consolidate backend process accounting for consistency
x-ref:
"FreeBSD/1.4.45/SSL: requests getting stuck in handle-req state occasionally"
https://redmine.lighttpd.net/issues/2788
more consistent waitpid() handling, consolidate similar code
If ECHILD received for a given pid, do not retry waitpid() for that pid
x-ref:
"mod_fastcgi : pid {pid} 1 not found: No child processes"
https://redmine.lighttpd.net/issues/2791
new directive server.error-intercept = [ "enable" | "disable" ]
to intercept 4xx and 5xx responses from dynamic handlers
(e.g. CGI, FastCGI, SCGI, proxy)
Intercepted HTTP error status are then handled by one of
server.error-handler
server.error-handler-404
server.errorfile-prefix
(if configured)
Do not use server.error-intercept with locations handled by mod_webdav!
x-ref:
"would like something similar to nginx proxy_intercept_errors"
https://redmine.lighttpd.net/issues/974
When spawning backends, retry blocking connect() to backend if EINTR
received when attempting to see if backend is already running. EINTR
might be received if a HUP or USR1 signal is received while connecting
(or SIGCHLD on systems without SA_RESTART)
(expected to occur extremely rarely, but simple to handle properly)
x-ref:
"FreeBSD/1.4.45/SSL: requests getting stuck in handle-req state occasionally"
https://redmine.lighttpd.net/issues/2788
use kqueue in level-triggered mode, not edge-triggered
x-ref:
"FreeBSD/1.4.45/SSL: requests getting stuck in handle-req state occasionally"
https://redmine.lighttpd.net/issues/2788
It is still not a good idea for backend to send Transfer-Encoding unless
backend is mod_proxy, and mod_proxy should not currently receive chunked
response since mod_proxy sends HTTP/1.0 request.
If mod_proxy is changed to sent HTTP/1.1 request, then lighttpd would
need to check if client is HTTP/1.0 and would need to de-chunk and
remove any other transfer-codings if not supported by next-hop.
x-ref:
"error 500 (mod_cgi.c.601) cgi died"
https://redmine.lighttpd.net/issues/2786
inherit ssl.* from global scope if $SERVER["socket"] contains
ssl.engine = "enable" and no other ssl.* settings
(In earlier versions of lighttpd, specifying ssl.engine = "enable"
without specifying ssl.pemfile was a configuration error, so this
change should not break any pre-existing and previously working
configs)
x-ref:
https://github.com/pfsense/FreeBSD-ports/pull/284
"Status" from CGI/1.1 environment should not be sent back to client.
Also, do not send "Status" back to client in mod_scgi
and more precisely parse for "Status" in mod_fastcgi
RFC3875 CGI local-redir stricter adherence
do not apply local-redir if any response headers besides "Location"
do not apply local-redir if any response body has been received
(though it might not have been received yet, and we do not wait to find
out, if lighttpd is configured to stream response body back to client)
x-ref:
RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response
http://www.ietf.org/rfc/rfc3875
"CGI local redirect not implemented correctly"
https://redmine.lighttpd.net/issues/2108
more consistent cleanup of resources at shutdown
(e.g. upon error conditions)
Notes: graceful restart with SIGUSR1
- not available if chroot()ed, oneshot mode, or if idle timeout occurs
- preserve process id (pid)
- preserve existing listen sockets
- i.e. does not close old listen sockets from prior configs
(even if old listen sockets no longer in the new config)
(sockets may have been bound w/ root privileges no longer available)
- will fail to add listen sockets from new config if privileges
lighttpd configured to drop privileges to non-root user, and
new listen socket attempts to bind to low-numbered port requiring
root privileges.
- will fail if listen sockets in new config conflict with any previous
old listen sockets
- These failure modes will result in lighttpd shutting down instead of
graceful restart. These failure modes are not detectable with
preflight checks ('lighttpd -tt -f lighttpd.conf') because the
new instance of lighttpd running the preflight check does not
known config state of n prior graceful restarts, or even the
config state of the currently running lighttpd server.
- due to lighttpd feature of optionally managing backends
(e.g. fastcgi and scgi via "bin-path"), lighttpd must wait for
all child processes to exit prior to restarting. Restarting new
workers while old workers (and old backends) were still running would
result in failure of restarted lighttpd process to be able to bind to
sockets already in use by old backends (e.g. unix "socket" path)
x-ref:
"graceful restart with SIGUSR1"
https://redmine.lighttpd.net/issues/2785
add doc/initscripts.txt with description of lighttpd signal handling
and links to the initscripts of various operating system distros
remove doc/initscripts/*
x-ref:
"init scripts outdated, should be removed"
https://redmine.lighttpd.net/issues/2782
close connections in keep-alive that are waiting for next request
disable keep-alive on existing connections
remove bandwidth write limits
reduce remaining linger timeout (on already finished requests)
to be (from zero) *up to* one more second, but no more
(mod_flv_streaming is becoming obsolete as Flash is replaced by
HTML5 and most modern clients support HTTP/1.1 Range requests)
x-ref:
"add end and header parameter for flv streaming"
https://redmine.lighttpd.net/issues/1887
(take 2:
relocate module cleanup check to after handle_connection_close hook)
modules may now keep state for the lifetime of a connection,
rather than being required to be reset after every request (when
there can be multiple keep-alive requests on the same connection)
For consistency with other databases, which use '?' for placeholders,
have LDAP template replace '?' with username, in addition to the
(mod_auth historic) '$' char.
when available, use getaddrinfo(),inet_pton() instead of gethostbyname()
NOTE: behavior change: mod_scgi now listens to INADDR_LOOPBACK if "host"
is not specified. (Prior behavior was INADDR_ANY.) Backends
should not listen on potentially public IPs unless explicitly
configured to do so. This change matches a change to mod_fastcgi
made in 2008.
x-ref
"gethostbyname deprecated, should use getaddrinfo"
https://redmine.lighttpd.net/issues/2783
prior code could leak pipe fd if ioctl() failed
prior code could leak pid (zombie) if waitpid() interrupted 4x
prior code could deadlock if child produced too much output and
blocked in writing output while parent waited for child to exit
NOTE: mod_ssi #exec cmd="..." is still executed synchronously
and *blocks* entire lighttpd server while executing.
move write throttling code from network.c:network_write_chunkqueue()
to connections-glue.c:connection_write_chunkqueue() and fix the code
to use TCP_CORK only on TCP sockets.
secdownload.path-segments = <number>
include only given number of path segments in hash digest calculation
secdownload.hash-querystr = "enable" | "disable"
include the query string in the hash digest calculation
x-ref:
"secdownload.path_elements support"
https://redmine.lighttpd.net/issues/646
"mod_secdownload option to include url GET parameters in md5"
https://redmine.lighttpd.net/issues/1904
directives to set value, rather than append values to headers, env
setenv.set-request-header
setenv.set-response-header
setenv.set-environment
These directives take precedence over the setenv.add-* counterparts
Set a blank value for request or response header to remove the header
(blank value in environment will be set as the value; not removed)
setenv.*-environment is now deferred to handle_request_env hook.
setenv.*-response-header is now processed in handle_response_start hook.
x-ref:
"setenv.add-or-replace-response-header"
https://redmine.lighttpd.net/issues/650
"set-request-header or remove-request-header support for mod_setenv"
https://redmine.lighttpd.net/issues/2295
re-patch mod_openssl config within the request so that per-request
settings can be applied, such as activating client cert verification
for specific URL paths.
(This can be used in conjunction with auth.backend = "extern"
to require auth to occur)
x-ref:
"SSL : authenticate only clients for a particular URL"
https://redmine.lighttpd.net/issues/2245
Glenn Strauss
Stefan Bühler