"%%" "%_" "%x" "%{x.y}" where x and y are *single digit* 0 - 9
and y is the 1-indexed position of a single char to add, similar to
http://httpd.apache.org/docs/2.4/mod/mod_vhost_alias.html
(but not supporting the entire Apache mod_vhost_alias syntax)
The lighttpd syntax for adding a single char at a give position requires
that the "%{x.y}" syntax, including the curly braces, which is different
from the Apache mod_vhost_alias syntax.
x-ref:
"Partial matching in mod_evhost patterns"
https://redmine.lighttpd.net/issues/1194
new directive expire.mimetypes for list of mimetypes and expirations
mod_expire is now processed at the start of the response, and so now
may be applied to all responses, including dynamic responses.
mod_expire now applies only to GET and HEAD requests where the response
status is 200 OK or 206 Partial Content, and for which no other modules
or backend has already added a Cache-Control response header.
expire.url takes precedence over expire.mimetypes
x-ref:
"Add expire by Mimetype"
https://redmine.lighttpd.net/issues/423
[mod_deflate] skip deflate if 1 min loadavg too high
deflate.max-loadavg = "3.50" # express value as string of float num
[mod_compress] skip compression if 1 min loadavg too high
compress.max-loadavg = "3.50" # express value as string of float num
Feature available on BSD-like systems which have getloadavg() in libc
Note: load average calculations are different on different operating
systems and different types of system loads, so there is no value that
can be recommended for one-size-fits-all.
x-ref:
"Enable mod_compress to abandon compression when load average is too high"
https://redmine.lighttpd.net/issues/1505
mod_deflate and mod_compress now provide data for mod_accesslog
"%{ratio}n%%" log format to log compression ratio
Implementation detail: compression ratio is stored in con->environment
since lighttpd does not currently have concept of module notes, which is
from where %{VARNAME}n originates. In the future, this might change in
lighttpd, so be sure to use %{ratio}n%% and not %{...}e for this info.
x-ref:
"accesslog support "%n" (compress ratio)"
https://redmine.lighttpd.net/issues/2133
Aside: must have cmake enable building openssl for tests to pass
due to tests/lighttpd.conf including config options requiring openssl
algorithms in mod_secdownload.c:
(secdownload.algorithm = "hmac-sha1")
(secdownload.algorithm = "hmac-sha256")
$ cmake -L .
$ cmake -DWITH_OPENSSL:BOOL=ON .
$ make -j 4 -k
$ make test
x-ref:
https://blog.lighttpd.net/articles/2006/12/25/1-5-0-goes-cmake/
move http_cgi_ssl_env() from response.c to http-header-glue.c
for symbol visibility on Mac OS X.
x-ref:
"Undefined symbols: _http_cgi_ssl_env"
https://redmine.lighttpd.net/issues/2757
mod_deflate performs prefix match of deflate.mimetypes against the
response Content-Type. Therefore "text/" will make all text/*
mimetypes. This commit permits admin to specify "text/*" in
deflate.mimetypes = ("text/*")
and mod_deflate will treat it as "text/". This is done only when the
'*' is the last char in the mimetype.
remove mod_authn_gssapi explicit dependency on -lresolv
This fixes build on FreeBSD when ./configure --with-krb5
(On systems that need libresolv, libkrb5 depends on libresolv)
Also remove obsolete hstrerror() references from build
setting or removing FD_CLOEXEC flag does not fail
Also the use in mod_fastcgi and mod_scgi is in child after fork().
If the fd already happens to be 0 (should not happen in current code)
and removing the FD_CLOEXEC flag fails, then the backend will fail
to start.
prefer RAND_pseudo_bytes() (openssl), arc4random() or jrand48(),
if available, over rand()
These are not necessarily cryptographically secure, but should be better
than rand()
initialized for mod_magnet and dynamic CGI-like handlers
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi) (*not* mod_proxy)
Note: in the future a config flag (does not yet exist) might be required
to activate initialization of these SSL_* env variables. This might
occur if there are requests to access these variables in mod_accesslog,
and/or if more SSL_* varables are created, which would be more work.
x-ref:
"pass protocol and cipher details to fcgi env"
https://redmine.lighttpd.net/issues/2511
consolidated from CGI, FastCGI, SCGI, SSI
Note: due to prior inconsistencies between the code in mod_cgi,
mod_fastcgi, mod_scgi, and mod_ssi, there are some minor behavior
changes.
CONTENT_LENGTH is now always set, even if 0
(though CONTENT_LENGTH is never set for FASTCGI_AUTHORIZER)
PATH_INFO is created only if present, not if empty.
(mod_fastcgi and mod_ssi previously set PATH_INFO="" (blank value))
PATH_TRANSLATED is now set if PATH_INFO is present
(previously missing from mod_cgi and mod_ssi)
mod_ssi now sets DOCUMENT_ROOT to con->physical.basedir, like others
(previously, mod_ssi set DOCUMENT_ROOT to con->physical.doc_root,
which matched con->physical.basedir unless mod_alias changed basedir)
mod_ssi now sets REQUEST_URI to con->request.orig_uri, like others
(previously, mod_ssi set REQUEST_URI to con->request.uri, which
matched con->request.orig_uri except after redirects, error docs)
limits total size per request of request headers submitted by client
default limit set to 8k (prior lighttpd <= 1.4.41 hard-coded 64k limit)
(similar to Apache directive LimitRequestFieldSize)
x-ref:
"limits the size of HTTP request header"
https://redmine.lighttpd.net/issues/2130
If auth.backend.ldap.filter begins with ',', then concatenate
uid=<username> with the 'filter' value to form the DN instead of using
ldap_search to query LDAP for the DN for the username, applying the
provided filter.
x-ref:
"Allow User-DN to be supplied in the configuration rather than searching"
https://redmine.lighttpd.net/issues/1248
ldap filter supports substitution of multiple '$', each with username
x-ref:
"auth.backend.ldap.filter: only one/first "$" replaced with Username"
https://redmine.lighttpd.net/issues/1508
HTTP Basic auth backends now do both authn and authz
in order to allow provide a means to extend backends to optionally
support group authz
x-ref:
"LDAP-Group support for HTTP-Authentication"
https://redmine.lighttpd.net/issues/1817
Configuring the protocol is controlled with new lighttpd.conf directive:
scgi.protocol = "scgi" # default
scgi.protocol = "uwsgi"
The uwsgi protocol differs from the SCGI protocol only in how the
request is encoded. The response from the backend is handled the
same way for both SCGI and uwsgi protocols.
x-ref: http://uwsgi-docs.readthedocs.io/en/latest/Protocol.html
fix potential NULL pointer dereference in mod_deflate.c
remove logically dead code in connection-glue.c
add coverity annotations to see if some issues will be reclassified
Glenn Strauss