@@ -103,6 +103,8 @@ If no source URLs are specified, task file is used to determine sources: previou
103103 Css files output path
104104-d DOMAIN, --domainCSS=DOMAIN
105105 Domain of CSS web server (required for Element Hide functionality)
106+ -u, --useHTTP
107+ Use HTTP for CSS web server; the default is HTTPS to avoid mixed content
106108-t PATH, --taskFile=PATH
107109 Path to task file containing urls to process and options.
108110-f, --forced
@@ -183,16 +185,35 @@ Nginx config: add following lines into http section of `nginx.conf` file
183185
184186```
185187server {
186- listen 80 ;
188+ listen www.example.com:443 ;
187189 #ab2p css domain name (optional, should be equal to --domainCSS parameter)
188190 server_name www.example.com;
189191
192+ ssl on;
193+ ssl_certificate certs/adblock2privoxy-nginx.chain.pem;
194+ ssl_certificate_key certs/adblock2privoxy-nginx.key.pem.decrypted;
195+ # use modern crypto
196+ # https://ssl-config.mozilla.org
197+ ssl_protocols TLSv1.3;
198+ ssl_prefer_server_ciphers on;
199+ ssl_dhparam certs/dhparam.pem;
200+ ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:EECDH+AESGCM:EDH+AESGCM;
201+ ssl_ecdh_curve secp384r1;
202+ ssl_session_timeout 180m;
203+ ssl_session_cache shared:SSL:20m;
204+ ssl_session_tickets off;
205+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
206+
207+ # comply with Content Security policy
208+ add_header Content-Type "text/css";
209+ add_header X-Content-Type-Options nosniff;
210+
190211 #root = --webDir parameter value
191212 root /var/www/privoxy;
192213
193214 location ~ ^/[^/.]+\..+/ab2p.css$ {
194215 # first reverse domain names order
195- rewrite ^/([^/]*?)\.([^/.]+)(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?/ab2p.css$ /$9/$8/$7/$6/$5/$4/$3/$2/$1/ab2p.css last;
216+ rewrite ^/([^/]*?)\.([^/.]+)(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?/ab2p.css$ /$9/$8/$7/$6/$5/$4/$3/$2/$1/ab2p.css last;
196217 }
197218
198219 location ~ (^.*/+)[^/]+/+ab2p.css {
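Review bot: `ssl on;` combined with `listen www.example.com:443 ;` uses the deprecated form (the `ssl` directive was deprecated in nginx 1.15.0 and removed in 1.25.1); the supported spelling is `listen www.example.com:443 ssl;` with the `ssl on;` line dropped. `add_header Content-Type "text/css";` appends a second Content-Type header rather than replacing the one nginx derives from mime.types, so non-CSS responses such as error pages go out with two conflicting Content-Type values; `default_type text/css;` (or simply relying on the existing `.css` mime mapping) expresses the intent correctly and gives `X-Content-Type-Options nosniff` a consistent type to pin. With `ssl_protocols TLSv1.3;` alone, `ssl_ciphers`, `ssl_prefer_server_ciphers` and `ssl_dhparam` do not affect the negotiated suite (TLS 1.3 suites are chosen via OpenSSL's Ciphersuites setting, e.g. `ssl_conf_command Ciphersuites ...`), so either drop those lines or add TLSv1.2 if they are meant to apply. Note also that any `add_header` placed inside the location blocks below would suppress the server-level HSTS and nosniff headers, since nginx does not inherit add_header once a lower level defines its own; the location bodies extend past this hunk.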
@@ -203,6 +224,82 @@ server {
203224}
204225```
205226
227+ The CSS web server must use HTTPS to comply with standard Content
228+ Security policies that prohibit mixed content. Example
229+ [ nginx.conf] ( ./nginx.conf ) and [ openssl.cnf] ( openssl.cnf ) files are
230+ included in this repo that generate the necessary PKI. Modify
231+ these as appropriate. Example ` openssl ` commands:
232+ ``` bash
233+ mkdir certs && cd certs
234+ touch index.txt
235+ echo 1000 > serial
236+
237+ # CA certificate encrypted key passphrase, both -passin and -passout
238+ sf-pwgen --algorithm memorable --count 2 --length 24 2> /dev/null | paste -s -d -- ' -' \
239+ 1> passphrase.txt || true
240+ if [ $( head -1 passphrase.txt | wc -c) < 20 ]; then \
241+ openssl rand -base64 23 1> passphrase.txt 2> /dev/null; fi
242+ cat passphrase.txt passphrase.txt > passphrase-dbl.txt \
243+ && mv passphrase-dbl.txt passphrase.txt \
244+ || rm -f passphrase-dbl.txt
245+ chmod go-rwx passphrase.txt
246+
247+ # CA encrypted key
248+ # EC
249+ openssl genpkey -out ca.key.pem -algorithm EC \
250+ -pkeyopt ec_paramgen_curve:P-256 -aes256 \
251+ -pass file:passphrase.txt
252+
253+ # RSA
254+ # # openssl genpkey -out ca.key.pem -algorithm RSA \
255+ # # -pkeyopt rsa_keygen_bits:2048 -aes256 \
256+ # # -pass file:passphrase.txt
257+
258+ # CA certificate
259+ openssl req -config openssl.cnf \
260+ -new -x509 -days 3650 -sha256 -extensions v3_ca -out certs/ca.cert.pem \
261+ -key ca.key.pem -passin file:passphrase.txt -batch
262+
263+ # CA certificate text verification
264+ openssl x509 -text -noout -in ca.cert.pem
265+
266+ # CA certificate openssl self-verification
267+ openssl verify -CAfile ca.cert.pem ca.cert.pem
268+
269+ # Server certificate encrypted key and decrypted key
270+ openssl genpkey -out adblock2privoxy-nginx.key.pem \
271+ -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -aes256 \
272+ -pass file:passphrase.txt
273+ openssl ec -in adblock2privoxy-nginx.key.pem -passin file:passphrase.txt \
274+ -out adblock2privoxy-nginx.key.pem.decrypted
275+ chmod go-rwx adblock2privoxy-nginx.key.pem.decrypted
276+
277+ # Server certificate CSR
278+ openssl req -config openssl.cnf -new -sha256 -extensions server_cert \
279+ -key adblock2privoxy-nginx.key.pem -passin file:passphrase.txt \
280+ -out adblock2privoxy-nginx.csr.pem -batch
281+
282+ # Server certificate (825 days maximum validity)
283+ # https://support.apple.com/en-us/HT210176
284+ openssl ca -config openssl.cnf -days 825 -notext -md sha256 \
285+ -extensions server_cert -in adblock2privoxy-nginx.csr.pem \
286+ -out adblock2privoxy-nginx.cert.pem -passin file:passphrase.txt \
287+ -subj ' /CN=adblock2privoxy-nginx' -batch
288+
289+ # Server certificate chain of trust
290+ cat adblock2privoxy-nginx.cert.pem ca.cert.pem > adblock2privoxy-nginx.chain.pem
291+
292+ # Server certificate text
293+ openssl x509 -in adblock2privoxy-nginx.cert.pem -text -noout
294+
295+ # Server certificate and chain validity
296+ openssl verify -CAfile ca.cert.pem adblock2privoxy-nginx.cert.pem
297+ openssl verify -CAfile ca.cert.pem adblock2privoxy-nginx.chain.pem
298+
299+ # DH params
300+ openssl dhparam -out dhparam.pem 2048
301+ ```
302+
206303Apache config: put following lines into
207304
208305 * for linux: ` /etc/apache2/sites-available/000-default.conf ` (replace existing content)
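Review bot: The passphrase length guard `if [ $( head -1 passphrase.txt | wc -c) < 20 ]; then` never works as written: inside `[ ... ]` the `<` is parsed by the shell as a stdin redirection from a file named `20`, so the test errors out and the `openssl rand` fallback is skipped, leaving an empty or short passphrase.txt whenever `sf-pwgen` (a macOS-specific tool, hence the `|| true`) is unavailable. Use a numeric comparison instead: `if [ "$(head -1 passphrase.txt | wc -c)" -lt 20 ]; then`. The CA certificate step writes `-out certs/ca.cert.pem` although the block already did `cd certs`, so the following `openssl x509 -in ca.cert.pem` and `openssl verify -CAfile ca.cert.pem` cannot find the file; it should be `-out ca.cert.pem`. Consider adding `umask 077` at the top of the block so passphrase.txt and the decrypted server key are never group/world-readable in the window before the later `chmod go-rwx` lines run.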