Commit Graph

2286 Commits (c3c78599ddf96c6b30764aaadbb577ea42f79b9f)

Author SHA1 Message Date
Glenn Strauss 961eba9e27 [TLS] openssl 1.1.0 hides struct bignum_st 2016-10-17 14:15:50 -04:00
Glenn Strauss ac90699d28 [autobuild] rm module stub code for missing deps
remove module stub code since the build system(s) no longer build any
module when the dependencies for a given module are not present.
2016-10-17 14:15:50 -04:00
Glenn Strauss c073a31f69 [autobuild] omit module stubs when missing deps
do not build any module (containing module stubs) when the dependencies
for a given module are not present.
2016-10-17 14:15:50 -04:00
Glenn Strauss 4184c382ec minor: make more convenient for me 2016-10-17 11:08:59 -04:00
Glenn Strauss aef6207965 [mod_deflate] ignore '*' in deflate.mimetypes
mod_deflate performs prefix match of deflate.mimetypes against the
response Content-Type.  Therefore "text/" will make all text/*
mimetypes.  This commit permits admin to specify "text/*" in
  deflate.mimetypes = ("text/*")
and mod_deflate will treat it as "text/".  This is done only when the
'*' is the last char in the mimetype.
2016-10-16 20:36:21 -04:00
Glenn Strauss 5feb2694f7 [autobuild] remove mod_authn_gssapi dep on resolv
remove mod_authn_gssapi explicit dependency on -lresolv
This fixes build on FreeBSD when ./configure --with-krb5
(On systems that need libresolv, libkrb5 depends on libresolv)

Also remove obsolete hstrerror() references from build
2016-10-16 08:56:30 -04:00
Glenn Strauss 22c560c228 - next is 1.4.43 2016-10-16 07:58:46 -04:00
Glenn Strauss 032772ab6c add random() to list of rand() fallbacks
(but prefer better mechanisms)
2016-10-16 05:11:38 -04:00
Glenn Strauss 768dc3aa5b quiet coverity warning 2016-10-16 05:01:08 -04:00
Glenn Strauss 3468974e0b [doc] NEWS 2016-10-16 03:07:46 -04:00
Glenn Strauss e82b980955 parallelize dist package build ( 2016-10-16 02:24:24 -04:00
Glenn Strauss 1f4874cb9c build w/o compiler warnings if no zlib or bz2lib 2016-10-16 01:58:36 -04:00
Glenn Strauss 3d0dcdf6ab fix SCons build 2016-10-16 01:58:25 -04:00
Glenn Strauss 609e9a5050 silence warnings from clang ccc-analyzer 2016-10-16 01:34:40 -04:00
Glenn Strauss 1e129cce45 ignore return value from fcntl() FD_CLOEXEC
setting or removing FD_CLOEXEC flag does not fail

Also the use in mod_fastcgi and mod_scgi is in child after fork().
If the fd already happens to be 0 (should not happen in current code)
and removing the FD_CLOEXEC flag fails, then the backend will fail
to start.
2016-10-15 23:28:09 -04:00
Glenn Strauss 9173d9aa7d [mod_cgi] fix pipe_cloexec() when no O_CLOEXEC 2016-10-15 23:28:09 -04:00
Glenn Strauss 7f4e156e5f [core] rand.[ch] to use better RNGs when available
prefer RAND_pseudo_bytes() (openssl), arc4random() or jrand48(),
if available, over rand()

These are not necessarily cryptographically secure, but should be better
than rand()
2016-10-15 23:28:09 -04:00
Glenn Strauss b8b38f3067 [TLS] set SSL_PROTOCOL, SSL_CIPHER* (fixes #2511)
initialized for mod_magnet and dynamic CGI-like handlers
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi) (*not* mod_proxy)

Note: in the future a config flag (does not yet exist) might be required
to activate initialization of these SSL_* env variables.  This might
occur if there are requests to access these variables in mod_accesslog,
and/or if more SSL_* varables are created, which would be more work.

  "pass protocol and cipher details to fcgi env"
2016-10-11 05:24:39 -04:00
Glenn Strauss 6155d7d9bb [TLS] set SSL_CLIENT_VERIFY w/ client cert (#1288, #2693)
(enabled with lighttpd.conf: ssl.verifyclient.activate = "enable")

  "SSL Client Certificate validation."
2016-10-11 05:16:34 -04:00
Glenn Strauss daab6f5cd5 [TLS] set SSL_CLIENT_M_SERIAL w/ client cert SN (fixes #2268)
  "Set serial number of the client certificate into environment"
2016-10-11 01:23:20 -04:00
Glenn Strauss d3ac5667a5 [TLS] replace env entries in https_add_ssl_entries
do not (incorrectly) extend SSL_* con->environment entry values
after url.rewrite occurs
2016-10-10 21:13:02 -04:00
Glenn Strauss 7fa5bfc938 consistent, shared code to create CGI env
consolidated from CGI, FastCGI, SCGI, SSI

Note: due to prior inconsistencies between the code in mod_cgi,
mod_fastcgi, mod_scgi, and mod_ssi, there are some minor behavior

CONTENT_LENGTH is now always set, even if 0
  (though CONTENT_LENGTH is never set for FASTCGI_AUTHORIZER)
PATH_INFO is created only if present, not if empty.
  (mod_fastcgi and mod_ssi previously set PATH_INFO="" (blank value))
PATH_TRANSLATED is now set if PATH_INFO is present
  (previously missing from mod_cgi and mod_ssi)

mod_ssi now sets DOCUMENT_ROOT to con->physical.basedir, like others
  (previously, mod_ssi set DOCUMENT_ROOT to con->physical.doc_root,
   which matched con->physical.basedir unless mod_alias changed basedir)
mod_ssi now sets REQUEST_URI to con->request.orig_uri, like others
  (previously, mod_ssi set REQUEST_URI to con->request.uri, which
   matched con->request.orig_uri except after redirects, error docs)
2016-10-10 13:37:36 -04:00
Glenn Strauss 81ce160d83 silence warnings from clang ccc-analyzer 2016-10-09 19:19:37 -04:00
Glenn Strauss ce24523b59 [core] restrict where config "else" clauses occur (#1268)
(improve validation)

  "condition should be optional in "else" clause in configuration file"
2016-10-09 09:20:37 -04:00
Glenn Strauss 79fb75709b [core] optional condition in config "else" clause (fixes #1268)
  "condition should be optional in "else" clause in configuration file"
2016-10-09 08:06:41 -04:00
Glenn Strauss 1018ff9922 [core] server.max-request-field-size (fixes #2130)
limits total size per request of request headers submitted by client

default limit set to 8k (prior lighttpd <= 1.4.41 hard-coded 64k limit)

(similar to Apache directive LimitRequestFieldSize)

  "limits the size of HTTP request header"
2016-10-06 00:18:07 -04:00
Glenn Strauss 2bea4fcb16 [core] make server.max-request-size scopeable (#1901)
  "make server.max-request-size scopeable"
2016-10-05 23:53:24 -04:00
Glenn Strauss 145ddc2ee7 [mod_mysql_vhost] support multiple '?' replacement (fixes #2163)
support multiple '?' replacement with escaped URI authority

  "Multiple use of '?' in mysql-vhost.sql"
2016-10-05 05:54:01 -04:00
Glenn Strauss d3cb9c8ced quiet coverity warning 2016-10-04 07:18:30 -04:00
Glenn Strauss 28d1213470 [mod_auth] fix printing of IP in error trace 2016-10-04 05:03:15 -04:00
Glenn Strauss 0f38b391dc DragonFlyBSD defines __DragonFly__ (#2746)
DragonFlyBSD defines __DragonFly__, not __DragonflyBSD__

(thx xenu)

  "[PATCH] better DragonFlyBSD support; fix crash"
2016-10-04 05:03:15 -04:00
Glenn Strauss ebbd639029 [cmake] build mod_authn_gssapi if WITH_KRB5 2016-10-04 05:03:15 -04:00
Glenn Strauss 06cb0c3024 [autobuild] update module/feature report
update module/feature report at end of ./configure run
2016-10-04 05:03:15 -04:00
Glenn Strauss 8b282db1d1 [mod_auth] permit specifying ldap DN; skip search (fixes #1248)
If auth.backend.ldap.filter begins with ',', then concatenate
uid=<username> with the 'filter' value to form the DN instead of using
ldap_search to query LDAP for the DN for the username, applying the
provided filter.

  "Allow User-DN to be supplied in the configuration rather than searching"
2016-10-04 05:03:15 -04:00
Glenn Strauss 59c753bf9f [mod_auth] ldap filter subst user for multiple '$' (fixes #1508)
ldap filter supports substitution of multiple '$', each with username

  "auth.backend.ldap.filter: only one/first "$" replaced with Username"
2016-09-28 16:57:43 -04:00
Glenn Strauss a401c9469a [mod_auth] HTTP Basic auth backends also do authz (#1817)
HTTP Basic auth backends now do both authn and authz
in order to allow provide a means to extend backends to optionally
support group authz

  "LDAP-Group support for HTTP-Authentication"
2016-09-28 06:36:38 -04:00
Glenn Strauss d4f812550c [mod_auth] refactor LDAP code into smaller funcs
better handling and freeing of resources
replace deprecated LDAP routines
2016-09-28 04:24:46 -04:00
Glenn Strauss a661944d7e [mod_scgi] add uwsgi protocol support
Configuring the protocol is controlled with new lighttpd.conf directive:
  scgi.protocol = "scgi"   # default
  scgi.protocol = "uwsgi"

The uwsgi protocol differs from the SCGI protocol only in how the
request is encoded.  The response from the backend is handled the
same way for both SCGI and uwsgi protocols.

2016-09-25 02:05:56 -04:00
Glenn Strauss 93afda9c8e performance: use Linux extended syscalls and flags
reduce syscalls on Linux using extended syscalls and flags,
e.g. accept4(), pipe2(), O_CLOEXEC, SOCK_CLOEXEC, SOCK_NONBLOCK

github: closes #2
2016-09-24 02:23:49 -04:00
Glenn Strauss 8047c2f448 fix errors detected by Coverity Scan
fix potential NULL pointer dereference in mod_deflate.c
remove logically dead code in connection-glue.c
add coverity annotations to see if some issues will be reclassified
2016-09-23 09:09:57 -04:00
Glenn Strauss d2b7c7bad2 remove excess initializers (fix compiler warnings) 2016-09-23 04:23:25 -04:00
Glenn Strauss ed3065cfb2 [CMake] fix clang -Wcast-align warnings in lemon.c 2016-09-23 02:24:23 -04:00
Glenn Strauss 177f5509bd [SCons] define with_geoip for SCons build 2016-09-23 01:15:52 -04:00
Glenn Strauss 9e6524fef5 [SCons] fix syntax error in SConstruct 2016-09-23 01:05:58 -04:00
Glenn Strauss 4ba57b2f67 [SCons] define with_krb5 for SCons build 2016-09-23 00:58:43 -04:00
Glenn Strauss e9ee22c204 [autobuild] skip two new tests if no fcgi-auth 2016-09-23 00:58:41 -04:00
Glenn Strauss 8576341df3 silence warnings from clang ccc-analyzer
rewrite some (generally correct) code for clang ccc-analyzer to be
able to recognize the patterns instead of issuing spurious warnings.
2016-09-23 00:27:43 -04:00
Glenn Strauss 1c1a63786e [mod_auth] mod_authn_gssapi Kerberos auth backend (fixes #1899)
module status: experimental; more testing and review needed

Kerberos library calls have been preserved from original patch set
and should be reviewed.

module has been quickly tested with Basic auth (Use over TLS!)

SPNEGO -has not- been tested.  Again, kerberos library calls have
been preserved from original patch set.  YMMV. (Use over TLS!)

  "Kerberos/GSSAPI Delegation Support"
2016-09-22 23:15:38 -04:00
Glenn Strauss 7ba06c71a6 [mod_auth] structured data, register auth schemes
- parse auth.* directives into structured data during config processing
- register auth schemes (basic, digest, extern, ...) for extensibility
- remove auth.debug directive
2016-09-22 19:54:57 -04:00
Glenn Strauss 381aaae363 remove unused array type TYPE_COUNT data_count
(unused type, and very similar to TYPE_INTEGER data_integer,
 differing only in initial value and how dup inserts are merged)
2016-09-22 19:54:57 -04:00