Resync master w/upstream #2

Merged

Russtopia merged 70 commits from solderpunk/molly-brown:master into master 2023-09-07 02:07:32 +00:00

Conversation 0 Commits 70 Files Changed 19 +1175 -323

Russtopia commented 2023-09-07 02:07:09 +00:00

Owner

Copy Link

No description provided.

Russtopia added 70 commits 2023-09-07 02:07:10 +00:00

03ca12d0c1 First pass at a pledge/unveil implementation for OpenBSD.

69a253f820 Tested unveiling CGI dirs and globs as executable.

fb77a13088 Finished the OpenBSD pledge/unveil implementation after testing SCGI procs.

a8f59868f3 Update requirements list for OpenBSD.

1c0fb0d856 Fixed a typo in the OpenBSD enableSecurityRestrictions docs.

16ed9e5cff Allow redirects to other hosts. Closes #26.

f05bab2b73 Make test of request URL hostname against configured hostname case insensitive. Closes #29.

a41898b012 Add DefaultEncoding option to config/.molly files. Closes #19.

733e518392 Accept requests where the URL has a FQDN hostname with a trailing dot. Closes #20.

67d509a234 Sort directory listings with directories before files

8446885f56 Rename DirectoriesFirst option to DirectorySubdirsFirst and document in README.

d9e0fed193 Tidy up DirectorySubdirsFirst sorting code by doing two consecutive sorts. Closes #30.

2d6f4db38e Add -v flag to print version and exit. Closes #23.

8541b6194b Resolve non-absolute values of CGIPaths relative to DocBase. Closes #24.

c0d0c0991c Update date and email address in LICENSE.

16bf8e0534 Refuse to use a world-readable TLS key.

443bfd4bbd Change to error logging behaviour (stderr instead of stdout, by default).

3be10b82d7 Allow no access logging with empty string log file path.

0d5d67c86d Forcibly ingest Kool-Aid.

b16a8584a6 Merge pull request 'Added pledge(2) and unveil(2) system calls to improve security on OpenBSD.' (#13) from kvothe/molly-brown:master into master ...

Reviewed-on: solderpunk/molly-brown#13

86720131d3 Declare dependenc upon x/sys to support OpenBSD security features.

17d17a1629 Catch SIGTERM and shutdown gracefully.

b16fe0b8d4 Absolutise DocBase before trying to absolutise anything else relative to it.

56d8dde14a Chdir to / so that Molly doesn't interfere with unmounting.

5258b29c6b Big ol' gofmt.

4e6a8fcd05 Use setuid() systemcall wherever possible to reduce privileges before accepting network connections. First step toward solving issue #16.

bb0a04d2c7 Add a little bit of extra security advice to the README, a tiny extra step toward closing issue #16.

06c6d190a6 Guard against symbolic links escaping the document base.

8372142843 Add support for chroot()ing server early after startup, more work toward issue #16.

c0c67f7ba6 Whoops, don't ignore error from filepath.Abs.

182e58ffe3 Make unprivileged user configurable, thanks nervuri! (see issue #16)

7fad754ff2 Drop privileges much more thoroughly, thanks nervuri! (see issue #16)

072669a167 Avoid use of log.Fatal() or os.Exit() in main so defers are guaranteed to run.

7a89b307a1 Just use the log package's default logger as the error log.

f63fcdb6d1 Do not request client certificates if we're never going to need them.

75c283fc74 Restore documented setuid behaviour.

40203a8856 Use net/http.DetectContentType as a last resort for MIME, rather than hardcoding application/octet-stream.

8d1a04cb27 Fix minor bugs on OpenBSD-only code, after discovering easy of cross-compilation in Go.

212c9f79fb A rather extensive refactor. ...

Basically the function formerly known as do_main() in main.go has
been renamed launch() and moved into launch.go.  Now there are
main.go and main_unix.go files implementing minmial main()
functions which load a config and pass it to launch.  This allows
separating unix-specific security stuff (both the actual system
calls which won't compile on other platforms and the definition
of command line switches) out from the platform agnostic
implementation of the main server logic.  It also simplifies the
interaction of relative paths in config files with chrooting.

Docs still need updating...

67386cd118 Update README to reflect movement of unix security stuff out of config file into command line switches.

d67f896b84 Add AllowTLS12 option to switch minimum TLS version between 1.2 and 1.3.

800c181668 Ensure supplied TLS certificate is valid for configured hostname.

0274ef8f35 Print warning about expired certificates.

c50accfaec Only drop supplementary groups if root is amongst them.

a9dab7b48c Argh, fix stupid typo.

bff3d6d486 Restore logging functionality after some subtle variable declaration scoping bugs wiped it out!

e70ec82594 Don't try to be clever about when to request client certs: we never know what could be in a .molly file.

eb85a6e94c Another big refactor, splitting the Config struct in two. ...

The split reflects that between variables which can and cannot be
overridden by .molly files, and this greatly simplifies the
processing of said files, getting rid of the need for lots of
ugly temporary variable thrashing.

f9585ff2b7 Rearrange the logic of handling requests without changing behaviour. ...

The new order handles certificate zones and redirects defined in the
system-wide config file as well as SCGI paths as early as possible
without doing any unecessary filesystem operations and especially
without the potentially expensive search for .molly files.

eefb1bc3a6 Further simplifications of config parsing code.

d3d415b612 Add missing return.

81b4f1dcc0 Fix small variable name error.

bd07cb3507 Check for errors when parsing TLS certificates even after successful PEM decoding.

3a03995f26 Actually, be *more* clever about client certs...(see e70ec)

e30f39b196 Fix typo in error message.

72a94cab00 Restore Go 1.15 compatibility.

c4866d2965 Check for a CGI path prefix before insisting that an exact path exists on disk. Closes #36.

5016f40edb Initial implementation of leaky bucket rate limiting.

a6170a355d Make rate limiting configurable.

3c5835f033 Continue to increment drips once bucket is overflowing.

efde852c54 Refactor rate limiting to have soft and hard limits, block clients exceeding hard limits for one hour.

4b9a7e8ad5 Correctly implement bans for clients exceeding hard limit.

8e618a6304 Double hard limit ban durations each time.

4b54eb6134 Set 30 second deadline for reading requests. See #35.

2c3225c1c0 Fix crash when CGI processes end without writing anything at all to stdout. Closes #38.

6f0865447d Adds leaky token bucket rate limiting with bans for non-compliant clients.

051df29604 Add a write deadline with maximum allowed download time derived from filesize. See #35.

1b7d661abd Type trashing to fix last commit.

64a4ff72f0 Remove debugging Println.

2068c3b02a Allow to disable directory listing ...

Signed-off-by: Solderpunk <solderpunk@posteo.net>

Russtopia merged commit 27bbae5418 into master 2023-09-07 02:07:32 +00:00

Russtopia referenced this issue from a commit 2023-09-07 02:07:33 +00:00

Merge pull request 'Resync master w/upstream' (#2) from solderpunk/molly-brown:master into master

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No Label

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Russtopia/molly-brown#2

No description provided.