# no-ranges.conf

# Disables ranges and adds a simple lua block
# that will immediately fail requests.

# "max_ranges 0" doesn't seem to really work the way you'd expect
# which is kind of why I'm making this include..
# This will actually properly not allow ranged connections.

# Do the obligatory first
max_ranges 0;

# Add a Lua header filter that will explicitly 400
# any HTTP requests with the "Range" header; regardless of
# if they contain a valid range, set of ranges, or an invalid
# range.
#
# We also add the "Accept-Ranges" header here, because unlike
# nginx's native "add_header", it's not terminally broken and won't append
# a duplicate header in certain contexts... Don't ask how I had to find that out.

header_filter_by_lua_block {
	local req_headers = ngx.req.get_headers();
	ngx.header["Accept-Ranges"] = "none"

	if req_headers["Range"] ~= nil then
		ngx.log(ngx.ERR, "Request with ranges! Blocking")
		return ngx.exit(400)
	end
}