If lighttpd.conf is invalid, some modules may not have initialized their
per-context config structures, but will have their free-functions
called, which should not be run on uninitialized per-context configs.
x-ref:
"Segfault with simple-vhost.debug = "enable""
https://redmine.lighttpd.net/issues/2798
fix streaming response when server.stream-response-body = 2
and client catches up to stream from backend
(thx horgh)
x-ref:
"mod_fastcgi can fail to read entire response from server"
https://redmine.lighttpd.net/issues/2796
More specific checks on contents of array lists. Each module using
lists now does better checking on the types of values in the list
(strings, integers, arrays/lists)
This helps prevent misconfiguration of things like cgi.assign,
fastcgi.server, and scgi.server, where source code might be
served as static files if parenthesis are misplaced.
x-ref:
https://redmine.lighttpd.net/boards/2/topics/6571
usertrack.cookie-attrs allows user to add arbitrary attributes to the
cookie set by mod_usertrack, including attributes Secure and HttpOnly
as well as Path
usertrack.cookie-attrs is appended as-is to cookie string
and therefore must be properly URL-encoded
usertrack.cookie-attrs, if set, replaces *all* other cookie attributes,
including "; Path=/; Version=1" as well as the Domain= and Max-Age=
attributes if usertrack.cookie-domain and usetrack.cookie-max-age set,
so those should be part of usertrack.cookie-attrs if desired
e.g.
usertrack.cookie-name = "TRACKID" # (default)
usertrack.cookie-attrs = "; Path=/; Version=1; Domain=mydom.com; Max-Age=86400; Secure; HttpOnly"
x-ref:
"mod_usertrack should have an option to set the 'Secure' and 'HttpOnly' flags on the cookie"
https://redmine.lighttpd.net/issues/2795
new directive cgi.local-redir = [enable|disable]
*disable* RFC3875 6.2.2 local-redir by default.
(behavior change from when local-redir support added in lighttpd 1.4.40)
The reason for this behavior change is that CGI local-redir support
(RFC3875 6.2.2) is an optimization. Absence of support may result in
additional latency in servicing a request due the additional round-trip
to the client, but that was the prior behavior (before lighttpd 1.4.40)
and is the behavior of web servers which do not support CGI local-redir.
However, enabling CGI local-redir by default may result in broken links
in the case where a user config (unaware of CGI local-redir behavior)
returns HTML pages containing *relative* paths (not root-relative paths)
which are relative to the location of the local-redir target document,
and the local-redir target document is located at a different URL-path
from the original CGI request.
x-ref:
RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response
http://www.ietf.org/rfc/rfc3875
"CGI local redirect not implemented correctly"
https://redmine.lighttpd.net/issues/2108
"1.4.40 regression: broken redirect (using Location) between url.rewrite-once URLs"
https://redmine.lighttpd.net/issues/2793
set status 200 OK if CGI does not return CGI headers
Note:
This mode in lighttpd is deprecated and may be removed in the next major
release of lighttpd. CGI scripts should return a proper CGI header in
the response, even if that header is empty and followed by a blank line,
before return response body.
Without a proper CGI response header, the first line(s) of the response
might be incorrectly construed as being CGI response headers, especially
if they contain ':', and response may be corrupted. That is why this
mode is deprecated (and not supported in numerous other web servers).
The minimal valid CGI response header is "\n", which lighttpd will treat
as equivalent to "Status: 200\n\n"
x-ref:
"error 500 (mod_cgi.c.601) cgi died"
https://redmine.lighttpd.net/issues/2786
consolidate backend process accounting for consistency
x-ref:
"FreeBSD/1.4.45/SSL: requests getting stuck in handle-req state occasionally"
https://redmine.lighttpd.net/issues/2788
more consistent waitpid() handling, consolidate similar code
If ECHILD received for a given pid, do not retry waitpid() for that pid
x-ref:
"mod_fastcgi : pid {pid} 1 not found: No child processes"
https://redmine.lighttpd.net/issues/2791
new directive server.error-intercept = [ "enable" | "disable" ]
to intercept 4xx and 5xx responses from dynamic handlers
(e.g. CGI, FastCGI, SCGI, proxy)
Intercepted HTTP error status are then handled by one of
server.error-handler
server.error-handler-404
server.errorfile-prefix
(if configured)
Do not use server.error-intercept with locations handled by mod_webdav!
x-ref:
"would like something similar to nginx proxy_intercept_errors"
https://redmine.lighttpd.net/issues/974
When spawning backends, retry blocking connect() to backend if EINTR
received when attempting to see if backend is already running. EINTR
might be received if a HUP or USR1 signal is received while connecting
(or SIGCHLD on systems without SA_RESTART)
(expected to occur extremely rarely, but simple to handle properly)
x-ref:
"FreeBSD/1.4.45/SSL: requests getting stuck in handle-req state occasionally"
https://redmine.lighttpd.net/issues/2788
use kqueue in level-triggered mode, not edge-triggered
x-ref:
"FreeBSD/1.4.45/SSL: requests getting stuck in handle-req state occasionally"
https://redmine.lighttpd.net/issues/2788
It is still not a good idea for backend to send Transfer-Encoding unless
backend is mod_proxy, and mod_proxy should not currently receive chunked
response since mod_proxy sends HTTP/1.0 request.
If mod_proxy is changed to sent HTTP/1.1 request, then lighttpd would
need to check if client is HTTP/1.0 and would need to de-chunk and
remove any other transfer-codings if not supported by next-hop.
x-ref:
"error 500 (mod_cgi.c.601) cgi died"
https://redmine.lighttpd.net/issues/2786
inherit ssl.* from global scope if $SERVER["socket"] contains
ssl.engine = "enable" and no other ssl.* settings
(In earlier versions of lighttpd, specifying ssl.engine = "enable"
without specifying ssl.pemfile was a configuration error, so this
change should not break any pre-existing and previously working
configs)
x-ref:
https://github.com/pfsense/FreeBSD-ports/pull/284
"Status" from CGI/1.1 environment should not be sent back to client.
Also, do not send "Status" back to client in mod_scgi
and more precisely parse for "Status" in mod_fastcgi
RFC3875 CGI local-redir stricter adherence
do not apply local-redir if any response headers besides "Location"
do not apply local-redir if any response body has been received
(though it might not have been received yet, and we do not wait to find
out, if lighttpd is configured to stream response body back to client)
x-ref:
RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response
http://www.ietf.org/rfc/rfc3875
"CGI local redirect not implemented correctly"
https://redmine.lighttpd.net/issues/2108
more consistent cleanup of resources at shutdown
(e.g. upon error conditions)
Notes: graceful restart with SIGUSR1
- not available if chroot()ed, oneshot mode, or if idle timeout occurs
- preserve process id (pid)
- preserve existing listen sockets
- i.e. does not close old listen sockets from prior configs
(even if old listen sockets no longer in the new config)
(sockets may have been bound w/ root privileges no longer available)
- will fail to add listen sockets from new config if privileges
lighttpd configured to drop privileges to non-root user, and
new listen socket attempts to bind to low-numbered port requiring
root privileges.
- will fail if listen sockets in new config conflict with any previous
old listen sockets
- These failure modes will result in lighttpd shutting down instead of
graceful restart. These failure modes are not detectable with
preflight checks ('lighttpd -tt -f lighttpd.conf') because the
new instance of lighttpd running the preflight check does not
known config state of n prior graceful restarts, or even the
config state of the currently running lighttpd server.
- due to lighttpd feature of optionally managing backends
(e.g. fastcgi and scgi via "bin-path"), lighttpd must wait for
all child processes to exit prior to restarting. Restarting new
workers while old workers (and old backends) were still running would
result in failure of restarted lighttpd process to be able to bind to
sockets already in use by old backends (e.g. unix "socket" path)
x-ref:
"graceful restart with SIGUSR1"
https://redmine.lighttpd.net/issues/2785
add doc/initscripts.txt with description of lighttpd signal handling
and links to the initscripts of various operating system distros
remove doc/initscripts/*
x-ref:
"init scripts outdated, should be removed"
https://redmine.lighttpd.net/issues/2782
close connections in keep-alive that are waiting for next request
disable keep-alive on existing connections
remove bandwidth write limits
reduce remaining linger timeout (on already finished requests)
to be (from zero) *up to* one more second, but no more
(mod_flv_streaming is becoming obsolete as Flash is replaced by
HTML5 and most modern clients support HTTP/1.1 Range requests)
x-ref:
"add end and header parameter for flv streaming"
https://redmine.lighttpd.net/issues/1887
