mirror of https://git.kore.io/kore.git
Add http_hsts_enable (enabled by default with max-age=31536000) to Kore's configuration file.
If enabled, Kore adds the HSTS header to every response. Additionally, fix some typos in the example configuration, and change the default SSL cipher list again: no more RC4, and forward secrecy for almost all browsers.
This commit is contained in:
parent
b75ac15e50
commit
8b47863cd4
|
@ -17,6 +17,7 @@
|
||||||
#ifndef __H_HTTP_H
|
#ifndef __H_HTTP_H
|
||||||
#define __H_HTTP_H
|
#define __H_HTTP_H
|
||||||
|
|
||||||
|
#define HTTP_HSTS_ENABLE 31536000
|
||||||
#define HTTP_HEADER_MAX_LEN 4096
|
#define HTTP_HEADER_MAX_LEN 4096
|
||||||
#define HTTP_POSTBODY_MAX_LEN 10240000
|
#define HTTP_POSTBODY_MAX_LEN 10240000
|
||||||
#define HTTP_URI_LEN 2000
|
#define HTTP_URI_LEN 2000
|
||||||
|
@ -80,6 +81,7 @@ struct http_request {
|
||||||
extern int http_request_count;
|
extern int http_request_count;
|
||||||
extern u_int16_t http_header_max;
|
extern u_int16_t http_header_max;
|
||||||
extern u_int64_t http_postbody_max;
|
extern u_int64_t http_postbody_max;
|
||||||
|
extern u_int64_t http_hsts_enable;
|
||||||
|
|
||||||
void http_init(void);
|
void http_init(void);
|
||||||
void http_process(void);
|
void http_process(void);
|
||||||
|
|
|
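Review bot: The new `HTTP_HSTS_ENABLE` define and the `http_hsts_enable` extern carry no comment, and the name reads as a boolean although the value is a Strict-Transport-Security max-age in seconds. I would put above the define `/* Default HSTS max-age in seconds (one year); 0 disables the header. */` and on the extern `/* HSTS max-age sent with every response; 0 = header not emitted. */`. The storage is u_int64_t while the parser in config.c bounds it with ULONG_MAX, so on an ILP32 build the configurable range is silently narrower than the type suggests; harmless, but worth a line in the same comment.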
@ -46,7 +46,7 @@
|
||||||
|
|
||||||
#define KORE_DOMAINNAME_LEN 254
|
#define KORE_DOMAINNAME_LEN 254
|
||||||
#define KORE_PIDFILE_DEFAULT "/var/run/kore.pid"
|
#define KORE_PIDFILE_DEFAULT "/var/run/kore.pid"
|
||||||
#define KORE_DEFAULT_CIPHER_LIST "EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5"
|
#define KORE_DEFAULT_CIPHER_LIST "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
|
||||||
|
|
||||||
#if defined(KORE_DEBUG)
|
#if defined(KORE_DEBUG)
|
||||||
#define kore_debug(fmt, ...) \
|
#define kore_debug(fmt, ...) \
|
||||||
|
|
|
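Review bot: The new `KORE_DEFAULT_CIPHER_LIST` ends with the `HIGH` alias, which in OpenSSL pulls in every static-RSA CBC and CAMELLIA suite behind the explicit list, so the set that can actually be negotiated is wider than the carefully ordered prefix implies. Whether the prefix wins depends on the server enforcing its own order (SSL_OP_CIPHER_SERVER_PREFERENCE on the context), which this diff does not show; please confirm it is set, otherwise a client that prefers a static-RSA suite decides. If the explicit `AES128-GCM-SHA256:AES256-GCM-SHA384` entries are the intended non-PFS fallback, `HIGH` could be replaced by that explicit fallback, or the reason it stays documented next to the define, e.g. `/* HIGH at the end keeps legacy clients connecting; everything before it is forward secret. */`.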
@ -4,7 +4,7 @@
|
||||||
bind 127.0.0.1 443
|
bind 127.0.0.1 443
|
||||||
bind ::1 443
|
bind ::1 443
|
||||||
|
|
||||||
# The path worker processes will chroot too after starting.
|
# The path worker processes will chroot into after starting.
|
||||||
chroot /home/joris/src/kore
|
chroot /home/joris/src/kore
|
||||||
|
|
||||||
# Worker processes will run as the specified user.
|
# Worker processes will run as the specified user.
|
||||||
|
@ -25,7 +25,7 @@ workers 4
|
||||||
#onload myinit
|
#onload myinit
|
||||||
|
|
||||||
# You can define a callback Kore calls from its parent process or
|
# You can define a callback Kore calls from its parent process or
|
||||||
# workers everytime # the kore_cb_interval timer (in milliseconds) is reached.
|
# workers everytime the kore_cb_interval timer (in milliseconds) is reached.
|
||||||
#
|
#
|
||||||
# NOTE: Remember that the parent process runs as root and is not chroot().
|
# NOTE: Remember that the parent process runs as root and is not chroot().
|
||||||
# NOTE: If you want the cb to run on a worker, be sure to set kore_cb_worker.
|
# NOTE: If you want the cb to run on a worker, be sure to set kore_cb_worker.
|
||||||
|
@ -36,21 +36,25 @@ workers 4
|
||||||
# HTTP specific settings.
|
# HTTP specific settings.
|
||||||
# http_header_max Maximum size of HTTP headers (in bytes).
|
# http_header_max Maximum size of HTTP headers (in bytes).
|
||||||
# http_postbody_max Maximum size of an HTTP POST body (in bytes).
|
# http_postbody_max Maximum size of an HTTP POST body (in bytes).
|
||||||
|
# http_hsts_enable Send Strict Transport Security header in
|
||||||
|
# all responses. Parameter is the age.
|
||||||
|
# Set age to 0 to disable sending this header.
|
||||||
#http_header_max 4096
|
#http_header_max 4096
|
||||||
#http_postbody_max 10240000
|
#http_postbody_max 10240000
|
||||||
|
#http_hsts_enable 31536000
|
||||||
|
|
||||||
# Specifies what module to be loaded.
|
# Specifies what module to be loaded.
|
||||||
load modules/example/example.module
|
load modules/example/example.module
|
||||||
|
|
||||||
# Specify the SSL ciphers that will be used.
|
# Specify the SSL ciphers that will be used.
|
||||||
#ssl_cipher EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
|
#ssl_cipher ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
|
||||||
|
|
||||||
# If you wish to use EDH / ECDH specify a file containing
|
# If you wish to use EDH / ECDH specify a file containing
|
||||||
# a generated DH key (See OpenSSL dhparam).
|
# a generated DH key (See OpenSSL dhparam).
|
||||||
#ssl_dhparam dh2048.pem
|
#ssl_dhparam dh2048.pem
|
||||||
|
|
||||||
# Set this if you want to disable SSL zlib compression.
|
# Set this if you want to disable SSL zlib compression.
|
||||||
#ssl_no_compression
|
ssl_no_compression
|
||||||
|
|
||||||
# Specify the amount of seconds a SPDY connection is kept open.
|
# Specify the amount of seconds a SPDY connection is kept open.
|
||||||
# You can keep it open indefinately by setting this to 0.
|
# You can keep it open indefinately by setting this to 0.
|
||||||
|
@ -78,6 +82,8 @@ domain localhost {
|
||||||
certfile cert/server.crt
|
certfile cert/server.crt
|
||||||
certkey cert/server.key
|
certkey cert/server.key
|
||||||
accesslog /var/log/kore_access.log
|
accesslog /var/log/kore_access.log
|
||||||
|
|
||||||
|
# Page handlers
|
||||||
static /css/style.css serve_style_css
|
static /css/style.css serve_style_css
|
||||||
static / serve_index
|
static / serve_index
|
||||||
static /intro.jpg serve_intro
|
static /intro.jpg serve_intro
|
||||||
|
|
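Review bot: The new `http_hsts_enable` comment in the HTTP settings hunk states neither the unit nor the scope of the option: the value is the max-age in seconds, and since it is a global setting the header is sent for every configured domain, not per domain block. I would write `# http_hsts_enable Send a Strict-Transport-Security header with this max-age (in seconds) in every response, for all domains. Set to 0 to disable the header.` With a default of one year, a short warning that browsers which have seen the header will refuse plain HTTP to the host until it expires, so the value should be lowered while a deployment is being validated, would save an operator from a self-inflicted lockout.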
24
src/config.c
24
src/config.c
|
@ -44,6 +44,7 @@ static int configure_kore_cb_interval(char **);
|
||||||
static int configure_kore_cb_worker(char **);
|
static int configure_kore_cb_worker(char **);
|
||||||
static int configure_http_header_max(char **);
|
static int configure_http_header_max(char **);
|
||||||
static int configure_http_postbody_max(char **);
|
static int configure_http_postbody_max(char **);
|
||||||
|
static int configure_http_hsts_enable(char **);
|
||||||
static void domain_sslstart(void);
|
static void domain_sslstart(void);
|
||||||
|
|
||||||
static struct {
|
static struct {
|
||||||
|
@ -73,6 +74,7 @@ static struct {
|
||||||
{ "kore_cb_interval", configure_kore_cb_interval },
|
{ "kore_cb_interval", configure_kore_cb_interval },
|
||||||
{ "http_header_max", configure_http_header_max },
|
{ "http_header_max", configure_http_header_max },
|
||||||
{ "http_postbody_max", configure_http_postbody_max },
|
{ "http_postbody_max", configure_http_postbody_max },
|
||||||
|
{ "http_hsts_enable", configure_http_hsts_enable },
|
||||||
{ NULL, NULL },
|
{ NULL, NULL },
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -551,6 +553,28 @@ configure_http_postbody_max(char **argv)
|
||||||
return (KORE_RESULT_OK);
|
return (KORE_RESULT_OK);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
configure_http_hsts_enable(char **argv)
|
||||||
|
{
|
||||||
|
int err;
|
||||||
|
|
||||||
|
if (argv[1] == NULL)
|
||||||
|
return (KORE_RESULT_ERROR);
|
||||||
|
|
||||||
|
if (http_hsts_enable != HTTP_HSTS_ENABLE) {
|
||||||
|
kore_debug("http_hsts_enable already set");
|
||||||
|
return (KORE_RESULT_ERROR);
|
||||||
|
}
|
||||||
|
|
||||||
|
http_hsts_enable = kore_strtonum(argv[1], 10, 1, ULONG_MAX, &err);
|
||||||
|
if (err != KORE_RESULT_OK) {
|
||||||
|
printf("bad http_hsts_enable value: %s\n", argv[1]);
|
||||||
|
return (KORE_RESULT_ERROR);
|
||||||
|
}
|
||||||
|
|
||||||
|
return (KORE_RESULT_OK);
|
||||||
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
domain_sslstart(void)
|
domain_sslstart(void)
|
||||||
{
|
{
|
||||||
|
|
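Review bot: `configure_http_hsts_enable` rejects the value 0, because `kore_strtonum(argv[1], 10, 1, ULONG_MAX, &err)` uses a minimum of 1, while the example configuration in this same commit says `Set age to 0 to disable sending this header`; the documented way to turn HSTS off therefore fails with `bad http_hsts_enable value: 0`. Change the lower bound: `http_hsts_enable = kore_strtonum(argv[1], 10, 0, ULONG_MAX, &err);`. The duplicate-setting guard compares against the compile-time default, so a configuration that first sets 31536000 explicitly and later another value passes silently; if the "already set" check is meant to be strict, a separate seen flag is needed, as the same pattern presumably applies to the neighbouring configure_http_* functions.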
15
src/http.c
15
src/http.c
|
@ -31,6 +31,7 @@ static struct kore_pool http_request_pool;
|
||||||
static struct kore_pool http_header_pool;
|
static struct kore_pool http_header_pool;
|
||||||
|
|
||||||
int http_request_count;
|
int http_request_count;
|
||||||
|
u_int64_t http_hsts_enable = HTTP_HSTS_ENABLE;
|
||||||
u_int16_t http_header_max = HTTP_HEADER_MAX_LEN;
|
u_int16_t http_header_max = HTTP_HEADER_MAX_LEN;
|
||||||
u_int64_t http_postbody_max = HTTP_POSTBODY_MAX_LEN;
|
u_int64_t http_postbody_max = HTTP_POSTBODY_MAX_LEN;
|
||||||
|
|
||||||
|
@ -258,6 +259,14 @@ http_response(struct http_request *req, int status, u_int8_t *d, u_int32_t len)
|
||||||
spdy_header_block_add(hblock, ":status", sbuf);
|
spdy_header_block_add(hblock, ":status", sbuf);
|
||||||
spdy_header_block_add(hblock, ":version", "HTTP/1.1");
|
spdy_header_block_add(hblock, ":version", "HTTP/1.1");
|
||||||
spdy_header_block_add(hblock, ":server", KORE_NAME_STRING);
|
spdy_header_block_add(hblock, ":server", KORE_NAME_STRING);
|
||||||
|
|
||||||
|
if (http_hsts_enable) {
|
||||||
|
snprintf(sbuf, sizeof(sbuf),
|
||||||
|
"max-age=%lu", http_hsts_enable);
|
||||||
|
spdy_header_block_add(hblock,
|
||||||
|
":strict-transport-security", sbuf);
|
||||||
|
}
|
||||||
|
|
||||||
TAILQ_FOREACH(hdr, &(req->resp_headers), list)
|
TAILQ_FOREACH(hdr, &(req->resp_headers), list)
|
||||||
spdy_header_block_add(hblock, hdr->header, hdr->value);
|
spdy_header_block_add(hblock, hdr->header, hdr->value);
|
||||||
|
|
||||||
|
@ -293,6 +302,12 @@ http_response(struct http_request *req, int status, u_int8_t *d, u_int32_t len)
|
||||||
kore_buf_appendf(buf, "Keep-Alive: timeout=20\r\n");
|
kore_buf_appendf(buf, "Keep-Alive: timeout=20\r\n");
|
||||||
kore_buf_appendf(buf, "Server: %s\r\n", KORE_NAME_STRING);
|
kore_buf_appendf(buf, "Server: %s\r\n", KORE_NAME_STRING);
|
||||||
|
|
||||||
|
if (http_hsts_enable) {
|
||||||
|
kore_buf_appendf(buf,
|
||||||
|
"Strict-Transport-Security: max-age=%lu\r\n",
|
||||||
|
http_hsts_enable);
|
||||||
|
}
|
||||||
|
|
||||||
TAILQ_FOREACH(hdr, &(req->resp_headers), list) {
|
TAILQ_FOREACH(hdr, &(req->resp_headers), list) {
|
||||||
kore_buf_appendf(buf, "%s: %s\r\n",
|
kore_buf_appendf(buf, "%s: %s\r\n",
|
||||||
hdr->header, hdr->value);
|
hdr->header, hdr->value);
|
||||||
|
|
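Review bot: Both new format calls print `http_hsts_enable`, a `u_int64_t`, with `%lu`; on targets where u_int64_t is `unsigned long long` (32-bit builds) that is a format/argument mismatch and undefined behaviour. Use `"max-age=%" PRIu64` and `"Strict-Transport-Security: max-age=%" PRIu64 "\r\n"`, which needs `<inttypes.h>` that this diff does not show being included. In the SPDY branch the header is added as `:strict-transport-security`; as far as I know the colon prefix is reserved for the SPDY pseudo-headers such as `:status` and `:version`, so a browser will most likely not recognise it, and the existing `:server` line above it has the same shape and deserves the same check. The header is also emitted unconditionally by http_response; that is fine while Kore only serves TLS listeners, but if a plaintext listener is ever added it should be restricted to TLS connections. http_response's body starts and ends outside these hunks.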