Commit Graph

3327 Commits (fea5bdc87349b5841ff70249258a0a4b31040313)

Author SHA1 Message Date
Glenn Strauss fea5bdc873 [core] con layer plugin_ctx separate from request 2020-08-02 07:47:41 -04:00
Glenn Strauss 5f7bf472c7 [core] server.feature-flags extensible config
server.feature-flags = ("server.xxxx" => "enable")
2020-08-02 07:46:27 -04:00
Glenn Strauss 5d7071293a [build] add --with-brotli to CI build
(thx stbuehler)
2020-08-02 06:46:22 -04:00
Glenn Strauss bc5d4b3492 [mod_compress] remove mod_compress 2020-08-02 06:46:22 -04:00
Glenn Strauss de9e2f9881 [tests] mod_compress -> mod_deflate 2020-08-02 06:46:22 -04:00
Glenn Strauss 672891a7d6 [doc] mod_compress -> mod_deflate 2020-08-02 06:46:22 -04:00
Glenn Strauss 8dd33a72dd [mod_deflate] mod_deflate subsumes mod_compress
translate config server.modules "mod_compress" to "mod_deflate"
accept compress.* directives, but issue DEPRECATED warning trace

mod_deflate differences from mod_compress:
- mod_compress compress.filetype was exact match; deflate.mimetypes is
  prefix match (behavior change might compress longer mimetype matches,
  which are likely of similar type and compressability)
- mod_compress always sent entire (compressed) file for Range request
  mod_deflate will stream compress range result (not stored in cache)
- mod_compress would short-circuit request with 403 Forbidden error
  if request file did not exist (stat() failed) (This behavior was
  unfriendly to other handlers)
- mod_compress compress.cache-dir layout differs from deflate.cache-dir
  layout; file cache should be cleared (or renamed) when migrating from
  mod_compress to mod_deflate
- mod_deflate does not issue Vary: Accept-Encoding if request does not
  contain Accept-Encoding.  The identity response can be cache by
  proxies and served to clients.  Historically, some proxies disabled
  caching if any Vary: response was seen.  If the Vary header is
  desirable, mod_deflate code which checks for Accept-Encoding and
  compression type can be moved down a few lines to be below the
  setting of the Vary response header.
2020-08-02 06:46:22 -04:00
Glenn Strauss be6da785c5 [mod_deflate] deflate.cache-dir compressed cache
(achieves feature parity with mod_compress)
2020-08-02 06:46:22 -04:00
Glenn Strauss 5b15c1f449 [mod_deflate] propagate errs from internal funcs
also, pass one less arg to internal funcs
2020-08-02 06:46:22 -04:00
Glenn Strauss b2fe37f0a9 [mod_deflate] fix typo in config option
(typo on master branch; never released)
2020-08-02 06:46:22 -04:00
Glenn Strauss f47ffb438c [build] bzip2 default to not-enabled in build
./configure --with-bzip2 to enable

(autoconf build previously had bzip2 enabled by default, but bzip2
 already disabled by default in CMake, SCONS, and meson build configs)
2020-08-02 06:46:22 -04:00
Glenn Strauss 8d5e237c60 [mod_deflate] Brotli support
configuration option: ./configure --with-brotli
2020-08-02 06:46:22 -04:00
Glenn Strauss be8047d82f [build] build fixes for AIX
  "Compile on AIX conflicting types for 'etag_create'"
2020-07-21 12:08:27 -04:00
Stefan Bühler 5722574df5 move to scripts 2020-07-21 12:04:12 +02:00
Stefan Bühler 852de34113 add 2020-07-21 12:01:50 +02:00
Glenn Strauss 1a516b4c4c [mod_vhostdb_dbi] allow strings and ints in config
e.g. allow "port" value to be a string or integer instead of requiring
     port be a string
2020-07-16 00:30:20 -04:00
Glenn Strauss 3dca923591 [mod_authn_mysql,file] use crypt() to save stack
use crypt() instead of crypt_r() to save stack space,
as struct crypt_data might be very large.

While crypt() is not thread-safe, lighttpd is single-threaded
2020-07-16 00:29:43 -04:00
Glenn Strauss fed2ecae19 [mod_authn_dbi] authn backend employing DBI 2020-07-16 00:29:43 -04:00
Glenn Strauss dba4a328c2 [core] Nettle assert()s if buffer len > digest sz 2020-07-13 17:39:30 -04:00
Glenn Strauss c3dd167dd9 [mod_openssl] fix build warnings on MacOS X
need undef OPENSSL_NO_STDIO for a few funcs which access filesystem
2020-07-13 17:39:30 -04:00
Glenn Strauss 33ae830291 [mod_auth] accept "nonce-secret" & "nonce_secret" 2020-07-13 17:39:30 -04:00
Glenn Strauss 563fe5f013 [mod_authn_ldap,mod_vhostdb_ldap] add timeout opt (#2805)
auth.backend.ldap.timeout = "2000000"    # quoted-string; microseconds
vhostdb.ldap += ("timeout" => "2000000") # quoted-string; microseconds

Default is 2000000 microseconds (2 secs)

These values are converted to struct timeval and passed to
  ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, );
  ldap_set_option(ld, LDAP_OPT_TIMEOUT, ...);
if those LDAP_OPT_* values are available (both are OpenLDAP-specific).

  "mod_auth caching"
2020-07-13 17:39:30 -04:00
Glenn Strauss e11514b086 [mod_auth,mod_vhostdb] add caching option (fixes #2805)
auth.cache    = ("max-age" => "600")
vhostdb.cache = ("max-age" => "600")

If specified with an empty array, default max-age is 600 secs (10 mins)
auth.cache    = ()
vhostdb.cache = ()

(Note: cache expiration occurs every 8 seconds, so maximum cache time
 might be up to max-age + 8 seconds)

  "mod_auth caching"
2020-07-13 17:39:27 -04:00
Rosen Penev fd2a12d636 [meson] add missing libmaxminddb section
Fixes the following error when building with -Dwith_maxminddb=true: ERROR: Unknown variable "libmaxminddb".

A full log can be found at meson-logs/meson-log.txt

Signed-off-by: Rosen Penev <>
2020-07-11 01:07:19 -04:00
Rosen Penev 04a7d98cb9 [meson] fix libmariadb dependency
libmariadb is what should be used as only the library portion is used.

Fixes compilation under OpenWrt.

Note that mariadb.pc is a superset that links to libmariadb.

Signed-off-by: Rosen Penev <>
2020-07-11 01:07:16 -04:00
Glenn Strauss 3057b63ea2 [multiple] address coverity warnings 2020-07-10 22:18:26 -04:00
Glenn Strauss 3119d938cb [mod_webdav] build fix: ifdef live_properties 2020-07-10 21:54:27 -04:00
Glenn Strauss 50ddc8108b [mod_webdav] update rc for PROPFIND allprop
(rc currently ignored in case of PROPFIND allprop)
2020-07-10 21:36:32 -04:00
Glenn Strauss 10b7aedcdb [mod_webdav] fix theoretical NULL dereference
fix theoretical NULL dereference identified by Coverity Scan

possible for PROPFIND with specific atypical choices in lighttpd.conf:
- possible for getcontenttype if no content type matches resource
  and no default type configured in lighttpd.conf
- possible for getetag if etag disabled in lighttpd.conf
2020-07-10 21:34:28 -04:00
Glenn Strauss 2781a3be6d [multiple] address coverity warnings 2020-07-10 21:34:28 -04:00
Glenn Strauss ea58cc6f3f [core] store fd in srv->stdin_fd during setup
(pedantic; no impact)

upon error, server will exit, so the impact of momentarily leaking fd
has no impact.  This commit holds the fd in srv->stdin_fd to address
Coverity warning about leaking fd when using server.bind = "/dev/stdin"
2020-07-10 19:30:24 -04:00
Glenn Strauss 6886e78bca [core] remove unused mbedtls_enabled flag
(initially used during development of mod_mbedtls, but no longer used)
2020-07-10 19:28:12 -04:00
Glenn Strauss 2f5fc68b59 [build] fix typo in src/ EXTRA_DIST 2020-07-10 19:27:42 -04:00
Glenn Strauss c75fd15d7a [build] remove tests/mod-userdir.t from builds
(replaced with src/t/test_mod_userdir.c)
2020-07-10 03:29:42 -04:00
Glenn Strauss be0d11414e [cmake] update deps for src/t/test_* 2020-07-10 03:20:37 -04:00
Glenn Strauss 52fb78459f [cmake] update deps for src/t/test_* 2020-07-10 03:13:08 -04:00
Glenn Strauss f85d1f9070 [core] splaytree_djbhash() in splaytree.h (reuse)
rename and move hashme() from stat_cache.c to splaytree_djbhash() in
splaytree.h for code reuse
2020-07-10 00:02:48 -04:00
Glenn Strauss 0d4c8edd8f [mod_mysql_vhost] deprecated; use mod_vhostdb_mysql
add warning at server startup when mod_mysql_vhost is loaded

mod_vhostdb_mysql subsumes mod_mysql_vhost.  Individual mod_mysql_vhost
directives map one-to-one to keywords in vhostdb.mysql = (...) directive
2020-07-09 23:45:06 -04:00
Glenn Strauss d334eaf1ee [core] uint32_t is plenty large for path names 2020-07-09 23:45:04 -04:00
Glenn Strauss 28f1867c11 quiet clang analyzer scan-build warnings
(expansion of buffer_string_lenth() inline function and CONST_BUF_LEN()
 macro, which always check for NULL, appears to cause the analyzer to
 believe that a pointer might be NULL in cases where it otherwise can
 not be NULL)

2020-07-08 22:51:32 -04:00
Glenn Strauss 98a224a4a2 [mod_openssl] prefer some WolfSSL native APIs
Prefer some WolfSSL native APIs when building with WolfSSL.

However, some functionality in WolfSSL is available only through the
WolfSSL compatibility layer for OpenSSL, so the effort to create a
native mod_wolfssl halted here.
2020-07-08 22:51:32 -04:00
Glenn Strauss ed088f5728 [core] error if s->socket_perms chmod() fails 2020-07-08 22:51:32 -04:00
Glenn Strauss 0ad57da55b [mod_openssl,mbedtls,gnutls,nss] fdevent_load_file
employ fdevent_load_file() to load CRL, X509 cert, and private key files
into memory
2020-07-08 22:51:32 -04:00
Glenn Strauss cc04468762 [core] fdevent_load_file() shared code 2020-07-08 22:51:32 -04:00
Glenn Strauss e00deb5578 [mod_nss] NSS option for TLS (fixes #1218)


mod_nss supports most ssl.* config options supported by mod_openssl

  "alternate ssl backend"
2020-07-08 22:51:32 -04:00
Glenn Strauss 8a1ddce0c2 [mod_openssl] default to set MinProtocol TLSv1.2
(behavior change)

TLSv1.0 and TLSv1.1 are deprecated and no longer supported by major

MinProtocol is configurable, if required:
e.g. ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.1")

2020-07-08 22:51:32 -04:00
Glenn Strauss 8422fa4573 [mod_gnutls] detect certs marked OCSP Must-Staple 2020-07-08 22:51:32 -04:00
Glenn Strauss f56c8e58e4 [mod_openssl] detect certs marked OCSP Must-Staple 2020-07-08 22:51:32 -04:00
Glenn Strauss 1c5def49f6 [mod_webdav] webdav.opts "propfind-depth-infinity"
webdav.opts = ("propfind-depth-infinity" => "enable")
to allow PROPFIND with Depth: infinity   (default "disable")
2020-07-08 22:51:32 -04:00
Glenn Strauss 6bf0b57787 [mod_webdav] unsafe-propfind-follow-symlink option
webdav.opts = ("unsafe-propfind-follow-symlink" => "enable")

This option is unsafe and unsupported.  This option enables non-standard
behavior.  If it works for you, great.  If it does not work for you,
then too bad.

WebDAV resource and collection concepts do not have an equivalence
to unix symlinks.  If "unsafe-propfind-follow-symlink" is "enable",
then lighttpd mod_webdav PROPFIND handling will follow symlinks
if and only if webdav.is_readonly = "enable" is also set.

Allowing symlinks is unsafe in the general case.  Using WebDAV methods
to MOVE a relative symlink does not update the symlink relative target.
LOCK is on the resource (e.g. a symlink), not the target of the symlink.
COPY replaces the resource (e.g. a symlink), not the target of the
symlink.  There are only a few examples of possibly many more reasons
why using symlinks in a WebDAV-writable collection is unsafe.
2020-07-08 22:51:32 -04:00