1
0
mirror of https://git.kore.io/kore.git synced 2024-11-16 15:06:37 +01:00
Commit Graph

1649 Commits

Author SHA1 Message Date
Joris Vink
dcb34033fa trailing whitespace 2020-05-08 22:43:12 +02:00
Joris Vink
40dddbc769 whitespace 2020-04-27 09:07:37 +02:00
Joris Vink
e53de1cf4f mark kore_worker_entry as noreturn. 2020-03-25 13:35:02 +01:00
Joris Vink
c83f34c938 Rework http_pretty_error a tiny bit. 2020-03-04 08:36:10 +01:00
Frederic Cambus
fe43ed09ac Add the http_pretty_error configuration option.
When enabled, Kore returns HTML error pages for status codes 4xx and
5xx instead of empty content.
2020-03-04 08:22:51 +01:00
Joris Vink
db31f37ab0 Add a "return" configuration option.
This hooks into the existing redirection framework but allows you
to quickly deny certain paths with a 403 or other status code.

The snippet below would for example declare a filemap served from 'www'
directory but denying all access to the files under the 'data' directory:

filemap		/	www
deny		/data	403
2020-03-03 11:28:16 +01:00
Joris Vink
9e5e698e4b only count TLS enabled domains as primary_dom.
Otherwise one can run into trouble with ACME if it was enabled on
domains but the first domain in the configuration was a non TLS domain.
2020-02-21 13:58:03 +01:00
Joris Vink
82d7b58405 Add trailing byte in http_token and http_field_content. 2020-02-19 10:38:41 +01:00
Joris Vink
1a64d202de Mention http_server_version 2020-02-19 08:28:03 +01:00
Frederic Cambus
b4ebee5913 Add the http_server_version configuration option.
This allows setting a custom server header from the config file, for
example to mask the version number.
2020-02-19 08:07:02 +01:00
Frederic Cambus
cc6ab4f05d Allow the stat syscall in keymgr, it is used in keymgr_save_randfile(). 2020-02-13 15:10:58 +01:00
Joris Vink
4115df69f6 adjust for configuration changes 2020-02-11 11:04:10 +01:00
Frederic Cambus
b24bc43051 Variable ‘c’ was set but not used so remove it, broke the build with GCC 9.2.0. 2020-02-10 15:43:46 +01:00
Joris Vink
6ba56bb8f6 adjust copyright years 2020-02-10 15:35:41 +01:00
Joris Vink
9d0aef0079 bump copyright 2020-02-10 14:47:33 +01:00
Joris Vink
fa2e8ef0b6 Add support for config based redirection.
Inside the domain contexts a 'redirect' rule will allow you to redirect
a request to another URI.

Ex:

Redirect all requests with a 301 to example.com

	redirect ^/.*$ 301 https://example.com

Using capture groups

	redirect ^/account/(.*)$ 301 https://example.com/account/$1

Adding the query string in the mix

	redirect ^/(.*)$ 301 https://example.com/$1?$qs
2020-02-07 06:42:33 +01:00
Joris Vink
6072828d8f Improve BSD platform event code.
Instead of adding all listening sockets into the kqueue at platform init,
do it in the first call to kore_platform_enable_accept().

This way a worker process can still call kore_server_create() in its
kore_worker_configure() hook.
2020-01-24 19:36:32 +01:00
Joris Vink
d86a10afa1 allow use udata in kore.timer() via the data kwarg. 2020-01-22 09:42:41 +01:00
Joris Vink
2d380cac3f Expose our async libcurl support to the Python api.
Kore already exposed parts of this via the kore.httpclient() method but
this commit takes it a bit further and exposes the libcurl interface
completely (including the setopt options).

tldr:

handle = kore.curl("ftp://ftp.eu.openbsd.org/pub/OpenBSD/README")
handle.setopt(kore.CURLOPT_TIMEOUT, 5)

data = await handle.run()
print("%s" % data.decode())
2020-01-18 19:43:38 +01:00
Joris Vink
6f31e14e83 sprinkle kore_quiet around 2020-01-17 22:25:52 +01:00
Joris Vink
01cc981632 Improve waiting on workers to exit take 2.
Keep track of what workers are running and account for those when things
exit. Somewhat reverts the entire last commit, that was the wrong approach.
2020-01-17 21:48:55 +01:00
Joris Vink
d8ff8e2c18 Improve waiting on children to exit.
If waitpid() returns -1 check if errno is ECHILD, just mark the worker
process as exited.

This could happen if Kore starts without keymgr/acme but those would still
be accounted for.
2020-01-17 21:43:56 +01:00
Joris Vink
445163f7c5 Add support for setting an email for ACME.
Can be configured via the acme_email configuration option.

eg:

	acme_email john@example.com
2020-01-13 11:00:40 +01:00
Frederic Cambus
ff40f04693 Remove forgotten debug message. 2020-01-07 21:46:19 +01:00
Joris Vink
14095a7702 Revert chunk that snuck in last commit. 2019-12-13 20:30:13 +01:00
Joris Vink
243cd4e6a0 kore_listener_init() returns KORE_RESULT_OK or KORE_RESULT_ERROR. 2019-12-13 09:14:26 +01:00
Joris Vink
1d30760aa0 use X509_NAME_ENTRY* functions directly. 2019-11-19 13:00:17 +01:00
Joris Vink
ca70f9d726 TLS improvements.
These changes improve the constraint kore had with client authentication and
multiple domains.

- Add kore_x509_subject_name() which will return a C string containing
  the x509 subject name in full (in utf8).

- Log TLS errors if client authentication was turned on, will help debug
  issues with client authentication in the future.

- If SNI was present in the TLS handshake, check it against the host specified
  in the HTTP request and send a 421 in case they mismatch.

- Throw a 403 if client authentication was enabled but no client certificate
  was specified.
2019-11-19 11:09:24 +01:00
Joris Vink
283cd6da54 allow NULL pointers to cleanup/free calls. 2019-11-19 09:44:13 +01:00
Joris Vink
56c33f85d4 change client_authority to client_verify. 2019-11-18 20:30:52 +01:00
Joris Vink
31c0caf901 tasks example is now built as a single binary 2019-11-16 19:45:32 +01:00
Frederic Cambus
c6dbf16b65 Account for the change from 'static' to 'route' in the CLI tool as well. 2019-11-16 12:34:57 +01:00
Joris Vink
f8accef3f7 allow access/accessat at all times in keymgr. 2019-11-15 09:28:33 +01:00
Joris Vink
f6cd16c567 Replace static/dynamic with a single option: route
Kore will automatically detect if a route is a dynamic or static one
so there is no need for the configuration options to differ anymore.
2019-11-15 08:11:02 +01:00
Joris Vink
73757a29d5 Make dumb compilers happy. 2019-11-15 07:49:16 +01:00
Joris Vink
0aa4769777 its about time LDFLAGS are appended instead of set. 2019-11-14 23:48:27 +01:00
Joris Vink
b3b5aa37b7 Allow acme config via python api 2019-11-13 23:01:24 +01:00
Joris Vink
9bcf6fdf6d wording 2019-11-13 15:57:07 +01:00
Joris Vink
7c78526e82 pull in ptrace.h 2019-11-13 15:56:36 +01:00
Joris Vink
7cf0006f52 fix potential NULL dereferences.
found by clang --analyze, reminded by fahlgren@
2019-11-13 11:23:02 +01:00
Joris Vink
ff2d961be7 add ACME mention 2019-11-07 12:25:14 +01:00
Joris Vink
e2930f29c1 wrap pledge stuff into an ifdef __OpenBSD__ block. 2019-11-07 08:29:38 +01:00
Joris Vink
bb39643b48 small acme fixes.
- don't create the NID for the acme extension several times
- add missing pledges for openbsd keymgr (it will write+create files)
2019-11-07 07:56:13 +01:00
Joris Vink
c78535aa5d Add acmev2 (RFC8555) support to Kore.
A new acme process is created that communicates with the acme servers.

This process does not hold any of your private keys (no account keys,
no domain keys etc).

Whenever the acme process requires a signed payload it will ask the keymgr
process to do the signing with the relevant keys.

This process is also sandboxed with pledge+unveil on OpenBSD and seccomp
syscall filtering on Linux.

The implementation only supports the tls-alpn-01 challenge. This means that
you do not need to open additional ports on your machine.

http-01 and dns-01 are currently not supported (no wildcard support).

A new configuration option "acme_provider" is available and can be set
to the acme server its directory. By default this will point to the
live letsencrypt environment:
    https://acme-v02.api.letsencrypt.org/directory

The acme process can be controlled via the following config options:
  - acme_root (where the acme process will chroot/chdir into).
  - acme_runas (the user the acme process will run as).

  If none are set, the values from 'root' and 'runas' are taken.

If you want to turn on acme for domains you do it as follows:

domain kore.io {
	acme yes
}

You do not need to specify certkey/certfile anymore, if they are present
still
they will be overwritten by the acme system.

The keymgr will store all certificates and keys under its root
(keymgr_root), the account key is stored as "/account-key.pem" and all
obtained certificates go under "certificates/<domain>/fullchain.pem" while
keys go under "certificates/<domain>/key.pem".

Kore will automatically renew certificates if they will expire in 7 days
or less.
2019-11-06 19:43:48 +01:00
Joris Vink
eef1a05868 Change the way the linux syscall maps are made.
Use the syscall.h.in files from musl and generate the syscall maps
from there. Now we have proper support for x86_64, i386, arm and aarch64
to have syscall maps.
2019-11-06 11:57:25 +01:00
Joris Vink
b226b6ca89 Allow seccomp to work on arm64 and i386. 2019-11-05 13:12:43 +01:00
Joris Vink
aa01e5e504 If OPENSSL_PATH is set, append lib to it. 2019-11-04 21:16:00 +01:00
Joris Vink
68ce436fa7 expand previous commit further, check proto as well. 2019-11-04 07:23:21 +01:00
Joris Vink
0eab72f4cd Only call http_check_timeout on established clients. 2019-11-03 22:28:48 +01:00
Joris Vink
068b295427 remove error pledge, die hard. 2019-11-03 19:52:47 +01:00