diff options
author | Lars Wirzenius <liw@liw.fi> | 2020-07-26 07:02:27 +0000 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2020-07-26 07:02:27 +0000 |
commit | 2713af54b0cf89b665c05c769365572b0c4621f3 (patch) | |
tree | ed0657939e8ec97ed3922107ab80e994a88bd7a7 | |
parent | 0a04bf846a18788642669ab968825db3253010eb (diff) | |
parent | 3f38723a181558cfa020ac553b248144c3a75c61 (diff) | |
download | ewww-2713af54b0cf89b665c05c769365572b0c4621f3.tar.gz |
Merge branch 'subplot-fixes' into 'master'
Subplot fixes
Closes #24, #22, #21, #20, and #19
See merge request larswirzenius/ewww!10
-rw-r--r-- | ewww.md | 25 |
1 files changed, 14 insertions, 11 deletions
@@ -7,7 +7,8 @@ simple to configure, simple to keep running, and fast. * I have files in a directory, and a domain name pointing at the host. I want to serve the files using HTTPS. I want the TLS certificate to - come from Let's Encrypt, and get renewed automatically. + come from Let's Encrypt, but the web server doesn't need to be + involved in its creation or renewal. * Same, but I have multiple domain names and each should serve from different directories and potentially have their own certificates. @@ -25,8 +26,9 @@ expressed as _scenarios_ in the acceptance criteria chapter. on my Thinkpad T480 laptop. A self-signed certificate is OK. * Fast, time from starting server to having served first HTTPS request should be at most 100 ms. -* Serves only HTTPS, except what Let's Encrypt needs to be served over - plain HTTP. +* Serves only HTTPS, except what needs to be served over plain HTTP, + e.g., for Let's Encrypt certificate validation. Any plain HTTP + access must be explicitly allowed. I don't need flexibility, and I don't want to configure anything that's not essential for this. Hardcoded assumptions are A-OK, if my @@ -41,12 +43,13 @@ minimal. # Architecture -This is a thin layer on top of the Rust warp crate. It does minimal +[warp crate]: https://crates.io/crates/warp + +This is a thin layer on top of the Rust [warp crate][]. It does minimal processing for each request, and does not cache anything. -At startup, the server is provided with a directory and it reads all -configuration files in that directory. Each configuration file looks -like this: +At startup, the server is provided with a single configuration file, +which looks like this: ~~~yaml webroot: /srv/http/example.com @@ -63,10 +66,10 @@ tls-key: /etc/letsencrypt/live/certname/privkey.pem The hosts are aliases; the first host on the list is the main one, the others automatically redirect to it. -The server is started as `root`, reads in the TLS private key and -cert, binds to the ports, then drops privileges to `nobody`. The -configuration specifies for each port if plain HTTP or HTTPS is -expected. +The server is started via systemd or other mechanism that binds to +privileged ports and handles process management: daemonization, +restarting, etc. The configuration specifies for each port if plain +HTTP or HTTPS is expected. The server automatically listens on both port 80 (http) and 443 (https) so that it can serve the Let's Encrypt files. It only serves |