diff --git a/documentation/manuals/server.1.man b/documentation/manuals/server.1.man index 6544e28..e705f9e 100644 --- a/documentation/manuals/server.1.man +++ b/documentation/manuals/server.1.man @@ -76,8 +76,9 @@ kawipiko -- blazingly fast static HTTP server \- kawipiko-server \-\-hosts\-disable (ignore \(gaHost\(ga header) -\-\-security\-headers\-tls +\-\-special\-pages\-disable \-\-security\-headers\-disable +\-\-security\-headers\-tls \-\-limit\-memory \-\-timeout\-disable @@ -217,24 +218,21 @@ Disables the virtual\-hosts feature by ignoring the \fIHost\fP header. .UNINDENT .UNINDENT .sp -\fB\-\-security\-headers\-tls\fP +\fB\-\-special\-pages\-disable\fP .INDENT 0.0 .INDENT 3.5 -Enables adding the following TLS related headers to the response: +Disables serving a few special pages internal to the server like: .INDENT 0.0 .INDENT 3.5 -.sp -.nf -.ft C -Strict\-Transport\-Security: max\-age=31536000 -Content\-Security\-Policy: upgrade\-insecure\-requests -.ft P -.fi +/__/about +/__/version +/__/heartbeat +/__/sources.md5 +/__/sources.cpio +/__/banners/errors/403 +/__/banners/errors/... .UNINDENT .UNINDENT -.sp -These instruct the browser to always use HTTPS for the served domain. -(Useful even without HTTPS, when used behind a TLS terminator, load\-balancer or proxy that do support HTTPS.) .UNINDENT .UNINDENT .sp @@ -258,6 +256,27 @@ X\-Frame\-Options: sameorigin .UNINDENT .UNINDENT .sp +\fB\-\-security\-headers\-tls\fP +.INDENT 0.0 +.INDENT 3.5 +Enables adding the following TLS related headers to the response: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +Strict\-Transport\-Security: max\-age=31536000 +Content\-Security\-Policy: upgrade\-insecure\-requests +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +These instruct the browser to always use HTTPS for the served domain. +(Useful even without HTTPS, when used behind a TLS terminator, load\-balancer or proxy that do support HTTPS.) +.UNINDENT +.UNINDENT +.sp \fB\-\-report\fP .INDENT 0.0 .INDENT 3.5 diff --git a/documentation/manuals/server.rst b/documentation/manuals/server.rst index 6ed9488..1d4d604 100644 --- a/documentation/manuals/server.rst +++ b/documentation/manuals/server.rst @@ -47,8 +47,9 @@ kawipiko -- blazingly fast static HTTP server --hosts-disable (ignore `Host` header) - --security-headers-tls + --special-pages-disable --security-headers-disable + --security-headers-tls --limit-memory --timeout-disable @@ -150,15 +151,17 @@ Flags Disables the virtual-hosts feature by ignoring the `Host` header. -``--security-headers-tls`` +``--special-pages-disable`` - Enables adding the following TLS related headers to the response: :: + Disables serving a few special pages internal to the server like: - Strict-Transport-Security: max-age=31536000 - Content-Security-Policy: upgrade-insecure-requests - - These instruct the browser to always use HTTPS for the served domain. - (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.) + /__/about + /__/version + /__/heartbeat + /__/sources.md5 + /__/sources.cpio + /__/banners/errors/403 + /__/banners/errors/... ``--security-headers-disable`` @@ -169,6 +172,16 @@ Flags X-XSS-Protection: 1; mode=block X-Frame-Options: sameorigin +``--security-headers-tls`` + + Enables adding the following TLS related headers to the response: :: + + Strict-Transport-Security: max-age=31536000 + Content-Security-Policy: upgrade-insecure-requests + + These instruct the browser to always use HTTPS for the served domain. + (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.) + ``--report`` Enables periodic reporting of various metrics. diff --git a/documentation/manuals/server.txt b/documentation/manuals/server.txt index b23ac6f..f155b2a 100644 --- a/documentation/manuals/server.txt +++ b/documentation/manuals/server.txt @@ -38,8 +38,9 @@ NAME --hosts-disable (ignore `Host` header) - --security-headers-tls + --special-pages-disable --security-headers-disable + --security-headers-tls --limit-memory --timeout-disable @@ -180,6 +181,19 @@ FLAGS --hosts-disable Disables the virtual-hosts feature by ignoring the Host header. + --special-pages-disable + Disables serving a few special pages internal to the server like: + /__/about /__/version /__/heartbeat /__/sources.md5 + /__/sources.cpio /__/banners/errors/403 /__/banners/errors/... + + --security-headers-disable + Disables adding a few security related headers: + + Referrer-Policy: strict-origin-when-cross-origin + X-Content-Type-Options: nosniff + X-XSS-Protection: 1; mode=block + X-Frame-Options: sameorigin + --security-headers-tls Enables adding the following TLS related headers to the response: @@ -190,14 +204,6 @@ FLAGS domain. (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.) - --security-headers-disable - Disables adding a few security related headers: - - Referrer-Policy: strict-origin-when-cross-origin - X-Content-Type-Options: nosniff - X-XSS-Protection: 1; mode=block - X-Frame-Options: sameorigin - --report Enables periodic reporting of various metrics. Also enables reporting a selection of metrics if certain thresholds are matched diff --git a/sources/cmd/server/manual.txt b/sources/cmd/server/manual.txt index b23ac6f..f155b2a 100644 --- a/sources/cmd/server/manual.txt +++ b/sources/cmd/server/manual.txt @@ -38,8 +38,9 @@ NAME --hosts-disable (ignore `Host` header) - --security-headers-tls + --special-pages-disable --security-headers-disable + --security-headers-tls --limit-memory --timeout-disable @@ -180,6 +181,19 @@ FLAGS --hosts-disable Disables the virtual-hosts feature by ignoring the Host header. + --special-pages-disable + Disables serving a few special pages internal to the server like: + /__/about /__/version /__/heartbeat /__/sources.md5 + /__/sources.cpio /__/banners/errors/403 /__/banners/errors/... + + --security-headers-disable + Disables adding a few security related headers: + + Referrer-Policy: strict-origin-when-cross-origin + X-Content-Type-Options: nosniff + X-XSS-Protection: 1; mode=block + X-Frame-Options: sameorigin + --security-headers-tls Enables adding the following TLS related headers to the response: @@ -190,14 +204,6 @@ FLAGS domain. (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.) - --security-headers-disable - Disables adding a few security related headers: - - Referrer-Policy: strict-origin-when-cross-origin - X-Content-Type-Options: nosniff - X-XSS-Protection: 1; mode=block - X-Frame-Options: sameorigin - --report Enables periodic reporting of various metrics. Also enables reporting a selection of metrics if certain thresholds are matched diff --git a/sources/cmd/server/server.go b/sources/cmd/server/server.go index 759c900..705dfe8 100644 --- a/sources/cmd/server/server.go +++ b/sources/cmd/server/server.go @@ -55,6 +55,7 @@ type server struct { cachedDataMeta map[uint64][]byte cachedDataContent map[uint64][]byte hostsDisabled bool + specialPagesEnabled bool securityHeadersEnabled bool securityHeadersTls bool http1Disabled bool @@ -130,6 +131,10 @@ func (_server *server) ServeUnwrapped (_context *fasthttp.RequestCtx) () { } if bytes.HasPrefix (_path, StringToBytes ("/__/")) { + if !_server.specialPagesEnabled { + _server.ServeError (_context, http.StatusForbidden, nil, false) + return + } if bytes.Equal (_path, StringToBytes ("/__/heartbeat")) || bytes.HasPrefix (_path, StringToBytes ("/__/heartbeat/")) { _server.ServeStatic (_context, http.StatusOK, HeartbeatDataOk, HeartbeatContentType, HeartbeatContentEncoding, false) return @@ -757,6 +762,7 @@ func main_0 () (error) { var _indexDataMeta bool var _indexDataContent bool var _hostsDisabled bool + var _specialPagesEnabled bool var _securityHeadersEnabled bool var _securityHeadersTls bool var _timeoutDisabled bool @@ -802,8 +808,9 @@ func main_0 () (error) { _indexDataContent_0 := _flags.Bool ("index-data-content", false, "") _timeoutDisabled_0 := _flags.Bool ("timeout-disable", false, "") _hostsDisabled_0 := _flags.Bool ("hosts-disable", false, "") - _securityHeadersTls_0 := _flags.Bool ("security-headers-tls", false, "") + _specialPagesDisabled_0 := _flags.Bool ("special-pages-disable", false, "") _securityHeadersDisabled_0 := _flags.Bool ("security-headers-disable", false, "") + _securityHeadersTls_0 := _flags.Bool ("security-headers-tls", false, "") _tlsPrivate_0 := _flags.String ("tls-private", "", "") _tlsPublic_0 := _flags.String ("tls-public", "", "") _tlsBundle_0 := _flags.String ("tls-bundle", "", "") @@ -841,8 +848,9 @@ func main_0 () (error) { _indexDataMeta = _indexAll || *_indexDataMeta_0 _indexDataContent = _indexAll || *_indexDataContent_0 _hostsDisabled = *_hostsDisabled_0 - _securityHeadersTls = *_securityHeadersTls_0 + _specialPagesEnabled = ! *_specialPagesDisabled_0 _securityHeadersEnabled = ! *_securityHeadersDisabled_0 + _securityHeadersTls = *_securityHeadersTls_0 _timeoutDisabled = *_timeoutDisabled_0 _processes = *_processes_0 _threads = *_threads_0 @@ -1070,12 +1078,15 @@ func main_0 () (error) { if _hostsDisabled { _processArguments = append (_processArguments, "--hosts-disabled") } - if _securityHeadersTls { - _processArguments = append (_processArguments, "--security-headers-tls") + if !_specialPagesEnabled { + _processArguments = append (_processArguments, "--special-pages-disable") } if !_securityHeadersEnabled { _processArguments = append (_processArguments, "--security-headers-disable") } + if _securityHeadersTls { + _processArguments = append (_processArguments, "--security-headers-tls") + } if _tlsPrivate != "" { _processArguments = append (_processArguments, "--tls-private", _tlsPrivate) } @@ -1550,8 +1561,9 @@ func main_0 () (error) { cachedDataMeta : _cachedDataMeta, cachedDataContent : _cachedDataContent, hostsDisabled : _hostsDisabled, - securityHeadersTls : _securityHeadersTls, + specialPagesEnabled : _specialPagesEnabled, securityHeadersEnabled : _securityHeadersEnabled, + securityHeadersTls : _securityHeadersTls, http1Disabled : _http1Disabled, http2Disabled : _http2Disabled, http3AltSvc : _http3AltSvc, diff --git a/sources/cmd/server/usage.txt b/sources/cmd/server/usage.txt index a69c6a5..b2252d1 100644 --- a/sources/cmd/server/usage.txt +++ b/sources/cmd/server/usage.txt @@ -32,8 +32,9 @@ --hosts-disable (ignore `Host` header) - --security-headers-tls + --special-pages-disable --security-headers-disable + --security-headers-tls --limit-memory --timeout-disable