lighttpd 1.4.x
https://www.lighttpd.net/
Most OS platforms have already provided solutions to Y2038 32-bit signed time_t 5 - 10 years ago (or more!) Notable exceptions are Linux i686 and FreeBSD i386.

Since 32-bit systems tend to be embedded systems, and since many distros take years to pick up new software, this commit aims to provide Y2038 mitigations for lighttpd running on 32-bit systems with Y2038-unsafe 32-bit signed time_t

* Y2038: lighttpd 1.4.60 and later report Y2038 safety
    $ lighttpd -V
      + Y2038 support                                # Y2038-SAFE
    $ lighttpd -V
      - Y2038 support (unsafe 32-bit signed time_t)  # Y2038-UNSAFE

* Y2038: general platform info
  * Y2038-SAFE: lighttpd 64-bit builds on platforms using 64-bit time_t
    - all major 64-bit platforms (known to this author) use 64-bit time_t
  * Y2038-SAFE: lighttpd 32-bit builds on platforms using 64-bit time_t
    - Linux x32 ABI (different from i686)
    - FreeBSD all 32-bit and 64-bit architectures *except* 32-bit i386
    - NetBSD 6.0 (released Oct 2012) all 32-bit and 64-bit architectures
    - OpenBSD 5.5 (released May 2014) all 32-bit and 64-bit architectures
    - Microsoft Windows XP and Visual Studio 2005 (? unsure ?)
      Another reference suggests Visual Studio 2015 defaults to 64-bit time_t
    - MacOS 10.15 Catalina (released 2019) drops support for 32-bit apps
  * Y2038-SAFE: lighttpd 32-bit builds on platforms using 32-bit unsigned time_t
    - e.g. OpenVMS (unknown if lighttpd builds on this platform)
  * Y2038-UNSAFE: lighttpd 32-bit builds on platforms using 32-bit signed time_t
    - Linux 32-bit (including i686)
      - glibc 32-bit library support not yet available for 64-bit time_t
        - https://sourceware.org/glibc/wiki/Y2038ProofnessDesign
        - Linux kernel 5.6 on 32-bit platforms does support 64-bit time_t
          https://itsubuntu.com/linux-kernel-5-6-to-fix-the-year-2038-issue-unix-y2k/
        - https://www.gnu.org/software/libc/manual/html_node/64_002dbit-time-symbol-handling.html
          "Note: at this point, 64-bit time support in dual-time configurations is work-in-progress, so for these configurations, the public API only makes the 32-bit time support available. In a later change, the public API will allow user code to choose the time size for a given compilation unit."
        - compiling with -D_TIME_BITS=64 currently has no effect
      - glibc recent (Jul 2021) mailing list discussion
        - https://public-inbox.org/bug-gnulib/878s2ozq70.fsf@oldenburg.str.redhat.com/T/
    - FreeBSD i386
    - DragonFlyBSD 32-bit

* Y2038 mitigations attempted on Y2038-UNSAFE platforms (32-bit signed time_t)
  * lighttpd prefers system monotonic clock instead of realtime clock in places where realtime clock is not required
  * lighttpd treats negative time_t values as after 19 Jan 2038 03:14:07 GMT
  * (lighttpd presumes that lighttpd will not encounter dates before 1970 during normal operation.)
  * lighttpd casts struct stat st.st_mtime (and st.st_*time) through uint64_t to convert negative timestamps for comparisons with 64-bit timestamps (treating negative timestamp values as after 19 Jan 2038 03:14:07 GMT)
  * lighttpd provides unix_time64_t (int64_t) and
  * lighttpd provides struct unix_timespec64 (unix_timespec64_t) (struct timespec equivalent using unix_time64_t tv_sec member)
  * lighttpd provides gmtime64_r() and localtime64_r() wrappers for 32-bit platforms using 32-bit time_t and lighttpd temporarily shifts the year in order to use gmtime_r() and localtime_r() (or gmtime() and localtime()) from standard libraries, before readjusting year and passing struct tm to formatting functions such as strftime()
  * lighttpd provides TIME64_CAST() macro to cast signed 32-bit time_t to unsigned 32-bit and then to unix_time64_t

* Note: while lighttpd tries to handle times past 19 Jan 2038 03:14:07 GMT on 32-bit platforms using 32-bit signed time_t, underlying libraries and underlying filesystems might not behave properly after 32-bit signed time_t overflows (19 Jan 2038 03:14:08 GMT). If a given 32-bit OS does not work properly using negative time_t values, then lighttpd likely will not work properly on that system.

* Other references and blogs
  - https://en.wikipedia.org/wiki/Year_2038_problem
  - https://en.wikipedia.org/wiki/Time_formatting_and_storage_bugs
  - http://www.lieberbiber.de/2017/03/14/a-look-at-the-year-20362038-problems-and-time-proofness-in-various-systems/
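
The unsigned cast and the year-shift mitigations listed in the commit message above, as an added sketch that is not lighttpd's own code. The `sketch_*` names, the 28-year shift interval and the 1 Mar 2100 cutoff are assumptions of this example, and `int32_t` stands in for a 32-bit signed `time_t`.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

typedef int64_t unix_time64_t;          /* type name taken from the commit message */

/* 28 Gregorian years = 10227 days (a multiple of 7): weekday and leap-year
 * pattern repeat every 28 years for dates between 1901 and 28 Feb 2100. */
#define SECS_28_YEARS  INT64_C(883612800)
#define FIRST_BAD_T64  INT64_C(4107542400)   /* 1 Mar 2100 00:00:00 GMT */

/* Hypothetical helper: reinterpret a wrapped (negative) 32-bit signed
 * timestamp as a time after 19 Jan 2038 by going through unsigned 32-bit. */
static unix_time64_t sketch_time64_cast(int32_t t32)
{
    return (unix_time64_t)(uint32_t)t32;
}

/* Hypothetical helper: break down a 64-bit timestamp while only ever handing
 * the C library a value that fits in a signed 32-bit time_t. */
static struct tm *sketch_gmtime64_r(unix_time64_t t, struct tm *result)
{
    int years = 0;
    if (t < 0 || t >= FIRST_BAD_T64)
        return NULL;                    /* outside what the 28-year shift handles */
    while (t > INT32_MAX) {             /* shift back into signed 32-bit range */
        t -= SECS_28_YEARS;
        years += 28;
    }
    const time_t shifted = (time_t)t;
    const struct tm *tm = gmtime(&shifted);  /* not thread-safe; enough for a sketch */
    if (tm == NULL)
        return NULL;
    *result = *tm;
    result->tm_year += years;           /* readjust the year before strftime() */
    return result;
}

int main(void)
{
    struct tm tm;
    char buf[64];
    /* constructed input: the first value a signed 32-bit time_t wraps to */
    unix_time64_t t = sketch_time64_cast(INT32_MIN);
    if (sketch_gmtime64_r(t, &tm) == NULL) return 1;
    strftime(buf, sizeof buf, "%a, %d %b %Y %H:%M:%S GMT", &tm);
    puts(buf);
    return 0;
}
```
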
- doc
- scripts
- src
- tests
- .gitattributes
- .gitignore
- AUTHORS
- CMakeLists.txt
- COPYING
- INSTALL
- Makefile.am
- NEWS
- README
- README.FreeBSD
- SConstruct
- autogen.sh
- configure.ac
- distribute.sh.in
- meson.build
- meson_options.txt
- packdist.sh

README

========
lighttpd
========

-------------
a light httpd
-------------

:abstract:
    lighttpd is a secure, fast, compliant and very flexible web-server
    which has been optimized for high-performance environments. It has a very
    low memory footprint compared to other webservers and takes care of cpu-load.
    Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression,
    URL-Rewriting and many more) makes lighttpd the perfect webserver-software
    for every server that is suffering load problems.

:documentation:
    https://redmine.lighttpd.net/projects/lighttpd/wiki/

the naming
----------

lighttpd is a __httpd__ which is

- fast as __light__ning and
- __light__ when it comes to memory consumption and system requirements

Features
--------

Network
```````
- IPv4, IPv6

Protocols
`````````
- HTTP/2 (https://tools.ietf.org/rfc/rfc7540.txt)
- HTTP/1.1 (https://tools.ietf.org/rfc/rfc2616.txt)
- HTTP/1.0 (https://tools.ietf.org/rfc/rfc1945.txt)
- HTTPS (via one of openssl, BoringSSL, LibreSSL, mbedTLS, wolfSSL, GnuTLS, NSS)
- CGI/1.1 (https://tools.ietf.org/html/rfc3875.txt)
- FastCGI (http://www.fastcgi.com/devkit/doc/fcgi-spec.html)

Advanced Features
`````````````````
- load-balanced FastCGI, SCGI, reverse-proxy, socket proxy, websocket tunnel
  (one webserver distributes requests to multiple PHP-servers via FastCGI)
- streaming FastCGI, SCGI, reverse-proxy, socket proxy, websocket tunnel
- custom error pages (for Response-Code 400-599)
- virtual hosts
- directory listings
- URL-Rewriting
- HTTP-Redirection
- output-compression with transparent caching

FastCGI-Support
```````````````
- parses the Response-header and completes the HTTP-header accordingly
- Keep-Alive handling based on Content-Length header

PHP-Support
```````````
- same speed as or faster than apache + mod_php4
- handles various PHP bugs in the FastCGI SAPI
- includes a utility to spawn FastCGI processes (necessary for PHP 4.3.x)

Security features
`````````````````
- chroot(), set UID, set GID
- protecting docroot

HTTP/1.1 features
`````````````````
- Ranges (start-end, start-, -end, multiple ranges)
- HTTP/1.0 Keep-Alive + HTTP/1.1 persistent Connections
- methods: GET, HEAD, POST
- Last-Modified + If-Modified handling
- sends Content-Length if possible
- sends Transfer-Encoding: chunked, if Content-Length is not possible
- sends Content-Type
- on-the-fly output compression (deflate, gzip)
- authentication: basic and digest
  (http://www.ietf.org/rfc/rfc2617.txt)

HTTP/1.1 compliance
```````````````````
- Sends 206 for Range Requests
- Sends 304 for If-Modified Requests
- Sends 400 for missing Host on HTTP/1.1 requests
- Sends 400 for broken Request-Line
- Sends 411 for missing Content-Length on POST requests
- Sends 416 for "out-of-range" on Range: Header
- Sends 501 for request-method != (GET|POST|HEAD)
- Sends 505 for protocol != HTTP/1.0 or HTTP/1.1
- Sends Date: on every request

Intended Audience
-----------------

- Ad-Server Front-Ends ("Banner-Schleuder")
  - delivering small files rapidly
- php-servers under high load
  (load-balancing the php-request over multiple PHP-servers)

Works with
----------

It has been tested to work with

- IE 6.0
- Mozilla 1.x
- Konqueror 3.1
  (for Keep-Alive/Persistent Connections, Accept-Encoding for PHP + gzip)
- wget
  (for Resuming)
- acrobat plugin
  (for multiple ranges)

Works on
--------

lighttpd has been verified to compile and work on

- Linux
- FreeBSD
- NetBSD
- OpenBSD
- Solaris 8 + 9
- SGI IRIX 6.5
- Windows (when compiled under cygwin)

(and will likely compile and run on most unix-like systems with C99 compiler)

-----------------
Starting lighttpd
-----------------

As daemon in the background: ::

  $ lighttpd -f <configfile>

or without detaching from the console: ::

  $ lighttpd -D -f <configfile>