|Solderpunk b8276dd23f Don't do HTTPS redirects for requests associated with Let's Encrypt certificate renewals.||1 month ago|
|LICENSE||2 months ago|
|README.md||2 months ago|
|config.go||2 months ago|
|htmlinspect.go||2 months ago|
|httphandlers.go||1 month ago|
|main.go||1 month ago|
Shizaru is a minimalistic web server whose guiding principle is "serve no evil". Precisely what counts as "evil" can be configured by the user, so perhaps Shizaru is best explained as a webserver for imposing strong opinions. Said opinions can be imposed in many ways, for example by defining maximum file sizes, or by setting whitelists or blacklists for things like permitted MIME types (as inferred from file extension), permitted HTML tags, domains which are permitted to be linked to, etc.
Have no opinions of your own to impose? Fear not! Shizaru has lovely default
settings which attempt to promote a fast, safe, clean, simple, respectful web.
The website obesity crisis is
combatted with strict file size limits, to ensure that your website does not
end up larger than the major works of Russian literature. Besides being
limited to 32 KiB in size, HTML pages are limited to 3 images and HTML tags
cannot be nested more than 10 levels deep. This encourages uncluttered and
quickly rendering layouts.
<video> tags are prohibited (among others).
In other words, your web pages will need to be actual documents, not
applications, which means they have some hope of being usable on older machines
or without massively bloated browsers. Third-party images, stylesheets and
fonts are not allowed, so your users can rest assured that they aren't being
This default configuration of Shizaru is not supposed to be a "retro server".
Shizaru supports HTTPS (in fact, the only thing it will serve over HTTP is a
redirct to HTTPS) and HTTP/2, and the default ruleset allows the use of many
tags introduced in HTML5. The goal is not to remove the new and keep only the
old, but to remove the evil and keep only the good. Old and good may be
correlated when it comes to the web, but there are exceptions. The Shizaru
<marquee>, for example.
Shizaru is written in Go, a modern compiled language with built in memory
management and excellent concurrency support. Go is so wonderfully modern that
it does not support simple, well-understood, tried-and-true server security
features like using
setuid to drop root privileges after binding to low-valued
ports like 80 and 443. So how do you actually run the darn thing not as root?
If you want to run Shizaru on Linux, you can use Linux's "capabilities" system to assign a particular compiled binary the power to bind to priveleged ports without being root. See here for an example.
What if you're running on *BSD? As far as I know, no BSD system supports
something equivalent to the Linux solution above. But, the
pf firewall system
(created by OpenBSD but now also available on FreeBSD and NetBSD) features a
handy-dandy traffic redirection
functoinality which you should be able to use to have e.g. incoming connections
on ports 80 and 443 sent to an unpriveleged Shizaru process listening on ports
8080 and 4433. I haven't as yet testing this, though.
Shizaru doesn't yet daemonise itself, so you'll have to rely on an external tool, like this one.