forked from ampproject/amppackager
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathamppkg.example.toml
166 lines (152 loc) · 7.54 KB
/
amppkg.example.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
# This is a TOML 0.4.0 file, as specified by https://github.com/toml-lang/toml.
# The port to listen on; 8080 is the default.
# Port = 8080
# Uncomment this line to serve only to localhost clients, e.g. for testing, by
# binding on the loopback interface.
# LocalOnly = true
# The path to the PEM file containing the full certificate chain, ordered from
# leaf to root.
#
# Typically, it would look like:
# -----BEGIN CERTIFICATE-----
# ....
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# ....
# -----END CERTIFICATE-----
# where the first certificate is for your domain, and the second is your CA's
# cert.
#
# For development, it may be any certificate that has an OCSP URL in its
# Authority Information Access section (e.g. a TLS cert from Let's Encrypt).
# For production, it must meet the following requirements set by the Signed
# Exchanges specification:
#
# The leaf certificate must use an EC P-256 key. (See https://goo.gl/pwK9EJ
# item 3.1.5.) It must have at least one SCT, either as an X.509 extension or
# as an extension to the OCSP responses from the URI mentioned in its Authority
# Information Access extension. (See https://goo.gl/JQiyNs item 7.4.)
#
# To limit the risk to your existing TLS traffic, your signed exchanges
# certificate should be minted from a different private key than your TLS
# certificate. See https://goo.gl/U4vasm for details.
#
# As of November 2018, DigiCert is the only provider of such certs:
# https://www.digicert.com/account/ietf/http-signed-exchange.php
#
# To verify it has the right key type:
# openssl x509 -in cert.pem -text | grep 'ASN1 OID: prime256v1'
# To verify it has the CanSignHttpExchanges extension:
# openssl x509 -in cert.pem -text | grep 1.3.6.1.4.1.11129.2.1.22:
#
# This will be served at /amppkg/cert/blahblahblah, where "blahblahblah" is a
# stable unique identifier for the cert (currently, its base64-encoded
# SHA-256).
CertFile = './pems/cert.pem'
# The path to the PEM file containing the private key that corresponds to the
# leaf certificate in CertFile.
KeyFile = './pems/privkey.pem'
# The path to a file where the OCSP response will be cached. The parent
# directory should exist, but the file need not. If this is a network-mounted
# file, it should support shared/exclusive locking.
OCSPCache = '/tmp/amppkg-ocsp'
# This is a simple level of validation, to guard against accidental
# misconfiguration of the reverse proxy that sits in front of the packager.
#
# You must specify at least one URLSet; you may specify multiple. Each one must
# specify a Sign pattern and may specify a Fetch pattern. When the packager
# receives a request for a package, it will first validate that the requested
# fetch/sign URL pair matches at least one of the given URLSets.
[[URLSet]]
# What URLs are allowed to show up in the browser's URL bar, when served from
# the AMP Cache. By default, the URL that the frontend requests to sign is
# also the URL where the packager fetches it. For extra flexibility, see
# URLSet.Fetch below.
#
# To ask the packager to fetch/sign a specific URL, request it like this:
# /priv/doc/https://amppackageexample.com/
# or this:
# /priv/doc?sign=https%3A%2F%2Famppackageexample.com%2F
#
# Note the need for the latter to be URL-escaped. Both options are provided,
# depending on what's easier for your server software.
[URLSet.Sign]
# The scheme of the URL must be https. There is no way to configure this.
# The `user:pass@` portion is disallowed. There is no way to configure this.
# The domain to limit signed URLs to. An exact string match. The
# certificate must cover this domain.
Domain = "amppackageexample.com"
# A full-match regexp on the path (not including the ?query). Defaults to
# ".*".
#
# The below example allows paths starting with /world/.
# PathRE = "/world/.*"
# A list of full-match regexps, carving out exclusions to the above PathRE.
# Examples of paths you might want to exclude:
# * Personalized content, such as user settings pages. Signed exchanges
# are cached globally and served to all users. (Personalization that
# happens at runtime via JS is fine.) This provides defense-in-depth,
# in addition to the Cache-Control: public check.
# * User-generated content, such as forums. For instance, if there's a
# chance of an XSS vulnerability in your templating library, the impact
# of such event is higher here: even after you've fixed the bug, caches
# may serve your signed packages for up to 7 days.
# PathExcludeRE = []
# A full-match regexp on the query portion of the URL, excluding the initial
# "?". Defaults to "" (though a single "?" is allowed). The below example
# allows non-empty query strings.
# QueryRE = ".*"
# The fragment portion of the URL (i.e. the '#' and everything after) must
# be empty. There is no way to configure this.
# By default, stateful headers (such as Set-Cookie and WWW-Authenticate)
# are stripped from the response before packaging. If instead you wish for
# this to cause packaging to fail, set ErrorOnStatefulHeaders = true.
# ErrorOnStatefulHeaders = true
# The maximum length of the URL. Defaults to 2000 as this is a de facto
# limit anyway in many browsers. The limit is to mitigate the risk of a
# content-sniffing attack (per https://github.com/WICG/webpackage/pull/348)
# against downstream servers that serve 200 responses regardless of some of
# the path components (e.g. looking up by id and not validating the slug in
# the requested URL). If your server only serves 200 responses on a limited
# set of valid URLs, and some of those URLs are >2000 chars, then it's safe
# to modify this default.
# MaxLength = 2000
# By default, the packager only looks at the sign param, and fetches the
# content from the same location. If you'd like more flexibility (for
# instance, to fetch content from an edge node), uncomment this section. This
# allows the frontend to specify an additional `fetch` query parameter.
# Instead of looking like:
#
# /priv/doc/https://amppackageexample.com/page.html
#
# The URL will look like:
#
# /priv/doc?fetch=https%3A%2F%2Finternal.amppackageexample.com%2Fpage.html&sign=https%3A%2F%2Famppackageexample.com%2Fpage.html
#
# Note that this reduces the defense-in-depth against the "signing oracle"
# attack. If an attacker can request custom URLs from the packager (or
# convince a frontend server to do so), it could convince the packager to
# fetch page A and sign it as page B. If enabling this, make sure there is no
# unauthorized access to the packager.
# [URLSet.Fetch]
# # The set of allowed schemes to fetch from is ["https"] by default, but may
# # be ["http"] or ["http", "https"].
# Scheme = ["http"]
#
# # By default, the packager enforces that the path and query are the same
# # between the fetch and sign URLs (e.g. respond in error if
# # fetch=http%3A%2F%2Ffoo%2Fbar.html and
# # sign=https%3A%2F%2Fbaz%2Fnot-bar.html). Change SamePath to false if this
# # requirement is too stringent.
# SamePath = false
#
# # A full-match regexp on the domain allowed. Only one of DomainRE and
# # Domain may be specified. Exercise caution; test the regexp thoroughly.
# # For instance, a DomainRE of "www.example.com" would allow fetches from
# # www-example.com.
# DomainRE = "www\\.corp\\d+\\.amppackageexample\\.com"
#
# # All other fields behave the same.
# Domain = "www.corp.amppackageexample.com"
# PathRE = "/world/.*"
# QueryRE = ""