warn if no confidentiality flag (GSS_C_CONF_FLAG) returned in flags
after call to gss_accept_sec_context() when SPNEGO Negotiate
(auth.require "method" => "gssapi") and credentials are being
stored (auth.backend.gssapi.store-creds = "enable" (default))
Missing flag GSS_C_CONF_FLAG is no longer an error.
(mod_authn_gssapi is for auth, not used for message transport;
mod_authn_gssapi never uses gss_unwrap())
NB: mod_authn_gssapi should be used over TLS for encryption.
"gssapi - no confidentiality for user"
"Chapter 1 The GSS-API: An Overview" (online reference)
add preprocessor option to force crypto lib used by lighttpd base
-DFORCE_MBEDTLS_CRYPTO for mbed TLS
or -DFORCE_WOLFSSL_CRYPTO for WolfSSL
This allows building lighttpd with support for multiple TLS modules,
and at the same time specifying the lighttpd base crypto lib dependency.
(Packages such as OpenWRT lighttpd package would need to update
package dependency along with specifying the preprocessor define)
If lighttpd is built with meson and without "-Dwith_nettle=true",
then lighttpd will use mbed TLS if built with "-Dwith_mbedtls",
so the preprocessor option is not strictly necessary for mbed TLS.
However, if built with "-Dwith_mbedtls" and "-Dwith_wolfssl" *and*
without "-Dwith_nettle=true" *and* lighttpd base crypto dependency
on WolfSSL is desired, then CFLAGS -DFORCE_WOLFSSL_CRYPTO is needed,
e.g. with a patch to add it to 'defs' near the top of src/meson.build.
"lighttpd authentication modules depends on libnettle"
check r->http_status before handling Range so that error handling is
(re-)invoked only if Range handling returns an error status.
"No setenv.add-response-header lines when http status code is 404"
must use mmap MAP_SHARED for writes to modify file on disk
(MAP_PRIVATE does not modify underlying file on disk)
"gzip dynamic compression broken with source size bigger than 128k"
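
The MAP_SHARED / MAP_PRIVATE difference noted above, as an added example (not lighttpd code). The helper name and the scratch file under /tmp are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Create a 4-byte file holding "AAAA", overwrite it through a mapping made
 * with map_flag (MAP_PRIVATE or MAP_SHARED), then re-read it with pread().
 * Returns 1 if the file content changed, 0 if it did not, -1 on error. */
int mapped_write_reaches_file(int map_flag)
{
    char path[] = "/tmp/mmap-demo-XXXXXX";  /* constructed scratch file */
    char buf[4];
    int rc = -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                           /* removed once fd is closed */
    if (write(fd, "AAAA", 4) == 4) {
        char *p = mmap(NULL, 4, PROT_READ | PROT_WRITE, map_flag, fd, 0);
        if (p != MAP_FAILED) {
            memcpy(p, "BBBB", 4);           /* the write under test */
            msync(p, 4, MS_SYNC);           /* cannot push private pages to the file */
            munmap(p, 4);
            if (pread(fd, buf, 4, 0) == 4)
                rc = (memcmp(buf, "BBBB", 4) == 0);
        }
    }
    close(fd);
    return rc;
}

int main(void)
{
    printf("MAP_PRIVATE write reached file: %d\n",
           mapped_write_reaches_file(MAP_PRIVATE));
    printf("MAP_SHARED  write reached file: %d\n",
           mapped_write_reaches_file(MAP_SHARED));
    return 0;
}
```
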
clarify server.username = "root" error message
clarify server.groupname = "root" error message
Suggest commenting out those directives in lighttpd.conf if set to root.
Just like any normal unix program, lighttpd runs as the
user/group under which the process was started, unless you run
lighttpd as root and instruct lighttpd to setuid/setgid to a
different user/group (via server.username and server.groupname).
That *different* user/group should not be uid/gid 0, or else they
are not *different* from root and might be a configuration mistake.
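
A privilege drop that rejects uid/gid 0 as the target, as an added example (not lighttpd's own code). The function names are hypothetical, and clearing supplementary groups with setgroups(0, NULL) is a choice made for this sketch.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* A drop target is only meaningful if it differs from root in both ids. */
int drop_target_ok(uid_t uid, gid_t gid)
{
    return uid != 0 && gid != 0;
}

/* Hypothetical helper: resolve the configured names and drop to them.
 * Returns 0 on success (or when not started as root), -1 on any failure. */
int drop_privileges(const char *username, const char *groupname)
{
    if (geteuid() != 0) return 0;       /* not root: keep the starting user */
    const struct passwd *pw = getpwnam(username);
    if (pw == NULL) return -1;
    uid_t uid = pw->pw_uid;             /* copy: static buffer may be reused */
    const struct group *gr = getgrnam(groupname);
    if (gr == NULL) return -1;
    gid_t gid = gr->gr_gid;
    if (!drop_target_ok(uid, gid)) {
        fprintf(stderr, "refusing to \"drop\" to uid %ld gid %ld\n",
                (long)uid, (long)gid);
        return -1;
    }
    /* Order matters: supplementary groups and gid first, uid last. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (setuid(0) == 0 || setgid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    printf("uid 0, gid 0   acceptable: %d\n", drop_target_ok(0, 0));
    printf("uid 33, gid 0  acceptable: %d\n", drop_target_ok(33, 0));
    printf("uid 33, gid 33 acceptable: %d\n", drop_target_ok(33, 33));
    return 0;
}
```
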
reset r->http_status and clear response body for http-response-send-file
called from magnet.attract-response-start-to in order to match
http_response_send_file() behavior to send ETag, replace response body
h2: avoid sending tiny DATA frames when h2 window is tiny
and a larger amount of data is pending to be sent;
wait for slightly larger window to be available
note: must temporarily disable this when running h2spec since some
h2spec tests expect 1-byte DATA frame, not a deferred response
Note this may slow down uploads due to delay in sending WINDOW_UPDATE
smaller than the default max frame size (16384), but as a trade-off
this aims to reduce degenerative behavior from clients sending an
increasing number of tiny DATA frames. The default 65535 value for
SETTINGS_INITIAL_WINDOW_SIZE (which lighttpd immediately increases to
65536) is larger than 16384, so deferring small updates should not
exhaust the window (from lighttpd's perspective).
"Slow upload / Increase CPU/Memory usage with HTTP/2 enabled"
"libnghttp2 degenerative behavior possible when HTTP/2 window size exhausted"
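
A small flow-control model of the effect described above, as an added example (not lighttpd or libnghttp2 code). It assumes a greedy sender that emits a DATA frame as soon as any window is available and a receiver that drains a fixed number of bytes per step; the names and the 1 MiB constructed upload are illustrative.

```c
#include <stdio.h>

#define MAX_FRAME   16384L  /* SETTINGS_MAX_FRAME_SIZE default */
#define INIT_WINDOW 65536L  /* stream window after the initial increase */

struct h2_sim { long data_frames, min_frame, window_updates; };

/* Simulate an upload of `total` bytes. The receiver drains `drain` bytes per
 * step and sends WINDOW_UPDATE only once `min_update` bytes are pending. */
struct h2_sim simulate_upload(long total, long drain, long min_update)
{
    struct h2_sim s = { 0, MAX_FRAME, 0 };
    long window = INIT_WINDOW;  /* sender's view of the flow-control window */
    long buffered = 0;          /* received by the server, not yet drained */
    long pending = 0;           /* drained, not yet credited to the sender */
    long sent = 0;

    while (sent < total || buffered > 0) {
        /* sender: fill whatever window exists, up to MAX_FRAME per frame */
        while (sent < total && window > 0) {
            long n = total - sent;
            if (n > window) n = window;
            if (n > MAX_FRAME) n = MAX_FRAME;
            sent += n; window -= n; buffered += n;
            s.data_frames++;
            if (n < s.min_frame) s.min_frame = n;
        }
        /* receiver: drain, then credit the sender only in large steps */
        long d = buffered < drain ? buffered : drain;
        buffered -= d; pending += d;
        if (pending >= min_update) {
            window += pending; pending = 0;
            s.window_updates++;
        }
    }
    return s;
}

int main(void)
{
    struct h2_sim a = simulate_upload(1048576, 1, 1);          /* eager */
    struct h2_sim b = simulate_upload(1048576, 1, MAX_FRAME);  /* deferred */
    printf("eager:    %ld DATA frames, smallest %ld bytes, %ld WINDOW_UPDATE\n",
           a.data_frames, a.min_frame, a.window_updates);
    printf("deferred: %ld DATA frames, smallest %ld bytes, %ld WINDOW_UPDATE\n",
           b.data_frames, b.min_frame, b.window_updates);
    return 0;
}
```
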
Increase stream window size to 64k (from default 64k-1)
Increase session window size to 256k (from default 64k-1)
(multiple of SETTINGS_MAX_FRAME_SIZE (default 16k))
(rely on TCP window scaling and TCP congestion control
to manage client sending too much data)
Window size as multiple of SETTINGS_MAX_FRAME_SIZE (default 16k) may be
friendlier to client buffer management and more efficient for uploading.
Window sizes are not increased to arbitrarily large numbers as the
HTTP/2 flow control may be useful to help simplistic/naive clients
avoid symptoms of buffer bloat.
Bandwidth delay product on high bandwidth, high latency links may be
large, so increasing window sizes may increase performance. However,
lighttpd code does not check actual per-connection RTT or kernel
socket buffer sizes. 256k chosen as session window size, and 192k as
stream window size.
Above changes avoid degenerative behavior from the widely deployed
libnghttp2 which may devolve to sending 1 byte at a time in some cases.
"Slow upload / Increase CPU/Memory usage with HTTP/2 enabled"
Delivering HTTP/2 upload speed improvements
alternative way of handling PROPFIND on collection where the request was
made without a trailing slash. Instead of sending 308 redirect in some
cases, set Content-Location response header *and* treat as if request
had been made with trailing slash on the collection for PROPFIND and
There is a standing convention that when a collection is referred to
by its name without a trailing slash, the server MAY handle the
request as if the trailing slash were present. In this case, it
SHOULD return a Content-Location header in the response, pointing to
the URL ending with the "/".
"The previous workaround for GVFS is breaking the new version of GVFS"
HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)
Since lighttpd 1.4.56, an oversight in config processing missed
setting explicitly p->conf.ssl_enabled = 0 in network.c when
initializing conditions. When ssl.engine = "enable" in lighttpd.conf
global scope, the missing reset in network.c required non-TLS ports
(e.g. $SERVER["socket"] == ":80") to contain ssl.engine = "disable"
in order for requests to those ports to be served rather than erroring.
(This error was discovered during collaboration with jens-maus in
There have been zero other instances of this error reported since the
release of lighttpd 1.4.56 in Nov 2020.
Therefore, having ssl.engine = "enable" inherited from the global scope
is unlikely to have any widespread impact in practice, and enabling
ssl.engine = "enable" (along with TLS certificate configuration) is now
recommended as default. When ssl.engine = "enable" in the global scope,
ssl.engine = "disable" should be specified in those $SERVER["socket"]
conditions where clear-text is desired.
(if required, type may still be overwritten by mod_setenv or mod_magnet)
"Updates to ECMAScript Media Types"
failing error handler produced no output and POLLRDHUP received with
commit dd23fcb2 changed return value from HANDLER_FINISHED to
HANDLER_GO_ON when introducing cgi_process_rd_revents(), and POLLRDHUP
case which previously fell through needed to continue to return
HANDLER_FINISHED after calling cgi_connection_close()
"fall-back with cgi error handler no longer works"