webdav.opts = ("unsafe-propfind-follow-symlink" => "enable")
This option is unsafe and unsupported. This option enables non-standard
behavior. If it works for you, great. If it does not work for you,
then too bad.
WebDAV resource and collection concepts do not have an equivalence
to unix symlinks. If "unsafe-propfind-follow-symlink" is "enable",
then lighttpd mod_webdav PROPFIND handling will follow symlinks
if and only if webdav.is_readonly = "enable" is also set.
Allowing symlinks is unsafe in the general case. Using WebDAV methods
to MOVE a relative symlink does not update the symlink relative target.
LOCK is on the resource (e.g. a symlink), not the target of the symlink.
COPY replaces the resource (e.g. a symlink), not the target of the
symlink. There are only a few examples of possibly many more reasons
why using symlinks in a WebDAV-writable collection is unsafe.
provide option to override GnuTLS priority string
ssl.openssl.ssl-conf-cmd = ("gnutls-override" => "...")
will *entirely* replace the priority string constructed by mod_gnutls.
Admin is responsible to ensure that the override is complete.
debugging:
A non-zero value for debug.log-ssl-noise = x *in the global scope*
will cause mod_gnutls to print the GnuTLS priority string to the
error log at startup. debug.log-ssl-noise = 0 in $SERVER["socket"]
scopes can then be used to disable runtime ssl log noise, or
debug.log-ssl-noise can be removed from the global scope after debugging
difference from mod_openssl:
Admin should schedule an independent job to periodically
generate a new STEK before prior STEK lifetime expires.
Only one STEK is active at a time in mod_gnutls.
(more details in prior commit message for mod_openssl)
difference from mod_openssl:
Admin should schedule an independent job to periodically
generate a new STEK up to 2 times during key lifetime
(mbedtls internals store up to 2 keys)
(more details in prior commit message for mod_openssl)
ssl.stek-file to specify session ticket encryption key (STEK)
If ssl.stek-file is specified, it overrides builtin STEK rotation.
STEK file is checked for changes (stat()) once every 64 seconds.
STEK file should be stored in non-persistent storage,
e.g. /dev/shm/lighttpd/stek-file (in memory)
with appropriate permissions set to keep stek-file from being
read by other users. Where possible, systems should also be
configured without swap.
Admin should schedule an independent job to periodically
generate a new STEK up to 3 times during key lifetime
(lighttpd stores up to 3 keys)
format of binary file is:
4-byte - format version (always 0; for use if format changes)
4-byte - activation timestamp
4-byte - expiration timestamp
16-byte - session ticket key name
32-byte - session ticket HMAC encrpytion key
32-byte - session ticket AES encrpytion key
STEK file can be created with a command such as:
dd if=/dev/random bs=1 count=80 status=none | \
perl -e 'print pack("iii",0,time()+300,time()+86400),<>' \
> STEK-file.$$ && mv STEK-file.$$ STEK-file
The above delays activation time by 5 mins (+300 sec) to allow file to
be propagated to other machines. (admin must handle this independently)
If STEK generation is performed immediately prior to starting lighttpd,
admin should activate keys immediately (without +300).
server ticket encryption key (STEK) rotation occurs every 28800 seconds
(8 hours) and upon lighttpd server restart. While lighttpd is running,
(3) encryption keys are preserved, so tickets expire after 1 day.
If using lighttpd with multiple lighttpd workers, then restarting
lighttpd keeps the STEK in sync between lighttpd workers, though
restarting lighttpd three times a day might not be palatable.
Work is in progress to allow admin to supply new encryption keys.
stricter parse of numerical digits for http status code, port num,
and a few other places. (stricter parse than that of strtol())
content ranges are still parsed more loosely at points of use
augment simple strtoll() which allowed number to begin with '+'
This is not exploitable for HTTP Request Smuggling since lighttpd
mod_proxy sends "Connection: close" to backends, and other CGI-based
backends reconstitute CONTENT_LENGTH in the environment without '+'.
(thx Amit Klein, Safebreach)
mod_openssl leverages cert callback in openssl 1.0.2 and later
(SSL_CTX_set_cert_cb())
server certificate chain
is now set in the cert callback
verify_store (for client certificate verification) (ssl.ca-file)
is now set in the cert callback
more carefully load sensitive files and clear temporary storage
(with openssl 1.1.1 and later)
x-ref:
"Lighttpd Returns Wrong Cert In Multi-cert Set-up"
https://redmine.lighttpd.net/issues/2842
set server certificate from callback in openssl 1.0.2 and later
(SSL_CTX_set_cert_cb())
For existing versions of lighttpd, certificate selection influenced by
ssl.cipher-list which can be used to set server cipher order preference
(along with ssl.honor-cipher-order = "enable", which is the default)
x-ref:
"Lighttpd Returns Wrong Cert In Multi-cert Set-up"
https://redmine.lighttpd.net/issues/2842
"lighttpd uses wrong pem-file"
https://redmine.lighttpd.net/issues/3009
server ticket encryption key (STEK) rotation occurs every 86400 seconds
and upon lighttpd server restart. If using lighttpd with multiple
lighttpd workers, then restarting lighttpd keeps the STEK in sync
between lighttpd workers.
(experimental)
mod_gnutls supports most ssl.* config options supported by mod_openssl
x-ref:
"GnuTLS support for the mod_ssl"
https://redmine.lighttpd.net/issues/109
report SSL_R_UNEXPECTED_EOF_WHILE_READING if debug.log-ssl-noise enabled
SSL_R_UNEXPECTED_EOF_WHILE_READING
added in openssl 1.1.1e and reverted in 1.1.1f, but kept in 3.0 branch
(experimental)
mod_mbedtls supports most ssl.* config options supported by mod_openssl
thx Ward Willats for the initial discussion and attempt in the comments
https://redmine.lighttpd.net/boards/3/topics/7029
Process basic backslash-escapes in format string from lighttpd.conf
Supported sequences: \a \b \f \n \r \t \v
Other backslash-sequences are replaces with the char following backslash
(Apache mod_log_config supports \n and \t as special-cases)
Glenn Strauss