RubyGems - thruster - Versions diffs - 0.1.8 → 0.1.17 - Mend

thruster 0.1.8 → 0.1.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5286aa0c2a89a9280a9673aab530638bbbbced90c3957c748112595f34953265
-  data.tar.gz: 23838c29af4438332aeedfd94139a0ad34b2be1846b17a68231d514af4b8b4fd
+  metadata.gz: 17f7c47629bdf83f9fdbf0516da851218ec63e2b0e904ec2f6ed062f157a12ac
+  data.tar.gz: 44321789f31c3e47580a2949aaf39087312f4d92ef40e090e6b7e68d55aeb100
 SHA512:
-  metadata.gz: 9686635fc5f1029fe26f32571b04c13053d2d0125060be0e2abb1c2b49fddb0037c19ec0fea2030412256006b756e88223c5c16c1770ed48a490c4f9034c9370
-  data.tar.gz: 354098f5ca579081bc039aa294a68865ee3898e8018ad2743165bd9fef624481faedb93b471d0764b7f988347f989c0f87d32735eee9277a0d64501ef4fd31d4
+  metadata.gz: 720978d3f236fcb18f9710f784a89e89f1876d21275f9b99fe2844b05821a0e7d65de1bccaf595645489e60854dd3a1def2c902d8f9a4919c2b41a549cf24ecc
+  data.tar.gz: ed002cd511d7e22ac8936cd21394350c8bc905d2d4e5e0214030639ab676fc99160b33da2d98a18342d31b57fdb5745a10b7494f40ad095f3f604707d75d2cd3

data/README.md CHANGED Viewed

@@ -73,27 +73,43 @@ configuration. But if you need to customize its behavior, there are a few
 environment variables that you can set.
 | Variable Name         | Description                                             | Default Value |
-|-----------------------|---------------------------------------------------------|---------------|
-| `TLS_DOMAIN`          | Comma-separated list of domain names to use for TLS provisioning. If not set, TLS will be disabled. | None |
-| `TARGET_PORT`         | The port that your Puma server should run on. Thruster will set `PORT` to this value when starting your server. | 3000 |
-| `CACHE_SIZE`          | The size of the HTTP cache in bytes. | 64MB |
-| `MAX_CACHE_ITEM_SIZE` | The maximum size of a single item in the HTTP cache in bytes. | 1MB |
-| `X_SENDFILE_ENABLED`  | Whether to enable X-Sendfile support. Set to `0` or `false` to disable. | Enabled |
-| `MAX_REQUEST_BODY`    | The maximum size of a request body in bytes. Requests larger than this size will be refused; `0` means no maximum size is enforced. | `0` |
-| `STORAGE_PATH`        | The path to store Thruster's internal state. Provisioned TLS certificates will be stored here, so that they will not need to be requested every time your application is started. | `./storage/thruster` |
-| `BAD_GATEWAY_PAGE`    | Path to an HTML file to serve when the backend server returns a 502 Bad Gateway error. If there is no file at the specific path, Thruster will serve an empty 502 response instead. Because Thruster boots very quickly, a custom page can be a useful way to show that your application is starting up. | `./public/502.html` |
-| `HTTP_PORT`           | The port to listen on for HTTP traffic. | 80 |
-| `HTTPS_PORT`          | The port to listen on for HTTPS traffic. | 443 |
-| `HTTP_IDLE_TIMEOUT`   | The maximum time in seconds that a client can be idle before the connection is closed. | 60 |
-| `HTTP_READ_TIMEOUT`   | The maximum time in seconds that a client can take to send the request headers and body. | 30 |
-| `HTTP_WRITE_TIMEOUT`  | The maximum time in seconds during which the client must read the response. | 30 |
-| `ACME_DIRECTORY`      | The URL of the ACME directory to use for TLS certificate provisioning. | `https://acme-v02.api.letsencrypt.org/directory` (Let's Encrypt production) |
-| `EAB_KID`             | The EAB key identifier to use when provisioning TLS certificates, if required. | None |
-| `EAB_HMAC_KEY`        | The Base64-encoded EAB HMAC key to use when provisioning TLS certificates, if required. | None |
-| `FORWARD_HEADERS`     | Whether to forward X-Forwarded-* headers from the client. | Disabled when running with TLS; enabled otherwise |
-| `DEBUG`               | Set to `1` or `true` to enable debug logging. | Disabled |
+|-----------------------------|---------------------------------------------------------|---------------|
+| `TLS_DOMAIN`                | Comma-separated list of domain names to use for TLS provisioning. If not set, TLS will be disabled. | None |
+| `TARGET_PORT`               | The port that your Puma server should run on. Thruster will set `PORT` to this value when starting your server. | 3000 |
+| `CACHE_SIZE`                | The size of the HTTP cache in bytes. | 64MB |
+| `MAX_CACHE_ITEM_SIZE`       | The maximum size of a single item in the HTTP cache in bytes. | 1MB |
+| `GZIP_COMPRESSION_ENABLED`  | Whether to enable gzip compression for responses. Set to `0` or `false` to disable. | Enabled |
+| `GZIP_COMPRESSION_DISABLE_ON_AUTH` | If set to `true`, disable gzip compression for authenticated requests with `Cookie`, `Authorization`, or `X-Csrf-Token` headers. | `false` |
+| `GZIP_COMPRESSION_JITTER`   | The amount of random jitter (in bytes) to add to the compressed response size to mitigate BREACH attacks. Set to `0` to disable. | 32 |
+| `X_SENDFILE_ENABLED`        | Whether to enable X-Sendfile support. Set to `0` or `false` to disable. | Enabled |
+| `MAX_REQUEST_BODY`          | The maximum size of a request body in bytes. Requests larger than this size will be refused; `0` means no maximum size is enforced. | `0` |
+| `STORAGE_PATH`              | The path to store Thruster's internal state. Provisioned TLS certificates will be stored here, so that they will not need to be requested every time your application is started. | `./storage/thruster` |
+| `BAD_GATEWAY_PAGE`          | Path to an HTML file to serve when the backend server returns a 502 Bad Gateway error. If there is no file at the specific path, Thruster will serve an empty 502 response instead. Because Thruster boots very quickly, a custom page can be a useful way to show that your application is starting up. | `./public/502.html` |
+| `HTTP_PORT`                 | The port to listen on for HTTP traffic. | 80 |
+| `HTTPS_PORT`                | The port to listen on for HTTPS traffic. | 443 |
+| `HTTP_IDLE_TIMEOUT`         | The maximum time in seconds that a client can be idle before the connection is closed. | 60 |
+| `HTTP_READ_TIMEOUT`         | The maximum time in seconds that a client can take to send the request headers and body. | 30 |
+| `HTTP_WRITE_TIMEOUT`        | The maximum time in seconds during which the client must read the response. | 30 |
+| `H2C_ENABLED`               | Set to `1` or `true` to enable h2c (http/2 cleartext) | Disabled |
+| `ACME_DIRECTORY`            | The URL of the ACME directory to use for TLS certificate provisioning. | `https://acme-v02.api.letsencrypt.org/directory` (Let's Encrypt production) |
+| `EAB_KID`                   | The EAB key identifier to use when provisioning TLS certificates, if required. | None |
+| `EAB_HMAC_KEY`              | The Base64-encoded EAB HMAC key to use when provisioning TLS certificates, if required. | None |
+| `FORWARD_HEADERS`           | Whether to forward X-Forwarded-* headers from the client. | Disabled when running with TLS; enabled otherwise |
+| `LOG_REQUESTS`              | Log all requests. Set to `0` or `false` to disable request logging | Enabled |
+| `DEBUG`                     | Set to `1` or `true` to enable debug logging. | Disabled |
 To prevent naming clashes with your application's own environment variables,
 Thruster's environment variables can optionally be prefixed with `THRUSTER_`.
 For example, `TLS_DOMAIN` can also be written as `THRUSTER_TLS_DOMAIN`. Whenever
 a prefixed variable is set, it will take precedence over the unprefixed version.
+## Security
+### BREACH Mitigation
+Thruster includes built-in mitigation for the [BREACH attack](https://breachattack.com/), which allows attackers to extract secrets from compressed encrypted traffic.
+1.  **Random Jitter (Enabled by Default)**: Thruster adds a random amount of "jitter" (padding) to the size of compressed responses. This makes it significantly harder for attackers to infer the content based on the compressed size. The default jitter is 32 bytes, controlled by `GZIP_COMPRESSION_JITTER`.
+2.  **Compression Guard (Optional)**: For higher security, you can disable compression entirely for authenticated requests (requests containing `Cookie`, `Authorization`, or `X-Csrf-Token` headers) by setting `GZIP_COMPRESSION_DISABLE_ON_AUTH=true`. This eliminates the side-channel entirely for sensitive traffic but may increase bandwidth usage.
+By default, Thruster prioritizes performance while providing baseline protection via jitter. Operators with strict security requirements should consider enabling the Compression Guard.

data/lib/thruster/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Thruster
-  VERSION = "0.1.8"
+  VERSION = "0.1.17"
 end

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: thruster
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.1.17
 platform: ruby
 authors:
 - Kevin McConnell
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-08-06 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies: []
 description: A zero-config HTTP/2 proxy for lightweight production deployments
 email: kevin@37signals.com
@@ -28,7 +27,6 @@ licenses:
 metadata:
   homepage_uri: https://github.com/basecamp/thruster
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -43,8 +41,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Zero-config HTTP/2 proxy
 test_files: []