feat add spdlog

third_party/prometheus/3rdparty/civetweb/examples/https/README.md

@@ -0,0 +1,15 @@
+HTTPS Server configuration example
+====
+
+This directory contains an example [`civetweb.conf`](civetweb.conf) configuration file for a secure HTTPS server.  You can run a HTTPS server without most of the options there - only `ssl_certificate` and one port (e.g., `443s`) in `listening_ports` is required.  The default settings will work, but not comply with up to date security standards.  It is somewhat debatable what "up to date security" means - you can use the following web sites to run tests:
+
+- https://securityheaders.io
+- https://www.htbridge.com/ssl
+- https://www.htbridge.com/websec
+- https://www.ssllabs.com/ssltest/analyze.html / https://www.qualys.com/forms/freescan/
+- probably there are some more ... let me know!
+
+Instructions to run the test and to adapt the configuration can be found [`civetweb.conf`](civetweb.conf).  You can test this configuration directly with the standalone server, or you can take the settings and add it into your embedding code.
+
+Note: I do not take any warranty or liability for this configuration, or for the content of any linked web site.
+

third_party/prometheus/3rdparty/civetweb/examples/https/civetweb.conf

@@ -0,0 +1,86 @@
+# Instructions to run (on Linux) to reproduce test results:
+#
+# 1) copy civetweb executable here (examples/https directory)
+# 2) sudo ./civetweb
+#
+# Instructions to adapt to your own server:
+#
+# 1) generate your own server cert
+# 2) generate at least one backup server cert
+#    in case you want a self signed cert, you can use the script
+#    in resources/cert for both steps
+# 3) copy the content of the *.pin files into the Public-Key-Pins
+#    header config (the base64 encoded certificate hash)
+# 4) set the document root, and all other required http server settings
+# 5) Run the tests from the three websites below. They will tell you
+#    also what clients are compatible with your settings. The settings
+#    here are very strict and lock out most older clients/browsers.
+#    You will find some hints for fine tuning there as well.
+# 6) If you know all your clients, and give them client certificates in
+#    advance, you can significantly improve security by setting
+#    "ssl_verify_peer" to "yes" and specifying a client cert (directory)
+#    using "ssl_ca_file/path". This will lock out all clients without a
+#    proper certificate. Don't use it for your public home page, but
+#    consider it for your private remote access server.
+# 7) run civetweb, like above - or better create your own start script
+#    You are welcome to share your thoughts and experience on GitHub
+#    (see README.md in CivetWeb main directory).
+
+# Don't run as super user, switch back to a regular user
+run_as_user user
+
+# The standard HTTP port 80 should redirect to the standard HTTPS port 443
+listening_ports 80r,443s
+
+# Don't forget to set the document root and domain
+#document_root tdb
+#authentication_domain mydomain.com
+
+# Set the a certificate
+ssl_certificate ../../resources/cert/server.pem
+
+# Require a client cert for your private server (see above)
+#ssl_verify_peer yes
+#ssl_ca_file ../../resources/cert/client.pem
+
+# Enforce TLS1.2 and some strong cipher(s)
+ssl_protocol_version 4
+ssl_cipher_list ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS
+
+# Tell all browsers to access this site only as HTTPS for the next 180 days
+strict_transport_security_max_age 15552000
+
+# Set some HTTP security header, see https://securityheaders.io
+additional_header Content-Security-Policy: script-src 'self'
+additional_header X-Frame-Options: SAMEORIGIN
+additional_header X-Xss-Protection: 1; mode=block
+additional_header X-Content-Type-Options: nosniff
+additional_header Referrer-Policy: same-origin
+additional_header Public-Key-Pins: pin-sha256="uz1UTAPen+xb+UoQqkVlEx4H653LbMjfRJcZx5OrjbI="; pin-sha256="pf3px1MBPmlTGAPoiHWqaSJ9L9Z+DKfwgsU7LfLnmsk="; max-age=7776000
+#additional_header Expect-CT: max-age=86400,report-uri="https://mydomain.com/report"
+
+
+# Ratings from 2017-09-03 (tests performed later may require more
+# strict security settings)
+#
+# Headers rated A+ from https://securityheaders.io/
+#
+# SSL rated B from https://www.htbridge.com/ssl when using a self signed
+# certificate, but no other weaknesses for modern browsers.
+# Site remarks some older TLS versions and some weaker ciphers are not
+# supported (but that's accessibility, not security).
+#
+# HTTPS rated A+ from https://www.htbridge.com/websec/ when using a self
+# signed certificate, generated with make_certs.sh in resources/cert/
+# and adding the server.pin and server_bkup.pin content into the
+# Public-Key-Pins header above.
+#
+# A rating of "T / If trust issues are ignored: A" (ignoring self-signed cert)
+# from https://www.ssllabs.com/ssltest/, https://www.qualys.com/forms/freescan/
+# (Note: this test is runs with reverse DNS name, while all others use the
+# IP address).
+#
+# Note: This settings are very strict and prevent some older but still common
+# versions of major browsers to access this site. The test web sites will give
+# you an overview. Test, before you use this settings.
+