Out on the web there are bots probing every attack surface within the HTTP and TLS layers. This has thrown up many curiosities and helped me harden the server.
## Highlights

- Full TLS 1.3 implementation including 0-RTT, with modern ChaCha20-Poly1305 and AES-GCM AEAD ciphers
- Full HTTP/2 implementation
- Homemade elliptic curve group implementations for TLS key-exchange and signatures
- HTTP/1.1 and TLS 1.2 fallbacks with both modern and legacy ciphers
- C++20 coroutines for improving control flow, particularly around bulk file transfer latency
- Buffered and skippable video streaming supported with HTTP range requests
- Supports HTTP-01 ACME challenges
- SSL certificates are renewed automatically with no server downtime
- HPACK
  - Huffman compression for strings - these can be toggled off for secrets
  - Dynamic indexing of HTTP headers, for requests on the same TCP connection
- Fixed size data frames
  - Avoids fragmentation between ethernet packets
  - Ensures TLS record size patterns do not reveal data contents
- Handles multiple concurrent requests on the same TCP connection
- Consumes frames eagerly when streaming to manage back-pressure in real-time
- The server runs at https://freddiewoodruff.co.uk on a Raspberry Pi 1 Model B.
- Homemade event and task manager
  - Lock-free task executor with a fixed-size threadpool
  - poll()-based event reactor
  - Rust port of this component
- Log output for a fail2ban dynamic firewall
- Includes gcc-14 C++23 features and some homemade implementations of C++26 features for achieving lock-freedom
- Supports FIPS 203 ML-KEM to protect against "harvest-now, decrypt-later" attacks
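The HPACK bullets above mention Huffman coding that can be switched off for secrets and dynamic indexing of header fields. The following is an added example, not code from this project, showing the wire format those choices produce under RFC 7541: a literal header field emitted with raw (non-Huffman) strings, in each of the three literal representations. The `Indexing::never` form is the RFC's "never indexed" flag, which additionally tells any intermediary not to add the field to its own dynamic table; the decoder side rejects Huffman-coded strings and indexed names because they are outside what this example covers. All function and type names here are my own.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Which HPACK literal representation to emit (RFC 7541 section 6.2).
enum class Indexing { incremental, none, never };

// Encode an unsigned integer with an N-bit prefix (RFC 7541 section 5.1).
// `flags` carries the representation's pattern bits above the prefix.
void hpack_encode_int(std::vector<uint8_t>& out, uint8_t flags, int prefix_bits, size_t value) {
    const size_t max_prefix = (size_t{1} << prefix_bits) - 1;
    if (value < max_prefix) {
        out.push_back(static_cast<uint8_t>(flags | value));
        return;
    }
    out.push_back(static_cast<uint8_t>(flags | max_prefix));
    value -= max_prefix;
    while (value >= 128) {
        out.push_back(static_cast<uint8_t>((value % 128) | 0x80));  // continuation bit set
        value /= 128;
    }
    out.push_back(static_cast<uint8_t>(value));
}

// String literal (section 5.2) with the H bit clear: raw octets, no Huffman coding.
// This is the form to use when Huffman is toggled off for a secret value.
void hpack_encode_raw_string(std::vector<uint8_t>& out, const std::string& s) {
    hpack_encode_int(out, 0x00, 7, s.size());
    out.insert(out.end(), s.begin(), s.end());
}

// Literal header field whose name is also sent as a literal (index 0).
std::vector<uint8_t> hpack_encode_literal_header(const std::string& name, const std::string& value, Indexing mode) {
    std::vector<uint8_t> out;
    switch (mode) {
        case Indexing::incremental: hpack_encode_int(out, 0x40, 6, 0); break;  // 01xxxxxx: add to dynamic table
        case Indexing::none:        hpack_encode_int(out, 0x00, 4, 0); break;  // 0000xxxx: do not add this time
        case Indexing::never:       hpack_encode_int(out, 0x10, 4, 0); break;  // 0001xxxx: never index, hops must preserve
    }
    hpack_encode_raw_string(out, name);
    hpack_encode_raw_string(out, value);
    return out;
}

size_t hpack_decode_int(const std::vector<uint8_t>& in, size_t& pos, int prefix_bits) {
    const size_t max_prefix = (size_t{1} << prefix_bits) - 1;
    size_t value = in.at(pos++) & max_prefix;
    if (value < max_prefix) return value;
    size_t shift = 0;
    uint8_t b;
    do {
        if (shift > 56) throw std::runtime_error("HPACK integer too large");
        b = in.at(pos++);
        value += static_cast<size_t>(b & 0x7f) << shift;
        shift += 7;
    } while (b & 0x80);
    return value;
}

std::string hpack_decode_raw_string(const std::vector<uint8_t>& in, size_t& pos) {
    if (in.at(pos) & 0x80) throw std::runtime_error("Huffman-coded strings are outside this example");
    const size_t len = hpack_decode_int(in, pos, 7);
    if (len > in.size() - pos) throw std::runtime_error("string length exceeds buffer");
    std::string s(in.begin() + pos, in.begin() + pos + len);
    pos += len;
    return s;
}

struct DecodedHeader { Indexing mode; std::string name; std::string value; };

// Parse one literal header field and report which representation the peer chose.
DecodedHeader hpack_decode_literal_header(const std::vector<uint8_t>& in) {
    size_t pos = 0;
    const uint8_t b = in.at(0);
    DecodedHeader h{};
    size_t index;
    if (b & 0x80) throw std::runtime_error("indexed representation, not a literal");
    if (b & 0x40)      { h.mode = Indexing::incremental; index = hpack_decode_int(in, pos, 6); }
    else if (b & 0x20) throw std::runtime_error("dynamic table size update, not a header field");
    else if (b & 0x10) { h.mode = Indexing::never; index = hpack_decode_int(in, pos, 4); }
    else               { h.mode = Indexing::none;  index = hpack_decode_int(in, pos, 4); }
    if (index != 0) throw std::runtime_error("indexed names are outside this example");
    h.name = hpack_decode_raw_string(in, pos);
    h.value = hpack_decode_raw_string(in, pos);
    return h;
}

int main() {
    // Constructed sample: a session cookie sent as a never-indexed, non-Huffman literal.
    const auto field = hpack_encode_literal_header("cookie", "session=abc123", Indexing::never);
    for (uint8_t byte : field) std::printf("%02x ", byte);
    std::printf("\n");
    const DecodedHeader h = hpack_decode_literal_header(field);
    std::printf("%s: %s (never indexed: %s)\n", h.name.c_str(), h.value.c_str(),
                h.mode == Indexing::never ? "yes" : "no");
    return 0;
}
```

Running it prints the field bytes (`10 06 63 6f 6f 6b 69 65 0e ...`): the leading `10` is the never-indexed pattern, and each string starts with a length byte whose top bit is clear, so no Huffman table is involved for the secret value.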
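The "Fixed size data frames" bullet makes a traffic-analysis point: if every record on the wire has the same length, an observer of the ciphertext learns only how many records were sent, not how long the content was. The following is an added example, not this project's framing code, of that idea in isolation: a payload is cut into frames of a constant size, each carrying a two-byte content length followed by content and zero padding, and the receiver reassembles it while rejecting malformed frames. The frame size, header layout and function names are my own choices for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Constructed constants for this example: every frame on the wire is exactly FRAME_SIZE bytes.
// The first two bytes carry the real content length (big-endian); the rest is content plus zero padding.
constexpr size_t FRAME_SIZE = 1024;
constexpr size_t HEADER_SIZE = 2;
constexpr size_t CAPACITY = FRAME_SIZE - HEADER_SIZE;

using Frame = std::vector<uint8_t>;

// Split `data` into fixed-size frames; the final (or only) frame is zero-padded to FRAME_SIZE.
// An empty payload still produces one fully padded frame, so "nothing to send" has the same length too.
std::vector<Frame> frame_fixed_size(const std::vector<uint8_t>& data) {
    std::vector<Frame> frames;
    size_t offset = 0;
    do {
        const size_t n = std::min(CAPACITY, data.size() - offset);
        Frame f(FRAME_SIZE, 0);
        f[0] = static_cast<uint8_t>(n >> 8);
        f[1] = static_cast<uint8_t>(n & 0xff);
        std::copy(data.begin() + offset, data.begin() + offset + n, f.begin() + HEADER_SIZE);
        frames.push_back(std::move(f));
        offset += n;
    } while (offset < data.size());
    return frames;
}

// Reassemble the payload, rejecting frames that are not exactly FRAME_SIZE bytes or whose
// declared length would read past the frame's capacity.
std::vector<uint8_t> unframe_fixed_size(const std::vector<Frame>& frames) {
    std::vector<uint8_t> out;
    for (const Frame& f : frames) {
        if (f.size() != FRAME_SIZE) throw std::runtime_error("frame is not FRAME_SIZE bytes");
        const size_t n = (static_cast<size_t>(f[0]) << 8) | f[1];
        if (n > CAPACITY) throw std::runtime_error("declared content length exceeds frame capacity");
        out.insert(out.end(), f.begin() + HEADER_SIZE, f.begin() + HEADER_SIZE + n);
    }
    return out;
}

// What a passive observer of the encrypted records learns: one size per frame, nothing about contents.
std::vector<size_t> observed_record_sizes(const std::vector<Frame>& frames) {
    std::vector<size_t> sizes;
    for (const Frame& f : frames) sizes.push_back(f.size());
    return sizes;
}

int main() {
    // Constructed sample: a 100-byte and a 900-byte response look identical on the wire.
    const std::vector<uint8_t> small(100, 'a'), large(900, 'b');
    const auto fs = frame_fixed_size(small);
    const auto fl = frame_fixed_size(large);
    std::printf("small: %zu frame(s), large: %zu frame(s), each %zu bytes\n",
                fs.size(), fl.size(), fs[0].size());
    return 0;
}
```

The padding cost is bounded by one frame per message, which is the trade the bullet list describes: a little wasted bandwidth in exchange for record sizes that carry no information about the response.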
## Usage

Install with

```sh
git clone https://github.com/fwoodruff/HTTPS.git
cd HTTPS
```

then run with Make

```sh
make -j$(nproc) && ./target/codeymccodeface
```

Note, this requires GCC 14 or later.

Alternatively use Docker

```sh
docker build -t server .
docker run --init --rm -p 8443:8443 -p 8080:8080 server
```

CA certificates can be renewed with:

```sh
sudo certbot certonly \
  --webroot \
  -w /home/freddiewoodruff/doc/HTTPS23/resources/webpages/freddiewoodruff.co.uk \
  --key-type ecdsa \
  --elliptic-curve secp256r1 \
  --cert-name freddiewoodruff.co.uk \
  -d freddiewoodruff.co.uk \
  -d www.freddiewoodruff.co.uk \
  --force-renewal
```

Set up a cronjob for renewal with `sudo crontab -e`

```
0 */12 * * * certbot renew --quiet
```

`config.txt` is for localhost.

`live_config.txt` is my Raspberry Pi server config.
## Benchmarks

| Client request | Data-rate | Transfer time |
|---|---|---|
| `scp freddiewoodruff.co.uk:~/doc/HTTPS20/webpages/assets/carina.png .` | 3.0MB/s | 41s |
| `wget https://freddiewoodruff.co.uk/assets/carina.png` | 702KB/s | 3m 3s |
## Targeting

Compiling C++23 for a Raspberry Pi 1B mixes old with new.

`Dockerfile.armv6` downloads a cross-compiler and builds the ARMv6 binary. Run as follows:

```sh
mkdir -p target
docker build -t containerymccontainerface -f Dockerfile.armv6 .
c_id=$(docker create containerymccontainerface)
docker cp $c_id:/target/codeymccodeface ./target/codeymccodeface.armv6
docker rm $c_id
```