diff --git a/documentation/manuals/archiver.1.man b/documentation/manuals/archiver.1.man index c404234..6e5a54d 100644 --- a/documentation/manuals/archiver.1.man +++ b/documentation/manuals/archiver.1.man @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "KAWIPIKO-ARCHIVER" "1" "2022-09-02" "volution.ro" "kawipiko" +.TH "KAWIPIKO-ARCHIVER" "1" "2022-09-11" "volution.ro" "kawipiko" .SH NAME kawipiko -- blazingly fast static HTTP server \- kawipiko-archiver .INDENT 0.0 @@ -47,12 +47,12 @@ kawipiko -- blazingly fast static HTTP server \- kawipiko-archiver .nf .ft C \-\-sources - \-\-archive \-\-compress \-\-compress\-level \-\-compress\-cache +\-\-sources\-cache \-\-exclude\-index \-\-exclude\-strip @@ -124,7 +124,7 @@ The compression level can be chosen, the value depending on the algorithm: .UNINDENT .UNINDENT .sp -\fB\-\-sources\-cache \fP, and \fB\-\-compress\-cache \fP +\fB\-\-compress\-cache \fP, and \fB\-\-sources\-cache \fP .INDENT 0.0 .INDENT 3.5 At the given path a single file is created (that is an BBolt database), that will be used to cache the following information: diff --git a/documentation/manuals/archiver.html b/documentation/manuals/archiver.html index 09a4d4e..fc7bb5a 100644 --- a/documentation/manuals/archiver.html +++ b/documentation/manuals/archiver.html @@ -370,12 +370,12 @@ ul.auto-toc { 
 --sources <path>
-
 --archive <path>
 
 --compress <gzip | zopfli | brotli | identity>
 --compress-level <number>
 --compress-cache <path>
+--sources-cache  <path>
 
 --exclude-index
 --exclude-strip
@@ -420,7 +420,7 @@ The path to the target CDB file that contains the archived static content.kawipiko by default uses the maximum compression level for each algorithm;  (i.e. 9 for gzip, 30 for zopfli, and -2 for brotli;)
 
 
-
--sources-cache <path>, and --compress-cache <path>

+
--compress-cache <path>, and --sources-cache <path>

 

 
At the given path a single file is created (that is an BBolt database), that will be used to cache the following information:

 
    
diff --git a/documentation/manuals/archiver.rst b/documentation/manuals/archiver.rst
index 1d86fdc..0c636ff 100644
--- a/documentation/manuals/archiver.rst
+++ b/documentation/manuals/archiver.rst
@@ -19,12 +19,12 @@ kawipiko -- blazingly fast static HTTP server
 ::
 
     --sources 
-
     --archive 
 
     --compress 
     --compress-level 
     --compress-cache 
+    --sources-cache  
 
     --exclude-index
     --exclude-strip
@@ -80,7 +80,7 @@ Flags
     * (by "algorithm default", it is meant "what that algorithm considers the recommended default compression level";)
     * ``kawipiko`` by default uses the maximum compression level for each algorithm;  (i.e. ``9`` for ``gzip``, ``30`` for ``zopfli``, and ``-2`` for ``brotli``;)
 
-``--sources-cache ``, and ``--compress-cache ``
+``--compress-cache ``, and ``--sources-cache ``
 
     At the given path a single file is created (that is an BBolt database), that will be used to cache the following information:
 
diff --git a/documentation/manuals/archiver.txt b/documentation/manuals/archiver.txt
index 5f47313..ac8470a 100644
--- a/documentation/manuals/archiver.txt
+++ b/documentation/manuals/archiver.txt
@@ -9,12 +9,12 @@ NAME
           >> kawipiko-archiver --man
 
           --sources 
-
           --archive 
 
           --compress 
           --compress-level 
           --compress-cache 
+          --sources-cache  
 
           --exclude-index
           --exclude-strip
@@ -80,7 +80,7 @@ FLAGS
           • kawipiko by default uses the maximum compression level for each
             algorithm;  (i.e. 9 for gzip, 30 for zopfli, and -2 for brotli;)
 
-       --sources-cache , and --compress-cache 
+       --compress-cache , and --sources-cache 
           At the given path a single file is created (that is an BBolt
           database), that will be used to cache the following information:
 
@@ -213,4 +213,4 @@ SYMLINKS, HARDLINKS, LOOPS, AND DUPLICATED FILES
 
 
 
-volution.ro                       2022-09-02              KAWIPIKO-ARCHIVER(1)
+volution.ro                       2022-09-11              KAWIPIKO-ARCHIVER(1)
diff --git a/documentation/manuals/server.1.man b/documentation/manuals/server.1.man
index eaeff8e..0025a62 100644
--- a/documentation/manuals/server.1.man
+++ b/documentation/manuals/server.1.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "KAWIPIKO-SERVER" "1" "2022-09-02" "volution.ro" "kawipiko"
+.TH "KAWIPIKO-SERVER" "1" "2022-09-11" "volution.ro" "kawipiko"
 .SH NAME
 kawipiko -- blazingly fast static HTTP server \- kawipiko-server
 .INDENT 0.0
@@ -69,6 +69,7 @@ kawipiko -- blazingly fast static HTTP server \- kawipiko-server
 
 \-\-processes        (of slave processes)
 \-\-threads          (of threads per process)
+
 \-\-index\-all
 \-\-index\-paths
 \-\-index\-data\-meta
@@ -80,7 +81,9 @@ kawipiko -- blazingly fast static HTTP server \- kawipiko-server
 \-\-security\-headers\-disable
 \-\-security\-headers\-tls
 
-\-\-limit\-memory 
+\-\-seccomp\-enable
+\-\-limit\-descriptors 
+\-\-limit\-memory      
 \-\-timeout\-disable
 
 \-\-report  \-\-quiet  \-\-debug
@@ -292,6 +295,25 @@ These instruct the browser to always use HTTPS for the served domain.
 .UNINDENT
 .UNINDENT
 .sp
+\fB\-\-seccomp\-enable\fP
+.INDENT 0.0
+.INDENT 3.5
+On Linux, and if supported, enable a strict \fBseccomp\fP filter to reduce the potential attack surface in case of a security issue.
+.sp
+The current filter is the minimal set of \fBsyscall\fP\(aqs required to have the server working (thus quite safe).
+At each stage (opening the archive, indexing the archive, serving the archive) the non\-required \fBsyscall\fP\(aqs are filtered.
+.sp
+(At the moment the filter is quite strict and determined by experimentation.  If you enable \fBseccomp\fP and the server is \fBkill\fP\-ed, check \fBauditd\fP logs for the problematic \fBsyscall\fP and open an issue report.)
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-\-limit\-descriptors\fP, and \fB\-\-limit\-memory\fP
+.INDENT 0.0
+.INDENT 3.5
+Constrains resource usage by configuring via \fBsetrlimit\fP either \fBRLIMIT_NOFILE\fP (in case of descriptors) or both \fBRLIMIT_DATA\fP and \fBRLIMIT_AS\fP (in case of memory).
+.UNINDENT
+.UNINDENT
+.sp
 \fB\-\-report\fP
 .INDENT 0.0
 .INDENT 3.5
diff --git a/documentation/manuals/server.html b/documentation/manuals/server.html
index 4c92f2d..681b6a0 100644
--- a/documentation/manuals/server.html
+++ b/documentation/manuals/server.html
@@ -392,6 +392,7 @@ ul.auto-toc {
 
 --processes <count>       (of slave processes)
 --threads <count>         (of threads per process)
+
 --index-all
 --index-paths
 --index-data-meta
@@ -403,7 +404,9 @@ ul.auto-toc {
 --security-headers-disable
 --security-headers-tls
 
---limit-memory <MiB>
+--seccomp-enable
+--limit-descriptors <count>
+--limit-memory      <MiB>
 --timeout-disable
 
 --report  --quiet  --debug
@@ -524,6 +527,16 @@ Content-Security-Policy: upgrade-insecure-requests
 
    These instruct the browser to always use HTTPS for the served domain.
 (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.)
    
 

+
--seccomp-enable

+

+
On Linux, and if supported, enable a strict seccomp filter to reduce the potential attack surface in case of a security issue.

+
The current filter is the minimal set of syscall's required to have the server working (thus quite safe).
+At each stage (opening the archive, indexing the archive, serving the archive) the non-required syscall's are filtered.

+
(At the moment the filter is quite strict and determined by experimentation.  If you enable seccomp and the server is kill-ed, check auditd logs for the problematic syscall and open an issue report.)

+

+
--limit-descriptors, and --limit-memory

+

+Constrains resource usage by configuring via setrlimit either RLIMIT_NOFILE (in case of descriptors) or both RLIMIT_DATA and RLIMIT_AS (in case of memory).

 
--report

 

 Enables periodic reporting of various metrics.
diff --git a/documentation/manuals/server.rst b/documentation/manuals/server.rst
index b1a678e..195ff9f 100644
--- a/documentation/manuals/server.rst
+++ b/documentation/manuals/server.rst
@@ -40,6 +40,7 @@ kawipiko -- blazingly fast static HTTP server
 
     --processes        (of slave processes)
     --threads          (of threads per process)
+
     --index-all
     --index-paths
     --index-data-meta
@@ -51,7 +52,9 @@ kawipiko -- blazingly fast static HTTP server
     --security-headers-disable
     --security-headers-tls
 
-    --limit-memory 
+    --seccomp-enable
+    --limit-descriptors 
+    --limit-memory      
     --timeout-disable
 
     --report  --quiet  --debug
@@ -192,6 +195,19 @@ Flags
     These instruct the browser to always use HTTPS for the served domain.
     (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.)
 
+``--seccomp-enable``
+
+    On Linux, and if supported, enable a strict ``seccomp`` filter to reduce the potential attack surface in case of a security issue.
+
+    The current filter is the minimal set of ``syscall``'s required to have the server working (thus quite safe).
+    At each stage (opening the archive, indexing the archive, serving the archive) the non-required ``syscall``'s are filtered.
+
+    (At the moment the filter is quite strict and determined by experimentation.  If you enable ``seccomp`` and the server is ``kill``-ed, check ``auditd`` logs for the problematic ``syscall`` and open an issue report.)
+
+``--limit-descriptors``, and ``--limit-memory``
+
+    Constrains resource usage by configuring via ``setrlimit`` either ``RLIMIT_NOFILE`` (in case of descriptors) or both ``RLIMIT_DATA`` and ``RLIMIT_AS`` (in case of memory).
+
 ``--report``
 
     Enables periodic reporting of various metrics.
diff --git a/documentation/manuals/server.txt b/documentation/manuals/server.txt
index 2437089..af6f901 100644
--- a/documentation/manuals/server.txt
+++ b/documentation/manuals/server.txt
@@ -31,6 +31,7 @@ NAME
 
           --processes        (of slave processes)
           --threads          (of threads per process)
+
           --index-all
           --index-paths
           --index-data-meta
@@ -42,7 +43,9 @@ NAME
           --security-headers-disable
           --security-headers-tls
 
-          --limit-memory 
+          --seccomp-enable
+          --limit-descriptors 
+          --limit-memory      
           --timeout-disable
 
           --report  --quiet  --debug
@@ -220,6 +223,25 @@ FLAGS
           domain.  (Useful even without HTTPS, when used behind a TLS
           terminator, load-balancer or proxy that do support HTTPS.)
 
+       --seccomp-enable
+          On Linux, and if supported, enable a strict seccomp filter to reduce
+          the potential attack surface in case of a security issue.
+
+          The current filter is the minimal set of syscall's required to have
+          the server working (thus quite safe).  At each stage (opening the
+          archive, indexing the archive, serving the archive) the non-required
+          syscall's are filtered.
+
+          (At the moment the filter is quite strict and determined by
+          experimentation.  If you enable seccomp and the server is kill-ed,
+          check auditd logs for the problematic syscall and open an issue
+          report.)
+
+       --limit-descriptors, and --limit-memory
+          Constrains resource usage by configuring via setrlimit either
+          RLIMIT_NOFILE (in case of descriptors) or both RLIMIT_DATA and
+          RLIMIT_AS (in case of memory).
+
        --report
           Enables periodic reporting of various metrics.  Also enables
           reporting a selection of metrics if certain thresholds are matched
@@ -258,4 +280,4 @@ FLAGS
 
 
 
-volution.ro                       2022-09-02                KAWIPIKO-SERVER(1)
+volution.ro                       2022-09-11                KAWIPIKO-SERVER(1)
diff --git a/sources/cmd/archiver/manual.txt b/sources/cmd/archiver/manual.txt
index 5f47313..ac8470a 100644
--- a/sources/cmd/archiver/manual.txt
+++ b/sources/cmd/archiver/manual.txt
@@ -9,12 +9,12 @@ NAME
           >> kawipiko-archiver --man
 
           --sources 
-
           --archive 
 
           --compress 
           --compress-level 
           --compress-cache 
+          --sources-cache  
 
           --exclude-index
           --exclude-strip
@@ -80,7 +80,7 @@ FLAGS
           • kawipiko by default uses the maximum compression level for each
             algorithm;  (i.e. 9 for gzip, 30 for zopfli, and -2 for brotli;)
 
-       --sources-cache , and --compress-cache 
+       --compress-cache , and --sources-cache 
           At the given path a single file is created (that is an BBolt
           database), that will be used to cache the following information:
 
@@ -213,4 +213,4 @@ SYMLINKS, HARDLINKS, LOOPS, AND DUPLICATED FILES
 
 
 
-volution.ro                       2022-09-02              KAWIPIKO-ARCHIVER(1)
+volution.ro                       2022-09-11              KAWIPIKO-ARCHIVER(1)
diff --git a/sources/cmd/archiver/usage.txt b/sources/cmd/archiver/usage.txt
index a25159b..e2caa81 100644
--- a/sources/cmd/archiver/usage.txt
+++ b/sources/cmd/archiver/usage.txt
@@ -2,14 +2,12 @@
   kawipiko-archiver
 
     --sources 
-
     --archive 
 
     --compress 
     --compress-level 
-
-    --sources-cache 
     --compress-cache 
+    --sources-cache  
 
     --exclude-index
     --exclude-strip
diff --git a/sources/cmd/server/manual.html b/sources/cmd/server/manual.html
index 4c92f2d..681b6a0 100644
--- a/sources/cmd/server/manual.html
+++ b/sources/cmd/server/manual.html
@@ -392,6 +392,7 @@ ul.auto-toc {
 
 --processes <count>       (of slave processes)
 --threads <count>         (of threads per process)
+
 --index-all
 --index-paths
 --index-data-meta
@@ -403,7 +404,9 @@ ul.auto-toc {
 --security-headers-disable
 --security-headers-tls
 
---limit-memory <MiB>
+--seccomp-enable
+--limit-descriptors <count>
+--limit-memory      <MiB>
 --timeout-disable
 
 --report  --quiet  --debug
@@ -524,6 +527,16 @@ Content-Security-Policy: upgrade-insecure-requests
 
These instruct the browser to always use HTTPS for the served domain.
 (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.)

 

+
--seccomp-enable

+

+
On Linux, and if supported, enable a strict seccomp filter to reduce the potential attack surface in case of a security issue.

+
The current filter is the minimal set of syscall's required to have the server working (thus quite safe).
+At each stage (opening the archive, indexing the archive, serving the archive) the non-required syscall's are filtered.

+
(At the moment the filter is quite strict and determined by experimentation.  If you enable seccomp and the server is kill-ed, check auditd logs for the problematic syscall and open an issue report.)

+

+
--limit-descriptors, and --limit-memory

+

+Constrains resource usage by configuring via setrlimit either RLIMIT_NOFILE (in case of descriptors) or both RLIMIT_DATA and RLIMIT_AS (in case of memory).

 
--report

 

 Enables periodic reporting of various metrics.
diff --git a/sources/cmd/server/manual.txt b/sources/cmd/server/manual.txt
index 2437089..af6f901 100644
--- a/sources/cmd/server/manual.txt
+++ b/sources/cmd/server/manual.txt
@@ -31,6 +31,7 @@ NAME
 
           --processes        (of slave processes)
           --threads          (of threads per process)
+
           --index-all
           --index-paths
           --index-data-meta
@@ -42,7 +43,9 @@ NAME
           --security-headers-disable
           --security-headers-tls
 
-          --limit-memory 
+          --seccomp-enable
+          --limit-descriptors 
+          --limit-memory      
           --timeout-disable
 
           --report  --quiet  --debug
@@ -220,6 +223,25 @@ FLAGS
           domain.  (Useful even without HTTPS, when used behind a TLS
           terminator, load-balancer or proxy that do support HTTPS.)
 
+       --seccomp-enable
+          On Linux, and if supported, enable a strict seccomp filter to reduce
+          the potential attack surface in case of a security issue.
+
+          The current filter is the minimal set of syscall's required to have
+          the server working (thus quite safe).  At each stage (opening the
+          archive, indexing the archive, serving the archive) the non-required
+          syscall's are filtered.
+
+          (At the moment the filter is quite strict and determined by
+          experimentation.  If you enable seccomp and the server is kill-ed,
+          check auditd logs for the problematic syscall and open an issue
+          report.)
+
+       --limit-descriptors, and --limit-memory
+          Constrains resource usage by configuring via setrlimit either
+          RLIMIT_NOFILE (in case of descriptors) or both RLIMIT_DATA and
+          RLIMIT_AS (in case of memory).
+
        --report
           Enables periodic reporting of various metrics.  Also enables
           reporting a selection of metrics if certain thresholds are matched
@@ -258,4 +280,4 @@ FLAGS
 
 
 
-volution.ro                       2022-09-02                KAWIPIKO-SERVER(1)
+volution.ro                       2022-09-11                KAWIPIKO-SERVER(1)
diff --git a/sources/cmd/server/usage.txt b/sources/cmd/server/usage.txt
index 4892d46..a3449cd 100644
--- a/sources/cmd/server/usage.txt
+++ b/sources/cmd/server/usage.txt
@@ -36,7 +36,9 @@
     --security-headers-disable
     --security-headers-tls
 
-    --limit-memory 
+    --secomp-enable
+    --limit-descriptors 
+    --limit-memory      
     --timeout-disable
 
     --report  --quiet  --debug