Commit Graph

87 Commits

Author SHA1 Message Date
Glenn Strauss 6ec66c4dce [core] better DragonFlyBSD support (fixes #2746)
(thx xenu)

  "[PATCH] better DragonFlyBSD support; fix crash"
2016-08-20 14:19:10 -04:00
Glenn Strauss 5e76b284df [mod_accesslog] %a %A %C %D %k %{}t %{}T (fixes #1145, fixes #1415, fixes #2081)
add support for additional commonly-used accesslog format flags

  "mod_accesslog cookie field support %{VARNAME}C"
  "access_log : %D time used in ms (not supported)"
  "%{format}t support"
2016-07-12 23:03:16 -04:00
Glenn Strauss fe02be7e34 [core] make server.max-request-size scopeable (fixes #1901)
  "make server.max-request-size scopeable"
2016-07-09 11:01:13 -04:00
Glenn Strauss 695c8f4e07 [config] config options to stream request/response (#949, #376)
This allows admin to configure if response is collected in entirety
prior to sending data to client

For compatibility with existing configs, default is existing behavior:
  buffer entire response prior to sending data to client

The following are config options, though not all implemented yet

// default: buffer entire request body before connecting to backend = 0
// stream request body to backend; buffer to temp files = 1
// stream request body to backend; minimal buffering might block upload = 2

// default: buffer entire response body before sending to client = 0
// stream response body to client; buffer to temp files = 1
// stream response body to client; minimal buffering might block backend = 2

  "fastcgi, cgi, flush, php5 problem."
  "Reimplement upload (POST) handling to match apache/zeus/thttpd/boa functionality"
2016-06-19 23:34:15 -04:00
Glenn Strauss 4eeeb8fc76 [config] server.bsd-accept-filter option
BSD accept() filters

server.bsd-accept-filter = ""           (default)
server.bsd-accept-filter = "httpready"
server.bsd-accept-filter = "dataready"

Note: this is a behavior change from prior versions.
The default is now no additional accept() filter, whereas prior
versions unconditionally enabled "httpready" accept() filter

Additionally, server.defer-accept (Linux) is inherited from global scope
into $SERVER["socket"] blocks

github: closes #65
2016-06-04 18:59:03 -04:00
Glenn Strauss b47494d4cd [config] opts for http header parsing strictness (fixes #551, fixes #1086, fixes #1184, fixes #2143, #2258, #2281, fixes #946, fixes #1330, fixes #602, #1016)
server.http-parseopt-header-strict  = "enable"
server.http-parseopt-host-strict    = "enable"  (implies host-normalize)
server.http-parseopt-host-normalize = "disable"

defaults retain current behavior, which is strict header parsing
and strict host parsing, with enhancement to normalize IPv4 address
and port number strings.

For lighttpd tests, these need to be enabled (and are by default)
For marginally faster HTTP header parsing for benchmarks, disable these.

To allow
  - underscores in hostname
  - hyphen ('-') at beginning of hostname
  - all-numeric TLDs
  server.http-parseopt-host-strict    = "disable"

  "lighttpd doesn't allow underscores in host names"
  "hyphen in hostname"
  "a numeric tld"
  "Numeric tld's"
  "Bad Request"
  "400 Bad Request when using Numeric TLDs"

To allow a variety of numerical formats to be converted to IP addresses
  server.http-parseopt-host-strict    = "disable"
  server.http-parseopt-host-normalize = "enable"

  "URL encoding leads to "400 - Bad Request""
  "400 Bad Request when using IP's numeric value ("ip2long()")"

To allow most 8-bit and 7-bit chars in headers
  server.http-parseopt-header-strict  = "disable"  (not recommended)

  "Russian letters not alowed?"
  "header Content-Disposition with russian '?' (CP1251, ascii code 255) causes error"
2016-05-19 19:15:13 -04:00
Glenn Strauss 98acff0ea0 [core] add default modules while processing server config
(instead of doing separately, before processing server config)
2016-05-10 22:32:03 -04:00
Glenn Strauss 1ca52fdce3 build with libressl
libressl defines SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 as 0x0
  (thx Christian Heckendorf)

libressl matches ERR_remove_thread_state() signature from openssl 1.0.2
  (libressl pretends that libressl is openssl version 2.0.0,
   but openssl 1.1.0 changes signature of ERR_remove_thread_state())

libressl does not yet provide compatibility interfaces for the new
  prototypes introduced in openssl 1.1.0, including
  DH_set0_pqg() and DH_set_length()

remove OPENSSL_NO_KRB5 from build config (added in 5fab991b in 2005)
  (define USE_OPENSSL_KERBEROS if required)
  (Note: OPENSSL_NO_KRB5 removed in openssl 1.1.0)
2016-05-07 12:50:41 -04:00
Glenn Strauss dbdab5dbc9 [core] server.error-handler new directive for error pages (fixes #2702)
server.error-handler preserves HTTP status error code when error page
is static, and allows dynamic handlers to change HTTP status code
when error page is provided by dynamic handler.  server.error-handler
intercepts all HTTP status codes >= 400 except when the content is
generated by a dynamic handler (cgi, ssi, fastcgi, scgi, proxy, lua).
The request method is unconditionally changed to GET for the request
to service the error handler, and the original request method is
later restored (for logging purposes).  request body from the
original request, if present, is discarded.

server.error-handler is somewhat similar to server.error-handler-404,
but server.error-handler-404 is now deprecated, intercepts only 404
and 403 HTTP status codes, and returns 200 OK for static error pages,
a source of confusion for some admins.  On the other hand, the new
server.error-handler, when set, will intercept all HTTP status error
codes >= 400.  server.error-handler takes precedence over
server.error-handler-404 when both are set.

NOTE: a major difference between server.error-handler and the
now-deprecated server.error-handler-404 is that the values of the
non-standard CGI environment variables REQUEST_URI and REDIRECT_URI
have been swapped.  Since REDIRECT_STATUS is the original HTTP
status code, REDIRECT_URI is now the original request, and REQUEST_URI
is the current request (e.g. the URI/URL to the error handler).
The prior behavior -- which reversed REQUEST_URI and REDIRECT_URI values
from those described above -- is preserved for server.error-handler-404.

Additionally, REDIRECT_STATUS is now available to mod_magnet, which
continues to have access to request.uri and request.orig_uri.

See further discussion at

github: closes #36
2016-04-25 01:01:08 -04:00
Glenn Strauss 87b172e70e remove unused con->error_handler member
Also remove con->in_error_handler member since non-zero
con->error_handler_saved_status can be used as flag to
indicate the same thing
2016-04-25 01:01:08 -04:00
Glenn Strauss 71ed1912c7 [config] server.listen-backlog option (fixes #1825, #2116)
See doc/config/lighttpd.conf for explanation of listen() backlog queue

Additionally, mod_fastcgi and mod_scgi backend servers can now also be
configured with separate listen-backlog settings per server

  "add server.listen-backlog option instead of hard-coded value (128 * 8) for listen()"
  "Don't disable backend when overloaded"

Closes #50
2016-04-18 04:29:28 -04:00
Glenn Strauss d17d48e01e [stat] mimetype.xattr-name global config option (fixes #2631)
For backwards compatibility with existing lighttpd configs, default is
  mimetype.xattr-name = "Content-Type"

Those who wish to use the definition of xattr mimetype
can set the following in the global lighttpd config:
  mimetype.xattr-name = "user.mime_type"

From: Glenn Strauss <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-03-26 13:49:43 +00:00
Glenn Strauss 292309f88b [core] lighttpd -tt performs preflight startup checks (fixes #411)
lighttpd -t loads config file and performs syntax check
lighttpd -tt (new) performs preflight startup checks,
  including loading and initializing modules, but skipping any
  potentially destructive actions which might affect an already
  running server (separate instance).  These currently include:
  - skipping pidfile modification
  - skipping bind() to network sockets
  - skipping open of error and access logs

2016-03-26 13:39:54 +00:00
Glenn Strauss 8abd06a7ff consistent inclusion of config.h at top of files (fixes #2073)
2016-03-19 15:14:35 +00:00
Stefan Bühler ad65603ec0 [core] fix conditional cache handling
- add new "skip" result to mark conditions that didn't actually get
  evaluated to false but just skipped because the preconditions failed.
- add "local_result" for each cache entry to remember whether the
  condition itself matched (not including the preconditions).
  this can be reused after a cache reset if the condition itself was not
  reset, but the preconditions were
- clear result of subtree (children and else-branches) when clearing a
  condition cache

2016-02-21 18:32:14 +00:00
Stefan Bühler a069548370 [core] revert increase of temp file size back to 1MB, provide a configure option "server.upload-temp-file-size" instead (fixes #2680)
2015-11-07 12:51:14 +00:00
Stefan Bühler d8b363c1d1 [stat-cache] fix FAM cleanup/fdevent handling
2013-11-13 11:43:31 +00:00
Stefan Bühler 1af871fcef [ssl] fix SNI handling; only use key+cert+verify-client from SNI specific config (fixes #2525, CVE-2013-4508)
pull all values into all SSL_CTXs, but use only the local for verify-client; correct SNI name is no requirement,
so enforcing verification for a subset of SNI names doesn't actually
protect those.

2013-11-05 15:29:07 +00:00
Stefan Bühler 3ce548c8d0 remove unused members from struct server_socket
2013-11-05 15:29:04 +00:00
Stefan Bühler 559b198f86 [auth] put REMOTE_USER into cgi environment, making it accessible to lua via lighty.req_env (fixes #2495)
2013-08-30 13:14:52 +00:00
Stefan Bühler 93fd9ea7a4 [ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492)
if ssl.empty-fragments is set to enabled, but the openssl version used
  to compile lighttpd doesn't support empty fragments, a warning is
  displayed (it might still work).

2013-08-30 13:14:50 +00:00
Stefan Bühler 05858f6cf2 [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501)
con->conf.is_ssl got removed and replaced by:
 * con->conf.ssl_enabled for the config var "ssl.engine" - it is only
   used to determine which server-sockets should use ssl. (usually not
   needed as it is mandatory and enough to set ssl.pemfile anyway)
 * con->srv_socket->is_ssl to detect the actual ssl status of the
   bound socket, which is the same as the ssl status of the connection
 * con->uri.scheme for the actual $HTTP["scheme"] value, also used for
   the CGI "HTTPS=ON" variable. This defaults to "https" if the
   connection uses ssl, but can be changed for example by mod_extforward
   if X-Forwarded-Proto: is set to either "http" or "https" (other values
   are ignored right now)

Also removed the broken srv_socket->is_proxy_ssl as it was a connection
value in a server_socket struct...

2013-07-31 20:23:21 +00:00
Stefan Bühler 0f96222e7e [ssl] add option to honor server cipher order, true by default (fixes #2364)
2011-11-30 19:59:24 +00:00
Stefan Bühler a94bdd07df [ssl] count renegotiations to prevent client renegotiations
2011-11-30 18:40:08 +00:00
Stefan Bühler f434d514ad Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems.
2011-08-22 15:12:28 +00:00
Stefan Bühler f610f894a3 ssl: Support for Diffie-Hellman and Elliptic-Curve Diffie-Hellman key exchange (fixes #2301, #2246, #2239)
- add ssl.use-sslv3
- load all algorithms

2011-03-13 18:00:09 +00:00
Stefan Bühler e23e999089 bind to IPV6-only if ipv6 address was specified (
2010-08-07 13:16:16 +00:00
Stefan Bühler f601b8028b Append to previous buffer in con read (fixes #2147, found by liming, CVE-2010-0295)
* Remove ssl_error_want_reuse_buffer for SSL_read:
  Although the manual states we have to use the same arguments in the
  next call after SSL_ERROR_WANT_*, it has been running without this
  in 1.5 for a long time now.
* As POST-data chunks get copied to the next queue, we reuse chunks
  there as well.

2010-02-01 23:28:50 +00:00
Stefan Bühler e430ce09bc export some SSL_CLIENT_* vars for client cert validation (fixes #1288, thx presbrey)
2009-11-05 21:46:48 +00:00
Stefan Bühler b987643307 Add SSL Client Certificate verification (#1288)
2009-10-14 18:19:19 +00:00
Peter Colberg 8b6dae4139 Add TLS servername indication (SNI) support (fixes #386, thx Peter Colberg <>)
* This patch may "break" some configs, if they do stupid things. Like setting
  ssl.pemfile to a not existing file in a "non-socket/non-ssl" block.
  Fix them! :)

2009-10-14 13:39:59 +00:00
Stefan Bühler 67cb38d0ca always define _GNU_SOURCE
2009-10-12 10:39:36 +00:00
Stefan Bühler 22e8b456a9 Fix header inclusion order, always include "config.h" before any system header
2009-10-11 14:31:42 +00:00
Stefan Bühler d69683ddb5 Remember keep-alive-idle in separate variable (fixes #1988)
2009-10-11 13:16:03 +00:00
Stefan Bühler fbdb305f8a Add server.breakagelog, a "special" stderr (fixes #1863)
* The breakage-log simply replaces stderr (the old stderr is moved away if needed for errorlog),
  and stderr isn't closed after forking.
  It defaults to stderr if started with -n (no daemonize), otherwise it defaults to /dev/null.
  It is _not_ reopened in log_error_cycle, as there may be many long-running children which have it
  still open anyway. Use a pipe-logger with cycle-support if you need it.

2009-06-21 17:25:39 +00:00
Stefan Bühler 28e198d5a5 Use unsigned int (and T_CONFIG_INT) for max_request_size
2009-06-21 17:25:30 +00:00
Stefan Bühler 0d8c6accd7 Add T_CONFIG_INT for bigger integers from the config (needed for #1966)
2009-06-21 17:25:24 +00:00
Stefan Bühler 7ad4792357 Add support for "real" entropy from /dev/[u]random (fixes #1977)
2009-06-11 09:53:34 +00:00
Stefan Bühler 0226d4bf36 Add option to enable TCP_DEFER_ACCEPT (fixes #1447)
2009-04-26 17:59:55 +00:00
Stefan Bühler 1527160c69 Add support for pipe logging for server.errorlog (fixes #296)
2009-04-10 10:50:51 +00:00
Stefan Bühler def70d86e9 Remove the optional port info from SERVER_NAME (thx Mr_Bond)
2009-04-09 16:51:44 +00:00
Stefan Bühler a6218765c2 Fix some problems with more strict compilers (#1923)
2009-03-07 13:54:10 +00:00
Stefan Bühler 22bee5ad52 Silenced the annoying "request timed out" warning, enable with the "debug.log-timeouts" option (fixes #1529)
2009-02-05 21:54:47 +00:00
Stefan Bühler cb91487c8d Add option to ignore the "Expect: 100-continue" header instead of returning 417 Expectation failed (closes #1017)
2009-02-04 15:16:29 +00:00
Stefan Bühler 19588f6ee6 Hide some ssl errors per default, enable them with debug.log-ssl-noise (#397)
2008-08-19 17:40:42 +00:00
Elan Ruusamäe af4be7d0ce - HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. (#1499)
2008-01-18 09:07:54 +00:00
Jan Kneschke 3940c60e68 fixed aggressive caching of conditionals (#41)
$HTTP["url"] =~ "" { cgi.assign = ... } fails if there is a module
loaded which is called before uri_clean is set (mod_extforward,
mod_rewrite, ...)

- merged [1792], [1798], [1807], [1810], [1811] from trunk

2007-08-18 09:27:11 +00:00
Marcus Rückert 5a583661e3 - only generate the etag_flags once and store them in the connections

2007-07-03 18:47:00 +00:00
Jan Kneschke b2a96c959a added static-file.etags, etag.use-inode, etag.use-mtime,
etag.use-size to customize the generation of ETags for 
static files. (fixes #1209) (patch by <>)

2007-06-15 15:51:16 +00:00
Marcus Rückert e61146a740 - applied patch from (#1039)
References to FAM stat cache engine should be conditional

2007-02-19 13:55:07 +00:00