Commit Graph

2096 Commits

Author SHA1 Message Date
Glenn Strauss 75040e9988 [mod_evhost] mod-evhost.t tests (#1194)
(thx Daniel-Brandt)

  "Partial matching in mod_evhost patterns"
2016-10-20 14:22:46 -04:00
Glenn Strauss a3bba43b30 [mod_evhost] partial matching patterns (fixes #1194)
"%%" "%_" "%x" "%{x.y}" where x and y are *single digit* 0 - 9
and y is the 1-indexed position of a single char to add, similar to
(but not supporting the entire Apache mod_vhost_alias syntax)

The lighttpd syntax for adding a single char at a given position requires
the "%{x.y}" syntax, including the curly braces, which is different
from the Apache mod_vhost_alias syntax.

  "Partial matching in mod_evhost patterns"
2016-10-20 13:55:32 -04:00
Glenn Strauss 9f93454d56 [mod_expire] expire by mimetype (fixes #423)
new directive expire.mimetypes for list of mimetypes and expirations

mod_expire is now processed at the start of the response, and so now
may be applied to all responses, including dynamic responses.

mod_expire now applies only to GET and HEAD requests where the response
status is 200 OK or 206 Partial Content, and for which no other modules
or backend has already added a Cache-Control response header.

expire.url takes precedence over expire.mimetypes

  "Add expire by Mimetype"
2016-10-20 10:48:06 -04:00
Glenn Strauss 1f3ad401ba [mod_deflate] skip deflate if loadavg too high (fixes #1505)
[mod_deflate] skip deflate if 1 min loadavg too high
deflate.max-loadavg  = "3.50"  # express value as string of float num

[mod_compress] skip compression if 1 min loadavg too high
compress.max-loadavg = "3.50"  # express value as string of float num

Feature available on BSD-like systems which have getloadavg() in libc

Note: load average calculations are different on different operating
systems and different types of system loads, so there is no value that
can be recommended for one-size-fits-all.

  "Enable mod_compress to abandon compression when load average is too high"
2016-10-19 16:38:47 -04:00
Glenn Strauss 72a5ff1f21 [mod_accesslog] %{ratio}n logs compression ratio (fixes #2133)
mod_deflate and mod_compress now provide data for mod_accesslog
"%{ratio}n%%" log format to log compression ratio

Implementation detail: compression ratio is stored in con->environment
since lighttpd does not currently have concept of module notes, which is
from where %{VARNAME}n originates.  In the future, this might change in
lighttpd, so be sure to use %{ratio}n%% and not %{...}e for this info.

  "accesslog support "%n" (compress ratio)"
2016-10-19 16:37:22 -04:00
Glenn Strauss b11d059843 [cmake] build fcgi-auth, fcgi-responder for tests
Aside: must have cmake enable building openssl for tests to pass
due to tests/lighttpd.conf including config options requiring openssl
algorithms in mod_secdownload.c:
  (secdownload.algorithm       = "hmac-sha1")
  (secdownload.algorithm       = "hmac-sha256")

$ cmake -L .
$ make -j 4 -k
$ make test

2016-10-18 17:47:33 -04:00
Glenn Strauss 4943dac851 [doc] lighttpd-angel.8 (fixes #2254)
  "lighttpd-angel doesn't have man page"
2016-10-18 13:09:48 -04:00
Glenn Strauss ee40397fa5 [TLS] remote IP conditions are valid for TLS SNI (fixes #2272)
  "To allow different ssl.pemfile settings for different $HTTP["remoteip"]"
2016-10-18 12:46:11 -04:00
Glenn Strauss bad5f68ade [core] use paccept() on NetBSD (replace accept4())
thx nros (NetBSD)
2016-10-17 19:07:37 -04:00
Glenn Strauss ab07c71111 [autobuild] move http_cgi_ssl_env() for Mac OS X (fixes #2757)
move http_cgi_ssl_env() from response.c to http-header-glue.c
for symbol visibility on Mac OS X.

  "Undefined symbols: _http_cgi_ssl_env"
2016-10-17 14:25:40 -04:00
Glenn Strauss 961eba9e27 [TLS] openssl 1.1.0 hides struct bignum_st 2016-10-17 14:15:50 -04:00
Glenn Strauss ac90699d28 [autobuild] rm module stub code for missing deps
remove module stub code since the build system(s) no longer build any
module when the dependencies for a given module are not present.
2016-10-17 14:15:50 -04:00
Glenn Strauss c073a31f69 [autobuild] omit module stubs when missing deps
do not build any module (containing module stubs) when the dependencies
for a given module are not present.
2016-10-17 14:15:50 -04:00
Glenn Strauss 4184c382ec minor: make more convenient for me 2016-10-17 11:08:59 -04:00
Glenn Strauss aef6207965 [mod_deflate] ignore '*' in deflate.mimetypes
mod_deflate performs prefix match of deflate.mimetypes against the
response Content-Type.  Therefore "text/" will match all text/*
mimetypes.  This commit permits admin to specify "text/*" in
  deflate.mimetypes = ("text/*")
and mod_deflate will treat it as "text/".  This is done only when the
'*' is the last char in the mimetype.
2016-10-16 20:36:21 -04:00
Glenn Strauss 5feb2694f7 [autobuild] remove mod_authn_gssapi dep on resolv
remove mod_authn_gssapi explicit dependency on -lresolv
This fixes build on FreeBSD when ./configure --with-krb5
(On systems that need libresolv, libkrb5 depends on libresolv)

Also remove obsolete hstrerror() references from build
2016-10-16 08:56:30 -04:00
Glenn Strauss 22c560c228 - next is 1.4.43 2016-10-16 07:58:46 -04:00
Glenn Strauss 032772ab6c add random() to list of rand() fallbacks
(but prefer better mechanisms)
2016-10-16 05:11:38 -04:00
Glenn Strauss 768dc3aa5b quiet coverity warning 2016-10-16 05:01:08 -04:00
Glenn Strauss 3468974e0b [doc] NEWS 2016-10-16 03:07:46 -04:00
Glenn Strauss e82b980955 parallelize dist package build ( 2016-10-16 02:24:24 -04:00
Glenn Strauss 1f4874cb9c build w/o compiler warnings if no zlib or bz2lib 2016-10-16 01:58:36 -04:00
Glenn Strauss 3d0dcdf6ab fix SCons build 2016-10-16 01:58:25 -04:00
Glenn Strauss 609e9a5050 silence warnings from clang ccc-analyzer 2016-10-16 01:34:40 -04:00
Glenn Strauss 1e129cce45 ignore return value from fcntl() FD_CLOEXEC
setting or removing FD_CLOEXEC flag does not fail

Also the use in mod_fastcgi and mod_scgi is in child after fork().
If the fd already happens to be 0 (should not happen in current code)
and removing the FD_CLOEXEC flag fails, then the backend will fail
to start.
2016-10-15 23:28:09 -04:00
Glenn Strauss 9173d9aa7d [mod_cgi] fix pipe_cloexec() when no O_CLOEXEC 2016-10-15 23:28:09 -04:00
Glenn Strauss 7f4e156e5f [core] rand.[ch] to use better RNGs when available
prefer RAND_pseudo_bytes() (openssl), arc4random() or jrand48(),
if available, over rand()

These are not necessarily cryptographically secure, but should be better
than rand()
2016-10-15 23:28:09 -04:00
Glenn Strauss b8b38f3067 [TLS] set SSL_PROTOCOL, SSL_CIPHER* (fixes #2511)
initialized for mod_magnet and dynamic CGI-like handlers
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi) (*not* mod_proxy)

Note: in the future a config flag (does not yet exist) might be required
to activate initialization of these SSL_* env variables.  This might
occur if there are requests to access these variables in mod_accesslog,
and/or if more SSL_* variables are created, which would be more work.

  "pass protocol and cipher details to fcgi env"
2016-10-11 05:24:39 -04:00
Glenn Strauss 6155d7d9bb [TLS] set SSL_CLIENT_VERIFY w/ client cert (#1288, #2693)
(enabled with lighttpd.conf: ssl.verifyclient.activate = "enable")

  "SSL Client Certificate validation."
2016-10-11 05:16:34 -04:00
Glenn Strauss daab6f5cd5 [TLS] set SSL_CLIENT_M_SERIAL w/ client cert SN (fixes #2268)
  "Set serial number of the client certificate into environment"
2016-10-11 01:23:20 -04:00
Glenn Strauss d3ac5667a5 [TLS] replace env entries in https_add_ssl_entries
do not (incorrectly) extend SSL_* con->environment entry values
after url.rewrite occurs
2016-10-10 21:13:02 -04:00
Glenn Strauss 7fa5bfc938 consistent, shared code to create CGI env
consolidated from CGI, FastCGI, SCGI, SSI

Note: due to prior inconsistencies between the code in mod_cgi,
mod_fastcgi, mod_scgi, and mod_ssi, there are some minor behavior

CONTENT_LENGTH is now always set, even if 0
  (though CONTENT_LENGTH is never set for FASTCGI_AUTHORIZER)
PATH_INFO is created only if present, not if empty.
  (mod_fastcgi and mod_ssi previously set PATH_INFO="" (blank value))
PATH_TRANSLATED is now set if PATH_INFO is present
  (previously missing from mod_cgi and mod_ssi)

mod_ssi now sets DOCUMENT_ROOT to con->physical.basedir, like others
  (previously, mod_ssi set DOCUMENT_ROOT to con->physical.doc_root,
   which matched con->physical.basedir unless mod_alias changed basedir)
mod_ssi now sets REQUEST_URI to con->request.orig_uri, like others
  (previously, mod_ssi set REQUEST_URI to con->request.uri, which
   matched con->request.orig_uri except after redirects, error docs)
2016-10-10 13:37:36 -04:00
Glenn Strauss 81ce160d83 silence warnings from clang ccc-analyzer 2016-10-09 19:19:37 -04:00
Glenn Strauss ce24523b59 [core] restrict where config "else" clauses occur (#1268)
(improve validation)

  "condition should be optional in "else" clause in configuration file"
2016-10-09 09:20:37 -04:00
Glenn Strauss 79fb75709b [core] optional condition in config "else" clause (fixes #1268)
  "condition should be optional in "else" clause in configuration file"
2016-10-09 08:06:41 -04:00
Glenn Strauss 1018ff9922 [core] server.max-request-field-size (fixes #2130)
limits total size per request of request headers submitted by client

default limit set to 8k (prior lighttpd <= 1.4.41 hard-coded 64k limit)

(similar to Apache directive LimitRequestFieldSize)

  "limits the size of HTTP request header"
2016-10-06 00:18:07 -04:00
Glenn Strauss 2bea4fcb16 [core] make server.max-request-size scopeable (#1901)
  "make server.max-request-size scopeable"
2016-10-05 23:53:24 -04:00
Glenn Strauss 145ddc2ee7 [mod_mysql_vhost] support multiple '?' replacement (fixes #2163)
support multiple '?' replacement with escaped URI authority

  "Multiple use of '?' in mysql-vhost.sql"
2016-10-05 05:54:01 -04:00
Glenn Strauss d3cb9c8ced quiet coverity warning 2016-10-04 07:18:30 -04:00
Glenn Strauss 28d1213470 [mod_auth] fix printing of IP in error trace 2016-10-04 05:03:15 -04:00
Glenn Strauss 0f38b391dc DragonFlyBSD defines __DragonFly__ (#2746)
DragonFlyBSD defines __DragonFly__, not __DragonflyBSD__

(thx xenu)

  "[PATCH] better DragonFlyBSD support; fix crash"
2016-10-04 05:03:15 -04:00
Glenn Strauss ebbd639029 [cmake] build mod_authn_gssapi if WITH_KRB5 2016-10-04 05:03:15 -04:00
Glenn Strauss 06cb0c3024 [autobuild] update module/feature report
update module/feature report at end of ./configure run
2016-10-04 05:03:15 -04:00
Glenn Strauss 8b282db1d1 [mod_auth] permit specifying ldap DN; skip search (fixes #1248)
If auth.backend.ldap.filter begins with ',', then concatenate
uid=<username> with the 'filter' value to form the DN instead of using
ldap_search to query LDAP for the DN for the username, applying the
provided filter.

  "Allow User-DN to be supplied in the configuration rather than searching"
2016-10-04 05:03:15 -04:00
Glenn Strauss 59c753bf9f [mod_auth] ldap filter subst user for multiple '$' (fixes #1508)
ldap filter supports substitution of multiple '$', each with username

  "auth.backend.ldap.filter: only one/first "$" replaced with Username"
2016-09-28 16:57:43 -04:00
Glenn Strauss a401c9469a [mod_auth] HTTP Basic auth backends also do authz (#1817)
HTTP Basic auth backends now do both authn and authz
in order to provide a means to extend backends to optionally
support group authz

  "LDAP-Group support for HTTP-Authentication"
2016-09-28 06:36:38 -04:00
Glenn Strauss d4f812550c [mod_auth] refactor LDAP code into smaller funcs
better handling and freeing of resources
replace deprecated LDAP routines
2016-09-28 04:24:46 -04:00
Glenn Strauss a661944d7e [mod_scgi] add uwsgi protocol support
Configuring the protocol is controlled with new lighttpd.conf directive:
  scgi.protocol = "scgi"   # default
  scgi.protocol = "uwsgi"

The uwsgi protocol differs from the SCGI protocol only in how the
request is encoded.  The response from the backend is handled the
same way for both SCGI and uwsgi protocols.

2016-09-25 02:05:56 -04:00
Glenn Strauss 93afda9c8e performance: use Linux extended syscalls and flags
reduce syscalls on Linux using extended syscalls and flags,
e.g. accept4(), pipe2(), O_CLOEXEC, SOCK_CLOEXEC, SOCK_NONBLOCK

github: closes #2
2016-09-24 02:23:49 -04:00
Glenn Strauss 8047c2f448 fix errors detected by Coverity Scan
fix potential NULL pointer dereference in mod_deflate.c
remove logically dead code in connection-glue.c
add coverity annotations to see if some issues will be reclassified
2016-09-23 09:09:57 -04:00