Index: www/h2o/Makefile
===================================================================
--- www/h2o/Makefile
+++ www/h2o/Makefile
@@ -4,12 +4,14 @@
 PORTNAME= h2o
 DISTVERSIONPREFIX= v
 DISTVERSION= 2.2.3
+PORTREVISION= 1
 CATEGORIES= www
-MAINTAINER= dch@skunkwerks.at
+MAINTAINER= dch@FreeBSD.org
 COMMENT= Optimized HTTP/2 server including support for TLS 1.3 and HTTP/1.x
-LICENSE= MIT
+LICENSE= MIT BSD2CLAUSE
+LICENSE_COMB= multi
 USES= cmake:noninja compiler:c11 cpe perl5 shebangfix ssl
 CPE_VENDOR= h2o_project
Index: www/h2o/files/h2o.conf.sample
===================================================================
--- www/h2o/files/h2o.conf.sample
+++ www/h2o/files/h2o.conf.sample
@@ -4,29 +4,89 @@
 user: www
 pid-file: /var/run/h2o.pid
 access-log: /var/log/h2o/h2o-access.log
-error-log: /var/log/h2o/h2o-error.log
+# send errors to syslog
+error-log: "| logger -i -p daemon.err -t h2o"
 listen: 80
 listen:
- port: 443
- ssl:
- minimum-version: TLSv1.2
- # generate your own certificates
- certificate-file: /usr/local/etc/h2o/server.crt
- key-file: /usr/local/etc/h2o/server.key
-# enable Apache-style directory listings
-# file.dirlisting: on
-# per-host configuration
+ # gets A on https://www.ssllabs.com/ssltest as of 2017-11-01
+ port: 443
+ ssl:
+ minimum-version: TLSv1.2
+ # generate your own certificates
+ certificate-file: /usr/local/etc/h2o/server.crt
+ key-file: /usr/local/etc/h2o/server.key
+ cipher-preference: server
+ cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+http1-request-timeout: 10
+http2-idle-timeout: 10
+limit-request-body: 10485760 # 10MiB
+max-connections: 1024
+
+file.mime.addtypes:
+ image/svg+xml: .svg
+ text/plain: .log
+ text/css: .css
+ application/atom+xml: .xml
+ application/zip: .zip
+ application/json: .json
+ "text/html; charset=utf-8": .html
+
+# host headers, global
+header.add: "x-frame-options: deny"
+header.add: "X-XSS-Protection: 1; mode=block"
+header.add: "X-Content-Type-Options: nosniff"
+header.add: "X-UA-Compatible: IE=Edge"
+# 6 months HSTS pinning
+header.add: "Strict-Transport-Security: max-age=16000000"
+header.add: "Cache-Control: no-transform"
+
+# per-host configurations
 hosts:
- my.example.org:
- paths:
- "/":
- file.dir: "/usr/local/www/data/my.example.org"
- pkg.example.org:
- # virtual directory layout
- paths:
- "/poudriere":
- file.dir: "/usr/local/poudriere/data/logs/bulk"
- "/FreeBSD:10:amd64":
- file.dir: "/usr/local/poudriere/data/packages/10_2_amd64-default/"
- "/FreeBSD:11:amd64":
- file.dir: "/usr/local/poudriere/data/packages/current_amd64-default/"
+ # a basic fileserver
+ www.example.org:
+ # enable Apache-style directory listings
+ file.dirlisting: on
+ file.send-gzip: on
+ paths:
+ "/":
+ file.dir: "/var/www/my.example.org"
+ # a simple permanent URL redirect
+ "/blog":
+ redirect:
+ status: 301
+ url: https://blog.example.org/
+ # a password-restricted url
+ "/admin":
+ mruby.handler: |
+ require "htpasswd.rb"
+ Htpasswd.new("/usr/local/etc/h2o/private/htpasswd", "domain")
+ file.dir: "/var/www/admin"
+ pkg.example.org:
+ # virtual directory layout to support serving FreeBSD packages built by poudriere
+ paths:
+ "/poudriere":
+ file.dir: "/usr/local/poudriere/data/logs/bulk"
+ "/FreeBSD:10:amd64":
+ file.dir: "/usr/local/poudriere/data/packages/10_amd64-default/"
+ "/FreeBSD:11:amd64":
+ file.dir: "/usr/local/poudriere/data/packages/11_amd64-default/"
+ # a simple ruby-powered embedded JSON API
+ api.example.net:
+ paths:
+ "/ok.json":
+ mruby.handler: |
+ Proc.new do |env|
+ [200, {'content-type' => 'application/json'}, ['{"status":"ok"}']]
+ end
+ # reverse proxy for websockets
+ ws.example.net:
+ paths:
+ "/":
+ proxy.websocket: ON
+ proxy.reverse.url: "http://localhost:1080/"
+ # re-usable lets encrypt ACME protocol
+ acme.example.net:
+ paths:
+ "/.well-known/acme-challenge":
+ file.dir: "/var/www/acme"
Index: www/h2o/files/patch-lib_core_token__table.h
===================================================================
--- /dev/null
+++ www/h2o/files/patch-lib_core_token__table.h
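Review bot: The Htpasswd-protected `"/admin"` path under www.example.org is served through the global `listen: 80` as well as the TLS listener, so whatever credential that handler collects (it looks like HTTP Basic auth via h2o's bundled htpasswd.rb, though the helper itself is not in this diff) can be sent in cleartext, and the HSTS header added above only protects browsers that have already visited over HTTPS. A sample that ships with the port should either drop `listen: 80` or make the plain-HTTP side a redirect-only host (h2o accepts `host:port` keys under `hosts:`, I believe), and at minimum carry a comment such as `# NOTE: this host is also reachable on port 80; redirect HTTP to HTTPS or remove the plaintext listener before relying on Basic auth`. Separately, the `cipher-suite:` list still ends in 3DES (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and in static-RSA suites with no forward secrecy; with `minimum-version: TLSv1.2` these buy nothing, and 3DES is the Sweet32 target, so trimming the list to the ECDHE/DHE AEAD and SHA-2 suites would be safer than preserving the 2017 SSL Labs grade the comment cites.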
@@ -0,0 +1,11 @@
+--- lib/core/token_table.h.orig 2017-11-16 18:55:31 UTC
++++ lib/core/token_table.h
+@@ -74,7 +74,7 @@ h2o_token_t h2o__tokens[] = {{{H2O_STRLIT(":authority"
+ {{H2O_STRLIT("strict-transport-security")}, 56, 0, 0, 0, 0, 0},
+ {{H2O_STRLIT("te")}, 0, 1, 0, 0, 1, 0},
+ {{H2O_STRLIT("transfer-encoding")}, 57, 1, 1, 1, 1, 0},
+- {{H2O_STRLIT("upgrade")}, 0, 1, 0, 1, 1, 0},
++ {{H2O_STRLIT("upgrade")}, 0, 1, 1, 1, 1, 0, 0},
+ {{H2O_STRLIT("user-agent")}, 58, 0, 0, 0, 0, 1},
+ {{H2O_STRLIT("vary")}, 59, 0, 0, 0, 0, 0},
+ {{H2O_STRLIT("via")}, 60, 0, 0, 0, 0, 0},
Index: www/h2o/files/patch-misc_tokens.pl
===================================================================
--- /dev/null
+++ www/h2o/files/patch-misc_tokens.pl
@@ -0,0 +1,11 @@
+--- misc/tokens.pl.orig 2017-11-16 18:56:46 UTC
++++ misc/tokens.pl
+@@ -223,7 +223,7 @@ __DATA__
+ 61 0 0 0 0 0 www-authenticate
+ 0 1 1 0 1 0 connection
+ 0 0 0 0 0 0 x-reproxy-url
+-0 1 0 1 1 0 upgrade
++0 1 1 1 1 0 upgrade
+ 0 1 0 0 1 0 http2-settings
+ 0 1 0 0 1 0 te
+ 0 1 1 0 0 0 keep-alive
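Review bot: The replacement initializer `{{H2O_STRLIT("upgrade")}, 0, 1, 1, 1, 1, 0, 0},` carries seven numeric fields where every neighbouring row in the hunk, and the old `upgrade` row it replaces, carries six; the trailing `, 0` is a stray that will be reported as an excess initializer (an error or a warning depending on the compiler) and does not match what the companion tokens.pl patch (`0 1 1 1 1 0 upgrade`) would regenerate. The line should read `{{H2O_STRLIT("upgrade")}, 0, 1, 1, 1, 1, 0},`. The `h2o__tokens[]` array and the `h2o_token_t` definition both lie outside the hunk, so the field count is confirmed only from the sibling rows, not from the struct.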
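Review bot: The patch file carries no comment recording why the third column of the `upgrade` row is being flipped; by analogy with the `connection` and `keep-alive` rows in the same hunk, which also have a 1 there, it looks like the flag that makes the reverse proxy strip the header from upstream responses, but a reader of the port cannot tell whether this backports an upstream h2o commit or is a local fix, nor when it can be dropped. A one-line note above the `---` header, e.g. `# drop Upgrade from proxied responses; backport of <upstream commit/issue>` with the real reference filled in, would let the next maintainer verify and retire it on the next update. The `__DATA__` table starts outside the hunk.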