enable server.log-request-header-on-error when either
server.log-request-handling or server.log-request-header
is enabled in the global scope.
server.log-request-header-on-error is a global directive since it must
be set prior to parsing of request, and errors parsing request might
otherwise occur before lighttpd config conditions are parsed and set
(i.e. based on the parsed request headers)
x-ref:
"Log error if Host name is illegal (e.g. contains an underscore)"
https://redmine.lighttpd.net/issues/2885
server.http-parseopts = ( ... ) URL normalization options
Note: *not applied* to CONNECT method
Note: In a future release, URL normalization likely enabled by default
(normalize URL, reject control chars, remove . and .. path segments)
To prepare for this change, lighttpd.conf configurations should
explicitly select desired behavior by enabling or disabling:
server.http-parseopts = ( "url-normalize" => "enable", ... )
server.http-parseopts = ( "url-normalize" => "disable" )
x-ref:
"lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data."
https://www.cvedetails.com/cve/CVE-2008-4359/
"Rewrite/redirect rules and URL encoding"
https://redmine.lighttpd.net/issues/1720
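Worked example, added here and not lighttpd code: a small Python model of the url-normalize behaviour sketched above (percent-decoding of unreserved characters only, rejection of raw and encoded control characters, removal of . and .. path segments), plus a constructed deny rule standing in for an url.redirect/url.rewrite pattern, matched once against the raw request-target and once against the normalized one. The rule, the sample paths, the decision to keep %2F encoded and to leave the query string untouched are assumptions of this example, not lighttpd's exact rules.

```python
# Added illustration (not lighttpd source): why rewrite/redirect patterns must
# be matched against a normalized URL rather than the raw request-target.
import re
import string

_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def _decode_percent(path):
    """Decode %XX escapes of unreserved characters only; uppercase the hex of
    every other escape (so %2f stays a literal, encoded slash) and reject raw
    or encoded control characters (0x00-0x1F, 0x7F)."""
    out, i = [], 0
    while i < len(path):
        c = path[i]
        if c == "%":
            hx = path[i + 1:i + 3]
            if len(hx) != 2 or not all(h in string.hexdigits for h in hx):
                raise ValueError("malformed percent-escape")
            b = int(hx, 16)
            if b < 0x20 or b == 0x7F:
                raise ValueError("control character in path")
            out.append(chr(b) if chr(b) in _UNRESERVED else "%" + hx.upper())
            i += 3
        else:
            if ord(c) < 0x20 or ord(c) == 0x7F:
                raise ValueError("control character in path")
            out.append(c)
            i += 1
    return "".join(out)


def remove_dot_segments(path):
    """Resolve '.' and '..' segments of an absolute path (RFC 3986 5.2.4 style),
    never climbing above the root."""
    segs = path.split("/")
    out = [""]                      # leading empty segment keeps the root "/"
    for seg in segs[1:]:
        if seg == "..":
            if len(out) > 1:
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segs[-1] in (".", ".."):     # "/a/.." resolves to "/", keep the slash
        out.append("")
    return "/".join(out)


def normalize_url(raw):
    """Normalize the request-target: decode, then remove dot segments.
    The query string is kept as-is (an assumption of this illustration)."""
    path, sep, query = raw.partition("?")
    if not path.startswith("/"):
        raise ValueError("request-target must be an absolute path")
    return remove_dot_segments(_decode_percent(path)) + sep + query


# Constructed access rule standing in for an url.redirect/url.rewrite entry.
DENY = re.compile(r"^/admin(/|$)")


def access_decision(raw_target, normalize):
    """'reject' = 400 for malformed input, 'deny' if the rule matches, else 'allow'."""
    try:
        target = normalize_url(raw_target) if normalize else raw_target
    except ValueError:
        return "reject"
    return "deny" if DENY.match(target) else "allow"


if __name__ == "__main__":
    for t in ("/admin/users", "/%61dmin/users", "/public/%2e%2e/admin/users"):
        print(f"{t:30} raw={access_decision(t, False):5} "
              f"normalized={access_decision(t, True)}")
```

Run as a script it prints one line per sample target: matched raw, both encoded variants slip past the deny rule ("allow"); matched after normalization they resolve to /admin/users and are denied, and a target carrying %00 is rejected outright instead of being compared.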
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
server.socket-perms = "0770" to set perms on unix domain socket
on which lighttpd listens for requests, e.g. $SERVER["socket"] == "..."
x-ref:
"Feature request: add server config for setting permissions on Unix domain socket"
https://redmine.lighttpd.net/issues/656
median webpage in today's day and age contains 75-100 requests per page
so increasing the default server.max-keep-alive-requests in lighttpd
from 16 is more than warranted
x-ref:
"set server.max-keep-alive-requests = 100"
https://redmine.lighttpd.net/issues/2205
fix crash for invalid syntax in config file for server.modules
x-ref:
"Missing array entry type check in config_insert (configfile.c), SIGSEGV"
https://redmine.lighttpd.net/issues/2810
More specific checks on contents of array lists. Each module using
lists now does better checking on the types of values in the list
(strings, integers, arrays/lists)
This helps prevent misconfiguration of things like cgi.assign,
fastcgi.server, and scgi.server, where source code might be
served as static files if parentheses are misplaced.
x-ref:
https://redmine.lighttpd.net/boards/2/topics/6571
new directive server.error-intercept = [ "enable" | "disable" ]
to intercept 4xx and 5xx responses from dynamic handlers
(e.g. CGI, FastCGI, SCGI, proxy)
Intercepted HTTP error statuses are then handled by one of
server.error-handler
server.error-handler-404
server.errorfile-prefix
(if configured)
Do not use server.error-intercept with locations handled by mod_webdav!
x-ref:
"would like something similar to nginx proxy_intercept_errors"
https://redmine.lighttpd.net/issues/974
large code move, but minimal changes made to code (besides whitespace),
so that code builds
next: need to isolate openssl data structures and config parsing
new directive ssl.read-ahead = "enable"/"disable" to control
SSL_CTX_set_read_ahead(). Default "enable". The "disable" setting
is intended for use on low memory systems with a slow CPU which is
unable to keep up with decryption of large request bodies.
x-ref:
"larger memory usage for file uploads via SSL on embedded system"
https://redmine.lighttpd.net/issues/2778
warn if mod_authn_ldap is not listed in server.modules in lighttpd.conf
but auth.backend = "ldap" is in lighttpd.conf
warn if mod_authn_mysql is not listed in server.modules in lighttpd.conf
but auth.backend = "mysql" is in lighttpd.conf
A future release of lighttpd 1.4.x will cease automatically loading
these modules. After that, lighttpd will fail to start up if
auth.backend requires one of these modules and the module is not loaded.
(The purpose of this change is to remove from the lighttpd core server
the dependencies on LDAP or MariaDB libraries.)
limits total size per request of request headers submitted by client
default limit set to 8k (prior lighttpd <= 1.4.41 hard-coded 64k limit)
(similar to Apache directive LimitRequestFieldSize)
x-ref:
"limits the size of HTTP request header"
https://redmine.lighttpd.net/issues/2130
create new, extensible interface for (additional) auth backends
attempt to handle HANDLER_WAIT_FOR_EVENT returned by auth backends
to allow for async auth backends (e.g. to mysql database)
separate auth backends from mod_auth and http_auth
mod_authn_file.c htdigest, htpasswd, plain auth backends
mod_authn_ldap.c ldap auth backend
add http_auth.c to common_sources for auth backend registration
(mod_authn_file could be three separate modules, but no need for now)
If server.upload-dirs is not configured, then attempt to use TMPDIR
from the environment, if set, or else use /var/tmp which is not often
a tmpfs, unlike /tmp. Warn at startup if tempdirs are not present.
If server.upload-dirs is not configured, then attempt to use TMPDIR
from the environment, if set, or else use /tmp. Warn at startup if
tempdirs are not present.
inherit server.use-ipv6 and server.set-v6only from global scope
into $SERVER["socket"] blocks
(This potential behavior change was announced with lighttpd 1.4.40)
x-ref:
"$SERVER["socket"] to bind to IPv6 by default"
https://redmine.lighttpd.net/issues/678
do not expose server info if server_tag is configured by admin
default con->conf.server_tag is still PACKAGE_DESC, though
admin can configure server.tag otherwise.
(these changes reduce recompilation and relinking when switching
branches in source control)
This allows admin to configure if response is collected in entirety
prior to sending data to client
For compatibility with existing configs, default is existing behavior:
buffer entire response prior to sending data to client
The following are config options, though not all implemented yet
// default: buffer entire request body before connecting to backend
server.stream-request-body = 0
// stream request body to backend; buffer to temp files
server.stream-request-body = 1
// stream request body to backend; minimal buffering might block upload
server.stream-request-body = 2
// default: buffer entire response body before sending to client
server.stream-response-body = 0
// stream response body to client; buffer to temp files
server.stream-response-body = 1
// stream response body to client; minimal buffering might block backend
server.stream-response-body = 2
x-ref:
"fastcgi, cgi, flush, php5 problem."
https://redmine.lighttpd.net/issues/949
"Reimplement upload (POST) handling to match apache/zeus/thttpd/boa functionality"
https://redmine.lighttpd.net/issues/376
BSD accept() filters
server.bsd-accept-filter = "" (default)
server.bsd-accept-filter = "httpready"
server.bsd-accept-filter = "dataready"
Note: this is a behavior change from prior versions.
The default is now no additional accept() filter, whereas prior
versions unconditionally enabled "httpready" accept() filter
Additionally, server.defer-accept (Linux) is inherited from global scope
into $SERVER["socket"] blocks
github: closes #65
server.http-parseopt-header-strict = "enable"
server.http-parseopt-host-strict = "enable" (implies host-normalize)
server.http-parseopt-host-normalize = "disable"
defaults retain current behavior, which is strict header parsing
and strict host parsing, with enhancement to normalize IPv4 address
and port number strings.
For lighttpd tests, these need to be enabled (and are by default)
For marginally faster HTTP header parsing for benchmarks, disable these.
To allow
- underscores in hostname
- hyphen ('-') at beginning of hostname
- all-numeric TLDs
server.http-parseopt-host-strict = "disable"
x-ref:
"lighttpd doesn't allow underscores in host names"
https://redmine.lighttpd.net/issues/551
"hyphen in hostname"
https://redmine.lighttpd.net/issues/1086
"a numeric tld"
https://redmine.lighttpd.net/issues/1184
"Numeric tld's"
https://redmine.lighttpd.net/issues/2143
"Bad Request"
https://redmine.lighttpd.net/issues/2258
"400 Bad Request when using Numeric TLDs"
https://redmine.lighttpd.net/issues/2281
To allow a variety of numerical formats to be converted to IP addresses
server.http-parseopt-host-strict = "disable"
server.http-parseopt-host-normalize = "enable"
x-ref:
"URL encoding leads to "400 - Bad Request""
https://redmine.lighttpd.net/issues/946
"400 Bad Request when using IP's numeric value ("ip2long()")"
https://redmine.lighttpd.net/issues/1330
To allow most 8-bit and 7-bit chars in headers
server.http-parseopt-header-strict = "disable" (not recommended)
x-ref:
"Russian letters not alowed?"
https://redmine.lighttpd.net/issues/602
"header Content-Disposition with russian '?' (CP1251, ascii code 255) causes error"
https://redmine.lighttpd.net/issues/1016
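Worked example, added here and not lighttpd code, serving both the request-header size limit above (8k default, where lighttpd <= 1.4.41 hard-coded 64k) and the server.http-parseopt-header-strict / host-strict / host-normalize options: a Python request-head checker with the same four knobs, showing which Host values and header bytes each setting accepts or rejects. The regexes, the inet_aton()-style numeric-host conversion, the error messages, and the rejection of IPv6 literals are this example's own simplifications, not lighttpd's exact rules.

```python
# Added illustration (not lighttpd source): a request-head checker whose knobs
# mirror server.http-parseopt-header-strict, -host-strict, -host-normalize and
# the 8k total header limit. Rules and messages are simplifications assumed
# for this example; IPv6 literals ("[...]") are simply rejected.
import re
from dataclasses import dataclass


@dataclass
class ParseOpts:
    header_strict: bool = True     # reject 8-bit bytes in the request head
    host_strict: bool = True       # RFC-style labels, no numeric TLD
    host_normalize: bool = False   # inet_aton()-style numeric host -> dotted quad
    max_header_size: int = 8192    # total request-head bytes (8k default)


class BadRequest(Exception):
    pass                            # where a server would answer 400 (or 431)

_STRICT_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
_LAX_LABEL = re.compile(r"[A-Za-z0-9_-]+")          # '_' and leading '-' allowed
_NUM = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

def _numeric_part(s):
    # one inet_aton()-style component: 0x hex, leading-0 octal, or decimal
    if not _NUM.fullmatch(s):
        return None
    if s[:2].lower() == "0x":
        return int(s[2:], 16)
    return int(s, 8) if s.startswith("0") else int(s)

def ipv4_normalize(host):
    """Map "3232235777", "0xC0A80101", "192.168.257" or "127.1" to a dotted
    quad; None if the string is not an inet_aton()-style address."""
    parts = [_numeric_part(p) for p in host.split(".")]
    if len(parts) > 4 or None in parts:
        return None
    *lead, last = parts             # last component fills the remaining bytes
    if any(p > 255 for p in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    value = sum(p << (8 * (3 - i)) for i, p in enumerate(lead)) + last
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def check_host(host, opts):
    """Validate the Host value; return the lowercased form to store."""
    host = host.lower()
    hostname, sep, port = host.rpartition(":")
    if not sep:
        hostname, port = host, ""
    elif re.fullmatch(r"[0-9]+", port) and int(port) <= 65535:
        port = ":" + str(int(port))                 # ":0080" -> ":80"
    else:
        raise BadRequest("invalid port")
    labels = hostname.split(".")
    if "" in labels:
        raise BadRequest("empty host label")
    if opts.host_strict:
        if not all(_STRICT_LABEL.fullmatch(l) for l in labels):
            raise BadRequest("illegal character in hostname")
        if labels[-1].isdigit():                    # numeric TLD: only as IPv4
            if len(labels) != 4 or not all(int(l) <= 255 for l in labels if l.isdigit()) \
                    or not all(l.isdigit() for l in labels):
                raise BadRequest("numeric TLD")
            hostname = ".".join(str(int(l)) for l in labels)
    elif not all(_LAX_LABEL.fullmatch(l) for l in labels):
        raise BadRequest("illegal character in hostname")
    elif opts.host_normalize:                       # strict mode rejected these
        hostname = ipv4_normalize(hostname) or hostname
    return hostname + port

def parse_request_head(raw, opts=ParseOpts()):
    """Parse request line and headers from bytes; raise BadRequest on error."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    if len(head) + len(sep) > opts.max_header_size:
        raise BadRequest("request header too large")
    lines = head.split(b"\r\n")
    for b in b"".join(lines):                       # byte-level policy first
        if (b < 0x20 and b != 0x09) or b == 0x7F:
            raise BadRequest("control character in request head")
        if opts.header_strict and b > 0x7E:
            raise BadRequest("non-ASCII byte in request head")
    try:
        method, target, version = lines[0].decode("latin-1").split(" ")
    except ValueError:
        raise BadRequest("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise BadRequest("malformed header line")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    if "host" in headers:
        headers["host"] = check_host(headers["host"], opts)
    elif version == "HTTP/1.1":
        raise BadRequest("HTTP/1.1 request without Host")
    return {"method": method, "target": target, "version": version, "headers": headers}

def try_parse(raw, opts=ParseOpts()):
    """The parsed head, or None where the server would reject the request."""
    try:
        return parse_request_head(raw, opts)
    except BadRequest:
        return None
```

With the defaults (strict header and host parsing, which the commit says retain prior behaviour) a Host of my_host.example.com or 3232235777 is refused; ParseOpts(host_strict=False) admits the underscore, and adding host_normalize=True turns the ip2long()-style value into 192.168.1.1. A header value carrying byte 0xE9 (or 0xFF, as in the Content-Disposition report above) is refused until header_strict is disabled, while control bytes are refused in every mode, and a request head over max_header_size is dropped before any of this runs.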