thruster 0.1.15-x86_64-linux → 0.1.17-x86_64-linux

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +15 -1
  3. data/exe/x86_64-linux/thrust +0 -0
  4. data/lib/thruster/version.rb +1 -1
  5. metadata +1 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b8115358c44e83a5f3d4e280527a29e8d1f6c5ef68ad1f9395a57fd0abb187a6
4
- data.tar.gz: db26b38820461c4887ff0be8e677a98dc5a03acb11db64e24aa9af5fdd5f8fae
3
+ metadata.gz: cf929deb0e30661b67deb563d3ee428f99c01937714786af65ee04bd80ed8915
4
+ data.tar.gz: 6b87b3631374eef4f88ae8013b227b3935897e4844d6ba89c7e756a2e4c4fe6b
5
5
  SHA512:
6
- metadata.gz: 559558a609764873691dcf63b5c402417f34249350bb7fb6cb2e17c41800fae612dea4d9efcf07688f44edc378618eeb76268a8c4ceb79706e7c12ee48358239
7
- data.tar.gz: ce0aa7692e6273df3ff83bf8b710a90078ba34d8077d2537cad1b298c7a8b054cbdf0e2f8c16875fb6d5708ae5e486dc541740aeb9f1b193b68d6b6985c52ee8
6
+ metadata.gz: 63b053e3c464ac5aa0e030cd585c18c2b764b78f2cea0556e98a2cedb0313007c09114ee665587816e9b23a86de066f9de3b94730afbccb1dba6873d0ff50b13
7
+ data.tar.gz: 5d43f85e2c91717b54b74d8beb369a9b40ee344e6368b1cd2a4fce146717ca7e73c7d52fb89544e9670263dec3cebee3ebc20a306ceb8af2b0a3b17a1bbd706d
data/README.md CHANGED
@@ -78,7 +78,9 @@ environment variables that you can set.
78
78
  | `TARGET_PORT` | The port that your Puma server should run on. Thruster will set `PORT` to this value when starting your server. | 3000 |
79
79
  | `CACHE_SIZE` | The size of the HTTP cache in bytes. | 64MB |
80
80
  | `MAX_CACHE_ITEM_SIZE` | The maximum size of a single item in the HTTP cache in bytes. | 1MB |
81
- | `GZIP_COMPRESSION_ENABLED` | Whether to enable gzip compression for static assets. Set to `0` or `false` to disable. | Enabled |
81
+ | `GZIP_COMPRESSION_ENABLED` | Whether to enable gzip compression for responses. Set to `0` or `false` to disable. | Enabled |
82
+ | `GZIP_COMPRESSION_DISABLE_ON_AUTH` | If set to `true`, disable gzip compression for authenticated requests with `Cookie`, `Authorization`, or `X-Csrf-Token` headers. | `false` |
83
+ | `GZIP_COMPRESSION_JITTER` | The amount of random jitter (in bytes) to add to the compressed response size to mitigate BREACH attacks. Set to `0` to disable. | 32 |
82
84
  | `X_SENDFILE_ENABLED` | Whether to enable X-Sendfile support. Set to `0` or `false` to disable. | Enabled |
83
85
  | `MAX_REQUEST_BODY` | The maximum size of a request body in bytes. Requests larger than this size will be refused; `0` means no maximum size is enforced. | `0` |
84
86
  | `STORAGE_PATH` | The path to store Thruster's internal state. Provisioned TLS certificates will be stored here, so that they will not need to be requested every time your application is started. | `./storage/thruster` |
@@ -88,6 +90,7 @@ environment variables that you can set.
88
90
  | `HTTP_IDLE_TIMEOUT` | The maximum time in seconds that a client can be idle before the connection is closed. | 60 |
89
91
  | `HTTP_READ_TIMEOUT` | The maximum time in seconds that a client can take to send the request headers and body. | 30 |
90
92
  | `HTTP_WRITE_TIMEOUT` | The maximum time in seconds during which the client must read the response. | 30 |
93
+ | `H2C_ENABLED` | Set to `1` or `true` to enable h2c (http/2 cleartext) | Disabled |
91
94
  | `ACME_DIRECTORY` | The URL of the ACME directory to use for TLS certificate provisioning. | `https://acme-v02.api.letsencrypt.org/directory` (Let's Encrypt production) |
92
95
  | `EAB_KID` | The EAB key identifier to use when provisioning TLS certificates, if required. | None |
93
96
  | `EAB_HMAC_KEY` | The Base64-encoded EAB HMAC key to use when provisioning TLS certificates, if required. | None |
@@ -99,3 +102,14 @@ To prevent naming clashes with your application's own environment variables,
99
102
  Thruster's environment variables can optionally be prefixed with `THRUSTER_`.
100
103
  For example, `TLS_DOMAIN` can also be written as `THRUSTER_TLS_DOMAIN`. Whenever
101
104
  a prefixed variable is set, it will take precedence over the unprefixed version.
105
+
106
+ ## Security
107
+
108
+ ### BREACH Mitigation
109
+
110
+ Thruster includes built-in mitigation for the [BREACH attack](https://breachattack.com/), which allows attackers to extract secrets from compressed encrypted traffic.
111
+
112
+ 1. **Random Jitter (Enabled by Default)**: Thruster adds a random amount of "jitter" (padding) to the size of compressed responses. This makes it significantly harder for attackers to infer the content based on the compressed size. The default jitter is 32 bytes, controlled by `GZIP_COMPRESSION_JITTER`.
113
+ 2. **Compression Guard (Optional)**: For higher security, you can disable compression entirely for authenticated requests (requests containing `Cookie`, `Authorization`, or `X-Csrf-Token` headers) by setting `GZIP_COMPRESSION_DISABLE_ON_AUTH=true`. This eliminates the side-channel entirely for sensitive traffic but may increase bandwidth usage.
114
+
115
+ By default, Thruster prioritizes performance while providing baseline protection via jitter. Operators with strict security requirements should consider enabling the Compression Guard.
data/exe/x86_64-linux/thrust CHANGED
Binary file
data/lib/thruster/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module Thruster
2
- VERSION = "0.1.15"
2
+ VERSION = "0.1.17"
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: thruster
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.15
4
+ version: 0.1.17
5
5
  platform: x86_64-linux
6
6
  authors:
7
7
  - Kevin McConnell