利用Nginx反代加速Github服务

基于nginx搭建github加速服务，nginx配置代码如下

hub

    location / {
        proxy_hide_header referrer-policy;
        proxy_hide_header content-security-policy;
        proxy_hide_header Strict-Transport-Security;
        proxy_hide_header x-pjax-url;

        proxy_set_header Host github.com;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Referer https://github.com/;
        proxy_set_header Origin https://github.com;
        #proxy_set_header Connection "";

        add_header x-pjax-url "https://hub.fastgit.ixmu.net$request_uri";
        add_header X-FastGit-Node "azure-ea-0";

        proxy_http_version 1.1;
        proxy_connect_timeout 10s;
        proxy_read_timeout 10s;
        
        # Not supported when installed from Debian source
        # proxy_socket_keepalive on;
        
        proxy_ssl_server_name on;
        
        sub_filter "\"https://raw.githubusercontent.com" "\"https://raw.fastgit.ixmu.net";
        sub_filter "\"https://github.com" "\"https://hub.fastgit.ixmu.net";
        sub_filter "\"https://github.githubassets.com" "\"https://assets.fastgit.ixmu.net";
        sub_filter "\"https://github.githubassets.com" "\"https://assets.fastgit.ixmu.net";
        sub_filter "https://customer-stories-feed.github.com" "https://customer-stories-feed.fastgit.org";
        sub_filter_once off;
        
        proxy_cookie_domain github.com hub.fastgit.ixmu.net;

        proxy_redirect https://github.com https://hub.fastgit.ixmu.net;
        proxy_redirect https://raw.githubusercontent.com https://raw.fastgit.ixmu.net;
        proxy_redirect https://github.githubassets.com https://assets.fastgit.ixmu.net;
        proxy_redirect https://customer-stories-feed.github.com https://customer-stories-feed.fastgit.org;
        proxy_redirect https://codeload.github.com https://codeload.fastgit.org;

        proxy_pass https://github.com;
    }

     Block search engine
     if ($http_user_agent ~* "qihoobot|Baiduspider|Bingbot|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot")
     {
         return 403;
     }

     Anti Agent Bot DDoS
     If behind CDN, use folloing commented code
     if ($http_x_forwarded_for != $remote_addr) {
         return 503;
     }
    if ($proxy_add_x_forwarded_for != $remote_addr) {
        return 503;
    }

Archive

    location / {

    }
    
    location ~ ^/[^/]+/[^/]+/releases(/latest)?/download/ {
        return 301 https://download.fastgit.ixmu.net$request_uri;
    }
    
    location ~ ^/[^/]+/[^/]+/suites/[^/]+/artifacts/ {
        return 301 https://download.fastgit.ixmu.net$request_uri;
    }
    
    location ~ ^/[^/]+/[^/]+/archive/ {
        recursive_error_pages on;
        proxy_pass https://github.com;
        proxy_intercept_errors on;
        error_page 301 302 307 = @handle_redirect;
    }

    location @handle_redirect {
        resolver 8.8.8.8;
        recursive_error_pages on;
        set $saved_redirect_location '$upstream_http_location';
        proxy_pass $saved_redirect_location;
        proxy_intercept_errors on;
        error_page 301 302 307 = @handle_redirect;
    }
    
    # Block search engine
    if ($http_user_agent ~* "qihoobot|Baiduspider|Bingbot|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
        return 403;
    }

Download

upstream GithubDownload {
    server github.com:443;
    keepalive 32;
}

server {
    listen 443 ssl http2;
    server_name fastdownload.ixnic.net;
    root /home/wwwroot/fastdownload.ixnic.net;
    index index.html;

    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_certificate /usr/local/nginx/conf/ssl/fastdownload.ixnic.net/fullchain.cer;
    ssl_certificate_key /usr/local/nginx/conf/ssl/fastdownload.ixnic.net/fastdownload.ixnic.net.key;

    # Run following command & set permission before configuring
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /usr/local/nginx/conf/ssl/dhparam.pem
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    error_page 497  https://$host$request_uri;
    
    # include /etc/nginx/snippets/anti-floc.conf;
    add_header Permissions-Policy interest-cohort=();

    # SSL
    location ~ \.well-known{
        allow all;
    }
    
    location / {

    }
    
    location ~ ^/[^/]+/[^/]+/releases(/latest)?/download/ {
        proxy_cache_valid 206 120m;
        proxy_cache_valid 200 120m;
        recursive_error_pages on;
        proxy_pass https://GithubDownload;
        proxy_intercept_errors on;
        error_page 301 302 307 = @handle_redirect;
    }
    
    location ~ ^/[^/]+/[^/]+/suites/[^/]+/artifacts/ {
        proxy_cache_valid 206 120m;
        proxy_cache_valid 200 120m;
        recursive_error_pages on;
        proxy_pass https://GithubDownload;
        proxy_intercept_errors on;
        error_page 301 302 307 = @handle_redirect;
    }
    
    location ~ ^/[^/]+/[^/]+/archive/ {
        return 301 https://fastarchive.ixnic.net$request_uri;
    }

    location @handle_redirect {
        resolver 8.8.8.8;
        recursive_error_pages on;
        set $saved_redirect_location '$upstream_http_location';
        proxy_pass $saved_redirect_location;
        proxy_intercept_errors on;
        error_page 301 302 307 = @handle_redirect;
    }
    
    # Block search engine
    if ($http_user_agent ~* "qihoobot|Baiduspider|Bingbot|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
        return 403;
    }

    access_log  /home/wwwlogs/fastdownload.ixnic.net.log;
    error_log  /home/wwwlogs/erroe.log;
}

Assets

    # Fuck Search Engine
    location /robots.txt {
        allow all;
    }
    
    #PROXY-START/
    location ~* \.(php|jsp|cgi|asp|aspx)$
    {
        proxy_pass https://github.githubassets.com;
        proxy_set_header Host github.githubassets.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
    }
    
    location /
    {
        proxy_pass https://github.githubassets.com;
        proxy_set_header Host github.githubassets.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
        add_header X-Cache $upstream_cache_status;
        proxy_ignore_headers Set-Cookie Cache-Control expires;
        # proxy_cache cache_one;
        proxy_cache_key $host$uri$is_args$args;
        proxy_cache_valid 200 304 301 302 480m;
        expires 12h;
    }

    # Block search engine
     if ($http_user_agent ~* "qihoobot|Baiduspider|Bingbot|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot")
     {
         return 403;
     }

     Anti Agent Bot DDoS
     If behind CDN, use folloing commented code
     if ($http_x_forwarded_for != $remote_addr) {
         return 503;
     }
    if ($proxy_add_x_forwarded_for != $remote_addr) {
        return 503;
    }

Raw

   # Fuck Search Engine
    location /robots.txt {
        allow all;
    }
    
    location / {
        valid_referers none blocked *.fastgit.ixmu.net  raw.githubusercontent.com github.com;
        if ($invalid_referer){
            return 403;
        }
        proxy_hide_header content-security-policy;
        proxy_hide_header Strict-Transport-Security;
        proxy_hide_header set-cookie;
        proxy_hide_header x-pjax-url;

        proxy_set_header Host raw.githubusercontent.com;
        # proxy_set_header Connection "";

        add_header X-FastGit-Node "dogyun-de-1";

        proxy_http_version 1.1;
        proxy_connect_timeout 5s;
        proxy_read_timeout 5s;

        proxy_pass https://raw.githubusercontent.com;
    }
    
    location ~ .*\.(jpg|jpeg|gif|png|js|css)$
    {
        valid_referers none blocked *.fastgit.org raw.githubusercontent.com github.com;
        if ($invalid_referer){
           return 403;
        }
        proxy_hide_header content-security-policy;
        proxy_hide_header Strict-Transport-Security;
        proxy_hide_header set-cookie;
        proxy_hide_header x-pjax-url;
    
        proxy_set_header Host raw.githubusercontent.com;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Connection "";
    
        add_header x-fastgit-node "dogyun-de-1";
    
        proxy_http_version 1.1;
        proxy_connect_timeout 5s;
        proxy_read_timeout 5s;
    
        proxy_pass https://rawgithub;
    }

     Block search engine
     if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot")
     {
         return 403;
     }

robots.txt

User-Agent: *
Disallow: /