xrforge-v2/soakbean/middleware/rproxy.lua

--if IsDaemon() then
--    ProgramPort(443)
--    ProgramUid(65534)
--    ProgramUid(65534)
--    ProgramLogPath('/var/log/turfbean.log')
--    ProgramPidPath('/var/log/turfbean.pid')
--    ProgramTrustedIp(ParseIp(Slurp('/etc/justine-ip.txt')), 32);
--    ProgramCertificate(Slurp('/etc/letsencrypt/live/ipv4.games-ecdsa/fullchain.pem'))
--    ProgramPrivateKey(Slurp('/etc/letsencrypt/live/ipv4.games-ecdsa/privkey.pem'))
--end
--
--RELAY_HEADERS_TO_CLIENT = {
--    'Access-Control-Allow-Origin',
--    'Cache-Control',
--    'Connection',
--    'Content-Type',
--    'Last-Modified',
--    'Referrer-Policy',
--}
--
--function OnServerStart()
--    ProgramTokenBucket()
--    assert(unix.setrlimit(unix.RLIMIT_NPROC, 1000, 1000))
--end
--
--function OnWorkerStart()
--    assert(unix.setrlimit(unix.RLIMIT_RSS, 2*1024*1024))
--    assert(unix.setrlimit(unix.RLIMIT_CPU, 2))
--    assert(unix.unveil(nil, nil))
--    assert(unix.pledge("stdio inet unix", nil, unix.PLEDGE_PENALTY_RETURN_EPERM))
--end
--
--function OnHttpRequest()
--    local ip = GetClientAddr()
--    if not IsTrustedIp(ip) then
--        local tok = AcquireToken(ip)
--        if tok < 2 then
--            if Blackhole(ip) then
--                Log(kLogWarn, "banned %s" % {FormatIp(ip)})
--            else
--                Log(kLogWarn, "failed to ban %s" % {FormatIp(ip)})
--            end
--        end
--        if tok < 30 then
--            ServeError(429)
--            SetHeader('Connection', 'close')
--            Log(kLogWarn, "warned %s who has %d tokens" % {FormatIp(ip), tok})
--            return
--        end
--    end
--    local url = 'http://127.0.0.1' .. EscapePath(GetPath())
--    local name = GetParam('name')
--    if name then
--        url = url .. '?name=' .. EscapeParam(name)
--    end
--    local status, headers, body =
--        Fetch(url,
--              {method = GetMethod(),
--               headers = {
--                   ['Accept'] = GetHeader('Accept'),
--                   ['CF-IPCountry'] = GetHeader('CF-IPCountry'),
--                   ['If-Modified-Since'] = GetHeader('If-Modified-Since'),
--                   ['Referer'] = GetHeader('Referer'),
--                   ['Sec-CH-UA-Platform'] = GetHeader('Sec-CH-UA-Platform'),
--                   ['User-Agent'] = GetHeader('User-Agent'),
--                   ['X-Forwarded-For'] = FormatIp(ip)}})
--    if status then
--        SetStatus(status)
--        for k,v in pairs(RELAY_HEADERS_TO_CLIENT) do
--            SetHeader(v, headers[v])
--        end
--        Write(body)
--    else
--        local err = headers
--        Log(kLogError, "proxy failed %s" % {err})
--        ServeError(503)
--    end
--end
🔧 master: work in progress [might break] 2026-05-15 23:47:59 +02:00			`--if IsDaemon() then`
			`-- ProgramPort(443)`
			`-- ProgramUid(65534)`
			`-- ProgramUid(65534)`
			`-- ProgramLogPath('/var/log/turfbean.log')`
			`-- ProgramPidPath('/var/log/turfbean.pid')`
			`-- ProgramTrustedIp(ParseIp(Slurp('/etc/justine-ip.txt')), 32);`
			`-- ProgramCertificate(Slurp('/etc/letsencrypt/live/ipv4.games-ecdsa/fullchain.pem'))`
			`-- ProgramPrivateKey(Slurp('/etc/letsencrypt/live/ipv4.games-ecdsa/privkey.pem'))`
			`--end`
			`--`
			`--RELAY_HEADERS_TO_CLIENT = {`
			`-- 'Access-Control-Allow-Origin',`
			`-- 'Cache-Control',`
			`-- 'Connection',`
			`-- 'Content-Type',`
			`-- 'Last-Modified',`
			`-- 'Referrer-Policy',`
			`--}`
			`--`
			`--function OnServerStart()`
			`-- ProgramTokenBucket()`
			`-- assert(unix.setrlimit(unix.RLIMIT_NPROC, 1000, 1000))`
			`--end`
			`--`
			`--function OnWorkerStart()`
			`-- assert(unix.setrlimit(unix.RLIMIT_RSS, 210241024))`
			`-- assert(unix.setrlimit(unix.RLIMIT_CPU, 2))`
			`-- assert(unix.unveil(nil, nil))`
			`-- assert(unix.pledge("stdio inet unix", nil, unix.PLEDGE_PENALTY_RETURN_EPERM))`
			`--end`
			`--`
			`--function OnHttpRequest()`
			`-- local ip = GetClientAddr()`
			`-- if not IsTrustedIp(ip) then`
			`-- local tok = AcquireToken(ip)`
			`-- if tok < 2 then`
			`-- if Blackhole(ip) then`
			`-- Log(kLogWarn, "banned %s" % {FormatIp(ip)})`
			`-- else`
			`-- Log(kLogWarn, "failed to ban %s" % {FormatIp(ip)})`
			`-- end`
			`-- end`
			`-- if tok < 30 then`
			`-- ServeError(429)`
			`-- SetHeader('Connection', 'close')`
			`-- Log(kLogWarn, "warned %s who has %d tokens" % {FormatIp(ip), tok})`
			`-- return`
			`-- end`
			`-- end`
			`-- local url = 'http://127.0.0.1' .. EscapePath(GetPath())`
			`-- local name = GetParam('name')`
			`-- if name then`
			`-- url = url .. '?name=' .. EscapeParam(name)`
			`-- end`
			`-- local status, headers, body =`
			`-- Fetch(url,`
			`-- {method = GetMethod(),`
			`-- headers = {`
			`-- ['Accept'] = GetHeader('Accept'),`
			`-- ['CF-IPCountry'] = GetHeader('CF-IPCountry'),`
			`-- ['If-Modified-Since'] = GetHeader('If-Modified-Since'),`
			`-- ['Referer'] = GetHeader('Referer'),`
			`-- ['Sec-CH-UA-Platform'] = GetHeader('Sec-CH-UA-Platform'),`
			`-- ['User-Agent'] = GetHeader('User-Agent'),`
			`-- ['X-Forwarded-For'] = FormatIp(ip)}})`
			`-- if status then`
			`-- SetStatus(status)`
			`-- for k,v in pairs(RELAY_HEADERS_TO_CLIENT) do`
			`-- SetHeader(v, headers[v])`
			`-- end`
			`-- Write(body)`
			`-- else`
			`-- local err = headers`
			`-- Log(kLogError, "proxy failed %s" % {err})`
			`-- ServeError(503)`
			`-- end`
			`--end`