commit 2cce35a5624cc0d93d1c2919c74519a854608c81 Author: David Fifield david@bamsoftware.com Date: Sat Dec 6 18:37:43 2014 -0800
Add Yawning's Nginx reflector configuration.
Copied from https://trac.torproject.org/projects/tor/wiki/doc/meek#UsingnginxinsteadofGo..., which I am about to delete. --- README | 3 +++ nginx/README | 9 ++++++++ nginx/nginx.conf.example | 53 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 65 insertions(+)
diff --git a/README b/README
index 4348942..72b8cb7 100644
--- a/README
+++ b/README
@@ -58,6 +58,9 @@ latencytest: A test program for App Engine that measures roundtrip times to different destinations.
+nginx: +A reflector configuration for Nginx. + php: A php reflector similar to the appengine one above. Ideally, it can be run on any platform that supports php. A public instance is at:
diff --git a/nginx/README b/nginx/README
new file mode 100644
index 0000000..24a224d
--- /dev/null
+++ b/nginx/README
@@ -0,0 +1,9 @@
+The file nginx.conf.example is an example configuration file for Nginx
+that shows how to run multiple virtual-host domain names, with one of
+them reflecting to an instance of meek-server. Clients can front behind
+one of the ordinary domain names in order to reach the reflector domain.
+
+Here is the matching client torrc configuration:
+ UseBridges 1
+ Bridge meek 0.0.2.0:1 url=https://meek-reflect.example.com/ front=www.example.com
+ ClientTransportPlugin meek exec ./meek-client --log meek-client.log
diff --git a/nginx/nginx.conf.example b/nginx/nginx.conf.example
new file mode 100644
index 0000000..0f0b4db
--- /dev/null
+++ b/nginx/nginx.conf.example
@@ -0,0 +1,53 @@
+# The configuration for the normal HTTPS server
+server {
+ # Set default_server so that real content gets served by default
+# listen 443 default_server;
+ listen [::]:443 default_server;
+ server_name www.example.com;
+
+ # Boilerplate for SSL, adjust as appropriate.
+ ssl on;
+ ssl_certificate /etc/ssl/nginx/example.com.crt;
+ ssl_certificate_key /etc/ssl/nginx/example.com.key;
+ ssl_session_timeout 5m;
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers !RC4:HIGH:!MD5:!aNULL:!DH;
+ ssl_prefer_server_ciphers on;
+
+ # Blah blah blah, normal site specific config
+ root /usr/share/nginx/www;
+ index index.html index.htm;
+ location / {
+ index index.html;
+ }
+}
+
+# Configuration for the reflector
+server {
+# listen 443;
+ listen [::]:443;
+
+ # This does not need to be a real name, but it MUST be distinct from
+ # the host used for real content.
+ server_name meek-reflect.example.com;
+
+ # Boilerplate for SSL/TLS (copy/paste from the other server block)
+ ssl on;
+ ssl_certificate /etc/ssl/nginx/example.com.crt;
+ ssl_certificate_key /etc/ssl/nginx/example.com.key;
+ ssl_session_timeout 5m;
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers !RC4:HIGH:!MD5:!aNULL:!DH;
+ ssl_prefer_server_ciphers on;
+
+ # This is where the magic happens
+ location / {
+ # Proxy traffic all traffic received with the meek Host to
+ # a meek-server instance.
+ proxy_pass http://meek.bamsoftware.com:7002;
+
+ # Disable logging for the reflector.
+ access_log off;
+ error_log /dev/null;
+ }
+}
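Review bot: `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;` in both server blocks still offers SSLv3, which is open to padding-oracle downgrade attacks; an example that will be copied should at least drop it, e.g. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, and a current deployment would list only `TLSv1.2 TLSv1.3`. In the reflector's `location /`, `proxy_pass http://meek.bamsoftware.com:7002;` forwards to what appears to be a remote meek-server over cleartext HTTP, so the meek HTTP layer is readable and modifiable on that path even though the client-facing side is TLS; either add a comment stating that trade-off, or use an `https://` upstream with `proxy_ssl_verify on;` and a trusted CA file if the meek-server terminates TLS. The upstream hostname also looks like the author's own instance, so a comment such as `# Replace with the address of your own meek-server.` would keep copies of this example from all pointing at one host.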