upg lighttpd nginx
This commit is contained in:
parent
9e1bc78851
commit
f0cb12aa03
|
@ -6,7 +6,7 @@
|
|||
#-----------------------------------------| DESCRIPTION |---------------------------------------
|
||||
|
||||
pkgname=lighttpd
|
||||
pkgver=1.4.71
|
||||
pkgver=1.4.72
|
||||
pkgrel=01
|
||||
pkgdesc='A secure, fast, compliant and very flexible web-server w/o systemd'
|
||||
url="https://www.lighttpd.net/"
|
||||
|
@ -76,10 +76,10 @@ validpgpkeys=('C7CA1E9E29DC77F5480894B2E0E7D0171E95BAD7'
|
|||
'649D0DD767FF206202A76C5158F14A786FE198C8'
|
||||
'EAAF41A8BE3BB8D001CACD136DE62CA242909B84')
|
||||
|
||||
sha256sums=(b8b6915da20396fdc354df3324d5e440169b2e5ea7859e3a775213841325afac # lighttpd-1.4.71.tar.xz
|
||||
686a78f6f1ec7fc759d4864c9ca1e41addd96645047f8b6b9f5f7cf9405e45f7 # lighttpd-1.4.71.tar.xz.asc
|
||||
sha256sums=(f7cade4d69b754a0748c01463c33cd8b456ca9cc03bb09e85a71bcbcd54e55ec # lighttpd-1.4.72.tar.xz
|
||||
a4bba500e8665ffad599e0362627efff5791122772af42b85e4903fc349356aa # lighttpd-1.4.72.tar.xz.asc
|
||||
41f6c0042bb61021553779f861910e335834f6c15e4411756cdc6233b31076fe # lighttpd.logrotate.d
|
||||
fece4581bebf39768571962dedce176b2b5f487c0abb5c1cfb35395de216c01f # lighttpd.conf
|
||||
d8a185145a7c08b4fd8c8e6c12dae3e176389dd9b1c66e239757b2ba5108c871) # lighttpd.tmpfiles
|
||||
|
||||
## 6bf02943b314c63eb41a30fa1f6eb152e963e03193e7ebeb536338129a05cbf7 lighttpd-1.4.71-01-x86_64.pkg.tar.lz
|
||||
## c60fe1e24295ccf7a35764df281899dfde0f8f27fd52dd4e88e12bd6cbddbc14 lighttpd-1.4.72-01-x86_64.pkg.tar.lz
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Maintainer: Pierre Schmitz <pierre@archlinux.de>
|
||||
|
||||
pkgname=lighttpd
|
||||
pkgver=1.4.71
|
||||
pkgver=1.4.72
|
||||
pkgrel=1
|
||||
pkgdesc='A secure, fast, compliant and very flexible web-server'
|
||||
license=('custom')
|
||||
|
@ -17,7 +17,7 @@ backup=('etc/lighttpd/lighttpd.conf' 'etc/logrotate.d/lighttpd')
|
|||
options=('emptydirs')
|
||||
source=("https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${pkgver}.tar.xz"{,.asc}
|
||||
'lighttpd.logrotate.d' 'lighttpd.conf' 'lighttpd.tmpfiles' 'lighttpd.service')
|
||||
sha256sums=('b8b6915da20396fdc354df3324d5e440169b2e5ea7859e3a775213841325afac'
|
||||
sha256sums=('f7cade4d69b754a0748c01463c33cd8b456ca9cc03bb09e85a71bcbcd54e55ec'
|
||||
'SKIP'
|
||||
'41f6c0042bb61021553779f861910e335834f6c15e4411756cdc6233b31076fe'
|
||||
'fece4581bebf39768571962dedce176b2b5f487c0abb5c1cfb35395de216c01f'
|
||||
|
|
|
@ -0,0 +1,71 @@
|
|||
|
||||
# HG changeset patch
|
||||
# User Maxim Dounin <mdounin@mdounin.ru>
|
||||
# Date 1696940019 -10800
|
||||
# Node ID cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
|
||||
# Parent 3db945fda515014d220151046d02f3960bcfca0a
|
||||
HTTP/2: per-iteration stream handling limit.
|
||||
|
||||
To ensure that attempts to flood servers with many streams are detected
|
||||
early, a limit of no more than 2 * max_concurrent_streams new streams per one
|
||||
event loop iteration was introduced. This limit is applied even if
|
||||
max_concurrent_streams is not yet reached - for example, if corresponding
|
||||
streams are handled synchronously or reset.
|
||||
|
||||
Further, refused streams are now limited to maximum of max_concurrent_streams
|
||||
and 100, similarly to priority_limit initial value, providing some tolerance
|
||||
to clients trying to open several streams at the connection start, yet
|
||||
low tolerance to flooding attempts.
|
||||
|
||||
diff -r 3db945fda515 -r cdda286c0f1b src/http/v2/ngx_http_v2.c
|
||||
--- a/src/http/v2/ngx_http_v2.c Fri Sep 22 19:23:57 2023 +0400
|
||||
+++ b/src/http/v2/ngx_http_v2.c Tue Oct 10 15:13:39 2023 +0300
|
||||
@@ -347,6 +347,7 @@
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
|
||||
|
||||
h2c->blocked = 1;
|
||||
+ h2c->new_streams = 0;
|
||||
|
||||
if (c->close) {
|
||||
c->close = 0;
|
||||
@@ -1284,6 +1285,14 @@
|
||||
goto rst_stream;
|
||||
}
|
||||
|
||||
+ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
|
||||
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
||||
+ "client sent too many streams at once");
|
||||
+
|
||||
+ status = NGX_HTTP_V2_REFUSED_STREAM;
|
||||
+ goto rst_stream;
|
||||
+ }
|
||||
+
|
||||
if (!h2c->settings_ack
|
||||
&& !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
|
||||
&& h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
|
||||
@@ -1349,6 +1358,12 @@
|
||||
|
||||
rst_stream:
|
||||
|
||||
+ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
|
||||
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
||||
+ "client sent too many refused streams");
|
||||
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
|
||||
+ }
|
||||
+
|
||||
if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
|
||||
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
|
||||
}
|
||||
diff -r 3db945fda515 -r cdda286c0f1b src/http/v2/ngx_http_v2.h
|
||||
--- a/src/http/v2/ngx_http_v2.h Fri Sep 22 19:23:57 2023 +0400
|
||||
+++ b/src/http/v2/ngx_http_v2.h Tue Oct 10 15:13:39 2023 +0300
|
||||
@@ -131,6 +131,8 @@
|
||||
ngx_uint_t processing;
|
||||
ngx_uint_t frames;
|
||||
ngx_uint_t idle;
|
||||
+ ngx_uint_t new_streams;
|
||||
+ ngx_uint_t refused_streams;
|
||||
ngx_uint_t priority_limit;
|
||||
|
||||
size_t send_window;
|
||||
|
|
@ -7,7 +7,7 @@
|
|||
|
||||
pkgname=nginx
|
||||
pkgver=1.24.0
|
||||
pkgrel=02
|
||||
pkgrel=03
|
||||
# update tests revision too
|
||||
pkgdesc="Lightweight HTTP server and IMAP/POP3 proxy server w/o systemd or ipv6"
|
||||
provides=("nginx=${pkgver}")
|
||||
|
@ -26,10 +26,12 @@ backup=(etc/nginx/fastcgi.conf
|
|||
etc/nginx/uwsgi_params
|
||||
etc/nginx/win-utf
|
||||
etc/logrotate.d/nginx)
|
||||
install=nginx.install
|
||||
#install=nginx.install
|
||||
source=($url/download/${pkgname}-${pkgver}.tar.gz{,.asc}
|
||||
hg+https://hg.nginx.org/nginx-tests#revision=24482e311749
|
||||
logrotate)
|
||||
hg+https://hg.nginx.org/nginx-tests#revision=24482e311749
|
||||
logrotate
|
||||
# https://hg.nginx.org/nginx/rev/cdda286c0f1b CVE-2023-44487
|
||||
HTTP2_per-iteration-stream-handling-limit.patch::https://hg.nginx.org/nginx/raw-rev/cdda286c0f1b)
|
||||
|
||||
_common_flags=(
|
||||
--with-compat
|
||||
|
@ -69,6 +71,8 @@ _stable_flags=(
|
|||
|
||||
prepare() {
|
||||
cp -r $pkgbase-$pkgver{,-src}
|
||||
cd $pkgbase-$pkgver
|
||||
patch -Np1 -i "$srcdir/HTTP2_per-iteration-stream-handling-limit.patch"
|
||||
}
|
||||
|
||||
build() {
|
||||
|
@ -155,6 +159,8 @@ validpgpkeys=(B0F4253373F8F6F510D42178520A9993A1C052F8 # Maxim Dounin <mdounin@m
|
|||
sha256sums=(77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d # nginx-1.24.0.tar.gz
|
||||
91ed170a5e8745fcd32eb60aefa6d60dfd572ac3e4c9bdbfc4bedd78c24f213c # nginx-1.24.0.tar.gz.asc
|
||||
SKIP # nginx tests (directory)
|
||||
06ebe161af3e761f2e2e35a67c6c0af27bf61aea7cd4ba8b28372ced5e3b3175) # logrotate
|
||||
06ebe161af3e761f2e2e35a67c6c0af27bf61aea7cd4ba8b28372ced5e3b3175 # logrotate
|
||||
af8e804540e808c7b07b324394ae0d782f46fe6dc67808b3bc978d01dce90b28) # HTTP2_per-iteration-stream-handling-limit.patch
|
||||
|
||||
## ad3a8638121b6aa63721eba44e6794e11587f279296f264a93a3ef5e5aae5836 nginx-1.24.0-02-x86_64.pkg.tar.lz
|
||||
|
||||
## d35644efcaa928a83335cd5219b8263976dd25ec3eac3f0378f644a8f8243722 nginx-1.24.0-03-x86_64.pkg.tar.lz
|
||||
|
|
|
@ -11,7 +11,7 @@ pkgbase=nginx
|
|||
pkgname=(nginx nginx-src)
|
||||
# update tests revision too
|
||||
pkgver=1.24.0
|
||||
pkgrel=2
|
||||
pkgrel=3
|
||||
arch=(x86_64)
|
||||
url='https://nginx.org'
|
||||
license=(custom)
|
||||
|
@ -27,11 +27,12 @@ backup=(etc/nginx/fastcgi.conf
|
|||
etc/nginx/uwsgi_params
|
||||
etc/nginx/win-utf
|
||||
etc/logrotate.d/nginx)
|
||||
install=nginx.install
|
||||
source=($url/download/nginx-$pkgver.tar.gz{,.asc}
|
||||
hg+https://hg.nginx.org/nginx-tests#revision=24482e311749
|
||||
nginx.service
|
||||
logrotate)
|
||||
logrotate
|
||||
# https://hg.nginx.org/nginx/rev/cdda286c0f1b CVE-2023-44487
|
||||
HTTP2_per-iteration-stream-handling-limit.patch::https://hg.nginx.org/nginx/raw-rev/cdda286c0f1b)
|
||||
# https://nginx.org/en/pgp_keys.html
|
||||
validpgpkeys=('B0F4253373F8F6F510D42178520A9993A1C052F8' # Maxim Dounin <mdounin@mdounin.ru>
|
||||
'13C82A63B603576156E30A4EA0EA981B66B0D967') # Konstantin Pavlov <thresh@nginx.com>
|
||||
|
@ -39,7 +40,8 @@ sha512sums=('1114e37de5664a8109c99cfb2faa1f42ff8ac63c932bcf3780d645e5ed32c0b2ac4
|
|||
'SKIP'
|
||||
'SKIP'
|
||||
'ca7d8666177d31b6c4924e9ab44ddf3d5b596b51da04d38da002830b03bd176d49354bbdd2a496617d57f44111ad59833296af87d03ffe3fca6b99327a7b4c3c'
|
||||
'2f4dfcfa711b8bcbc5918ba635f5e430ef7132e66276261ade62bb1cba016967432c8dce7f84352cb8b07dc7c6b18f09177aa3eb92c8e358b2a106c8ca142fe9')
|
||||
'2f4dfcfa711b8bcbc5918ba635f5e430ef7132e66276261ade62bb1cba016967432c8dce7f84352cb8b07dc7c6b18f09177aa3eb92c8e358b2a106c8ca142fe9'
|
||||
'18b69643648119dfab45101bb9404be667aeb9d550aa3bc9706e63e7da1c2806106e9a6bbfb2d10bd57ef56b9b5b0b524059353ec30a51469b44641cb7dbd8a6')
|
||||
|
||||
_common_flags=(
|
||||
--with-compat
|
||||
|
@ -78,6 +80,8 @@ _stable_flags=(
|
|||
|
||||
prepare() {
|
||||
cp -r $pkgbase-$pkgver{,-src}
|
||||
cd $pkgbase-$pkgver
|
||||
patch -Np1 -i "$srcdir/HTTP2_per-iteration-stream-handling-limit.patch"
|
||||
}
|
||||
|
||||
build() {
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
|
||||
real 7m56.248s
|
||||
user 2m55.472s
|
||||
sys 0m18.013s
|
||||
|
||||
real 1m14.251s
|
||||
user 1m7.433s
|
||||
sys 0m7.364s
|
||||
|
||||
|
|
Loading…
Reference in New Issue