When lighttpd is not configured to stream the response body,
lighttpd sends partial content with an incorrect Content-Length
to an HTTP/1.0 client if a backend sends Transfer-Encoding: chunked
in response to lighttpd's HTTP/1.1 request (to the backend), and the response
from the backend ends up truncated.
lighttpd could instead send an HTTP/1.0 502 Bad Gateway, but the
current implementation chooses to send the partial content. After all,
an HTTP/1.0 client is, well, HTTP/1.0, and so of limited intelligence.

remove http_chunk_append_file() and http_chunk_append_file_range()
callers should choose to use stat_cache_entry_open() for caching
or should open the file and check sizes and ranges

add option to read config file from stdin using: -f -
(with "-" indicating to read config file from stdin)
This was already possible using temporary files, unlinked and
passed to lighttpd as -f /proc/self/fd/XX (with XX as fd number)
on systems (or containers) in which /proc/self/fd/ is available
Note: using -f - is incompatible with one-shot mode (-1)
since one-shot mode expects stdin to be connected to the client

merge connection_accept() into network_server_handle_fdevent()
(possible since connection_accepted() was split out from
connection_accept() a long time ago)
network_server_handle_fdevent() checks max_conns and is the only
caller of connection_accept(), so connection_accept() does not
need to repeat the check.

faster to use http_header_request_set_ptr() and buffer_copy_string_len()
than to use http_header_request_set() and http_header_request_get()

check r->http_host for NULL instead of relying on buffer_copy_* to do so

buffer_commit() is called by routines which preallocate for operations
like read(). The caller must properly manage the memory. The checks
removed from buffer_commit() are too late.

special-case OPTIONS * and CONNECT in http_response_prepare()
http_response_prepare() is no longer revisited if r->handler_module
is set, so it is no longer necessary to fill r->physical.path for
CONNECT

improve HTTP/2 behavior when server.max-request-size reached
accept slightly more data than max-request-size if END_STREAM flag recvd
reduce rwin so that client may exceed server.max-request-size, but not
by much. (client might ignore and might send a firehose of data anyway)
accept up to 64k more data to potentially sink data that was in-flight
beyond the rwin, in order to allow server to send 413 Payload Too Large
before resetting the stream.

merge http_response_send_file 0-sized file special case
(historically was a short-circuit before Range handling,
but Range handling has been rewritten and moved elsewhere)

reuse cache lookup in common case of serving a static file
rather than repeating the stat_cache_entry lookup
(which is more work than memcmp() to re-check stat_cache_entry match)

HTTP/2 requires that TLS protocol >= TLSv1.2
HTTP/2 requires that TLS record compression be disabled
HTTP/2 requires that TLSv1.2 renegotiation be disabled
HTTP/2 requires that TLS SNI extension be presented with ALPN h2
(not enforced;
SNI omitted by client when connecting to IP instead of to name)
RFC 7540 9.2 Use of TLS Features
"Implementations are encouraged to provide defaults that comply,
but it is recognized that deployments are ultimately responsible
for compliance."
If TLS record compression or renegotiation is for some reason required
(which is strongly discouraged), then disable HTTP/2 in lighttpd with
server.feature-flags = ("server.h2proto" => "disable")

slurp password/digest file into memory and then clear after use
(avoid stdio, which buffers by default and does not wipe those buffers)
password/digest files are not expected to be very large
e.g. a password file with 1000 entries is expected to be < 64k
If files are larger, mod_authn_dbi or other mod_authn_* is recommended
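An added example (not lighttpd's own code) of the slurp-then-wipe pattern this entry describes: the file is read with open()/read() rather than stdio, parsed for one user:secret line, and the in-memory image is wiped with volatile stores before free() on every exit path. wipe(), slurp(), lookup_secret() and demo_lookup() are assumed names; the 64k cap mirrors the size expectation above, and the two-entry file is constructed sample data.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
/* Volatile stores so the compiler cannot optimise the wipe away (portable fallback, not lighttpd's own helper). */
static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }
/* Read the whole file with open()/read(): no stdio buffer ever holds a copy. Capped at 64k, per the expectation above. */
static char *slurp(const char *path, size_t *len) {
    struct stat st; int fd = open(path, O_RDONLY);
    if (fd < 0) return NULL;
    if (fstat(fd, &st) != 0 || st.st_size > 65536) { close(fd); return NULL; }
    size_t n = (size_t)st.st_size, off = 0;
    char *buf = malloc(n + 1);
    while (buf && off < n) {
        ssize_t r = read(fd, buf + off, n - off);
        if (r <= 0) { wipe(buf, off); free(buf); buf = NULL; } /* short read: wipe what was read, then fail */
        else off += (size_t)r;
    }
    close(fd); *len = n;
    return buf;
}
/* Find the "user:secret" line and copy the secret out. Returns 1 found, 0 not found, -1 on read error.
 * Every exit path wipes the file image before free(), so no plaintext line outlives the lookup. */
int lookup_secret(const char *path, const char *user, char *out, size_t outsz) {
    size_t len, ulen = strlen(user), ll, sl;
    char *buf = slurp(path, &len), *end, *line, *nl;
    int found = 0; if (!buf) return -1;
    for (line = buf, end = buf + len; line < end; line = nl < end ? nl + 1 : end) {
        nl = memchr(line, '\n', (size_t)(end - line)); if (!nl) nl = end;
        if ((ll = (size_t)(nl - line)) > ulen && line[ulen] == ':' && memcmp(line, user, ulen) == 0) {
            sl = ll - ulen - 1;
            if (sl < outsz) { memcpy(out, line + ulen + 1, sl); out[sl] = '\0'; found = 1; }
            break;
        }
    }
    wipe(buf, len); free(buf);
    return found;
}
/* Self-test on a constructed two-entry file (sample data, not a real password file). Returns 1 on success. */
int demo_lookup(void) {
    static const char sample[] = "alice:hash-of-alice\nbob:hash-of-bob\n";
    char path[] = "/tmp/pwdemoXXXXXX", secret[64];
    int fd = mkstemp(path), rc;
    if (fd < 0 || write(fd, sample, sizeof sample - 1) < 0) return -1;
    close(fd); rc = lookup_secret(path, "bob", secret, sizeof secret); unlink(path);
    rc = (rc == 1 && strcmp(secret, "hash-of-bob") == 0);
    wipe(secret, sizeof secret); /* clear the caller's copy too once it has been used */
    return rc;
}
```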