This change should fix an issue with lighttpd on Debian kfreebsd-* arch
(kfreebsd-amd64 and kfreebsd-i386)
.libs/mod_cgi.o: In function `cgi_create_env':
./src/mod_cgi.c:1103: warning: pipe2 is not implemented and will always fail
lighttpd is single-threaded so there is no race with pipe()
and then fcntl() F_SETFD FD_CLOEXEC on the pair of pipe fds.
Using pipe2() where available is still slightly more efficient
by eliding the syscalls to set FD_CLOEXEC.
Lack of pipe2() on relic Unix as well as missing on Mac OSX is likely
one reason why threaded web servers such as nginx choose not to support
CGI except via an external service to the process. Without pipe2(),
race conditions exist and it is not safe for a threaded server to use
pipe() and fork() when the server also does not want to potentially leak
open file descriptors to various unrelated CGI scripts.
issue warning at startup, instead of fatal error, if SHA used in
secdownload.algorithm = "..." but mod_secdownload was built without
SSL crypto. When lighttpd is built without openssl, this allows most
tests/* to be run and pass, except the ones in tests/mod-secdownload.t
which use "hmac-sha1" or "hmac-sha256".
(alternatively, could have made, used isolated tests/secdownload.conf)
attempt to route requests to same backends based on requestor (client)
IP address and target host and port of request.
(thx bra)
x-ref:
"Source IP sticky load balancing patch"
https://redmine.lighttpd.net/issues/2117
support Transfer-Encoding: chunked request body in conjunction with
server.stream-request-body = 0
dynamic handlers will still return 411 Length Required if
server.stream-request-body = 1 or 2 (!= 0)
since CGI-like env requires CONTENT_LENGTH be set
(and mod_proxy currently sends HTTP/1.0 requests to backends,
and Content-Length recommended for robust interaction with backend)
x-ref:
"request: support Chunked Transfer Coding for HTTP PUT"
https://redmine.lighttpd.net/issues/2156
EXPERIMENTAL: basic recursive SSI <!--#include virtual="..." -->
Marked experimental since behavior may change in future.
Prior behavior was simpler and treated them all as files included as-is.
New behavior treats all #include virtual="..." targets as SSI files.
In the future, this may change to be a full recursive subrequest and the
virtual path may be treated as a new subrequest and might be something
other than SSI (e.g. might be CGI). This has not been implemented.
Current behavior processes <!--#include virtual="..." --> as static file
Enable new behavior by setting ssi.recursion-max to value other than 0.
ssi.recursion-max = X to set maximum recursion depth
x-ref:
"add recursion to the SSI #include directive"
https://redmine.lighttpd.net/issues/536
modules may now keep state for the lifetime of a connection,
rather than being required to be reset after every request (when
there can be multiple keep-alive requests on the same connection)
defer li_rand_init() until first use of li_rand_pseudo_bytes()
li_rand_init() is now deferred until first use so that installations
that do not use modules which use these routines do need to potentially
block at startup. Current use by core lighttpd modules is in mod_auth
HTTP Digest auth and in mod_usertrack. Deferring collection of random
data until first use may allow sufficient entropy to be collected by
kernel before first use, helping reduce or avoid situations in
low-entropy-generating embedded devices which might otherwise block
lighttpd for minutes at device startup. Further discussion in
https://redmine.lighttpd.net/boards/2/topics/6981
(prerequisite for future mod_ssi enhancements)
This commit also addresses the concern that mod_geoip would
(previously) need to be listed in modules prior to mod_ssi.
x-ref:
https://github.com/lighttpd/lighttpd1.4/pull/73
except that HUP does not reload lighttpd 1.4.x config
Those who only use systemd lighttpd service 'reload' to rotate
access log files might choose to add a command to send lighttpd a
HUP signal. See github pull request (below) for further discussion.
[patch edited by gstrauss]
x-ref:
https://github.com/lighttpd/lighttpd1.4/pull/72
* In modules.conf, mod_geoip needs to be loaded before mod_ssi,
otherwise GeoIP vars won't be available to SSI pages.
* In geoip.conf suggest GeoLiteCity.dat instead of GeoCityLite.dat.
github: closes #73
e.g. if /usr/bin/php-cgi does not exist
A distribution package might need to be installed:
'php-cli' Fedora package; 'php7.0-cgi' or 'php5-cgi' Debian package
memcpy() may be a macro and gave error for missing argument when
CONST_STR_LEN() macro is used (which expands to two arguments)
(thx ryandesign)
x-ref:
"mod_authn_file.c:683:56: error: too few arguments provided to function-like macro invocation (memcpy)"
https://redmine.lighttpd.net/issues/2772
FreeBSD 9.3 has O_CLOEXEC, but does not have pipe2() until FreeBSD 10.
FreeBSD 10 also adds SOCK_CLOEXEC, so use that as indicator
https://wiki.freebsd.org/AtomicCloseOnExec
Note: FreeBSD 9.3 will soon reach its "extended" EOL date (31 Dec 2016),
so those using FreeBSD 9.3 should consider upgrading.
https://www.freebsd.org/security/security.html#sup
Mac OS X does not have pipe2(). User reported:
Undefined symbols for architecture x86_64:
"_pipe2", referenced from:
_mod_cgi_handle_subrequest in mod_cgi.o
x-ref:
"Undefined symbols _pipe2"
https://redmine.lighttpd.net/issues/2765
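
The pipe2() notes in the commit messages above (the kfreebsd stub that always fails, FreeBSD 9.3 and Mac OS X lacking it, and the race in threaded servers) can be seen in one helper. The C below is an added example, not lighttpd source and not part of these commits; HAVE_PIPE2 is an assumed build-time macro and the names pipe_cloexec, set_cloexec and fd_is_cloexec are hypothetical.

```c
/* Added example, not lighttpd source. HAVE_PIPE2 is an assumed build macro. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#if !defined(HAVE_PIPE2) && defined(__linux__)
#define HAVE_PIPE2 1
#endif
#ifdef HAVE_PIPE2
int pipe2(int fds[2], int flags); /* repeated in case _GNU_SOURCE came too late */
#endif

/* 1 if fd is close-on-exec, 0 if an exec'd child would inherit it, -1 on error */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

static int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Create a pipe whose two ends are not inherited across exec. */
int pipe_cloexec(int fds[2]) {
#ifdef HAVE_PIPE2
    if (0 == pipe2(fds, O_CLOEXEC)) return 0; /* atomic: no inheritable window */
    if (errno != ENOSYS) return -1;           /* ENOSYS: libc stub, fall back */
#endif
    if (0 != pipe(fds)) return -1;
    /* Window: a fork()+exec() in another thread here would inherit both fds.
     * Harmless only while the process is single-threaded. */
    if (0 != set_cloexec(fds[0]) || 0 != set_cloexec(fds[1])) {
        int e = errno;
        close(fds[0]); close(fds[1]);
        errno = e;
        return -1;
    }
    return 0;
}

int main(void) {
    int raw[2], safe[2];
    if (0 != pipe(raw) || 0 != pipe_cloexec(safe)) return 1;
    return !(0 == fd_is_cloexec(raw[0]) && 1 == fd_is_cloexec(safe[0])
             && 1 == fd_is_cloexec(safe[1]));
}
```

Checking F_GETFD on descriptors that are open just before a CGI fork() is a quick way to audit which ones a script would inherit.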
warn if mod_authn_ldap is not listed in server.modules in lighttpd.conf
but auth.backend = "ldap" is in lighttpd.conf
warn if mod_authn_mysql is not listed in server.modules in lighttpd.conf
but auth.backend = "mysql" is in lighttpd.conf
A future release of lighttpd 1.4.x will cease automatically loading
these modules. After that, lighttpd will fail to start up if
auth.backend requires one of these modules and the module is not loaded.
(The purpose of this change is to remove from the lighttpd core server
the dependencies on LDAP or MariaDB libraries.)