9c104ae improve doc; iterate twice over docroot to validate found symlinks
~benthor pushed to ~benthor/treehouse git
# treehouse

treehouse is a very minimal webserver with automatic TLS certificate handling and privilege dropping. It does what it needs to do to serve a static website via HTTP and HTTPS and nothing else. I personally use it to serve https://inimeg.space from an old Raspberry Pi.

XXX in the comments)

treehouse needs to be started as root in order to bind to the privileged HTTP and HTTPS ports 80 and 443. However, as soon as this is accomplished, it uses the `setgid` and `setuid` syscalls to (by default) become `nobody`. As a result, treehouse can only serve files that are world-readable (or belong to `nobody`). It is possible to set `gid` and `uid` to other values besides the default `65534` (`nobody`).

treehouse uses autocert to automatically obtain certificates from Let's Encrypt.
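The bind-then-drop sequence described above, as an added example (not treehouse's own code): the listeners for ports 80 and 443 are created while the process is still root, then the supplementary groups, the gid and finally the uid are switched, and the result is verified so a silently failed drop cannot go unnoticed. The `defaultUID`/`defaultGID` constants mirror the README's default of 65534; `dropPrivileges` and `verifyDropped` are hypothetical names chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"os"
	"syscall"
)

// Default target ids, matching treehouse's documented default of 65534 (nobody).
const (
	defaultUID = 65534
	defaultGID = 65534
)

// dropPrivileges permanently switches the process to uid/gid. The order is the
// important part: supplementary groups and the gid are changed first, while the
// process is still root, because once the uid is no longer 0 it can no longer
// change its gid. On Linux, Go 1.16 and later apply these calls to all threads.
func dropPrivileges(uid, gid int) error {
	if os.Geteuid() == 0 {
		// Only root may replace the supplementary group list; without this the
		// process would keep root's groups after the switch.
		if err := syscall.Setgroups([]int{gid}); err != nil {
			return fmt.Errorf("setgroups: %w", err)
		}
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	return verifyDropped(uid, gid)
}

// verifyDropped checks that the switch took effect for both the real and the
// effective ids and, when the target is not root, that root cannot be regained
// (a saved-set uid of 0 would let setuid(0) succeed again).
func verifyDropped(uid, gid int) error {
	if os.Getuid() != uid || os.Geteuid() != uid {
		return fmt.Errorf("uid is %d/%d, want %d", os.Getuid(), os.Geteuid(), uid)
	}
	if os.Getgid() != gid || os.Getegid() != gid {
		return fmt.Errorf("gid is %d/%d, want %d", os.Getgid(), os.Getegid(), gid)
	}
	if uid != 0 {
		if err := syscall.Setuid(0); err == nil {
			return errors.New("privileges could be regained: saved uid is still 0")
		}
	}
	return nil
}

func main() {
	// Bind the privileged ports first: this is the only step that needs root.
	httpLn, err := net.Listen("tcp", ":80")
	if err != nil {
		log.Fatal(err)
	}
	httpsLn, err := net.Listen("tcp", ":443")
	if err != nil {
		log.Fatal(err)
	}
	// Then become nobody before any request is handled or any file is opened.
	if err := dropPrivileges(defaultUID, defaultGID); err != nil {
		log.Fatal(err)
	}
	log.Printf("listening on %s and %s as uid %d", httpLn.Addr(), httpsLn.Addr(), os.Getuid())
	// Hand httpLn and httpsLn to http.Serve / a TLS server here.
	httpLn.Close()
	httpsLn.Close()
}
```

Because the listeners are already bound, nothing after the drop ever needs root again, which is exactly why the README can say the server only serves files that `nobody` can read.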
## secdir

A directory for treehouse to store its certificates needs to be provided with the mandatory `secdir` flag. If the specified path does not exist, it will be created (like `mkdir -p`). treehouse will also `chown` this directory to restrict access to the `nobody` user and group. It currently doesn't `chmod` an existing directory; a non-existing directory will, however, be created with `0700` permissions.

To make sure that treehouse can not accidentally serve its private TLS keys, it is an error to specify a `secdir` that is a subdirectory of `docroot`.
treehouse expects subdirectories in the `docroot` directory that are named according to the domain that is to be served. It will only attempt to obtain TLS certificates matching the directory names it saw on startup.
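The two startup checks just described, as an added example that is not treehouse's own code: `checkSecdir` refuses a `secdir` that resolves to a location inside `docroot` (both paths are made absolute and symlink-free first, and a not-yet-created `secdir` is resolved through its nearest existing ancestor, so a symlink cannot smuggle the key directory under the web root), and `discoverDomains` lists the directory names that would become the domains to serve. The hostname rule in `looksLikeHost` and the treatment of symlinked entries as directories are assumptions made here, not treehouse's documented behaviour.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// resolveExisting returns the absolute, symlink-free form of p. If p does not
// exist yet (secdir is created on demand), the longest existing ancestor is
// resolved and the remaining components are appended to it.
func resolveExisting(p string) (string, error) {
	abs, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	rest := ""
	for cur := abs; ; {
		real, err := filepath.EvalSymlinks(cur)
		if err == nil {
			return filepath.Join(real, rest), nil
		}
		if !os.IsNotExist(err) {
			return "", err
		}
		rest = filepath.Join(filepath.Base(cur), rest)
		parent := filepath.Dir(cur)
		if parent == cur {
			return "", fmt.Errorf("cannot resolve %q", abs)
		}
		cur = parent
	}
}

// isWithin reports whether child is parent itself or lies below it. A sibling
// that merely shares a name prefix (Public vs Public-secrets) is not within.
func isWithin(parent, child string) bool {
	rel, err := filepath.Rel(parent, child)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// checkSecdir is the README's rule: a secdir inside docroot is an error.
func checkSecdir(docroot, secdir string) error {
	d, err := resolveExisting(docroot)
	if err != nil {
		return fmt.Errorf("docroot: %w", err)
	}
	s, err := resolveExisting(secdir)
	if err != nil {
		return fmt.Errorf("secdir: %w", err)
	}
	if isWithin(d, s) {
		return fmt.Errorf("secdir %q must not be inside docroot %q", s, d)
	}
	return nil
}

// looksLikeHost is a deliberately narrow, constructed rule: lowercase labels,
// digits, '-' and '.', so both "inimeg.space" and "127.0.0.1" qualify while
// hidden directories and stray files do not.
func looksLikeHost(name string) bool {
	if name == "" || len(name) > 253 || strings.HasPrefix(name, ".") {
		return false
	}
	for _, r := range name {
		switch {
		case r >= 'a' && r <= 'z', r >= '0' && r <= '9', r == '-', r == '.':
		default:
			return false
		}
	}
	return true
}

// discoverDomains returns the sorted names of docroot entries that are
// directories (os.Stat follows symlinks) and look like hostnames; this is the
// list a certificate whitelist would be built from.
func discoverDomains(docroot string) ([]string, error) {
	entries, err := os.ReadDir(docroot)
	if err != nil {
		return nil, err
	}
	var domains []string
	for _, e := range entries {
		name := e.Name()
		info, err := os.Stat(filepath.Join(docroot, name))
		if err != nil || !info.IsDir() || !looksLikeHost(name) {
			continue
		}
		domains = append(domains, name)
	}
	sort.Strings(domains)
	return domains, nil
}

func main() {
	docroot, secdir := "./Public", "./secrets" // constructed defaults
	if len(os.Args) > 2 {
		docroot, secdir = os.Args[1], os.Args[2]
	}
	if err := checkSecdir(docroot, secdir); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	domains, err := discoverDomains(docroot)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, d := range domains {
		fmt.Printf("handling domain http(s)://%s\n", d)
	}
}
```

Resolving symlinks before the containment check is what makes the rule robust: `filepath.Rel` alone would happily accept `/srv/keys` even if `/srv/keys` were a symlink to `~/Public/inimeg.space/keys`.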
I use treehouse like this: under `~/Public`, I have a subdirectory called `inimeg.space`, containing some static HTML files. This directory gets detected when treehouse starts up.

```
sudo ~/bin/treehouse -secdir /etc/treehouse/secrets --docroot ~/Public
2023/03/02 Running as root, dropping privileges
2023/03/02 using /home/benthor/Public as docroot
2023/03/02 using /etc/treehouse/secret as secdir
2023/03/02 handling domain http(s)://inimeg.space
2023/03/02 serving HTTPS
2023/03/02 serving HTTP
```
Since treehouse also serves regular HTTP, you can test your setup without necessarily invoking autocert. Just create a directory named `127.0.0.1` under your `docroot`, add an `index.html` to it and start treehouse.
treehouse
You need some version of Go (version 1.x) installed. Even versions that are several years out of date should still work fine. Just do

```
go build .
```

Note that Cgo is not required. To build a static binary that still works even after your libc is updated, simply do

```
CGO_ENABLED=0 go build .
```

Here is how I cross compile treehouse into a binary that I can deploy on my old Raspberry Pi 1:

```
CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=5 go build -trimpath -ldflags "-X main.Version=$(git describe --tags) -w -s" -v .
```
The goal is to eventually publish a version 1.0 that can be considered complete and stable. The following items need to be done (in no particular order):
docroot