call connection_state_machine_h2() only if con->h2 has been initialized
(additional safeguard for #3152)
x-ref:
"Random Segfaults with version 1.4.64 w/ mod_sockproxy and ALPN h2"
https://redmine.lighttpd.net/issues/3152
server.feature-flags += ("auth.delay-invalid-creds" => "enable")
The default is enabled. This feature delays a response to bad http auth
(invalid username or password) to the next second, so up to 1 sec delay.
Delaying the response greatly reduces the efficiency of brute force
password attacks, limiting tries to one-per-second per connection.
Limiting the number of client connections allowed by lighttpd with
server.max-connections sets an upper bound on password tries per second,
but also makes it easier for an attacker to DoS (denial of service) the
server. Therefore, while this mitigation is enabled by default, it can
be disabled with
server.feature-flags += ("auth.delay-invalid-creds" => "disable")
(thx ultimator)
do not set r->http_version to HTTP_VERSION_2 when selecting TLS ALPN
if r->handler_module already set, since handler module is likely
mod_sockproxy, and con->h2 will not get initialized.
This does continue to select "h2", so the mod_sockproxy backend
should be prepared to receive the HTTP/2 client connection preface.
x-ref:
"Random Segfaults with version 1.4.64 w/ mod_sockproxy and ALPN h2"
https://redmine.lighttpd.net/issues/3152
option for partial PUT via copy/modify/rename
webdav.opts += ("partial-put-copy-modify" => "enable")
Some modern filesystems support efficiently cloning files,
making it less expensive to copy to a tempfile, modify, and
atomically rename the modified tempfile to replace the original.
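The copy/modify/rename sequence the option above describes, as an added stand-alone illustration (not mod_webdav's code): the temp file is created in the same directory so that os.replace() is an atomic rename on the same filesystem, the copy goes through shutil.copyfile (which on Linux uses copy_file_range/sendfile where available; whether the filesystem turns that into a cheap clone is an assumption about the platform), and the patched copy is fsync'd before it replaces the original. The file name and contents in demo() are constructed test data.

```python
import os
import shutil
import tempfile


def partial_put(path, offset, data):
    """Apply a byte-range write to `path` without ever exposing a half-written file.

    1. copy the original to a temp file in the same directory (same filesystem,
       so the final rename is atomic);
    2. write `data` at `offset` in the copy;
    3. fsync the copy, then os.replace() it over the original.
    A concurrent reader sees either the complete old file or the complete new one.
    """
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".put-", dir=dirname)
    try:
        os.close(fd)
        shutil.copyfile(path, tmp)      # fast path: copy_file_range/sendfile where available
        shutil.copymode(path, tmp)      # keep the original permission bits
        with open(tmp, "r+b") as f:
            f.seek(offset)              # an offset past EOF simply extends the file
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)           # atomic rename over the original
        if os.name == "posix":          # also persist the directory entry
            dfd = os.open(dirname, os.O_RDONLY)
            try:
                os.fsync(dfd)
            finally:
                os.close(dfd)
    except BaseException:
        try:
            os.unlink(tmp)              # never leave a stray temp copy behind
        except FileNotFoundError:
            pass
        raise
    return os.path.getsize(path)


def demo():
    """Constructed example: overwrite bytes 6..9 of a 16-byte file, then report
    the new contents and the directory listing (no temp file must remain)."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "object.bin")
    with open(p, "wb") as f:
        f.write(b"0123456789abcdef")
    partial_put(p, 6, b"WXYZ")
    with open(p, "rb") as f:
        out = f.read()
    listing = sorted(os.listdir(d))
    shutil.rmtree(d)
    return out, listing


if __name__ == "__main__":
    print(demo())
```

The same pattern also covers the failure case the option exists for: if the process dies between copy and rename, the original is untouched and only an orphaned ".put-*" file is left to clean up.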
send HTTP/2 SETTINGS_NO_RFC7540_PRIORITIES=1 with server connection
preface
RFC9218 Extensible Prioritization Scheme for HTTP
2.1 Disabling RFC 7540 Priorities
If endpoints use SETTINGS_NO_RFC7540_PRIORITIES they MUST send it in
the first SETTINGS frame.
RFC7540 Hypertext Transfer Protocol Version 2 (HTTP/2)
6.5.3. Settings Synchronization
Unsupported parameters MUST be ignored.
x-ref:
https://datatracker.ietf.org/doc/html/rfc9218
https://datatracker.ietf.org/doc/html/rfc7540
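Two of the entries above describe the same wire-level moment, so one added example (not lighttpd's code) covers both: the mod_sockproxy note says a backend that receives an ALPN-selected "h2" connection must be prepared for the HTTP/2 client connection preface rather than an HTTP/1.1 request line, and the SETTINGS entry says the server's first SETTINGS frame is where SETTINGS_NO_RFC7540_PRIORITIES=1 (identifier 0x9 per RFC 9218) must go, with unknown identifiers ignored by the peer per RFC 7540 6.5.3. The code below tells the 24-byte preface apart from HTTP/1.x, builds a server connection preface, and decodes a client SETTINGS frame with the checks RFC 7540 6.5 requires. The client bytes in demo_exchange() are constructed; the unknown identifier 0xFF is chosen only to show that it is skipped.

```python
import struct

H2_CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # RFC 7540 3.5, 24 bytes
FRAME_SETTINGS = 0x4
FLAG_ACK = 0x1

# Identifiers from RFC 7540 6.5.2, plus 0x8 (RFC 8441) and 0x9 (RFC 9218 2.1)
SETTINGS_NAMES = {
    0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH", 0x3: "MAX_CONCURRENT_STREAMS",
    0x4: "INITIAL_WINDOW_SIZE", 0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE",
    0x8: "ENABLE_CONNECT_PROTOCOL", 0x9: "NO_RFC7540_PRIORITIES",
}
SETTINGS_NO_RFC7540_PRIORITIES = 0x9


def classify_preface(buf):
    """What a raw-socket backend (the mod_sockproxy case) sees first.
    Returns 'h2', 'http1', or 'need-more' when the prefix still matches."""
    n = min(len(buf), len(H2_CLIENT_PREFACE))
    if buf[:n] == H2_CLIENT_PREFACE[:n]:
        return "h2" if n == len(H2_CLIENT_PREFACE) else "need-more"
    return "http1"


def encode_settings(params, ack=False):
    """One SETTINGS frame on stream 0: 24-bit length, type, flags, 32-bit stream id."""
    payload = b"" if ack else b"".join(struct.pack("!HI", i, v) for i, v in params.items())
    header = (struct.pack("!I", len(payload))[1:]
              + bytes([FRAME_SETTINGS, FLAG_ACK if ack else 0])
              + struct.pack("!I", 0))
    return header + payload


def server_connection_preface(extra=None):
    """The server preface is a SETTINGS frame that must be the first frame sent;
    RFC 9218 2.1 requires NO_RFC7540_PRIORITIES, if used, to be in that frame."""
    params = {SETTINGS_NO_RFC7540_PRIORITIES: 1}
    if extra:
        params.update(extra)
    return encode_settings(params)


def parse_frame(buf):
    """Split one frame off `buf`: (type, flags, stream_id, payload, remainder)."""
    if len(buf) < 9:
        raise ValueError("need 9-byte frame header")
    length = int.from_bytes(buf[:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF   # drop reserved bit
    if len(buf) < 9 + length:
        raise ValueError("truncated frame")
    return ftype, flags, stream_id, buf[9:9 + length], buf[9 + length:]


def parse_settings(ftype, flags, stream_id, payload):
    """Decode SETTINGS per RFC 7540 6.5; returns ({name: value}, [ignored ids]).
    Unknown identifiers are ignored (6.5.3), so a peer that predates RFC 9218
    never even notices NO_RFC7540_PRIORITIES."""
    if ftype != FRAME_SETTINGS:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:
        raise ValueError("PROTOCOL_ERROR: SETTINGS on stream %d" % stream_id)
    if flags & FLAG_ACK:
        if payload:
            raise ValueError("FRAME_SIZE_ERROR: SETTINGS ACK with payload")
        return {}, []
    if len(payload) % 6:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS length %d" % len(payload))
    known, ignored = {}, []
    for off in range(0, len(payload), 6):
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        if (ident == 0x2 or ident == 0x9) and value > 1:          # boolean settings
            raise ValueError("PROTOCOL_ERROR: setting 0x%x=%d" % (ident, value))
        if ident == 0x4 and value > 0x7FFFFFFF:
            raise ValueError("FLOW_CONTROL_ERROR: INITIAL_WINDOW_SIZE %d" % value)
        if ident == 0x5 and not 16384 <= value <= 0xFFFFFF:
            raise ValueError("PROTOCOL_ERROR: MAX_FRAME_SIZE %d" % value)
        if ident in SETTINGS_NAMES:
            known[SETTINGS_NAMES[ident]] = value
        else:
            ignored.append(ident)
    return known, ignored


def demo_exchange():
    """Constructed client bytes: preface, then SETTINGS carrying a known id, the
    RFC 9218 id, and an unknown id 0xFF. Returns what the server decoded and the
    server preface it would answer with."""
    client = H2_CLIENT_PREFACE + encode_settings({0x3: 100, 0x9: 1, 0xFF: 7})
    assert classify_preface(client[:10]) == "need-more"
    assert classify_preface(client) == "h2"
    ftype, flags, sid, payload, _rest = parse_frame(client[len(H2_CLIENT_PREFACE):])
    known, ignored = parse_settings(ftype, flags, sid, payload)
    return known, ignored, server_connection_preface({0x5: 16384})


if __name__ == "__main__":
    print(demo_exchange())
```

A backend behind mod_sockproxy that only speaks HTTP/1.1 will answer the preface with a 400 (or worse, try to parse "PRI * HTTP/2.0" as a request), which is why the note says the backend must be prepared for it when "h2" is still being selected.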
allow redirect and rewrite extended substitution when lighttpd is built
without pcre. When built without pcre, url.rewrite and url.redirect
always match first list entry as if it were "", and numerical
substitutions ($0 %0 $1 %1 etc) are always ignored, but other extended
substitutions (e.g. ${url.path}) may still occur.
perl test framework now runs most tests even when lighttpd has been
built without pcre support, though some tests which rely on regex
are skipped (tests/core-condition.t)
When reading certificates, warn if leaf certificate is inactive/expired
(according to notBefore, notAfter fields of leaf certificate)
(note: not adding a delta for fudge factor when comparing times)
(note: not currently verifying each certificate in chain)
(thx pegasus)
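What that warning has to look at, as an added example rather than lighttpd's own code (lighttpd gets the dates from its TLS library; on the command line the equivalent is openssl x509 -noout -dates): notBefore/notAfter live in the validity SEQUENCE of the TBSCertificate, and UTCTime years are two digits with the RFC 5280 rule that 50..99 mean 19xx. The DER walker below extracts them from any DER-encoded certificate and classifies it against a given time with no fudge delta and, like the entry says, without looking at the rest of the chain. constructed_cert() builds a structurally valid but otherwise empty certificate skeleton purely as test input; it is not a real certificate.

```python
import datetime as dt


def _tlv(buf, pos):
    """Decode one DER TLV at `pos` (definite lengths only): (tag, value, next_pos)."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long form: next k bytes hold the length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def _children(seq):
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out


def _time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                                # UTCTime YYMMDDHHMMSSZ (RFC 5280 4.1.2.5.1)
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                              # 0x18 = GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def cert_validity(der):
    """(notBefore, notAfter) of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _tag, cert, _ = _tlv(der, 0)
    tbs = _children(cert)[0][1]
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # explicit [0] version present (v2/v3)
        fields = fields[1:]
    validity = fields[3][1]                        # serial, sigalg, issuer, validity
    nb, na = _children(validity)
    return _time(*nb), _time(*na)


def check_leaf(der, now_ts=None):
    """'inactive', 'expired' or 'ok' for the leaf only, compared exactly (no slack)."""
    now = (dt.datetime.now(dt.timezone.utc) if now_ts is None
           else dt.datetime.fromtimestamp(now_ts, dt.timezone.utc))
    not_before, not_after = cert_validity(der)
    if now < not_before:
        return "inactive"
    if now > not_after:
        return "expired"
    return "ok"


def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(b)]) + b
    return bytes([tag]) + length + content


def constructed_cert(not_before, not_after):
    """Constructed fixture: version v3, serial 1, empty algorithm/name/key fields,
    a UTCTime validity, and an empty signature. Enough for cert_validity(); NOT
    a certificate any TLS stack would accept."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"")
           + _der(0x30, _der(0x17, not_before) + _der(0x17, not_after))
           + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    c = constructed_cert(b"220101000000Z", b"230101000000Z")
    print(cert_validity(c), check_leaf(c))
```

For a PEM file from a real ssl.pemfile, base64-decode the body between the BEGIN/END CERTIFICATE lines (the first block is the leaf) and hand the bytes to check_leaf(); the chain certificates after it are exactly what the entry says is not yet being verified.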
disable CGI stdin input optimizations if CGI might Upgrade connection,
since if we upgrade protocols, the original Content-Length -- expected
to be 0 for Upgrade -- does not represent the end of the input.
reduce trace on Upgrade'd backend connection when ECONNRESET received,
which, for example, apparently might occur if a backend calls close()
on socket without first calling shutdown(fd, SHUT_WR) -- seen on Linux
kernel 5.16.15 where lighttpd received ECONNRESET when trying to read()
(instead of receiving EOF).
ensure socket ready for writing before checking connect() status
(sanity check in case request gets rescheduled for another reason
before the socket is ready for writing)
connect to backend (mod_cgi, mod_proxy, mod_sockproxy, mod_wstunnel)
for streaming request body without waiting for initial data in request
body. Useful for things like websockets when data starts on server-side
Add support for WebSockets over HTTP/2 to lighttpd core and to
mod_cgi w/ config: cgi.upgrade = "enable"
mod_proxy w/ config: proxy.header += ("upgrade" => "enable")
mod_wstunnel
HTTP/2 CONNECT extension defined in RFC8441 is translated to HTTP/1.1
'Upgrade: websocket' requests to mod_cgi or mod_proxy, and is handled
directly in mod_wstunnel.
x-ref:
WebSockets over HTTP/2
https://redmine.lighttpd.net/issues/3151
Bootstrapping WebSockets with HTTP/2
https://datatracker.ietf.org/doc/html/rfc8441
allow removal of lighty.r.req_env[] element by assigning nil value
(blank values ("") are permitted for environment variables,
unlike request and response headers)
(thx Lars Bingchong)
empty env var must be set to blank string and not left unset
(regression in lighttpd 1.4.56 - lighttpd 1.4.64)
x-ref:
https://stackoverflow.com/a/52913064/1338888
append to X-Forwarded-For
overwrite X-Host, X-Forwarded-Host, X-Forwarded-Proto
(with value that might be obtained from trusted downstream proxy
configured with mod_extforward)
(do not blindly pass through client-provided values, unless
mod_extforward has been configured to trust the downstream proxy)
(RFC 7239 Forwarded is a standardized header with structured format
and ought to be preferred over the legacy X-* headers, where available)
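The header policy spelled out above, as an added example that is not mod_proxy's or mod_extforward's code: X-Forwarded-For is appended to, X-Forwarded-Proto/X-Forwarded-Host/X-Host are overwritten with what this hop actually observed unless the peer is in a configured trusted-proxy list (the mod_extforward case), and an RFC 7239 Forwarded element is emitted alongside, with the IPv6 quoting RFC 7239 5 requires. The trusted-proxy list as a CIDR list and the header names in the test data are assumptions; the addresses are documentation-range values constructed for the example.

```python
import ipaddress

_TCHAR = set("!#$%&'*+-.^_`|~0123456789"
             "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def _quote(v):
    """RFC 7239 values are token or quoted-string; 'host:port' needs the quotes."""
    if v and all(c in _TCHAR for c in v):
        return v
    return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'


def forwarded_element(client_ip, scheme, host, upstream=None):
    """One 'for=...;proto=...;host=...' element; IPv6 literals are bracketed and
    quoted. A trusted upstream's own Forwarded list is kept in front so the
    chain reads in hop order, exactly like X-Forwarded-For."""
    a = ipaddress.ip_address(client_ip)
    forv = '"[%s]"' % a if a.version == 6 else str(a)
    elem = "for=%s;proto=%s;host=%s" % (forv, scheme, _quote(host))
    return (upstream + ", " + elem) if upstream else elem


def proxy_headers(client_ip, scheme, host, client_headers, trusted_proxies=()):
    """Headers to send to the backend for a request from `client_ip` that this
    hop received over `scheme` for `host`. Only a trusted downstream proxy may
    override proto/host; everybody else's X-Forwarded-* claims are discarded."""
    addr = ipaddress.ip_address(client_ip)
    trusted = any(addr in ipaddress.ip_network(n, strict=False) for n in trusted_proxies)
    incoming = {k.lower(): v for k, v in client_headers}

    xff = incoming.get("x-forwarded-for")                   # always append, never replace
    out = {"X-Forwarded-For": (xff + ", " + client_ip) if xff else client_ip}

    if trusted:                                             # believe the trusted hop
        scheme = incoming.get("x-forwarded-proto", scheme)
        host = incoming.get("x-forwarded-host", host)
    out["X-Forwarded-Proto"] = scheme                       # otherwise: what we saw
    out["X-Forwarded-Host"] = host
    out["X-Host"] = host
    out["Forwarded"] = forwarded_element(
        client_ip, scheme, host, incoming.get("forwarded") if trusted else None)
    return out


if __name__ == "__main__":
    # Constructed: an untrusted client trying to spoof proto/host via X-Forwarded-*
    print(proxy_headers("203.0.113.7", "https", "example.test",
                        [("X-Forwarded-Proto", "http"), ("X-Forwarded-Host", "evil.test")]))
```

The untrusted case is the one that matters for anything downstream that builds redirects or cookies from X-Forwarded-Host: the spoofed values never reach the backend, while the client's address still lands at the end of both chains.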