HIGHLIGHTS
* WebSockets over HTTP/2
RFC 8441 Bootstrapping WebSockets with HTTP/2
* HTTP/2 PRIORITY_UPDATE
RFC 9218 Extensible Prioritization Scheme for HTTP
* prefix/suffix conditions in lighttpd.conf
* mod_webdav safe partial-PUT
webdav.opts += ("partial-put-copy-modify" => "enable")
* mod_accesslog option: accesslog.escaping = "json"
* mod_deflate libdeflate build option
* speed up request body uploads via HTTP/2
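The prefix/suffix conditionals and the JSON access-log escaping listed above, as an added lighttpd.conf example that is not part of the release notes or the lighttpd project's own configuration; the paths and the accesslog.format string are assumptions chosen for illustration:

```conf
# Added example (not from the lighttpd release notes).  Paths and the
# accesslog.format string are placeholders chosen for illustration.
server.modules += ("mod_access", "mod_accesslog")

# Prefix match (=^) instead of a regex: nothing to escape, and the
# comparison is anchored at the start of the path.  Deny the whole API
# subtree unless the request arrived over TLS.
$HTTP["url"] =^ "/api/" {
    $HTTP["scheme"] != "https" {
        url.access-deny = ("")
    }
}

# Suffix match (=$) for extension rules; !$ is the negated form.
# Refuse editor backups and key material by extension.
$HTTP["url"] =$ ".bak" { url.access-deny = ("") }
$HTTP["url"] =$ ".key" { url.access-deny = ("") }
$HTTP["url"] =$ "~"    { url.access-deny = ("") }

# JSON-escape every substituted field so attacker-controlled values
# (request line, Referer, User-Agent) cannot forge extra log records or
# smuggle terminal escape sequences into the log.  With a JSON-shaped
# format string each line is then one parseable object; byte counts are
# quoted because lighttpd may emit "-" rather than a number.
accesslog.filename = "/var/log/lighttpd/access.json"
accesslog.escaping = "json"
accesslog.format   = "{\"ts\":\"%{%Y-%m-%dT%H:%M:%S%z}t\",\"client\":\"%h\",\"request\":\"%r\",\"status\":%s,\"bytes\":\"%b\",\"referer\":\"%{Referer}i\",\"ua\":\"%{User-Agent}i\"}"
```

Check the result with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` before reloading; a prefix/suffix operator typo is reported as a parse error rather than silently matching nothing.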
BEHAVIOR CHANGES:
* change default server.max-keep-alive-requests = 1000 to adjust
to increasing HTTP/2 usage and to web2/web3 application usage
(prior default was 100)
* mod_status HTML now includes HTTP/2 control stream id 0 in the output
which contains aggregate counts for the HTTP/2 connection
(These lines can be identified with URL '*', part of "PRI *" preface)
alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
* MIME type application/javascript is translated to text/javascript (RFC 9239)
- [core] import xxHash v0.8.1
- [core] isolate use of sys/filio.h
- [core] fix reqpool mem corruption in 1.4.62 (fixes #3118)
pkgsrc changes:
- Link with pkgsrc xxhash instead of the vendored copy
Highlights
* improve performance, reduce memory use, bugfixes
* HTTP/2 smoother and lower memory use (in general)
* HTTP/2 tuning to better handle aggressive client initial requests
* reduce memory footprint; workaround poor glibc behavior; jemalloc is better
* mod_magnet lua performance improvements
* mod_dirlisting performance improvements and new caching option
* memory constraints for extreme edge cases in mod_dirlisting, mod_ssi, mod_webdav
* connect(), write(), read() time limits on backends (separate from client timeouts)
* lighttpd restarts if large discontinuity in time occurs (embedded systems)
* RFC7233 Range support for all non-streaming responses, not only static files
as well as adding options for other SSL libraries, disabling options
explicitly should cause fewer problems when the OS contains libraries used
by the options.
add options for other SSL libraries later. Add 'libdbi' option to enable
mod_vhostdb_dbi and the new mod_authn_dbi module, off by default. Bump
PKGREVISION.
# Highlights
- HTTP/2 support
- must be enabled in lighttpd.conf in lighttpd 1.4.56;
may be enabled by default in a future release
- `server.feature-flags += ("server.h2proto" => "enable", "server.h2c" => "enable")`
- TLS library options: OpenSSL, mbedTLS, wolfSSL, GnuTLS, NSS
- mod_openssl (existing)
- mod_mbedtls (experimental)
- mod_wolfssl (experimental)
- mod_gnutls (experimental)
- mod_nss (experimental)
- TLS OCSP stapling
(except mod_mbedtls; OCSP stapling is not currently supported by mbedTLS)
- TLS session ticket key rotation control
(except NSS; API limitation in NSS)
- mod_deflate brotli support
- mod_proxy makes HTTP/1.1 requests to backends (change from HTTP/1.0)
- RFC 8297 support for 103 Early Hints produced by backends (scripts)
- graceful restart option to transfer listen fds (minimal pause)
- `server.systemd-socket-activation = "enable"`
- `server.feature-flags += ("server.graceful-restart-bg" => "enable", "server.graceful-shutdown-timeout" => "15")`
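The HTTP/2 and graceful-restart flags above, collected into one added lighttpd.conf fragment that is not part of the release notes; the h2c choice and the 15 second timeout are assumptions for a TLS-only deployment:

```conf
# Added example (not from the lighttpd release notes).  Values are
# illustrative for a TLS-only listener.
server.modules += ("mod_openssl")

server.feature-flags += (
    # h2: HTTP/2 over TLS, negotiated via ALPN by the TLS module
    "server.h2proto" => "enable",
    # h2c: cleartext HTTP/2.  Irrelevant on a TLS-only listener and only
    # useful on a plaintext one if clients really speak h2c, so keep it
    # off until one does.
    "server.h2c" => "disable",
    # Graceful restart: the old process finishes in-flight requests while
    # the new one takes over the listen fds.  The current default timeout
    # of 0 means "wait forever", so a stalled client can keep the old
    # process alive indefinitely; bound it explicitly.
    "server.graceful-restart-bg" => "enable",
    "server.graceful-shutdown-timeout" => "15"
)

# Listen fds are inherited from systemd, so neither a graceful nor a
# plain restart drops the accept backlog.
server.systemd-socket-activation = "enable"
```

Validate with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf`, then trigger the graceful restart with SIGUSR1 to the running process and confirm that connections opened before the signal are still served.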
# Behavior Changes
- mod_openssl
- default MinProtocol TLSv1.2
TLSv1 and TLSv1.1 are deprecated and no longer supported by major browsers.
<https://news.netcraft.com/archives/2020/03/03/browsers-on-track-to-block-850000-tls-1-0-sites.html>
If prior behavior is required, configure:
`ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1")`
If using openssl <= 1.0.2 (end-of-life)
`ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1, TLSv1.1, TLSv1.2")`
- (internal) TLS session cache is disabled by default,
replaced by lighttpd robust TLSv1.2 session ticket support
If backward compatibility is needed:
`server.feature-flags += ("ssl.session-cache" => "enable")`
- (internal) openssl creates a session ticket encryption key per SSL_CTX.
lighttpd 1.4.56 and later assigns a single session ticket encryption key
for the lighttpd server (across all SSL_CTX) for consistency.
- behavior change with ssl.ca-dn-file (uncommon); applies only when
client certificate verification is enabled and ssl.ca-dn-file is set
If client certificate verification is enabled
(ssl.verifyclient.activate = "enable"),
all CAs used for client certificate verification must be present in
ssl.ca-file. This is the typical use case when client certificate
verification is enabled. Certificates in (optional) ssl.ca-dn-file
are used to send issuer names to the client when the server sends a
client certificate request. These names are used by the client
during certificate selection, and the server requires that the
certificate sent by the client be issued by one of the subjects
in ssl.ca-dn-file.
(Prior behavior merged ssl.ca-file and ssl.ca-dn-file for trusted CAs.
New behavior requires all trusted CAs be listed in ssl.ca-file,
and a subset be duplicated into ssl.ca-dn-file to specify allowed
client cert issuers.)
- mod_deflate: support for bzip2 is now disabled by default in the build
- (enable using `./configure --with-bzip2`)
bzip2 Content-Encoding is not widely supported
Prefer to build `--with-brotli`
brotli Content-Encoding is more widely supported than bzip2
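The mod_openssl changes listed above (TLSv1.2 minimum, OCSP stapling, and the split between ssl.ca-file and ssl.ca-dn-file) together with the mod_deflate brotli preference, as one added lighttpd.conf example that is not from the release notes; file paths, the two-file CA layout and the MIME type list are assumptions:

```conf
# Added example (not from the lighttpd release notes).  Paths, the CA
# layout and the MIME type list are placeholders.
server.modules += ("mod_openssl", "mod_deflate")

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/www.example.com.crt"
    ssl.privkey = "/etc/lighttpd/ssl/www.example.com.key"

    # 1.4.56 already defaults to MinProtocol TLSv1.2; pin it anyway so a
    # merged legacy snippet or an older build cannot quietly re-enable
    # TLSv1/TLSv1.1.  The "MinProtocol" => "TLSv1" line from the
    # compatibility note above is the weak setting to avoid.
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")

    # OCSP stapling: lighttpd serves this pre-fetched response; refresh
    # it out-of-band (cron/timer) or clients will see a stale staple.
    ssl.stapling-file = "/etc/lighttpd/ssl/www.example.com.ocsp"

    # Mutual TLS.
    #   ssl.ca-file    - every CA needed to verify the client chain
    #                    (root and all intermediates)
    #   ssl.ca-dn-file - the subset whose names are advertised in the
    #                    CertificateRequest; the client cert must be
    #                    issued by one of these.  Listing only the
    #                    client-issuing intermediate here rejects certs
    #                    from sibling intermediates that would otherwise
    #                    chain to the same root.
    ssl.verifyclient.activate = "enable"
    # reject the request instead of passing it on for a backend to decide
    ssl.verifyclient.enforce  = "enable"
    ssl.verifyclient.depth    = 2
    ssl.ca-file    = "/etc/lighttpd/ssl/client-trust-chain.pem"
    ssl.ca-dn-file = "/etc/lighttpd/ssl/client-issuing-ca.pem"
    # Expose the verified subject CN to backends and access logs
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
}

# mod_deflate: brotli first, gzip for older clients; bzip2 stays off.
# text/html is deliberately absent: compressing pages that place secrets
# (CSRF tokens) next to attacker-reflected input on a TLS listener is the
# BREACH pattern, so add it only after weighing that.
deflate.mimetypes = ("text/plain", "text/css", "text/javascript",
                     "application/javascript", "application/json")
deflate.allowed-encodings = ("br", "gzip")
```

A quick check of the issuer restriction: a client certificate signed directly by the root in client-trust-chain.pem must be refused while one from the intermediate in client-issuing-ca.pem is accepted; if both succeed, ssl.ca-dn-file is not being applied.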
# Future Scheduled Behavior Changes
- HTTP/2 support will be enabled by default in a future release
- graceful restart/shutdown default timeout will change from
0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
configure an alternative with:
`server.feature-flags += ("server.graceful-shutdown-timeout" => 5)`
- mod_compress is DEPRECATED; use mod_deflate
mod_compress has been subsumed by mod_deflate
Note: mod_compress config options may be removed in a future release
- mod_geoip is DEPRECATED; use mod_maxminddb
Note: mod_geoip will be removed from a future lighttpd release
- mod_authn_mysql is DEPRECATED; use mod_authn_dbi
Note: mod_authn_mysql will be removed from a future lighttpd release
- mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
Note: mod_mysql_vhost will be removed from a future lighttpd release
- mod_cml is DEPRECATED; use mod_magnet
Note: mod_cml will be removed from a future lighttpd release
patch-src_fdevent__solaris__port.c was removed since what it solves is fixed
in this version.
Changes from 1.4.54
[core] fix compile error on Solaris
[core] attribute_pure
[core] array-specialized buffer_caseless_compare()
[core] specialized buffer_eq_*() for short strings
[core] mark some more funcs w/ attribute_pure
[core] use buffer_eq_icase* funcs
[multiple] replace strcasecmp() on short strings
[core] mark some more funcs w/ attribute_pure
[mod_webdav] fix startup crash w/ multiple conds
[core] cold func http_response_omit_header()
[core] use buffer_eq_icase_ssn func
[core] use buffer_eq_icase_ssn func
[core] correct attribute_pure syntax
[core] allocate unix socket paths with SUN_LEN()+1
Use explicit_memset from NetBSD if available for safe_memclear
Also use explicit_memset (NetBSD) with cmake, scons and meson
[cmake]: enable CMAKE_POSITION_INDEPENDENT_CODE by default
[core] improve http_headers[] data struct packing
[core] fdevent_poll() is effective periodic timer
[core] move con state handling to connections*.c
[core] issue config error for invalid ':'
[mod_deflate] fix choose encoding parse error
[core] retry on some fdevent set/del temporary err
[core] disable stat_cache FAM if FAM conn closed
[mod_auth] http_auth_const_time_memeq improvement
[build] prefer pkg-config for postgres
[mod_authn_gssapi] 500 if fail to delegate creds
[mod_authn_gssapi] option to store delegated creds
[mod_webdav] fix file uploads > 128M
[mod_auth] do not use quoted-string for algorithm
[mod_auth] require digest uri= match original URI
[mod_auth] Authentication-Info: nextnonce=...
[mod_auth] http_auth_const_time_memeq_pad()
[mod_auth] http_auth_const_time_memeq()
[build] PGSQL_CFLAGS with pkg-config for postgres
[core] avoid freeaddrinfo() on NULL ptr
[core] reject WS following header field-name
[core] reject Transfer-Encoding + Content-Length
[mod_openssl] reject invalid ALPN
[mod_accesslog] parse multiple cookies
[core] Oracle Solaris does not have POLLRDHUP
[multiple] address coverity warnings
[core] preserve %2b and %2B in query string
[core] fall back to accept() if accept4() EPERM
[mod_auth] close connection after bad password
[core] do not accept() > server.max-connections
[core] save errno before logging if execve() fails
[config] update /var/run → /run for systemd
[core] Solaris has getloadavg in sys/loadavg.h
[build] Fix build when using nested CMake
[core] fix one-byte OOB read (underflow)
pkgsrc changes:
Replace use of legacy GeoIP library with libmaxminddb.
Uses a different module.
Changes:
Highlights
behavior change: strict URL parsing and normalization (configurable)
behavior change: mod_webdav now rejects partial PUT (configurable)
mod_auth: HTTP Auth Digest algorithm=SHA-256
mod_webdav: major rewrite: robustness, performance, RFC compliance
mod_maxminddb: new; obsoletes discontinued mod_geoip
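The 1.4.54 highlights above (strict URL parsing, the partial-PUT change in mod_webdav, Digest SHA-256 and mod_maxminddb), as one added lighttpd.conf example that is not from the release notes; it also covers the later "partial-put-copy-modify" option from the 1.4.6x highlights at the top of the page. Paths, realm, database locations and the per-option comments on server.http-parseopts are this example's assumptions:

```conf
# Added example (not from the lighttpd release notes).  Paths, realm and
# database locations are placeholders.
server.modules += ("mod_auth", "mod_authn_file", "mod_webdav", "mod_maxminddb")

# Strict request parsing and URL normalization (configurable since
# 1.4.54).  The values below are what a hardened deployment wants; relax
# a single option inside a vhost for a known misbehaving client rather
# than globally.
server.http-parseopts = (
    "header-strict"            => "enable",  # reject malformed header lines
    "host-strict"              => "enable",  # reject malformed Host: values
    "host-normalize"           => "enable",  # canonical Host for vhost matching
    "url-normalize-unreserved" => "enable",  # %41 -> A etc. before conditionals run
    "url-normalize-required"   => "enable",  # re-encode chars that must stay encoded
    "url-ctrls-reject"         => "enable",  # no control characters in the URL
    "url-path-2f-reject"       => "enable",  # refuse %2F rather than decode it to '/'
    "url-path-dotseg-remove"   => "enable",  # resolve ./ and ../ so rules see the real path
    "url-query-20-plus"        => "enable",  # one canonical spelling of space in the query
    "method-get-body"          => "disable"  # a GET with a body is a smuggling/poisoning probe
)

# WebDAV share.  1.4.54 rejects partial PUT (Content-Range) outright; the
# deprecated compat switch is shown commented out only so it can be
# recognized and removed, since it lets a client overwrite arbitrary byte
# ranges of an existing file in place.
$HTTP["url"] =~ "^/dav/" {
    webdav.activate       = "enable"
    webdav.is-readonly    = "disable"
    webdav.sqlite-db-name = "/var/lib/lighttpd/webdav.db"   # locks/properties (sqlite build)
    # webdav.opts = ("deprecated-unsafe-partial-put" => "enable")   # avoid
    # Later releases add a safe copy-modify-rename variant instead:
    # webdav.opts += ("partial-put-copy-modify" => "enable")
}

# Digest auth with SHA-256 in front of the share.  Client support for
# SHA-256 Digest is uneven, so test it with the clients in use before
# dropping MD5 from the user file.
auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/dav.htdigest"
auth.require = ( "/dav/" => (
    "method"    => "digest",
    "algorithm" => "SHA-256",
    "realm"     => "dav",
    "require"   => "valid-user"
) )

# GeoIP2 lookups via libmaxminddb, exported as environment variables for
# backends (replaces the discontinued mod_geoip).
maxminddb.activate = "enable"
maxminddb.db       = "/usr/share/GeoIP/GeoLite2-Country.mmdb"
maxminddb.env      = ( "GEOIP_COUNTRY_CODE" => "country/iso_code" )
```

Worth checking after applying the parse options: a request for `/dav/..%2Fetc/passwd` should now be rejected at the parser rather than reaching the conditional, and `/dav/./x` should be matched and logged as `/dav/x`.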
Changes from 1.4.53
[mod_evhost] handle IPv6 literal addr; add tests
[core] separate server_main_loop() func, mark hot
[core] mark startup/shutdown funcs cold
[core] some server_main_loop() cleanup
[core] fdevent_process()
[core] srv->max_fds_lowat and srv->max_fds_hiwat
[core] remove server.h
[mod_staticfile] search ext array if not empty
[core] store joblist pointer on stack
[core] quickly clear request buffer for reuse
[core] helper funcs for connection_state_machine()
[core] perf: optimize connection_read_header()
[core] parse request in connection_read_header()
[core] log_request_header_on_error in one place
[core] copy request only if might need for logging
[core] make parse_request,request.request same buf
[core] prefer buffer_caseless_compare()
[core] pass req hdrs buffer to http_request_parse
[core] replace con->response.keep_alive
[core] mark log_error_write*() funcs cold
[core] http_request_parse() mark error paths cold
[core] lift code out of request line parse loop
[core] get_http_method_key() match by strlen first
[core] RFC7230 HTTP-version parse
[mod_accesslog] attempt to reconstruct req line
[multiple] minor: remove duplicated conditions
[mod_deflate] honor request for x-gzip, x-bzip2
[mod_auth] minor: adjust config validation
[core] discard oversized trailers
[core] no keep-alive if POLLRDHUP,empty read queue
[core] fix gw_backend spelling of directive in err
[multiple] reduce code dup in list resizing
[core] con->is_ssl_sock
[core] connection_handle_write() updates con state
[core] skip plugins_call_cleanup if not init'ed
[core] simpler loops to run plugin hooks
[core] fix mixed use of srv->split_vals array (fixes #2932)
[core] dispatch events from within event framework
[core] don't call fd event handlers more than once, they might already be gone (fixes segfault)
[core] poll: fdarray uses fd as index, not fde_ndx
[core] map FDEVENT_* to OS system event frameworks
[core] prefer memchr() over strchr()
[core] use openssl to read,discard request body
[mod_openssl] inherit cipherlist from global scope
[mod_openssl] default: ssl.cipher-list = "HIGH"
[mod_proxy] pass Content-Length to backend if > 0
[core] config option to allow GET w/ request body
[core] some fdevent code streamlining
[core] remove fde_ndx member outside fdevents
[core] remove redundant check for allow_http11
[mod_openssl] use 16k static buffer instead of 64k
[core] pull server load checks out of main loop
[core] isolate fdevent processing
[core] release empty chunk buf when nothing read
[core] perf: pass (fdnode *) to epoll and kqueue
[core] modify config parser to handle multiple }
[core] pass (fdnode *) for registered fdevent fd
[mod_auth] http_auth_digest_hex2bin()
[mod_auth] http_auth_info_t digest abstraction
[mod_auth] pass http_auth_require_t for 401 Unauth
[core] no SOCK_NONBLOCK on QNX 7.0
[mod_auth] HTTP Auth Digest algorithm=SHA-256
[core] silence coverity warning
[mod_magnet] fix invalid script return-type crash (fixes #2938)
[build] remove -Wdeclaration-after-statement
[core] pass conf.follow_symlink in more places
[core] fix assertion with server.error-handler (fixes #2941)
[core] extend dir redirection to take HTTP status
[doc] minor adjust create-mime.conf.pl regex match (#2942)
[core] attribute((fallthrough)) for GCC 7.0
[core] fdevent_mkstemp_append() (shared)
[core] off_t upload_temp_file_size
[core] clear FDEVENT_RDHUP if no POLLRDHUP
[mod_wstunnel] fix ping-interval for big-endian (fixes #2944)
[core] fix abort in http-parseopts (fixes #2945)
[core] remove repeated slashes in http-parseopts
[core] fix 1.4.52 regression in mem use with POST (fixes #2948)
[multiple] cleaner calloc use in SETDEFAULTS_FUNC
[core] add const to some etag prototypes
[core] attribute((format ...))
[core] struct log_error_st for error logging
[core] log_error, log_perror using printf-like fmt
[core] new worker_init hook to follow parent fork
[core] replace open() with fdevent_open_cloexec()
[mod_webdav] major rewrite (fixes #1818)
[core] 200 for OPTIONS /non-existent/path HTTP/1.1 (fixes #2939)
[mod_webdav] surround Lock-Token with "<...>"
[mod_webdav] fix uuid detection macro
[mod_webdav] fix misbehavior on blank nodes in PROPPATCH
[mod_webdav] clean up resources after do{}while(0)
[mod_webdav] check If-Match, If-Unmodified-Since (#1818)
[mod_webdav] deprecated unsafe partial PUT compat
[mod_webdav] provide ETag in more responses
[mod_webdav] platform portability fixes
[mod_webdav] disable elftc_copyfile() on FreeBSD
[mod_webdav] special-case If: ()
[mod_webdav] check If-None-Match (#1818)
[stat_cache] separate func for symlink policy chk
[stat_cache] separate symlink pol from data struct
[stat_cache] store entries without trailing slash
[stat_cache] pass age param for stat cache cleanup
[stat_cache] remove splaytree ins/del debug code
[stat_cache] FAM: reduce string copying
[stat_cache] FAM: check FAMNextEvent() return code
[stat_cache] FAM: use entry hash index as userdata
[stat_cache] FAM: improve handling modified file
[stat_cache] FAM: ignore follow-symlink config
[stat_cache] FAM: check hash collision before add
[stat_cache] FAM: ignore event with no valid match
[stat_cache] FAM: funcs to invalidate entries
[stat_cache] interfaces to invalidate entries
[mod_webdav] update stat_cache after file mod
[core] use high precision stat timestamp in etag
[scons] adjustment for static build under CentOS
[core] emit trace using path before clearing path
[core] http_chunk_append_file_fd()
[multiple] open target file earlier in some cases
[stat_cache] no longer stat() and open() for stat
[stat_cache] FAM: improve monitoring, cache 16 sec
[stat_cache] FAM: separate routine for FDEVENT_IN
[stat_cache] FAM: whitespace-only change
[mod_webdav] quiet coverity warnings
[doc] highlight relevance of module load order (fixes #2946)
[core] behavior change: stricter URL normalization
[stat_cache] fix compilation error for cmake
[cmake] help cmake on FreeBSD find sys/event.h
[scons] help scons on FreeBSD find sys/event.h
[build] detect FreeBSD elftc_copyfile()
[mod_openssl] use SSL_CTX_set_client_hello_cb()
[core] support weak etags with If-None-Match
[core] store log_state_handling flag on stack
[core] check if splay_tree NULL before invalidate
[mod_webdav] workaround Microsoft-WebDAV-MiniRedir
[mod_webdav] doc Microsoft-WebDAV-MiniRedir bugs
[mod_webdav] invalidate parent dir in stat_cache
[doc] systemd socket activation config example
[core] chunkqueue perf: code reuse
[core] chunkqueue perf: specialized buffer.h funcs
[core] chunkqueue perf: skip opening 0-length file
[core] chunkqueue perf: read small files into mem
[core] buffer_reset() should not be passed NULL
[tests] has_feature() helper func
[tests] skip mod-secdownload HMAC-SHA1,HMAC-SHA256
[core] use high precision stat timestamp on OS X
[mod_magnet] expose server addr (local IP) to lua
[core] adjust http_chunk read() retry loop
[mod_maxminddb] MaxMind GeoIP2 support
[mod_authn_ldap] ldap_set_option LDAP_OPT_RESTART (fixes #2940)
* [mod_cml,mod_flv_streaming] fix NULL ptr deref
* [mod_simple_vhost] t/test_mod_simple_vhost
* [mod_evhost] split uri handler func for testing
* [mod_evhost] restructure for unit tests
* [mod_evhost] t/test_mod_evhost
* [mod_access] restructure for unit tests
* [mod_access] t/test_mod_access
* [tests] include first.h and NDEBUG early
* [core] use kill_signal for gw_proc_kill()
* [tests] t/test_keyvalue
* [tests] some test config cleanup
* [tests] update skip count in mod-fastcgi.t
* [multiple] reduce initial buffer sz if large POST (fixes #2922)
* [mod_fastcgi] fix NULL ptr deref from bugfix #2922 (fixes #2923)
* [tests] more test config cleanup
* [core] perf: incremental hash of pathname w/o copy
* [core] perf: reuse buffer to redirect to directory
* [core] do not free() reused buffer
* [core] use connected sock port in dir redirect
* [core] http_response_buffer_append_authority()
* [core] use con->server_name for dir redir
* [core] memeq compare rounded to 64, not next 1M
* [core] define MD5_DIGEST_LENGTH 16
* [mod_auth] permit additional auth backends to load
* [core] send Connection: close if reqbody not read (fixes #2924)
* [core] cache rev DNS for localhost for dir redir
* [doc/conf] resolve some mime type conflicts from debian buster,
regenerate mime.conf
* [core] move winsock init to network_init()
* [core] move /dev/stdin graceful restart handling
* [core] network_srv_sockets_append() shared code
* [core] systemd socket activation support
* [build] autotools: try mysqlclient.pc and mariadb.pc (fixes #2925)
* [mod_expire] look up expire fallback "" explicitly
* [multiple] calloc match ptr type (clang --analyze)
* [multiple] quiet clang --analyze where trivial
* [mod_webdav] compare COPY, MOVE Destination scheme
* [core] con->uri.scheme is maintained lowercase
* [mod_openssl] ALPN and acme-tls/1 (fixes #2931)
* [core] Fix recursive include_shell invocations
* [mod_openssl] ssl.privkey directive (optional)