Solderpunk
d67f896b84
Add AllowTLS12 option to switch minimum TLS version between 1.2 and 1.3.
2023-02-23 19:31:16 +01:00
Solderpunk
67386cd118
Update README to reflect movement of unix security stuff out of config file into command line switches.
2023-02-23 18:57:56 +01:00
Solderpunk
212c9f79fb
A rather extensive refactor.
Basically the function formerly known as do_main() in main.go has
been renamed launch() and moved into launch.go. Now there are
main.go and main_unix.go files implementing minimal main()
functions which load a config and pass it to launch. This allows
separating unix-specific security stuff (both the actual system
calls which won't compile on other platforms and the definition
of command line switches) out from the platform agnostic
implementation of the main server logic. It also simplifies the
interaction of relative paths in config files with chrooting.
Docs still need updating...
2023-02-23 18:49:15 +01:00
Solderpunk
8d1a04cb27
Fix minor bugs on OpenBSD-only code, after discovering ease of cross-compilation in Go.
2023-02-22 21:16:11 +01:00
Solderpunk
40203a8856
Use net/http.DetectContentType as a last resort for MIME, rather than hardcoding application/octet-stream.
2023-02-21 19:22:19 +01:00
Solderpunk
75c283fc74
Restore documented setuid behaviour.
2023-02-19 18:28:52 +01:00
Solderpunk
f63fcdb6d1
Do not request client certificates if we're never going to need them.
2023-02-19 15:17:45 +01:00
Solderpunk
7a89b307a1
Just use the log package's default logger as the error log.
2023-02-19 15:04:34 +01:00
Solderpunk
072669a167
Avoid use of log.Fatal() or os.Exit() in main so defers are guaranteed to run.
2023-02-19 14:40:54 +01:00
Solderpunk
7fad754ff2
Drop privileges much more thoroughly, thanks nervuri! (see issue #16)
2023-02-19 13:17:24 +01:00
Solderpunk
182e58ffe3
Make unprivileged user configurable, thanks nervuri! (see issue #16)
2023-02-15 21:16:49 +01:00
Solderpunk
c0c67f7ba6
Whoops, don't ignore error from filepath.Abs.
2023-02-15 21:15:14 +01:00
Solderpunk
8372142843
Add support for chroot()ing server early after startup, more work toward issue #16.
2023-02-15 21:10:22 +01:00
Solderpunk
06c6d190a6
Guard against symbolic links escaping the document base.
2023-02-13 22:15:42 +01:00
Solderpunk
bb0a04d2c7
Add a little bit of extra security advice to the README, a tiny extra step toward closing issue #16.
2023-02-13 21:52:08 +01:00
Solderpunk
4e6a8fcd05
Use setuid() system call wherever possible to reduce privileges before accepting network connections. First step toward solving issue #16.
2023-02-13 20:26:52 +01:00
Solderpunk
5258b29c6b
Big ol' gofmt.
2023-02-10 17:19:21 +01:00
Solderpunk
56d8dde14a
Chdir to / so that Molly doesn't interfere with unmounting.
2023-02-10 16:16:57 +01:00
Solderpunk
b16fe0b8d4
Absolutise DocBase before trying to absolutise anything else relative to it.
2023-02-08 20:32:17 +01:00
Solderpunk
17d17a1629
Catch SIGTERM and shutdown gracefully.
2023-02-08 19:56:27 +01:00
Solderpunk
86720131d3
Declare dependency upon x/sys to support OpenBSD security features.
2023-02-08 19:54:58 +01:00
Solderpunk
b16a8584a6
Merge pull request 'Added pledge(2) and unveil(2) system calls to improve security on OpenBSD.' (#13) from kvothe/molly-brown:master into master
Reviewed-on: #13
2023-02-08 17:54:29 +00:00
Solderpunk
0d5d67c86d
Forcibly ingest Kool-Aid.
2023-02-08 18:53:29 +01:00
Solderpunk
3be10b82d7
Allow no access logging with empty string log file path.
2023-02-07 19:59:43 +01:00
Solderpunk
443bfd4bbd
Change to error logging behaviour (stderr instead of stdout, by default).
2023-02-07 19:33:14 +01:00
Solderpunk
16bf8e0534
Refuse to use a world-readable TLS key.
2023-02-07 19:23:35 +01:00
Solderpunk
c0d0c0991c
Update date and email address in LICENSE.
2023-02-07 19:12:24 +01:00
Solderpunk
8541b6194b
Resolve non-absolute values of CGIPaths relative to DocBase. Closes #24.
2023-02-05 16:54:07 +01:00
Solderpunk
2d6f4db38e
Add -v flag to print version and exit. Closes #23.
2023-02-05 15:36:18 +01:00
Solderpunk
d9e0fed193
Tidy up DirectorySubdirsFirst sorting code by doing two consecutive sorts. Closes #30.
2023-02-05 15:04:49 +01:00
Solderpunk
8446885f56
Rename DirectoriesFirst option to DirectorySubdirsFirst and document in README.
2023-02-05 14:35:29 +01:00
Russ Magee
67d509a234
Sort directory listings with directories before files
2023-02-05 13:36:16 +01:00
Solderpunk
733e518392
Accept requests where the URL has a FQDN hostname with a trailing dot. Closes #20.
2023-01-29 12:29:01 +01:00
Solderpunk
a41898b012
Add DefaultEncoding option to config/.molly files. Closes #19.
2023-01-29 12:07:52 +01:00
Solderpunk
f05bab2b73
Make test of request URL hostname against configured hostname case insensitive. Closes #29.
2023-01-28 19:22:31 +01:00
Solderpunk
16ed9e5cff
Allow redirects to other hosts. Closes #26.
2023-01-28 19:16:11 +01:00
Solderpunk
e42c366565
Merge pull request 'Add FreeBSD example rc script' (#25) from ecliptik/molly-brown:freebsd-rc-example into master
Reviewed-on: #25
2021-05-01 14:48:48 +00:00
Micheal Waltz
b73e10ad58
Add FreeBSD example rc script
2021-04-25 01:11:15 -07:00
Solderpunk
92cd40db12
Allow access and error logging to stdout by configuring a path of "-".
Thanks to @icedquinn@blob.cat for the suggestion.
2021-01-24 17:09:47 +01:00
Solderpunk
e06f8bddbc
Fix infinite redirect bug.
Previously, URLs without trailing slashes in the path which
resolved to directories caused infinite redirects if there was
anything in the URL after the path (like a query).
Thanks to both Luke Emmet and Stephane Bortzmeyer for reporting
this!
2021-01-24 16:27:53 +01:00
Solderpunk
3d4d830e98
Merge pull request 'Add "AUTH_TYPE" environment variable when client cert is present' (#14) from khuxkm/molly-brown:master into master
Reviewed-on: #14
2020-12-27 20:21:49 +00:00
Solderpunk
2e4a10297e
Merge pull request 'Don't include port in REMOTE_ADDR' (#18) from makeworld/molly-brown:master into master
Reviewed-on: #18
2020-12-27 17:40:18 +00:00
makeworld
99ba34c2b7
Merge branch 'master' into master
2020-12-26 23:33:41 +00:00
makeworld
e0e0cf7dd6
Don't include port in REMOTE_ADDR
2020-12-26 18:23:36 -05:00
Solderpunk
34e05cc0b5
Merge pull request 'Use io.Copy over ioutil.ReadFile' (#17) from makeworld/molly-brown:master into master
Reviewed-on: #17
2020-12-10 07:12:26 +00:00
makeworld
c6c6e544d6
Use io.Copy over ioutil.ReadFile
2020-12-09 17:59:00 -05:00
Robert Miles
06ae7c0442
Add "AUTH_TYPE" environment variable when client cert is present
This makes it easier to detect when a client cert is available without having to look before you leap and attempt to access any of the TLS_* variables.
2020-11-28 10:07:27 +00:00
kvothe.
1c0fb0d856
Fixed a typo in the OpenBSD enableSecurityRestrictions docs.
2020-09-16 23:49:03 -04:00
kvothe.
a8f59868f3
Update requirements list for OpenBSD.
2020-09-16 23:32:35 -04:00
kvothe.
fb77a13088
Finished the OpenBSD pledge/unveil implementation after testing SCGI procs.
2020-09-16 23:24:41 -04:00