Compare commits
3 Commits
64b03a032e
...
11d36de0a2
Author | SHA1 | Date |
---|---|---|
André Kugland | 11d36de0a2 | |
André Kugland | 6d5299e7da | |
André Kugland | defc1e8ce9 |
27
Dockerfile
27
Dockerfile
|
@ -3,14 +3,35 @@ FROM alpine AS build
|
|||
RUN apk add --no-cache build-base
|
||||
WORKDIR /src
|
||||
COPY . .
|
||||
|
||||
# Hardening GCC opts taken from these sources:
|
||||
# https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
|
||||
# https://security.stackexchange.com/q/24444/204684
|
||||
ENV CFLAGS=" \
|
||||
-static \
|
||||
-O2 \
|
||||
-flto \
|
||||
-D_FORTIFY_SOURCE=2 \
|
||||
-fstack-clash-protection \
|
||||
-fstack-protector-strong \
|
||||
-pipe \
|
||||
-Wall \
|
||||
-Werror=format-security \
|
||||
-Werror=implicit-function-declaration \
|
||||
-Wl,-z,defs \
|
||||
-Wl,-z,now \
|
||||
-Wl,-z,relro \
|
||||
-Wl,-z,noexecstack \
|
||||
"
|
||||
RUN make darkhttpd-static \
|
||||
&& strip darkhttpd-static
|
||||
|
||||
# Just the static binary
|
||||
FROM scratch
|
||||
WORKDIR /var/www/htdocs
|
||||
COPY --from=build /src/darkhttpd-static /darkhttpd
|
||||
COPY --from=build --chown=0:0 /src/darkhttpd-static /darkhttpd
|
||||
COPY --chown=0:0 passwd /etc/passwd
|
||||
COPY --chown=0:0 group /etc/group
|
||||
EXPOSE 80
|
||||
ENTRYPOINT ["/darkhttpd"]
|
||||
CMD ["."]
|
||||
|
||||
CMD [".", "--chroot", "--uid", "nobody", "--gid", "nobody"]
|
||||
|
|
|
@ -19,6 +19,7 @@ Features:
|
|||
* Supports If-Modified-Since.
|
||||
* Supports Keep-Alive connections.
|
||||
* Supports IPv6.
|
||||
* Support arbitrary custom response headers.
|
||||
* Can serve 301 redirects based on Host header.
|
||||
* Uses sendfile() on FreeBSD, Solaris and Linux.
|
||||
* Can use acceptfilter on FreeBSD.
|
||||
|
@ -139,6 +140,13 @@ Web forward (301) requests for all hosts:
|
|||
--forward-all http://catchall.example.com
|
||||
```
|
||||
|
||||
Arbitrary custom response headers (in this case, allow all cross-origin
|
||||
requests):
|
||||
|
||||
```
|
||||
./darkhttpd /var/www/htdocs --header 'Access-Control-Allow-Origin: *'
|
||||
```
|
||||
|
||||
Commandline options can be combined:
|
||||
|
||||
```
|
||||
|
|
53
darkhttpd.c
53
darkhttpd.c
|
@ -305,6 +305,7 @@ static int want_chroot = 0, want_daemon = 0, want_accf = 0,
|
|||
want_keepalive = 1, want_server_id = 1;
|
||||
static char *server_hdr = NULL;
|
||||
static char *auth_key = NULL;
|
||||
static char *custom_hdrs = NULL;
|
||||
static uint64_t num_requests = 0, total_in = 0, total_out = 0;
|
||||
static int accepting = 1; /* set to 0 to stop accept()ing */
|
||||
static int syslog_enabled = 0;
|
||||
|
@ -318,26 +319,36 @@ static gid_t drop_gid = INVALID_GID;
|
|||
|
||||
/* Default mimetype mappings - make sure this array is NULL terminated. */
|
||||
static const char *default_extension_map[] = {
|
||||
"application/ogg" " ogg",
|
||||
"application/json" " json",
|
||||
"application/pdf" " pdf",
|
||||
"application/wasm" " wasm",
|
||||
"application/xml" " xsl xml",
|
||||
"application/xml-dtd" " dtd",
|
||||
"application/xslt+xml" " xslt",
|
||||
"application/zip" " zip",
|
||||
"audio/flac" " flac",
|
||||
"audio/mpeg" " mp2 mp3 mpga",
|
||||
"audio/ogg" " ogg opus oga spx",
|
||||
"audio/wav" " wav",
|
||||
"audio/x-m4a" " m4a",
|
||||
"font/woff" " woff",
|
||||
"font/woff2" " woff2",
|
||||
"image/apng" " apng",
|
||||
"image/avif" " avif",
|
||||
"image/gif" " gif",
|
||||
"image/jpeg" " jpeg jpe jpg",
|
||||
"image/png" " png",
|
||||
"image/svg+xml" " svg",
|
||||
"image/webp" " webp",
|
||||
"text/css" " css",
|
||||
"text/html" " html htm",
|
||||
"text/javascript" " js",
|
||||
"text/plain" " txt asc",
|
||||
"video/mpeg" " mpeg mpe mpg",
|
||||
"video/quicktime" " qt mov",
|
||||
"video/webm" " webm",
|
||||
"video/x-msvideo" " avi",
|
||||
"video/mp4" " mp4",
|
||||
"video/mp4" " mp4 m4v",
|
||||
NULL
|
||||
};
|
||||
|
||||
|
@ -935,6 +946,10 @@ static void usage(const char *argv0) {
|
|||
"\t\tIf the client requested HTTP, forward to HTTPS.\n"
|
||||
"\t\tThis is useful if darkhttpd is behind a reverse proxy\n"
|
||||
"\t\tthat supports SSL.\n\n");
|
||||
printf("\t--header 'Header: Value'\n"
|
||||
"\t\tAdd a custom header to all responses.\n"
|
||||
"\t\tThis option can be specified multiple times, in which case\n"
|
||||
"\t\tthe headers are added in order of appearance.\n\n");
|
||||
#ifdef HAVE_INET6
|
||||
printf("\t--ipv6\n"
|
||||
"\t\tListen on IPv6 address.\n\n");
|
||||
|
@ -1025,6 +1040,8 @@ static void parse_commandline(const int argc, char *argv[]) {
|
|||
if (getuid() == 0)
|
||||
bindport = 80;
|
||||
|
||||
custom_hdrs = strdup("");
|
||||
|
||||
wwwroot = xstrdup(argv[1]);
|
||||
/* Strip ending slash. */
|
||||
len = strlen(wwwroot);
|
||||
|
@ -1151,6 +1168,15 @@ static void parse_commandline(const int argc, char *argv[]) {
|
|||
else if (strcmp(argv[i], "--forward-https") == 0) {
|
||||
forward_to_https = 1;
|
||||
}
|
||||
else if (strcmp(argv[i], "--header") == 0) {
|
||||
if (++i >= argc)
|
||||
errx(1, "missing argument after --header");
|
||||
if (strchr(argv[i], '\n') != NULL || strstr(argv[i], ": ") == NULL)
|
||||
errx(1, "malformed argument after --header");
|
||||
char *old_custom_hdrs = custom_hdrs;
|
||||
xasprintf(&custom_hdrs, "%s%s\r\n", old_custom_hdrs, argv[i]);
|
||||
free(old_custom_hdrs);
|
||||
}
|
||||
#ifdef HAVE_INET6
|
||||
else if (strcmp(argv[i], "--ipv6") == 0) {
|
||||
inet6 = 1;
|
||||
|
@ -1347,7 +1373,7 @@ static void log_connection(const struct connection *conn) {
|
|||
use_safe(user_agent)
|
||||
);
|
||||
fflush(logfile);
|
||||
}
|
||||
}
|
||||
#define free_safe(x) if (safe_##x) free(safe_##x)
|
||||
|
||||
free_safe(method);
|
||||
|
@ -1536,12 +1562,13 @@ static void default_reply(struct connection *conn,
|
|||
"%s" /* server */
|
||||
"Accept-Ranges: bytes\r\n"
|
||||
"%s" /* keep-alive */
|
||||
"%s" /* custom headers */
|
||||
"Content-Length: %llu\r\n"
|
||||
"Content-Type: text/html; charset=UTF-8\r\n"
|
||||
"%s"
|
||||
"\r\n",
|
||||
errcode, errname, date, server_hdr, keep_alive(conn),
|
||||
llu(conn->reply_length),
|
||||
custom_hdrs, llu(conn->reply_length),
|
||||
(auth_key != NULL ? auth_header : ""));
|
||||
|
||||
conn->reply_type = REPLY_GENERATED;
|
||||
|
@ -1580,10 +1607,12 @@ static void redirect(struct connection *conn, const char *format, ...) {
|
|||
/* "Accept-Ranges: bytes\r\n" - not relevant here */
|
||||
"Location: %s\r\n"
|
||||
"%s" /* keep-alive */
|
||||
"%s" /* custom headers */
|
||||
"Content-Length: %llu\r\n"
|
||||
"Content-Type: text/html; charset=UTF-8\r\n"
|
||||
"\r\n",
|
||||
date, server_hdr, where, keep_alive(conn), llu(conn->reply_length));
|
||||
date, server_hdr, where, keep_alive(conn),
|
||||
custom_hdrs, llu(conn->reply_length));
|
||||
|
||||
free(where);
|
||||
conn->reply_type = REPLY_GENERATED;
|
||||
|
@ -2015,10 +2044,12 @@ static void generate_dir_listing(struct connection *conn, const char *path,
|
|||
"%s" /* server */
|
||||
"Accept-Ranges: bytes\r\n"
|
||||
"%s" /* keep-alive */
|
||||
"%s" /* custom headers */
|
||||
"Content-Length: %llu\r\n"
|
||||
"Content-Type: text/html; charset=UTF-8\r\n"
|
||||
"\r\n",
|
||||
date, server_hdr, keep_alive(conn), llu(conn->reply_length));
|
||||
date, server_hdr, keep_alive(conn), custom_hdrs,
|
||||
llu(conn->reply_length));
|
||||
|
||||
conn->reply_type = REPLY_GENERATED;
|
||||
conn->http_code = 200;
|
||||
|
@ -2158,8 +2189,10 @@ static void process_get(struct connection *conn) {
|
|||
"%s" /* server */
|
||||
"Accept-Ranges: bytes\r\n"
|
||||
"%s" /* keep-alive */
|
||||
"%s" /* custom headers */
|
||||
"\r\n",
|
||||
rfc1123_date(date, now), server_hdr, keep_alive(conn));
|
||||
rfc1123_date(date, now), server_hdr, keep_alive(conn),
|
||||
custom_hdrs);
|
||||
conn->reply_length = 0;
|
||||
conn->reply_type = REPLY_GENERATED;
|
||||
conn->header_only = 1;
|
||||
|
@ -2219,6 +2252,7 @@ static void process_get(struct connection *conn) {
|
|||
"%s" /* server */
|
||||
"Accept-Ranges: bytes\r\n"
|
||||
"%s" /* keep-alive */
|
||||
"%s" /* custom headers */
|
||||
"Content-Length: %llu\r\n"
|
||||
"Content-Range: bytes %llu-%llu/%llu\r\n"
|
||||
"Content-Type: %s\r\n"
|
||||
|
@ -2226,6 +2260,7 @@ static void process_get(struct connection *conn) {
|
|||
"\r\n"
|
||||
,
|
||||
rfc1123_date(date, now), server_hdr, keep_alive(conn),
|
||||
custom_hdrs,
|
||||
llu(conn->reply_length), llu(from), llu(to),
|
||||
llu(filestat.st_size), mimetype, lastmod
|
||||
);
|
||||
|
@ -2243,13 +2278,14 @@ static void process_get(struct connection *conn) {
|
|||
"%s" /* server */
|
||||
"Accept-Ranges: bytes\r\n"
|
||||
"%s" /* keep-alive */
|
||||
"%s" /* custom headers */
|
||||
"Content-Length: %llu\r\n"
|
||||
"Content-Type: %s\r\n"
|
||||
"Last-Modified: %s\r\n"
|
||||
"\r\n"
|
||||
,
|
||||
rfc1123_date(date, now), server_hdr, keep_alive(conn),
|
||||
llu(conn->reply_length), mimetype, lastmod
|
||||
custom_hdrs, llu(conn->reply_length), mimetype, lastmod
|
||||
);
|
||||
conn->http_code = 200;
|
||||
}
|
||||
|
@ -2880,6 +2916,7 @@ int main(int argc, char **argv) {
|
|||
free(wwwroot);
|
||||
free(server_hdr);
|
||||
free(auth_key);
|
||||
free(custom_hdrs);
|
||||
}
|
||||
|
||||
/* usage stats */
|
||||
|
|
|
@ -120,6 +120,22 @@ runtests() {
|
|||
kill $PID
|
||||
wait $PID
|
||||
|
||||
echo "===> run --header tests"
|
||||
# Wrong flags:
|
||||
./a.out . --header >/dev/null 2>/dev/null
|
||||
./a.out . --header missing_colon >/dev/null 2>/dev/null
|
||||
./a.out . --header $'X-Header: Abusive\r\n\r\nBody' >/dev/null 2>/dev/null
|
||||
# Correct flags:
|
||||
./a.out $DIR --port $PORT \
|
||||
--header 'X-Header-A: First Value' --header 'X-Header-B: Second Value' \
|
||||
--forward example.com http://www.example.com \
|
||||
>>test.out.stdout 2>>test.out.stderr &
|
||||
PID=$!
|
||||
kill -0 $PID || exit 1
|
||||
python3 test_custom_headers.py
|
||||
kill $PID
|
||||
wait $PID
|
||||
|
||||
echo "===> run --forward-https tests"
|
||||
./a.out $DIR --port $PORT --forward-https \
|
||||
>>test.out.stdout 2>>test.out.stderr &
|
||||
|
|
|
@ -0,0 +1,95 @@
|
|||
#!/usr/bin/env python3
|
||||
# This is run by the "run-tests" script.
|
||||
import unittest
|
||||
import os
|
||||
from test import WWWROOT, TestHelper, parse, random_bytes
|
||||
|
||||
class TestCustomHeaders(TestHelper):
|
||||
def setUp(self):
|
||||
self.datalen = 2345
|
||||
self.data = random_bytes(self.datalen)
|
||||
self.url = '/data.jpeg'
|
||||
self.not_found = '/not_found.jpeg'
|
||||
self.fn = WWWROOT + self.url
|
||||
with open(self.fn, 'wb') as f:
|
||||
f.write(self.data)
|
||||
|
||||
def tearDown(self):
|
||||
os.unlink(self.fn)
|
||||
|
||||
def test_custom_headers(self):
|
||||
resp = self.get(self.url)
|
||||
status, hdrs, body = parse(resp)
|
||||
self.assertContains(status, '200 OK')
|
||||
self.assertEqual(hdrs["Accept-Ranges"], "bytes")
|
||||
self.assertEqual(hdrs["Content-Length"], str(self.datalen))
|
||||
self.assertEqual(hdrs["Content-Type"], "image/jpeg")
|
||||
self.assertEqual(hdrs["X-Header-A"], "First Value")
|
||||
self.assertEqual(hdrs["X-Header-B"], "Second Value")
|
||||
self.assertContains(hdrs["Server"], "darkhttpd/")
|
||||
assert body == self.data, [self.url, resp, status, hdrs, body]
|
||||
self.assertEqual(body, self.data)
|
||||
|
||||
def test_custom_headers_not_found(self):
|
||||
resp = self.get(self.not_found)
|
||||
status, hdrs, body = parse(resp)
|
||||
self.assertContains(status, '404 Not Found')
|
||||
self.assertContains(hdrs["Server"], "darkhttpd/")
|
||||
self.assertEqual(hdrs["X-Header-A"], "First Value")
|
||||
self.assertEqual(hdrs["X-Header-B"], "Second Value")
|
||||
|
||||
def test_custom_headers_listing(self):
|
||||
resp = self.get("/")
|
||||
status, hdrs, body = parse(resp)
|
||||
self.assertContains(status, '200 OK')
|
||||
self.assertContains(body, '<a href="data.jpeg">data.jpeg</a>')
|
||||
self.assertContains(body, 'Generated by darkhttpd/')
|
||||
self.assertEqual(hdrs["Accept-Ranges"], "bytes")
|
||||
self.assertEqual(hdrs["Content-Type"], "text/html; charset=UTF-8")
|
||||
self.assertEqual(hdrs["X-Header-A"], "First Value")
|
||||
self.assertEqual(hdrs["X-Header-B"], "Second Value")
|
||||
self.assertContains(hdrs["Server"], "darkhttpd/")
|
||||
|
||||
def test_custom_headers_range(self):
|
||||
resp = self.get(self.url, req_hdrs={'Range': 'bytes=0-99'})
|
||||
status, hdrs, body = parse(resp)
|
||||
self.assertContains(status, '206 Partial Content')
|
||||
self.assertEqual(hdrs["Accept-Ranges"], "bytes")
|
||||
self.assertEqual(hdrs["Content-Length"], '100')
|
||||
self.assertEqual(hdrs["Content-Type"], "image/jpeg")
|
||||
self.assertEqual(hdrs["X-Header-A"], "First Value")
|
||||
self.assertEqual(hdrs["X-Header-B"], "Second Value")
|
||||
self.assertContains(hdrs["Server"], "darkhttpd/")
|
||||
assert body == self.data[0:100], [self.url, resp, status, hdrs, body]
|
||||
self.assertEqual(body, self.data[0:100])
|
||||
|
||||
def test_custom_header_if_modified_since(self):
|
||||
resp1 = self.get(self.url, method="HEAD")
|
||||
status, hdrs, body = parse(resp1)
|
||||
lastmod = hdrs["Last-Modified"]
|
||||
|
||||
resp2 = self.get(self.url, method="GET", req_hdrs=
|
||||
{"If-Modified-Since": lastmod })
|
||||
status, hdrs, body = parse(resp2)
|
||||
self.assertContains(status, "304 Not Modified")
|
||||
self.assertEqual(hdrs["Accept-Ranges"], "bytes")
|
||||
self.assertFalse("Last-Modified" in hdrs)
|
||||
self.assertFalse("Content-Length" in hdrs)
|
||||
self.assertFalse("Content-Type" in hdrs)
|
||||
self.assertEqual(hdrs["X-Header-A"], "First Value")
|
||||
self.assertEqual(hdrs["X-Header-B"], "Second Value")
|
||||
|
||||
def test_custom_header_forward(self):
|
||||
resp = self.get('/', req_hdrs={'Host': 'example.com'})
|
||||
status, hdrs, body = parse(resp)
|
||||
self.assertEqual(hdrs["X-Header-A"], "First Value")
|
||||
self.assertEqual(hdrs["X-Header-B"], "Second Value")
|
||||
self.assertContains(status, "301 Moved Permanently")
|
||||
expect = "http://www.example.com/"
|
||||
self.assertEqual(hdrs["Location"], expect)
|
||||
self.assertContains(body, expect)
|
||||
|
||||
if __name__ == '__main__':
|
||||
unittest.main()
|
||||
|
||||
# vim:set ts=4 sw=4 et:
|
Loading…
Reference in New Issue