Revision tags: lighttpd-1.4.69, lighttpd-1.4.68, lighttpd-1.4.67, lighttpd-1.4.66, lighttpd-1.4.65
c183b887 | 20-Apr-2022 | Glenn Strauss <[email protected]>
[core] delay response to http auth invalid creds
server.feature-flags += ("auth.delay-invalid-creds" => "enable")
The default is enabled. This feature delays a response to bad http auth (invalid username or password) to the next second, so up to 1 sec delay. Delaying the response greatly reduces the efficiency of brute force password attacks, limiting tries to one-per-second per connection. Limiting the number of client connections allowed by lighttpd with server.max-connections sets an upper bound on password tries per second, but also makes it easier for an attacker to DoS (denial of service) the server. Therefore, while this mitigation is enabled by default, it can be disabled with server.feature-flags += ("auth.delay-invalid-creds" => "disable")
Revision tags: lighttpd-1.4.64
3909e27f | 10-Dec-2021 | Glenn Strauss <[email protected]>
[core] http_response_send_file() takes const path
Revision tags: lighttpd-1.4.63, lighttpd-1.4.62, lighttpd-1.4.61
1acf9db7 | 21-Oct-2021 | Glenn Strauss <[email protected]>
[mod_ajp13,mod_fastcgi] check resp w/ content len
limit response body from mod_ajp13 and mod_fastcgi to Content-Length, if Content-Length is provided in response headers; discard excess
Revision tags: lighttpd-1.4.60
6e45cff0 | 25-Sep-2021 | Glenn Strauss <[email protected]>
[core] disable streaming response with authorizer (fixes #3106)
disable streaming response while processing "authorizer" mode until "authorizer" response 200 OK from the backend is complete
(thx jefftharris)
x-ref:
  "FastCGI authorizer hang with server.stream-response-body"
  https://redmine.lighttpd.net/boards/2/topics/9969
  "FastCGI authorizer hang with server.stream-response-body"
  https://redmine.lighttpd.net/issues/3106
f19f7162 | 17-Sep-2021 | Glenn Strauss <[email protected]>
[multiple] internal control for backend read bytes
separate internal control for backend max_per_read
When not streaming, large reads will be flushed to temp files on disk. When streaming, use a smaller buffer to help reduce memory usage.
When not streaming, attempt to read and empty kernel socket bufs. (e.g. MAX_READ_LIMIT 256k)
When writing to sockets (or pipes) attempt to fill kernel socket bufs. (e.g. MAX_WRITE_LIMIT 256k)
39a57798 | 24-Jul-2021 | Glenn Strauss <[email protected]>
[core] improve handling of suboptimal backend wr
more efficiently handle reading of suboptimal backend write behavior
check to accumulate small reads in mem before flushing to temp file
309c1693 | 12-Jul-2021 | Glenn Strauss <[email protected]>
[multiple] Y2038 32-bit signed time_t mitigations
Most OS platforms have already provided solutions to Y2038 32-bit signed time_t 5 - 10 years ago (or more!) Notable exceptions are Linux i686 and FreeBSD i386.
Since 32-bit systems tend to be embedded systems, and since many distros take years to pick up new software, this commit aims to provide Y2038 mitigations for lighttpd running on 32-bit systems with Y2038-unsafe 32-bit signed time_t
* Y2038: lighttpd 1.4.60 and later report Y2038 safety
    $ lighttpd -V
    + Y2038 support                                    # Y2038-SAFE
    $ lighttpd -V
    - Y2038 support (unsafe 32-bit signed time_t)      # Y2038-UNSAFE

* Y2038: general platform info
  * Y2038-SAFE: lighttpd 64-bit builds on platforms using 64-bit time_t
    - all major 64-bit platforms (known to this author) use 64-bit time_t
  * Y2038-SAFE: lighttpd 32-bit builds on platforms using 64-bit time_t
    - Linux x32 ABI (different from i686)
    - FreeBSD all 32-bit and 64-bit architectures *except* 32-bit i386
    - NetBSD 6.0 (released Oct 2012) all 32-bit and 64-bit architectures
    - OpenBSD 5.5 (released May 2014) all 32-bit and 64-bit architectures
    - Microsoft Windows XP and Visual Studio 2005 (? unsure ?)
      Another reference suggests Visual Studio 2015 defaults to 64-bit time_t
    - MacOS 10.15 Catalina (released 2019) drops support for 32-bit apps
  * Y2038-SAFE: lighttpd 32-bit builds on platforms using 32-bit unsigned time_t
    - e.g. OpenVMS (unknown if lighttpd builds on this platform)
  * Y2038-UNSAFE: lighttpd 32-bit builds on platforms using 32-bit signed time_t
    - Linux 32-bit (including i686)
      - glibc 32-bit library support not yet available for 64-bit time_t
        - https://sourceware.org/glibc/wiki/Y2038ProofnessDesign
      - Linux kernel 5.6 on 32-bit platforms does support 64-bit time_t
        https://itsubuntu.com/linux-kernel-5-6-to-fix-the-year-2038-issue-unix-y2k/
      - https://www.gnu.org/software/libc/manual/html_node/64_002dbit-time-symbol-handling.html
        "Note: at this point, 64-bit time support in dual-time configurations is work-in-progress, so for these configurations, the public API only makes the 32-bit time support available. In a later change, the public API will allow user code to choose the time size for a given compilation unit."
      - compiling with -D_TIME_BITS=64 currently has no effect
      - glibc recent (Jul 2021) mailing list discussion
        - https://public-inbox.org/bug-gnulib/[email protected]/T/
    - FreeBSD i386
    - DragonFlyBSD 32-bit

* Y2038 mitigations attempted on Y2038-UNSAFE platforms (32-bit signed time_t)
  * lighttpd prefers system monotonic clock instead of realtime clock in places where realtime clock is not required
  * lighttpd treats negative time_t values as after 19 Jan 2038 03:14:07 GMT
    * (lighttpd presumes that lighttpd will not encounter dates before 1970 during normal operation.)
  * lighttpd casts struct stat st.st_mtime (and st.st_*time) through uint64_t to convert negative timestamps for comparisons with 64-bit timestamps (treating negative timestamp values as after 19 Jan 2038 03:14:07 GMT)
  * lighttpd provides unix_time64_t (int64_t) and
  * lighttpd provides struct unix_timespec64 (unix_timespec64_t) (struct timespec equivalent using unix_time64_t tv_sec member)
  * lighttpd provides gmtime64_r() and localtime64_r() wrappers for 32-bit platforms using 32-bit time_t, and lighttpd temporarily shifts the year in order to use gmtime_r() and localtime_r() (or gmtime() and localtime()) from standard libraries, before readjusting year and passing struct tm to formatting functions such as strftime()
  * lighttpd provides TIME64_CAST() macro to cast signed 32-bit time_t to unsigned 32-bit and then to unix_time64_t

* Note: while lighttpd tries to handle times past 19 Jan 2038 03:14:07 GMT on 32-bit platforms using 32-bit signed time_t, underlying libraries and underlying filesystems might not behave properly after 32-bit signed time_t overflows (19 Jan 2038 03:14:08 GMT). If a given 32-bit OS does not work properly using negative time_t values, then lighttpd likely will not work properly on that system.

* Other references and blogs
  - https://en.wikipedia.org/wiki/Year_2038_problem
  - https://en.wikipedia.org/wiki/Time_formatting_and_storage_bugs
  - http://www.lieberbiber.de/2017/03/14/a-look-at-the-year-20362038-problems-and-time-proofness-in-various-systems/
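The TIME64_CAST() and gmtime64_r() techniques described in the commit message above, as an added illustration in C that is not lighttpd's own code: it emulates a 32-bit signed time_t, shows why sign-extending a wrapped st_mtime breaks a comparison against a 64-bit timestamp, and reimplements the year-shift wrapper on top of standard gmtime(). Function and type names mirror the commit message; the 28-year shift constant and the ymdhms() helper are assumptions of this example.

```c
#include <stdint.h>
#include <time.h>

/* Emulated 32-bit signed time_t (the Y2038-UNSAFE case, e.g. Linux i686). */
typedef int32_t time32_t;
typedef int64_t unix_time64_t;

/* Reinterpret the signed 32-bit value as unsigned before widening, so a
 * timestamp that wrapped negative after 19 Jan 2038 03:14:07 GMT lands in
 * [2^31, 2^32) instead of before 1970; sign extension would keep it negative. */
#define TIME64_CAST(t) ((unix_time64_t)(uint32_t)(t))
/* What a 32-bit signed time_t holds one second after the rollover. */
static time32_t wrapped_after_2038(void) { return INT32_MIN; }
/* Plain sign-extending widening, kept for contrast with TIME64_CAST(). */
static unix_time64_t widen_naive(time32_t t) { return (unix_time64_t)t; }

/* Is a (possibly wrapped) 32-bit st_mtime not older than a 64-bit reference
 * time, e.g. a parsed If-Modified-Since value?  Compare in 64-bit space. */
static int mtime_not_before(time32_t st_mtime, unix_time64_t ref)
{
    return TIME64_CAST(st_mtime) >= ref;
}

/* Break a 64-bit timestamp down with the C library's gmtime() even when the
 * library only takes a 32-bit time_t: shift back in 28-year steps (28*365 days
 * + 7 leap days keep the calendar date and weekday identical while both the
 * real and the shifted year lie in 1901-2099), then restore tm_year. */
#define SECS_PER_28_YEARS ((unix_time64_t)(28 * 365 + 7) * 86400)
static struct tm *gmtime64_r(unix_time64_t t, struct tm *out)
{
    int shift = 0;
    while (t > INT32_MAX) { t -= SECS_PER_28_YEARS; shift += 28; }
    time_t t32 = (time_t)t;            /* now fits even a 32-bit time_t */
    struct tm *p = gmtime(&t32);
    if (p == NULL) return NULL;
    *out = *p;
    out->tm_year += shift;
    return out;
}

/* Pack the broken-down UTC time as YYYYMMDDhhmmss for easy checking. */
static long long ymdhms(unix_time64_t t)
{
    struct tm tm;
    if (gmtime64_r(t, &tm) == NULL) return -1;
    return ((long long)(tm.tm_year + 1900) * 10000 + (tm.tm_mon + 1) * 100
            + tm.tm_mday) * 1000000LL + tm.tm_hour * 10000 + tm.tm_min * 100
            + tm.tm_sec;
}
```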
9a5e1652 | 04-May-2021 | Glenn Strauss <[email protected]>
[multiple] static file optimization; reuse cache
reuse cache lookup in common case of serving a static file rather than repeating the stat_cache_entry lookup (which is more work than memcmp() to re-check stat_cache_entry match)
13ea2d88 | 28-Apr-2021 | Glenn Strauss <[email protected]>
[core] consistent inclusion of sys-time.h
c95f832f | 05-Mar-2021 | Glenn Strauss <[email protected]>
[core] http_cgi.[ch] CGI interfaces (RFC 3875)
collect Common Gateway Interface (CGI) interfaces (RFC 3875)
Revision tags: lighttpd-1.4.59
db73879b | 24-Jan-2021 | Glenn Strauss <[email protected]>
[mod_ajp13] AJPv13 Tomcat connector for lighttpd
(experimental)
AJPv13 protocol reference: https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
Revision tags: lighttpd-1.4.58, lighttpd-1.4.57, lighttpd-1.4.56
122094e3 | 22-Nov-2020 | Glenn Strauss <[email protected]>
[multiple] employ http_date.h, sys-time.h
- replace use of strptime() w/ implementation specialized for HTTP dates
- use thread-safe gmtime_r(), localtime_r() (replace localtime, gmtime)
47aa6d4a | 10-Nov-2020 | Glenn Strauss <[email protected]>
[core] http_response_buffer_append_authority()
make public func for benefit of external, third-party mod_authn_tkt
Revision tags: lighttpd-1.4.56-rc7, lighttpd-1.4.56-rc6, lighttpd-1.4.56-rc5, lighttpd-1.4.56-rc4, lighttpd-1.4.56-rc3, lighttpd-1.4.56-rc2, lighttpd-1.4.56-rc1
869c778a | 17-Sep-2020 | Glenn Strauss <[email protected]>
[core] relay 1xx from backend over HTTP/2
relay 1xx from backend over HTTP/2, e.g. 103 Early Hints (if client is connected using HTTP/2)
enabled by default unless disabled in lighttpd.conf with:
  server.feature-flags += ( "server.h2-discard-backend-1xx" = "enable" )
Warning: backends which send 103 Early Hints should check User-Agent before doing so since naive clients might not handle unexpected 1xx. Some clients may take the 1xx response as the final response, expecting only one response. Some clients might not properly handle 100 Continue if the client did not send Expect: 100-continue with the request.
https://tools.ietf.org/html/rfc8297#section-3 Security Considerations
x-ref: An HTTP Status Code for Indicating Hints (103 Early Hints) https://tools.ietf.org/html/rfc8297
ada09a23 | 25-Aug-2020 | Glenn Strauss <[email protected]>
[core] h2_send_headers() specialized for resp hdrs
specialized version of http_response_write_header(); send headers directly to HPACK encoder, rather than double-buffering in chunkqueue
2c8f1b46 | 13-Aug-2020 | Glenn Strauss <[email protected]>
[core] isolate more resp code in response.c
http_response_handler() and response generation flow control logic
2f2eec18 | 11-Aug-2020 | Glenn Strauss <[email protected]>
[multiple] isolate more con code in connections.c
move code from connections-glue.c back into connections.c
move code from connections-glue.c to http-header-glue.c
rename connection_response_reset() to http_response_reset()
rename connection_handle_read_post_error() to http_response_reqbody_read_error()
Revision tags: lighttpd-1.4.55
3f4f9344 | 21-Jan-2020 | Glenn Strauss <[email protected]>
[core] http_response_comeback()
group HANDLER_COMEBACK logic in http_response_comeback() and call it from places that reset state in order to (sometimes partially) reprocess a request. This includes error handler (server.error-handler), r->handler_module when cgi.local-redir, and looping in http_response_prepare() when modules make changes to the request and return HANDLER_COMEBACK (e.g. mod_rewrite, mod_magnet, mod_cml)
Also, set r->conditional_is_valid closer to where elements are set (and become valid for use in condition checks), and parse target in http_request_parse() instead of http_response_prepare()
7c7f8c46 | 13-Jan-2020 | Glenn Strauss <[email protected]>
[multiple] split con, request (very large change)
NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)
NB: request read and write chunkqueues currently point to connection chunkqueues; per-request and per-connection chunkqueues are not distinct from one another
  con->read_queue == r->read_queue
  con->write_queue == r->write_queue
NB: in the future, a separate connection config may be needed for connection-level module hooks. Similarly, might need to have per-request chunkqueues separate from per-connection chunkqueues. Should probably also have a request_reset() which is distinct from connection_reset().
27e27e5e | 10-Dec-2019 | Glenn Strauss <[email protected]>
[core] static buffers for mtime_cache
50bdb55d | 26-Nov-2019 | Glenn Strauss <[email protected]>
[multiple] connection hooks no longer get (srv *)
(explicit (server *) not passed; available in con->srv)
010c2894 | 25-Nov-2019 | Glenn Strauss <[email protected]>
[multiple] prefer (connection *) to (srv *)
convert all log_error_write() to log_error() and pass (log_error_st *)
use con->errh in preference to srv->errh (even though currently same)
avoid passing (server *) when previously used only for logging (errh)
24951771 | 19-Nov-2019 | Glenn Strauss <[email protected]>
[core] gw_backend config_plugin_values_init_block
switch gw_backend.c to use config_plugin_values_init_block()
858352f6 | 07-Nov-2019 | Glenn Strauss <[email protected]>
[core] add xsendfile* check if xdocroot is NULL
d7a6a7a2 | 23-Oct-2019 | Glenn Strauss <[email protected]>
[core] (const buffer *) from strftime_cache_get()