From 5ea2e2e7ce34be3957e918eb18c079cb79df3df4 Mon Sep 17 00:00:00 2001 
From: single-right-quote <34298117+single-right-quote@users.noreply.github.com> Date: Tue, 11 Aug 2020 17:56:45 -0400 Subject: [PATCH] initial commit --- LICENSE | 661 ++++++++++++++++++++++ README.md | 163 ++++++ binaries/get-line-from-client.execline | 12 + binaries/headers.execline | 0 binaries/http-error-response.execline | 59 ++ binaries/http-header-parse.execline | 191 +++++++ binaries/http-start-line-parse.execline | 50 ++ binaries/httpd.execline | 269 +++++++++ binaries/log.execline | 13 + binaries/supported-hostname-test.execline | 54 ++ data/Content-Type_table/c | 1 + data/Content-Type_table/css | 1 + data/Content-Type_table/execline | 1 + data/Content-Type_table/html | 1 + data/Content-Type_table/ico | 1 + data/Content-Type_table/jpeg | 1 + data/Content-Type_table/jpg | 1 + data/Content-Type_table/js | 1 + data/Content-Type_table/market | 1 + data/Content-Type_table/png | 1 + data/Content-Type_table/txt | 1 + data/Content-Type_table/xhtml | 1 + data/extra_headers/default.example | 2 + log/run | 4 + run.template | 37 ++ 25 files changed, 1527 insertions(+) create mode 100644 LICENSE create mode 100644 README.md create mode 100755 binaries/get-line-from-client.execline create mode 100755 binaries/headers.execline create mode 100755 binaries/http-error-response.execline create mode 100755 binaries/http-header-parse.execline create mode 100755 binaries/http-start-line-parse.execline create mode 100755 binaries/httpd.execline create mode 100755 binaries/log.execline create mode 100755 binaries/supported-hostname-test.execline create mode 100644 data/Content-Type_table/c create mode 100644 data/Content-Type_table/css create mode 100644 data/Content-Type_table/execline create mode 100644 data/Content-Type_table/html create mode 100644 data/Content-Type_table/ico create mode 100644 data/Content-Type_table/jpeg create mode 100644 data/Content-Type_table/jpg create mode 100644 data/Content-Type_table/js create mode 100644 data/Content-Type_table/market create mode 
100644 data/Content-Type_table/png
create mode 100644 data/Content-Type_table/txt
create mode 100644 data/Content-Type_table/xhtml
create mode 100644 data/extra_headers/default.example
create mode 100755 log/run
create mode 100755 run.template
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..0ad25db
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,661 @@
+ GNU AFFERO GENERAL PUBLIC LICENSE
+ Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+ A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate. Many developers of free software are heartened and
+encouraged by the resulting cooperation. However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+ The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community. It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server. Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+ An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals. This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU Affero General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Remote Network Interaction; Use with the GNU General Public License.
+
+ Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software. This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published
+ by the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source. For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.
There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/README.md b/README.md new file mode 100644 index 0000000..1a31099 --- /dev/null +++ b/README.md 
@@ -0,0 +1,163 @@ +# httpd.execline: a simple\* static webserver ### + +`httpd.execline` performs the business logic of a a static HTTP mirror. it is +implemented in [execline](https://skarnet.org/software/execline/), in the same +sense that you could implement the business logic of a static HTTP server in +POSIX `sh(1)`, by wrangling Unix tools together which will actually perform the +useful tasks you want to get done. (the advantage of POSIX `sh(1)` for this job +is that it is far less verbose.) + +it takes a lot of inspiration from +[publicfile](https://cr.yp.to/publicfile.html), while trying to allow some level +of customization (custom HTTP headers, file-extension/MIME-type mapping +adjustments) without requiring you to edit code; here we use using a +filesystem-driven configuration where the hierarchical file structure amounts to +a simple structured key-value store. + +\* “simple” here better describes functionality than implementation. + +## usage ### + +if you’ve ever used the publicfile `httpd`, then the setup is familiar: +`httpd.execline` expects to be run in a directory where there is a subdirectory +matching every hostname the dæmon serves requests for; it will simply mirror the +contents of every file in that subdirectory it is allowed to read. + +in short: if `example.org` routed to your machine, then place a directory named +`./example.org` in the directory you’re running `./httpd.execline` from +(normally, this one). + +(you should consider ensuring `httpd.execline` not have any write permissions +for the hostname-directories and their contents.) 
+ +if you’re using `daemontools`-style process supervision (runit, daemontools, s6, +or the like), *and* you already have all the dependencies (see below), including +statically linked binaries in `./binaries` (see below), then adjust +paramaterized values in `./run.template` and rename it to `./run`, and drop this +directory into wherever your process supervision suite is looking for service +directories. (if you’re not using `s6`, you should replace `s6-log` in +`./log/run.) + +i haven’t used `systemd` for years, and as such, haven’t gotten around to +writing an equivalent unit file yet. + +### dependencies ### + +you will need a superserver to actually perform any networking; i use +[`s6-tlsserver`](https://skarnet.org/software/s6-networking/s6-tlsserver.html) +(which itself uses +[`s6-tcpserver`](https://skarnet.org/software/s6-networking/s6-tcpserver.html), +which you could use if you *don’t* need TLS), from +[`s6-networking`](https://skarnet.org/software/s6-networking/). + +furthermore, we assume your kernel supports `chroot`, and that you have +userspace-level access to the feature, like GNU coreutils `chroot(1)`. + +#### `./binaries` ### + +`httpd.execline` normally chroots into the directory it runs from, making it +difficult to use dynamically linked versions of its hard dependencies. a +feasible configuration is to place statically linked dependencies into +`./binaries`: + ++ [s6-portable-utils](https://skaret.org/software/s6-portable-utils/) +`s6-applyuidgid`, `s6-test` ++ [9base](https://tools.suckless.org/9base/): +`tr(1)` `read(1)`, `hoc(1)`, `sed(1)`, `grep(1)`, `urlencode(1)`, +`cleanname(1)`, `cat(1)` + [toybox](http://www.landley.net/toybox/): `wc(1)`, +`date(1p)`, `printenv(1)`, `stat(1)` + +we heavily rely on plan 9 regular expression semantics for `sed(1)` and +`grep(1)`; i expect translating them to coreutils or \*BSD userspace would be an +effort. so long as i am writing this code for myself, i will not perform that +effort for you. 
+ +i would like to note that **s6-test receives information controlled by the +client** and is thus **difficult to replace with a different take on +`test(1p)`**; the use of `s6-test` here relies on the (non-standard! but very +useful) functionality that an argument escaped with an initial backslash is +never interpreted as an option to the program. without s6-test, handling +user-controlled input *robustly* probably requires a workaround (piping into +`grep -s`, perhaps?) + +### additional, somewhat esoteric, functionality ### + +#### `Content-Type`s ### + +`httpd.execline` expects to see a subdirectory `./data/Content-Type_table`, +where files named after file extensions contain the MIME type such files should +be served as. for example, `data/Content-Type_table/html` should probably +contain the string `text/html`. + +this feature can be overriden on a per-file basis by making its extension have +the form `${1}=${2}`; such files will be served with a `Content-Type` of +`{1}/${2}` (with colons in `${1}` or `${2}` converted to periods). (for example, +a file named `index.text=x:market` will always be served with a `Content-Type` +of `text/x.market`.) + +if no `Content-Type` can be determined, `httpd.execline` falls back on +`application/octet-stream`. + +#### HTTP headers ### + +`httpd.execline` expects `./data/` to have another subdirectory named +`extra_headers`; and a file inside it named `default`, which may contain a +series of `\r\n`-terminated HTTP-heades inside. `default` can be overriden on a +per-file basis as follows: + +say you have a client-side webapp at `${YOUR_SITE_HERE}/webapp/index.html` and +you need a Content Security Policy that differs from the one specified in +`./data/extra_headers/default`; create a file named +`./data/extra_headers/${YOUR_SITE_HERE}/webapp/index.html` containing +`\r\n`-separated headers as necessary. + +the UI for this is not convenient. 
+ +#### HTTP status codes ### + +a subdirectory of `./data/` named `status_override` can override HTTP status +codes on a per-file basis the same way you can override HTTP headers. i use this +for 301 redirects. + +again, the interface to this feature in inconvenient. + +## implementatoin details ### + +### the subscripts ### + +as mentioned, this script relies on several smaller subscripts, themselves often +depedent on other subscripts. we list all subscripts in the implementation +below, along with their dependencies: + ++ `./get-line-from-client.execline`: read a line from the client, timing out +after 60 seconds + `./log.execline`: log, adding information useful for +debugging + `./http-error-resonse.execline`: send an http resposne indicating +error, halt(, and, optionally, log that we errored) ++ `./http-start-line-parse.execline`: parse the start line and export its +components into the environment + `./http-header-parse.execline`: parse the +headers and export them into the environment ++ `./supported-hostname-test.execline`: test if the first argument is a supported +hostname, to signal whether to short-circuiting during header parsing + +`./http-error-response.execline` depends on: + ++ `./log.execline` + +`./http-start-line-parse.execline` depends on: + ++ `./get-line-from-client.execline` + `./http-error-response.execline`: and thus ++ `./log.execline` + +`./http-header-parse.execline` depends on: + ++ `./get-line-from-client.execline` + `./http-error-response.execline`: and thus ++ `./log.execline` + +`./supported-hostname-test.execline` depends on: + ++ `./http-error-response.execline`: and thus + `./log.execline` + +looking at the dependencies, we observe that `get-line-from-client.execline` and +`http-error-response.execline` are fundamental building blocks for the rest of +the script. it seems worth considering consolidating the logger into the error +response script. 
diff --git a/binaries/get-line-from-client.execline b/binaries/get-line-from-client.execline new file mode 100755 index 0000000..f8c18c0 --- /dev/null +++ b/binaries/get-line-from-client.execline @@ -0,0 +1,12 @@ +#!/binaries/execlineb -WP +# wrapper around plan 9 read(1) to timeout after 60 seconds +# returns read(1)'s exit status + +trap -x -t 60000 { + timeout { + importas -i -u ! ! + kill -- ${!} + } +} +pipeline -w { tr -d "\r" } +read diff --git a/binaries/headers.execline b/binaries/headers.execline new file mode 100755 index 0000000..e69de29 diff --git a/binaries/http-error-response.execline b/binaries/http-error-response.execline new file mode 100755 index 0000000..f1e9f49 --- /dev/null +++ b/binaries/http-error-response.execline @@ -0,0 +1,59 @@ +#!/binaries/execlineb -WS2 +# http-error-response.execline STATUS_CODE STATUS_MESSAGE [LOG_MESSAGE] + +fdclose 0 +foreground { + if -t { s6-test \${#} = 3 } + log.execline "fatal: ??"${1}"??: "${3} +} + +# (why does `hoc -e` not work?) +backtick -i -n Content-Length { + backtick -i -n message_length { + pipeline { s6-echo -n -- ${2} } + wc -c + } + importas -i -u message_length message_length + + pipeline { s6-echo -- ${message_length}"*2 + 288" } + hoc +} + +backtick -i -n Date { date -u "+%a, %d %b %Y %T GMT" } + +backtick -i -n extra_headers { cat data/extra_headers/default } + +multisubstitute { + importas -i -u Content-Length Content-Length + importas -i -u Date Date + importas -i -u extra_headers extra_headers +} + +if { + s6-echo -n -- "HTTP/1.1 "${1}" "${2}"\r +Content-Type: application/xhtml+xml; charset=utf-8\r +Content-Length: "${Content-Length}"\r +Date: "${Date}"\r +"${extra_headers}"\r +\r + + + + + "${2}" + + + +
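Review bot: The trailing `read` has no limit on line length, so a client that sends bytes without a newline for the whole `trap -t 60000` window has the entire line buffered for 60 s per connection; the timeout bounds time, not memory, and every start line and header line of a request comes through this script. A cheap mitigation in the callers, in the style already used for `Content-Length`, is to measure the captured line with `wc -c` and answer 400 (431 for headers) above a few KiB; a cap applied before `read` would be better but needs a filter that does not read ahead. On that point, Plan 9 `read` deliberately consumes one byte at a time, but `tr` in front of it reads its input in buffered chunks, so bytes of the same request that arrive together with the first line may be swallowed when `read` exits — if 9base `tr` behaves like that, the `\r` is better stripped from the captured value in the callers than from the socket here. A comment stating the contract would help: `# reads exactly one line and must not read ahead: later calls on the same connection expect the rest`.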

"${2}"

+ + +" +} +# hack: write(3p) is unsafe +# +s6-sleep -m 512 diff --git a/binaries/http-header-parse.execline b/binaries/http-header-parse.execline new file mode 100755 index 0000000..09d9a58 --- /dev/null +++ b/binaries/http-header-parse.execline 
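Review bot: `Content-Length` is derived from `message_length*2 + 288`, a hard-coded byte count for the XHTML template, so any edit to the template silently desynchronises the header from the body and the client either truncates the page or waits for bytes that never arrive. Build the body once in a `backtick`, measure that value with `wc -c` (the existing `message_length` computation already does this for `${2}`), and emit the measured text; that also removes the `hoc` step the comment is unsure about. `${2}` is written into the XHTML body unescaped; today every caller passes a fixed string, which deserves a comment at the top: `# ${2} lands in the XHTML body unescaped: pass fixed strings only, never client-derived text`. The log argument `${3}` does carry client-derived text from the callers, so sanitising that belongs in log.execline rather than here.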
@@ -0,0 +1,191 @@ +#!/binaries/execlineb -W +## `http-header-parse.execline supported-hostname-test [rest of program]` +# +# expects a series of http headers from standard input +# exits syntax error otherwise +# +# current hard dependencies on external ./httpd.execline subscripts: +# +# + ./get-line-from-client.execline +# + ./http-error-response.execline: and thus, +# + ./log.execline +# +# the first argument is a program to call when parsing a `Host` header +# for the first time (usually the first line, but this convention is not +# required); it should exit zero on a hostname the program supports, +# and nonzero otherwise (in which case this program halts execution +# immediately.) +# +# on a successful parse, we export environment variables of the form +# `http_header_parse_${http_header}` and exec(3ps) into the remaining +# program (excluding the first argument, of course!) +# if we do not exec(3p) into that argument list, the program will halt +# completely, and **the currently exported environment variables will be +# unavailable**; thus the expectation that the remaining script will be +# passed as arguments, execline-style. +# this makes handling error cases difficult to do without hard depending +# on other `httpd.execline` subscripts. +# TODO: [hard, design problem]: export failure information into the +# environment, exec(3p)ing into the remaining program instead of exiting +# immediately +# +# dealing with Host headers makes this script much more complicated than +# it already needed to be. (turns out, existing servers often just ignore +# some of the MUSTs we respect here! dammit…) +# + +# the remaining program is supplied **after an initial argument we must +# preserve and use**. we have not found a way to handle this without losing +# efficiency (see the shebang (the "#!" line, on line 1)) +# +importas supported_hostname_test 1 +shift +elgetpositionals +emptyenv -P + +# the overall plan is a simple recursive(!) 
script: +# +# + on an empty line, exec into the remaining program +# + on a nomempty line, parse for a single header +# +# we use recursion to permanently modify the environment of the current +# process for the remaining script (passed as arugments) to read from; we +# simply cannot do this with execline’s built-in looping construct (which +# performs the equivalent of spawning a *subshell* on every iteration) +# this is a heavy weakness for implementing actual program logic; we expect +# the author of execline to never provide a convenient way to circumvent this +# problem, as supporting Actual Programming Logic is out of scope for the +# language (for example: see all the use of external tools `grep` and `sed` +# throughout `httpd.execline`, as execline’s string manipulation tools are +# (deliberately) very underpowered) +# + +backtick -i -n current_line { get-line-from-client.execline } + +### terminating case: empty line +# +# exec(3p) the remaining program +# +ifelse { + pipeline { printenv current_line } + grep -s "^ *$" +} +{ + # the client MUST send a Host header, halt otherwise + # + ifelse { s6-test ! -v http_header_parse_Host } + { + http-error-response.execline + 400 + "syntax error" + "client request lacking Host header" + } + + unexport current_line + unexport header_name + unexport header_contents + ${@} +} + +### recursive case: parse for a header +# +# after parsing, exec(3p) this script with the hostname validating +# subscript, then the remaing program, as arguments +# +backtick -I -n header_name { + pipeline { printenv current_line } + pipeline { sed -n "s/^([^ :]+):.*/\\1/p" } + read +} +backtick -I -n header_contents { + pipeline { printenv current_line } + # strip spaces or tabs from end of line + # then print the second token verbatim + # + # whitespace between header name and contents is optional + # + pipeline { sed -n "s/( )*$//; s/^[^ ]+ *([^ ].*)/\\1/p" } + read +} +ifelse { + s6-test ! -v header_name -o + ! 
-v header_contents +} +{ + importas -i current_line current_line + http-error-response.execline + 400 + "syntax error" + "http-header-parse.execline: bad header line: \""${current_line}\" +} + +multisubstitute { + importas -i -u header_name header_name + importas -i -u header_contents header_contents +} + +#### special case: host header +# +# short circuits the program +# TODO: [hard, design problem]: short circuit but exec(3p) into the +# remaining program +# +ifelse { s6-test \${header_name} = Host } +{ + # we MUST 400 on multiple Host headers + # + ifelse { s6-test -v http_header_parse_Host } + { + http-error-response.execline + 400 + "syntax error" + "http-header-parse.execline: multiple Host headers!??" + } + + # validate hostnames, exiting on syntactically illegal ones + # + ifelse { + define hexadecimal "[0-9a-fA-F]" + multisubstitute { + # + dns-resolved hostname + define domain_name "[a-zA-Z0-9\-.]+" + + # + ipv6 address (TODO: handle robustly) + define approximate_ipv6 "("${hexadecimal}"+)?(::"${hexadecimal}")+" + + # + port string + define port ":[0-9]+" + } + # + # as we understand it, a valid ipv4 address is always a valid + # domain name address, so we do not actually have to handle + # that… + # + pipeline { s6-echo -n -- ${header_contents} } + grep -sv "^ *(("${domain_name}")|("${approximate_ipv6}"))("${port}")? *$" + } + { + http-error-response.execline + 400 + "syntax error" + "illegal host: "\"${header_contents}\" + } + + # short circuit on unsupported hostnames + # + ifelse -n { ${supported_hostname_test} ${header_contents} } + { + fdclose 0 + exit 0 + + } + export http_header_parse_${header_name} ${header_contents} + ${0} + ${supported_hostname_test} + ${@} +} + +export http_header_parse_${header_name} ${header_contents} +${0} + ${supported_hostname_test} + ${@} diff --git a/binaries/http-start-line-parse.execline b/binaries/http-start-line-parse.execline new file mode 100755 index 0000000..e76fd3c --- /dev/null 
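Review bot: `s6-test \${header_name} = Host` compares the field name case-sensitively, but HTTP field names are case-insensitive (RFC 7230 §3.2), so a client or an HTTP/2-to-1.1 proxy that sends `host:` gets a 400 for a missing Host header, and the duplicate-Host check is bypassed by mixing cases. Lower-case `header_name` once after it is captured (plan 9 `tr A-Z a-z` is already in `./binaries`), compare against `host`, and export the canonical name for the special case so `http_header_parse_Host` keeps working for httpd.execline. There is also no ceiling on the number of header lines: each recursion re-execs the whole chain with a larger environment, so a client can keep the process busy until the 60 s timer expires; carrying a counter in the environment and answering 431 after, say, 100 headers is cheap. The captured name `[^ :]+` additionally admits `=` and control characters, which become part of an environment variable name on `export`; restricting it to the RFC 7230 token characters avoids malformed environment entries.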
+++ b/binaries/http-start-line-parse.execline @@ -0,0 +1,50 @@ +#!/binaries/execlineb -WS1 +# expects a start line from an http request from standard input +# exits syntax error otherwise +# +# current hard dependencies on `httpd.execline` subscripts: +# +# + ./get-line-from-client.execline +# + ./http-error-response.execline: and, thus +# + ./log.execline +# +# on success, exports +# +# + http_start_line_parse_method +# + http_start_line_parse_resource +# + http_start_line_parse_version +# +# containing the request's method, requested resource, and http version +# it then exec(3p)s into its command line + +backtick -i -n start_line { get-line-from-client.execline } +backtick -I -n http_start_line_parse_method { + pipeline { printenv start_line } + pipeline { sed -n "s@^(CONNECT|DELETE|GET|HEAD|OPTIONS|PATCH|POST|PUT|TRACE) +.*@\\1@p" } + read +} +backtick -I -n http_start_line_parse_resource { + pipeline { printenv start_line } + pipeline { sed -n "s@^[^ ]+ +(/[^ ]*) +.*@\\1@p" } + read +} +backtick -I -n http_start_line_parse_version { + pipeline { printenv start_line } + pipeline { sed -n "s@.*HTTP/([0-9]\.[0-9]) *@\\1@p" } + read +} + +importas -i -u start_line start_line +ifelse { + s6-test ! -v http_start_line_parse_method -o + ! -v http_start_line_parse_resource -o + ! -v http_start_line_parse_version +} +{ + http-error-response.execline + 400 + "syntax error" + "http-start-line-parse.execline: (bad) start line: \""${start_line}\" +} + +${@} diff --git a/binaries/httpd.execline b/binaries/httpd.execline new file mode 100755 index 0000000..a7a6e93 --- /dev/null +++ b/binaries/httpd.execline 
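Review bot: The captured `http_start_line_parse_version` is never validated: `[0-9]\.[0-9]` accepts `HTTP/0.9` or `HTTP/9.9`, the request is then processed as HTTP/1.1 and the Host header is demanded unconditionally by the header parser, although HTTP/1.0 clients are not required to send one. A check in the style of the method test, `s6-test \${http_start_line_parse_version} = 1.1 -o \${http_start_line_parse_version} = 1.0`, answering 505 otherwise, pins the behaviour down; whether to relax the Host requirement for 1.0 is then a deliberate choice. Note also that `(/[^ ]*)` rejects absolute-form targets (`GET http://host/path HTTP/1.1`) with a 400, which RFC 7230 §5.3.2 asks servers to accept; if that is intentional, say so in the header comment.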
@@ -0,0 +1,269 @@ +#!/usr/local/skarnet/bin/execlineb -WP +## `httpd.execline`: a simple static web server ### +# +# i would like to note that simplicity is relative; the *implementation* of +# this simple functionality is not exactly simple. there are several subscripts +# with sufficently complex and (in all but one case) reusable functionality +# that we separate them out. +# unfortunately, many themselves are (currently )dependent on other subscripts. + +### the http/1.1 protocol, oversimplified ### +# +# a client sends a request that normally looks something like +# +# ``` +# > [http_method] [resource] [http version]\r +# > Host: [hostname]\r +# > [quite possibly many other headers]\r +# > \r +# ``` +# +# (note the `\r`s before newlines. +# (also: the Host header does not *have* to be the second line) +# +# we respond to the client appropriately, using to the following template: +# +# ``` +# < HTTP/1.1 [status code] [status message]\r +# < Content-Type: [MIME type of the message body]\r +# < Content-Length: [size of message body in bytes]\r +# < Date: [the time as of this response]\r +# < [Last-Modified: [date of the resource’s last revision]]\r +# < \r +# < [content, sent verbatim] +# ``` +# +# we do not follow the http/1.1 protocol precisely, but it is enough to satisfy +# web browsers and tools like `curl(1)`, and to handle misbehaving clients. +# + +### brief httpd.execline overview ## +# +# 1. sandboxing (paranoia?) +# 2. read, validate the start line and Host header sent by the client +# 3. find resource, determine its filetype +# 4. send response to client +# + +#### 1. 
sandboxing ### +# +# this recreates a security measure we picked up from `publicfile`: if this +# server should somehow be hijacked, it will not be able to escape the +# directory it runs in, and it will be running as an unpriveleged user +# in the setup of this server, the user `httpd` owns no files or directories in +# the change-rooted directory, nor does it have any write permissions for those +# files and directories, so a hijacked process will not be able to do very much +export PATH /binaries +chroot . +s6-applyuidgid -U -z + +# see `./log.execline` +export program_name httpd.execline + +# see end of script: handle crashes (or syntax errors in this script,) cleanly +if -X -n -t { + #### 2. read from client, with interspersed validation ### + ##### 2.1. start line ### + http-start-line-parse.execline + multisubstitute { + importas -i -u method http_start_line_parse_method + importas -i -u requested_resource http_start_line_parse_resource + } + ifelse -n { + s6-test \${method} = HEAD -o + \${method} = GET + } + { + http-error-response.execline + 501 + "method not implemented" + "unsupported method: \""${method}\" + } + + ##### 2.2. headers ### + http-header-parse.execline + supported-hostname-test.execline + # if we reach this point, all headers from the client request will be + # available in environment variables named after the header, in the form + # http_header_parse_${Header_Name}. + # that said, we use only `Host` here. + # `/http-header-parse.execline` is implemented in a wonderfully silly way + importas -i -u hostname http_header_parse_Host + + # we don’t need to read anything more from the client + fdclose 0 + + foreground { + log.execline + "info:" + "client request:" + "for \""${hostname}\"":" + \"${method}\" + \"${requested_resource}\" + } + + #### 3. 
process requested resource ### + backtick -i -n resource { + backtick -i -n candidate_resource { + backtick -in with_dot_and_dot_dot { + pipeline { s6-echo -n -- ${requested_resource} } + # + # strip query string, or resource location + # + pipeline { sed "s/[?#].*//; s@/\\.\\.?/@/@g" } + # decode url-encodings, if any + urlencode -d + } + importas -i -u with_dot_and_dot_dot with_dot_and_dot_dot + # include the hostname in the final resource name + # + if { s6-echo -n -- ${hostname} } + # handle dot and dot-dot directory semantics + # we prepend the hostname to the result, ensuring + # `${resource}` will route to somewhere inside the + # subdirectory named after the host + cleanname ${with_dot_and_dot_dot} + } + importas -i -u candidate_resource candidate_resource + + # `${directory}` -> `${directory}/index.xhtml` + ifelse { s6-test -d \${candidate_resource} } + { + s6-echo -n -- ${candidate_resource}/index.xhtml + } + s6-echo -n -- ${candidate_resource} + } + importas -i resource resource + ifelse { s6-test ! -r \${resource} } + { + http-error-response.execline + 404 + "not found" + "attempted: \""${resource}\" + } + + #### 4. send response ### + ##### 4.1. determine found resource's Content-Type ### + # + backtick -i -n Content-Type { + backtick -D "no.extension" -n extension { + pipeline { printenv resource } + # strip everything up to the non-periods after the final + # period in the string + # + pipeline { sed -n "s/.+\\.([^.]+)$/\\1/p" } + read + } + + # publicfile-style custom filetypes: `file.{1}={2}` is served + # with `Content-Type` `${1}/${2}`. 
colons in the extension are + # transformed into periods, allowing files like + # `index.text=x:market` being served as `text/x.market` + # + # this overrides any other Content-Type determination mechanism + ifelse { + pipeline { printenv extension } + # this regex matches exactly what `publicfile` does + # + grep -s "[a-zA-Z0-9]+=[^=]+$" + } + { + pipeline { printenv extension } + tr := ./ + } + + # use `./data/Content-Type_table` as a key-value store: files with + # the name ${extension} map to the `Content-Type` embedded in + # their contents. for example, `./data/Content-Type_table/xhtml` + # contains the text “application/xhtml+xml” (with no newline) + # (it is fine if the file contains a single newline at the end) + # + # if no key exists with the extension’s name, we fall back on + # “application/octet-stream”, as we should + importas -i -u extension extension + ifelse { s6-test -r \\./data/Content-Type_table/${extension} } + { + cat ./data/Content-Type_table/${extension} + } + s6-echo -n -- application/octet-stream + } + + ##### 4.2. miscellaneous headers ### + # TODO: separate this out, ideally make reusable + + # file length in bytes: SHOULD be provided + backtick -i -n Content-Length { stat -c%s -- ${resource} } + + # "[weekday], [month-day] [month] [year] [hours:minutes:seconds] GMT" + # (example: "Tue, 03 Mar 2020 21:06:08 GMT") + define date_format "+%a, %d %b %Y %T GMT" + + # the date the resource was last modified SHOULD be provided + backtick -i -n Last-Modified { + backtick -i -n seconds_since_epoch { stat -c%Y -- ${resource} } + importas -i -u seconds_since_epoch seconds_since_epoch + date -d @${seconds_since_epoch} -u ${date_format} + } + + # current time of response: SHOULD be provided (why?) + backtick -i -n Date { date -u ${date_format} } + + + # allow for arbitrary HTTP header and HTTP status code overrides. 
+ # for an example where the former might be useful, consider Content + # Security Policy; for the latter, consider HTTP 301 redirects + # + # be warned!! we do not validate these overrides! + backtick -i -n extra_headers { + ifelse { s6-test -r \\data/extra_headers/override/${resource} } + { + cat data/extra_headers/override/${resource} + } + cat data/extra_headers/default + } + + backtick -D "200 ok" -n status_code_and_message { + if { s6-test -r \\data/status_override/${resource} } + cat data/status_override/${resource} + } + + ##### 4.3. send the response ### + multisubstitute { + importas -i -u status_code_and_message status_code_and_message + importas -i -u Content-Length Content-Length + importas -i -u Content-Type Content-Type + importas -i -u Date Date + importas -i -u Last-Modified Last-Modified + importas -i -u extra_headers extra_headers + } + if { + s6-echo -n -- "HTTP/1.1 "${status_code_and_message}"\r +Content-Type: "${Content-Type}"\r +Content-Length: "${Content-Length}"\r +Last-Modified: "${Last-Modified}"\r +Date: "${Date}"\r +"${extra_headers}"\r +\r +" + } + foreground { + if -t { s6-test \${method} = GET } + cat ${resource} + } + # hack: write(3p) does not guarantee that all the + # content actually gets written before this process + # closes, and will not indicate in any way if a full + # write did not happen. a half second seems to be + # Long Enough to protect against this… hopefully… + s6-sleep -m 512 + # TODO: (?) persistent connections? (recursion??) +} + ##### end of script + # catches crashes (and syntax errors,,), and other unexpected things + # useful for debugging! otherwise, clients might do strange things + # + # probably a bad sign this is still left in lol + http-error-response.execline + 500 + "internal server error" + "(i/o error? timeout?)" diff --git a/binaries/log.execline b/binaries/log.execline new file mode 100755 index 0000000..aecc5d1 --- /dev/null +++ b/binaries/log.execline 
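Review bot: The 404 branch logs the URL-decoded `${resource}`, so a request path containing `%0a` or other encoded control bytes writes attacker-chosen lines into the log stream (the start line itself is newline-free, but `urlencode -d` runs before this log call). Log the undecoded `${requested_resource}` there, or strip control characters before logging — the latter is best done once in log.execline, which is the sink for every caller. Separately, `cat ${resource}` in section 4.3 lacks the `--` that `stat -c%s -- ${resource}` uses; `cat -- ${resource}` keeps the two consistent. Traversal containment rests on `cleanname` refusing to climb above `/` before the hostname is prepended (the earlier `sed` runs before `urlencode -d`, so it never sees `%2e%2e`); a comment at the `cleanname` call saying it is the real guard, plus a test with encoded dot-dot sequences, would make that explicit.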
@@ -0,0 +1,13 @@
+#!/binaries/execlineb -WS1
+
+multisubstitute {
+ importas -D "" program_name program_name
+ importas -D "no client process id?" process_id process_id
+ importas -D "no remote ip address (not being run from an UCPSI server?)" remote_ip TCPREMOTEIP
+ importas -D "no remote port (not being run from an UCPSI server?)" remote_port TCPREMOTEPORT
+}
+
+fdmove -c 1 2
+s6-echo --
+ ${program_name}": pid "${process_id}" ip "${remote_ip}":"${remote_port}":"
+ ${@}
diff --git a/binaries/supported-hostname-test.execline b/binaries/supported-hostname-test.execline
new file mode 100755
index 0000000..80a7af9
--- /dev/null
+++ b/binaries/supported-hostname-test.execline
@@ -0,0 +1,54 @@
+#!/binaries/execlineb -WS1
+# `supported-hostname-test.execline hostname`
+#
+# tests if `hostname` is supported by this server, by checking if
+# a directory by that exact name exists in the current working directory
+# immediately 404s otherwise
+#
+# hard depends on these external `httpd.execline` subscripts:
+#
+# + ./http-error-response.execline: and thus,
+# + ./log.execline
+#
+
+# protect Special Subdirectories
+#
+# + `/binaries` is change root--available static binaries and helper scripts
+# + `tcp-access-rules` for the pseudo-firewall
+# + `.` and `..` are to disallow clients being Naughty
+# + the other directories are for process supervision things
+#
+# note: general policy for this server is to 404 where we "should" 403.
+#
+ifelse {
+ s6-test \${1} = binaries -o
+ \${1} = data -o
+ \${1} = event -o
+ \${1} = log -o
+ \${1} = supervise -o
+ \${1} = tcp-access-rules -o
+ \${1} = . -o
+ \${1} = ..
+}
+{
+ if {
+ http-error-response.execline
+ 404
+ "not found"
+ "illegal host: \""${1}\"
+ }
+ exit 1
+}
+# reject unsupported hostnames
+#
+ifelse { s6-test ! -d \${1} }
+{
+ if {
+ http-error-response.execline
+ 404
+ "not found"
+ "unsupported host: \""${1}\"
+ }
+ exit 1
+}
+exit 0
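Review bot: `s6-echo -- … ${@}` writes its arguments verbatim, and the callers pass client-controlled text in them (the bad-header line, the start line, the decoded resource in the 404 message), so ESC sequences or an embedded newline reach the log unmodified; this script is the single sink where control characters should be removed so that one log call stays one record. Route the message through a filter before it is written, e.g. `pipeline { s6-echo -- ... } tr -d` of the C0 control range with the plan 9 `tr` already in `./binaries`, and say so in a header comment: `# arguments may contain raw client bytes: control characters are stripped here`. The script has no header comment at all; the other subscripts document their hard dependencies and environment contract, and this one reads `program_name`, `process_id`, `TCPREMOTEIP` and `TCPREMOTEPORT`, which is worth stating.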
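Review bot: The protection of special directories is a deny list (`binaries`, `data`, `event`, `log`, `supervise`, `tcp-access-rules`, `.`, `..`), so any other directory that appears in the service directory becomes a servable virtual host on the next request that names it — the hostname grammar in http-header-parse admits a leading dot, so a `.git` checkout deployed alongside `run` would answer to `Host: .git`. An allow list is safer: keep host directories under one dedicated subdirectory and test `s6-test -d \hosts/${1}` (any fixed name works), or compare `${1}` against an explicit list of served names. The name also reaches the filesystem exactly as typed, so `Host: EXAMPLE.ORG` or a trailing-dot FQDN 404s although DNS treats them as the same name; lower-casing and dropping a trailing dot before the `-d` test is cheap and would be worth a comment.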
diff --git a/data/Content-Type_table/c b/data/Content-Type_table/c
new file mode 100644
index 0000000..4eed93f
--- /dev/null
+++ b/data/Content-Type_table/c
@@ -0,0 +1 @@
+text/x.c; charset=utf-8
\ No newline at end of file
diff --git a/data/Content-Type_table/css b/data/Content-Type_table/css
new file mode 100644
index 0000000..5bc394d
--- /dev/null
+++ b/data/Content-Type_table/css
@@ -0,0 +1 @@
+text/css
\ No newline at end of file
diff --git a/data/Content-Type_table/execline b/data/Content-Type_table/execline
new file mode 100644
index 0000000..1ce14d2
--- /dev/null
+++ b/data/Content-Type_table/execline
@@ -0,0 +1 @@
+text/x.execline; charset=utf-8
\ No newline at end of file
diff --git a/data/Content-Type_table/html b/data/Content-Type_table/html
new file mode 100644
index 0000000..f79d269
--- /dev/null
+++ b/data/Content-Type_table/html
@@ -0,0 +1 @@
+text/html; charset=utf-8
\ No newline at end of file
diff --git a/data/Content-Type_table/ico b/data/Content-Type_table/ico
new file mode 100644
index 0000000..cadc3b9
--- /dev/null
+++ b/data/Content-Type_table/ico
@@ -0,0 +1 @@
+image/png
\ No newline at end of file
diff --git a/data/Content-Type_table/jpeg b/data/Content-Type_table/jpeg
new file mode 100644
index 0000000..29e455a
--- /dev/null
+++ b/data/Content-Type_table/jpeg
@@ -0,0 +1 @@
+image/jpeg
\ No newline at end of file
diff --git a/data/Content-Type_table/jpg b/data/Content-Type_table/jpg
new file mode 100644
index 0000000..29e455a
--- /dev/null
+++ b/data/Content-Type_table/jpg
@@ -0,0 +1 @@
+image/jpeg
\ No newline at end of file
diff --git a/data/Content-Type_table/js b/data/Content-Type_table/js
new file mode 100644
index 0000000..54eef4f
--- /dev/null
+++ b/data/Content-Type_table/js
@@ -0,0 +1 @@
+application/js
\ No newline at end of file
diff --git a/data/Content-Type_table/market b/data/Content-Type_table/market
new file mode 100644
index 0000000..70a0914
--- /dev/null
+++ b/data/Content-Type_table/market
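Review bot: `application/js` in `data/Content-Type_table/js` is not a registered JavaScript media type, and a browser honouring `X-Content-Type-Options: nosniff` refuses to execute a script served with a non-JavaScript type, so any site that adds that header to `extra_headers` loses its scripts; use `text/javascript` (`application/javascript` also works). The `ico` entry maps to `image/png`, which is only right when the favicon files really are PNG-encoded; a classic `.ico` container should be `image/vnd.microsoft.icon`. If the PNG mapping is deliberate for this deployment, a note in the README's `Content-Type`s section would save the next reader the check.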
@@ -0,0 +1 @@
+text/x.market; charset=utf-8
\ No newline at end of file
diff --git a/data/Content-Type_table/png b/data/Content-Type_table/png
new file mode 100644
index 0000000..cadc3b9
--- /dev/null
+++ b/data/Content-Type_table/png
@@ -0,0 +1 @@
+image/png
\ No newline at end of file
diff --git a/data/Content-Type_table/txt b/data/Content-Type_table/txt
new file mode 100644
index 0000000..a2ef29a
--- /dev/null
+++ b/data/Content-Type_table/txt
@@ -0,0 +1 @@
+text/plain; charset=utf-8
\ No newline at end of file
diff --git a/data/Content-Type_table/xhtml b/data/Content-Type_table/xhtml
new file mode 100644
index 0000000..1140ed9
--- /dev/null
+++ b/data/Content-Type_table/xhtml
@@ -0,0 +1 @@
+application/xhtml+xml; charset=utf-8
\ No newline at end of file
diff --git a/data/extra_headers/default.example b/data/extra_headers/default.example
new file mode 100644
index 0000000..12184e2
--- /dev/null
+++ b/data/extra_headers/default.example
@@ -0,0 +1,2 @@
+Strict-Transport-Security: max-age=2175984000
+X-Clacks-Overhead: GNU Natalie Nguyen
diff --git a/log/run b/log/run
new file mode 100755
index 0000000..330b8e6
--- /dev/null
+++ b/log/run
@@ -0,0 +1,4 @@
+#!/usr/local/skarnet/bin/execlineb -WP
+
+s6-setuidgid httpd
+s6-log t /log/httpd
diff --git a/run.template b/run.template
new file mode 100755
index 0000000..342814e
--- /dev/null
+++ b/run.template
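Review bot: `max-age=2175984000` in data/extra_headers/default.example pins HSTS for roughly 69 years, which is effectively permanent: once a client has seen it, any later inability to present a valid certificate for the site (or a decision to stop serving TLS) locks that client out until it clears its HSTS state by hand. One or two years (`max-age=31536000` or `max-age=63072000`) is the usual value and is already long enough for the browser preload lists; `; includeSubDomains` should be added only if every subdomain is served over TLS. Since this is the file operators copy to deploy, the README entry for `extra_headers` should say that the header is sent on every response and what the chosen lifetime commits them to.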
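Review bot: The interpreter path `#!/usr/local/skarnet/bin/execlineb` in log/run differs from `#!/bin/execlineb` in run.template, although both scripts run on the host outside the chroot that the `#!/binaries/execlineb` scripts use, so on any given install one of the two will fail to exec. Pick one location for both, or document in the README which path the deployment must provide. `s6-log t /log/httpd` also relies on s6-log's default size and rotation settings; stating them explicitly (for example `s6-log t s10000000 n20 /log/httpd`, values illustrative) would make the retention policy visible and keep the log directory from growing unnoticed.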
@@ -0,0 +1,37 @@
+#!/bin/execlineb -WP
+#
+# example `run` script for daemontools-style process supervision
+# replace contents in `${}` and copy to `./run`
+
+# for logging: redirect standard error to standard output
+fdmove -c 2 1
+
+# clear the entire environment except for PATH
+emptyenv -p
+
+# required by `s6-tld`
+export CERTFILE /etc/letsencrypt/live/${YOUR_SITE_HERE}/fullchain.pem
+export KEYFILE /etc/letsencrypt/live/${YOUR_SITE_HERE}/privkey.pem
+
+# we run as root until very early in `./binaries/httpd.execline` and `s6-tlsd`; this sets up environment variables for dropping priveleges
+#
+# sample numerical user ID for user `s6-tlsd` runs as (after reading certificate)
+export TLS_UID ${YOUR_TLS_USER_USER_ID_HERE}
+export TLS_GID ${YOUR_TLS_USER_GROUP_ID_HERE}
+# user for ./binaries/httpd.execline (after `chroot(8)`)
+s6-envuidgid ${YOUR_HTTP_USER_NAME_HERE}
+
+# somewhat verbose command line to make the httpd able to log the PID reported by s6-tcpserver
+# (s6-tcpserver prints the pid of `s6-tlsd`, but `./httpd.execline` is a child of said PID)
+s6-tcpserver4
+ # for logging: log beginning and end of every connection
+ -v 2
+ # allow 1000 simultaneous connections; allow them all to be from the same ip address
+ -c 1000 -C 1000
+ --
+ ${YOUR_IP_ADDRESS_HERE}
+ 443
+ getpid process_id # for logging
+ s6-tlsd
+ --
+ ./binaries/httpd.execline
-- 
2.47.3
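Review bot: `-c 1000 -C 1000` on the s6-tcpserver4 line sets the per-address limit equal to the global one, so a single source address can hold all 1000 connection slots and every other client is refused; the comment says this is deliberate, but a lower `-C` (say `-C 100`, value illustrative) keeps the global cap while bounding what one address can take, which matters for a template people will deploy as-is. The comment `# required by \`s6-tld\`` above the CERTFILE/KEYFILE exports should read `s6-tlsd`, and `priveleges` in the comment below it should be `privileges`. It would also help the person filling in the placeholders to note beside `export KEYFILE` that the private key file must be readable only by root, since it is opened before the drop to TLS_UID/TLS_GID that the following comments describe.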
