Index: configure.in =================================================================== --- configure.in (.../tags/lighttpd-1.4.13) (revision 1718) +++ configure.in (.../branches/lighttpd-1.4.x) (revision 1718) @@ -398,7 +398,7 @@ AC_MSG_RESULT($WITH_LUA) if test "$WITH_LUA" != "no"; then - if test "$WITH_LUA" == "yes"; then + if test "$WITH_LUA" = "yes"; then WITH_LUA=lua fi PKG_CHECK_MODULES(LUA, $WITH_LUA >= 5.1, [ @@ -538,7 +538,7 @@ AC_OUTPUT -do_build="mod_cgi mod_fastcgi mod_proxy mod_evhost mod_simple_vhost mod_access mod_alias mod_setenv mod_usertrack mod_auth mod_status mod_accesslog mod_rrdtool mod_secdownload mod_expire mod_compress mod_dirlisting mod_indexfiles mod_userdir mod_webdav mod_staticfile mod_scgi mod_flv_streaming" +do_build="mod_cgi mod_fastcgi mod_extforward mod_proxy mod_evhost mod_simple_vhost mod_access mod_alias mod_setenv mod_usertrack mod_auth mod_status mod_accesslog mod_rrdtool mod_secdownload mod_expire mod_compress mod_dirlisting mod_indexfiles mod_userdir mod_webdav mod_staticfile mod_scgi mod_flv_streaming" plugins="mod_rewrite mod_redirect mod_ssi mod_trigger_b4_dl" features="regex-conditionals" Index: src/mod_cgi.c =================================================================== --- src/mod_cgi.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/mod_cgi.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -842,6 +842,12 @@ CONST_BUF_LEN(con->authed_user)); } +#ifdef USE_OPENSSL + if (srv_sock->is_ssl) { + cgi_env_add(&env, CONST_STR_LEN("HTTPS"), CONST_STR_LEN("on")); + } +#endif + /* request.content_length < SSIZE_MAX, see request.c */ ltostr(buf, con->request.content_length); cgi_env_add(&env, CONST_STR_LEN("CONTENT_LENGTH"), buf, strlen(buf)); Index: src/base.h =================================================================== --- src/base.h (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/base.h (.../branches/lighttpd-1.4.x) (revision 1718) @@ -481,7 +481,9 @@ enum { STAT_CACHE_ENGINE_UNSET, STAT_CACHE_ENGINE_NONE, STAT_CACHE_ENGINE_SIMPLE, +#ifdef HAVE_FAM_H STAT_CACHE_ENGINE_FAM +#endif } stat_cache_engine; unsigned short enable_cores; } server_config; Index: src/connections.c =================================================================== --- src/connections.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/connections.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -500,11 +500,10 @@ case 201: case 301: case 302: + case 303: break; case 206: /* write_queue is already prepared */ - con->file_finished = 1; - break; case 205: /* class: header only */ case 304: @@ -970,7 +969,7 @@ } } else { /* a splited \r \n */ - return -1; + break; } } } Index: src/configfile.c =================================================================== --- src/configfile.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/configfile.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -218,13 +218,19 @@ srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_SIMPLE; } else if (buffer_is_equal_string(stat_cache_string, CONST_STR_LEN("simple"))) { srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_SIMPLE; +#ifdef HAVE_FAM_H } else if (buffer_is_equal_string(stat_cache_string, CONST_STR_LEN("fam"))) { srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_FAM; +#endif } else if (buffer_is_equal_string(stat_cache_string, CONST_STR_LEN("disable"))) { srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_NONE; } else { log_error_write(srv, __FILE__, __LINE__, "sb", - "server.stat-cache-engine can be one of \"disable\", \"simple\", \"fam\", but not:", stat_cache_string); + "server.stat-cache-engine can be one of \"disable\", \"simple\"," +#ifdef HAVE_FAM_H + " \"fam\"," +#endif + " but not:", stat_cache_string); ret = HANDLER_ERROR; } Index: src/mod_scgi.c =================================================================== --- src/mod_scgi.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/mod_scgi.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -2528,7 +2528,7 @@ hctx->reconnects < 5) { scgi_reconnect(srv, hctx); - log_error_write(srv, __FILE__, __LINE__, "sdsdsd", + log_error_write(srv, __FILE__, __LINE__, "ssdsd", "response not sent, request not sent, reconnection.", "connection-fd:", con->fd, "fcgi-fd:", hctx->fd); Index: src/request.c =================================================================== --- src/request.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/request.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -85,6 +85,9 @@ /* Host is empty */ if (host_len == 0) return -1; + /* if the hostname ends in a "." strip it */ + if (host->ptr[host_len-1] == '.') host_len -= 1; + /* scan from the right and skip the \0 */ for (i = host_len - 1; i + 1 > 0; i--) { const char c = host->ptr[i]; Index: src/network_backends.h =================================================================== --- src/network_backends.h (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/network_backends.h (.../branches/lighttpd-1.4.x) (revision 1718) @@ -14,7 +14,7 @@ # include #endif -#if defined HAVE_SYS_UIO_H && defined HAVE_SENDFILE && defined HAVE_WRITEV && defined(__FreeBSD__) +#if defined HAVE_SYS_UIO_H && defined HAVE_SENDFILE && defined HAVE_WRITEV && (defined(__FreeBSD__) || defined(__DragonFly__)) # define USE_FREEBSD_SENDFILE # include #endif Index: src/mod_proxy.c =================================================================== --- src/mod_proxy.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -656,6 +656,7 @@ } if (-1 == (r = read(hctx->fd, hctx->response->ptr + hctx->response->used - 1, b))) { + if (errno == EAGAIN) return 0; log_error_write(srv, __FILE__, __LINE__, "sds", "unexpected end-of-file (perhaps the proxy process died):", proxy_fd, strerror(errno)); Index: src/mod_extforward.c =================================================================== --- src/mod_extforward.c (.../tags/lighttpd-1.4.13) (revision 0) +++ src/mod_extforward.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -0,0 +1,490 @@ +#include +#include +#include +#include +#include + +#include "base.h" +#include "log.h" +#include "buffer.h" + +#include "plugin.h" + +#include "inet_ntop_cache.h" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +/** + * mod_extforward.c for lighttpd, by comman.kang gmail com + * extended, modified by Lionel Elie Mamane (LEM), lionel mamane lu + * + * Config example: + * + * Trust proxy 10.0.0.232 and 10.0.0.232 + * extforward.forwarder = ( "10.0.0.232" => "trust", + * "10.0.0.233" => "trust" ) + * + * Trust all proxies (NOT RECOMMENDED!) + * extforward.forwarder = ( "all" => "trust") + * + * Note that "all" has precedence over specific entries, + * so "all except" setups will not work. + * + * Note: The effect of this module is variable on $HTTP["remotip"] directives and + * other module's remote ip dependent actions. + * Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP. + * Things done in between these two moments will match on the real client's IP. + * The moment things are done by a module depends on in which hook it does things and within the same hook + * on whether they are before/after us in the module loading order + * (order in the server.modules directive in the config file). + * + * Tested behaviours: + * + * mod_access: Will match on the real client. + * + * mod_accesslog: + * In order to see the "real" ip address in access log , + * you'll have to load mod_extforward after mod_accesslog. + * like this: + * + * server.modules = ( + * ..... + * mod_accesslog, + * mod_extforward + * ) + * + * Known issues: + * seems causing segfault with mod_ssl and $HTTP{"socket"} directives + * LEM 2006.05.26: Fixed segfault $SERVER["socket"] directive. Untested with SSL. + * + * ChangeLog: + * 2005.12.19 Initial Version + * 2005.12.19 fixed conflict with conditional directives + * 2006.05.26 LEM: IPv6 support + * 2006.05.26 LEM: Fix a segfault with $SERVER["socket"] directive. + * 2006.05.26 LEM: Run at uri_raw time, as we don't need to see the URI + * In this manner, we run before mod_access and $HTTP["remoteip"] directives work! + * 2006.05.26 LEM: Clean config_cond cache of tests whose result we probably change. + */ + + +/* plugin config for all request/connections */ + +typedef struct { + array *forwarder; +} plugin_config; + +typedef struct { + PLUGIN_DATA; + + plugin_config **config_storage; + + plugin_config conf; +} plugin_data; + + +/* context , used for restore remote ip */ + +typedef struct { + sock_addr saved_remote_addr; + buffer *saved_remote_addr_buf; +} handler_ctx; + + +static handler_ctx * handler_ctx_init(sock_addr oldaddr, buffer *oldaddr_buf) { + handler_ctx * hctx; + hctx = calloc(1, sizeof(*hctx)); + hctx->saved_remote_addr = oldaddr; + hctx->saved_remote_addr_buf = oldaddr_buf; + return hctx; +} + +static void handler_ctx_free(handler_ctx *hctx) { + free(hctx); +} + +/* init the plugin data */ +INIT_FUNC(mod_extforward_init) { + plugin_data *p; + p = calloc(1, sizeof(*p)); + return p; +} + +/* destroy the plugin data */ +FREE_FUNC(mod_extforward_free) { + plugin_data *p = p_d; + + UNUSED(srv); + + if (!p) return HANDLER_GO_ON; + + if (p->config_storage) { + size_t i; + + for (i = 0; i < srv->config_context->used; i++) { + plugin_config *s = p->config_storage[i]; + + if (!s) continue; + + array_free(s->forwarder); + + free(s); + } + free(p->config_storage); + } + + + free(p); + + return HANDLER_GO_ON; +} + +/* handle plugin config and check values */ + +SETDEFAULTS_FUNC(mod_extforward_set_defaults) { + plugin_data *p = p_d; + size_t i = 0; + + config_values_t cv[] = { + { "extforward.forwarder", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ + { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } + }; + + if (!p) return HANDLER_ERROR; + + p->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *)); + + for (i = 0; i < srv->config_context->used; i++) { + plugin_config *s; + + s = calloc(1, sizeof(plugin_config)); + s->forwarder = array_init(); + + cv[0].destination = s->forwarder; + + p->config_storage[i] = s; + + if (0 != config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv)) { + return HANDLER_ERROR; + } + } + + return HANDLER_GO_ON; +} + +#define PATCH(x) \ + p->conf.x = s->x; +static int mod_extforward_patch_connection(server *srv, connection *con, plugin_data *p) { + size_t i, j; + plugin_config *s = p->config_storage[0]; + + PATCH(forwarder); + + /* LEM: The purpose of this seems to match extforward configuration + stanzas that are not in the global context, but in some sub-context. + I fear this will break contexts of the form HTTP['remote'] = . + (in the form that they do not work with the real remote, but matching on + the proxy instead). + + I'm not sure this this is all thread-safe. Is the p we are passed different + for each connection or is it global? + + mod_fastcgi does the same, so it must be safe. + */ + /* skip the first, the global context */ + for (i = 1; i < srv->config_context->used; i++) { + data_config *dc = (data_config *)srv->config_context->data[i]; + s = p->config_storage[i]; + + /* condition didn't match */ + if (!config_check_cond(srv, con, dc)) continue; + + /* merge config */ + for (j = 0; j < dc->value->used; j++) { + data_unset *du = dc->value->data[j]; + + if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.forwarder"))) { + PATCH(forwarder); + } + } + } + + return 0; +} +#undef PATCH + + +static void put_string_into_array_len(array *ary, const char *str, int len) +{ + data_string *tempdata; + if (len == 0) + return; + tempdata = data_string_init(); + buffer_copy_string_len(tempdata->value,str,len); + array_insert_unique(ary,(data_unset *)tempdata); +} +/* + extract a forward array from the environment +*/ +static array *extract_forward_array(buffer *pbuffer) +{ + array *result = array_init(); + if (pbuffer->used > 0) { + char *base, *curr; + /* state variable, 0 means not in string, 1 means in string */ + int in_str = 0; + for (base = pbuffer->ptr, curr = pbuffer->ptr; *curr; curr++) + { + if (in_str) { + if ( (*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' ) { + /* found an separator , insert value into result array */ + put_string_into_array_len(result, base, curr-base); + /* change state to not in string */ + in_str = 0; + } + } else { + if (*curr >= '0' && *curr <= '9') + { + /* found leading char of an IP address, move base pointer and change state */ + base = curr; + in_str = 1; + } + } + } + /* if breaking out while in str, we got to the end of string, so add it */ + if (in_str) + { + put_string_into_array_len(result, base, curr-base); + } + } + return result; +} + +#define IP_TRUSTED 1 +#define IP_UNTRUSTED 0 +/* + check whether ip is trusted, return 1 for trusted , 0 for untrusted +*/ +static int is_proxy_trusted(const char *ipstr, plugin_data *p) +{ + data_string* allds = (data_string *) array_get_element(p->conf.forwarder,"all"); + if (allds) { + if (strcasecmp(allds->value->ptr,"trust") == 0) + return IP_TRUSTED; + else + return IP_UNTRUSTED; + } + return (data_string *)array_get_element(p->conf.forwarder,ipstr) ? IP_TRUSTED : IP_UNTRUSTED ; +} + +struct addrinfo *ipstr_to_sockaddr(const char *host) +{ + struct addrinfo hints, *res0; + int result; + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; + + result = getaddrinfo(host, NULL, &hints, &res0); + if ( result != 0 ) + { + fprintf(stderr,"could not resolve hostname %s because %s\n", host,gai_strerror(result)); + if (result == EAI_SYSTEM) + perror("The system error is "); + return NULL; + } + else + if (res0==0) + fprintf(stderr, "Problem in resolving hostname %s: succeeded, but no information returned\n", host); + + return res0; +} + + +static void clean_cond_cache(server *srv, connection *con) +{ + size_t i; + + for (i = 0; i < srv->config_context->used; i++) { + data_config *dc = (data_config *)srv->config_context->data[i]; + + if (dc->comp == COMP_HTTP_REMOTEIP) + { + con->cond_cache[i].result = COND_RESULT_UNSET; + con->cond_cache[i].patterncount = 0; + } + } +} + +URIHANDLER_FUNC(mod_extforward_uri_handler) { + plugin_data *p = p_d; + data_string *forwarded = NULL; +#ifdef HAVE_IPV6 + char b2[INET6_ADDRSTRLEN + 1]; +#endif + const char *s; + UNUSED(srv); + mod_extforward_patch_connection(srv, con, p); + +/* log_error_write(srv, __FILE__, __LINE__,"s","mod_extforward_uri_handler called\n"); */ + + /* if the remote ip itself is not trusted , then do nothing */ +#ifdef HAVE_IPV6 + s = inet_ntop(con->dst_addr.plain.sa_family, + con->dst_addr.plain.sa_family == AF_INET6 ? + &(con->dst_addr.ipv6.sin6_addr) : + &(con->dst_addr.ipv4.sin_addr), + b2, + (sizeof b2) - 1); +#else + s = inet_ntoa(con->dst_addr.ipv4.sin_addr); +#endif + if (IP_UNTRUSTED == is_proxy_trusted (s, p) ) + return HANDLER_GO_ON; + + /* log_error_write(srv, __FILE__, __LINE__,"s","remote address is trusted proxy, go on\n");*/ + if (con->request.headers && + ((forwarded = (data_string *) array_get_element(con->request.headers,"X-Forwarded-For")) || + (forwarded = (data_string *) array_get_element(con->request.headers, "Forwarded-For")))) + { + /* log_error_write(srv, __FILE__, __LINE__,"s","found forwarded header\n");*/ + /* found forwarded for header */ + int i; + array *forward_array = extract_forward_array(forwarded->value); + char *real_remote_addr = NULL; +#ifdef HAVE_IPV6 + struct addrinfo *addrlist = NULL; +#endif + /* Testing shows that multiple headers and multiple values in one header + come in _reverse_ order. So the first one we get is the last one in the request. */ + for (i = forward_array->used - 1; i >= 0; i--) + { + data_string *ds = (data_string *) forward_array->data[i]; + if (ds) { +/* log_error_write(srv, __FILE__, __LINE__,"ss","forward",ds->value->ptr); */ + real_remote_addr = ds->value->ptr; + break; + /* LEM: What the hell is this about? + We test whether the forwarded for IP is trusted? + This looks like an ugly hack to handle multiple Forwarded-For's + and avoid those set to our proxies, or something like that. + My testing shows that reverse proxies add a new X-Forwarded-For header, + and we should thus take the last one, which is the first one we see. + + The net result of the old code is that we use the first untrusted IP, + or if all are trusted, the last trusted IP. + That's crazy. So I've disabled this. + */ + /* check whether it is trusted */ +/* if (IP_UNTRUSTED == is_proxy_trusted(ds->value->ptr,p) ) */ +/* break; */ +/* log_error_write(srv, __FILE__, __LINE__,"ss",ds->value->ptr," is trusted."); */ + + } + else { + /* bug ? bailing out here */ + break; + } + } + if (real_remote_addr != NULL) /* parsed */ + { + sock_addr s; + struct addrinfo *addrs_left; +/* log_error_write(srv, __FILE__, __LINE__,"ss","use forward",real_remote_addr); */ +#ifdef HAVE_IPV6 + addrlist = ipstr_to_sockaddr(real_remote_addr); + s.plain.sa_family = AF_UNSPEC; + for (addrs_left = addrlist; addrs_left != NULL; + addrs_left = addrs_left -> ai_next) + { + s.plain.sa_family = addrs_left->ai_family; + if ( s.plain.sa_family == AF_INET ) + { + s.ipv4.sin_addr = ((struct sockaddr_in*)addrs_left->ai_addr)->sin_addr; + break; + } + else if ( s.plain.sa_family == AF_INET6 ) + { + s.ipv6.sin6_addr = ((struct sockaddr_in6*)addrs_left->ai_addr)->sin6_addr; + break; + } + } +#else + s.ipv4.sin_addr.s_addr = inet_addr(real_remote_addr); + s.plain.sa_family = (s.ipv4.sin_addr.s_addr == 0xFFFFFFFF) ? AF_UNSPEC : AF_INET; +#endif + if (s.plain.sa_family != AF_UNSPEC) + { + /* we found the remote address, modify current connection and save the old address */ + if (con->plugin_ctx[p->id]) { + log_error_write(srv, __FILE__, __LINE__,"patching an already patched connection!"); + handler_ctx_free(con->plugin_ctx[p->id]); + con->plugin_ctx[p->id] = NULL; + } + /* save old address */ + con->plugin_ctx[p->id] = handler_ctx_init(con->dst_addr, con->dst_addr_buf); + /* patch connection address */ + con->dst_addr = s; + con->dst_addr_buf = buffer_init(); + buffer_copy_string(con->dst_addr_buf, real_remote_addr); +/* log_error_write(srv, __FILE__, __LINE__,"ss","Set dst_addr_buf to ", real_remote_addr); */ + /* Now, clean the conf_cond cache, because we may have changed the results of tests */ + clean_cond_cache(srv, con); + } +#ifdef HAVE_IPV6 + if (addrlist != NULL ) freeaddrinfo(addrlist); +#endif + } + array_free(forward_array); + } + + /* not found */ + return HANDLER_GO_ON; +} + +CONNECTION_FUNC(mod_extforward_restore) { + plugin_data *p = p_d; + UNUSED(srv); + + /* LEM: This seems completely unuseful, as we are not using + p->conf in this function. Furthermore, it brings a + segfault if one of the conditional configuration + blocks is "SERVER['socket'] == foo", because the + socket is not known yet in the srv/con structure. + */ + /* mod_extforward_patch_connection(srv, con, p); */ + + /* restore this connection's remote ip */ + if (con->plugin_ctx[p->id]) { + handler_ctx *hctx = con->plugin_ctx[p->id]; + con->dst_addr = hctx->saved_remote_addr; + buffer_free(con->dst_addr_buf); + con->dst_addr_buf = hctx->saved_remote_addr_buf; +/* log_error_write(srv, __FILE__, __LINE__,"s","LEM: Reset dst_addr_buf"); */ + handler_ctx_free(hctx); + con->plugin_ctx[p->id] = NULL; + /* Now, clean the conf_cond cache, because we may have changed the results of tests */ + clean_cond_cache(srv, con); + } + return HANDLER_GO_ON; +} + + +/* this function is called at dlopen() time and inits the callbacks */ + +int mod_extforward_plugin_init(plugin *p) { + p->version = LIGHTTPD_VERSION_ID; + p->name = buffer_init_string("extforward"); + + p->init = mod_extforward_init; + p->handle_uri_raw = mod_extforward_uri_handler; + p->handle_request_done = mod_extforward_restore; + p->connection_reset = mod_extforward_restore; + p->set_defaults = mod_extforward_set_defaults; + p->cleanup = mod_extforward_free; + + p->data = NULL; + + return 0; +} + Property changes on: src/mod_extforward.c ___________________________________________________________________ Name: svn:eol-style + native Index: src/Makefile.am =================================================================== --- src/Makefile.am (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/Makefile.am (.../branches/lighttpd-1.4.x) (revision 1718) @@ -199,6 +199,11 @@ mod_fastcgi_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_fastcgi_la_LIBADD = $(common_libadd) +lib_LTLIBRARIES += mod_extforward.la +mod_extforward_la_SOURCES = mod_extforward.c +mod_extforward_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined +mod_extforward_la_LIBADD = $(common_libadd) + lib_LTLIBRARIES += mod_access.la mod_access_la_SOURCES = mod_access.c mod_access_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined Index: src/network_writev.c =================================================================== --- src/network_writev.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/network_writev.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -55,7 +55,7 @@ const size_t max_chunks = MAX_IOVEC; #elif defined(UIO_MAXIOV) /* Linux x86 (glibc-2.2.5-233) */ const size_t max_chunks = UIO_MAXIOV; -#elif (defined(__FreeBSD__) && __FreeBSD_version < 500000) /* FreeBSD 4.x */ +#elif (defined(__FreeBSD__) && __FreeBSD_version < 500000) || defined(__DragonFly__) /* FreeBSD 4.x */ const size_t max_chunks = 1024; /* UIO_MAXIOV value from sys/uio.h */ #else #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de" Index: src/mod_expire.c =================================================================== --- src/mod_expire.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/mod_expire.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -85,7 +85,7 @@ /* * parse * - * '(access|modification) [plus] { }*' + * '(access|now|modification) [plus] { }*' * * e.g. 'access 1 years' */ @@ -101,6 +101,9 @@ if (0 == strncmp(ts, "access ", 7)) { type = 0; ts += 7; + } else if (0 == strncmp(ts, "now ", 4)) { + type = 0; + ts += 4; } else if (0 == strncmp(ts, "modification ", 13)) { type = 1; ts += 13; @@ -116,7 +119,7 @@ ts += 5; } - /* the rest is just (years|months|days|hours|minutes|seconds) */ + /* the rest is just (years|months|weeks|days|hours|minutes|seconds) */ while (1) { char *space, *err; int num; @@ -148,6 +151,9 @@ } else if (slen == 6 && 0 == strncmp(ts, "months", slen)) { num *= 60 * 60 * 24 * 30; + } else if (slen == 5 && + 0 == strncmp(ts, "weeks", slen)) { + num *= 60 * 60 * 24 * 7; } else if (slen == 4 && 0 == strncmp(ts, "days", slen)) { num *= 60 * 60 * 24; @@ -174,6 +180,8 @@ num *= 60 * 60 * 24 * 30 * 12; } else if (0 == strcmp(ts, "months")) { num *= 60 * 60 * 24 * 30; + } else if (0 == strcmp(ts, "weeks")) { + num *= 60 * 60 * 24 * 7; } else if (0 == strcmp(ts, "days")) { num *= 60 * 60 * 24; } else if (0 == strcmp(ts, "hours")) { Index: src/network_freebsd_sendfile.c =================================================================== --- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -25,7 +25,7 @@ #ifndef UIO_MAXIOV -# ifdef __FreeBSD__ +# if defined(__FreeBSD__) || defined(__DragonFly__) /* FreeBSD 4.7, 4.9 defined it in sys/uio.h only if _KERNEL is specified */ # define UIO_MAXIOV 1024 # endif Index: src/http_auth.c =================================================================== --- src/http_auth.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/http_auth.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -733,8 +733,9 @@ } } + if (p->conf.auth_ldap_allow_empty_pw != 1 && pw[0] == '\0') + return -1; - /* build filter */ buffer_copy_string_buffer(p->ldap_filter, p->conf.ldap_filter_pre); buffer_append_string_buffer(p->ldap_filter, username); Index: src/http_auth.h =================================================================== --- src/http_auth.h (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/http_auth.h (.../branches/lighttpd-1.4.x) (revision 1718) @@ -36,6 +36,7 @@ buffer *auth_ldap_filter; buffer *auth_ldap_cafile; unsigned short auth_ldap_starttls; + unsigned short auth_ldap_allow_empty_pw; unsigned short auth_debug; Index: src/mod_auth.c =================================================================== --- src/mod_auth.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/mod_auth.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -113,6 +113,7 @@ PATCH(auth_ldap_filter); PATCH(auth_ldap_cafile); PATCH(auth_ldap_starttls); + PATCH(auth_ldap_allow_empty_pw); #ifdef USE_LDAP PATCH(ldap); PATCH(ldap_filter_pre); @@ -160,6 +161,8 @@ PATCH(auth_ldap_cafile); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.starttls"))) { PATCH(auth_ldap_starttls); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"))) { + PATCH(auth_ldap_allow_empty_pw); } } } @@ -312,6 +315,7 @@ { "auth.backend.ldap.starttls", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, { "auth.backend.ldap.bind-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, { "auth.backend.ldap.bind-pw", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 10 */ + { "auth.backend.ldap.allow-empty-pw", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, { "auth.backend.htdigest.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, { "auth.backend.htpasswd.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, { "auth.debug", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 13 */ @@ -359,11 +363,12 @@ cv[6].destination = s->auth_ldap_filter; cv[7].destination = s->auth_ldap_cafile; cv[8].destination = &(s->auth_ldap_starttls); - cv[9].destination = s->auth_ldap_binddn; - cv[10].destination = s->auth_ldap_bindpw; - cv[11].destination = s->auth_htdigest_userfile; - cv[12].destination = s->auth_htpasswd_userfile; - cv[13].destination = &(s->auth_debug); + cv[9].destination = s->auth_ldap_binddn; + cv[10].destination = s->auth_ldap_bindpw; + cv[11].destination = &(s->auth_ldap_allow_empty_pw); + cv[12].destination = s->auth_htdigest_userfile; + cv[13].destination = s->auth_htpasswd_userfile; + cv[14].destination = &(s->auth_debug); p->config_storage[i] = s; ca = ((data_config *)srv->config_context->data[i])->value; Index: src/http-header-glue.c =================================================================== --- src/http-header-glue.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/http-header-glue.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -148,7 +148,7 @@ char dst[INET6_ADDRSTRLEN]; log_error_write(srv, __FILE__, __LINE__, - "SSSS", "NOTICE: getnameinfo failed: ", + "SSS", "NOTICE: getnameinfo failed: ", strerror(errno), ", using ip-address instead"); buffer_append_string(o, @@ -162,7 +162,7 @@ case AF_INET: if (NULL == (he = gethostbyaddr((char *)&our_addr.ipv4.sin_addr, sizeof(struct in_addr), AF_INET))) { log_error_write(srv, __FILE__, __LINE__, - "SdSS", "NOTICE: gethostbyaddr failed: ", + "SdS", "NOTICE: gethostbyaddr failed: ", h_errno, ", using ip-address instead"); buffer_append_string(o, inet_ntoa(our_addr.ipv4.sin_addr)); Index: src/mod_fastcgi.c =================================================================== --- src/mod_fastcgi.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -275,6 +275,7 @@ buffer *key; /* like .php */ int note_is_sent; + int last_used_ndx; fcgi_extension_host **hosts; @@ -563,6 +564,7 @@ fe = calloc(1, sizeof(*fe)); assert(fe); fe->key = buffer_init(); + fe->last_used_ndx = -1; buffer_copy_string_buffer(fe->key, key); /* */ @@ -2365,6 +2367,7 @@ * check how much we have to read */ if (ioctl(hctx->fd, FIONREAD, &toread)) { + if (errno == EAGAIN) return 0; log_error_write(srv, __FILE__, __LINE__, "sd", "unexpected end-of-file (perhaps the fastcgi process died):", fcgi_fd); @@ -2375,12 +2378,23 @@ if (toread > 0) { buffer *b; + chunk *cq_first = hctx->rb->first; + chunk *cq_last = hctx->rb->last; b = chunkqueue_get_append_buffer(hctx->rb); buffer_prepare_copy(b, toread + 1); /* append to read-buffer */ if (-1 == (r = read(hctx->fd, b->ptr, toread))) { + if (errno == EAGAIN) { + /* roll back the last chunk allocation, + and continue on next iteration */ + buffer_free(hctx->rb->last->mem); + free(hctx->rb->last); + hctx->rb->first = cq_first; + hctx->rb->last = cq_last; + return 0; + } log_error_write(srv, __FILE__, __LINE__, "sds", "unexpected end-of-file (perhaps the fastcgi process died):", fcgi_fd, strerror(errno)); @@ -2393,6 +2407,7 @@ b->used = r + 1; /* one extra for the fake \0 */ b->ptr[b->used - 1] = '\0'; } else { + if (errno == EAGAIN) return 0; log_error_write(srv, __FILE__, __LINE__, "ssdsb", "unexpected end-of-file (perhaps the fastcgi process died):", "pid:", proc->pid, @@ -2499,6 +2514,8 @@ } break; case FCGI_STDERR: + if (packet.len == 0) break; + log_error_write(srv, __FILE__, __LINE__, "sb", "FastCGI-stderr:", packet.b); @@ -2979,17 +2996,23 @@ size_t k; int ndx, used = -1; - /* get best server */ - for (k = 0, ndx = -1; k < hctx->ext->used; k++) { - host = hctx->ext->hosts[k]; + /* check if the next server has no load. */ + ndx = hctx->ext->last_used_ndx + 1; + if(ndx >= hctx->ext->used || ndx < 0) ndx = 0; + host = hctx->ext->hosts[ndx]; + if (host->load > 0) { + /* get backend with the least load. */ + for (k = 0, ndx = -1; k < hctx->ext->used; k++) { + host = hctx->ext->hosts[k]; - /* we should have at least one proc that can do something */ - if (host->active_procs == 0) continue; + /* we should have at least one proc that can do something */ + if (host->active_procs == 0) continue; - if (used == -1 || host->load < used) { - used = host->load; + if (used == -1 || host->load < used) { + used = host->load; - ndx = k; + ndx = k; + } } } @@ -3005,6 +3028,7 @@ return HANDLER_FINISHED; } + hctx->ext->last_used_ndx = ndx; host = hctx->ext->hosts[ndx]; /* Index: src/server.c =================================================================== --- src/server.c (.../tags/lighttpd-1.4.13) (revision 1718) +++ src/server.c (.../branches/lighttpd-1.4.x) (revision 1718) @@ -163,6 +163,7 @@ #undef CLEAN for (i = 0; i < FILE_CACHE_MAX; i++) { + srv->mtime_cache[i].mtime = (time_t)-1; srv->mtime_cache[i].str = buffer_init(); } @@ -1231,6 +1232,19 @@ srv_socket->fd = -1; /* network_close() will cleanup after us */ + + if (srv->srvconf.pid_file->used && + srv->srvconf.changeroot->used == 0) { + if (0 != unlink(srv->srvconf.pid_file->ptr)) { + if (errno != EACCES && errno != EPERM) { + log_error_write(srv, __FILE__, __LINE__, "sbds", + "unlink failed for:", + srv->srvconf.pid_file, + errno, + strerror(errno)); + } + } + } } } @@ -1335,7 +1349,8 @@ } if (srv->srvconf.pid_file->used && - srv->srvconf.changeroot->used == 0) { + srv->srvconf.changeroot->used == 0 && + 0 == graceful_shutdown) { if (0 != unlink(srv->srvconf.pid_file->ptr)) { if (errno != EACCES && errno != EPERM) { log_error_write(srv, __FILE__, __LINE__, "sbds", Index: doc/extforward.txt =================================================================== --- doc/extforward.txt (.../tags/lighttpd-1.4.13) (revision 0) +++ doc/extforward.txt (.../branches/lighttpd-1.4.x) (revision 1718) @@ -0,0 +1,96 @@ +============== +mod_extforward +============== + +.. contents:: + +Overview +======== + +Comman Kang sent me: :: + + Hello jan. + + I've made something rough but similar to mod_extract_forwarded for + Apache. This module will extract the client's "real" ip from + X-Forwarded-For header which is added by squid or other proxies. It might be + useful for servers behind reverse proxy servers. + + However, this module is causing segfault with mod_ssl or + $HTTP{''socket"} directive, crashing in config_check_cond while patching + connection , I do not understand architecture of the lighttpd well, does it + need to call patch_connection in either handle_request_done and + connection_reset ? + +Lionel Elie Mamane improved the patch: :: + + I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've + extended it. Here is the result. + + Major changes: + + - IPv6 support + + - Fixed at least one segfault with SERVER['socket'] + + - Arrange things so that a url.access-deny under scope of a + HTTP['remoteip'] condition works well :) + + I've commented the code in some places, mostly where I wasn't sure + what was going on, or I didn't see what the original author meant to + do. + +Options +======= + +extforward.forwarder + Sets trust level of proxy IP's. + + Default: empty + + Example: :: + + extforward.forwarder = ("10.0.0.232" => "trust") + + will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from X-Forwarded-For: HTTP request header. + +Note +======= + +The effect of this module is variable on $HTTP["remotip"] directives and other module's remote ip dependent actions. +Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP. +Things done in between these two moments will match on the real client's IP. +The moment things are done by a module depends on in which hook it does things and within the same hook +on whether they are before/after us in the module loading order +(order in the server.modules directive in the config file). + +Tested behaviours: + + mod_access: Will match on the real client. + + mod_accesslog: + In order to see the "real" ip address in access log , + you'll have to load mod_extforward after mod_accesslog. + like this: :: + + server.modules = ( + ..... + mod_accesslog, + mod_extforward + ) + +Samples +======= + +Trust proxy 10.0.0.232 and 10.0.0.232 :: + + extforward.forwarder = ( + "10.0.0.232" => "trust", + "10.0.0.233" => "trust", + ) + +Trust all proxies (NOT RECOMMENDED!) :: + + extforward.forwarder = ( "all" => "trust") + +Note that "all" has precedence over specific entries, so "all except" setups will not work. Index: doc/Makefile.am =================================================================== --- doc/Makefile.am (.../tags/lighttpd-1.4.13) (revision 1718) +++ doc/Makefile.am (.../branches/lighttpd-1.4.x) (revision 1718) @@ -6,6 +6,7 @@ cgi.txt \ compress.txt \ configuration.txt \ +extforward.txt \ fastcgi-state.txt \ fastcgi.txt \ features.txt \ @@ -43,6 +44,7 @@ cgi.html \ compress.html \ configuration.html \ + extforward.html \ fastcgi-state.html \ fastcgi.html \ features.html \ Index: NEWS =================================================================== --- NEWS (.../tags/lighttpd-1.4.13) (revision 1718) +++ NEWS (.../branches/lighttpd-1.4.x) (revision 1718) @@ -3,6 +3,23 @@ NEWS ==== +- 1.4.14 - ??? + * added mod_extforward module [1665] + * added HTTPS=on to the environment of cgi scripts (#861) + * fix handling of 303 #1045 + * made the configure check for lua more portable [1677] + * fix http 500 errors (colin.stephen/at/o2.com) #1041 + * prevent wrong pidfile unlinking on graceful restart (Chris Webb) [1656] + * ignore empty packets from STDERR stream. #998 + * fix a crash for files with an mtime of 0 reported by cubiq on irc [1519] + * allow empty passwords with ldap (Jörg Sonnenberger) [1516] + * mod_scgi.c segfault fix #964 + * Added round-robin support to mod_fastcgi [1500] + * Handle DragonFlyBSD the same way as Freebsd (Jörg Sonnenberger) [1492] + * added now and weeks support to mod_expire. #943 + * fix cpu hog in certain requests [1473] + * fix for handling hostnames with trailing dot [1406] + - 1.4.13 - 2006-10-09 * added initgroups in spawn-fcgi (#871) @@ -56,7 +73,7 @@ - 1.4.11 - 2006-03-09 * added ability to specify which ip address spawn-fci listens on - (agkr@pobox.com) + (agkr/at/pobox.com) * added mod_flv_streaming to streaming Flash Movies efficiently * fixed handling of error codes returned by mod_dav_svn behing a mod_proxy @@ -68,7 +85,7 @@ * fixed local source retrieval on windows (secunia) * fixed hanging cgi if remote side is dieing while reading - from the pipe (sandy@meebo.com) + from the pipe (sandy/at/meebo.com) - 1.4.10 - 2006-02-08 @@ -84,23 +101,23 @@ - 1.4.9 - 2006-01-14 - * added server.core-files option (sandy ) + * added server.core-files option (sandy ) * added docs for mod_status - * added mod_evasive to limit the number of connections by IP () + * added mod_evasive to limit the number of connections by IP () * added the power-magnet to mod_cml * added internal statistics to mod_fastcgi * added server.statistics-url to get internal statistics from mod_status * added support for conditional range-requests through If-Range * added static building via scons - * fixed 100% cpu loops in mod_cgi ("sandy" ) - * fixed handling for secure-download.timeout (jamis@37signals.com) - * fixed IE bug in content-charset in the output of mod_dirlisting (sniper@php.net) - * fixed typos and language in the docs (ryan-2005@ryandesign.com) - * fixed assertion in mod_cgi on HEAD request is Content-Length () + * fixed 100% cpu loops in mod_cgi ("sandy" ) + * fixed handling for secure-download.timeout (jamis/at/37signals.com) + * fixed IE bug in content-charset in the output of mod_dirlisting (sniper/at/php.net) + * fixed typos and language in the docs (ryan-2005/at/ryandesign.com) + * fixed assertion in mod_cgi on HEAD request is Content-Length () * fixed handling if equal but duplicate If-Modified-Since request headers * fixed endless loops in mod_fastcgi if backend is dead * fixed Depth: 1 handling in PROPFIND requests on empty dirs - * fixed encoding of UTF8 encoded dirlistings (Jani Taskinen ) + * fixed encoding of UTF8 encoded dirlistings (Jani Taskinen ) * fixed initial bind to a unix-domain socket through server.bind * fixed handling of lowercase filesystems * fixed duplicate request headers cause by mod_setenv @@ -108,12 +125,12 @@ - 1.4.8 - 2005-11-23 * added auto-reconnect to ldap-server in mod_auth - (joerg@netbsd.org) + (joerg/at/netbsd.org) * changed auth.ldap-cafile to be optional - (joerg@netbsd.org) + (joerg/at/netbsd.org) * added strip_request_uri in mod_fastcgi * added more X-* headers to mod_proxy - (Ben Grimm ) + (Ben Grimm ) * added 'debug' to simple-vhost to suppress the (mod_simple_vhost.c.157) No such file or directory /servers/ww.lighttpd.net/pages/ messages by default @@ -124,11 +141,11 @@ * fixed encoding the filenames in PROPFIND in mod_webdav * fixed range request handling in network_writev * fixed retry on connect error in mod_fastcgi - (Robert G. Jakabosky ) + (Robert G. Jakabosky ) * fixed possible crash in mod_webdav if sqlite3 support is available but not use * fixed fdvent-handler init if server.max-worker was used - (Siddharth Vijayakrishnan ) + (Siddharth Vijayakrishnan ) * fixed missing cleanup in mysql_vhost * fixed assert() in "connections.c:962: connection_handle_read_state: Assertion 'c->mem->used' failed." @@ -139,7 +156,7 @@ * fixed unsigned/signed comparisions * fixed streaming in mod_cgi * fixed possible overflow in password-salt handling - (reported on slashdot by james-web@and.org) + (reported on slashdot by james-web/at/and.org) * fixed server-traffic-limit if connection limit is not set - 1.4.7 - 2005-11-02 @@ -150,7 +167,7 @@ * added support for %I in mod_accesslog * added better compat to Apache for ?auto in mod_status * added support for userdirs without a entry in /etc/passwd in mod_userdir - (rob@inversepath.com) + (rob/at/inversepath.com) * added startup-time selectable network-backend * added location of upload-files to config as array * added webdav.log-xml for logging xml-content in mod_webdav Property changes on: . ___________________________________________________________________ Name: svk:merge + a98e19e4-a712-0410-8832-6551a15ffc53:/local/branches/lighttpd-1.4.x:1557