mirror of https://git.kore.io/kore.git
Add http_hsts_enable (enabled by default with max-age=31536000) to Kore's configuration file.
If enabled Kore adds the HSTS header to every response. - Additionally, fix some typos in the example configuration. - Change default SSL cipher list again, no more RC4 and almost PFS for all browsers.
This commit is contained in:
parent
b75ac15e50
commit
8b47863cd4
|
@ -17,6 +17,7 @@
|
|||
#ifndef __H_HTTP_H
|
||||
#define __H_HTTP_H
|
||||
|
||||
#define HTTP_HSTS_ENABLE 31536000
|
||||
#define HTTP_HEADER_MAX_LEN 4096
|
||||
#define HTTP_POSTBODY_MAX_LEN 10240000
|
||||
#define HTTP_URI_LEN 2000
|
||||
|
@ -80,6 +81,7 @@ struct http_request {
|
|||
extern int http_request_count;
|
||||
extern u_int16_t http_header_max;
|
||||
extern u_int64_t http_postbody_max;
|
||||
extern u_int64_t http_hsts_enable;
|
||||
|
||||
void http_init(void);
|
||||
void http_process(void);
|
||||
|
|
|
@ -46,7 +46,7 @@
|
|||
|
||||
#define KORE_DOMAINNAME_LEN 254
|
||||
#define KORE_PIDFILE_DEFAULT "/var/run/kore.pid"
|
||||
#define KORE_DEFAULT_CIPHER_LIST "EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5"
|
||||
#define KORE_DEFAULT_CIPHER_LIST "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
|
||||
|
||||
#if defined(KORE_DEBUG)
|
||||
#define kore_debug(fmt, ...) \
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
bind 127.0.0.1 443
|
||||
bind ::1 443
|
||||
|
||||
# The path worker processes will chroot too after starting.
|
||||
# The path worker processes will chroot into after starting.
|
||||
chroot /home/joris/src/kore
|
||||
|
||||
# Worker processes will run as the specified user.
|
||||
|
@ -25,7 +25,7 @@ workers 4
|
|||
#onload myinit
|
||||
|
||||
# You can define a callback Kore calls from its parent process or
|
||||
# workers everytime # the kore_cb_interval timer (in milliseconds) is reached.
|
||||
# workers everytime the kore_cb_interval timer (in milliseconds) is reached.
|
||||
#
|
||||
# NOTE: Remember that the parent process runs as root and is not chroot().
|
||||
# NOTE: If you want the cb to run on a worker, be sure to set kore_cb_worker.
|
||||
|
@ -36,21 +36,25 @@ workers 4
|
|||
# HTTP specific settings.
|
||||
# http_header_max Maximum size of HTTP headers (in bytes).
|
||||
# http_postbody_max Maximum size of an HTTP POST body (in bytes).
|
||||
# http_hsts_enable Send Strict Transport Security header in
|
||||
# all responses. Parameter is the age.
|
||||
# Set age to 0 to disable sending this header.
|
||||
#http_header_max 4096
|
||||
#http_postbody_max 10240000
|
||||
#http_hsts_enable 31536000
|
||||
|
||||
# Specifies what module to be loaded.
|
||||
load modules/example/example.module
|
||||
|
||||
# Specify the SSL ciphers that will be used.
|
||||
#ssl_cipher EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
|
||||
#ssl_cipher ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
|
||||
|
||||
# If you wish to use EDH / ECDH specify a file containing
|
||||
# a generated DH key (See OpenSSL dhparam).
|
||||
#ssl_dhparam dh2048.pem
|
||||
|
||||
# Set this if you want to disable SSL zlib compression.
|
||||
#ssl_no_compression
|
||||
ssl_no_compression
|
||||
|
||||
# Specify the amount of seconds a SPDY connection is kept open.
|
||||
# You can keep it open indefinately by setting this to 0.
|
||||
|
@ -78,6 +82,8 @@ domain localhost {
|
|||
certfile cert/server.crt
|
||||
certkey cert/server.key
|
||||
accesslog /var/log/kore_access.log
|
||||
|
||||
# Page handlers
|
||||
static /css/style.css serve_style_css
|
||||
static / serve_index
|
||||
static /intro.jpg serve_intro
|
||||
|
|
24
src/config.c
24
src/config.c
|
@ -44,6 +44,7 @@ static int configure_kore_cb_interval(char **);
|
|||
static int configure_kore_cb_worker(char **);
|
||||
static int configure_http_header_max(char **);
|
||||
static int configure_http_postbody_max(char **);
|
||||
static int configure_http_hsts_enable(char **);
|
||||
static void domain_sslstart(void);
|
||||
|
||||
static struct {
|
||||
|
@ -73,6 +74,7 @@ static struct {
|
|||
{ "kore_cb_interval", configure_kore_cb_interval },
|
||||
{ "http_header_max", configure_http_header_max },
|
||||
{ "http_postbody_max", configure_http_postbody_max },
|
||||
{ "http_hsts_enable", configure_http_hsts_enable },
|
||||
{ NULL, NULL },
|
||||
};
|
||||
|
||||
|
@ -551,6 +553,28 @@ configure_http_postbody_max(char **argv)
|
|||
return (KORE_RESULT_OK);
|
||||
}
|
||||
|
||||
static int
|
||||
configure_http_hsts_enable(char **argv)
|
||||
{
|
||||
int err;
|
||||
|
||||
if (argv[1] == NULL)
|
||||
return (KORE_RESULT_ERROR);
|
||||
|
||||
if (http_hsts_enable != HTTP_HSTS_ENABLE) {
|
||||
kore_debug("http_hsts_enable already set");
|
||||
return (KORE_RESULT_ERROR);
|
||||
}
|
||||
|
||||
http_hsts_enable = kore_strtonum(argv[1], 10, 1, ULONG_MAX, &err);
|
||||
if (err != KORE_RESULT_OK) {
|
||||
printf("bad http_hsts_enable value: %s\n", argv[1]);
|
||||
return (KORE_RESULT_ERROR);
|
||||
}
|
||||
|
||||
return (KORE_RESULT_OK);
|
||||
}
|
||||
|
||||
static void
|
||||
domain_sslstart(void)
|
||||
{
|
||||
|
|
15
src/http.c
15
src/http.c
|
@ -31,6 +31,7 @@ static struct kore_pool http_request_pool;
|
|||
static struct kore_pool http_header_pool;
|
||||
|
||||
int http_request_count;
|
||||
u_int64_t http_hsts_enable = HTTP_HSTS_ENABLE;
|
||||
u_int16_t http_header_max = HTTP_HEADER_MAX_LEN;
|
||||
u_int64_t http_postbody_max = HTTP_POSTBODY_MAX_LEN;
|
||||
|
||||
|
@ -258,6 +259,14 @@ http_response(struct http_request *req, int status, u_int8_t *d, u_int32_t len)
|
|||
spdy_header_block_add(hblock, ":status", sbuf);
|
||||
spdy_header_block_add(hblock, ":version", "HTTP/1.1");
|
||||
spdy_header_block_add(hblock, ":server", KORE_NAME_STRING);
|
||||
|
||||
if (http_hsts_enable) {
|
||||
snprintf(sbuf, sizeof(sbuf),
|
||||
"max-age=%lu", http_hsts_enable);
|
||||
spdy_header_block_add(hblock,
|
||||
":strict-transport-security", sbuf);
|
||||
}
|
||||
|
||||
TAILQ_FOREACH(hdr, &(req->resp_headers), list)
|
||||
spdy_header_block_add(hblock, hdr->header, hdr->value);
|
||||
|
||||
|
@ -293,6 +302,12 @@ http_response(struct http_request *req, int status, u_int8_t *d, u_int32_t len)
|
|||
kore_buf_appendf(buf, "Keep-Alive: timeout=20\r\n");
|
||||
kore_buf_appendf(buf, "Server: %s\r\n", KORE_NAME_STRING);
|
||||
|
||||
if (http_hsts_enable) {
|
||||
kore_buf_appendf(buf,
|
||||
"Strict-Transport-Security: max-age=%lu\r\n",
|
||||
http_hsts_enable);
|
||||
}
|
||||
|
||||
TAILQ_FOREACH(hdr, &(req->resp_headers), list) {
|
||||
kore_buf_appendf(buf, "%s: %s\r\n",
|
||||
hdr->header, hdr->value);
|
||||
|
|
Loading…
Reference in New Issue