Elan Ruusamäe [Sun, 28 May 2023 11:39:33 +0000 (14:39 +0300)]
Fix ssl global init
(configfile-glue.c.338) WARNING: ssl.openssl.ssl-conf-cmd must be in
global scope or $SERVER["socket"] with '==', or else is ignored
(mod_openssl.c.2674) ssl.pemfile has to be set in same $SERVER["socket"]
scope as other ssl.* directives, unless only ssl.engine is set,
inheriting ssl.* from global scope
Important changes from 1.4.69
- speed up CGI spawning
- native Windows build (experimental) (not packaged; no installer)
- support HTTP/2 downstream proxy serving multiple clients on single connection (mod_extforward, mod_maxminddb)
- restructure code to isolate HTTP/2
Behavior Changes (previously announced):
- no longer building separate modules for built-in modules
- lighttpd 1.4.70 omits building separate (unused) modules for:
mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile
mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost
mod_staticfile
Deprecated: mod_evasive has been removed.
> mod_evasive can be replaced by mod_magnet and a few lines of lua:
> Replacement:
> - https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
> - https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
> - https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
Deprecated: mod_secdownload has been removed.
> mod_secdownload can be replaced by mod_magnet and a few lines of lua:
> Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
> mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available
Deprecated: mod_usertrack has been removed.
> mod_usertrack can be replaced by mod_magnet and a few lines of lua:
> Replacement:
> https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
> mod_usertrack historically uses insecure MD5.
Future Scheduled Behavior Changes:
> lighttpd 1.4.68 builds common modules into the lighttpd base
> executable. Separate dynamic modules are still built for the benefit
> of existing packaging scripts in various distributions, but those
> modules are not used. A future version of lighttpd will omit building
> separate modules for: mod_access mod_alias mod_evhost mod_expire
> mod_fastcgi mod_indexfile mod_redirect mod_rewrite mod_scgi mod_setenv
> mod_simple_vhost mod_staticfile
* HTTP/2 support will be enabled by default in a future release
* graceful restart/shutdown default timeout will change from
0 (infinite/no timeout) to 5 seconds (or some similar non-zero
period)
configure an alternative with:
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
Elan Ruusamäe [Mon, 23 Oct 2017 08:08:49 +0000 (11:08 +0300)]
up to 1.4.47, fixes regressions in 1.4.46
- [mod_authn_gssapi] needs -lcom_err under Darwin
- [core] stricter validation of request-URI begin
- [core] fix 1.4.46 regression in config match (fixes #2830)
- [core] normalize config addrs for != match (#2830)
- [core] normalize config addrs for eq and ne (#2830)
- [doc] use https:// URLs to .lighttpd.net resources
- [core] fix 1.4.46 regression in Last-Modified
Important changes:
- new modules: mod_openssl, mod_vhostdb, mod_wstunnel
- new protocols: Upgrade: websocket, HAProxy PROXY, RFC7239 Forwarded
Selected features:
- HTTP/1.1 Upgrade: websocket (mod_proxy, mod_cgi, and mod_wstunnel)
- HTTP/1.1 Expect: 100-continue
- proxy: HAProxy PROXY protocol (mod_extforward, mod_proxy)
- proxy: RFC7239 Forwarded HTTP extension (mod_extforward, mod_proxy)
- proxy: basic host/URL header remapping to/from backend
- config: resolve DNS names to first IP returned at lighttpd startup
- config: allow overriding prior config values using :=
- config: allow conditions on arbitrary HTTP request headers ($REQUEST_HEADER[])
- new module: mod_openssl - isolate SSL/TLS code; cleaner abstractions
- new module: mod_vhostdb* - framework for mass vhost via database backends
- new module: mod_wstunnel - decode/encode websocket proto to/from backend
- common code for dynamic backends; common features; better process management
- numerous new directives for experimental new features
Bug Fixes:
- core: fix streaming response when client catches up to stream from backend
- CGI: RFC3875 CGI local-redir strict adherence; local-redir disable by default
- BSD: use kqueue in level-triggered mode
- fix triggered assert on HTTP chunked input
- SSL: fix bidirectional streaming over SSL
Behavior Changes:
- mod_scgi binds to INADDR_LOOPBACK if no host is specified (prior behavior
used INADDR_ANY). If lighttpd is spawning SCGI backend, default is now to
limit exposure to localhost unless explicitly configured otherwise. This
matches the behavior (since 2008) in mod_fastcgi.
- core: mimetype.assign matches basename or longest extension(s) (".tar.gz"),
not just any suffix match, if 16 or more entries
- core: increase default server.max-keep-alive-requests from 16 to 100
- proxy: add X-Forwarded-Host
- openssl: ssl.read-ahead = "disable" default (safer for slow embedded systems)
- mod_cgi cgi.local-redir = "disable" default (RFC3875 6.2.2 local-redir
optimization added in lighttpd 1.4.40)
- reproducible builds: omit __DATE__ and __TIME__ in lighttpd -h or lighttpd -v
Elan Ruusamäe [Wed, 10 May 2017 15:13:02 +0000 (18:13 +0300)]
load authn_ldap
fixes warnings from logs:
2017-05-10 18:11:33: (configfile.c.41) Warning: please add "mod_authn_ldap" to server.modules list in lighttpd.conf. A future release of lighttpd 1.4.x will not automatically load mod_authn_ldap and lighttpd will fail to start up since your lighttpd.conf uses auth.backend = "ldap".
Elan Ruusamäe [Sat, 24 Dec 2016 17:26:16 +0000 (19:26 +0200)]
up to 1.4.44
- [mod_scgi] fix segfault (fixes #2762)
- [mod_authn_gssapi] fix memory leak
- [config] warn if mod_authn_ldap,mysql not listed
- [mod_magnet] fix magnet_cgi_set() set of env vars (fixes #2763)
- [mod_cgi] FreeBSD 9.3/MacOSX does not have pipe2() (fixes #2765)
- [mod_extforward] fix crash on invalid IP (fixes #2766)
- [mod_fastcgi] fix segfault if all backends down (fixes #2768)
- [mod_cgi] fix out of sockets error for POST to CGI (fixes #2771)
- [mod_auth] compile fix for Mac OS X XCode (fixes #2772)
- [mod_authn_gssapi] better resource cleanup
- [core] compile fix for Mac OS X 10.6 (old) (fixes #2773)
- fix race in dynamic handler configs (reentrancy) (fixes #2774)
- [mod_authn_mysql] close mysql_conn in cleanup
- [mod_webdav] compile fix when locking not enabled
- load mod_auth & mod_authn_file in sample/test.conf
- comment out auth.backend.ldap.* in tests/*.conf
- [mod_fastcgi,mod_scgi] warn if invalid "bin-path"
- RAND_pseudo_bytes() is deprecated in openssl 1.1.0
- openssl 1.1.0 init and cleanup
- [mod_cgi] remove direct calls to network_backend*
- [build] build network_*.c into lighttpd executable
- suggest inclusion of mod_geoip... before mod_ssi.
- set systemd settings similar to lighttpd2
- [doc] remove reference to Linux rt-signals
- [mod_authn_gssapi] fix missing error ret, coverity
- [core] rename li_rand() to li_rand_pseudo_bytes()
- remove #include "stream.h" where not used
- [mod_cml] include lua headers before base.h
- [core] combine duplicated connection reset code
- [mod_ssi] produce content in subrequest hook
- [core] remove srv->entropy[]
- [core] defer li_rand_init() until first use
- [core] permit connection-level state in modules
- [mod_dirlisting] render dirlisting as HTML (fixes #2767)
- [mod_proxy] replace HTTP Host sent to backend (fixes #2770)
- [mod_ssi] basic recursive SSI include virtual (fixes #536)
- [mod_ssi] implement, ignore <!--#comment ... -->
- [core] consolidate duplicated read-to-close code
- [core] fix segfault when parsing a bad config file
- [core] support Transfer-Encoding: chunked req body (fixes #2156)
- [autobuild] set NO_RDYNAMIC=yes for midipix
- [mod_proxy] proxy.balance = "sticky" option (fixes #2117)
- [mod_secdownload] warn if SHA used w/o SSL crypto
- [build] compile fixes for AIX
- [build] check for pipe2() at configure time
- [mod_evhost] fix an incorrect error trace
- [tests] mark tests/docroot/www/*.pl scripts a+x
- [mod_cgi] fall back to pipe() if pipe2() fails
- fix SCons fullstatic build with glibc pthreads
- [TLS] openssl 1.1.0 makes SSL_OP_NO_SSLv2 no-op
Elan Ruusamäe [Mon, 5 Dec 2016 16:38:24 +0000 (18:38 +0200)]
run aclocal before autoheader
+ autoheader
aclocal.m4:17: warning: this file was generated for autoconf 2.69.
You have another version of autoconf. It may work, but is not guaranteed to.
If you have problems, you may need to regenerate the build system entirely.
To do so, use the procedure documented by the package, typically 'autoreconf'.