Hardening proxy settings: prevent default page from libravatar

This patch should prevent the libravatar default page from being proxied. As well as preventing libravatar.org from being an entrence for external JS into the libravatar-nginx domain.

Hardening proxy settings: prevent default page from libravatar
cfda8e68 · Sheogorath · 59fbbafc · cfda8e68
Verified Commit cfda8e68 authored 4 years ago by Sheogorath
--- a/default.conf
+++ b/default.conf
@@ -72,12 +72,25 @@ server {
        proxy_set_header User-Agent: "'Mozilla/5.0 (compatible; Libravatar-nginx/2.2.0; +https://git.shivering-isles.com/shivering-isles/libravatar-nginx)'";

        proxy_http_version 1.1;
-        proxy_pass https://seccdn.libravatar.org;

+
+        location /libravatarproxy/avatar/ {
+          proxy_pass https://seccdn.libravatar.org/avatar/;
+          proxy_redirect default;
+          proxy_redirect /avatar/ /libravatarproxy/avatar/;
+          proxy_redirect /static/img/ /libravatarproxy/static/img/;
+          proxy_redirect /gravatarproxy/ /libravatarproxy/gravatarproxy/;
+        }
+
+        location /libravatarproxy/static/img/ {
+          proxy_pass https://seccdn.libravatar.org/static/img/;
          proxy_redirect default;
-        proxy_redirect / /libravatarproxy/;
-        #proxy_redirect https://seccdn.libravatar.org/avatar/ /libravatarproxy/avatar/;
-        #proxy_redirect https://seccdn.libravatar.org/static/ /libravatarproxy/static/;
+        }
+
+        location /libravatarproxy/gravatarproxy/ {
+          proxy_pass https://seccdn.libravatar.org/gravatarproxy/;
+          proxy_redirect default;
+        }
    }

    location @defaultimage {