(experimental; untested)
Note: abstract sockets do not require filesystem access and cannot be
protected using filesystem permissions; abstract sockets are accessible
by any process in the same network namespace on the same machine.
Abstract sockets can be passed to lighttpd via systemd socket activation
mechanism, via xinetd, or any other process which creates an abstract
socket and passes it to lighttpd. Abstract sockets can also be
configured in lighttpd.conf using a backslash-escaped double-quoted
string, where CTL and chars with high bit set are backslash-escaped into
"\\xFF", with "\\x" followed by two-byte hex encoding (e.g. "FF") for
each escaped char, e.g. "\\x00abstract-socket"
unix domain socket pedantic checks when received via HAProxy PROXY
protocol (and should already be enabled only from trusted upstreams)
UNIX_PATH_MAX might be different sizes in some OS, and might not be
defined. It is 108 on Linux, but might be 104 on BSD, MacOS, so be
a bit more pedantic about checking structure sizes and assigning
the path to the sock_addr.
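Added example (not lighttpd's own code) covering the two entries above on abstract sockets and on UNIX_PATH_MAX: it decodes the backslash-escaped "\xHH" path form into raw bytes and then fills a sockaddr_un using sizeof(sun_path) instead of UNIX_PATH_MAX, carrying the exact name length for the abstract namespace. The decoder only handles the "\xHH" escape form, and the function names are this example's own.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a backslash-escaped socket path in the lighttpd.conf style
 * described above ("\xHH" per escaped byte, so "\x00abstract-socket"
 * yields a leading NUL byte) into raw bytes.  Only the "\xHH" form is
 * handled here (an assumption of this example).  Returns 0 and sets
 * *outlen on success; -1 on a truncated or malformed escape, or if the
 * decoded path would not fit in out[]. */
int unescape_socket_path(const char *s, unsigned char *out, size_t outsz,
                         size_t *outlen)
{
    size_t n = 0;
    for (; *s; ++s) {
        unsigned char c = (unsigned char)*s;
        if (c == '\\') {
            int hi, lo;
            /* short-circuit evaluation stops before reading past a NUL */
            if (s[1] != 'x' || (hi = hexval((unsigned char)s[2])) < 0
                             || (lo = hexval((unsigned char)s[3])) < 0)
                return -1;
            c = (unsigned char)((hi << 4) | lo);
            s += 3;
        }
        if (n >= outsz) return -1;
        out[n++] = c;
    }
    *outlen = n;
    return 0;
}

/* Fill a sockaddr_un without relying on UNIX_PATH_MAX (108 on Linux,
 * 104 on the BSDs and macOS, and not defined everywhere): the usable
 * size is sizeof(sun->sun_path).  A leading NUL selects the Linux
 * abstract namespace, where the name is not NUL-terminated and its exact
 * length must be carried in *addrlen.  Returns 0 on success, -1 if the
 * path is empty or does not fit. */
int fill_sockaddr_un(struct sockaddr_un *sun, socklen_t *addrlen,
                     const unsigned char *path, size_t pathlen)
{
    const size_t maxlen = sizeof(sun->sun_path);
    int is_abstract;

    if (pathlen == 0) return -1;
    is_abstract = (path[0] == '\0');
    /* filesystem paths additionally need room for the terminating NUL */
    if (is_abstract ? pathlen > maxlen : pathlen >= maxlen)
        return -1;

    memset(sun, 0, sizeof(*sun));
    sun->sun_family = AF_UNIX;
    memcpy(sun->sun_path, path, pathlen);
    *addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + pathlen
                           + (is_abstract ? 0 : 1));
    return 0;
}
```

The length check is the point: an abstract name may use every byte of sun_path, while a filesystem path must leave one byte for the NUL, and neither decision depends on a macro that may be absent or differ between platforms.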
remove unused accounting
simplify to use (64-bit) off_t for counting, but preserve doubles for
pretty-printing numbers with decimal point and size suffix
cleanup user-provided request and response headers
- remove leading and trailing whitespace from value
- replace with ' ' line ends following ',' in value
- warn if header value contains '\r' or '\n'
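Added example (not lighttpd's own code) of the three cleanup steps listed above applied to a header value in place. The handling of folding whitespace after a comma's line end (collapsed together with the CR/LF into one space) and the function names are this example's own choices.

```c
#include <stddef.h>
#include <string.h>

/* Whitespace as far as header trimming is concerned: SP, HTAB, CR, LF. */
static int hdr_ws(char c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Clean a user-provided header value in place: trim leading and trailing
 * whitespace, turn a line end that follows ',' (plus any folding SP/HTAB
 * after it) into a single ' ', and flag any CR or LF that survives so
 * the caller can warn or reject.  v must hold at least len + 1 bytes
 * because the result is NUL-terminated.  Returns the cleaned length;
 * *bare_crlf is set to 1 if a CR or LF remains in the value. */
size_t clean_header_value(char *v, size_t len, int *bare_crlf)
{
    size_t start = 0, end = len, w = 0, i;

    *bare_crlf = 0;
    while (start < end && hdr_ws(v[start])) ++start;
    while (end > start && hdr_ws(v[end - 1])) --end;

    /* w never exceeds i, so writing v[w] cannot clobber unread input */
    for (i = start; i < end; ++i) {
        char c = v[i];
        if ((c == '\r' || c == '\n') && w > 0 && v[w - 1] == ',') {
            while (i + 1 < end && (v[i + 1] == '\r' || v[i + 1] == '\n'))
                ++i;                       /* swallow the whole CR/LF run */
            while (i + 1 < end && (v[i + 1] == ' ' || v[i + 1] == '\t'))
                ++i;                       /* and the folding whitespace */
            v[w++] = ' ';
            continue;
        }
        if (c == '\r' || c == '\n')
            *bare_crlf = 1;                /* not after ',': report it */
        v[w++] = c;
    }
    v[w] = '\0';
    return w;
}
```

A CR or LF that is not part of a comma-separated continuation is exactly what a response-splitting attempt looks like, so the caller should treat *bare_crlf as a reason to log and drop the header rather than forward it.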
check con->h2 instead of r->http_version
(additional safeguard for #3152)
x-ref:
"Random Segfaults with version 1.4.64 w/ mod_sockproxy and ALPN h2"
https://redmine.lighttpd.net/issues/3152
rewrite lighty.r as table of methods implemented as userdata
(enable lua r table to potentially be reusable with other requests,
instead of relying on global table to obtain (request_st *)r)
various optimizations to reduce instruction memory use
set script env in first upvalue (_ENV upvalue) for func once,
upon script init, since script-env table is preserved and reused
(and script-env is cleared between script invocations)
call connection_state_machine_h2() only if con->h2 has been initialized
(additional safeguard for #3152)
x-ref:
"Random Segfaults with version 1.4.64 w/ mod_sockproxy and ALPN h2"
https://redmine.lighttpd.net/issues/3152
server.feature-flags += ("auth.delay-invalid-creds" => "enable")
The default is enabled. This feature delays a response to bad http auth
(invalid username or password) to the next second, so up to 1 sec delay.
Delaying the response greatly reduces the efficiency of brute force
password attacks, limiting tries to one-per-second per connection.
Limiting the number of client connections allowed by lighttpd with
server.max-connections sets an upper bound on password tries per second,
but also makes it easier for an attacker to DoS (denial of service) the
server. Therefore, while this mitigation is enabled by default, it can
be disabled with
server.feature-flags += ("auth.delay-invalid-creds" => "disable")
(thx ultimator)
do not set r->http_version to HTTP_VERSION_2 when selecting TLS ALPN
if r->handler_module already set, since handler module is likely
mod_sockproxy, and con->h2 will not get initialized.
This does continue to select "h2", so the mod_sockproxy backend
should be prepared to receive the HTTP/2 client connection preface.
x-ref:
"Random Segfaults with version 1.4.64 w/ mod_sockproxy and ALPN h2"
https://redmine.lighttpd.net/issues/3152
option for partial PUT via copy/modify/rename
webdav.opts += ("partial-put-copy-modify" => "enable")
Some modern filesystems support efficiently cloning files,
making it less expensive to copy to a tempfile, modify, and
atomically rename the modified tempfile to replace the original.
send HTTP/2 SETTINGS_NO_RFC7540_PRIORITIES=1 with server connection
preface
RFC9218 Extensible Prioritization Scheme for HTTP
2.1 Disabling RFC 7540 Priorities
If endpoints use SETTINGS_NO_RFC7540_PRIORITIES they MUST send it in
the first SETTINGS frame.
RFC7540 Hypertext Transfer Protocol Version 2 (HTTP/2)
6.5.3. Settings Synchronization
Unsupported parameters MUST be ignored.
x-ref:
https://datatracker.ietf.org/doc/html/rfc9218
https://datatracker.ietf.org/doc/html/rfc7540
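Added example (not lighttpd's own code) of the SETTINGS exchange described above: one side serializes a SETTINGS frame carrying SETTINGS_NO_RFC7540_PRIORITIES=1, and the parsing side keeps the identifiers it knows and skips the rest, which is what RFC 7540 6.5.3 requires and what lets a peer that predates RFC 9218 ignore setting 0x9. The identifier values are the registered ones from RFC 7540 and RFC 9218; the struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define H2_FRAME_SETTINGS                  0x4
#define H2_SETTINGS_MAX_CONCURRENT_STREAMS 0x3   /* RFC 7540 6.5.2 */
#define H2_SETTINGS_INITIAL_WINDOW_SIZE    0x4   /* RFC 7540 6.5.2 */
#define H2_SETTINGS_NO_RFC7540_PRIORITIES  0x9   /* RFC 9218 2.1 */

/* Known settings the parser keeps; every other identifier is ignored. */
struct h2_settings {
    uint32_t max_concurrent_streams;
    uint32_t initial_window_size;
    uint32_t no_rfc7540_priorities;
};

/* Serialize a SETTINGS frame (9-byte frame header, then 6 bytes per
 * setting: 16-bit identifier, 32-bit value) into out[].  Returns the
 * frame length, or 0 if out[] is too small. */
size_t h2_settings_frame(uint8_t *out, size_t outsz,
                         const uint16_t *ids, const uint32_t *vals, size_t n)
{
    size_t payload = n * 6, i;
    uint8_t *p;
    if (payload > 0xFFFFFF || outsz < 9 + payload) return 0;
    out[0] = (uint8_t)(payload >> 16);
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    out[3] = H2_FRAME_SETTINGS;
    out[4] = 0;                              /* flags: not an ACK */
    memset(out + 5, 0, 4);                   /* stream identifier 0 */
    for (i = 0, p = out + 9; i < n; ++i, p += 6) {
        p[0] = (uint8_t)(ids[i] >> 8);   p[1] = (uint8_t)ids[i];
        p[2] = (uint8_t)(vals[i] >> 24); p[3] = (uint8_t)(vals[i] >> 16);
        p[4] = (uint8_t)(vals[i] >> 8);  p[5] = (uint8_t)vals[i];
    }
    return 9 + payload;
}

/* Parse a SETTINGS frame into *s.  Unknown identifiers are skipped
 * ("Unsupported parameters MUST be ignored", RFC 7540 6.5.3).  Returns
 * the number of settings seen, known or not, or -1 if buf is not a
 * well-formed SETTINGS frame on stream 0 whose payload is a multiple of
 * 6 bytes. */
int h2_parse_settings(const uint8_t *buf, size_t len, struct h2_settings *s)
{
    size_t payload, i;
    if (len < 9) return -1;
    payload = ((size_t)buf[0] << 16) | ((size_t)buf[1] << 8) | buf[2];
    if (buf[3] != H2_FRAME_SETTINGS || len != 9 + payload || payload % 6 != 0)
        return -1;
    if ((buf[5] & 0x7f) | buf[6] | buf[7] | buf[8])
        return -1;                           /* SETTINGS must be on stream 0 */
    for (i = 0; i < payload; i += 6) {
        const uint8_t *p = buf + 9 + i;
        uint16_t id = (uint16_t)((p[0] << 8) | p[1]);
        uint32_t v = ((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16)
                   | ((uint32_t)p[4] << 8) | p[5];
        switch (id) {
        case H2_SETTINGS_MAX_CONCURRENT_STREAMS: s->max_concurrent_streams = v; break;
        case H2_SETTINGS_INITIAL_WINDOW_SIZE:    s->initial_window_size = v;    break;
        case H2_SETTINGS_NO_RFC7540_PRIORITIES:  s->no_rfc7540_priorities = v;  break;
        default: break;                      /* unsupported: ignore */
        }
    }
    return (int)(payload / 6);
}
```

Rejecting a payload that is not a multiple of 6, or a SETTINGS frame on a non-zero stream, is the FRAME_SIZE_ERROR / PROTOCOL_ERROR path a server takes in RFC 7540 6.5; the example returns -1 in those cases and leaves error signalling to the caller.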
allow redirect and rewrite extended substitution when lighttpd is built
without pcre. When built without pcre, url.rewrite and url.redirect
always match first list entry as if it were "", and numerical
substitutions ($0 %0 $1 %1 etc) are always ignored, but other extended
substitutions (e.g. ${url.path}) may still occur.
perl test framework now runs most tests even when lighttpd has been
built without pcre support, though some tests which rely on regex
are skipped (tests/core-condition.t)
When reading certificates, warn if leaf certificate is inactive/expired
(according to notBefore, notAfter fields of leaf certificate)
(note: not adding a delta for fudge factor when comparing times)
(note: not currently verifying each certificate in chain)
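Added example (not lighttpd's own code) of the leaf-certificate check described above: it parses the notBefore/notAfter fields in their RFC 5280 string forms (UTCTime "YYMMDDHHMMSSZ" and GeneralizedTime "YYYYMMDDHHMMSSZ") into Unix seconds and classifies the certificate against the current time with no fudge factor, exactly as the note says. The parsing is done by hand here so the example runs without a TLS library; the function names and the status enum are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (UTC). */
static long days_from_civil(int y, int m, int d)
{
    long era;
    unsigned yoe, doy, doe;
    y -= m <= 2;
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = (unsigned)(y - era * 400);
    doy = (153u * (unsigned)(m + (m > 2 ? -3 : 9)) + 2u) / 5u + (unsigned)d - 1u;
    doe = yoe * 365u + yoe / 4u - yoe / 100u + doy;
    return era * 146097L + (long)doe - 719468L;
}

/* Read exactly two ASCII digits; -1 if either is not a digit. */
static int two_digits(const char *p, int *out)
{
    if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9') return -1;
    *out = (p[0] - '0') * 10 + (p[1] - '0');
    return 0;
}

/* Parse an RFC 5280 certificate time into Unix seconds: UTCTime
 * "YYMMDDHHMMSSZ" (two-digit year: 50..99 -> 19xx, 00..49 -> 20xx) or
 * GeneralizedTime "YYYYMMDDHHMMSSZ".  Returns 0 on success, -1 if the
 * string is malformed. */
int parse_cert_time(const char *s, int64_t *out)
{
    size_t len = strlen(s);
    int year, hi, lo, m, d, hh, mm, ss;
    const char *p;

    if (len == 13) {
        if (two_digits(s, &year) < 0) return -1;
        year += (year >= 50) ? 1900 : 2000;
        p = s + 2;
    } else if (len == 15) {
        if (two_digits(s, &hi) < 0 || two_digits(s + 2, &lo) < 0) return -1;
        year = hi * 100 + lo;
        p = s + 4;
    } else {
        return -1;
    }
    if (two_digits(p, &m) < 0 || two_digits(p + 2, &d) < 0 ||
        two_digits(p + 4, &hh) < 0 || two_digits(p + 6, &mm) < 0 ||
        two_digits(p + 8, &ss) < 0 || p[10] != 'Z')
        return -1;
    if (m < 1 || m > 12 || d < 1 || d > 31 || hh > 23 || mm > 59 || ss > 60)
        return -1;
    *out = (int64_t)days_from_civil(year, m, d) * 86400 + hh * 3600 + mm * 60 + ss;
    return 0;
}

enum cert_status { CERT_NOT_YET_VALID = -1, CERT_ACTIVE = 0, CERT_EXPIRED = 1 };

/* Compare now against the leaf certificate's notBefore/notAfter.  As the
 * note above says, no fudge factor is applied: the boundaries are exact,
 * so a certificate is active on both its first and last second.
 * Returns 0 and sets *status, or -1 if either time string is malformed. */
int cert_status_at(int64_t now, const char *not_before, const char *not_after,
                   int *status)
{
    int64_t nb, na;
    if (parse_cert_time(not_before, &nb) < 0 || parse_cert_time(not_after, &na) < 0)
        return -1;
    if (now < nb)      *status = CERT_NOT_YET_VALID;
    else if (now > na) *status = CERT_EXPIRED;
    else               *status = CERT_ACTIVE;
    return 0;
}
```

Only the leaf is checked, matching the second note; an operator who wants the warning for intermediates would run cert_status_at over each certificate in the chain.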