path: root/src/network.c
Age | Commit message | Author | Files | Lines
2017-10-29 | [core] isolate sock_addr manipulation | Glenn Strauss | 1 | -25/+11
2017-10-28 | [core] fix implicit wildcard IPv4 and IPv6 listen | Glenn Strauss | 1 | -6/+13
fix implicit wildcard IPv4 and IPv6 listening (regression in 1.4.46) (broken in commit:5248b46c) workaround (without this patch): server.set-v6only = "disable" (which may produce a warning when lighttpd parses config) x-ref:
2017-10-25 | [core] fix build --disable-ipv6 (fixes #2832) | nicorac | 1 | -0/+4
x-ref: "Build error on systems without IPV6 support (regression from 1.4.46)" github: closes #87
2017-10-22 | [core] normalize config addrs for eq and ne (#2830) | Glenn Strauss | 1 | -92/+15
address strings need to have DNS resolved and port added for consistency when matching other config conditionals x-ref: "1.4.46 regression: $SERVER["socket"] matches when it shouldn't"
2017-10-22 | [core] normalize config addrs for != match (#2830) | Glenn Strauss | 1 | -0/+77
address strings need to have DNS resolved and port added for consistency when matching other config conditionals x-ref: "1.4.46 regression: $SERVER["socket"] matches when it shouldn't"
2017-10-22 | [core] fix 1.4.46 regression in config match (fixes #2830) | Glenn Strauss | 1 | -1/+8
address strings need to have DNS resolved and port added for consistency when matching other config conditionals x-ref: "1.4.46 regression: $SERVER["socket"] matches when it shouldn't"
2017-10-21 | [core] translate DNS to IP str for cond socket cmp | Glenn Strauss | 1 | -4/+9
translate DNS to IP string for conditional socket comparison in lighttpd.conf for $SERVER["socket"] == ...
2017-10-09 | [core] quiet coverity warning | Glenn Strauss | 1 | -1/+4
2017-10-09 | [core] compare listen addrs after DNS resolution | Glenn Strauss | 1 | -84/+76
compare listen addrs after DNS resolution when starting up server
2017-10-09 | [core] /dev/stdin listener for inetd wait yes | Glenn Strauss | 1 | -5/+31
server.bind = "/dev/stdin" for use with inetd wait yes (experimental) x-ref: "inetd/wait mode with auto-shutdown after idle timeout"
2017-10-07 | [core] cleaner code; remove goto from network.c | Glenn Strauss | 1 | -52/+32
2017-10-03 | [network] do not append port to unix socket paths | Glenn Strauss | 1 | -2/+4
2017-09-23 | [core] fdevent setsockopt() helper functions | Glenn Strauss | 1 | -9/+6
fdevent_set_tcp_nodelay() fdevent_set_so_reuseaddr()
2017-08-03 | [core] set socket perms after bind, before listen | Glenn Strauss | 1 | -5/+5
(it is still recommended to create sockets in protected directories) x-ref: "Feature request: add server config for setting permissions on Unix domain socket"
2017-07-15 | [core] sock_addr_from_str_hints reusable name res | Glenn Strauss | 1 | -123/+9
[core] sock_addr_from_str_hints() reusable name resolution func
2017-06-13 | [core] server.socket-perms to set perms on unix (fixes #656) | Glenn Strauss | 1 | -0/+11
server.socket-perms = "0770" to set perms on unix domain socket on which lighttpd listens for requests, e.g. $SERVER["socket"] == "..." x-ref: "Feature request: add server config for setting permissions on Unix domain socket"
2017-03-28 | [core] include <netdb.h> where needed | Glenn Strauss | 1 | -0/+3
include <netdb.h> in files which use getaddrinfo() instead of exposing header in local header "sys-socket.h"
2017-03-28 | [core] remove some unused header includes | Glenn Strauss | 1 | -1/+0
remove exposure of stdio.h in buffer.h for print_backtrace(), now static
2017-01-31 | [core] graceful restart with SIGUSR1 (fixes #2785) | Glenn Strauss | 1 | -16/+22
more consistent cleanup of resources at shutdown (e.g. upon error conditions)
Notes: graceful restart with SIGUSR1
- not available if chroot()ed, oneshot mode, or if idle timeout occurs
- preserve process id (pid)
- preserve existing listen sockets
- i.e. does not close old listen sockets from prior configs (even if old listen sockets no longer in the new config) (sockets may have been bound w/ root privileges no longer available)
- will fail to add listen sockets from new config if privileges lighttpd configured to drop privileges to non-root user, and new listen socket attempts to bind to low-numbered port requiring root privileges.
- will fail if listen sockets in new config conflict with any previous old listen sockets
- These failure modes will result in lighttpd shutting down instead of graceful restart. These failure modes are not detectable with preflight checks ('lighttpd -tt -f lighttpd.conf') because the new instance of lighttpd running the preflight check does not know config state of n prior graceful restarts, or even the config state of the currently running lighttpd server.
- due to lighttpd feature of optionally managing backends (e.g. fastcgi and scgi via "bin-path"), lighttpd must wait for all child processes to exit prior to restarting. Restarting new workers while old workers (and old backends) were still running would result in failure of restarted lighttpd process to be able to bind to sockets already in use by old backends (e.g. unix "socket" path)
x-ref: "graceful restart with SIGUSR1"
2017-01-31 | [core] use getaddrinfo,inet_pton vs gethostbyname (fixes #2783) | Glenn Strauss | 1 | -0/+19
when available, use getaddrinfo(),inet_pton() instead of gethostbyname() NOTE: behavior change: mod_scgi now listens to INADDR_LOOPBACK if "host" is not specified. (Prior behavior was INADDR_ANY.) Backends should not listen on potentially public IPs unless explicitly configured to do so. This change matches a change to mod_fastcgi made in 2008. x-ref "gethostbyname deprecated, should use getaddrinfo"
2017-01-31 | [core] move con throttling to connections-glue.c | Glenn Strauss | 1 | -65/+0
move write throttling code from network.c:network_write_chunkqueue() to connections-glue.c:connection_write_chunkqueue() and fix the code to use TCP_CORK only on TCP sockets.
2017-01-31 | [mod_openssl] move openssl config into mod_openssl | Glenn Strauss | 1 | -522/+5
move openssl data structures and config parsing into mod_openssl
2017-01-14 | [core] con interface for read/write; isolate SSL | Glenn Strauss | 1 | -13/+1
2017-01-10 | [TLS] = "disable" for low mem (fixes #2778) | Glenn Strauss | 1 | -1/+1
new directive = "enable"/"disable" to control SSL_CTX_set_read_ahead(). Default "enable". The "disable" setting is intended for use on low memory systems with a slow CPU which is unable to keep up with decryption of large request bodies. x-ref: "larger memory usage for file uploads via SSL on embedded system"
2016-12-23 | [TLS] openssl 1.1.0 makes SSL_OP_NO_SSLv2 no-op | Glenn Strauss | 1 | -2/+2
silence coverity warning openssl 1.1.0 makes SSL_OP_NO_SSLv2 flag a no-op, leading to logically dead code when used with openssl 1.1.0. However, the code is still valid with earlier openssl versions, and so must be preserved.
2016-12-05 | openssl 1.1.0 init and cleanup | Glenn Strauss | 1 | -0/+9
2016-10-18 | [TLS] remote IP conditions are valid for TLS SNI (fixes #2272) | Glenn Strauss | 1 | -0/+1
x-ref: "To allow different ssl.pemfile settings for different $HTTP["remoteip"]"
2016-09-24 | performance: use Linux extended syscalls and flags | Glenn Strauss | 1 | -5/+4
reduce syscalls on Linux using extended syscalls and flags, e.g. accept4(), pipe2(), O_CLOEXEC, SOCK_CLOEXEC, SOCK_NONBLOCK github: closes #2
2016-08-20 | [core] better DragonFlyBSD support (fixes #2746) | Glenn Strauss | 1 | -1/+1
(thx xenu) x-ref: "[PATCH] better DragonFlyBSD support; fix crash"
2016-07-29 | [core] check if EAI_ADDRFAMILY is defined | Glenn Strauss | 1 | -1/+5
(EAI_ADDRFAMILY is not available on FreeBSD)
2016-07-27 | [core] fix result copy from getaddrinfo() | Glenn Strauss | 1 | -1/+2
(thx avij)
2016-07-27 | [core] try AF_INET after AF_INET6 if use-ipv6 | Glenn Strauss | 1 | -0/+10
try AF_INET after AF_INET6 if server.use-ipv6 = "enable" and getaddrinfo() fails EAI_ADDRFAMILY when hints.ai_family is AF_INET6. (Prefer IPv6 instead of setting hints.ai_family to AF_UNSPEC since lighttpd only uses the first address returned)
2016-07-05 | [TLS] fix return value checks during cert init | Glenn Strauss | 1 | -2/+2
openssl interfaces typically return 1 to indicate success, with varying return values to indicate failure (sometimes 0, sometimes 'not 1') (thx mackyle)
2016-06-29 | [core] disable Nagle algorithm (TCP_NODELAY) | Glenn Strauss | 1 | -0/+30
disable Nagle algorithm (TCP_NODELAY) on client sockets
2016-06-23 | fix errors detected by Coverity Scan | Glenn Strauss | 1 | -2/+2
buffer.c:itostr() undefined behavior taking modulus of negative number
additional minor code changes made to quiet other coverity warnings (false positives)
2016-06-21 | fix errors detected by Coverity Scan | Glenn Strauss | 1 | -0/+1
fd leak in mod_dirlisting.c
use after free in error condition in mod_proxy.c
NULL pointer dereference in error message in chunk.c
additional minor code changes made to quiet other coverity warnings
2016-06-19 | remove excess calls to joblist_append() | Glenn Strauss | 1 | -4/+0
(recent commits streamlined dynamic handler flow control)
2016-06-19 | [TLS] release openssl buffers as used (fixes #1265, fixes #1283, #881) | Glenn Strauss | 1 | -1/+7
use SSL_MODE_RELEASE_BUFFERS (OpenSSL >= 1.0.0) to free buffers as they are used, to potentially reduce memory footprint of idle SSL connections x-ref: "memory usage when ssl.engine used and large data uploaded through CGI" "SSL + file upload = lots of memory" "Memory usage increases when proxy+ssl+large file"
2016-06-04 | [config] server.bsd-accept-filter option | Glenn Strauss | 1 | -3/+8
BSD accept() filters
server.bsd-accept-filter = "" (default)
server.bsd-accept-filter = "httpready"
server.bsd-accept-filter = "dataready"
Note: this is a behavior change from prior versions. The default is now no additional accept() filter, whereas prior versions unconditionally enabled "httpready" accept() filter
Additionally, server.defer-accept (Linux) is inherited from global scope into $SERVER["socket"] blocks
github: closes #65
2016-05-07 | [core] fix IPv6 address + port parsing (#2204) | Glenn Strauss | 1 | -2/+2
2016-05-07 | build with libressl | Glenn Strauss | 1 | -3/+4
libressl defines SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 as 0x0 (thx Christian Heckendorf)
libressl matches ERR_remove_thread_state() signature from openssl 1.0.2 (libressl pretends that libressl is openssl version 2.0.0, but openssl 1.1.0 changes signature of ERR_remove_thread_state())
libressl does not yet provide compatibility interfaces for the new prototypes introduced in openssl 1.1.0, including DH_set0_pqg() and DH_set_length()
remove OPENSSL_NO_KRB5 from build config (added in 5fab991b in 2005) (define USE_OPENSSL_KERBEROS if required) (Note: OPENSSL_NO_KRB5 removed in openssl 1.1.0)
2016-05-02 | [core] lighttpd -1 handles single request on stdin socket (fixes #1584) | Glenn Strauss | 1 | -0/+10
(e.g. when called from xinetd) Note: lighttpd is designed as a high performance, long-running server, not a one-shot executable. This one-shot mode of operation has not been tuned for performance. lighttpd server start-up and initialization aims for correctness, not speed. If using this one-shot mode as part of fork and exec from xinetd, then performance is already not of high concern. x-ref: "support for xinetd"
2016-05-02 | [network] separate addr trans from socket creation | Glenn Strauss | 1 | -65/+56
separate addr translation from socket creation in network_server_init()
2016-04-24 | [core] compile with upcoming openssl 1.1.0 release (fixes #2727) | Glenn Strauss | 1 | -4/+12
(thx falemagn) x-ref: "Won't compile with OpenSSL 1.1.0"
2016-04-18 | remove handle_joblist hook | Glenn Strauss | 1 | -11/+0
remove handle_joblist hook and remove the hooks defined in mod_fastcgi and mod_scgi. The calls made to fdevent management are redundant. If the calls were actually needed, then mod_proxy would have needed a handle_joblist handler, too.
2016-04-18 | [config] server.listen-backlog option (fixes #1825, #2116) | Glenn Strauss | 1 | -1/+1
See doc/config/lighttpd.conf for explanation of listen() backlog queue Additionally, mod_fastcgi and mod_scgi backend servers can now also be configured with separate listen-backlog settings per server x-ref: "add server.listen-backlog option instead of hard-coded value (128 * 8) for listen()" "Don't disable backend when overloaded" github: Closes #50
2016-03-26 | [core] lighttpd -tt performs preflight startup checks (fixes #411) | Glenn Strauss | 1 | -2/+10
lighttpd -t loads config file and performs syntax check
lighttpd -tt (new) performs preflight startup checks, including loading and initializing modules, but skipping any potentially destructive actions which might affect an already running server (separate instance). These currently include:
- skipping pidfile modification
- skipping bind() to network sockets
- skipping open of error and access logs
From: Glenn Strauss <> git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-03-19 | consistent inclusion of config.h at top of files (fixes #2073) | Glenn Strauss | 1 | -0/+2
From: Glenn Strauss <> git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-03-19 | [ssl] support disabling ssl.verifyclient.activate in SNI callback (fixes #2531) | Stefan Bühler | 1 | -0/+2
From: Stefan Bühler <> git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-03-19 | [core] accept $SERVER["socket"] without port, use server.port as fallback (fixes #2204) | Stefan Bühler | 1 | -3/+8
From: Stefan Bühler <> git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9