If you don't mind compiling nginx from source, you could install ngx_http_proxy_connect_module. The following worked for me in Debian 9 "Stretch" on a Raspberry Pi (after I added deb-src URLs to /etc/apt/sources.list and did apt-get update):

    cd /tmp &&
    apt-get source nginx &&
    git clone https://github.com/chobits/ngx_http_proxy_connect_module &&
    cd nginx-* &&
    patch -p1 < ../ngx_http_proxy_connect_module/proxy_connect.patch &&
    sudo apt-get install libpcre3-dev &&
    ./configure --add-module=/tmp/ngx_http_proxy_connect_module &&
    make && sudo make install

Then edit /usr/local/nginx/conf/nginx.conf and make it look like this (I've included an example of domains you want to block, which works with both SSL and non-SSL proxying):

    user www-data;
    worker_processes auto;
    events { }
    http {
        server_names_hash_bucket_size 128;
        server {
            listen 8888;
            server_name spam.example.com *.spam.example.com;
            server_name spam2.example.com *.spam2.example.com;
            access_log off;
            return 404;
        }
        server {
            listen 8888;
            server_name ~.+;
            proxy_connect;
            proxy_max_temp_file_size 0;
            resolver 8.8.8.8;
            location / {
                proxy_pass http://$http_host;
                proxy_set_header Host $http_host;
            }
        }
    }

Then run /usr/local/nginx/sbin/nginx. It will quite happily coexist with Debian's stock nginx package if you're also running a production webserver on port 80 and don't want to risk messing with that (but make sure to start the /usr/local version separately on boot); alternatively, with more configuration you could run both services from the nginx you've compiled. But if you do set your compiled nginx to run on a port that your firewall allows traffic to, beware you'd have to check manually for nginx security updates as the Debian package system will no longer do it for you.
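
A tighter variant of the configuration above, as an added example that is not part of the original answer: it binds the proxy to a single LAN address instead of every interface and states explicitly which port CONNECT tunnels may reach. The address 192.168.1.10 is a constructed placeholder for the proxy host's internal address, and the `proxy_connect_allow` directive is assumed to be available in the module version you built.

```nginx
user www-data;
worker_processes auto;
events { }
http {
    server_names_hash_bucket_size 128;

    # Blocked domains: same list as the original configuration.
    server {
        # Constructed LAN address; replace with the proxy host's internal IP.
        # Binding to one address keeps the listener off external interfaces
        # even if a firewall rule is later loosened.
        listen 192.168.1.10:8888;
        server_name spam.example.com *.spam.example.com;
        server_name spam2.example.com *.spam2.example.com;
        access_log off;
        return 404;
    }

    # Everything else is proxied.
    server {
        # Must match the listen address of the block above so that both
        # server blocks are candidates for the same connections.
        listen 192.168.1.10:8888;
        server_name ~.+;

        proxy_connect;
        # Only allow CONNECT tunnels to the HTTPS port, so the proxy cannot
        # be used to reach arbitrary TCP services (SSH, SMTP, databases).
        proxy_connect_allow 443;

        proxy_max_temp_file_size 0;
        resolver 8.8.8.8;

        location / {
            proxy_pass http://$http_host;
            proxy_set_header Host $http_host;
        }
    }
}
```

Run `/usr/local/nginx/sbin/nginx -t` after editing to check the syntax before starting the compiled binary.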