To enable "Forwarded", must enable which params to include.
The recommended set is "for" and "proto" unless other params
are required and proper security precautions have been taken.
proxy.forwarded = ( "for" => 1,
"proto" => 1,
#"host" => 1,
#"by" => 1,
#"remote_user" => 1,
)
See https://tools.ietf.org/html/rfc7239 for info about "Forwarded"
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
lighttpd appends the request "Host" to the non-standard header "X-Host"
when acting as a reverse proxy. This patch additionally appends "Host"
to the non-standard header "X-Forwarded-Host" to match the convention in
some other web servers
x-ref:
"mod_proxy should send the X-Forwarded-Host header to the proxied server"
https://redmine.lighttpd.net/issues/418
apply diff from commit:2eaf42d0 made to mod_fastcgi.c back in 2009
(change is being made for (a bit more) consistency between the modules
as mod_scgi.c was forked from mod_fastcgi.c a very long time ago, as
well as to remove call to sleep for 10ms (usleep(10000) from mod_scgi)
x-ref:
"fastcgi incomplete header might crash lighty"
https://redmine.lighttpd.net/issues/2096
If lighttpd.conf is invalid, some modules may not have initialized their
per-context config structures, but will have their free-functions
called, which should not be run on uninitialized per-context configs.
x-ref:
"Segfault with simple-vhost.debug = "enable""
https://redmine.lighttpd.net/issues/2798
fix streaming response when server.stream-response-body = 2
and client catches up to stream from backend
(thx horgh)
x-ref:
"mod_fastcgi can fail to read entire response from server"
https://redmine.lighttpd.net/issues/2796
More specific checks on contents of array lists. Each module using
lists now does better checking on the types of values in the list
(strings, integers, arrays/lists)
This helps prevent misconfiguration of things like cgi.assign,
fastcgi.server, and scgi.server, where source code might be
served as static files if parenthesis are misplaced.
x-ref:
https://redmine.lighttpd.net/boards/2/topics/6571
usertrack.cookie-attrs allows user to add arbitrary attributes to the
cookie set by mod_usertrack, including attributes Secure and HttpOnly
as well as Path
usertrack.cookie-attrs is appended as-is to cookie string
and therefore must be properly URL-encoded
usertrack.cookie-attrs, if set, replaces *all* other cookie attributes,
including "; Path=/; Version=1" as well as the Domain= and Max-Age=
attributes if usertrack.cookie-domain and usetrack.cookie-max-age set,
so those should be part of usertrack.cookie-attrs if desired
e.g.
usertrack.cookie-name = "TRACKID" # (default)
usertrack.cookie-attrs = "; Path=/; Version=1; Domain=mydom.com; Max-Age=86400; Secure; HttpOnly"
x-ref:
"mod_usertrack should have an option to set the 'Secure' and 'HttpOnly' flags on the cookie"
https://redmine.lighttpd.net/issues/2795
new directive cgi.local-redir = [enable|disable]
*disable* RFC3875 6.2.2 local-redir by default.
(behavior change from when local-redir support added in lighttpd 1.4.40)
The reason for this behavior change is that CGI local-redir support
(RFC3875 6.2.2) is an optimization. Absence of support may result in
additional latency in servicing a request due the additional round-trip
to the client, but that was the prior behavior (before lighttpd 1.4.40)
and is the behavior of web servers which do not support CGI local-redir.
However, enabling CGI local-redir by default may result in broken links
in the case where a user config (unaware of CGI local-redir behavior)
returns HTML pages containing *relative* paths (not root-relative paths)
which are relative to the location of the local-redir target document,
and the local-redir target document is located at a different URL-path
from the original CGI request.
x-ref:
RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response
http://www.ietf.org/rfc/rfc3875
"CGI local redirect not implemented correctly"
https://redmine.lighttpd.net/issues/2108
"1.4.40 regression: broken redirect (using Location) between url.rewrite-once URLs"
https://redmine.lighttpd.net/issues/2793
set status 200 OK if CGI does not return CGI headers
Note:
This mode in lighttpd is deprecated and may be removed in the next major
release of lighttpd. CGI scripts should return a proper CGI header in
the response, even if that header is empty and followed by a blank line,
before return response body.
Without a proper CGI response header, the first line(s) of the response
might be incorrectly construed as being CGI response headers, especially
if they contain ':', and response may be corrupted. That is why this
mode is deprecated (and not supported in numerous other web servers).
The minimal valid CGI response header is "\n", which lighttpd will treat
as equivalent to "Status: 200\n\n"
x-ref:
"error 500 (mod_cgi.c.601) cgi died"
https://redmine.lighttpd.net/issues/2786
consolidate backend process accounting for consistency
x-ref:
"FreeBSD/1.4.45/SSL: requests getting stuck in handle-req state occasionally"
https://redmine.lighttpd.net/issues/2788
more consistent waitpid() handling, consolidate similar code
If ECHILD received for a given pid, do not retry waitpid() for that pid
x-ref:
"mod_fastcgi : pid {pid} 1 not found: No child processes"
https://redmine.lighttpd.net/issues/2791
Glenn Strauss
Philip Prindeville