*experimental*
decodes websockets and passes body back and forth from backend
(body could be known protocol such as JSON, or any custom protocol)
originally based off https://github.com/nori0428/mod_websocket
add public domain SHA1() if not linking with crypto lib
obtained from https://github.com/nori0428/mod_websocket
* Originally written by Steve Reid <steve@edmweb.com>
*
* Modified by Aaron D. Gifford <agifford@infowest.com>
*
* NO COPYRIGHT - THIS IS 100% IN THE PUBLIC DOMAIN
*
* The original unmodified version is available at:
* ftp://ftp.funet.fi/pub/crypt/hash/sha/sha1.c
PROPFIND getetag attr must match Etag response header from GET request
For consistency, make similar change in mod_ssi.
(thx ethoms)
x-ref:
"mod_webdav: Etag in response differs between PROPFIND and GET"
https://redmine.lighttpd.net/boards/3/topics/7473
remove RCSid tags
authors are listed in AUTHORS file
amend list of supported platforms (still incomplete)
...more changes are needed to update contents to current feature set
*experimental*
enable adaptive spawning for socket backend processes
new feature will allow "min-procs" => "0" and will spawn a backend
upon receipt of a request, if no backends are currently running.
This may be useful on resource-limited systems where there is a
seldom-used resource-intensive backend, such as home router
configuration web pages. The first request may be slower as the
backend is starting up, but then subsequent requests within
"idle-timeout" will hit the (temporarily) persistent backend for
faster responses.
x-ref:
"Adaptive spawning with min-procs=>0"
https://redmine.lighttpd.net/issues/1162
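As an added illustration (not part of the commit above and not configuration shipped with lighttpd), a fastcgi.server entry that opts into the adaptive spawning described here; the binary path and socket path are made-up placeholders:

```conf
# Added example: seldom-used, resource-intensive backend that is only spawned on demand.
server.modules += ( "mod_fastcgi" )

fastcgi.server = (
    "/admin" => ((
        # bin-path is required: lighttpd itself spawns the backend (assumed path)
        "bin-path"     => "/usr/lib/cgi-bin/router-admin.fcgi",
        "socket"       => "/run/lighttpd/router-admin.sock",   # assumed path
        # 0 = no backend running until the first request arrives
        "min-procs"    => 0,
        "max-procs"    => 1,
        # seconds a spawned backend stays alive after its last request;
        # requests inside this window reuse the running process
        "idle-timeout" => 120,
        # seconds a failed backend is skipped before a retry (mod_fastcgi default)
        "disable-time" => 1,
    ))
)
```

The first request after an idle period pays the startup cost of the backend; any request within idle-timeout of the last one is served by the already running process.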
resolve DNS at startup and use the first IP address returned by resolver
Note: use of IP addresses is recommended instead of using DNS names.
If DNS names are used, but DNS is slow or unavailable, then lighttpd
will either appear to hang at startup or will fail to start up.
connection attempts in progress count towards proc load so that bursts
of new connections do not all queue for current least busy proc
(makes a difference only for local backends with more than one proc)
common codebase for socket backends, based off mod_fastcgi with
some features added for mod_proxy
(mostly intended to reduce code duplication and enhance code isolation)
mod_fastcgi and mod_scgi can now use fastcgi.balance and scgi.balance
for similar behavior as proxy.balance, but the balancing is per-host
and not per-proc. proxy.balance is also per-host and not per-proc.
mod_proxy and mod_scgi can now use proxy.map-extensions and
scgi.map-extensions, similar to fastcgi.map-extensions.
mod_fastcgi behavior change (affects only mod_status):
- statistics tags have been renamed from "fastcgi.*" to "gw.*"
"fastcgi.backend.*" -> "gw.backend.*"
"fastcgi.active-requests" -> "gw.active-requests"
("fastcgi.requests" remains "fastcgi.requests")
("proxy.requests" is new)
("scgi.requests" is new)
mod_scgi behavior change (likely minor):
- removed scgi_proclist_sort_down() and scgi_proclist_sort_up().
procs now chosen based on load as measured by num socket connections
Note:
modules using gw_backend.[ch] are currently still independent modules.
If it had been written as a single module with fastcgi, scgi, proxy
implementations, then there would have been a chance of breaking some
existing user configurations where module ordering made a difference
for which module handled a given request, though for most people, this
would have made no difference.
Details about mod_fastcgi code transformations:
unsigned int debug -> int debug
fastcgi_env member removed from plugin_config
renamed "fcgi" and "fastcgi" to "gw", and "FCGI" to "GW"
reorganize routines for high-level and lower-level interfaces
some lower-level internal interfaces changed to use host,proc,debug
args rather than knowing about higher-level (app) hctx and plugin_data
tabs->spaces and reformatting
more consistent connect() error handling
NOTE: behavior change in mod_scgi:
"disable-time" default is now 1 second (was 60 seconds)
The new behavior matches the default in mod_fastcgi
(and is a much saner default disable time).
Better handling if server.error_handler_404 is a dynamic handler which
returns X-Sendfile pointing to a file which does not exist
(server.error_handler_404 historically did not reset con->file_started,
and for mod_fastcgi, an X-Sendfile failure in the error handler would
result in an empty response body.)
x-ref:
"Option to map send-file file-not-found error to normal 404"
https://redmine.lighttpd.net/issues/2474
server.socket-perms = "0770" to set perms on unix domain socket
on which lighttpd listens for requests, e.g. $SERVER["socket"] == "..."
x-ref:
"Feature request: add server config for setting permissions on Unix domain socket"
https://redmine.lighttpd.net/issues/656
ssl.ca-dn-file is used to send list of valid CA DNs to client for client
cert verification. If ssl.ca-dn-file is not specified, then the CAs in
ssl.ca-file are used.
client certs are validated against the set of certs from both
ssl.ca-dn-file and ssl.ca-file, but issuer of cert provided by
client must be in ssl.ca-dn-file if ssl.ca-dn-file is specified.
(certs should not need to be in both ssl.ca-file and ssl.ca-dn-file)
(thx m4t)
If lighttpd is started privileged, then SSL/TLS modules need to be
initialized prior to chroot (optional) and prior to dropping privileges
in order to be able to read sensitive files such as private certificates
(thx m4t)
provide a safer X509_NAME_oneline() with return value semantics similar
to those of snprintf() and use safer_X509_NAME_oneline() to set
SSL_CLIENT_S_DN when client cert is validated.
The manpage for X509_NAME_oneline() says:
The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.
Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
github: closes #63, closes #83
x-ref:
"support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN"
https://redmine.lighttpd.net/issues/2693
https://github.com/lighttpd/lighttpd1.4/pull/63
https://github.com/lighttpd/lighttpd1.4/pull/83
It does seem possible for PROXY protocol subelements to be misaligned
and a message has been sent to HAProxy author of the PROXY protocol.
On most modern processors and operating systems, misaligned access has a
cost, but not the outrageous cost that it historically had on processors
and older operating systems such as on SPARC processors running Solaris
prior to Solaris 11.
ignore client verification error if not enforced
e.g. *not* ssl.verifyclient.enforce = "enable"
github: closes #83
x-ref:
"ignore client verification error if not enforced"
https://github.com/lighttpd/lighttpd1.4/pull/83
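As an added example (not from any of the commits above and not lighttpd's own sample configuration), a TLS listener that uses ssl.ca-dn-file together with ssl.ca-file for client certificate verification, with the enforce option set so that a failed verification rejects the request rather than being ignored; all file paths are assumed placeholders:

```conf
# Added example: client certificate verification with separate CA-DN and CA-file sets.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"            # assumed path

    # Full set of trusted certificates used to validate the client chain.
    ssl.ca-file    = "/etc/lighttpd/trusted-cas.crt"    # assumed path
    # Subset of CAs whose DNs are advertised to the client; when set, the
    # issuer of the client certificate must be in this file.
    ssl.ca-dn-file = "/etc/lighttpd/client-issuers.crt" # assumed path

    ssl.verifyclient.activate = "enable"
    # "enable": a verification failure terminates the request.
    # "disable": the failure is ignored and the request proceeds, so the
    # backend must inspect SSL_CLIENT_VERIFY itself before trusting the DN.
    ssl.verifyclient.enforce  = "enable"
    ssl.verifyclient.depth    = 2
    # Export the verified subject CN into REMOTE_USER for backends.
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
}
```

Because lighttpd reads the private key before chroot and before dropping privileges, the pemfile can stay readable by root only.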