Commit Graph

150 Commits

Author SHA1 Message Date
Glenn Strauss cb753ec5b5 [mod_mbedtls] mbedTLS option for TLS

mod_mbedtls supports most ssl.* config options supported by mod_openssl

thx Ward Willats for the initial discussion and attempt in the comments
2020-07-08 22:51:31 -04:00
Glenn Strauss 7c7f8c467c [multiple] split con, request (very large change)
NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)

NB: request read and write chunkqueues currently point to connection
    chunkqueues; per-request and per-connection chunkqueues are
    not distinct from one another
      con->read_queue  == r->read_queue
      con->write_queue == r->write_queue

NB: in the future, a separate connection config may be needed for
    connection-level module hooks.  Similarly, might need to have
    per-request chunkqueues separate from per-connection chunkqueues.
    Should probably also have a request_reset() which is distinct from
2020-07-08 19:54:29 -04:00
Glenn Strauss 48004c6a7c [core] remove unused arg to fdevent_fcntl_set_nb* 2020-07-08 19:54:29 -04:00
Glenn Strauss 05cc88ddb4 [multiple] omit passing srv to fdevent_handler 2020-07-08 19:54:29 -04:00
Glenn Strauss cbdbd60b35 [multiple] quiet clang compiler warnings 2020-07-08 19:54:28 -04:00
Glenn Strauss ca97505a72 [multiple] store srv->tmp_buf in tb var
rather than using srv->tmp_buf directly in code modifying temp buf (tb)
2020-07-08 19:54:28 -04:00
Glenn Strauss b5775b9951 [multiple] reduce direct use of srv->errh 2020-07-08 19:54:28 -04:00
Glenn Strauss 010c28949c [multiple] prefer (connection *) to (srv *)
convert all log_error_write() to log_error() and pass (log_error_st *)

use con->errh in preference to srv->errh (even though currently same)

avoid passing (server *) when previously used only for logging (errh)
2020-07-08 19:54:28 -04:00
Glenn Strauss 5977ce2b4a [core] isolate use of data_config, configfile.h 2020-07-08 18:08:52 -04:00
Glenn Strauss ed62e354ff [core] use config_plugin_values_init() 2020-07-08 18:08:51 -04:00
Glenn Strauss d23071a38f [core] config_get_config_cond_info()
isolate direct use of (data_config *)
2020-07-08 18:08:51 -04:00
Glenn Strauss 5aadcba456 [core] buffer string in data_config
(instead of (buffer *))
2020-02-24 11:15:32 -05:00
Glenn Strauss 62e97967ca [core] prefer uint32_t to size_t in base.h
even 2 billion is way larger than even extreme operating values
expected for the members in base.h

include some structs directly in struct server, rather than by ptr
2020-02-24 11:15:32 -05:00
Glenn Strauss fb74bb7514 [core] do not accept() > server.max-connections 2020-01-26 00:41:05 -05:00
Glenn Strauss 78f24ba141 [core] silence coverity warning 2019-03-07 00:32:17 -05:00
Glenn Strauss 9113011d5b [core] pass (fdnode *) for registered fdevent fd
inline fdevent_fdnode_interest()
avoid array lookup for (fdnode *) for various ops
2019-03-07 00:32:17 -05:00
Glenn Strauss 800e9b7349 [core] remove fde_ndx member outside fdevents
(isolated to fdevent framework internals)
2019-03-07 00:32:17 -05:00
Glenn Strauss d28bac32fe [multiple] reduce code dup in list resizing
reduce code duplication in list resizing
realloc() of NULL ptr has behavior similar to malloc()

Note that if initial size == 0, then code used to adjust size
must be += x to ensure the size is non-zero for reallocation.
(Multiplying 0 * x, e.g. power-2 resizing, will result in 0.)
2019-02-12 22:36:04 -05:00
Glenn Strauss ce7b47c015 [core] systemd socket activation support 2019-01-19 17:42:08 -05:00
Glenn Strauss 5b0e27f8ad [core] network_srv_sockets_append() shared code 2019-01-18 01:55:33 -05:00
Glenn Strauss 6b77372ae7 [core] move /dev/stdin graceful restart handling
move /dev/stdin graceful restart handling special-case up out of
2019-01-18 00:16:55 -05:00
Glenn Strauss b2ee667a3d [core] move winsock init to network_init() 2019-01-13 23:56:54 -05:00
Glenn Strauss f69bd9cdb8 [core] perf: simple, quick buffer_clear()
quickly clear buffer instead of buffer_string_set_length(b, 0) or
buffer_reset(b).  Avoids free() of large buffers about to be reused,
or buffers that are module-scoped, persistent, and reused.

(buffer_reset() should still be used with buffers in connection *con
 when the data in the buffers is supplied by external, untrusted source)
2018-11-23 00:37:38 -05:00
Glenn Strauss 04d76e7afd [core] some header cleanup
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
  do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
2018-04-08 22:22:23 -04:00
Glenn Strauss 142971a80c [core] consolidate backend network write handlers
network_write.[ch] isolates various write, writev, sendfile wrappers
2017-11-02 00:41:53 -04:00
Glenn Strauss 1367f60626 [core] isolate sock_addr manipulation 2017-10-29 01:23:19 -04:00
Glenn Strauss f394207d5f [core] fix implicit wildcard IPv4 and IPv6 listen
fix implicit wildcard IPv4 and IPv6 listening (regression in 1.4.46)

(broken in commit:5248b46c)

workaround (without this patch): server.set-v6only = "disable"
(which may produce a warning when lighttpd parses config)

2017-10-28 22:58:12 -04:00
nicorac 3d257ec3a9 [core] fix build --disable-ipv6 (fixes #2832)
  "Build error on systems without IPV6 support (regression from 1.4.46)"

github: closes #87
2017-10-25 22:45:57 -04:00
Glenn Strauss f5ff2a011d [core] normalize config addrs for eq and ne (#2830)
address strings need to have DNS resolved and port added
for consistency when matching other config conditionals

  "1.4.46 regression: $SERVER["socket"] matches when it shouldn't"
2017-10-22 14:13:55 -04:00
Glenn Strauss 3549fc8280 [core] normalize config addrs for != match (#2830)
address strings need to have DNS resolved and port added
for consistency when matching other config conditionals

  "1.4.46 regression: $SERVER["socket"] matches when it shouldn't"
2017-10-22 14:13:53 -04:00
Glenn Strauss 585206616d [core] fix 1.4.46 regression in config match (fixes #2830)
address strings need to have DNS resolved and port added
for consistency when matching other config conditionals

  "1.4.46 regression: $SERVER["socket"] matches when it shouldn't"
2017-10-22 12:41:02 -04:00
Glenn Strauss 3f2561dec5 [core] translate DNS to IP str for cond socket cmp
translate DNS to IP string for conditinal socket comparison
in lighttpd.conf for $SERVER["socket"] == ...
2017-10-21 14:47:30 -04:00
Glenn Strauss 60a98ebaf4 [core] quiet coverity warning 2017-10-09 08:50:26 -04:00
Glenn Strauss 9a69f31b20 [core] compare listen addrs after DNS resolution
compare listen addrs after DNS resolution when starting up server
2017-10-09 02:45:12 -04:00
Glenn Strauss 5c25f629ab [core] /dev/stdin listener for inetd wait yes
server.bind = "/dev/stdin" for use with inetd wait yes


  "inetd/wait mode with auto-shutdown after idle timeout"
2017-10-09 02:44:30 -04:00
Glenn Strauss 00d976b130 [core] cleaner code; remove goto from network.c 2017-10-07 16:11:36 -04:00
Glenn Strauss c49f515096 [network] do not append port to unix socket paths
2017-10-03 21:16:03 -04:00
Glenn Strauss 93e91954a7 [core] fdevent setsockopt() helper functions
2017-09-23 10:30:08 -04:00
Glenn Strauss 19d2190a4f [core] set socket perms after bind, before listen
(it is still recommended to create sockets in protected directories)

  "Feature request: add server config for setting permissions on Unix domain socket"
2017-08-03 00:37:43 -04:00
Glenn Strauss 5248b46c95 [core] sock_addr_from_str_hints reusable name res
[core] sock_addr_from_str_hints() reusable name resolution func
2017-07-15 22:42:15 -04:00
Glenn Strauss d15ddcb6fa [core] server.socket-perms to set perms on unix (fixes #656)
server.socket-perms = "0770" to set perms on unix domain socket
on which lighttpd listens for requests, e.g. $SERVER["socket"] == "..."

  "Feature request: add server config for setting permissions on Unix domain socket"
2017-06-13 08:56:13 -04:00
Glenn Strauss 8cf6e908d3 [core] include <netdb.h> where needed
include <netdb.h> in files which use getaddrinfo()
  instead of exposing header in local header "sys-socket.h"
2017-03-28 02:17:33 -04:00
Glenn Strauss a53f662a30 [core] remove some unused header includes
remove exposure of stdio.h in buffer.h for print_backtrace(), now static
2017-03-28 02:17:33 -04:00
Glenn Strauss 6c1e6e660e [core] graceful restart with SIGUSR1 (fixes #2785)
more consistent cleanup of resources at shutdown
(e.g. upon error conditions)

Notes: graceful restart with SIGUSR1
- not available if chroot()ed, oneshot mode, or if idle timeout occurs
- preserve process id (pid)
- preserve existing listen sockets
  - i.e. does not close old listen sockets from prior configs
    (even if old listen sockets no longer in the new config)
    (sockets may have been bound w/ root privileges no longer available)
  - will fail to add listen sockets from new config if privileges
    lighttpd configured to drop privileges to non-root user, and
    new listen socket attempts to bind to low-numbered port requiring
    root privileges.
  - will fail if listen sockets in new config conflict with any previous
    old listen sockets
  - These failure modes will result in lighttpd shutting down instead of
    graceful restart.  These failure modes are not detectable with
    preflight checks ('lighttpd -tt -f lighttpd.conf') because the
    new instance of lighttpd running the preflight check does not
    known config state of n prior graceful restarts, or even the
    config state of the currently running lighttpd server.
- due to lighttpd feature of optionally managing backends
  (e.g. fastcgi and scgi via "bin-path"), lighttpd must wait for
  all child processes to exit prior to restarting.  Restarting new
  workers while old workers (and old backends) were still running would
  result in failure of restarted lighttpd process to be able to bind to
  sockets already in use by old backends (e.g. unix "socket" path)

  "graceful restart with SIGUSR1"
2017-01-31 14:40:05 -05:00
Glenn Strauss 8981ca0467 [core] use getaddrinfo,inet_pton vs gethostbyname (fixes #2783)
when available, use getaddrinfo(),inet_pton() instead of gethostbyname()

NOTE: behavior change: mod_scgi now listens to INADDR_LOOPBACK if "host"
      is not specified.  (Prior behavior was INADDR_ANY.)  Backends
      should not listen on potentially public IPs unless explicitly
      configured to do so.  This change matches a change to mod_fastcgi
      made in 2008.

  "gethostbyname deprecated, should use getaddrinfo"
2017-01-31 14:36:15 -05:00
Glenn Strauss 82feb70588 [core] move con throttling to connections-glue.c
move write throttling code from network.c:network_write_chunkqueue()
to connections-glue.c:connection_write_chunkqueue() and fix the code
to use TCP_CORK only on TCP sockets.
2017-01-31 14:36:15 -05:00
Glenn Strauss 8960633dc7 [mod_openssl] move openssl config into mod_openssl
move openssl data structures and config parsing into mod_openssl
2017-01-31 14:36:10 -05:00
Glenn Strauss 2bc94dee82 [core] con interface for read/write; isolate SSL 2017-01-14 01:06:16 -05:00
Glenn Strauss b03c496298 [TLS] = "disable" for low mem (fixes #2778)
new directive = "enable"/"disable" to control
SSL_CTX_set_read_ahead().  Default "enable".  The "disable" setting
is intended for use on low memory systems with a slow CPU which is
unable to keep up with decryption of large request bodies.

  "larger memory usage for file uploads via SSL on embedded system"
2017-01-10 15:59:50 -05:00
Glenn Strauss 38d00abd8f [TLS] openssl 1.1.0 makes SSL_OP_NO_SSLv2 no-op
silence coverity warning

openssl 1.1.0 makes SSL_OP_NO_SSLv2 flag a no-op, leading to
logically dead code when used with openssl 1.1.0.  However, the code
is still valid with earlier openssl versions, and so must be preserved.
2016-12-23 07:36:30 -05:00