Commit Graph

2248 Commits

Author SHA1 Message Date
Glenn Strauss 1dd5cce3bc [mod_fastcgi,mod_scgi] consolidate backend process accounting (#2788)
consolidate backend process accounting for consistency

  "FreeBSD/1.4.45/SSL: requests getting stuck in handle-req state occasionally"
2017-02-25 12:41:21 -05:00
Glenn Strauss 23c3535efc [mod_scgi] fix potential repeated use of proc->id
host->max_id is now number of procs allocated
proc->id is used when generated unix socket name or port for proc
2017-02-25 12:41:21 -05:00
Glenn Strauss 317b7e5fc6 [mod_scgi] fix unused_procs bidirectional-links 2017-02-25 12:41:20 -05:00
Glenn Strauss ab85841b14 [mod_cgi] fix CGI local-redir w/ url.rewrite-once (fixes #2793)
  "1.4.40 regression: broken redirect (using Location) between url.rewrite-once URLs"
2017-02-25 12:41:20 -05:00
Glenn Strauss fb6b4027c8 [mod_fastcgi,mod_scgi] consistent waitpid handling (fixes #2791)
more consistent waitpid() handling, consolidate similar code

If ECHILD received for a given pid, do not retry waitpid() for that pid

  "mod_fastcgi : pid {pid} 1 not found: No child processes"
2017-02-25 12:41:18 -05:00
Glenn Strauss 95a756dcb3 [core] issue trace if max-fds too large (fixes #2789)
  "lighttpd cores on AIX when nofiles is unlimited"
2017-02-13 14:24:53 -05:00
Glenn Strauss daa94fceee [core] move version.h logic into server.c
and remove version.h
2017-02-12 00:55:44 -05:00
Glenn Strauss bafe6abf04 [core] include lighttpd vers in server started msg 2017-02-12 00:29:05 -05:00
Glenn Strauss ce0f2f61d2 [core] set default server_tag in server.c
(instead of in configfile.c)

(now only server.c depends on version.h
 and must be recompiled after each commit)
2017-02-12 00:26:12 -05:00
Glenn Strauss 8f651a2b30 [core] config opt to intercept dynamic handler err (fixes #974)
new directive server.error-intercept = [ "enable" | "disable" ]
to intercept 4xx and 5xx responses from dynamic handlers
(e.g. CGI, FastCGI, SCGI, proxy)

Intercepted HTTP error status are then handled by one of
(if configured)

Do not use server.error-intercept with locations handled by mod_webdav!

  "would like something similar to nginx proxy_intercept_errors"
2017-02-11 14:59:15 -05:00
Glenn Strauss aa923e05f6 [mod_fastcgi,mod_scgi] backend spawn EINTR retry (#2788)
When spawning backends, retry blocking connect() to backend if EINTR
received when attempting to see if backend is already running.  EINTR
might be received if a HUP or USR1 signal is received while connecting
(or SIGCHLD on systems without SA_RESTART)

(expected to occur extremely rarely, but simple to handle properly)

  "FreeBSD/1.4.45/SSL: requests getting stuck in handle-req state occasionally"
2017-02-11 12:35:49 -05:00
Glenn Strauss 12440e89cd [core] use kqueue in level-triggered mode (fixes #2788)
use kqueue in level-triggered mode, not edge-triggered

  "FreeBSD/1.4.45/SSL: requests getting stuck in handle-req state occasionally"
2017-02-11 11:06:36 -05:00
Glenn Strauss 3209f30d11 [core] handle if backend sends Transfer-Encoding (#2786)
It is still not a good idea for backend to send Transfer-Encoding unless
backend is mod_proxy, and mod_proxy should not currently receive chunked
response since mod_proxy sends HTTP/1.0 request.

If mod_proxy is changed to sent HTTP/1.1 request, then lighttpd would
need to check if client is HTTP/1.0 and would need to de-chunk and
remove any other transfer-codings if not supported by next-hop.

  "error 500 (mod_cgi.c.601) cgi died"
2017-02-11 11:06:31 -05:00
Glenn Strauss 82501d24f2 [mod_openssl] inherit ssl.* from global scope
inherit ssl.* from global scope if $SERVER["socket"] contains
ssl.engine = "enable" and no other ssl.* settings

(In earlier versions of lighttpd, specifying ssl.engine = "enable"
 without specifying ssl.pemfile was a configuration error, so this
 change should not break any pre-existing and previously working

2017-02-02 08:48:29 -05:00
Glenn Strauss 55bf085cca [core] add label for 308 Permanent Redirect
2017-01-31 14:40:05 -05:00
Glenn Strauss 7f9209c6d4 [mod_cgi] do not send "Status" back to client
"Status" from CGI/1.1 environment should not be sent back to client.

Also, do not send "Status" back to client in mod_scgi
and more precisely parse for "Status" in mod_fastcgi
2017-01-31 14:40:05 -05:00
Glenn Strauss dde50f1939 [mod_cgi] RFC3875 CGI local-redir strict adherence (#2108)
RFC3875 CGI local-redir stricter adherence

do not apply local-redir if any response headers besides "Location"
do not apply local-redir if any response body has been received
(though it might not have been received yet, and we do not wait to find
 out, if lighttpd is configured to stream response body back to client)

  RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response
  "CGI local redirect not implemented correctly"
2017-01-31 14:40:05 -05:00
Stefan Bühler 1c3e7095d9 [mime.conf] add text/markdown to utf-8 list, regenerate mime.conf 2017-01-31 14:40:05 -05:00
Glenn Strauss 0ae6bab4a9 [doc] SIGUSR1 doc and lighttpd-angel SIGUSR1
  add paranoid check to avoid sending kill(-1, <signal>) as root
2017-01-31 14:40:05 -05:00
Glenn Strauss b63c9011c3 [mod_rrdtool] no error if loaded but no config
there should be no error if mod_rrdtool is loaded but not configured
2017-01-31 14:40:05 -05:00
Glenn Strauss fb8057707c [mod_authn_mysql] fix minor memleak at shutdown 2017-01-31 14:40:05 -05:00
Glenn Strauss 6c1e6e660e [core] graceful restart with SIGUSR1 (fixes #2785)
more consistent cleanup of resources at shutdown
(e.g. upon error conditions)

Notes: graceful restart with SIGUSR1
- not available if chroot()ed, oneshot mode, or if idle timeout occurs
- preserve process id (pid)
- preserve existing listen sockets
  - i.e. does not close old listen sockets from prior configs
    (even if old listen sockets no longer in the new config)
    (sockets may have been bound w/ root privileges no longer available)
  - will fail to add listen sockets from new config if privileges
    lighttpd configured to drop privileges to non-root user, and
    new listen socket attempts to bind to low-numbered port requiring
    root privileges.
  - will fail if listen sockets in new config conflict with any previous
    old listen sockets
  - These failure modes will result in lighttpd shutting down instead of
    graceful restart.  These failure modes are not detectable with
    preflight checks ('lighttpd -tt -f lighttpd.conf') because the
    new instance of lighttpd running the preflight check does not
    known config state of n prior graceful restarts, or even the
    config state of the currently running lighttpd server.
- due to lighttpd feature of optionally managing backends
  (e.g. fastcgi and scgi via "bin-path"), lighttpd must wait for
  all child processes to exit prior to restarting.  Restarting new
  workers while old workers (and old backends) were still running would
  result in failure of restarted lighttpd process to be able to bind to
  sockets already in use by old backends (e.g. unix "socket" path)

  "graceful restart with SIGUSR1"
2017-01-31 14:40:05 -05:00
Glenn Strauss b0c66266d9 [core] initialize globals at top of main()
initialize globals (including file-scoped static globals) at top of main
2017-01-31 14:40:05 -05:00
Glenn Strauss 3cd822b5e0 [core] move interval timer near worker event loop
(interval timer is currently unused)
2017-01-31 14:40:05 -05:00
Glenn Strauss 733fa06cdb [core] combine duplicated getrlimit, network_init
combine duplicated getrlimit, network_init code which was duplicated
and only slightly modified for root and non-root.
2017-01-31 14:40:05 -05:00
Glenn Strauss 0a6eaf2e49 [core] check issetugid() early in main() 2017-01-31 14:40:05 -05:00
Glenn Strauss 92c724eac6 [doc] doc/initscripts.txt (fixes #2782)
add doc/initscripts.txt with description of lighttpd signal handling
  and links to the initscripts of various operating system distros

remove doc/initscripts/*

  "init scripts outdated, should be removed"
2017-01-31 14:40:02 -05:00
Glenn Strauss 739ccb5de0 [tests] remove unused file depending on
lighttpd tests do not depend on

remove *unused* file tests/docroot/www/404.fcgi
which used CGI::Fast, which depends on
2017-01-31 14:36:16 -05:00
Glenn Strauss 0f9b9242d8 [core] quicker graceful shutdown
close connections in keep-alive that are waiting for next request
disable keep-alive on existing connections
remove bandwidth write limits
reduce remaining linger timeout (on already finished requests)
  to be (from zero) *up to* one more second, but no more
2017-01-31 14:36:16 -05:00
Glenn Strauss 65a6740fe2 [core] improve accuracy of bandwidth write limits
reset counters at the beginning of the second, and then include in the
counters (for current second) any new data written
2017-01-31 14:36:16 -05:00
Glenn Strauss e2c19c3680 [core] X-LIGHTTPD-KBytes-per-second from backends (fixes #954)
  "X-LIGHTTPD-KBytes-per-second header patch"
2017-01-31 14:36:16 -05:00
Glenn Strauss 93622f4d7a [mod_flv_streaming] add end pos param (fixes #1887)
(mod_flv_streaming is becoming obsolete as Flash is replaced by
 HTML5 and most modern clients support HTTP/1.1 Range requests)

  "add end and header parameter for flv streaming"
2017-01-31 14:36:16 -05:00
Glenn Strauss 2ac2911b9a [core] config match w/ arbitrary HTTP request hdrs (fixes #1556)
  "Allow matching against any arbitrary HTTP header in the configuration file regexps"
2017-01-31 14:36:16 -05:00
Glenn Strauss 5b81201be9 [TLS] include <openssl/opensslv.h> in rand.c
include <openssl/opensslv.h> in rand.c for OPENSSL_VERSION_NUMBER

(openssl 1.1.0 deprecates RAND_pseudo_bytes())
2017-01-31 14:36:16 -05:00
Glenn Strauss 546dab3205 [core] permit connection-level state in modules
(take 2:
 relocate module cleanup check to after handle_connection_close hook)

modules may now keep state for the lifetime of a connection,
rather than being required to be reset after every request (when
there can be multiple keep-alive requests on the same connection)
2017-01-31 14:36:16 -05:00
Glenn Strauss b1405360fe apply debian/patches/spelling.patch
description: fix upstream spelling errors
author: Michael Gilbert <>
2017-01-31 14:36:15 -05:00
Glenn Strauss a90c2ffbeb [mod_auth] have LDAP template replace '?'
For consistency with other databases, which use '?' for placeholders,
have LDAP template replace '?' with username, in addition to the
(mod_auth historic) '$' char.
2017-01-31 14:36:15 -05:00
Glenn Strauss 2f83aac9fb mod_vhostdb* (dbi,mysql,pgsql,ldap) (fixes #485, fixes #1936, fixes #2297)
mod_vhostdb - vhost docroot lookups


mod_vhostdb_mysql  (now preferred over mod_mysql_vhost.c)

STATUS: experimental  (testing and feedback appreciated)

  "PostgreSQL virtual host support"
  "LDAP Virtual Host Definition Storage Integration"
  "mod_dbi_vhost (patch included)"
2017-01-31 14:36:15 -05:00
Glenn Strauss eda72ebfc7 [mod_auth] LDAP escape username in DN and filters
(replaces restriction on characters allowed in username)
2017-01-31 14:36:15 -05:00
Glenn Strauss 8981ca0467 [core] use getaddrinfo,inet_pton vs gethostbyname (fixes #2783)
when available, use getaddrinfo(),inet_pton() instead of gethostbyname()

NOTE: behavior change: mod_scgi now listens to INADDR_LOOPBACK if "host"
      is not specified.  (Prior behavior was INADDR_ANY.)  Backends
      should not listen on potentially public IPs unless explicitly
      configured to do so.  This change matches a change to mod_fastcgi
      made in 2008.

  "gethostbyname deprecated, should use getaddrinfo"
2017-01-31 14:36:15 -05:00
Glenn Strauss 9c91af0cfd [mod_auth] support LDAP groups for HTTP auth (fixes #1817)
  "LDAP-Group support for HTTP-Authentication"
2017-01-31 14:36:15 -05:00
Glenn Strauss 4a68780e1b [mod_scgi] tests/mod-scgi.t unit tests
(copied from tests/mod-fastcgi.t fcgi-responder tests)
2017-01-31 14:36:15 -05:00
Glenn Strauss d246656f5b [mod_ssi] send #exec cmd="..." output to temp file
prior code could leak pipe fd if ioctl() failed
prior code could leak pid (zombie) if waitpid() interrupted 4x
prior code could deadlock if child produced too much output and
  blocked in writing output while parent waited for child to exit

NOTE: mod_ssi #exec cmd="..." is still executed synchronously
      and *blocks* entire lighttpd server while executing.
2017-01-31 14:36:15 -05:00
Glenn Strauss acc37c1cbc [mod_openssl] use TLS SNI to set host-based certs
and then allow HTTP Host header to set con->uri.authority

remove con->tlsext_server_name
2017-01-31 14:36:15 -05:00
Glenn Strauss 37dac9a23c [core] support Expect: 100-continue with HTTP/1.1 (fixes #377, #1017, #1953, #2438)
support Expect: 100-continue with HTTP/1.1 requests

Ignore config option server.reject-expect-100-with-417;
server.reject-expect-100-with-417 will be removed in a future release.

  "Incorrect handling of the 100 (Continue) Status"
  "'Expect' header gives HTTP error 417"
  "Improve DAV support to be able to handle git as a client"
  "Change server.reject-expect-100-with-417 from flag to regular expression matching the URL"
2017-01-31 14:36:15 -05:00
Glenn Strauss 82feb70588 [core] move con throttling to connections-glue.c
move write throttling code from network.c:network_write_chunkqueue()
to connections-glue.c:connection_write_chunkqueue() and fix the code
to use TCP_CORK only on TCP sockets.
2017-01-31 14:36:15 -05:00
Glenn Strauss afce434e0b [mod_secdownload] new directives modify hash path (fixes #646, fixes #1904)
secdownload.path-segments = <number>
  include only given number of path segments in hash digest calculation

secdownload.hash-querystr = "enable" | "disable"
  include the query string in the hash digest calculation

  "secdownload.path_elements support"
  "mod_secdownload option to include url GET parameters in md5"
2017-01-31 14:36:15 -05:00
Glenn Strauss 4d92366ab2 [mod_setenv] directives to overwrite/remove hdrs (fixes #650, fixes #2295)
directives to set value, rather than append values to headers, env
These directives take precedence over the setenv.add-* counterparts

Set a blank value for request or response header to remove the header
(blank value in environment will be set as the value; not removed)

setenv.*-environment is now deferred to handle_request_env hook.
setenv.*-response-header is now processed in handle_response_start hook.

  "set-request-header or remove-request-header support for mod_setenv"
2017-01-31 14:36:15 -05:00
Glenn Strauss d171be31ae [core] do not emit req/response hdrs w/ blank val 2017-01-31 14:36:15 -05:00
Glenn Strauss 20946a8b92 [mod_openssl] allow ssl.verifyclient on url paths (fixes #2245)
re-patch mod_openssl config within the request so that per-request
settings can be applied, such as activating client cert verification
for specific URL paths.

(This can be used in conjunction with auth.backend = "extern"
 to require auth to occur)

  "SSL : authenticate only clients for a particular URL"
2017-01-31 14:36:14 -05:00