Skip to content

nathanaelle/nataraja

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
conf
conf
 
 
debian
debian
 
 
src
src
 
 
vendor
vendor
 
 
.gitmodules
.gitmodules
 
 
Makefile
Makefile
 
 
ReadMe.markdown
ReadMe.markdown
 
 

Repository files navigation

Nataraja

What is Nataraja ?

Nataraja is a HTTP reverse proxy.

Why another one ?

Main goals

  • Simple configuration
  • Default secure TLS without any knowledge
  • transparent support of HTTP/1.1 & HTTP/2
  • IPv4 & IPv6
  • Minimal WAF
  • transparent reload conf
  • HTTP Caching

Rejected goals

  • coping with cgi
  • permit TLS tuning
  • Non "reverse proxy" proxy
  • Serving static files
  • ESI scripting

Configuration

For the full options list see conf/config.toml for the main config and conf/example.vhost

Minimal config

Listen	= [ "127.0.0.1", "::1" ]
Proxied	= "http://host.tld/"
IncludeVhosts = "/path/to/vhosts"

Minimal vhost without TLS

[[Serve]]
zones           = [ "www.f.q.d.n" ]

[[Redirect]]
From            = [ "f.q.d.n" ]
To              = "www.f.q.d.n"

Minimal vhost with TLS

[[Serve]]
zones           = [ "www.f.q.d.n" ]
# Only one key is acceptable because HSTS pinning/preload is disabled by default
keys            = [ "/path/privatekey-1" ]
cert            = "/path/cert"

[[Redirect]]
From            = [ "f.q.d.n" ]
To              = "www.f.q.d.n"

A more Complicated Case

[[Serve]]
zones           = [ "www.foo.example", "foo.example" ]
keys            = [ "/etc/ssl/foo.priv-1", "/etc/ssl/foo.pub-2" ]  # the second key is a public key only for HPKP
cert            = "/path/foo.cert"

[[Serve]]
zones                   = [ "www.bar.example" ]
StrictTransportSecurity = "max-age=15552000;includeSubdomains"
XFrameOptions		= "DENY"
keys                    = [ "/etc/ssl/bar.priv-1", "/etc/ssl/bar.pub-2" ]  # the second key is a public key only for HPKP
cert                    = "/path/bar.cert"

[[Serve]]
zones           = [ "quux.example" ]

[[Redirect]]
From            = [ "bar.example" ]
To              = "www.bar.example"

[[Redirect]]
From            = [ ".quux.example", "another-quux.example", ".another-quux.example" ]
To              = "quux.example"

Explanation for the TLS configuration

the TLS configuration for a virtual host, needs 2 mandatory informations :

  • the path to the certificate provided by the CA
  • the path to the private key
  • optionaly, you can add severals public keys to the primary key

all the other configurations fall in two cases :

  • good practices like cipher suite, accepted protocols, HSTS, …
  • informations already stored in the certificate like OCSP responder, intermediate certificate, …

so, it seems logical to provide only the non guessable part : the certificates and the private and public keys

Features

HTTPS

  • automatic OCSP
  • automatic HPKP (multiple public and private keys transparently handled)
  • automatic HSTS
  • Autofinding the Chain of trust to the root certificate
  • no cargo culting required for cipher suit
  • Automatic redirection to HTTPS if a certificate is provided

HTTP

  • HTTP Range (not Multipart-Ranges)
  • HTTP Cache Compliant
  • wildcard zone redirection (aka redirect *.some-zo.ne to another-zo.ne )
  • JSON message in AccessLog
  • AccessLog and ErrorLog are syslog RFC 5424 compliant

License

2-Clause BSD

Todo

  • write comments
  • better handling of CSP configuration (don't be less secure than default)

About

HTTP & HTTPS reverse proxy made easy

Topics

go golang http2 reverse-proxy http-server

Resources

Readme
Activity

Stars

11 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases 1

first release Latest
Nov 18, 2017

Packages

No packages published

Contributors 2

  •  
  •  

Languages