0xgeert · July 17, 2025 15:04
diff --git a/gistfile1.txt b/gistfile1.txt
                                                                                                                                                  
 server {
    listen 443 ssl;
    server_name e.somedomain.xyz;

    ssl_certificate     /etc/letsencrypt/live/e.somedomain.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/e.somedomain.xyz/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    # Specify DNS resolver for variables, this is Google Public DNS
    # You should adjust this to a DNS resolver of your choice
    resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::]:8888 [2001:4860:4860::]:8844 valid=300s;
    resolver_timeout 5s;  # Timeout for DNS resolution

    # Check Referer header
    set $valid_referer 0;
    if ($http_referer ~* "^https?://(localhost|([a-zA-Z0-9-]+)\.somedomain\.xyz)") {
        set $valid_referer 1;
    }

    if ($valid_referer = 0) {
        return 403;  # Return forbidden if the Referer header is invalid
    }

    location ~ ^/static/(.*)$ {
        set $posthog_static "https://eu-assets.i.posthog.com/static/";
        proxy_pass $posthog_static$1$is_args$args;
        proxy_set_header Host "eu-assets.i.posthog.com";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ssl_server_name on;
        proxy_redirect off;
    }

    # https://eu-assets.i.posthog.com/array/phc_xxx/config.js is NOT part of /static but still needs to be proxied to the static asset domain
    location ~ ^/array/(.*)$ {
        set $posthog_static "https://eu-assets.i.posthog.com/array/";
        proxy_pass $posthog_static$1$is_args$args;
        proxy_set_header Host "eu-assets.i.posthog.com";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ssl_server_name on;
        proxy_redirect off;
    }

    location ~ ^/(.*)$ {
        set $posthog_main "https://eu.i.posthog.com/";
        proxy_pass $posthog_main$1$is_args$args;
        proxy_set_header Host "eu.i.posthog.com";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ssl_server_name on;
        proxy_redirect off;
    }
 }

 server {
    listen 80;
    server_name e.somedomain.xyz;

    return 301 https://$host$request_uri;
 }

	server {
	listen 443 ssl;
	server_name e.somedomain.xyz;

	ssl_certificate /etc/letsencrypt/live/e.somedomain.xyz/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/e.somedomain.xyz/privkey.pem;
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

	# Specify DNS resolver for variables, this is Google Public DNS
	# You should adjust this to a DNS resolver of your choice
	resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::]:8888 [2001:4860:4860::]:8844 valid=300s;
	resolver_timeout 5s; # Timeout for DNS resolution

	# Check Referer header
	set $valid_referer 0;
	if ($http_referer ~* "^https?://(localhost\|([a-zA-Z0-9-]+)\.somedomain\.xyz)") {
	set $valid_referer 1;
	}

	if ($valid_referer = 0) {
	return 403; # Return forbidden if the Referer header is invalid
	}

	location ~ ^/static/(.*)$ {
	set $posthog_static "https://eu-assets.i.posthog.com/static/";
	proxy_pass $posthog_static$1$is_args$args;
	proxy_set_header Host "eu-assets.i.posthog.com";
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_ssl_server_name on;
	proxy_redirect off;
	}

	# https://eu-assets.i.posthog.com/array/phc_xxx/config.js is NOT part of /static but still needs to be proxied to the static asset domain
	location ~ ^/array/(.*)$ {
	set $posthog_static "https://eu-assets.i.posthog.com/array/";
	proxy_pass $posthog_static$1$is_args$args;
	proxy_set_header Host "eu-assets.i.posthog.com";
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_ssl_server_name on;
	proxy_redirect off;
	}

	location ~ ^/(.*)$ {
	set $posthog_main "https://eu.i.posthog.com/";
	proxy_pass $posthog_main$1$is_args$args;
	proxy_set_header Host "eu.i.posthog.com";
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_ssl_server_name on;
	proxy_redirect off;
	}
	}

	server {
	listen 80;
	server_name e.somedomain.xyz;

	return 301 https://$host$request_uri;
	}