rockfish http
Serve static report files over HTTP with optional session-based authentication.
Overview
The http command runs a lightweight HTTP server to serve generated report
pages behind a login wall. Designed to sit behind a reverse proxy (nginx,
Caddy, etc.), it provides user management, session cookies, and static
file serving with automatic index.html resolution.
Usage
rockfish http [OPTIONS] [COMMAND]
Options
| Option | Default | Description |
|---|---|---|
| --dir | /var/lib/report | Directory to serve |
| --host | 127.0.0.1 | Bind address |
| --port | 8001 | Bind port |
| --users-file | /opt/rockfish/etc/users | Path to users password file |
| --session-expiry-hours | 24 | Session expiry in hours |
| --no-auth | — | Disable authentication (serve without login) |
User Management
Manage users with the user subcommand:
# Add a new user (prompts for password)
rockfish http user add <username>
# Delete an existing user
rockfish http user del <username>
# List all configured users
rockfish http user list
Password File
Users are stored in a password file (default: /opt/rockfish/etc/users):
# Rockfish HTTP users
# Format: username:sha256hex
admin:e3b0c44298fc1c149afb...
analyst:d7a8fbb307d7809469...
- Passwords are SHA-256 hashed before storage
- File permissions are set to 0600 (owner read/write only)
- The file is reloaded on each login attempt (no restart needed to add users)
Authentication
When authentication is enabled (default), the server:
- Redirects unauthenticated requests to /login
- Accepts username/password via HTML login form
- Validates credentials using constant-time comparison (subtle crate)
- Issues a session cookie (rockfish_session) on successful login
- Expired sessions are cleaned up automatically every 5 minutes
Session Cookies
| Property | Value |
|---|---|
| Cookie name | rockfish_session |
| HttpOnly | Yes (no JavaScript access) |
| SameSite | Strict (CSRF protection) |
| Max-Age | Configurable (default: 24 hours) |
Audit Logging
All login attempts are logged to stderr:
LOGIN OK user=admin from=192.168.1.100
LOGIN FAIL user=unknown from=10.0.0.5
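One way to triage this log, as an added example that is not part of rockfish: a Python scan over constructed lines in the format above that flags repeated failures per source, many distinct usernames from one source, and a success that follows repeated failures for the same account. The threshold and finding names are assumptions; the page does not say whether from= shows the client or the reverse proxy address, so the per-account rule is counted independently of the source.

```python
import re
from collections import Counter, defaultdict

# Greedy user group + end anchor: the username in a FAIL line is client-supplied
# and may contain spaces, so only the last " from=" is treated as the source.
AUDIT = re.compile(r"LOGIN (OK|FAIL) user=(.*) from=(\S+)\s*$")

def analyze(lines, threshold=3):
    """Scan audit lines; threshold is an example value, not a rockfish option.

    The lines shown above carry no timestamp, so counts cover the whole input.
    """
    fails_src, fails_user = Counter(), Counter()
    names_src = defaultdict(set)
    findings = []
    for line in lines:
        m = AUDIT.search(line)
        if not m:
            continue  # other stderr output
        result, user, src = m.groups()
        if result == "FAIL":
            fails_src[src] += 1
            fails_user[user] += 1
            names_src[src].add(user)
        else:
            # A success right after repeated failures may mean a guess landed.
            if fails_user[user] >= threshold:
                findings.append(("ok_after_failures", user, src))
            fails_user[user] = 0
    for src, n in sorted(fails_src.items()):
        if n >= threshold:
            findings.append(("repeated_failures", src, n))
        if len(names_src[src]) >= threshold:
            findings.append(("many_usernames", src, len(names_src[src])))
    return findings

# Constructed sample lines (addresses are from documentation ranges).
SAMPLE = """\
LOGIN OK user=analyst from=198.51.100.7
LOGIN FAIL user=admin from=203.0.113.9
LOGIN FAIL user=admin from=203.0.113.9
LOGIN FAIL user=admin from=203.0.113.9
LOGIN OK user=admin from=203.0.113.9
LOGIN FAIL user=root from=203.0.113.50
LOGIN FAIL user=test from=203.0.113.50
LOGIN FAIL user=x from=192.0.2.1 from=203.0.113.50
""".splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```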
Configuration
The HTTP server can be configured via YAML:
http:
  dir: /var/lib/report
  host: 127.0.0.1
  port: 8001
  users_file: /opt/rockfish/etc/users
  session_expiry_hours: 24
  auth: true
CLI arguments override YAML values.
Examples
# Serve reports with authentication
rockfish http --dir /var/www/html/ndr
# Serve on all interfaces (e.g., behind reverse proxy)
rockfish http --dir /var/lib/report --host 0.0.0.0 --port 8080
# Serve without authentication (local/demo use)
rockfish http --dir ./report --no-auth
# Create admin user, then start server
rockfish http user add admin
rockfish http --dir /var/lib/report
Reverse Proxy (nginx)
server {
    listen 443 ssl;
    server_name ndr.example.com;
    ssl_certificate /etc/ssl/certs/ndr.pem;
    ssl_certificate_key /etc/ssl/private/ndr.key;
    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Systemd Service
[Unit]
Description=Rockfish NDR Report Server
After=network.target
[Service]
ExecStart=/opt/rockfish/bin/rockfish http --dir /var/lib/report --host 127.0.0.1 --port 8001
Restart=on-failure
User=rockfish
[Install]
WantedBy=multi-user.target
Continuous Report + HTTP Server
Run report generation and the HTTP server together:
# Terminal 1: Regenerate reports every 10 minutes
rockfish report -d /data --sensor prod-01 --hive \
--continuous --interval-minutes 10 -o /var/lib/report
# Terminal 2: Serve reports with authentication
rockfish http --dir /var/lib/report