thruster-dilolabs 0.1.19

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6ac259b7de0372f6568f28d90fac147559ce1a74dc1850d2d14820ef133a1f2a
+  data.tar.gz: 67d746bc119be929084e1db7afe2c9c9cecb97dbdcc9ef6b19a3286ae12cfce5
+SHA512:
+  metadata.gz: 37d73bce0539d9330e7ba57d12e639dc5593d25196a9bf210a72789ad983f81163d5982dfdb0eb06c2b11b4154d2d857ccc417b0bb34d382e0d35f4cfedd9045
+  data.tar.gz: 1fc249999a2baf44185645c8b7a029091891e9e194d1027ed4b7d9a5669df0eeacc851995cb0f45881cee2c98bd62a3e49069ded49e46e10e596fa1ab5901b35

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 37signals, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,115 @@
+# Thruster
+
+Thruster is an HTTP/2 proxy for simple production-ready deployments of Rails
+applications. It runs alongside the Puma webserver to provide a few additional
+features that help your app run efficiently and safely on the open Internet:
+
+- HTTP/2 support
+- Automatic TLS certificate management with Let's Encrypt
+- Basic HTTP caching of public assets
+- X-Sendfile support and compression, to efficiently serve static files
+
+Thruster aims to be as zero-config as possible. It has no configuration file,
+and most features are automatically enabled with sensible defaults. The goal is
+that simply running your Puma server with Thruster should be enough to get a
+production-ready setup.
+
+The only exception to this is TLS provisioning: in order for Thruster to
+provision TLS certificates, it needs to know which domain those certificates
+should be for. So to use TLS, you need to set the `TLS_DOMAIN` environment
+variable. If you don't set this variable, Thruster will run in HTTP-only mode.
+
+Thruster also wraps the Puma process so that you can use it without managing
+multiple processes yourself. This is particularly useful when running in a
+containerized environment, where you typically won't have a process manager
+available to coordinate the processes. Instead you can use Thruster as your
+`CMD`, and it will manage Puma for you.
+
+Thruster was originally created for the [ONCE](https://once.com) project, where
+we wanted a no-fuss way to serve a Rails application from a single container,
+directly on the open Internet. We've since found it useful for simple
+deployments of other Rails applications.
+
+
+## Installation
+
+Thruster is distributed as a Ruby gem. Because Thruster is written in Go, we
+provide several pre-built platform-specific binaries. Installing the gem will
+automatically fetch the appropriate binary for your platform.
+
+To install it, add it to your application's Gemfile:
+
+```ruby
+gem 'thruster'
+```
+
+Or install it globally:
+
+```sh
+$ gem install thruster
+```
+
+
+## Usage
+
+To run your Puma application inside Thruster, prefix your usual command string
+with `thrust`. For example:
+
+```sh
+$ thrust bin/rails server
+```
+
+Or with automatic TLS:
+
+```sh
+$ TLS_DOMAIN=myapp.example.com thrust bin/rails server
+```
+
+
+## Custom configuration
+
+In most cases, Thruster should work out of the box with no additional
+configuration. But if you need to customize its behavior, there are a few
+environment variables that you can set.
+
+| Variable Name         | Description                                             | Default Value |
+|-----------------------------|---------------------------------------------------------|---------------|
+| `TLS_DOMAIN`                | Comma-separated list of domain names to use for TLS provisioning. If not set, TLS will be disabled. | None |
+| `TARGET_PORT`               | The port that your Puma server should run on. Thruster will set `PORT` to this value when starting your server. | 3000 |
+| `CACHE_SIZE`                | The size of the HTTP cache in bytes. | 64MB |
+| `MAX_CACHE_ITEM_SIZE`       | The maximum size of a single item in the HTTP cache in bytes. | 1MB |
+| `GZIP_COMPRESSION_ENABLED`  | Whether to enable gzip compression for responses. Set to `0` or `false` to disable. | Enabled |
+| `GZIP_COMPRESSION_DISABLE_ON_AUTH` | If set to `true`, disable gzip compression for authenticated requests with `Cookie`, `Authorization`, or `X-Csrf-Token` headers. | `false` |
+| `GZIP_COMPRESSION_JITTER`   | The amount of random jitter (in bytes) to add to the compressed response size to mitigate BREACH attacks. Set to `0` to disable. | 32 |
+| `X_SENDFILE_ENABLED`        | Whether to enable X-Sendfile support. Set to `0` or `false` to disable. | Enabled |
+| `MAX_REQUEST_BODY`          | The maximum size of a request body in bytes. Requests larger than this size will be refused; `0` means no maximum size is enforced. | `0` |
+| `STORAGE_PATH`              | The path to store Thruster's internal state. Provisioned TLS certificates will be stored here, so that they will not need to be requested every time your application is started. | `./storage/thruster` |
+| `BAD_GATEWAY_PAGE`          | Path to an HTML file to serve when the backend server returns a 502 Bad Gateway error. If there is no file at the specific path, Thruster will serve an empty 502 response instead. Because Thruster boots very quickly, a custom page can be a useful way to show that your application is starting up. | `./public/502.html` |
+| `HTTP_PORT`                 | The port to listen on for HTTP traffic. | 80 |
+| `HTTPS_PORT`                | The port to listen on for HTTPS traffic. | 443 |
+| `HTTP_IDLE_TIMEOUT`         | The maximum time in seconds that a client can be idle before the connection is closed. | 60 |
+| `HTTP_READ_TIMEOUT`         | The maximum time in seconds that a client can take to send the request headers and body. | 30 |
+| `HTTP_WRITE_TIMEOUT`        | The maximum time in seconds during which the client must read the response. | 30 |
+| `H2C_ENABLED`               | Set to `1` or `true` to enable h2c (http/2 cleartext) | Disabled |
+| `ACME_DIRECTORY`            | The URL of the ACME directory to use for TLS certificate provisioning. | `https://acme-v02.api.letsencrypt.org/directory` (Let's Encrypt production) |
+| `EAB_KID`                   | The EAB key identifier to use when provisioning TLS certificates, if required. | None |
+| `EAB_HMAC_KEY`              | The Base64-encoded EAB HMAC key to use when provisioning TLS certificates, if required. | None |
+| `FORWARD_HEADERS`           | Whether to forward X-Forwarded-* headers from the client. | Disabled when running with TLS; enabled otherwise |
+| `LOG_REQUESTS`              | Log all requests. Set to `0` or `false` to disable request logging | Enabled |
+| `DEBUG`                     | Set to `1` or `true` to enable debug logging. | Disabled |
+
+To prevent naming clashes with your application's own environment variables,
+Thruster's environment variables can optionally be prefixed with `THRUSTER_`.
+For example, `TLS_DOMAIN` can also be written as `THRUSTER_TLS_DOMAIN`. Whenever
+a prefixed variable is set, it will take precedence over the unprefixed version.
+
+## Security
+
+### BREACH Mitigation
+
+Thruster includes built-in mitigation for the [BREACH attack](https://breachattack.com/), which allows attackers to extract secrets from compressed encrypted traffic.
+
+1.  **Random Jitter (Enabled by Default)**: Thruster adds a random amount of "jitter" (padding) to the size of compressed responses. This makes it significantly harder for attackers to infer the content based on the compressed size. The default jitter is 32 bytes, controlled by `GZIP_COMPRESSION_JITTER`.
+2.  **Compression Guard (Optional)**: For higher security, you can disable compression entirely for authenticated requests (requests containing `Cookie`, `Authorization`, or `X-Csrf-Token` headers) by setting `GZIP_COMPRESSION_DISABLE_ON_AUTH=true`. This eliminates the side-channel entirely for sensitive traffic but may increase bandwidth usage.
+
+By default, Thruster prioritizes performance while providing baseline protection via jitter. Operators with strict security requirements should consider enabling the Compression Guard.

data/exe/thrust

@@ -0,0 +1,11 @@
+#! /usr/bin/env ruby
+
+PLATFORM = [ :cpu, :os ].map { |m| Gem::Platform.local.send(m) }.join("-")
+EXECUTABLE = File.expand_path(File.join(__dir__, PLATFORM, "thrust"))
+
+if File.exist?(EXECUTABLE)
+  exec(EXECUTABLE, *ARGV)
+else
+  STDERR.puts("ERROR: Unsupported platform: #{PLATFORM}")
+  exit 1
+end

data/lib/thruster/version.rb

@@ -0,0 +1,3 @@
+module Thruster
+  VERSION = "0.1.19"
+end

data/lib/thruster.rb

@@ -0,0 +1,4 @@
+module Thruster
+end
+
+require_relative "thruster/version"

metadata

@@ -0,0 +1,48 @@
+--- !ruby/object:Gem::Specification
+name: thruster-dilolabs
+version: !ruby/object:Gem::Version
+  version: 0.1.19
+platform: ruby
+authors:
+- Kevin McConnell
+- Cyril Blaecke
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies: []
+description: A zero-config HTTP/2 proxy for lightweight production deployments
+email: cyril@dilolabs.fr
+executables:
+- thrust
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- exe/thrust
+- lib/thruster.rb
+- lib/thruster/version.rb
+homepage: https://github.com/dilolabs/thruster
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/dilolabs/thruster
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.6
+specification_version: 4
+summary: Zero-config HTTP/2 proxy
+test_files: []