rack-tls_tools 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +9 -0
- data/.travis.yml +6 -0
- data/Gemfile +11 -0
- data/LICENSE.txt +21 -0
- data/README.md +132 -0
- data/Rakefile +11 -0
- data/bin/console +14 -0
- data/bin/setup +7 -0
- data/lib/rack-tls_tools.rb +1 -0
- data/lib/rack/tls_tools.rb +8 -0
- data/lib/rack/tls_tools/hpkp.rb +55 -0
- data/lib/rack/tls_tools/hsts.rb +38 -0
- data/lib/rack/tls_tools/secure_cookies.rb +34 -0
- data/lib/rack/tls_tools/version.rb +5 -0
- data/rack-tls_tools.gemspec +24 -0
- metadata +101 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 142ab0d969273c9be4f7f457aab4e2407f926493
|
4
|
+
data.tar.gz: 25df1c6e73c1c9a2aa85e14ebb54a6ada3218ec1
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 788fe7f194feb7bb7663becb4b9cdd8ec4f2de9c32e57d229b830a1a9a4481f6d2b9067323b6c3826e1c0b596fd673c88924fe0cfb5fcea254923b3369276dc2
|
7
|
+
data.tar.gz: ba1d9dfd34301a50f59928a143253571b9b8345fcf45fd369a05a528c3b134a07280a0b6da672e190d26e059c551af4f08c9e6d4725c8d6b94870429565fdcc2
|
data/.gitignore
ADDED
data/.travis.yml
ADDED
data/Gemfile
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
The MIT License (MIT)
|
2
|
+
|
3
|
+
Copyright (c) 2015 Jens Kraemer
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in
|
13
|
+
all copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
21
|
+
THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,132 @@
|
|
1
|
+
# Rack::TlsTools [](https://travis-ci.org/jkraemer/rack-tls_tools)
|
2
|
+
|
3
|
+
A bunch of rack middlewares to enforce secure cookies and add HSTS and HPKP
|
4
|
+
headers to your app's responses.
|
5
|
+
|
6
|
+
## Caution
|
7
|
+
|
8
|
+
By mis-using HSTS and HPKP it's very easy to lock out your clients from your
|
9
|
+
site.
|
10
|
+
|
11
|
+
Please make sure you understand what they do and how they work before trying
|
12
|
+
this out on a production site. While experimenting it might be a good idea to
|
13
|
+
use short `max_age` values so any effects of a possible mis-configuration don't
|
14
|
+
last until next year.
|
15
|
+
|
16
|
+
## Installation
|
17
|
+
|
18
|
+
Add this line to your application's Gemfile:
|
19
|
+
|
20
|
+
```ruby
|
21
|
+
gem 'rack-tls_tools'
|
22
|
+
```
|
23
|
+
|
24
|
+
And then execute:
|
25
|
+
|
26
|
+
$ bundle
|
27
|
+
|
28
|
+
Or install it yourself as:
|
29
|
+
|
30
|
+
$ gem install rack-tls_tools
|
31
|
+
|
32
|
+
|
33
|
+
## Usage
|
34
|
+
|
35
|
+
### SecureCookies
|
36
|
+
|
37
|
+
To mark any cookie you set over HTTPS as *secure*, just add
|
38
|
+
`Rack::TlsTools::SecureCookies` to your middleware stack. For Rails that means
|
39
|
+
adding
|
40
|
+
|
41
|
+
```ruby
|
42
|
+
config.middleware.use Rack::TlsTools::SecureCookies
|
43
|
+
```
|
44
|
+
|
45
|
+
to your `config/application.rb`.
|
46
|
+
|
47
|
+
|
48
|
+
### HSTS
|
49
|
+
|
50
|
+
HTTP Strict Transport Security is a security feature that lets your web site
|
51
|
+
tell browsers that it should only be communicated with using HTTPS.
|
52
|
+
|
53
|
+
Basically it's a simple HTTP header sent by the server, indicating that the
|
54
|
+
current site must only be accessed over HTTPS.
|
55
|
+
|
56
|
+
- [Mozilla Developer Network](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)
|
57
|
+
- [RFC 6797](https://tools.ietf.org/html/rfc6797)
|
58
|
+
|
59
|
+
```ruby
|
60
|
+
config.middleware.use Rack::TlsTools::Hsts, max_age: 1.year, subdomains: false
|
61
|
+
```
|
62
|
+
|
63
|
+
### HPKP
|
64
|
+
|
65
|
+
HPKP aka Public Key Pinning is used to tell clients to associate a specific
|
66
|
+
cryptographic public key with your site. The goal is to prevent MITM attacks
|
67
|
+
with forged certificates in the future.
|
68
|
+
|
69
|
+
- [Mozilla Developer Network](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning)
|
70
|
+
- [RFC7469](https://tools.ietf.org/html/rfc7469)
|
71
|
+
|
72
|
+
In order to add HPKP headers to your site you have to specify a set of
|
73
|
+
configurations, each consisting of a number of host names (which are all
|
74
|
+
using the same SSL certificates) and a number of hashes identifying these
|
75
|
+
certificates. So if your app serves different domains using different SSL
|
76
|
+
certificates, use a separate hash in the `hosts` array for each of them.
|
77
|
+
|
78
|
+
```ruby
|
79
|
+
config.middleware.use Rack::TlsTools::Hpkp, {
|
80
|
+
max_age: 3.months,
|
81
|
+
subdomains: false,
|
82
|
+
hosts: [
|
83
|
+
{
|
84
|
+
names: %w(test.com www.test.com),
|
85
|
+
sha256: %w(TjqopKw/ZnhQVuSJcigTYFZzyzcV4meL4ukoThbkr0E= IXx7fkhrahUAGPqxiGyXvQ0aACvZiT0GqELG5X+Irlc=),
|
86
|
+
report_uri: 'https://hpkp-reports.test.com/',
|
87
|
+
},
|
88
|
+
{
|
89
|
+
names: %w(example.com),
|
90
|
+
sha256: %w(cw67ZLBJG8VBdPwhnpAWV9hn65+ETjdJ80N7QaKPq4Q= /OO9h4ETSyxhCj11N+52iPXCkZY1hoWSye9Xb3AkbZ0=),
|
91
|
+
subdomains: true,
|
92
|
+
max_age: 30000,
|
93
|
+
},
|
94
|
+
]
|
95
|
+
}
|
96
|
+
```
|
97
|
+
|
98
|
+
The top level `max_age` and `subdomains` values serve as defaults which can be
|
99
|
+
overridden in each of the `hosts` hashes. If omitted these default to the
|
100
|
+
values shown above. `report_uri` is optional, if set, browsers should `POST`
|
101
|
+
some useful information there once they detect a certificate mismatch according
|
102
|
+
to the [RFC](https://tools.ietf.org/html/rfc7469).
|
103
|
+
|
104
|
+
**Always** add at least two hashes for each domain - one for the current key, and
|
105
|
+
one for a backup key you will be using in case the current one is lost,
|
106
|
+
compromised or simply expires.
|
107
|
+
|
108
|
+
#### Generating the relevant hashes
|
109
|
+
|
110
|
+
You can generate these hashes from your private key, your server certificate
|
111
|
+
and even the Certificate Signing Request ([Source](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning)):
|
112
|
+
|
113
|
+
openssl rsa -in my-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
|
114
|
+
openssl req -in my-signing-request.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
|
115
|
+
openssl x509 -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
|
116
|
+
|
117
|
+
|
118
|
+
|
119
|
+
## Development
|
120
|
+
|
121
|
+
After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/console` for an interactive prompt that will allow you to experiment.
|
122
|
+
|
123
|
+
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
124
|
+
|
125
|
+
## Contributing
|
126
|
+
|
127
|
+
1. Fork it ( https://github.com/jkraemer/rack-tls_tools/fork )
|
128
|
+
2. Create your feature branch (`git checkout -b my-new-feature`)
|
129
|
+
3. Commit your changes (`git commit -am 'Add some feature'`)
|
130
|
+
4. Push to the branch (`git push origin my-new-feature`)
|
131
|
+
5. Create a new Pull Request
|
132
|
+
|
data/Rakefile
ADDED
data/bin/console
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require "bundler/setup"
|
4
|
+
require "rack/tls_tools"
|
5
|
+
|
6
|
+
# You can add fixtures and/or initialization code here to make experimenting
|
7
|
+
# with your gem easier. You can also use a different console, if you like.
|
8
|
+
|
9
|
+
# (If you use this, don't forget to add pry to your Gemfile!)
|
10
|
+
# require "pry"
|
11
|
+
# Pry.start
|
12
|
+
|
13
|
+
require "irb"
|
14
|
+
IRB.start
|
data/bin/setup
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
require 'rack/tls_tools'
|
@@ -0,0 +1,55 @@
|
|
1
|
+
module Rack
|
2
|
+
module TlsTools
|
3
|
+
|
4
|
+
# https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
|
5
|
+
class Hpkp
|
6
|
+
|
7
|
+
# three months
|
8
|
+
DEFAULT_MAX_AGE = 3600 * 24 * 60
|
9
|
+
|
10
|
+
def initialize(app, options = {})
|
11
|
+
@app = app
|
12
|
+
@options = {
|
13
|
+
enable: true,
|
14
|
+
max_age: DEFAULT_MAX_AGE,
|
15
|
+
subdomains: false,
|
16
|
+
hosts: [],
|
17
|
+
}.merge(options)
|
18
|
+
@config_by_hostname = flatten_host_config @options[:hosts]
|
19
|
+
end
|
20
|
+
|
21
|
+
def call(env)
|
22
|
+
@app.call(env).tap do |response|
|
23
|
+
@request = Rack::Request.new env
|
24
|
+
if @request.ssl? and config = @config_by_hostname[@request.host] and config[:enable]
|
25
|
+
add_hpkp_header! response[1], config
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
private
|
31
|
+
|
32
|
+
def add_hpkp_header!(headers, config)
|
33
|
+
val = config[:sha256].map{|h|%{pin-sha256="#{h}"}}.join('; ')
|
34
|
+
val << %{; max-age=#{config[:max_age]}} if config[:max_age]
|
35
|
+
val << %{; includeSubDomains} if config[:subdomains]
|
36
|
+
val << %{; report-uri="#{config[:report_uri]}"} if config[:report_uri]
|
37
|
+
headers['Public-Key-Pins'] = val
|
38
|
+
end
|
39
|
+
|
40
|
+
def flatten_host_config(hosts)
|
41
|
+
{}.tap do |config_by_hostname|
|
42
|
+
hosts.each do |host_config|
|
43
|
+
host_config[:names].each do |hostname|
|
44
|
+
cfg = @options.merge host_config
|
45
|
+
cfg.delete :names
|
46
|
+
cfg.delete :hosts
|
47
|
+
config_by_hostname[hostname] = cfg
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
@@ -0,0 +1,38 @@
|
|
1
|
+
module Rack
|
2
|
+
module TlsTools
|
3
|
+
|
4
|
+
# http://en.wikipedia.org/wiki/Strict_Transport_Security
|
5
|
+
class Hsts
|
6
|
+
|
7
|
+
# a year
|
8
|
+
DEFAULT_MAX_AGE = 3600 * 24 * 365
|
9
|
+
|
10
|
+
def initialize(app, options = {})
|
11
|
+
@app = app
|
12
|
+
@options = {
|
13
|
+
enable: true,
|
14
|
+
max_age: DEFAULT_MAX_AGE,
|
15
|
+
subdomains: false,
|
16
|
+
}.merge(options)
|
17
|
+
end
|
18
|
+
|
19
|
+
def call(env)
|
20
|
+
@app.call(env).tap do |response|
|
21
|
+
@request = Rack::Request.new env
|
22
|
+
if @request.ssl? && @options[:enable]
|
23
|
+
add_hsts_header! response[1]
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
private
|
29
|
+
|
30
|
+
def add_hsts_header!(headers)
|
31
|
+
val = "max-age=#{@options[:max_age]}"
|
32
|
+
val += "; includeSubDomains" if @options[:subdomains]
|
33
|
+
headers['Strict-Transport-Security'] = val
|
34
|
+
end
|
35
|
+
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
@@ -0,0 +1,34 @@
|
|
1
|
+
module Rack
|
2
|
+
module TlsTools
|
3
|
+
|
4
|
+
class SecureCookies
|
5
|
+
|
6
|
+
def initialize(app, *args)
|
7
|
+
@app = app
|
8
|
+
end
|
9
|
+
|
10
|
+
def call(env)
|
11
|
+
@app.call(env).tap do |response|
|
12
|
+
@request = Rack::Request.new env
|
13
|
+
if @request.ssl?
|
14
|
+
secure_cookies! response[1]
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
private
|
20
|
+
|
21
|
+
def secure_cookies!(headers)
|
22
|
+
if cookies = headers['Set-Cookie']
|
23
|
+
headers['Set-Cookie'] = cookies.split("\n").map do |cookie|
|
24
|
+
cookie =~ /(^|;\s*)secure($|\s*;)/ ? cookie : cookie + '; secure'
|
25
|
+
end.join("\n")
|
26
|
+
end
|
27
|
+
end
|
28
|
+
|
29
|
+
end
|
30
|
+
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
|
@@ -0,0 +1,24 @@
|
|
1
|
+
# coding: utf-8
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
4
|
+
require 'rack/tls_tools/version'
|
5
|
+
|
6
|
+
Gem::Specification.new do |spec|
|
7
|
+
spec.name = "rack-tls_tools"
|
8
|
+
spec.version = Rack::TlsTools::VERSION
|
9
|
+
spec.authors = ["Jens Kraemer"]
|
10
|
+
spec.email = ["jk@jkraemer.net"]
|
11
|
+
|
12
|
+
spec.summary = %q{Secure cookies, HSTS and HPKP for any Rack app}
|
13
|
+
spec.description = %q{A bunch of rack middlewares to enforce secure cookies and add HSTS (Strict Transport Security) and HPKP (Public Key Pinning) headers to your Rack application.}
|
14
|
+
spec.homepage = "https://github.com/jkraemer/rack-tls_tools"
|
15
|
+
|
16
|
+
spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
17
|
+
spec.bindir = "exe"
|
18
|
+
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
19
|
+
spec.require_paths = ["lib"]
|
20
|
+
|
21
|
+
spec.add_dependency 'rack', '>= 1.4.0'
|
22
|
+
spec.add_development_dependency "bundler", ">= 1.7"
|
23
|
+
spec.add_development_dependency "rake", "~> 10.0"
|
24
|
+
end
|
metadata
ADDED
@@ -0,0 +1,101 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: rack-tls_tools
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.1.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Jens Kraemer
|
8
|
+
autorequire:
|
9
|
+
bindir: exe
|
10
|
+
cert_chain: []
|
11
|
+
date: 2015-05-18 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: rack
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - ">="
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: 1.4.0
|
20
|
+
type: :runtime
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - ">="
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: 1.4.0
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: bundler
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - ">="
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '1.7'
|
34
|
+
type: :development
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - ">="
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '1.7'
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: rake
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - "~>"
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: '10.0'
|
48
|
+
type: :development
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - "~>"
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '10.0'
|
55
|
+
description: A bunch of rack middlewares to enforce secure cookies and add HSTS (Strict
|
56
|
+
Transport Security) and HPKP (Public Key Pinning) headers to your Rack application.
|
57
|
+
email:
|
58
|
+
- jk@jkraemer.net
|
59
|
+
executables: []
|
60
|
+
extensions: []
|
61
|
+
extra_rdoc_files: []
|
62
|
+
files:
|
63
|
+
- ".gitignore"
|
64
|
+
- ".travis.yml"
|
65
|
+
- Gemfile
|
66
|
+
- LICENSE.txt
|
67
|
+
- README.md
|
68
|
+
- Rakefile
|
69
|
+
- bin/console
|
70
|
+
- bin/setup
|
71
|
+
- lib/rack-tls_tools.rb
|
72
|
+
- lib/rack/tls_tools.rb
|
73
|
+
- lib/rack/tls_tools/hpkp.rb
|
74
|
+
- lib/rack/tls_tools/hsts.rb
|
75
|
+
- lib/rack/tls_tools/secure_cookies.rb
|
76
|
+
- lib/rack/tls_tools/version.rb
|
77
|
+
- rack-tls_tools.gemspec
|
78
|
+
homepage: https://github.com/jkraemer/rack-tls_tools
|
79
|
+
licenses: []
|
80
|
+
metadata: {}
|
81
|
+
post_install_message:
|
82
|
+
rdoc_options: []
|
83
|
+
require_paths:
|
84
|
+
- lib
|
85
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
86
|
+
requirements:
|
87
|
+
- - ">="
|
88
|
+
- !ruby/object:Gem::Version
|
89
|
+
version: '0'
|
90
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
91
|
+
requirements:
|
92
|
+
- - ">="
|
93
|
+
- !ruby/object:Gem::Version
|
94
|
+
version: '0'
|
95
|
+
requirements: []
|
96
|
+
rubyforge_project:
|
97
|
+
rubygems_version: 2.4.5
|
98
|
+
signing_key:
|
99
|
+
specification_version: 4
|
100
|
+
summary: Secure cookies, HSTS and HPKP for any Rack app
|
101
|
+
test_files: []
|