If auth.backend.ldap.filter begins with ',', then concatenate
uid=<username> with the 'filter' value to form the DN instead of using
ldap_search to query LDAP for the DN for the username, applying the
provided filter.
x-ref:
"Allow User-DN to be supplied in the configuration rather than searching"
https://redmine.lighttpd.net/issues/1248
ldap filter supports substitution of multiple '$', each with username
x-ref:
"auth.backend.ldap.filter: only one/first "$" replaced with Username"
https://redmine.lighttpd.net/issues/1508
HTTP Basic auth backends now do both authn and authz
in order to allow provide a means to extend backends to optionally
support group authz
x-ref:
"LDAP-Group support for HTTP-Authentication"
https://redmine.lighttpd.net/issues/1817
Configuring the protocol is controlled with new lighttpd.conf directive:
scgi.protocol = "scgi" # default
scgi.protocol = "uwsgi"
The uwsgi protocol differs from the SCGI protocol only in how the
request is encoded. The response from the backend is handled the
same way for both SCGI and uwsgi protocols.
x-ref: http://uwsgi-docs.readthedocs.io/en/latest/Protocol.html
fix potential NULL pointer dereference in mod_deflate.c
remove logically dead code in connection-glue.c
add coverity annotations to see if some issues will be reclassified
module status: experimental; more testing and review needed
Kerberos library calls have been preserved from original patch set
and should be reviewed.
module has been quickly tested with Basic auth (Use over TLS!)
SPNEGO -has not- been tested. Again, kerberos library calls have
been preserved from original patch set. YMMV. (Use over TLS!)
x-ref:
"Kerberos/GSSAPI Delegation Support"
https://redmine.lighttpd.net/issues/1899
needed to build on Solaris using Oracle Solaris Studio (thx petrs)
x-ref:
"vector_realloc missing when linking test_configfile"
https://redmine.lighttpd.net/issues/2752
lots of fixes and improvements
limitations: see comments at top of mod_deflate.c
missing functionality: encode streaming response
(module currently requires response be collected before being sent)
potential functionality: addition of compressed file cache would
allow mod_deflate to fully supplant mod_compress in lighttpd 1.4.x
x-ref:
"Adding mod_deflate to 1.4.xx"
https://redmine.lighttpd.net/issues/1824
"mod_deflate backport compile error if ENABLE_MMAP not defined"
https://redmine.lighttpd.net/issues/2753
github: closes #67
allow authorizer and responder to be configured for same path or ext
x-ref:
"mod_fastcgi authorizers cannot protect fastcgi responders"
https://redmine.lighttpd.net/issues/321
(for persistence across multiple re-entries into routines upon
receiving fdevent)
(setting module debug flag in global scope is still recommended
since there are places where p->conf.debug is checked since
handler_ctx might not be available at all points)
import Variable-* from FastCGI authorizer response into con->environment
restart request after FastCGI authorizer if no fastcgi.server docroot
(thx Christoph Kreutzer for initial patch attempt)
x-ref:
"mod_fastcgi authorizers cannot protect fastcgi responders"
http://redmine.lighttpd.net/issues/321
x-ref:
"FastCGI Authorizer support for Variable-name variable passing"
http://redmine.lighttpd.net/issues/322
github: closes #70
Note: http_auth_backend_t digest interface returns result as a
binary MD5 (16-bytes) so that caller consistently converts to
lowercase before using it in further digest calculation.
(Alternatively, the http_auth_backend_t digest interface could have
taken a 33-char buffer and returned an explicitly lowercased hex str)
create new, extensible interface for (additional) auth backends
attempt to handle HANDLER_WAIT_FOR_EVENT returned by auth backends
to allow for async auth backends (e.g. to mysql database)
separate auth backends from mod_auth and http_auth
mod_authn_file.c htdigest, htpasswd, plain auth backends
mod_authn_ldap.c ldap auth backend
add http_auth.c to common_sources for auth backend registration
(mod_authn_file could be three separate modules, but no need for now)
copied javascript from mod_status and from lighttpd2 mod_dirlist
modified and specialized for stable dirlist sorting by name
Partial implementation of Apache autoindex request query arguments
(https://httpd.apache.org/docs/current/en/mod/mod_autoindex.html)
If query string is supplied, allow specifying initial column to sort
?C=N name (default)
?C=M last-modified, then by name
?C=S size, then by name
?C=T type, then by name
?C=D type, then by name
and O=[AD] can be added for descending or ascending order, e.g.
?C=N&O=D descending (default)
?C=N&O=A ascending
(While functional, no effort was made on js performance.
Patches welcome)
New directive dir-listing.external-js for user to replace sorting js
Note: dir-listing.external-js or default js sorting is enabled only
if dir-listing.auto-layout = "enable" (which is the default)
x-ref:
"client-selectable directory list sorting"
https://redmine.lighttpd.net/issues/613
"dir-listing.external-js"
https://redmine.lighttpd.net/issues/2315
Due to the POLLHUP behavior triggered on *BSD/Darwin, the shutdown()
had previously been limited to local connections. If interested in
squeezing the last bits of performance out of a machine, an admin
should configure local connections to be AF_UNIX instead of AF_INET
or AF_INET6 to localhost. The reason the shutdown() was originally
added in mod_proxy and mod_scgi was to aggressively reduce the number
of potential sockets in TIME_WAIT held by lighttpd.
(See commit:923688d2 "drain backend socket/pipe bufs upon FDEVENT_HUP",
done for reliability given the aforementioned *BSD/Darwin behavior.)
When using AF_UNIX, the TIME_WAIT issue does not exist, ergo, the
recommendation is to use AF_UNIX for local sockets, when available.
Using AF_UNIX sockets is a better solution to eliminate TIME_WAIT
than is TCP shutdown() half-close which, as we have seen, might not
be handled well by frameworks which are more complex than basic read
request, send response, and close.
x-ref:
"1.4.40/41 mod_proxy, mod_scgi may trigger POLLHUP on *BSD,Darwin"
https://redmine.lighttpd.net/issues/2743
Christoph Kreutzer