listings / mastodon_reverser_proxy.conf
# Derive the Origin header value sent upstream (used by `proxy_set_header Origin`).
# An Origin naming this proxy's domain is replaced with the origin site's domain;
# every other Origin value, including an absent one, is passed through unchanged.
map $http_origin $bgme_me_origin {
    # Pass-through: the client-supplied Origin is forwarded as received.
    default $http_origin;
    # Exact string match on the proxy's own origin.
    https://mstdn.0x77.cf https://bgme.me;
}
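# Derive the Referer header value sent upstream (used by `proxy_set_header Referer`).
# A Referer pointing at this proxy is rewritten to the same path on the origin
# site; any other Referer maps to the empty string, and nginx does not pass a
# proxy_set_header field whose value is empty.
#
# The HTTP request header is spelled "Referer", so the nginx variable is
# $http_referer. The previous source variable $http_referrer reads a header
# named "Referrer", which clients do not send, so the rewrite rule never matched.
map $http_referer $bgme_me_referrer {
    default '';
    # Dots are escaped so that only the literal proxy hostname matches;
    # an unescaped "." would match any character in that position.
    ~^https://mstdn\.0x77\.cf/(?<referrer_path>.*)$ https://bgme.me/$referrer_path;
}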
# Choose the Content-Security-Policy value this proxy adds to responses
# (consumed by `add_header Content-Security-Policy` in the @proxy location).
# The upstream CSP is hidden there, so this value is the only policy a browser sees.
map $request_uri $bgme_me_content_security_policy {
    # NOTE(review): "CSP_rules" looks like a placeholder for the real policy string.
    # As written, the literal text CSP_rules is sent as the header value, which is
    # not a usable policy; substitute the intended directives before deploying.
    default "CSP_rules";
    # Empty value: add_header emits no header when the value is empty, so URIs
    # starting with /api or /system carry no CSP from this proxy.
    # The patterns are unanchored prefixes and also match e.g. /apifoo.
    ~^/api.* '';
    ~^/system.* '';
}
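# Plain-HTTP listener: its only job is to send clients to the HTTPS site.
server {
    listen 80;
    listen [::]:80;
    server_name mstdn.0x77.cf;
    # Redirect unconditionally to the configured name. The earlier
    # `if ($host = ...)` guard duplicated the server_name match and, when this
    # block was selected as the default server for some other Host, let the
    # request fall through and be answered over plain HTTP. Using $server_name
    # also keeps the client-supplied Host header out of the Location value.
    return 301 https://$server_name$request_uri;
}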
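# HTTPS front end that reverse-proxies the origin site ($origin_domain) under
# this server's own name, rewriting redirects, cookies and absolute URLs in
# HTML/JSON bodies so that clients stay on the proxy domain.
#
# Defined outside this listing and required for the block to load:
# $x_real_ip_ip, $connection_upgrade and the cache zone named CACHE.
# NOTE(review): no ssl_certificate / ssl_certificate_key appears here;
# presumably they are inherited from the http level or were omitted from the listing.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    set $origin_domain bgme.me;
    server_name mstdn.0x77.cf;

    # Client-facing TLS: TLS 1.2/1.3 only, no anonymous/NULL/SHA-1 MAC suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    keepalive_timeout    70;
    sendfile             on;
    client_max_body_size 80m;

    # Compress responses towards the client. The upstream is asked for
    # uncompressed bodies (see Accept-Encoding below) so sub_filter can edit them.
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # proxy_pass uses a variable, so the upstream name is resolved at request
    # time through these resolvers. These lookups are plain DNS; together with
    # the unverified upstream certificate (see @proxy) the proxy-to-origin hop
    # is not authenticated.
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220;
    resolver_timeout 5s;

    location / {
        # NOTE(review): no root is set in this block, so $uri is looked up under
        # the inherited or compiled-in default root before falling back to the
        # proxy; confirm nothing sensitive lives there.
        try_files $uri @proxy;
    }

    location @proxy {
        # Enable SNI towards the upstream.
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
        # NOTE(review): nginx does not verify the upstream certificate unless
        # told to (proxy_ssl_verify defaults to off); SNI alone does not
        # authenticate the origin. Consider enabling
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate <path-to-CA-bundle>;   # deployment-specific
        # so session cookies and credentials relayed here cannot be intercepted
        # between this proxy and the origin.

        # Rewrite the domain in upstream redirects (Location) to this proxy's domain.
        proxy_redirect https://$origin_domain https://$server_name;

        # Replace origin-domain links in response bodies with the proxy domain.
        sub_filter '<a href="https://$origin_domain' '<a href="https://$server_name';
        sub_filter '<a class="selected" href="https://$origin_domain' '<a class="selected" href="https://$server_name';
        sub_filter '<a target="sidekiq" href="https://$origin_domain' '<a target="sidekiq" href="https://$server_name';
        sub_filter '<a target="pghero" href="https://$origin_domain' '<a target="pghero" href="https://$server_name';
        sub_filter '<a data-method="delete" href="https://$origin_domain/auth/sign_out">' '<a data-method="delete" href="https://$server_name/auth/sign_out">';

        sub_filter '"streaming_api_base_url":"wss://$origin_domain"' '"streaming_api_base_url":"wss://$server_name"';
        # Uses the same variables as the rules around it instead of hard-coded
        # host names, so changing $origin_domain / server_name updates every rule.
        sub_filter 'https://$origin_domain/avatars/original/missing.png' 'https://$server_name/avatars/original/missing.png';
        sub_filter 'https://$origin_domain/system/' 'https://$server_name/system/';
        # By default only the first match is replaced; turn that off to replace all.
        sub_filter_once off;
        # Also apply the substitutions to application/json (text/html is always included).
        sub_filter_types application/json;

        # Response headers from the upstream that must not reach the client.
        proxy_hide_header Alt-Svc;
        # The upstream CSP is dropped; the only CSP clients receive is the one
        # added below from $bgme_me_content_security_policy.
        proxy_hide_header Content-Security-Policy;

        # Request headers sent upstream. Origin and Referer are rewritten to the
        # origin domain by the maps defined outside this server block.
        proxy_set_header Origin $bgme_me_origin;
        proxy_set_header Referer $bgme_me_referrer;
        proxy_set_header Host $origin_domain;
        proxy_set_header X-Real-IP $x_real_ip_ip;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so earlier entries in the list are client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header X-Forwarded-Proto https;
        # Strip the client-supplied Proxy header, matching the streaming location.
        proxy_set_header Proxy "";
        # Ask for uncompressed responses: compressed bodies cannot be rewritten by sub_filter.
        proxy_set_header Accept-Encoding "";
        # Pass the upstream Server header through to the client.
        proxy_pass_header Server;
        # Rewrite the cookie Domain attribute to this proxy's domain.
        proxy_cookie_domain $origin_domain $server_name;
        proxy_pass https://$origin_domain;

        # Enable buffering and caching.
        proxy_buffering on;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_cache CACHE;
        # Applies to 200 responses for which the upstream gives no caching headers.
        proxy_cache_valid 200 7d;
        # This location serves every proxied path, including pages and API calls
        # made with a session cookie or bearer token, and the default cache key
        # does not include either. Skip the cache (both lookup and store) for
        # such requests so one user's response is never served to another.
        proxy_cache_bypass $http_authorization $http_cookie;
        proxy_no_cache $http_authorization $http_cookie;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        add_header X-Cached $upstream_cache_status;
        add_header X-Robots-Tag "noindex, nofollow";
        add_header Content-Security-Policy $bgme_me_content_security_policy;
        tcp_nodelay on;
    }

    # Redirect inbox, .well-known and /proxy requests to the origin site
    # (307 preserves the request method and body).
    # The inbox pattern matches any URI that ends in "inbox".
    location ~ inbox$ {
        return 307 https://$origin_domain$request_uri;
    }
    location /.well-known {
        return 307 https://$origin_domain$request_uri;
    }
    location /proxy {
        return 307 https://$origin_domain$request_uri;
    }

    # Reverse-proxy the streaming API: unbuffered, uncached, HTTP/1.1 with
    # Upgrade/Connection forwarded so the connection can be upgraded.
    location /api/v1/streaming {
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
        # NOTE(review): as in @proxy, the upstream certificate is not verified here.
        proxy_set_header Host $origin_domain;
        proxy_set_header X-Real-IP $x_real_ip_ip;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Strip the client-supplied Proxy header.
        proxy_set_header Proxy "";
        proxy_pass https://$origin_domain;
        proxy_buffering off;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        tcp_nodelay on;
    }
}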