patch needed since lighttpd 1.4.71, where mod_h2 is a standalone module
by default, rather than previous versions of lighttpd having h2.c built-in
to the lighttpd base executable.
x-ref:
"mod_h2 is missing in scons fullstatic build"
https://redmine.lighttpd.net/issues/3224

(renamed w/ '-' instead of '_' for consistency with other feature flags)
global setting; default enabled to preserve existing behavior
If disabled, 404 Not Found is returned if request processing reaches the
step to check filesystem and path, including pathinfo, does not exist.
server.feature-flags += ("server.http-pathinfo" => "disabled")
Note: this global feature is separate from static-file.disable-pathinfo,
which only affects requests not handled by any other module, and finally
handled by mod_staticfile.

stat_cache_refresh_entry() file-scoped static support func separate from
stat_cache_get_entry()
rewrite stat_cache_get_entry() to avoid code repetition

add global config opt to send GOAWAY for invalid auth
(adds cost to and reduces speed of brute force auth password attacks)
global setting; default enabled to preserve existing behavior
Disable with:
server.feature-flags += ("auth.http-goaway-invalid-creds" => 0)
for networks with proxies where multiple requests from *different* clients
are multiplexed on the same h2 connection to lighttpd.

global setting; default enabled to preserve existing behavior
If disabled, 404 Not Found is returned if request processing reaches the
step to check filesystem and path, including pathinfo, does not exist.
server.feature-flags += ("server.http_pathinfo" => "disabled")
Note: this global feature is separate from static-file.disable-pathinfo,
which only affects requests not handled by any other module, and finally
handled by mod_staticfile.

yield writing large HTTP/1.x TLS responses on slow, embedded devices
in order to give other connections a better chance. (Slow, embedded
devices performing TLS encryption might be slower than network speed.)

remove connection_handle_write() HTTP/1.x state change minor optim which
does not apply to HTTP/2 or later use of connection_handle_write(), and
move an HTTP/2 check (okay to apply to HTTP/1.x) into the underlying
connection_write_chunkqueue()

disable keep-alive and close connection after servicing request
if HTTP/1.1 Content-Length and Transfer-Encoding: chunked are
received in the same HTTP/1.1 request.
x-ref:
RFC9112 HTTP/1.1
https://httpwg.org/specs/rfc9112.html#rfc.section.6.1.p.15
"A server MAY reject a request that contains both Content-Length
and Transfer-Encoding or process such a request in accordance
with the Transfer-Encoding alone. Regardless, the server MUST
close the connection after responding to such a request to
avoid the potential attacks."

Protocols like zchunk and zsync may try to send a large number of Ranges
in a single HTTP request. Track if ranges are sorted and allow larger
number of ranges if the list of ranges is already sorted ascending.
If unsorted ranges are encountered, the limit remains 10 ranges due to
the non-linear cost to detect overlapping ranges or other range attacks.
(optimize for code size to save a few bytes, though cold marking on
http_range_process() could be removed for the minimal cost of some
bytes in the binary size)
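
The sorted-versus-unsorted range limit described above, as an added example that is not lighttpd's code: one linear pass tracks whether each range starts after the previous one ends, and the limit of 10 applies as soon as ordering is broken. The function name, the sorted limit of 64 and the restriction to explicit first-last specs are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RANGE_LIMIT_UNSORTED 10 /* limit stated in the commit message */
#define RANGE_LIMIT_SORTED   64 /* assumed value; the page gives no number */

/* Hypothetical helper: returns the number of ranges accepted, or -1 if the
 * header is malformed or exceeds the limit for the ordering seen so far.
 * Only explicit "first-last" specs are handled, e.g. "bytes=0-99,200-299". */
static int range_count_allowed(const char *hdr) {
    if (0 != strncmp(hdr, "bytes=", 6)) return -1;
    const char *p = hdr + 6;
    unsigned long long prev_last = 0;
    int n = 0, sorted = 1;
    for (;;) {
        char *e;
        if (*p < '0' || *p > '9') return -1;
        unsigned long long first = strtoull(p, &e, 10);
        if (*e != '-' || e[1] < '0' || e[1] > '9') return -1;
        unsigned long long last = strtoull(e + 1, &e, 10);
        if (last < first) return -1;
        /* ascending and non-overlapping: starts after the previous range ends */
        if (n > 0 && first <= prev_last) sorted = 0;
        prev_last = last;
        /* the larger limit applies only while every range so far was in order */
        if (++n > (sorted ? RANGE_LIMIT_SORTED : RANGE_LIMIT_UNSORTED)) return -1;
        if (*e == '\0') return n;
        if (*e != ',') return -1;
        p = e + 1;
    }
}

int main(void) {
    /* constructed sample headers */
    printf("%d\n", range_count_allowed("bytes=0-99,200-299,400-499"));
    printf("%d\n", range_count_allowed("bytes=200-299,0-99"));
    return 0;
}
```

Because the ordering check compares only against the previous range, the cost stays linear in the number of ranges, which is what makes the higher limit affordable for sorted input.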