geofiltering-thruster 0.1.17-aarch64-linux → 0.1.19-aarch64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f543af5af6cfe69aabe15049058fd6339b76db668c5d2a787e9f27e405cc480a
-  data.tar.gz: 1b89e4648a92a5cabb0809dc94d1ea38e93278e1db5b8a2302250e0f0267c7b5
+  metadata.gz: 90d7099f402d8291a8f9057a1262685d22632068b9159b732c1bef76442667eb
+  data.tar.gz: 9406f63b55e8d58aae8b287c66321335c517f3ff18d9e59c3a77fdfc52f524ba
 SHA512:
-  metadata.gz: fda5395d7a5a91137400ca1417983a515a084bf775cc7a80796e202796c4f77b18b4a75be39ac2b6e71890f27a934ae5d68e326eb1462485ec5cdf114ad2bbd9
-  data.tar.gz: d67b80c47130716ee8eccdda2b3698b2f59d54bc41c5bddd2f4be8ee9103e404ef942a65a7bc2acd6ab4f33ae8426227569037934a2ff671f3bb02f278f9712c
+  metadata.gz: b3da5dd5c271a2535181c8ec525b5ed4554c4fd0fecff4d2a0acc4d491348a7202033ef2cef44364b7c1070ad19d794b5750f0196548c8acda83bb88cf48aaae
+  data.tar.gz: 1c208ce9b34f63eeb5d8bbd39358d4d622049438a744b9820e264e65b613677694220bcab8e40bc7d58bec5af2991b882ecaf9ffa41889b07bee638ee021b8ac

data/README.md

@@ -44,13 +44,13 @@ automatically fetch the appropriate binary for your platform.
 To install it, add it to your application's Gemfile:
 
 ```ruby
-gem 'thruster'
+gem 'geofiltering-thruster'
 ```
 
 Or install it globally:
 
 ```sh
-$ gem install thruster
+$ gem install geofiltering-thruster
 ```
 
 
@@ -82,7 +82,9 @@ environment variables that you can set.
 | `TARGET_PORT`               | The port that your Puma server should run on. Thruster will set `PORT` to this value when starting your server. | 3000 |
 | `CACHE_SIZE`                | The size of the HTTP cache in bytes. | 64MB |
 | `MAX_CACHE_ITEM_SIZE`       | The maximum size of a single item in the HTTP cache in bytes. | 1MB |
-| `GZIP_COMPRESSION_ENABLED`  | Whether to enable gzip compression for static assets. Set to `0` or `false` to disable. | Enabled |
+| `GZIP_COMPRESSION_ENABLED`  | Whether to enable gzip compression for responses. Set to `0` or `false` to disable. | Enabled |
+| `GZIP_COMPRESSION_DISABLE_ON_AUTH` | If set to `true`, disable gzip compression for authenticated requests with `Cookie`, `Authorization`, or `X-Csrf-Token` headers. | `false` |
+| `GZIP_COMPRESSION_JITTER`   | The amount of random jitter (in bytes) to add to the compressed response size to mitigate BREACH attacks. Set to `0` to disable. | 32 |
 | `X_SENDFILE_ENABLED`        | Whether to enable X-Sendfile support. Set to `0` or `false` to disable. | Enabled |
 | `MAX_REQUEST_BODY`          | The maximum size of a request body in bytes. Requests larger than this size will be refused; `0` means no maximum size is enforced. | `0` |
 | `STORAGE_PATH`              | The path to store Thruster's internal state. Provisioned TLS certificates will be stored here, so that they will not need to be requested every time your application is started. | `./storage/thruster` |
@@ -92,6 +94,7 @@ environment variables that you can set.
 | `HTTP_IDLE_TIMEOUT`         | The maximum time in seconds that a client can be idle before the connection is closed. | 60 |
 | `HTTP_READ_TIMEOUT`         | The maximum time in seconds that a client can take to send the request headers and body. | 30 |
 | `HTTP_WRITE_TIMEOUT`        | The maximum time in seconds during which the client must read the response. | 30 |
+| `H2C_ENABLED`               | Set to `1` or `true` to enable h2c (http/2 cleartext) | Disabled |
 | `ACME_DIRECTORY`            | The URL of the ACME directory to use for TLS certificate provisioning. | `https://acme-v02.api.letsencrypt.org/directory` (Let's Encrypt production) |
 | `EAB_KID`                   | The EAB key identifier to use when provisioning TLS certificates, if required. | None |
 | `EAB_HMAC_KEY`              | The Base64-encoded EAB HMAC key to use when provisioning TLS certificates, if required. | None |
@@ -123,3 +126,18 @@ When a request is processed with GeoIP2 enabled, Thruster will add the following
 Your Rails application can then access this information via `request.headers['X-GeoIP-Country']`.
 
 **Note:** You'll need to obtain a GeoIP2 database file from MaxMind. The free GeoLite2 databases are available at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data.
+
+### GeoLite2 Licensing and Attribution
+
+If you use this proxy with GeoLite2 data, you are responsible for complying with the applicable MaxMind GeoLite2 license terms and requirements, including attribution and update/destruction obligations.
+
+## Security
+
+### BREACH Mitigation
+
+Thruster includes built-in mitigation for the [BREACH attack](https://breachattack.com/), which allows attackers to extract secrets from compressed encrypted traffic.
+
+1.  **Random Jitter (Enabled by Default)**: Thruster adds a random amount of "jitter" (padding) to the size of compressed responses. This makes it significantly harder for attackers to infer the content based on the compressed size. The default jitter is 32 bytes, controlled by `GZIP_COMPRESSION_JITTER`.
+2.  **Compression Guard (Optional)**: For higher security, you can disable compression entirely for authenticated requests (requests containing `Cookie`, `Authorization`, or `X-Csrf-Token` headers) by setting `GZIP_COMPRESSION_DISABLE_ON_AUTH=true`. This eliminates the side-channel entirely for sensitive traffic but may increase bandwidth usage.
+
+By default, Thruster prioritizes performance while providing baseline protection via jitter. Operators with strict security requirements should consider enabling the Compression Guard.

data/lib/thruster/version.rb

@@ -1,3 +1,3 @@
 module Thruster
-  VERSION = "0.1.17"
+  VERSION = '0.1.19'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: geofiltering-thruster
 version: !ruby/object:Gem::Version
-  version: 0.1.17
+  version: 0.1.19
 platform: aarch64-linux
 authors:
 - Kevin McConnell
@@ -44,7 +44,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Zero-config HTTP/2 proxy with GeoIP filtering
 test_files: []