resolve DNS at startup and use the first IP address returned by resolver
Note: use of IP addresses is recommended instead of using DNS names.
If DNS names are used, but DNS is slow or unavailable, then lighttpd
will either appear to hang at startup or will fail to start up.
connection attempts in progress count towards proc load so that bursts
of new connections do not all queue for current least busy proc
(makes a difference only for local backends with more than one proc)
common codebase for socket backends, based off mod_fastcgi with
some features added for mod_proxy
(mostly intended to reduce code duplication and enhance code isolation)
mod_fastcgi and mod_scgi can now use fastcgi.balance and scgi.balance
for similar behavior as proxy.balance, but the balancing is per-host
and not per-proc. proxy.balance is also per-host and not per-proc.
mod_proxy and mod_scgi can now use proxy.map-extensions and
scgi.map-extensions, similar to fastcgi.map-extensions.
mod_fastcgi behavior change (affects only mod_status):
- statistics tags have been renamed from "fastcgi.*" to "gw.*"
"fastcgi.backend.*" -> "gw.backend.*"
"fastcgi.active-requests" -> "gw.active-requests"
("fastcgi.requests" remains "fastcgi.requests")
("proxy.requests" is new)
("scgi.requests" is new)
mod_scgi behavior change (likely minor):
- removed scgi_proclist_sort_down() and scgi_proclist_sort_up().
procs now chosen based on load as measured by num socket connnections
Note:
modules using gw_backend.[ch] are currently still independent modules.
If it had been written as a single module with fastcgi, scgi, proxy
implementations, then there would have been a chance of breaking some
existing user configurations where module ordering made a difference
for which module handled a given request, though for most people, this
would have made no difference.
Details about mod_fastcgi code transformations:
unsigned int debug -> int debug
fastcgi_env member removed from plugin_config
renamed "fcgi" and "fastcgi" to "gw", and "FCGI" to "GW"
reorganize routines for high-level and lower-level interfaces
some lower-level internal interfaces changed to use host,proc,debug
args rather than knowing about higher-level (app) hctx and plugin_data
tabs->spaces and reformatting
more consistent connect() error handling
NOTE: behavior change in mod_scgi:
"disable-time" default is now 1 second (was 60 seconds)
The new behavior matches the default in mod_fastcgi
(and is a much saner default disable time).
Better handling if server.error_handler_404 is a dynamic handler which
returns X-Sendfile pointing to a file which does not exist
(server.error_handler_404 historically did not reset con->file_started,
and for mod_fastcgi, an X-Sendfile failure in the error handler would
result in an empty response body.)
x-ref:
"Option to map send-file file-not-found error to normal 404"
https://redmine.lighttpd.net/issues/2474
server.socket-perms = "0770" to set perms on unix domain socket
on which lighttpd listens for requests, e.g. $SERVER["socket"] == "..."
x-ref:
"Feature request: add server config for setting permissions on Unix domain socket"
https://redmine.lighttpd.net/issues/656
ssl.ca-dn-file is used to send list of valid CA DNs to client for client
cert verification. If ssl.ca-dn-file is not specified, then the CAs in
ssl.ca-file are used.
client certs are validated against the set of certs from both
ssl.ca-dn-file and ssl.ca-file, but issuer of cert provided by
client must be in ssl.ca-dn-file if ssl.ca-dn-file is specified.
(certs should not need to be in to both ssl.ca-file and ssl.ca-dn-file)
(thx m4t)
If lighttpd is started privileged, then SSL/TLS modules need to be
initialized prior to chroot (optional) and prior to dropping privileges
in order to be able to read sensitive files such as private certificates
(thx m4t)
provide a safer X590_NAME_oneline() with return value semantics similar
to those of snprintf() and use safer_X509_NAME_oneline() to set
SSL_CLIENT_S_DN when client cert is validated.
The manpage for X509_NAME_oneline() says:
The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.
Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
github: closes #63, closes #83
x-ref:
"support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN"
https://redmine.lighttpd.net/issues/2693https://github.com/lighttpd/lighttpd1.4/pull/63https://github.com/lighttpd/lighttpd1.4/pull/83
It does seem possible for PROXY protocol subelements to be misaligned
and a message has been sent to HAProxy author of the PROXY protocol.
On most modern processors and operating systems, misaligned access has a
cost, but not the outrageous cost that it historical had on processors
and older operating systems such as on SPARC processors running Solaris
prior to Solaris 11.
ignore client verification error if not enforced
e.g. *not* ssl.verifyclient.enforce = "enable"
github: closes #83
x-ref:
"ignore client verification error if not enforced"
https://github.com/lighttpd/lighttpd1.4/pull/83
(original patch by mackyle)
The ssl.ca-dn-file option provides independent control of
the "certificate_authorities" field (see RFC 5246 section
7.4.4 Certificate Request) separate from the actual list
of trusted certificate authorities used for client
certificate verification.
It may be necessary to send a hint that includes the DN
of a non-root client CA in order to receive the correct
certificate from the client, but such a non-root CA really
does not belong in the trusted client root CA list.
Signed-off-by: Kyle J. McKay mackyle@gmail.com
github: closes #64
x-ref:
"add support for ssl.cadn-file"
https://redmine.lighttpd.net/issues/2694https://github.com/lighttpd/lighttpd1.4/pull/64
autotools now use AC_PROG_CC_STDC macro instead of -std=gnu99.
The default in current modern gcc compilers is -std=gnu11
(Note: src/CMakeLists.txt and SConstruct still specify -std=gnu99)
silence compiler warnings if HAVE_FORK is not set
However, if HAVE_FORK is not set, then -Werror was probably passed to
./configure, which is currently a mistake. lighttpd can successfully
compiles src/ with -Werror on many platforms, but ./configure tests
should not be run with -Werror. [gstrauss]
github: closes #81
x-ref:
"Fix warnings"
https://github.com/lighttpd/lighttpd1.4/pull/81
median webpage in today's day and age contains 75-100 requests per page
so increasing the default server.max-keep-alive-requests in lighttpd
from 16 is more than warranted
x-ref:
"set server.max-keep-alive-requests = 100"
https://redmine.lighttpd.net/issues/2205
define MSG_DONTWAIT and MSG_NOSIGNAL to be no-ops on platforms
without support. (fd should already be configured O_NONBLOCK
and SIGPIPE signal is configured to be ignored)
(thx avij and wardw)
Glenn Strauss
Gaël PORTAY