[server][documentation] Add support for disabling special pages (like /__/about).

Ciprian Dorin Craciun 2022-09-02 15:15:29 +03:00
parent 8431181a36
commit d820581ec2
6 changed files with 102 additions and 45 deletions


@ -76,8 +76,9 @@ kawipiko -- blazingly fast static HTTP server \- kawipiko-server
\-\-hosts\-disable (ignore \(gaHost\(ga header)
\-\-security\-headers\-tls
\-\-special\-pages\-disable
\-\-security\-headers\-disable
\-\-security\-headers\-tls
\-\-limit\-memory <MiB>
\-\-timeout\-disable
@ -217,24 +218,21 @@ Disables the virtual\-hosts feature by ignoring the \fIHost\fP header.
.UNINDENT
.UNINDENT
.sp
\fB\-\-security\-headers\-tls\fP
\fB\-\-special\-pages\-disable\fP
.INDENT 0.0
.INDENT 3.5
Enables adding the following TLS related headers to the response:
Disables serving a few special pages internal to the server like:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
Strict\-Transport\-Security: max\-age=31536000
Content\-Security\-Policy: upgrade\-insecure\-requests
.ft P
.fi
/__/about
/__/version
/__/heartbeat
/__/sources.md5
/__/sources.cpio
/__/banners/errors/403
/__/banners/errors/...
.UNINDENT
.UNINDENT
.sp
These instruct the browser to always use HTTPS for the served domain.
(Useful even without HTTPS, when used behind a TLS terminator, load\-balancer or proxy that do support HTTPS.)
.UNINDENT
.UNINDENT
.sp
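Review bot: the description added for `--special-pages-disable` in this hunk says it disables "a few special pages ... like" and ends the list with `/__/banners/errors/...`, but the server change in this commit answers 403 for every path that starts with `/__/` once the flag is set. Say so explicitly (whole `/__/` prefix, status 403 Forbidden) so operators do not have to infer the scope from an open-ended list.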
@ -258,6 +256,27 @@ X\-Frame\-Options: sameorigin
.UNINDENT
.UNINDENT
.sp
\fB\-\-security\-headers\-tls\fP
.INDENT 0.0
.INDENT 3.5
Enables adding the following TLS related headers to the response:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
Strict\-Transport\-Security: max\-age=31536000
Content\-Security\-Policy: upgrade\-insecure\-requests
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
These instruct the browser to always use HTTPS for the served domain.
(Useful even without HTTPS, when used behind a TLS terminator, load\-balancer or proxy that do support HTTPS.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-report\fP
.INDENT 0.0
.INDENT 3.5


@ -47,8 +47,9 @@ kawipiko -- blazingly fast static HTTP server
--hosts-disable (ignore `Host` header)
--security-headers-tls
--special-pages-disable
--security-headers-disable
--security-headers-tls
--limit-memory <MiB>
--timeout-disable
@ -150,15 +151,17 @@ Flags
Disables the virtual-hosts feature by ignoring the `Host` header.
``--security-headers-tls``
``--special-pages-disable``
Enables adding the following TLS related headers to the response: ::
Disables serving a few special pages internal to the server like:
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: upgrade-insecure-requests
These instruct the browser to always use HTTPS for the served domain.
(Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.)
/__/about
/__/version
/__/heartbeat
/__/sources.md5
/__/sources.cpio
/__/banners/errors/403
/__/banners/errors/...
``--security-headers-disable``
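Review bot: the added sentence `Disables serving a few special pages internal to the server like:` ends with a single colon, while the `--security-headers-tls` text it displaces here ended with `: ::` to open a literal block. Without the `::` the path list is treated as ordinary text, which matches what the generated outputs in this commit show: the text manual reflows the paths as `/__/about /__/version /__/heartbeat /__/sources.md5` on one line, and the man page loses the `.nf` / `.ft C` wrapper around them. End the sentence with `like: ::` so the paths render one per line.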
@ -169,6 +172,16 @@ Flags
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
``--security-headers-tls``
Enables adding the following TLS related headers to the response: ::
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: upgrade-insecure-requests
These instruct the browser to always use HTTPS for the served domain.
(Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.)
``--report``
Enables periodic reporting of various metrics.


@ -38,8 +38,9 @@ NAME
--hosts-disable (ignore `Host` header)
--security-headers-tls
--special-pages-disable
--security-headers-disable
--security-headers-tls
--limit-memory <MiB>
--timeout-disable
@ -180,6 +181,19 @@ FLAGS
--hosts-disable
Disables the virtual-hosts feature by ignoring the Host header.
--special-pages-disable
Disables serving a few special pages internal to the server like:
/__/about /__/version /__/heartbeat /__/sources.md5
/__/sources.cpio /__/banners/errors/403 /__/banners/errors/...
--security-headers-disable
Disables adding a few security related headers:
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
--security-headers-tls
Enables adding the following TLS related headers to the response:
@ -190,14 +204,6 @@ FLAGS
domain. (Useful even without HTTPS, when used behind a TLS
terminator, load-balancer or proxy that do support HTTPS.)
--security-headers-disable
Disables adding a few security related headers:
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
--report
Enables periodic reporting of various metrics. Also enables
reporting a selection of metrics if certain thresholds are matched


@ -38,8 +38,9 @@ NAME
--hosts-disable (ignore `Host` header)
--security-headers-tls
--special-pages-disable
--security-headers-disable
--security-headers-tls
--limit-memory <MiB>
--timeout-disable
@ -180,6 +181,19 @@ FLAGS
--hosts-disable
Disables the virtual-hosts feature by ignoring the Host header.
--special-pages-disable
Disables serving a few special pages internal to the server like:
/__/about /__/version /__/heartbeat /__/sources.md5
/__/sources.cpio /__/banners/errors/403 /__/banners/errors/...
--security-headers-disable
Disables adding a few security related headers:
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
--security-headers-tls
Enables adding the following TLS related headers to the response:
@ -190,14 +204,6 @@ FLAGS
domain. (Useful even without HTTPS, when used behind a TLS
terminator, load-balancer or proxy that do support HTTPS.)
--security-headers-disable
Disables adding a few security related headers:
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
--report
Enables periodic reporting of various metrics. Also enables
reporting a selection of metrics if certain thresholds are matched


@ -55,6 +55,7 @@ type server struct {
cachedDataMeta map[uint64][]byte
cachedDataContent map[uint64][]byte
hostsDisabled bool
specialPagesEnabled bool
securityHeadersEnabled bool
securityHeadersTls bool
http1Disabled bool
@ -130,6 +131,10 @@ func (_server *server) ServeUnwrapped (_context *fasthttp.RequestCtx) () {
}
if bytes.HasPrefix (_path, StringToBytes ("/__/")) {
if !_server.specialPagesEnabled {
_server.ServeError (_context, http.StatusForbidden, nil, false)
return
}
if bytes.Equal (_path, StringToBytes ("/__/heartbeat")) || bytes.HasPrefix (_path, StringToBytes ("/__/heartbeat/")) {
_server.ServeStatic (_context, http.StatusOK, HeartbeatDataOk, HeartbeatContentType, HeartbeatContentEncoding, false)
return
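Review bot: the `!_server.specialPagesEnabled` check sits ahead of the `/__/heartbeat` match, so with `--special-pages-disable` the heartbeat endpoint answers 403 as well. Any load balancer or monitor probing `/__/heartbeat` will then see the instance as unhealthy; either keep the heartbeat branch above the check or call the effect out in the flag's documentation. Also consider `http.StatusNotFound` instead of `http.StatusForbidden` here, since a 403 on every `/__/` path still tells a client that the prefix is reserved by the server.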
@ -757,6 +762,7 @@ func main_0 () (error) {
var _indexDataMeta bool
var _indexDataContent bool
var _hostsDisabled bool
var _specialPagesEnabled bool
var _securityHeadersEnabled bool
var _securityHeadersTls bool
var _timeoutDisabled bool
@ -802,8 +808,9 @@ func main_0 () (error) {
_indexDataContent_0 := _flags.Bool ("index-data-content", false, "")
_timeoutDisabled_0 := _flags.Bool ("timeout-disable", false, "")
_hostsDisabled_0 := _flags.Bool ("hosts-disable", false, "")
_securityHeadersTls_0 := _flags.Bool ("security-headers-tls", false, "")
_specialPagesDisabled_0 := _flags.Bool ("special-pages-disable", false, "")
_securityHeadersDisabled_0 := _flags.Bool ("security-headers-disable", false, "")
_securityHeadersTls_0 := _flags.Bool ("security-headers-tls", false, "")
_tlsPrivate_0 := _flags.String ("tls-private", "", "")
_tlsPublic_0 := _flags.String ("tls-public", "", "")
_tlsBundle_0 := _flags.String ("tls-bundle", "", "")
@ -841,8 +848,9 @@ func main_0 () (error) {
_indexDataMeta = _indexAll || *_indexDataMeta_0
_indexDataContent = _indexAll || *_indexDataContent_0
_hostsDisabled = *_hostsDisabled_0
_securityHeadersTls = *_securityHeadersTls_0
_specialPagesEnabled = ! *_specialPagesDisabled_0
_securityHeadersEnabled = ! *_securityHeadersDisabled_0
_securityHeadersTls = *_securityHeadersTls_0
_timeoutDisabled = *_timeoutDisabled_0
_processes = *_processes_0
_threads = *_threads_0
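Review bot: `_specialPagesEnabled = ! *_specialPagesDisabled_0`, combined with the `false` default given to `special-pages-disable` in the flag definitions, leaves the special pages served unless the operator opts out, and the documented list includes `/__/version`, `/__/sources.md5` and `/__/sources.cpio`. The documentation should state that default next to the flag and recommend setting it where version or source disclosure is unwanted. The inverted naming (a `...Disabled_0` flag feeding an `...Enabled` field) follows the existing `securityHeaders` pattern, so no change is needed there.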
@ -1070,12 +1078,15 @@ func main_0 () (error) {
if _hostsDisabled {
_processArguments = append (_processArguments, "--hosts-disabled")
}
if _securityHeadersTls {
_processArguments = append (_processArguments, "--security-headers-tls")
if !_specialPagesEnabled {
_processArguments = append (_processArguments, "--special-pages-disable")
}
if !_securityHeadersEnabled {
_processArguments = append (_processArguments, "--security-headers-disable")
}
if _securityHeadersTls {
_processArguments = append (_processArguments, "--security-headers-tls")
}
if _tlsPrivate != "" {
_processArguments = append (_processArguments, "--tls-private", _tlsPrivate)
}
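Review bot: the unchanged lines at the top of this hunk forward `--hosts-disabled` to the child process, but the flag is registered as `hosts-disable` in the `_flags.Bool` calls shown earlier in this commit, so that argument does not match any registered flag. The newly added `--special-pages-disable` is spelled correctly; fix the neighbouring string to `--hosts-disable` while this block is being touched, and consider deriving these argument strings from the same constants used at registration so the two cannot drift apart.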
@ -1550,8 +1561,9 @@ func main_0 () (error) {
cachedDataMeta : _cachedDataMeta,
cachedDataContent : _cachedDataContent,
hostsDisabled : _hostsDisabled,
securityHeadersTls : _securityHeadersTls,
specialPagesEnabled : _specialPagesEnabled,
securityHeadersEnabled : _securityHeadersEnabled,
securityHeadersTls : _securityHeadersTls,
http1Disabled : _http1Disabled,
http2Disabled : _http2Disabled,
http3AltSvc : _http3AltSvc,


@ -32,8 +32,9 @@
--hosts-disable (ignore `Host` header)
--security-headers-tls
--special-pages-disable
--security-headers-disable
--security-headers-tls
--limit-memory <MiB>
--timeout-disable