add reverse proxy for Widevine provisioning

nginx/nginx.conf

@@ -62,6 +62,7 @@ http {
     limit_conn_zone $binary_remote_addr zone=http-limit:10m;
     limit_conn http-limit 32;
     limit_conn_zone 0 zone=remoteprovisioning-global-limit:32k;
+    limit_conn_zone 0 zone=widevineprovisioning-global-limit:32k;
     limit_conn_zone 0 zone=vanadium-update-global-limit:32k;
 
     ssl_protocols TLSv1.2 TLSv1.3;
@@ -278,6 +279,54 @@ http {
         }
     }
 
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name widevineprovisioning.grapheneos.org;
+
+        # needed to handle long signedRequest
+        large_client_header_buffers 4 8k;
+
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+        location /certificateprovisioning/v1 {
+            if ($request_method != POST) {
+                return 405;
+            }
+            set $target https://www.googleapis.com;
+            proxy_pass $target;
+
+            # note; location block keepalive configuration does not work for HTTP/2
+            keepalive_timeout 15s;
+
+            limit_conn widevineprovisioning-global-limit 1024;
+
+            client_max_body_size 16k;
+            client_body_buffer_size 16k;
+
+            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+            add_header X-Robots-Tag "none" always;
+
+            proxy_hide_header Strict-Transport-Security;
+            proxy_hide_header X-Robots-Tag;
+
+            proxy_hide_header Alt-Svc;
+
+            proxy_ignore_headers Set-Cookie;
+            proxy_hide_header Set-Cookie;
+
+            proxy_max_temp_file_size 8m;
+        }
+
+        location = / {
+            return 301 https://grapheneos.org/faq#default-connections;
+        }
+
+        location / {
+            return 404;
+        }
+    }
+
     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;