[server][documentation] Add support for disabling special pages (like /__/about).

Ciprian Dorin Craciun 2022-09-02 15:15:29 +03:00
parent 8431181a36
commit d820581ec2
6 changed files with 102 additions and 45 deletions

View file

@ -76,8 +76,9 @@ kawipiko -- blazingly fast static HTTP server \- kawipiko-server
\-\-hosts\-disable (ignore \(gaHost\(ga header) \-\-hosts\-disable (ignore \(gaHost\(ga header)
\-\-security\-headers\-tls \-\-special\-pages\-disable
\-\-security\-headers\-disable \-\-security\-headers\-disable
\-\-security\-headers\-tls
\-\-limit\-memory <MiB> \-\-limit\-memory <MiB>
\-\-timeout\-disable \-\-timeout\-disable
@ -217,24 +218,21 @@ Disables the virtual\-hosts feature by ignoring the \fIHost\fP header.
.UNINDENT .UNINDENT
.UNINDENT .UNINDENT
.sp .sp
\fB\-\-security\-headers\-tls\fP \fB\-\-special\-pages\-disable\fP
.INDENT 0.0 .INDENT 0.0
.INDENT 3.5 .INDENT 3.5
Enables adding the following TLS related headers to the response: Disables serving a few special pages internal to the server like:
.INDENT 0.0 .INDENT 0.0
.INDENT 3.5 .INDENT 3.5
.sp /__/about
.nf /__/version
.ft C /__/heartbeat
Strict\-Transport\-Security: max\-age=31536000 /__/sources.md5
Content\-Security\-Policy: upgrade\-insecure\-requests /__/sources.cpio
.ft P /__/banners/errors/403
.fi /__/banners/errors/...
.UNINDENT .UNINDENT
.UNINDENT .UNINDENT
.sp
These instruct the browser to always use HTTPS for the served domain.
(Useful even without HTTPS, when used behind a TLS terminator, load\-balancer or proxy that do support HTTPS.)
.UNINDENT .UNINDENT
.UNINDENT .UNINDENT
.sp .sp
@ -258,6 +256,27 @@ X\-Frame\-Options: sameorigin
.UNINDENT .UNINDENT
.UNINDENT .UNINDENT
.sp .sp
\fB\-\-security\-headers\-tls\fP
.INDENT 0.0
.INDENT 3.5
Enables adding the following TLS related headers to the response:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
Strict\-Transport\-Security: max\-age=31536000
Content\-Security\-Policy: upgrade\-insecure\-requests
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
These instruct the browser to always use HTTPS for the served domain.
(Useful even without HTTPS, when used behind a TLS terminator, load\-balancer or proxy that do support HTTPS.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-report\fP \fB\-\-report\fP
.INDENT 0.0 .INDENT 0.0
.INDENT 3.5 .INDENT 3.5

View file

@ -47,8 +47,9 @@ kawipiko -- blazingly fast static HTTP server
--hosts-disable (ignore `Host` header) --hosts-disable (ignore `Host` header)
--security-headers-tls --special-pages-disable
--security-headers-disable --security-headers-disable
--security-headers-tls
--limit-memory <MiB> --limit-memory <MiB>
--timeout-disable --timeout-disable
@ -150,15 +151,17 @@ Flags
Disables the virtual-hosts feature by ignoring the `Host` header. Disables the virtual-hosts feature by ignoring the `Host` header.
``--security-headers-tls`` ``--special-pages-disable``
Enables adding the following TLS related headers to the response: :: Disables serving a few special pages internal to the server like:
Strict-Transport-Security: max-age=31536000 /__/about
Content-Security-Policy: upgrade-insecure-requests /__/version
/__/heartbeat
These instruct the browser to always use HTTPS for the served domain. /__/sources.md5
(Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.) /__/sources.cpio
/__/banners/errors/403
/__/banners/errors/...
``--security-headers-disable`` ``--security-headers-disable``
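Review bot: the new ``--special-pages-disable`` entry does not say what a request under ``/__/`` receives once the flag is set; the server hunk in this commit answers the whole prefix with 403 Forbidden, and since ``/__/heartbeat`` is in the listed pages, any load-balancer or monitoring health probe pointed at it will start failing as soon as the flag is enabled. Suggest adding a sentence after the list along the lines of ``When disabled, any request under /__/ is answered with 403 Forbidden (this includes /__/heartbeat, so do not enable the flag if it is used for health checks).`` so operators can plan for it.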
@ -169,6 +172,16 @@ Flags
X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin X-Frame-Options: sameorigin
``--security-headers-tls``
Enables adding the following TLS related headers to the response: ::
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: upgrade-insecure-requests
These instruct the browser to always use HTTPS for the served domain.
(Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.)
``--report`` ``--report``
Enables periodic reporting of various metrics. Enables periodic reporting of various metrics.

View file

@ -38,8 +38,9 @@ NAME
--hosts-disable (ignore `Host` header) --hosts-disable (ignore `Host` header)
--security-headers-tls --special-pages-disable
--security-headers-disable --security-headers-disable
--security-headers-tls
--limit-memory <MiB> --limit-memory <MiB>
--timeout-disable --timeout-disable
@ -180,6 +181,19 @@ FLAGS
--hosts-disable --hosts-disable
Disables the virtual-hosts feature by ignoring the Host header. Disables the virtual-hosts feature by ignoring the Host header.
--special-pages-disable
Disables serving a few special pages internal to the server like:
/__/about /__/version /__/heartbeat /__/sources.md5
/__/sources.cpio /__/banners/errors/403 /__/banners/errors/...
--security-headers-disable
Disables adding a few security related headers:
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
--security-headers-tls --security-headers-tls
Enables adding the following TLS related headers to the response: Enables adding the following TLS related headers to the response:
@ -190,14 +204,6 @@ FLAGS
domain. (Useful even without HTTPS, when used behind a TLS domain. (Useful even without HTTPS, when used behind a TLS
terminator, load-balancer or proxy that do support HTTPS.) terminator, load-balancer or proxy that do support HTTPS.)
--security-headers-disable
Disables adding a few security related headers:
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
--report --report
Enables periodic reporting of various metrics. Also enables Enables periodic reporting of various metrics. Also enables
reporting a selection of metrics if certain thresholds are matched reporting a selection of metrics if certain thresholds are matched

View file

@ -38,8 +38,9 @@ NAME
--hosts-disable (ignore `Host` header) --hosts-disable (ignore `Host` header)
--security-headers-tls --special-pages-disable
--security-headers-disable --security-headers-disable
--security-headers-tls
--limit-memory <MiB> --limit-memory <MiB>
--timeout-disable --timeout-disable
@ -180,6 +181,19 @@ FLAGS
--hosts-disable --hosts-disable
Disables the virtual-hosts feature by ignoring the Host header. Disables the virtual-hosts feature by ignoring the Host header.
--special-pages-disable
Disables serving a few special pages internal to the server like:
/__/about /__/version /__/heartbeat /__/sources.md5
/__/sources.cpio /__/banners/errors/403 /__/banners/errors/...
--security-headers-disable
Disables adding a few security related headers:
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
--security-headers-tls --security-headers-tls
Enables adding the following TLS related headers to the response: Enables adding the following TLS related headers to the response:
@ -190,14 +204,6 @@ FLAGS
domain. (Useful even without HTTPS, when used behind a TLS domain. (Useful even without HTTPS, when used behind a TLS
terminator, load-balancer or proxy that do support HTTPS.) terminator, load-balancer or proxy that do support HTTPS.)
--security-headers-disable
Disables adding a few security related headers:
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
--report --report
Enables periodic reporting of various metrics. Also enables Enables periodic reporting of various metrics. Also enables
reporting a selection of metrics if certain thresholds are matched reporting a selection of metrics if certain thresholds are matched

View file

@ -55,6 +55,7 @@ type server struct {
cachedDataMeta map[uint64][]byte cachedDataMeta map[uint64][]byte
cachedDataContent map[uint64][]byte cachedDataContent map[uint64][]byte
hostsDisabled bool hostsDisabled bool
specialPagesEnabled bool
securityHeadersEnabled bool securityHeadersEnabled bool
securityHeadersTls bool securityHeadersTls bool
http1Disabled bool http1Disabled bool
@ -130,6 +131,10 @@ func (_server *server) ServeUnwrapped (_context *fasthttp.RequestCtx) () {
} }
if bytes.HasPrefix (_path, StringToBytes ("/__/")) { if bytes.HasPrefix (_path, StringToBytes ("/__/")) {
if !_server.specialPagesEnabled {
_server.ServeError (_context, http.StatusForbidden, nil, false)
return
}
if bytes.Equal (_path, StringToBytes ("/__/heartbeat")) || bytes.HasPrefix (_path, StringToBytes ("/__/heartbeat/")) { if bytes.Equal (_path, StringToBytes ("/__/heartbeat")) || bytes.HasPrefix (_path, StringToBytes ("/__/heartbeat/")) {
_server.ServeStatic (_context, http.StatusOK, HeartbeatDataOk, HeartbeatContentType, HeartbeatContentEncoding, false) _server.ServeStatic (_context, http.StatusOK, HeartbeatDataOk, HeartbeatContentType, HeartbeatContentEncoding, false)
return return
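Review bot: the new check rejects every ``/__/`` request with ``http.StatusForbidden`` when ``specialPagesEnabled`` is false, which still tells a client that the prefix is reserved, whereas a non-existent path elsewhere is presumably answered as not found; if the purpose of the flag is to hide the internal pages (version, sources archive) rather than only to block them, consider answering 404 instead so the namespace is indistinguishable from any other missing path. Either status is acceptable as long as it is documented, but note that the branch sits before the ``/__/heartbeat`` handling in the same hunk, so the heartbeat endpoint is also cut off by the flag.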
@ -757,6 +762,7 @@ func main_0 () (error) {
var _indexDataMeta bool var _indexDataMeta bool
var _indexDataContent bool var _indexDataContent bool
var _hostsDisabled bool var _hostsDisabled bool
var _specialPagesEnabled bool
var _securityHeadersEnabled bool var _securityHeadersEnabled bool
var _securityHeadersTls bool var _securityHeadersTls bool
var _timeoutDisabled bool var _timeoutDisabled bool
@ -802,8 +808,9 @@ func main_0 () (error) {
_indexDataContent_0 := _flags.Bool ("index-data-content", false, "") _indexDataContent_0 := _flags.Bool ("index-data-content", false, "")
_timeoutDisabled_0 := _flags.Bool ("timeout-disable", false, "") _timeoutDisabled_0 := _flags.Bool ("timeout-disable", false, "")
_hostsDisabled_0 := _flags.Bool ("hosts-disable", false, "") _hostsDisabled_0 := _flags.Bool ("hosts-disable", false, "")
_securityHeadersTls_0 := _flags.Bool ("security-headers-tls", false, "") _specialPagesDisabled_0 := _flags.Bool ("special-pages-disable", false, "")
_securityHeadersDisabled_0 := _flags.Bool ("security-headers-disable", false, "") _securityHeadersDisabled_0 := _flags.Bool ("security-headers-disable", false, "")
_securityHeadersTls_0 := _flags.Bool ("security-headers-tls", false, "")
_tlsPrivate_0 := _flags.String ("tls-private", "", "") _tlsPrivate_0 := _flags.String ("tls-private", "", "")
_tlsPublic_0 := _flags.String ("tls-public", "", "") _tlsPublic_0 := _flags.String ("tls-public", "", "")
_tlsBundle_0 := _flags.String ("tls-bundle", "", "") _tlsBundle_0 := _flags.String ("tls-bundle", "", "")
@ -841,8 +848,9 @@ func main_0 () (error) {
_indexDataMeta = _indexAll || *_indexDataMeta_0 _indexDataMeta = _indexAll || *_indexDataMeta_0
_indexDataContent = _indexAll || *_indexDataContent_0 _indexDataContent = _indexAll || *_indexDataContent_0
_hostsDisabled = *_hostsDisabled_0 _hostsDisabled = *_hostsDisabled_0
_securityHeadersTls = *_securityHeadersTls_0 _specialPagesEnabled = ! *_specialPagesDisabled_0
_securityHeadersEnabled = ! *_securityHeadersDisabled_0 _securityHeadersEnabled = ! *_securityHeadersDisabled_0
_securityHeadersTls = *_securityHeadersTls_0
_timeoutDisabled = *_timeoutDisabled_0 _timeoutDisabled = *_timeoutDisabled_0
_processes = *_processes_0 _processes = *_processes_0
_threads = *_threads_0 _threads = *_threads_0
@ -1070,12 +1078,15 @@ func main_0 () (error) {
if _hostsDisabled { if _hostsDisabled {
_processArguments = append (_processArguments, "--hosts-disabled") _processArguments = append (_processArguments, "--hosts-disabled")
} }
if _securityHeadersTls { if !_specialPagesEnabled {
_processArguments = append (_processArguments, "--security-headers-tls") _processArguments = append (_processArguments, "--special-pages-disable")
} }
if !_securityHeadersEnabled { if !_securityHeadersEnabled {
_processArguments = append (_processArguments, "--security-headers-disable") _processArguments = append (_processArguments, "--security-headers-disable")
} }
if _securityHeadersTls {
_processArguments = append (_processArguments, "--security-headers-tls")
}
if _tlsPrivate != "" { if _tlsPrivate != "" {
_processArguments = append (_processArguments, "--tls-private", _tlsPrivate) _processArguments = append (_processArguments, "--tls-private", _tlsPrivate)
} }
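Review bot: the new branch correctly forwards ``--special-pages-disable``, matching the name registered with ``_flags.Bool ("special-pages-disable", ...)`` earlier in this file; the unchanged context line just above it, however, appends ``--hosts-disabled`` while the corresponding flag is registered as ``hosts-disable``. If ``_processArguments`` is re-parsed by the same flag set in the child processes, that pre-existing mismatch would reject the argument; worth a follow-up in a separate commit rather than here.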
@ -1550,8 +1561,9 @@ func main_0 () (error) {
cachedDataMeta : _cachedDataMeta, cachedDataMeta : _cachedDataMeta,
cachedDataContent : _cachedDataContent, cachedDataContent : _cachedDataContent,
hostsDisabled : _hostsDisabled, hostsDisabled : _hostsDisabled,
securityHeadersTls : _securityHeadersTls, specialPagesEnabled : _specialPagesEnabled,
securityHeadersEnabled : _securityHeadersEnabled, securityHeadersEnabled : _securityHeadersEnabled,
securityHeadersTls : _securityHeadersTls,
http1Disabled : _http1Disabled, http1Disabled : _http1Disabled,
http2Disabled : _http2Disabled, http2Disabled : _http2Disabled,
http3AltSvc : _http3AltSvc, http3AltSvc : _http3AltSvc,

View file

@ -32,8 +32,9 @@
--hosts-disable (ignore `Host` header) --hosts-disable (ignore `Host` header)
--security-headers-tls --special-pages-disable
--security-headers-disable --security-headers-disable
--security-headers-tls
--limit-memory <MiB> --limit-memory <MiB>
--timeout-disable --timeout-disable