buffer_commit() is called by routines which preallocate for operations
like read(). The caller must properly manage the memory. The checks
removed from buffer_commit() are too late.
special-case OPTIONS * and CONNECT in http_response_prepare()
http_response_prepare() is no longer revisited if r->handler_module
is set, so it is no longer necessary to fill r->physical.path for
CONNECT
improve HTTP/2 behavior when server.max-request-size reached
accept slightly more data than max-request-size if END_STREAM flag recvd
reduce rwin so that client may exceed server.max-request-size, but not
by much. (client might ignore and might send a firehose of data anyway)
accept up to 64k more data to potentially sink data that was in-flight
beyond the rwin, in order to allow server to send 413 Payload Too Large
before resetting the stream.
merge http_response_send_file 0-sized file special case
(historically was a short-circuit before Range handling,
but Range handling has been rewritten and moved elsewhere)
reuse cache lookup in common case of serving a static file
rather than repeating the stat_cache_entry lookup
(which is more work than memcmp() to re-check stat_cache_entry match)
HTTP/2 requires that TLS protocol >= TLSv1.2
HTTP/2 requires that TLS record compression be disabled
HTTP/2 requires that TLSv1.2 renegotiation be disabled
HTTP/2 requires that TLS SNI extension be presented with ALPN h2
(not enforced;
SNI omitted by client when connecting to IP instead of to name)
RFC 7540 9.2 Use of TLS Features
"Implementations are encouraged to provide defaults that comply,
but it is recognized that deployments are ultimately responsible
for compliance."
If TLS record compression or renegotiation are for some reason required
(which is strongly discouraged), then disable HTTP/2 in lighttpd with
server.feature-flags = ("server.h2proto" => "disable")
slurp password/digest file into memory and then clear after use
(avoid stdio, which buffers by default and does not wipe those buffers)
password/digest files are not expected to be very large
e.g. a password file with 1000 entries is expected to be < 64k
If files are larger, mod_authn_dbi or other mod_authn_* is recommended
HTTP/1.1 dictates that Cache-Control overrides Expires if both present.
Therefore, send only Cache-Control to HTTP/1.1 requests. This means
that if an intermediary upgraded the request to HTTP/1.1, and the actual
client sent HTTP/1.0, then the actual client might not understand
Cache-Control when it may have understood Expires. RFC 2616 HTTP/1.1
was released June 1999, almost 22 years ago (as this comment is written)
If a client today is sending HTTP/1.0, chances are the client does not
cache. Avoid the overhead of formatting time for Expires to send both
Cache-Control and Expires when the majority of clients are HTTP/1.1 or
HTTP/2 (or later).
(thx oldium)
improve handling of HTTP/2 DATA frames received
a short time after sending response
x-ref:
"POST request DATA part for non-existing URI closes HTTP/2 connection prematurely"
https://redmine.lighttpd.net/issues/3078
rename to reflect use for verifying client certificate
(old names are still accepted, but are discouraged)
ssl.ca-file -> ssl.verifyclient.ca-file
ssl.ca-dn-file -> ssl.verifyclient.ca-dn-file
ssl.ca-crl-file -> ssl.verifyclient.ca-crl-file
Glenn Strauss