From d820581ec2fb15662b7af606b03d984970478c72 Mon Sep 17 00:00:00 2001 From: Ciprian Dorin Craciun Date: Fri, 2 Sep 2022 15:15:29 +0300 Subject: [PATCH] [server][documentation] Add support for disabling special pages (like `/__/about`). --- documentation/manuals/server.1.man | 45 +++++++++++++++++++++--------- documentation/manuals/server.rst | 29 +++++++++++++------ documentation/manuals/server.txt | 24 ++++++++++------ sources/cmd/server/manual.txt | 24 ++++++++++------ sources/cmd/server/server.go | 22 +++++++++++---- sources/cmd/server/usage.txt | 3 +- 6 files changed, 102 insertions(+), 45 deletions(-) diff --git a/documentation/manuals/server.1.man b/documentation/manuals/server.1.man index 6544e28..e705f9e 100644 --- a/documentation/manuals/server.1.man +++ b/documentation/manuals/server.1.man @@ -76,8 +76,9 @@ kawipiko -- blazingly fast static HTTP server \- kawipiko-server \-\-hosts\-disable (ignore \(gaHost\(ga header) -\-\-security\-headers\-tls +\-\-special\-pages\-disable \-\-security\-headers\-disable +\-\-security\-headers\-tls \-\-limit\-memory \-\-timeout\-disable @@ -217,24 +218,21 @@ Disables the virtual\-hosts feature by ignoring the \fIHost\fP header. .UNINDENT .UNINDENT .sp -\fB\-\-security\-headers\-tls\fP +\fB\-\-special\-pages\-disable\fP .INDENT 0.0 .INDENT 3.5 -Enables adding the following TLS related headers to the response: +Disables serving a few special pages internal to the server like: .INDENT 0.0 .INDENT 3.5 -.sp -.nf -.ft C -Strict\-Transport\-Security: max\-age=31536000 -Content\-Security\-Policy: upgrade\-insecure\-requests -.ft P -.fi +/__/about +/__/version +/__/heartbeat +/__/sources.md5 +/__/sources.cpio +/__/banners/errors/403 +/__/banners/errors/... .UNINDENT .UNINDENT -.sp -These instruct the browser to always use HTTPS for the served domain. -(Useful even without HTTPS, when used behind a TLS terminator, load\-balancer or proxy that do support HTTPS.) .UNINDENT .UNINDENT .sp 
@@ -258,6 +256,27 @@ X\-Frame\-Options: sameorigin .UNINDENT .UNINDENT .sp +\fB\-\-security\-headers\-tls\fP +.INDENT 0.0 +.INDENT 3.5 +Enables adding the following TLS related headers to the response: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +Strict\-Transport\-Security: max\-age=31536000 +Content\-Security\-Policy: upgrade\-insecure\-requests +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +These instruct the browser to always use HTTPS for the served domain. +(Useful even without HTTPS, when used behind a TLS terminator, load\-balancer or proxy that do support HTTPS.) +.UNINDENT +.UNINDENT +.sp \fB\-\-report\fP .INDENT 0.0 .INDENT 3.5 diff --git a/documentation/manuals/server.rst b/documentation/manuals/server.rst index 6ed9488..1d4d604 100644 --- a/documentation/manuals/server.rst +++ b/documentation/manuals/server.rst @@ -47,8 +47,9 @@ kawipiko -- blazingly fast static HTTP server --hosts-disable (ignore `Host` header) - --security-headers-tls + --special-pages-disable --security-headers-disable + --security-headers-tls --limit-memory --timeout-disable @@ -150,15 +151,17 @@ Flags Disables the virtual-hosts feature by ignoring the `Host` header. -``--security-headers-tls`` +``--special-pages-disable`` - Enables adding the following TLS related headers to the response: :: + Disables serving a few special pages internal to the server like: - Strict-Transport-Security: max-age=31536000 - Content-Security-Policy: upgrade-insecure-requests - - These instruct the browser to always use HTTPS for the served domain. - (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.) + /__/about + /__/version + /__/heartbeat + /__/sources.md5 + /__/sources.cpio + /__/banners/errors/403 + /__/banners/errors/... ``--security-headers-disable`` 
@@ -169,6 +172,16 @@ Flags X-XSS-Protection: 1; mode=block X-Frame-Options: sameorigin +``--security-headers-tls`` + + Enables adding the following TLS related headers to the response: :: + + Strict-Transport-Security: max-age=31536000 + Content-Security-Policy: upgrade-insecure-requests + + These instruct the browser to always use HTTPS for the served domain. + (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.) + ``--report`` Enables periodic reporting of various metrics. diff --git a/documentation/manuals/server.txt b/documentation/manuals/server.txt index b23ac6f..f155b2a 100644 --- a/documentation/manuals/server.txt +++ b/documentation/manuals/server.txt @@ -38,8 +38,9 @@ NAME --hosts-disable (ignore `Host` header) - --security-headers-tls + --special-pages-disable --security-headers-disable + --security-headers-tls --limit-memory --timeout-disable @@ -180,6 +181,19 @@ FLAGS --hosts-disable Disables the virtual-hosts feature by ignoring the Host header. + --special-pages-disable + Disables serving a few special pages internal to the server like: + /__/about /__/version /__/heartbeat /__/sources.md5 + /__/sources.cpio /__/banners/errors/403 /__/banners/errors/... + + --security-headers-disable + Disables adding a few security related headers: + + Referrer-Policy: strict-origin-when-cross-origin + X-Content-Type-Options: nosniff + X-XSS-Protection: 1; mode=block + X-Frame-Options: sameorigin + --security-headers-tls Enables adding the following TLS related headers to the response: 
@@ -190,14 +204,6 @@ FLAGS domain. (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.) - --security-headers-disable - Disables adding a few security related headers: - - Referrer-Policy: strict-origin-when-cross-origin - X-Content-Type-Options: nosniff - X-XSS-Protection: 1; mode=block - X-Frame-Options: sameorigin - --report Enables periodic reporting of various metrics. Also enables reporting a selection of metrics if certain thresholds are matched diff --git a/sources/cmd/server/manual.txt b/sources/cmd/server/manual.txt index b23ac6f..f155b2a 100644 --- a/sources/cmd/server/manual.txt +++ b/sources/cmd/server/manual.txt @@ -38,8 +38,9 @@ NAME --hosts-disable (ignore `Host` header) - --security-headers-tls + --special-pages-disable --security-headers-disable + --security-headers-tls --limit-memory --timeout-disable @@ -180,6 +181,19 @@ FLAGS --hosts-disable Disables the virtual-hosts feature by ignoring the Host header. + --special-pages-disable + Disables serving a few special pages internal to the server like: + /__/about /__/version /__/heartbeat /__/sources.md5 + /__/sources.cpio /__/banners/errors/403 /__/banners/errors/... + + --security-headers-disable + Disables adding a few security related headers: + + Referrer-Policy: strict-origin-when-cross-origin + X-Content-Type-Options: nosniff + X-XSS-Protection: 1; mode=block + X-Frame-Options: sameorigin + --security-headers-tls Enables adding the following TLS related headers to the response: 
@@ -190,14 +204,6 @@ FLAGS domain. (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.) - --security-headers-disable - Disables adding a few security related headers: - - Referrer-Policy: strict-origin-when-cross-origin - X-Content-Type-Options: nosniff - X-XSS-Protection: 1; mode=block - X-Frame-Options: sameorigin - --report Enables periodic reporting of various metrics. Also enables reporting a selection of metrics if certain thresholds are matched diff --git a/sources/cmd/server/server.go b/sources/cmd/server/server.go index 759c900..705dfe8 100644 --- a/sources/cmd/server/server.go +++ b/sources/cmd/server/server.go @@ -55,6 +55,7 @@ type server struct { cachedDataMeta map[uint64][]byte cachedDataContent map[uint64][]byte hostsDisabled bool + specialPagesEnabled bool securityHeadersEnabled bool securityHeadersTls bool http1Disabled bool @@ -130,6 +131,10 @@ func (_server *server) ServeUnwrapped (_context *fasthttp.RequestCtx) () { } if bytes.HasPrefix (_path, StringToBytes ("/__/")) { + if !_server.specialPagesEnabled { + _server.ServeError (_context, http.StatusForbidden, nil, false) + return + } if bytes.Equal (_path, StringToBytes ("/__/heartbeat")) || bytes.HasPrefix (_path, StringToBytes ("/__/heartbeat/")) { _server.ServeStatic (_context, http.StatusOK, HeartbeatDataOk, HeartbeatContentType, HeartbeatContentEncoding, false) return @@ -757,6 +762,7 @@ func main_0 () (error) { var _indexDataMeta bool var _indexDataContent bool var _hostsDisabled bool + var _specialPagesEnabled bool var _securityHeadersEnabled bool var _securityHeadersTls bool var _timeoutDisabled bool 
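Review bot: The new guard at the top of the `/__/` branch in ServeUnwrapped answers every reserved-prefix request with 403 once special pages are disabled, which still tells a client that the prefix is reserved by this server; if the intent of the flag is to hide the internal pages, 404 (`_server.ServeError (_context, http.StatusNotFound, nil, false)`) would make them indistinguishable from any other missing resource, and if 403 is deliberate a one-line comment saying so would stop the next reader from "fixing" it. ServeError's body is outside the hunk, so it is also worth confirming that it does not itself resolve the `/__/banners/errors/403` page that the manual lists as disabled by this same flag, otherwise the disabled state would still render a special page. Because the guard sits before the `/__/heartbeat` branch, the flag also switches off the heartbeat endpoint — consistent with the manual, but operators relying on it for health checks will see the new status after enabling the flag. ServeUnwrapped begins before and continues past this hunk.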
@@ -802,8 +808,9 @@ func main_0 () (error) {
 	_indexDataContent_0 := _flags.Bool ("index-data-content", false, "")
 	_timeoutDisabled_0 := _flags.Bool ("timeout-disable", false, "")
 	_hostsDisabled_0 := _flags.Bool ("hosts-disable", false, "")
-	_securityHeadersTls_0 := _flags.Bool ("security-headers-tls", false, "")
+	_specialPagesDisabled_0 := _flags.Bool ("special-pages-disable", false, "")
 	_securityHeadersDisabled_0 := _flags.Bool ("security-headers-disable", false, "")
+	_securityHeadersTls_0 := _flags.Bool ("security-headers-tls", false, "")
 	_tlsPrivate_0 := _flags.String ("tls-private", "", "")
 	_tlsPublic_0 := _flags.String ("tls-public", "", "")
 	_tlsBundle_0 := _flags.String ("tls-bundle", "", "")
@@ -841,8 +848,9 @@ func main_0 () (error) {
 	_indexDataMeta = _indexAll || *_indexDataMeta_0
 	_indexDataContent = _indexAll || *_indexDataContent_0
 	_hostsDisabled = *_hostsDisabled_0
-	_securityHeadersTls = *_securityHeadersTls_0
+	_specialPagesEnabled = ! *_specialPagesDisabled_0
 	_securityHeadersEnabled = ! *_securityHeadersDisabled_0
+	_securityHeadersTls = *_securityHeadersTls_0
 	_timeoutDisabled = *_timeoutDisabled_0
 	_processes = *_processes_0
 	_threads = *_threads_0
@@ -1070,12 +1078,15 @@ func main_0 () (error) {
 	if _hostsDisabled {
 		_processArguments = append (_processArguments, "--hosts-disabled")
 	}
-	if _securityHeadersTls {
-		_processArguments = append (_processArguments, "--security-headers-tls")
+	if !_specialPagesEnabled {
+		_processArguments = append (_processArguments, "--special-pages-disable")
 	}
 	if !_securityHeadersEnabled {
 		_processArguments = append (_processArguments, "--security-headers-disable")
 	}
+	if _securityHeadersTls {
+		_processArguments = append (_processArguments, "--security-headers-tls")
+	}
 	if _tlsPrivate != "" {
 		_processArguments = append (_processArguments, "--tls-private", _tlsPrivate)
 	}
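Review bot: In the re-exec argument hunk at +1078, the new `"--special-pages-disable"` and `"--security-headers-tls"` literals repeat by hand the names registered with `_flags.Bool` in the hunk at +808, so the two sites can drift independently; the neighbouring context line already passes `"--hosts-disabled"` while the registered flag is `"hosts-disable"`, which looks like a pre-existing instance of exactly that drift (not introduced here, but worth a separate check of how the worker parses it). A single constant per flag name, e.g. `const flagSpecialPagesDisable = "special-pages-disable"`, used both in the `_flags.Bool` call and in the `append`, would keep registration and propagation in lock-step. main_0 starts before and continues past these hunks.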
@@ -1550,8 +1561,9 @@ func main_0 () (error) { cachedDataMeta : _cachedDataMeta, cachedDataContent : _cachedDataContent, hostsDisabled : _hostsDisabled, - securityHeadersTls : _securityHeadersTls, + specialPagesEnabled : _specialPagesEnabled, securityHeadersEnabled : _securityHeadersEnabled, + securityHeadersTls : _securityHeadersTls, http1Disabled : _http1Disabled, http2Disabled : _http2Disabled, http3AltSvc : _http3AltSvc, diff --git a/sources/cmd/server/usage.txt b/sources/cmd/server/usage.txt index a69c6a5..b2252d1 100644 --- a/sources/cmd/server/usage.txt +++ b/sources/cmd/server/usage.txt @@ -32,8 +32,9 @@ --hosts-disable (ignore `Host` header) - --security-headers-tls + --special-pages-disable --security-headers-disable + --security-headers-tls --limit-memory --timeout-disable