mirror
/
darkhttpd
mirror of https://github.com/emikulic/darkhttpd.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Compare commits

base: mirror:64b03a032e4c41873bd6b18111f61cf489980d32
Branches Tags
mirror:master
mirror:v1.14
mirror:v1.13
...
compare: mirror:11d36de0a2c94f21270877a7f6ea0050f4b9a346
Branches Tags
mirror:master
mirror:v1.14
mirror:v1.13

3 Commits
64b03a032e ... 11d36de0a2

Author SHA1 Message Date
André Kugland 11d36de0a2 Changes in default mimetypes 
* Added mimetypes for image formats apng, avif, webp, webm.
 * Added mimetype for .json files.
 * Added default mimetypes for font/woff and font/woff2.
 * Changed .ogg from application/ogg to audio/ogg, which is more common.
 * Added audio/flac, audio/wav.
 * Added opus, oga, spx to audio/ogg.

Sources:
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types
 * https://wiki.xiph.org/MIME_Types_and_File_Extensions
 2022-12-12 13:34:44 +11:00
André Kugland 6d5299e7da More secure Dockerfile 
* Drop privileges and run as `nobody:nobody`.
* Chroot into `/var/www/htdocs`.
* Compile with hardening options.
 2022-12-06 21:51:37 +11:00
André Kugland defc1e8ce9
Custom headers with the CLI option `--header` (#28) 
These changes add a command-line option --header, e.g. --header 'Access-Control-Allow-Origin: *'.

Basic tests are included for this option.

When accepting the argument, a very simple sanitization is made, the string is required to contain ": ", and can’t contain a '\n' character. These checks are far from what is required to truly validate a HTTP header, but will at least detect simple mistakes and forbid the abuse of having arguments that include more than one header, or, worse, that include a body for the response (after "\r\n\r\n").

This should also close the Issue #16 and PR #27, I think, since CORS functionality can be obtained by specifying a custom header.
 2022-12-06 21:46:52 +11:00
7 changed files with 190 additions and 11 deletions
Show Stats Expand all files Collapse all files

27
Dockerfile
View File

@ -3,14 +3,35 @@ FROM alpine AS build
RUN apk add --no-cache build-base
WORKDIR /src
COPY . .
# Hardening GCC opts taken from these sources:
# https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
# https://security.stackexchange.com/q/24444/204684
ENV CFLAGS=" \
-static \
-O2 \
-flto \
-D_FORTIFY_SOURCE=2 \
-fstack-clash-protection \
-fstack-protector-strong \
-pipe \
-Wall \
-Werror=format-security \
-Werror=implicit-function-declaration \
-Wl,-z,defs \
-Wl,-z,now \
-Wl,-z,relro \
-Wl,-z,noexecstack \
"
RUN make darkhttpd-static \
&& strip darkhttpd-static
# Just the static binary
FROM scratch
WORKDIR /var/www/htdocs
COPY --from=build /src/darkhttpd-static /darkhttpd
COPY --from=build --chown=0:0 /src/darkhttpd-static /darkhttpd
COPY --chown=0:0 passwd /etc/passwd
COPY --chown=0:0 group /etc/group
EXPOSE 80
ENTRYPOINT ["/darkhttpd"]
CMD ["."]
CMD [".", "--chroot", "--uid", "nobody", "--gid", "nobody"]

8
README.md
View File

@ -19,6 +19,7 @@ Features:
* Supports If-Modified-Since.
* Supports Keep-Alive connections.
* Supports IPv6.
* Support arbitrary custom response headers.
* Can serve 301 redirects based on Host header.
* Uses sendfile() on FreeBSD, Solaris and Linux.
* Can use acceptfilter on FreeBSD.
@ -139,6 +140,13 @@ Web forward (301) requests for all hosts:
--forward-all http://catchall.example.com
```
Arbitrary custom response headers (in this case, allow all cross-origin
requests):
```
./darkhttpd /var/www/htdocs --header 'Access-Control-Allow-Origin: *'
```
Commandline options can be combined:
```

53
darkhttpd.c
View File

@ -305,6 +305,7 @@ static int want_chroot = 0, want_daemon = 0, want_accf = 0,
want_keepalive = 1, want_server_id = 1;
static char *server_hdr = NULL;
static char *auth_key = NULL;
static char *custom_hdrs = NULL;
static uint64_t num_requests = 0, total_in = 0, total_out = 0;
static int accepting = 1; /* set to 0 to stop accept()ing */
static int syslog_enabled = 0;
@ -318,26 +319,36 @@ static gid_t drop_gid = INVALID_GID;
/* Default mimetype mappings - make sure this array is NULL terminated. */
static const char *default_extension_map[] = {
"application/ogg" " ogg",
"application/json" " json",
"application/pdf" " pdf",
"application/wasm" " wasm",
"application/xml" " xsl xml",
"application/xml-dtd" " dtd",
"application/xslt+xml" " xslt",
"application/zip" " zip",
"audio/flac" " flac",
"audio/mpeg" " mp2 mp3 mpga",
"audio/ogg" " ogg opus oga spx",
"audio/wav" " wav",
"audio/x-m4a" " m4a",
"font/woff" " woff",
"font/woff2" " woff2",
"image/apng" " apng",
"image/avif" " avif",
"image/gif" " gif",
"image/jpeg" " jpeg jpe jpg",
"image/png" " png",
"image/svg+xml" " svg",
"image/webp" " webp",
"text/css" " css",
"text/html" " html htm",
"text/javascript" " js",
"text/plain" " txt asc",
"video/mpeg" " mpeg mpe mpg",
"video/quicktime" " qt mov",
"video/webm" " webm",
"video/x-msvideo" " avi",
"video/mp4" " mp4",
"video/mp4" " mp4 m4v",
NULL
};
@ -935,6 +946,10 @@ static void usage(const char *argv0) {
"\t\tIf the client requested HTTP, forward to HTTPS.\n"
"\t\tThis is useful if darkhttpd is behind a reverse proxy\n"
"\t\tthat supports SSL.\n\n");
printf("\t--header 'Header: Value'\n"
"\t\tAdd a custom header to all responses.\n"
"\t\tThis option can be specified multiple times, in which case\n"
"\t\tthe headers are added in order of appearance.\n\n");
#ifdef HAVE_INET6
printf("\t--ipv6\n"
"\t\tListen on IPv6 address.\n\n");
@ -1025,6 +1040,8 @@ static void parse_commandline(const int argc, char *argv[]) {
if (getuid() == 0)
bindport = 80;
custom_hdrs = strdup("");
wwwroot = xstrdup(argv[1]);
/* Strip ending slash. */
len = strlen(wwwroot);
@ -1151,6 +1168,15 @@ static void parse_commandline(const int argc, char *argv[]) {
else if (strcmp(argv[i], "--forward-https") == 0) {
forward_to_https = 1;
}
else if (strcmp(argv[i], "--header") == 0) {
if (++i >= argc)
errx(1, "missing argument after --header");
if (strchr(argv[i], '\n') != NULL || strstr(argv[i], ": ") == NULL)
errx(1, "malformed argument after --header");
char *old_custom_hdrs = custom_hdrs;
xasprintf(&custom_hdrs, "%s%s\r\n", old_custom_hdrs, argv[i]);
free(old_custom_hdrs);
}
#ifdef HAVE_INET6
else if (strcmp(argv[i], "--ipv6") == 0) {
inet6 = 1;
@ -1347,7 +1373,7 @@ static void log_connection(const struct connection *conn) {
use_safe(user_agent)
);
fflush(logfile);
}
}
#define free_safe(x) if (safe_##x) free(safe_##x)
free_safe(method);
@ -1536,12 +1562,13 @@ static void default_reply(struct connection *conn,
"%s" /* server */
"Accept-Ranges: bytes\r\n"
"%s" /* keep-alive */
"%s" /* custom headers */
"Content-Length: %llu\r\n"
"Content-Type: text/html; charset=UTF-8\r\n"
"%s"
"\r\n",
errcode, errname, date, server_hdr, keep_alive(conn),
llu(conn->reply_length),
custom_hdrs, llu(conn->reply_length),
(auth_key != NULL ? auth_header : ""));
conn->reply_type = REPLY_GENERATED;
@ -1580,10 +1607,12 @@ static void redirect(struct connection *conn, const char *format, ...) {
/* "Accept-Ranges: bytes\r\n" - not relevant here */
"Location: %s\r\n"
"%s" /* keep-alive */
"%s" /* custom headers */
"Content-Length: %llu\r\n"
"Content-Type: text/html; charset=UTF-8\r\n"
"\r\n",
date, server_hdr, where, keep_alive(conn), llu(conn->reply_length));
date, server_hdr, where, keep_alive(conn),
custom_hdrs, llu(conn->reply_length));
free(where);
conn->reply_type = REPLY_GENERATED;
@ -2015,10 +2044,12 @@ static void generate_dir_listing(struct connection *conn, const char *path,
"%s" /* server */
"Accept-Ranges: bytes\r\n"
"%s" /* keep-alive */
"%s" /* custom headers */
"Content-Length: %llu\r\n"
"Content-Type: text/html; charset=UTF-8\r\n"
"\r\n",
date, server_hdr, keep_alive(conn), llu(conn->reply_length));
date, server_hdr, keep_alive(conn), custom_hdrs,
llu(conn->reply_length));
conn->reply_type = REPLY_GENERATED;
conn->http_code = 200;
@ -2158,8 +2189,10 @@ static void process_get(struct connection *conn) {
"%s" /* server */
"Accept-Ranges: bytes\r\n"
"%s" /* keep-alive */
"%s" /* custom headers */
"\r\n",
rfc1123_date(date, now), server_hdr, keep_alive(conn));
rfc1123_date(date, now), server_hdr, keep_alive(conn),
custom_hdrs);
conn->reply_length = 0;
conn->reply_type = REPLY_GENERATED;
conn->header_only = 1;
@ -2219,6 +2252,7 @@ static void process_get(struct connection *conn) {
"%s" /* server */
"Accept-Ranges: bytes\r\n"
"%s" /* keep-alive */
"%s" /* custom headers */
"Content-Length: %llu\r\n"
"Content-Range: bytes %llu-%llu/%llu\r\n"
"Content-Type: %s\r\n"
@ -2226,6 +2260,7 @@ static void process_get(struct connection *conn) {
"\r\n"
,
rfc1123_date(date, now), server_hdr, keep_alive(conn),
custom_hdrs,
llu(conn->reply_length), llu(from), llu(to),
llu(filestat.st_size), mimetype, lastmod
);
@ -2243,13 +2278,14 @@ static void process_get(struct connection *conn) {
"%s" /* server */
"Accept-Ranges: bytes\r\n"
"%s" /* keep-alive */
"%s" /* custom headers */
"Content-Length: %llu\r\n"
"Content-Type: %s\r\n"
"Last-Modified: %s\r\n"
"\r\n"
,
rfc1123_date(date, now), server_hdr, keep_alive(conn),
llu(conn->reply_length), mimetype, lastmod
custom_hdrs, llu(conn->reply_length), mimetype, lastmod
);
conn->http_code = 200;
}
@ -2880,6 +2916,7 @@ int main(int argc, char **argv) {
free(wwwroot);
free(server_hdr);
free(auth_key);
free(custom_hdrs);
}
/* usage stats */

16
devel/run-tests
View File

@ -120,6 +120,22 @@ runtests() {
kill $PID
wait $PID
echo "===> run --header tests"
# Wrong flags:
./a.out . --header >/dev/null 2>/dev/null
./a.out . --header missing_colon >/dev/null 2>/dev/null
./a.out . --header $'X-Header: Abusive\r\n\r\nBody' >/dev/null 2>/dev/null
# Correct flags:
./a.out $DIR --port $PORT \
--header 'X-Header-A: First Value' --header 'X-Header-B: Second Value' \
--forward example.com http://www.example.com \
>>test.out.stdout 2>>test.out.stderr &
PID=$!
kill -0 $PID || exit 1
python3 test_custom_headers.py
kill $PID
wait $PID
echo "===> run --forward-https tests"
./a.out $DIR --port $PORT --forward-https \
>>test.out.stdout 2>>test.out.stderr &

95
devel/test_custom_headers.py Normal file
View File

@ -0,0 +1,95 @@
#!/usr/bin/env python3
# This is run by the "run-tests" script.
import unittest
import os
from test import WWWROOT, TestHelper, parse, random_bytes
class TestCustomHeaders(TestHelper):
def setUp(self):
self.datalen = 2345
self.data = random_bytes(self.datalen)
self.url = '/data.jpeg'
self.not_found = '/not_found.jpeg'
self.fn = WWWROOT + self.url
with open(self.fn, 'wb') as f:
f.write(self.data)
def tearDown(self):
os.unlink(self.fn)
def test_custom_headers(self):
resp = self.get(self.url)
status, hdrs, body = parse(resp)
self.assertContains(status, '200 OK')
self.assertEqual(hdrs["Accept-Ranges"], "bytes")
self.assertEqual(hdrs["Content-Length"], str(self.datalen))
self.assertEqual(hdrs["Content-Type"], "image/jpeg")
self.assertEqual(hdrs["X-Header-A"], "First Value")
self.assertEqual(hdrs["X-Header-B"], "Second Value")
self.assertContains(hdrs["Server"], "darkhttpd/")
assert body == self.data, [self.url, resp, status, hdrs, body]
self.assertEqual(body, self.data)
def test_custom_headers_not_found(self):
resp = self.get(self.not_found)
status, hdrs, body = parse(resp)
self.assertContains(status, '404 Not Found')
self.assertContains(hdrs["Server"], "darkhttpd/")
self.assertEqual(hdrs["X-Header-A"], "First Value")
self.assertEqual(hdrs["X-Header-B"], "Second Value")
def test_custom_headers_listing(self):
resp = self.get("/")
status, hdrs, body = parse(resp)
self.assertContains(status, '200 OK')
self.assertContains(body, '<a href="data.jpeg">data.jpeg</a>')
self.assertContains(body, 'Generated by darkhttpd/')
self.assertEqual(hdrs["Accept-Ranges"], "bytes")
self.assertEqual(hdrs["Content-Type"], "text/html; charset=UTF-8")
self.assertEqual(hdrs["X-Header-A"], "First Value")
self.assertEqual(hdrs["X-Header-B"], "Second Value")
self.assertContains(hdrs["Server"], "darkhttpd/")
def test_custom_headers_range(self):
resp = self.get(self.url, req_hdrs={'Range': 'bytes=0-99'})
status, hdrs, body = parse(resp)
self.assertContains(status, '206 Partial Content')
self.assertEqual(hdrs["Accept-Ranges"], "bytes")
self.assertEqual(hdrs["Content-Length"], '100')
self.assertEqual(hdrs["Content-Type"], "image/jpeg")
self.assertEqual(hdrs["X-Header-A"], "First Value")
self.assertEqual(hdrs["X-Header-B"], "Second Value")
self.assertContains(hdrs["Server"], "darkhttpd/")
assert body == self.data[0:100], [self.url, resp, status, hdrs, body]
self.assertEqual(body, self.data[0:100])
def test_custom_header_if_modified_since(self):
resp1 = self.get(self.url, method="HEAD")
status, hdrs, body = parse(resp1)
lastmod = hdrs["Last-Modified"]
resp2 = self.get(self.url, method="GET", req_hdrs=
{"If-Modified-Since": lastmod })
status, hdrs, body = parse(resp2)
self.assertContains(status, "304 Not Modified")
self.assertEqual(hdrs["Accept-Ranges"], "bytes")
self.assertFalse("Last-Modified" in hdrs)
self.assertFalse("Content-Length" in hdrs)
self.assertFalse("Content-Type" in hdrs)
self.assertEqual(hdrs["X-Header-A"], "First Value")
self.assertEqual(hdrs["X-Header-B"], "Second Value")
def test_custom_header_forward(self):
resp = self.get('/', req_hdrs={'Host': 'example.com'})
status, hdrs, body = parse(resp)
self.assertEqual(hdrs["X-Header-A"], "First Value")
self.assertEqual(hdrs["X-Header-B"], "Second Value")
self.assertContains(status, "301 Moved Permanently")
expect = "http://www.example.com/"
self.assertEqual(hdrs["Location"], expect)
self.assertContains(body, expect)
if __name__ == '__main__':
unittest.main()
# vim:set ts=4 sw=4 et:

1
group Normal file
View File

@ -0,0 +1 @@
nobody:x:65534:

1
passwd Normal file
View File

@ -0,0 +1 @@
nobody:x:65534:65534:nobody:/var/www/htdocs:/darkhttpd