test(lib): fix tests for double slash fix

Signed-off-by: Xe Iaso <me@xeiaso.net>

.github/workflows/smoke-tests.yml

@@ -14,6 +14,7 @@ jobs:
     strategy:
       matrix:
         test:
+          - double_slash
           - forced-language
           - git-clone
           - git-push

.github/workflows/ssh-ci.yml

@@ -19,7 +19,7 @@ jobs:
           - riscv64
           - ppc64le
           - aarch64-4k
-          # - aarch64-16k
+          - aarch64-16k
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

anubis.go

@@ -11,7 +11,7 @@ var Version = "devel"
 
 // CookieName is the name of the cookie that Anubis uses in order to validate
 // access.
-var CookieName = "techaro.lol-anubis-auth"
+var CookieName = "techaro.lol-anubis"
 
 // TestCookieName is the name of the cookie that Anubis uses in order to check
 // if cookies are enabled on the client's browser.

cmd/anubis/main.go

@@ -68,7 +68,7 @@ var (
 	slogLevel                = flag.String("slog-level", "INFO", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
 	stripBasePrefix          = flag.Bool("strip-base-prefix", false, "if true, strips the base prefix from requests forwarded to the target server")
 	target                   = flag.String("target", "http://localhost:3923", "target to reverse proxy to, set to an empty string to disable proxying when only using auth request")
-	targetSNI                = flag.String("target-sni", "", "if set, the value of the TLS handshake hostname when forwarding requests to the target")
+	targetSNI                = flag.String("target-sni", "", "if set, TLS handshake hostname when forwarding requests to the target, if set to auto, use Host header")
 	targetHost               = flag.String("target-host", "", "if set, the value of the Host header when forwarding requests to the target")
 	targetInsecureSkipVerify = flag.Bool("target-insecure-skip-verify", false, "if true, skips TLS validation for the backend")
 	targetDisableKeepAlive   = flag.Bool("target-disable-keepalive", false, "if true, disables HTTP keep-alive for the backend")
@@ -83,6 +83,7 @@ var (
 	versionFlag              = flag.Bool("version", false, "print Anubis version")
 	publicUrl                = flag.String("public-url", "", "the externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for forwardAuth).")
 	xffStripPrivate          = flag.Bool("xff-strip-private", true, "if set, strip private addresses from X-Forwarded-For")
+	customRealIPHeader      = flag.String("custom-real-ip-header", "", "if set, read remote IP from header of this name (in case your environment doesn't set X-Real-IP header)")
 
 	thothInsecure        = flag.Bool("thoth-insecure", false, "if set, connect to Thoth over plain HTTP/2, don't enable this unless support told you to")
 	thothURL             = flag.String("thoth-url", "", "if set, URL for Thoth, the IP reputation database for Anubis")
@@ -235,23 +236,28 @@ func makeReverseProxy(target string, targetSNI string, targetHost string, insecu
 
 	if insecureSkipVerify || targetSNI != "" {
 		transport.TLSClientConfig = &tls.Config{}
-		if insecureSkipVerify {
-			slog.Warn("TARGET_INSECURE_SKIP_VERIFY is set to true, TLS certificate validation will not be performed", "target", target)
-			transport.TLSClientConfig.InsecureSkipVerify = true
-		}
-		if targetSNI != "" {
-			transport.TLSClientConfig.ServerName = targetSNI
-		}
+	}
+	if insecureSkipVerify {
+		slog.Warn("TARGET_INSECURE_SKIP_VERIFY is set to true, TLS certificate validation will not be performed", "target", target)
+		transport.TLSClientConfig.InsecureSkipVerify = true
+	}
+	if targetSNI != "" && targetSNI != "auto" {
+		transport.TLSClientConfig.ServerName = targetSNI
 	}
 
 	rp := httputil.NewSingleHostReverseProxy(targetUri)
 	rp.Transport = transport
 
-	if targetHost != "" {
+	if targetHost != "" || targetSNI == "auto" {
 		originalDirector := rp.Director
 		rp.Director = func(req *http.Request) {
 			originalDirector(req)
-			req.Host = targetHost
+			if targetHost != "" {
+				req.Host = targetHost
+			}
+			if targetSNI == "auto" {
+				transport.TLSClientConfig.ServerName = req.Host
+			}
 		}
 	}
 
@@ -460,6 +466,7 @@ func main() {
 
 	var h http.Handler
 	h = s
+	h = internal.CustomRealIPHeader(*customRealIPHeader, h)
 	h = internal.RemoteXRealIP(*useRemoteAddress, *bindNetwork, h)
 	h = internal.XForwardedForToXRealIP(h)
 	h = internal.XForwardedForUpdate(*xffStripPrivate, h)

docs/docs/CHANGELOG.md

@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- This changes the project to: -->
 
+- Add `-custom-real-ip-header` flag to get the original request IP from a different header than `x-real-ip`.
 - Add `contentLength` variable to bot expressions.
 - Add `COOKIE_SAME_SITE_MODE` to force anubis cookies SameSite value, and downgrade automatically from `None` to `Lax` if cookie is insecure.
 - Fix lock convoy problem in decaymap ([#1103](https://github.com/TecharoHQ/anubis/issues/1103)).
@@ -21,12 +22,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add validation warning when persistent storage is used without setting signing keys.
 - Fixed `robots2policy` to properly group consecutive user agents into `any:` instead of only processing the last one ([#925](https://github.com/TecharoHQ/anubis/pull/925)).
 - Add the [`s3api` storage backend](./admin/policies.mdx#s3api) to allow Anubis to use S3 API compatible object storage as its storage backend.
+- Fix a "stutter" in the cookie name prefix so the auth cookie is named `techaro.lol-anubis-auth` instead of `techaro.lol-anubis-auth-auth`.
 - Make `cmd/containerbuild` support commas for separating elements of the `--docker-tags` argument as well as newlines.
 - Add the `DIFFICULTY_IN_JWT` option, which allows one to add the `difficulty` field in the JWT claims which indicates the difficulty of the token ([#1063](https://github.com/TecharoHQ/anubis/pull/1063)).
 - Ported the client-side JS to TypeScript to avoid egregious errors in the future.
 - Fixes concurrency problems with very old browsers ([#1082](https://github.com/TecharoHQ/anubis/issues/1082)).
 - Randomly use the Refresh header instead of the meta refresh tag in the metarefresh challenge.
 - Update OpenRC service to truncate the runtime directory before starting Anubis.
+- Allow multiple consecutive slashes in a row in application paths ([#754](https://github.com/TecharoHQ/anubis/issues/754)).
+- Add option to set `targetSNI` to special keyword 'auto' to indicate that it should be automatically set to the request Host name ([424](https://github.com/TecharoHQ/anubis/issues/424)).
 
 ### Bug Fixes
 

docs/docs/admin/caveats-xff.mdx

@@ -20,6 +20,8 @@ Upstream: X-Forwarded-For: CF_IP
 
 As a workaround, you should configure your web server to parse an alternative source (such as `CF-Connecting-IP`), or pre-process the incoming `X-Forwarded-For` with your web server to ensure it only contains the real client IP address, then pass it to Anubis as `X-Forwarded-For`.
 
+If you do not control the web server upstream of Anubis, the `custom-real-ip-header` command line flag accepts a header value that Anubis will read the real client IP address from. Anubis will set the `X-Real-IP` header to the IP address found in the custom header.
+
 The `X-Real-IP` header will be automatically inferred from `X-Forwarded-For` if not set, setting it explicitly is not necessary as long as `X-Forwarded-For` contains only the real client IP. However setting it explicitly can eliminate spoofed values if your web server doesn't set this.
 
 See [Cloudflare](environments/cloudflare.mdx) for an example configuration.

docs/docs/admin/installation.mdx

@@ -76,6 +76,7 @@ Anubis uses these environment variables for configuration:
 | `COOKIE_DOMAIN`                | unset                   | The domain the Anubis challenge pass cookie should be set to. This should be set to the domain you bought from your registrar (EG: `techaro.lol` if your webapp is running on `anubis.techaro.lol`). See this [stackoverflow explanation of cookies](https://stackoverflow.com/a/1063760) for more information.<br/><br/>Note that unlike `REDIRECT_DOMAINS`, you should never include a port number in this variable.                                                                                                                         |
 | `COOKIE_DYNAMIC_DOMAIN`        | false                   | If set to true, automatically set cookie domain fields based on the hostname of the request. EG: if you are making a request to `anubis.techaro.lol`, the Anubis cookie will be valid for any subdomain of `techaro.lol`.                                                                                                                                                                                                                                                                                                                      |
 | `COOKIE_EXPIRATION_TIME`       | `168h`                  | The amount of time the authorization cookie is valid for.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
+| `CUSTOM_REAL_IP_HEADER`        | unset                   | If set, Anubis will read the client's real IP address from this header, and set it in `X-Real-IP` header.                                                                                                                                                                                                                                                                                                                                                                                                                                      |
 | `COOKIE_PARTITIONED`           | `false`                 | If set to `true`, enables the [partitioned (CHIPS) flag](https://developers.google.com/privacy-sandbox/cookies/chips), meaning that Anubis inside an iframe has a different set of cookies than the domain hosting the iframe.                                                                                                                                                                                                                                                                                                                 |
 | `COOKIE_PREFIX`                | `anubis-cookie`         | The prefix used for browser cookies created by Anubis. Useful for customization or avoiding conflicts with other applications.                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | `COOKIE_SECURE`                | `true`                  | If set to `true`, enables the [Secure flag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies), meaning that the cookies will only be transmitted over HTTPS. If Anubis is used in an unsecure context (plain HTTP), this will be need to be set to false                                                                                                                                                                                                                                          |
@@ -122,7 +123,7 @@ If you don't know or understand what these settings mean, ignore them. These are
 | `TARGET_DISABLE_KEEPALIVE`    | `false`       | If `true`, disables HTTP keep-alive for connections to the target backend. Useful for backends that don't handle keep-alive properly.                                                                                                                                                                                                                                                           |
 | `TARGET_HOST`                 | unset         | If set, overrides the Host header in requests forwarded to `TARGET`.                                                                                                                                                                                                                                                                                                                            |
 | `TARGET_INSECURE_SKIP_VERIFY` | `false`       | If `true`, skip TLS certificate validation for targets that listen over `https`. If your backend does not listen over `https`, ignore this setting.                                                                                                                                                                                                                                             |
-| `TARGET_SNI`                  | unset         | If set, overrides the TLS handshake hostname in requests forwarded to `TARGET`.                                                                                                                                                                                                                                                                                                                 |
+| `TARGET_SNI`                  | unset         | If set, TLS handshake hostname when forwarding requests to the `TARGET`. If set to auto, use Host header.                                                                                                                                                                                                                                                                                                                 |
 
 </details>
 

internal/headers.go

@@ -38,6 +38,22 @@ func UnchangingCache(next http.Handler) http.Handler {
 	})
 }
 
+// CustomXRealIPHeader sets the X-Real-IP header to the value of a
+// different header.
+// Used in environments where the upstream proxy sets the request's
+// origin IP in a custom header.
+func CustomRealIPHeader(customRealIPHeaderValue string, next http.Handler) http.Handler {
+	if customRealIPHeaderValue == "" {
+		slog.Debug("skipping middleware, customRealIPHeaderValue is empty")
+		return next
+	}
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		r.Header.Set("X-Real-IP", r.Header.Get(customRealIPHeaderValue))
+		next.ServeHTTP(w, r)
+	})
+}
+
 // RemoteXRealIP sets the X-Real-Ip header to the request's real IP if
 // the setting is enabled by the user.
 func RemoteXRealIP(useRemoteAddress bool, bindNetwork string, next http.Handler) http.Handler {

lib/anubis_test.go

@@ -457,7 +457,7 @@ func TestBasePrefix(t *testing.T) {
 	}{
 		{
 			name:       "no prefix",
-			basePrefix: "/",
+			basePrefix: "",
 			path:       "/.within.website/x/cmd/anubis/api/make-challenge",
 			expected:   "/.within.website/x/cmd/anubis/api/make-challenge",
 		},
@@ -499,9 +499,15 @@ func TestBasePrefix(t *testing.T) {
 			}
 
 			q := req.URL.Query()
-			q.Set("redir", tc.basePrefix)
+			redir := tc.basePrefix
+			if tc.basePrefix == "" {
+				redir = "/"
+			}
+			q.Set("redir", redir)
 			req.URL.RawQuery = q.Encode()
 
+			t.Log(req.URL.String())
+
 			// Test API endpoint with prefix
 			resp, err := cli.Do(req)
 			if err != nil {
@@ -513,8 +519,15 @@ func TestBasePrefix(t *testing.T) {
 				t.Errorf("expected status code %d, got: %d", http.StatusOK, resp.StatusCode)
 			}
 
+			data, err := io.ReadAll(resp.Body)
+			if err != nil {
+				t.Fatalf("can't read body: %v", err)
+			}
+
+			t.Log(string(data))
+
 			var chall challengeResp
-			if err := json.NewDecoder(resp.Body).Decode(&chall); err != nil {
+			if err := json.NewDecoder(bytes.NewBuffer(data)).Decode(&chall); err != nil {
 				t.Fatalf("can't read challenge response body: %v", err)
 			}
 
@@ -535,7 +548,7 @@ func TestBasePrefix(t *testing.T) {
 				nonce++
 			}
 			elapsedTime := 420
-			redir := "/"
+			redir = "/"
 
 			cli.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 				return http.ErrUseLastResponse

lib/config.go

@@ -107,7 +107,7 @@ func New(opts Options) (*Server, error) {
 		opts.ED25519PrivateKey = priv
 	}
 
-	anubis.BasePrefix = opts.BasePrefix
+	anubis.BasePrefix = strings.TrimRight(opts.BasePrefix, "/")
 	anubis.PublicUrl = opts.PublicUrl
 
 	result := &Server{

lib/http.go

@@ -279,7 +279,12 @@ func (s *Server) respondWithStatus(w http.ResponseWriter, r *http.Request, msg s
 }
 
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	s.mux.ServeHTTP(w, r)
+	if strings.HasPrefix(r.URL.Path, anubis.BasePrefix+anubis.StaticPath) {
+		s.mux.ServeHTTP(w, r)
+		return
+	}
+
+	s.maybeReverseProxyOrPage(w, r)
 }
 
 func (s *Server) stripBasePrefixFromRequest(r *http.Request) *http.Request {

lib/localization/locales/nn.json

@@ -13,7 +13,7 @@
   "try_again": "Prøv att",
   "go_home": "Gå heim",
   "contact_webmaster": "eller om du synest at du ikkje burde vera blokkert, venlegast tak kontakt med administratoren på",
-  "connection_security": "Venlegast vent medan vi stadfestar tryggleiken av tilkoplinga di.",
+  "connection_security": "Venlegast vent medan vi stadfester tryggleiken av tilkoplinga di.",
   "javascript_required": "Du lyt diverre slå på JavaScript for å koma deg forbi denne utfordringa. Dette krevst av di KI-selskap har endra sosialkontrakten om korleis nettstadsverting fungerer. Ei ikkje-JS-løysing er i gang med å skapast.",
   "benchmark_requires_js": "JavaScript må vera slegen på for å køyre samanlikningsverktøyet.",
   "difficulty": "Vanskenivå:",
@@ -41,7 +41,7 @@
   "oh_noes": "Å nei!",
   "benchmarking_anubis": "Samanliknar Anubis!",
   "you_are_not_a_bot": "Du er ikkje ein bot!",
-  "making_sure_not_bot": "Stadfestar at du ikkje er ein bot!",
+  "making_sure_not_bot": "Stadfester at du ikkje er ein bot!",
   "celphase": "CELPHASE",
   "js_web_crypto_error": "Nettlesaren din har ikkje eit fungerande web.crypto-element. Ser du dette med ei sikker tilkopling?",
   "js_web_workers_error": "Nettlesaren din støttar ikkje nettarbeidarar (Anubis brukar dette for å unngå å fryse nettlesaren din). Har du eit tillegg som JShelter installert?",
@@ -63,4 +63,4 @@
   "js_calculation_error_msg": "Mislukkast i å rekne utfordring:",
   "missing_required_forwarded_headers": "Manglende nødvendige X-Forwarded-* headers",
   "simplified_explanation": "Dette er eit tiltak mot robotar og vondsinna førespurnader som liknar på ein CAPTCHA. Men i staden for å måtte gjere arbeidet sjølv, får nettlesaren din ei utrekningsoppgåve som han må løyse for å sikre at han er ein gyldig klient. Dette konseptet blir kalla <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Arbeidsbevis</a>. Oppgåva blir rekna ut på nokre få sekund, og du får tilgang til nettstaden. Takk for di forståing og tålmod."
-}
+}

test/cmd/httpdebug/main.go

@@ -0,0 +1,25 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"log/slog"
+	"net/http"
+)
+
+var (
+	bind = flag.String("bind", ":3923", "TCP port to bind to")
+)
+
+func main() {
+	flag.Parse()
+
+	slog.Info("listening", "url", "http://localhost"+*bind)
+	log.Fatal(http.ListenAndServe(*bind, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		slog.Info("got request", "method", r.Method, "path", r.RequestURI)
+
+		fmt.Fprintln(w, r.Method, r.RequestURI)
+		r.Header.Write(w)
+	})))
+}

test/double_slash/anubis.yaml

@@ -0,0 +1,8 @@
+bots:
+  - name: challenge
+    user_agent_regex: CHALLENGE
+    action: CHALLENGE
+
+status_codes:
+  CHALLENGE: 200
+  DENY: 403

test/double_slash/input.txt

@@ -0,0 +1,178 @@
+/wiki//bin
+/wiki//boot
+/wiki//dev
+/wiki//dev/de
+/wiki//dev/en
+/wiki//dev/en-ca
+/wiki//dev/es
+/wiki//dev/fr
+/wiki//dev/hr
+/wiki//dev/hu
+/wiki//dev/it
+/wiki//dev/ja
+/wiki//dev/ko
+/wiki//dev/pl
+/wiki//dev/pt-br
+/wiki//dev/ro
+/wiki//dev/ru
+/wiki//dev/sv
+/wiki//dev/uk
+/wiki//dev/zh-cn
+/wiki//etc
+/wiki//etc/conf.d
+/wiki//etc/env.d
+/wiki//etc/fstab
+/wiki//etc/fstab/de
+/wiki//etc/fstab/en
+/wiki//etc/fstab/es
+/wiki//etc/fstab/fr
+/wiki//etc/fstab/hu
+/wiki//etc/fstab/it
+/wiki//etc/fstab/ja
+/wiki//etc/fstab/ko
+/wiki//etc/fstab/ru
+/wiki//etc/fstab/sv
+/wiki//etc/fstab/uk
+/wiki//etc/fstab/zh-cn
+/wiki//etc/hosts
+/wiki//etc/local.d
+/wiki//etc/make.conf
+/wiki//etc/portage
+/wiki//etc/portage/bashrc
+/wiki//etc/portage/Bashrc
+/wiki//etc/portage/binrepos.conf
+/wiki//etc/portage/binrepos.conf/en
+/wiki//etc/portage/binrepos.conf/hu
+/wiki//etc/portage/binrepos.conf/ja
+/wiki//etc/portage/binrepos.conf/ru
+/wiki//etc/portage/categories
+/wiki//etc/portage/color.map
+/wiki//etc/portage/env
+/wiki//etc/portage/img/ico.png
+/wiki//etc/portage/license_groups
+/wiki//etc/portage/make.conf
+/wiki//etc/portage/make.conf/de
+/wiki//etc/portage/make.conf/de/etc/portage/make.conf
+/wiki//etc/portage/make.conf/en
+/wiki//etc/portage/make.conf/es
+/wiki//etc/portage/make.conf/fr
+/wiki//etc/portage/make.conf/hu
+/wiki//etc/portage/make.conf/it
+/wiki//etc/portage/make.conf/it/var/db/repos/gentoo/licenses
+/wiki//etc/portage/make.conf/ja
+/wiki//etc/portage/make.conf/pl
+/wiki//etc/portage/make.conf/ru
+/wiki//etc/portage/make.conf/uk
+/wiki//etc/portage/make.conf/zh-cn
+/wiki//etc/portage/make.profile
+/wiki//etc/portage/mirrors
+/wiki//etc/portage/modules
+/wiki//etc/portage/package.accept_keywords
+/wiki//etc/portage/package.env
+/wiki//etc/portage/package.license
+/wiki//etc/portage/package.license/en
+/wiki//etc/portage/package.license/es
+/wiki//etc/portage/package.license/hu
+/wiki//etc/portage/package.license/ja
+/wiki//etc/portage/package.mask
+/wiki//etc/portage/package.mask/en
+/wiki//etc/portage/package.mask/hu
+/wiki//etc/portage/package.mask/ja
+/wiki//etc/portage/package.properties
+/wiki//etc/portage/package.unmask
+/wiki//etc/portage/package.use
+/wiki//etc/portage/package.use/de
+/wiki//etc/portage/package.use/en
+/wiki//etc/portage/package.use/es
+/wiki//etc/portage/package.use/fr
+/wiki//etc/portage/package.use/hu
+/wiki//etc/portage/package.use/it
+/wiki//etc/portage/package.use/ja
+/wiki//etc/portage/package.use/ru
+/wiki//etc/portage/package.use/uk
+/wiki//etc/portage/package.use/zh-cn
+/wiki//etc/portage/patches
+/wiki//etc/portage/profile/make.defaults
+/wiki//etc/portage/profile/package.provided
+/wiki//etc/portage/profile/package.provided/etc/portage/profile/package.provided
+/wiki//etc/portage/profile/package.provided/etc/portage/profiles/package.provided
+/wiki//etc/portage/profile/package.use.mask
+/wiki//etc/portage/profiles/package.provided
+/wiki//etc/portage/profiles/package.use.mask
+/wiki//etc/portage/profiles/package.use.mask/etc/portage/profile/package.use.mask
+/wiki//etc/portage/profiles/package.use.mask/etc/portage/profiles/package.use.mask
+/wiki//etc/portage/profiles/use.mask
+/wiki//etc/portage/profile/use.mask
+/wiki//etc/portage/repos.conf
+/wiki//etc/portage/repos.conf/brother-overlay.conf
+/wiki//etc/portage/repos.conf/de
+/wiki//etc/portage/repos.conf/en
+/wiki//etc/portage/repos.conf/es
+/wiki//etc/portage/repos.conf/etc/portage/repos.conf/gentoo.conf
+/wiki//etc/portage/repos.conf/fr
+/wiki//etc/portage/repos.conf/fr/etc/portage/repos.conf/gentoo.conf
+/wiki//etc/portage/repos.conf/gentoo.conf
+/wiki//etc/portage/repos.conf/gentoo.conf/etc/portage/repos.conf/gentoo.conf
+/wiki//etc/portage/repos.conf/hr
+/wiki//etc/portage/repos.conf/hu
+/wiki//etc/portage/repos.conf/it
+/wiki//etc/portage/repos.conf/ja
+/wiki//etc/portage/repos.conf/ko
+/wiki//etc/portage/repos.conf/pl
+/wiki//etc/portage/repos.conf/pt-br
+/wiki//etc/portage/repos.conf/ru
+/wiki//etc/portage/repos.conf/uk
+/wiki//etc/portage/repos.conf/zh-cn
+/wiki//etc/portage/savedconfig
+/wiki//etc/portage/sets
+/wiki//etc/profile
+/wiki//etc/profile.env
+/wiki//etc/sandbox.conf
+/wiki//home
+/wiki//lib
+/wiki//lib64
+/wiki//media
+/wiki//mnt
+/wiki//opt
+/wiki//proc
+/wiki//proc/config.gz
+/wiki//run
+/wiki//sbin
+/wiki//srv
+/wiki//sys
+/wiki//tmp
+/wiki//usr
+/wiki//usr/bin
+/wiki//usr_move
+/wiki//usr/portage
+/wiki//usr/portage/distfiles
+/wiki//usr/portage/licenses
+/wiki//usr/portage/metadata
+/wiki//usr/portage/metadata/md5-cache
+/wiki//usr/portage/metadata/md5-cache/usr/portage/metadata/md5-cache
+/wiki//usr/portage/metadata/md5-cache/var/db/repos/gentoo//metadata/md5-cache
+/wiki//usr/portage/packages
+/wiki//usr/portage/profiles
+/wiki//usr/portage/profiles/license_groups
+/wiki//usr/portage/profiles/license_groups/usr/portage/profiles/license_groups
+/wiki//usr/portage/profiles/license_groups/var/db/repos/gentoo//profiles/license_groups
+/wiki//usr/share/doc/
+/wiki//var/cache/binpkgs
+/wiki//var/cache/distfiles
+/wiki//var/db/pkg
+/wiki//var/db/pkg%22
+/wiki//var/db/repos/gentoo
+/wiki//var/db/repos/gentoo/licenses
+/wiki//var/db/repos/gentoo/licenses/var/db/repos/gentoo//licenses
+/wiki//var/db/repos/gentoo/licenses/var/db/repos/gentoo/licenses
+/wiki//var/db/repos/gentoo/metadata
+/wiki//var/db/repos/gentoo/metadata/md5-cache
+/wiki//var/db/repos/gentoo/metadata/var/db/repos/gentoo//metadata
+/wiki//var/db/repos/gentoo/metadata/var/db/repos/gentoo/metadata
+/wiki//var/db/repos/gentoo/profiles
+/wiki//var/db/repos/gentoo/profiles/license_groups
+/wiki//var/db/repos/gentoo/profiles/package.mask
+/wiki//var/lib/portage
+/wiki//var/lib/portage/world
+/wiki//var/run
+/gcc-bugs/bug-122002-4@http.gcc.gnu.org%2Fbugzilla%2F/T/

test/double_slash/test.mjs

@@ -0,0 +1,45 @@
+import { createReadStream } from "fs";
+import { createInterface } from "readline";
+
+async function getPage(path) {
+  return fetch(`http://localhost:8923${path}`)
+    .then(resp => {
+      if (resp.status !== 200) {
+        throw new Error(`wanted status 200, got status: ${resp.status}`);
+      }
+      return resp;
+    })
+    .then(resp => resp.text());
+}
+
+(async () => {
+  const fin = createReadStream("input.txt");
+  const rl = createInterface({
+    input: fin,
+    crlfDelay: Infinity,
+  });
+
+  const resultSheet = {};
+
+  let failed = false;
+
+  for await (const line of rl) {
+    console.log(line);
+
+    const resp = await getPage(line);
+    resultSheet[line] = {
+      match: resp.includes(`GET ${line}`),
+      line: resp.split("\n")[0],
+    };
+  }
+
+  for (let [k, v] of Object.entries(resultSheet)) {
+    if (!v.match) {
+      failed = true;
+    }
+
+    console.debug({ path: k, results: v });
+  }
+
+  process.exit(failed ? 1 : 0);
+})();

test/double_slash/test.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+function cleanup() {
+	pkill -P $$
+}
+
+trap cleanup EXIT SIGINT
+
+# Build static assets
+(cd ../.. && npm ci && npm run assets)
+
+go tool anubis --help 2>/dev/null || :
+
+go run ../cmd/httpdebug &
+
+go tool anubis \
+	--policy-fname ./anubis.yaml \
+	--use-remote-address \
+	--target=http://localhost:3923 &
+
+backoff-retry node ./test.mjs

test/double_slash/var/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore