re-patch mod_openssl config within the request so that per-request
settings can be applied, such as activating client cert verification
for specific URL paths.
(This can be used in conjunction with auth.backend = "extern"
to require auth to occur)
x-ref:
"SSL : authenticate only clients for a particular URL"
https://redmine.lighttpd.net/issues/2245
Set auth.extern-authn = "enable" to check REMOTE_USER (if set) against
require rules, and proceed if allowed. If REMOTE_USER is not present,
or the require rules do not match, then check configured auth scheme.
REMOTE_USER might be set by another module, e.g. mod_openssl client cert
verification and REMOTE_USER configured with ssl.verifyclient.username)
x-ref:
"[mod_auth] allow SSL clientcert authenticated users to bypass AUTH"
https://redmine.lighttpd.net/issues/2481
(instead of handle_subrequest_start hook)
The handle_request_env hook is called on demand by dynamic handlers
and this change makes mod_geoip available for mod_magnet lua code.
large code move, but minimal changes made to code (besides whitespace),
so that code builds
next: need to isolate openssl data structures and config parsing
handle_request_env (called on demand by handlers to populate env)
handle_connection_accept
handle_connection_shut_wr (was handle_connection_close)
handle_connection_close (now occurs at socket close())
The (misnamed) connection_reset hook is always called after a request,
whether request completes or is aborted, and whether keep-alive or not,
so no needed to repeat the same function in the handle_connection_close
hook.
new directive ssl.read-ahead = "enable"/"disable" to control
SSL_CTX_set_read_ahead(). Default "enable". The "disable" setting
is intended for use on low memory systems with a slow CPU which is
unable to keep up with decryption of large request bodies.
x-ref:
"larger memory usage for file uploads via SSL on embedded system"
https://redmine.lighttpd.net/issues/2778
Loosen local redirect handling in mod_cgi to skip handling as local
redirect if the Location matches con->uri.path, since if the request
is intended to redirect back to the same CGI using the same request
method, path info, and query string, the CGI would logically just
return the final intended response. Loosening this handling avoids a
problem with applications (potentially) accessible through multiple
gateways, where the application is not aware of this specific handling
of Location in the Common Gateway Interface (CGI/1.1), the application
sends abs-path in the Location response header instead of absoluteURI,
and the application expects the client to receive this Location response
header instead of the server to process as a CGI local redirect.
One example of such an application is LuCI,
which sends Set-Cookie with Location: /abs-path
https://github.com/openwrt/luci
(Note that this loose check for matching con->uri.path is not perfect
and might not match if the CGI returned a path with a different case
and the server is on a case-insensitive filesystem, or if the path
returned by the CGI is rewritten elsewhere to a different con->uri.path
before getting to mod_cgi.)
RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response
http://www.ietf.org/rfc/rfc3875
x-ref:
"CGI local-redir handling conflicts with LuCI redirect w/ Set-Cookie"
https://redmine.lighttpd.net/issues/2779
"CGI local redirect not implemented correctly"
https://redmine.lighttpd.net/issues/2108
silence coverity warning
openssl 1.1.0 makes SSL_OP_NO_SSLv2 flag a no-op, leading to
logically dead code when used with openssl 1.1.0. However, the code
is still valid with earlier openssl versions, and so must be preserved.
This change should fix an issue with lighttpd on Debian kfreebsd-* arch
(kfreebsd-amd64 and kfreebsd-i386)
.libs/mod_cgi.o: In function `cgi_create_env':
./src/mod_cgi.c:1103: warning: pipe2 is not implemented and will always fail
lighttpd is single-threaded so there is no race with pipe()
and then fcntl() F_SETFD FD_CLOEXEC on the pair of pipe fds.
Using pipe2() where available is still slightly more efficient
by eliding the syscalls to set FD_CLOEXEC.
Lack of pipe2() on relic Unix as well as missing on Mac OSX is likely
one reason why threaded web servers such as nginx choose not to support
CGI except via an external service to the process. Without pipe2(),
race conditions exist and it is not safe for a threaded server to use
pipe() and fork() when the server also does not want to potentially leak
open file descriptors to various unrelated CGI scripts.
issue warning at startup, instead of fatal error, if SHA used in
secdownload.algorithm = "..." but mod_secdownload was built without
SSL crypto. When lighttpd is built without openssl, this allows most
tests/* to be run and pass, except the ones in tests/mod-secdownload.t
which use "hmac-sha1" or "hmac-sha256".
(alternatively, could have made, used isolated tests/secdownload.conf)
attempt to route requests to same backends based on requestor (client)
IP address and target host and port of request.
(thx bra)
x-ref:
"Source IP sticky load balancing patch"
https://redmine.lighttpd.net/issues/2117
support Transfer-Encoding: chunked request body in conjunction with
server.stream-request-body = 0
dynamic handlers will still return 411 Length Required if
server.stream-request-body = 1 or 2 (!= 0)
since CGI-like env requires CONTENT_LENGTH be set
(and mod_proxy currently sends HTTP/1.0 requests to backends,
and Content-Length recommended for robust interaction with backend)
x-ref:
"request: support Chunked Transfer Coding for HTTP PUT"
https://redmine.lighttpd.net/issues/2156
EXPERIMENTAL: basic recursive SSI <!--#include virtual="..." -->
Marked experimental since behavior may change in future.
Prior behavior was simpler and treated them all as files included as-is.
New behavior treats all #include virtual="..." targets as SSI files.
In the future, this may change to be a full recursive subrequest and the
virtual path may be treated as a new subrequest and might be something
other than SSI (e.g. might be CGI). This has not been implemented.
Current behavior processes <!--#include virtual="..." --> as static file
Enable new behavior by setting ssi.recursion-max to value other than 0.
ssi.recursion-max = X to set maximum recusion depth
x-ref:
"add recursion to the SSI #include directive"
https://redmine.lighttpd.net/issues/536
modules may now keep state for the lifetime of a connection,
rather than being required to be reset after every request (when
there can be multiple keep-alive requests on the same connection)
defer li_rand_init() until first use of li_rand_pseudo_bytes()
li_rand_init() is now deferred until first use so that installations
that do not use modules which use these routines do need to potentially
block at startup. Current use by core lighttpd modules is in mod_auth
HTTP Digest auth and in mod_usertrack. Deferring collection of random
data until first use may allow sufficient entropy to be collected by
kernel before first use, helping reduce or avoid situations in
low-entropy-generating embedded devices which might otherwise block
lighttpd for minutes at device startup. Further discussion in
https://redmine.lighttpd.net/boards/2/topics/6981
(prerequisite for future mod_ssi enhancements)
This commit also addresses the concern that mod_geoip would
(previously) need to be listed in modules prior to mod_ssi.
x-ref:
https://github.com/lighttpd/lighttpd1.4/pull/73
Glenn Strauss
Stefan Bühler