From 880eaf4d251814953f5a79ffec99e6e485f6d156 Mon Sep 17 00:00:00 2001 From: Jose Quintana Date: Fri, 2 Jun 2023 01:42:16 +0200 Subject: [PATCH] docs: http2 and tls feature improvements [skip ci] describe also a workaround for `security-headers` feature when using it along with `http2` --- docs/content/features/http2-tls.md | 53 ++++++++++++++++++++++++++++++++--------------------- docs/content/features/security-headers.md | 4 ++++ 2 files changed, 36 insertions(+), 21 deletions(-) diff --git a/docs/content/features/http2-tls.md b/docs/content/features/http2-tls.md index 8aaf3fb..0bb9ce3 100644 --- a/docs/content/features/http2-tls.md +++ b/docs/content/features/http2-tls.md 
@@ -8,27 +8,38 @@ This feature is disabled by default and can be activated via the boolean `-t, -- SWS comes with safe TLS defaults for underlying cryptography. -- Cipher suites: - ```rust - // TLS1.3 suites - TLS13_AES_256_GCM_SHA384 - TLS13_AES_128_GCM_SHA256 - TLS13_CHACHA20_POLY1305_SHA256 - - // TLS1.2 suites - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - ``` -- Key exchange groups: - - `X25519`, `SECP256R1` and `SECP384R1` -- Protocol versions: - - TLS `1.2` and `1.3` - -These defaults are safe and useful for most use cases. See [Rustls safe defaults](https://docs.rs/rustls/0.21.1/rustls/struct.ConfigBuilder.html#method.with_safe_defaults) for more details. +- **Cipher suites:** + - TLS1.3: + ``` + TLS13_AES_256_GCM_SHA384 + TLS13_AES_128_GCM_SHA256 + TLS13_CHACHA20_POLY1305_SHA256 + ``` + - TLS1.2: + ``` + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + ``` +- **Key exchange groups:** + - `X25519`, `SECP256R1` and `SECP384R1` +- **Protocol versions:** + - TLS `1.2` and `1.3` + +These defaults are safe and useful for most use cases. See [Rustls safe defaults](https://docs.rs/rustls/0.21.1/rustls/struct.ConfigBuilder.html#method.with_safe_defaults) for more details. + +## Private key file formats + +Only the following private key file formats are supported: + +- **RSA Private Key:** A DER-encoded plaintext RSA private key as specified in [PKCS#1/RFC3447](https://datatracker.ietf.org/doc/html/rfc3447). +- **PKCS8 Private Key:** A DER-encoded plaintext private key as specified in [PKCS#8/RFC5958](https://datatracker.ietf.org/doc/rfc5958/). 
+- **EC Private Key:** A Sec1-encoded plaintext private key as specified in [RFC5915](https://www.rfc-editor.org/rfc/rfc5915). + +## Example !!! info "Tips" - Either `--host`, `--port` and `--root` have defaults (optional values) so they can be specified or omitted as required. diff --git a/docs/content/features/security-headers.md b/docs/content/features/security-headers.md index f56585e..aaac362 100644 --- a/docs/content/features/security-headers.md +++ b/docs/content/features/security-headers.md @@ -6,6 +6,10 @@ When the [HTTP/2](../features/http2-tls.md) feature is activated *security heade This feature is disabled by default on HTTP/1 and can be controlled by the boolean `--security-headers` option or the equivalent [SERVER_SECURITY_HEADERS](./../configuration/environment-variables.md#server_security_headers) env. +!!! info "Not enabled by default when using TOML config file" + This is an issue reported on [static-web-server#210](https://github.com/static-web-server/static-web-server/issues/210). + The workaround is just to enable the `security-header` explicitly along with the `tls` feature. More details on the [issue #210 comment](https://github.com/static-web-server/static-web-server/issues/210#issuecomment-1572686507). + !!! tip "Customize HTTP headers" If you want to customize HTTP headers on demand then have a look at the [Custom HTTP Headers](custom-http-headers.md) section. -- libgit2 1.7.2
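Review bot: in the http2-tls.md hunk, the new "Private key file formats" list describes each format as "DER-encoded" (or "Sec1-encoded") without saying whether the file handed to SWS is raw DER or the usual PEM wrapper (`-----BEGIN PRIVATE KEY-----` etc.); since Rustls-based servers normally load PEM, please state the expected container explicitly so readers do not try to pass a binary `.der` file. Two smaller points in the same hunk: "Sec1-encoded" should be written "SEC1-encoded" to match the standard's name, and the RFC 3447 link for PKCS#1 could point at RFC 8017, which obsoletes it (RFC 3447 is still a fine reference if you prefer to match the version Rustls cites). The move from a `rust`-tagged fence to untagged fences for the cipher suite names is correct, since those lines are identifiers, not Rust code.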
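Review bot: in the security-headers.md hunk, the workaround sentence names options that do not match the flags documented elsewhere on the same page: "enable the `security-header` explicitly along with the `tls` feature" uses the singular `security-header`, while the paragraph just above calls the option `--security-headers`, and there is no `tls` flag in the diff (the http2-tls.md hunk refers to the feature being activated via `-t, --http2`). Suggest rewording to the exact option or TOML key names, for example "set `--security-headers` (or the equivalent TOML key) explicitly when HTTP/2 with TLS is enabled", so a reader copying the workaround does not use a non-existent switch. It would also help to say which SWS versions are affected, if known, so the admonition can be removed once the fix from issue #210 ships.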