Commit Graph

3743 Commits

Author SHA1 Message Date
Glenn Strauss 169d8d3608 [core] accept "HTTP/2.0", "HTTP/3.0" from backends (fixes #3031)
accept "HTTP/2.0" and "HTTP/3.0" NPH from naive non-proxy backends

(thx flynn)

x-ref:
  "uwsgi fails with HTTP/2"
  https://redmine.lighttpd.net/issues/3031
2020-11-09 19:00:58 -05:00
Glenn Strauss c0e2667b71 [multiple] handle NULL val as empty in *_env_add (fixes #3030)
(bug on master branch; never released)

(thx flynn)

x-ref:
  "Fastcgi fails if server.tag is empty"
  https://redmine.lighttpd.net/issues/3030
2020-11-09 18:20:13 -05:00
Glenn Strauss 213373948a [tests] allow LIGHTTPD_EXE_PATH override
allow LIGHTTPD_EXE_PATH override to be able to run source tree tests/*.t
against installed executable, e.g. LIGHTTPD_EXE_PATH=/usr/sbin/lighttpd

Beware that tests might not pass or might not be supported if the target
executable is not the same version as that of the source tree.

(Possible use for this override is by Debian autopkgtests)
2020-11-09 05:07:05 -05:00
Glenn Strauss ff7cbcf5dd [mod_maxminddb] fix config validation typo
(bug on master branch; never released)

(thx maxentry)

x-ref:
  "maxminddb.env error 1.4.56"
  https://redmine.lighttpd.net/boards/2/topics/9480
2020-11-05 13:20:39 -05:00
Glenn Strauss 2a3fac7653 [mod_openssl] adjust LIBRESSL_VERSION_NUMBER check
libressl >= 0x3000000fL has SSL_set1_chain(), but not some other APIs
2020-11-05 01:17:30 -05:00
Glenn Strauss dce440602d [core] stat_cache preprocessor paranoia 2020-11-05 01:08:11 -05:00
Glenn Strauss 520bffcd24 [core] use struct kevent on stack in stat_cache
This alternative approach attempts to work around error:
  invalid application of 'sizeof' to incomplete type 'struct kevent'
seen in continuous integration (CI) autoconf build on FreeBSD VM
2020-11-05 00:48:41 -05:00
Glenn Strauss 57f450f199 [mod_openssl] add LIBRESSL_VERSION_NUMBER checks
add some additional LIBRESSL_VERSION_NUMBER checks for feature support
2020-11-04 22:47:36 -05:00
Glenn Strauss 8e1394ea49 [core] no graceful-restart-bg on OpenBSD, NetBSD
disable server.graceful-restart-bg on OpenBSD and NetBSD

kqueue is not inherited across fork, and OpenBSD and NetBSD do not
implement rfork() (implemented on FreeBSD and DragonFly)

lighttpd has not implemented rebuilding the kqueues after fork,
so server.graceful-restart-bg is disabled on OpenBSD and NetBSD.
2020-11-04 20:16:30 -05:00
Glenn Strauss 0b00b13a42 [core] use kqueue() instead of FAM/gamin on *BSD
Note: there have always been limitations with lighttpd stat_cache.[ch]
using FAM/gamin on *BSD via kqueue() as lighttpd stat_cache.[ch] only
monitors directories.  This kqueue() implementation also only monitors
directories and has limitations.

lighttpd stat_cache.[ch] is notified about additions and removals of
files within a monitored directory but might not be notified of changes
such as timestamps (touch), ownership, or even changes in contents
(e.g. if a file is edited through a hard link)

server.stat-cache-engine = "disable" should be used when files should
not be cached.  Full stop.  Similarly, "disable" is recommended if files
change frequently.  If using server.stat-cache-engine with any engine,
there are caching effects and tradeoffs.

On *BSD and using kqueue() on directories, any change detected clears
the stat_cache of all entries in that directory, since monitoring only
the directory does not indicate which file was added or removed.  This
is not efficient for directories containing frequently changed files.
2020-11-04 20:16:30 -05:00
Glenn Strauss 1efd74457b [core] cold func for gw_recv_response error case
gw_recv_response_error()
2020-11-04 03:53:15 -05:00
Glenn Strauss 639f70a00f [core] set last_used on rd/wr from backend (fixes #3029)
x-ref:
  "mod_wstunnel kills child on disconnect after idle-timeout from connection start"
  https://redmine.lighttpd.net/issues/3029
2020-11-04 03:53:15 -05:00
Glenn Strauss 3db556fde3 [mod_nss] update session ticket NSS devel comment
Update: NSS developer explains:
"The way that we currently operate is to tie the session key encryption
 to the server public key. Which only works if you have an RSA key
 configured"
https://bugzilla.mozilla.org/show_bug.cgi?id=1673254
2020-11-04 03:53:15 -05:00
Glenn Strauss 7ce8b22cb2 [build] detect inotify header <sys/inotify.h> 2020-11-04 03:53:15 -05:00
Glenn Strauss 5c7173026f [core] use inotify in stat_cache.[ch] on Linux
use inotify in stat_cache.[ch] on Linux, replacing FAM/gamin
2020-11-04 03:53:15 -05:00
Glenn Strauss 64aff80d86 [build] prepend search for lua version 5.4 2020-10-31 00:55:44 -04:00
Glenn Strauss 89cd3d8b9d [meson] add matching -I for lua lib version 2020-10-31 00:55:44 -04:00
Glenn Strauss d5e899e299 [doc] refresh doc/config/conf.d/mime.conf 2020-10-30 00:27:14 -04:00
Glenn Strauss d9c8e38253 [build] meson --with-xxhash option 2020-10-29 20:28:44 -04:00
Glenn Strauss 07622251b0 [build] option to use system-provided libxxhash
--with-xxhash
2020-10-29 19:30:45 -04:00
Glenn Strauss 7ff2a467c9 [build] fix typo in configure.ac 2020-10-29 19:07:44 -04:00
Glenn Strauss 28b086aa26 [core] use system xxhash lib if available 2020-10-29 17:20:25 -04:00
Glenn Strauss bcac9b5785 [core] set NSS_VER_INCLUDE after crypto lib select 2020-10-29 16:49:35 -04:00
Glenn Strauss 8187e98897 [multiple] include wolfssl/options.h after select
include wolfssl/options.h crypto lib config
after selecting crypto lib to use

wolfSSL does not prefix its defines with a wolfSSL-specific namespace
(so we would like to avoid unnecessarily polluting preproc namespace)

This commit further isolates wolfSSL after split from mod_openssl.
Cleans up some preprocessor logic that was put in place when using
the wolfSSL compatibility layer for openssl, before creating a
dedicated mod_wolfssl.
2020-10-29 16:42:55 -04:00
Glenn Strauss 6fb63fa8d6 [multiple] include mbedtls/config.h after select
include mbedtls/config.h crypto lib config
after selecting crypto lib to use
2020-10-29 16:41:27 -04:00
Glenn Strauss 441c95c697 [multiple] consistent order for crypto lib select 2020-10-29 16:39:56 -04:00
Glenn Strauss e726a41a74 [core] adjust wolfssl workaround for another case
adjust wolfssl types.h workaround for another edge case
2020-10-29 05:45:18 -04:00
Glenn Strauss 78b13b610c [core] move misplaced error trace to match option
(thx grohne)
2020-10-29 05:34:43 -04:00
Glenn Strauss e9590277ca [core] workaround fragile code in wolfssl types.h
workaround fragile code in wolfssl/wolfcrypto/types.h

Including header blows up compile in 32-bit when lighttpd meson build
in OpenWRT on a 32-bit platform generates lighttpd config.h containing
define of SIZEOF_LONG, but not SIZEOF_LONG_LONG, and the wolfssl types.h
flubs and fails to choose an enum value used by a macro that is unused
by most consumers of the wolfssl header.
2020-10-29 05:06:24 -04:00
Glenn Strauss 31fc3a0773 [TLS] server.feature-flags "ssl.session-cache"
disabled by default, but can be enabled
(session tickets should be preferred)

applies to mod_openssl, mod_wolfssl, mod_nss

session cache is not currently implemented in mod_mbedtls or mod_gnutls
2020-10-29 01:05:55 -04:00
Glenn Strauss 1d27391c29 [mod_mbedtls] wrap addtl code in preproc defines
wrap additional code in preprocessor defines to check if enabled in lib
2020-10-28 22:58:47 -04:00
Glenn Strauss 3353ff2024 [build] adjust meson.build for use by OpenWRT 2020-10-28 22:58:47 -04:00
Glenn Strauss babfb43873 [build] WITHOUT_LIB_CRYPTO option in code
(not (yet?) an end-user option in the build system)
(If extended to build system, build system should also unset CRYPTO_LIB)

If WITHOUT_LIB_CRYPTO is defined in sys-crypto.h, then non-TLS modules
will have access to MD5() and SHA1() built with lighttpd (algo_md5.[ch]
and algo_sha1.[ch]), but not to other message digest algorithms.

As of this commit, this affects only mod_secdownload with SHA256 digest
and mod_auth* modules using HTTP Digest Auth with digest=SHA-256, which
is not currently well-supported by client browsers (besides Opera)
2020-10-27 16:47:33 -04:00
Glenn Strauss 31a7f0d43c [build] detect nss3/nss.h or nss/nss.h for NSS 2020-10-27 16:40:08 -04:00
Glenn Strauss 75c29505be [build] CMake use pkg_check_modules() w/ wolfssl 2020-10-27 13:01:01 -04:00
Glenn Strauss 07f40eaf9a [build] CMake mod_openssl, mod_wolfssl can coexist 2020-10-27 12:37:48 -04:00
Glenn Strauss e130124892 [build] add --with-brotli to meson.build 2020-10-27 12:32:10 -04:00
Glenn Strauss db7252ec13 [build] fix lib paths for GnuTLS, NSS
(thx dirk)
2020-10-27 03:47:35 -04:00
Glenn Strauss 1f1b3bcc55 [mod_secdownload] fix compile w/ NSS on FreeBSD
(thx dirk)

nss/alghmac.h might not exist
2020-10-26 22:24:24 -04:00
Glenn Strauss 988fa8ecfa [mod_wolfssl] need to build --enable-alpn for ALPN
need to build wolfSSL library with --enable-alpn for ALPN
even if already building wolfSSL library with --enable-opensslall
(sigh)

ALPN is required by the HTTP/2 specification
2020-10-26 22:21:16 -04:00
Glenn Strauss 17d8d9c919 [mod_wolfssl] cripple SNI if not built OPENSSL_ALL
crippled functionality if wolfssl library not built --enable-opensslall
* SNI not handled since SNI callbacks are disabled in wolfSSL library
  unless the wolfSSL library is built with --enable-opensslall

  This means that there is only one certificate per listening socket --
  no certificate selection based on server name indication (SNI)
  and is additionally a violation of the HTTP/2 specification,
  which requires SNI.

slightly reduced functionality if wolfssl not built --enable-opensslall
* disable client certificate verification (error out if in lighttpd.conf)
* omit SSL_CIPHER_USEKEYSIZE, SSL_CIPHER_ALGKEYSIZE env vars
2020-10-26 22:12:39 -04:00
Glenn Strauss 1221bd6e40 [mod_wolfssl] use more wolfssl/options.h defines 2020-10-26 20:26:24 -04:00
Glenn Strauss 8f31ed7fe1 [build] use pkg-config with wolfssl 2020-10-26 16:09:21 -04:00
Glenn Strauss a1f6d1322a [build] mark dependencies on crypto lib for MD5()
(lighttpd base executable depends on crypto lib for rand functionality,
 so the crypto library was already being loaded -- no missing symbols)
2020-10-26 13:53:07 -04:00
Glenn Strauss 2576b2c3d0 [tests] OpenBSD crypt() support limited to bcrypt
OpenBSD crypt() does not support (insecure) crypt-des or crypt-md5
2020-10-26 11:45:48 -04:00
Glenn Strauss 1fad70f4f7 [core] STAILQ_* -> SIMPLEQ_* on OpenBSD
(thx brad)
2020-10-26 11:29:40 -04:00
Glenn Strauss 008533e355 [doc] NEWS 2020-10-25 15:47:31 -04:00
Glenn Strauss 48384c7e2f [core] fix (startup) mem leaks in configparser.y
(thx stbuehler)
2020-10-24 17:06:50 -04:00
Glenn Strauss 949662d27e [multiple] add some missing config cleanup
(thx stbuehler)
2020-10-24 16:08:21 -04:00
Glenn Strauss 55fb46f695 [mod_accesslog] update defaults after cycling log
(thx avij)

must update the cached copy of global scope config after cycling log.
Although (accesslog_st *) is modified in-place, the log_access_fd member
of (accesslog_st *) is copied into the cache and must be updated after
cycling logs in the global scope.
2020-10-24 14:38:47 -04:00