Solderpunk b8276dd23f Don't do HTTPS redirects for requests associated with Let's Encrypt certificate renewals. 1 month ago
LICENSE Import prototype. 2 months ago Fix Markdown errors in README (escape HTML tags) 2 months ago
config.go Import prototype. 2 months ago
htmlinspect.go Import prototype. 2 months ago
httphandlers.go Don't do HTTPS redirects for requests associated with Let's Encrypt certificate renewals. 1 month ago
main.go Don't do HTTPS redirects for requests associated with Let's Encrypt certificate renewals. 1 month ago


Shizaru is a minimalistic web server whose guiding principle is "serve no evil". Precisely what counts as "evil" can be configured by the user, so perhaps Shizaru is best explained as a webserver for imposing strong opinions. Said opinions can be imposed in many ways, for example by defining maximum file sizes, or by setting whitelists or blacklists for things like permitted MIME types (as inferred from file extension), permitted HTML tags, domains which are permitted to be linked to, etc.

Have no opinions of your own to impose? Fear not! Shizaru has lovely default settings which attempt to promote a fast, safe, clean, simple, respectful web. The website obesity crisis is combatted with strict file size limits, to ensure that your website does not end up larger than the major works of Russian literature. Besides being limited to 32 KiB in size, HTML pages are limited to 3 images and HTML tags cannot be nested more than 10 levels deep. This encourages uncluttered and quickly rendering layouts. <audio>, <applet>, <canvas>, <embed>, <iframe>, <script> and <video> tags are prohibited (among others). In other words, your web pages will need to be actual documents, not applications, which means they have some hope of being usable on older machines or without massively bloated browsers. Third-party images, stylesheets and fonts are not allowed, so your users can rest assured that they aren't being tracked indirectly.

This default configuration of Shizaru is not supposed to be a "retro server". Shizaru supports HTTPS (in fact, the only thing it will serve over HTTP is a redirct to HTTPS) and HTTP/2, and the default ruleset allows the use of many tags introduced in HTML5. The goal is not to remove the new and keep only the old, but to remove the evil and keep only the good. Old and good may be correlated when it comes to the web, but there are exceptions. The Shizaru defaults disallow <blink> and <marquee>, for example.

Running as non-root

Shizaru is written in Go, a modern compiled language with built in memory management and excellent concurrency support. Go is so wonderfully modern that it does not support simple, well-understood, tried-and-true server security features like using setuid to drop root privileges after binding to low-valued ports like 80 and 443. So how do you actually run the darn thing not as root?

If you want to run Shizaru on Linux, you can use Linux's "capabilities" system to assign a particular compiled binary the power to bind to priveleged ports without being root. See here for an example.

What if you're running on *BSD? As far as I know, no BSD system supports something equivalent to the Linux solution above. But, the pf firewall system (created by OpenBSD but now also available on FreeBSD and NetBSD) features a handy-dandy traffic redirection functoinality which you should be able to use to have e.g. incoming connections on ports 80 and 443 sent to an unpriveleged Shizaru process listening on ports 8080 and 4433. I haven't as yet testing this, though.


Shizaru doesn't yet daemonise itself, so you'll have to rely on an external tool, like this one.