; }
        default_type text/html;
        lua_need_request_body on;
        # lua_code_cache off;
        content_by_lua_block { require("rawgithack").purge_request() }
    } 

    location ~* ^/[^/]+/[^/]+/[^/]+/.+?(?:\.(?<extension>[a-zA-Z0-9]+))?$ {
        limit_except GET { deny all; }

        if ($check_redirect) {
            add_header Cache-Control 'max-age=86400, public';
            add_header Access-Control-Allow-Origin *;
            return 301 https://$origin$request_uri;
        }

        limit_req zone=throttling nodelay;
        limit_req_status 418;
        error_page 418 = @cdnize;

        proxy_read_timeout 10s;

        # caching
        proxy_cache rawgithack.cache;
        proxy_cache_key "$origin$uri";
        proxy_cache_revalidate on;
        proxy_cache_valid any 5m;
        proxy_cache_use_stale updating;
        proxy_cache_background_update on;
        proxy_cache_lock on;

        proxy_buffer_size 16k;
        proxy_buffers 8 16k;
        proxy_busy_buffers_size 16k;

        proxy_force_ranges on;
        proxy_http_version 1.1;
        proxy_ignore_headers
            X-Accel-Limit-Rate
            X-Accel-Buffering
            X-Accel-Redirect
            X-Accel-Expires
            X-Accel-Charset
            Cache-Control
            Set-Cookie
            Expires
            Vary;
        proxy_intercept_errors on;
        proxy_ssl_server_name on;

        proxy_pass https://$origin;

        proxy_redirect https://$origin $scheme://$host;

        # we need to hide these headers in order to redefine them
        # if we don't, they will be set twice
        proxy_hide_header Status;
        proxy_hide_header Expires;
        proxy_hide_header Content-Type;
        proxy_hide_header Cache-Control;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;
        proxy_hide_header Content-Disposition;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header Strict-Transport-Security;
        proxy_hide_header Access-Control-Allow-Origin;

        add_header Cache-Control $cache_control always;

        add_header X-Robots-Tag none; # robots, go away!
        add_header Access-Control-Allow-Origin *;
        add_header X-Githack-Cache-Status $upstream_cache_status always;
        add_header Content-Type $detect_content_type$content_type_charset_string;
    }

    location @cdnize {
        add_header Cache-Control 'max-age=86400, private';
        add_header Access-Control-Allow-Origin *;
        return 302 https://$cdnize$request_uri;
    }
}