1.4.65

June 07, 2022

Important changes

WebSockets over HTTP/2, bugfixes

Highlights

  • WebSockets over HTTP/2
    RFC 8441 Bootstrapping WebSockets with HTTP/2
  • HTTP/2 PRIORITY_UPDATE
    RFC 9218 Extensible Prioritization Scheme for HTTP
  • prefix/suffix conditions in lighttpd.conf
  • mod_webdav safe partial-PUT
    webdav.opts += ("partial-put-copy-modify" => "enable")
  • mod_accesslog option: accesslog.escaping = "json"
  • mod_deflate libdeflate build option
  • speed up request body uploads via HTTP/2

Behavior Changes

  • change default server.max-keep-alive-requests = 1000 to adjust to increasing HTTP/2 usage and to web2/web3 application usage (prior default was 100)
  • mod_status HTML now includes HTTP/2 control stream id 0 in the output which contains aggregate counts for the HTTP/2 connection
    (These lines can be identified with URL ‘*’, part of “PRI *” preface)
    alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
  • MIME type application/javascript is translated to text/javascript (RFC 9239)

Future Scheduled Behavior Changes

  • TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using ssl.openssl.ssl-conf-cmd, as long as the ciphers are supported by the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
    • new defaults:
      • "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
      • "Options" => "-ServerPreference"
    • old defaults:
      • "CipherString" => "HIGH"
      • "Options" => "ServerPreference"
  • Deprecated TLS options will be removed.
    • ssl.honor-cipher-order
    • ssl.dh-file
    • ssl.ec-curve
    • ssl.disable-client-renegotiation
    • ssl.use-sslv2
    • ssl.use-sslv3
    See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.
  • Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.
    Please post on lighttpd forums to share feedback if you use these modules.
    Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
  • Deprecated: mod_evasive will be removed.
    mod_evasive can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
    https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
    https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
  • Deprecated: mod_secdownload will be removed.
    mod_secdownload can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
    mod_secdownload historically uses insecure MD5, though SHA1 and SHA256 are available.
  • Deprecated: mod_uploadprogress will be removed.
    mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
  • Deprecated: mod_usertrack will be removed.
    mod_usertrack can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
    mod_usertrack historically uses insecure MD5.

Changes from 1.4.64

  • [build] meson: fix typo in variable name
  • [build] autoconf: report if building with zstd
  • [build] meson -Dlua_version=… to specify lua ver
  • [core] avoid CCRandomGenerateBytes on MacOS <10.12 (fixes #3140)
  • [core] use diff var name w/ CCRandomGenerateBytes (fixes #3141)
  • [core] parse conf cmds with SHELL or /bin/sh
  • [core] fix HMAC with openssl 3.0
  • [mod_webdav] no COPYFILE_CLONE_FORCE on OSX <10.12 (fixes #3142)
  • [mod_deflate] fix to return 304 with If-None-Match (fixes #3143)
  • [core] Illumos epoll incompatible w/ lighttpd impl
  • [core] feature flag to allow Range w/ HTTP/1.0
  • [mod_mbedtls] set usekeysize for mbedtls 3.2.0+
  • [mod_deflate] collect mmap code
  • [mod_deflate] prototype using libdeflate w/ mmap
  • [mod_deflate] --with-libdeflate to use libdeflate
  • [mod_deflate] mark input bytes const
  • [core] sys-setjmp.[ch]
  • [mod_magnet] check lighty.result.content b4 setjmp
  • [core] include guard consistency in sys-time.h
  • [core] network_write_file_chunk_remap separate fn
  • [multiple] use new sys_setjmp_eval3() interface
  • [multiple] pedantic chunk.c checks for 0-len chunk
  • [multiple] shared code for struct chunk and mmap
  • [mod_deflate] use pread if available
  • [mod_deflate] improve loop compressing file chunk
  • [core] prep server_tag at startup for h2 resp hdr
  • [mod_magnet] defer req_env init unless needed
  • [mod_magnet] reset after error attaching content
  • [mod_magnet] lua_tointegerx() avoids raising error
  • [mod_mbedtls] use newer mbedtls 3.2.0+ interfaces
  • [mod_magnet] adjust hot path for more inlining
  • [mod_magnet] collect chk for magnet lua_State init
  • [mod_magnet] use type returned from lua_getfield()
  • [core] chunk_file_pread() to wrap pread()
  • [core] disable keep-alive if forcing HTTP/1.0 resp
  • [mod_magnet] use lua_getextraspace() to store r
  • [core] fall back to getauxval(AT_RANDOM), if avail
  • [mod_magnet] keep message handler on stack
  • [doc] update external links
  • [mod_magnet] pass lighty table index, defer pops
  • [mod_magnet] clear and reuse script-env table
  • [mod_magnet] clear stack when reloading script
  • [mod_magnet] use lua_isnoneornil() in interfaces
  • [mod_magnet] fix lighty.c.cookie_tokens()
  • [mod_magnet] fix lighty.c.urldec_query()
  • [mod_magnet] remove duplicated NULL checks
  • [mod_magnet] adjust magnet_lighty_result_get()
  • [mod_magnet] magnet_tmpbuf_acquire(),release()
  • [mod_magnet] lighty.c.quotedenc(),dec() funcs
  • [mod_magnet] fix header,content legacy table clear
  • [mod_cgi] cgi.local-redir request_reset thru fnptr
  • [core] isolate plugins_*() funcs to main server
  • [mod_wolfssl] wolfssl v5.0.0 defines DH_set0_pqg()
  • [mod_auth] save letter-case diff in require config
  • [mod_magnet] magnet_push_quoted_string shared code
  • [mod_magnet] lighty.c.header_tokens convenience fn
  • [core] fill in un.sun_path after accept() (fixes #3147)
  • [mod_extforward] adjust trust check for HTTP/2
  • [mod_proxy] adjust handling of legacy X-* headers
  • [core] permit env w/ blank value (fix regression)
  • [TLS] consistent debug.log-ssl-noise config type
  • [mod_magnet] allow removal of req_env elt via nil
  • [core] compiler workarounds for very old gcc,glibc
  • [mod_mbedtls] use newer mbedtls 3.2.0+ interfaces
  • [mod_ssi] check http_chunk_transfer_cqlen for err
  • [core] chunkqueue_steal() handle unexpected 0 len
  • [core] discard DATA from REFUSED_STREAM at h2 init
  • [multiple] WebSockets over HTTP/2 (fixes #3151)
  • [multiple] immed connect to backend for streaming
  • [core] ensure socket ready before checking connect
  • [core] reduce trace on Upgrade backend connection
  • [core] adjust when TCP_CORK used on TLS connection
  • [mod_cgi] disable input optim if might Upgrade
  • [mod_cgi] immed start CGI if Upgrade
  • [mod_wolfssl] wolfssl v5.0.0 adds ASN1_TIME_diff()
  • [mod_openssl] libressl v3.5.0 adds ASN1_TIME_diff
  • [TLS] warn if leaf cert read is inactive/expired
  • [core] stricter conformance w/ upcoming HTTP/2 rev
  • [build] -D_DEFAULT_SOURCE consistency in builds
  • [mod_extforward] support addtl IPv6 syntax w/ “[]”
  • [core] build fix for cygwin and lmingw
  • [core] short-circuit earlier parsing h2 trailers
  • [core] reformat h2.h for cleaner enum additions
  • [core] consolidate trace for log-state-handling
  • [core] request_config bitmasks for smaller struct
  • [core] prefix (=^), suffix (=$) config conditions (fixes #3153)
  • [core] tighten config parsing loop
  • [core] convert simple config cond regex to pre/sfx
  • [tests] able to run tests when built w/o pcre
  • [core] allow redirect,rewrite ext subst w/o pcre
  • [mod_sockproxy] reset http vers, avoid rare crash (fixes #3152)
  • [core] HTTP/2 PRIORITY_UPDATE frame (experimental)
  • [core] send HTTP/2 SETTINGS_NO_RFC7540_PRIORITIES
  • [core] stricter check of HTTP/2 GOAWAY frame size
  • [mod_mbedtls] use newer mbedtls 3.2.0+ interfaces
  • [mod_webdav] opt for partial PUT via copy/rename
  • [core] quiet compiler warning
  • [multiple] recognize HTTP QUERY method
  • [multiple] limit scope of socket config options
  • [core] fix config typo reading large int from str
  • [core] h2 prio sort urgency, incr, then stream id
  • [core] send Priority resp hdr w/ .css, .js re-prio
  • [multiple] reset http vers, avoid rare crash (fixes #3152)
  • [core] delay response to http auth invalid creds
  • [core] connection_state_machine_h2 only if con->h2
  • [core] default server.max-keep-alive-requests 1000
  • [mod_magnet] set script env in func first upvalue
  • [mod_magnet] rewrite lighty.r as table of userdata
  • [mod_status] con->h2 instead of r->http_version
  • [mod_setenv] cleanup user-provided hdr sloppiness
  • [core] remove func decls duplicated in plugin.h
  • [mod_status] fix counting of HTTP/2 bytes written
  • [mod_magnet] no local server port on unix domain
  • [mod_extforward] unix domain socket pedantic chks
  • [core] sketch support for abstract sockets
  • [mod_magnet] magnet_plugin_stats_table() fn
  • [mod_magnet] magnet_script_setup_global_state() fn
  • [mod_magnet] lighty.server.* table w/ new function
  • [mod_accesslog] do not double-count hdr len in %I
  • [mod_magnet] reduce magnet_env_get_id() scanning
  • [mod_magnet] tighten magnet_env_get_buffer_by_id()
  • [mod_status] reusable code for r->state strings
  • [core] reusable code for r->state strings
  • [mod_magnet] expose r->state to lua scripts
  • [mod_magnet] tighten magnet_env_set()
  • [mod_magnet] lighty.r.req_item[] accessors
  • [mod_magnet] expose r->keep_alive to lua scripts
  • [mod_magnet] lighty.c.hrtime high-resolution time
  • [mod_magnet] lighty.r.resp_body.get
  • [mod_magnet] deprecate r.req_attr["response.*]
  • [mod_magnet] separate funcs for uri_path_raw
  • [mod_magnet] lighty.c.stat high precision time
  • [mod_magnet] format multiline err traceback
  • [mod_magnet] adjust p->conf.stage checks
  • [mod_magnet] further isolate legacy API result tbl
  • [core] buffer_append_char() convenience func
  • [mod_accesslog] accesslog.escaping = "json"
  • [multiple] use buffer_append_char()
  • [mod_accesslog] remove begin/end tags from %{}t
  • [core] fix configparser_simplify_regex() comment
  • [multiple] simplify bytes_in/bytes_out accounting
  • [mod_accesslog] reorder fields in switch()
  • [core] remove unused srv->con_* counters
  • [mod_magnet] read-only access to r->server_name
  • [core] buffer_append_bs_escaped()
  • [core] buffer_append_string_c_escaped ASCII optim
  • [mod_magnet] backspace-escape encode/decode
  • [mod_status] display HTTP/2 control stream w/ reqs
  • [multiple] use preferred syntax for Content-Type
  • [doc] regenerate doc/config/conf.d/mime.conf
  • [multiple] rename status_counter -> plugin_stats
  • [core] feature-flag server.metrics-high-precision
  • [mod_magnet] quiet coverity false positive
  • [mod_wolfssl] compile fix for OpenWRT
  • [mod_webdav] If-None-Match: * on non-existent
  • [mod_magnet] r.req_body .collect .get .set .add
  • [mod_cgi] fix detection of failing error handler (fixes #3157)
  • [core] "url-invalid-utf8-reject" normalization opt
  • [mod_magnet] skip req body collect warn if modsec3
  • [build] update descriptions to remove old lua ver
  • [core] use current dir if context->basedir blank
  • [multiple] application/javascript text/javascript
  • [core] reset internal flags after graceful restart
  • [TLS] inherit ssl.engine from global scope
  • [core] avoid server.use-ipv6 warning after SIGUSR1
  • [mod_webdav] alt handling PROPFIND on collection
  • [mod_mbedtls] fix crt chain construction logic
  • [core] h2 SETTINGS_INITIAL_WINDOW_SIZE 64k (fixes #3089)
  • [core] increase session window size to 256k
  • [core] h2: avoid sending small WINDOW_UPDATE frames
  • [core] h2: avoid sending tiny DATA frames
  • [core] update cached tables with Priority header
  • [tests] test stubs for http_header.c and http_kv.c