summaryrefslogtreecommitdiffstats
path: root/usr.sbin/httpd/server.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix rev 1.70 of server.c by only re-enabling the bufferevent if weflorian2015-08-031-4/+8
| | | | | | | | previously disabled it because we were reading to fast (from disk). Problem noted and tracked down to that commit by weerd@ and independently by stsp@. Tested by weerd@, stsp@, reyk@ OK bluhm@, reyk@
* backout the previous: it broke wordpress somehow.reyk2015-07-291-3/+1
| | | | | | we need more care to find a proper fix for the fastcgi headers. acknowledged by deraadt@
* Read fcgi response records until we have the whole http header and canflorian2015-07-291-1/+3
| | | | | | parse it. Otherwise http headers can leak into the body. Pointed out by Jean-Philippe Ouellet on bugs@ Thanks! OK reyk, commit ASAP deraadt@
* libtls has been changed to set SSL_MODE_ENABLE_PARTIAL_WRITE andreyk2015-07-181-24/+5
| | | | | | | | | | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default. This gives tls_write() a similar short write semantics as write(2) and a workaround in httpd to cope with the previous differences can be removed. Specifically, httpd can stop copying data into a local buffer that was used to keep it around for repeated writes. OK bluhm@
* If we can read faster from disk than send data to the client stopflorian2015-07-161-2/+11
| | | | | | | | | | reading from disk when we hold a certain amount of data in RAM. Re-enable reading once we send enough data to the client. Otherwise we might end up with the whole file (which can be huge) in RAM. Reported by Matthew Martin ( matt.a.martin AT gmail ) on bugs@, thanks! OK reyk@, benno@
* Escape the message in server_log() as well.reyk2015-07-151-5/+7
| | | | OK benno@
* Close connections that fail to complete a TLS handshake.jsing2015-07-151-1/+2
| | | | | | Based on a diff from Jack Burton <jack at saosce dot com dot au>. ok reyk@
* Fix typo in comment.jsing2015-07-151-2/+2
|
* Send the TLS certificate and key via separate imsgs, rather thanjsing2015-07-151-1/+4
| | | | | | | | | including them in the IMSG_CFG_SERVER imsg. This allows the certificate and key to each be almost 16KB (the maximum size for an imsg), rather than having a combined total of less than 16KB (which can be reached with large keys, certificate bundles or by including text versions of certificates). ok reyk@
* Explicitly check for and handle EOF on a TLS connection.jsing2015-07-151-1/+6
| | | | ok reyk@
* Fix memory leaks that can occur when config_getserver() fails.jsing2015-07-151-6/+17
| | | | | | | | | | config.c r1.34 and r1.30 introduced potential memory leaks for auth and return_uri when config_getserver fails. Fix this by switching to serverconfig_free() and adding the missing free for srv_conf->auth. While here, make serverconfig_free() a little more bulletproof by explicit_bzero()ing key material. ok reyk@
* We cannot log errors with server_close() before allocatingflorian2015-04-231-8/+6
| | | | | | | clt_log evbuffer. server_close() calls server_log() which uses ctl_log. Crash reported by Daniel Jakots <vigdis AT chown DOT me>, thanks! OK benno
* Always check the return value of proc_composev_imsg() and handle failuresjsing2015-04-111-2/+6
| | | | | | | | | appropriately. Otherwise imsg construction can silently fail, resulting in non-obvious problems. Found the hard way by Theodore Wynnychenko. ok doug@ florian@
* Prevent use after free.florian2015-03-151-4/+4
| | | | | | | | While here unconditionally free clt and move declaration of server_inflight_dec() into server.c Found while investigating if (foo != NULL) free(foo) patterns pointed out by Markus Elfring. OK reyk
* Add return_uri to serverconfig_reset() to avoid using garbage from thereyk2015-02-231-1/+2
| | | | | | imsg buffer. Debugging & OK halex@
* Allow TLS protocols to be specified via a "tls protocols" configurationjsing2015-02-121-2/+3
| | | | | | option. ok reyk@
* Change TLS_PROTOCOLS_DEFAULT to be TLSv1.2 only. Add a TLS_PROTOCOLS_ALLjsing2015-02-121-1/+3
| | | | | | | | that includes all currently supported protocols (TLSv1.0, TLSv1.1 and TLSv1.2). Change all users of libtls to use TLS_PROTOCOLS_ALL so that they maintain existing behaviour. Discussed with tedu@ and reyk@.
* Remove server_load_file() in favor of tls_load_file(3)reyk2015-02-071-37/+10
|
* Add httpd configuration options to allow the specification of DHEjsing2015-02-071-1/+12
| | | | | | | parameters and the ECDHE curve. This primarily allows for DHE cipher suites to be enabled. ok reyk@
* Add support for blocking, dropping, and redirecting requests.reyk2015-02-071-1/+2
| | | | OK florian@
* httpd is based on relayd and had included many headers that are onlyreyk2015-01-211-9/+7
| | | | | | | | | needed by its ancestor. jsg@, include-what-you-use, and some manual review helped to cleanup the headers (take iwyu with a grain of salt). Based on common practice, httpd.h now also includes the necessary headers for itself. OK florian@
* Decouple auth parameters from struct server_config into struct auth.reyk2015-01-191-1/+5
| | | | OK florian@
* Replace <sys/param.h> with <limits.h> and other less dirty headers wherederaadt2015-01-161-3/+6
| | | | | | | | | possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
* bump copyright yearreyk2015-01-131-2/+2
|
* Only open a socket once for each unique "listen on" statement. Thisreyk2015-01-061-2/+19
| | | | | | | prevents running out of file descriptors when loading a configuration with many aliases. OK florian@
* Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary.guenther2014-12-211-2/+1
| | | | | | *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't. ok reyk@
* Like previously done in relayd, change the keyword "ssl" to "tls" toreyk2014-12-121-47/+47
| | | | | | reflect reality. OK benno@
* stop viral header propagation. none of this code uses sys/hash.htedu2014-12-041-2/+1
| | | | from Max Fillinger
* Update httpd(8) to use libtls instead of libressl.jsing2014-10-311-34/+34
|
* Remove unnecessary netinet/in_systm.h include.lteo2014-10-251-2/+1
| | | | ok millert@
* Update ressl configuration to handle recent changes in the library.jsing2014-10-031-7/+17
| | | | ok tedu@
* Fix an error case that was never handled ending up in an endless eventreyk2014-10-021-6/+10
| | | | | | | loop that could eat all CPU. I thought that the previous (correct) commit fixed it which wasn't the case. But this one is obvious. ok florian@
* Remove a limitation that only allowed to specify a server name once.reyk2014-09-051-3/+18
| | | | | | | | | The key has been changed to server name + address + port and now it is possible to use the same server name for multiple servers with different addresses, eg. http://www.example.com and https://www.example.com/. OK doug@ florian@
* FastCGI did not support persistent connections. Add initial supportreyk2014-09-021-1/+21
| | | | | | | | | for persistent connections with FastCGI by implementing chunked Transfer-Encoding. This only works with HTTP/1.1. With input and help from florian@ who found some FastCGI edge cases. OK florian@
* Write all data before closing the server socket if the output bufferreyk2014-08-271-5/+14
| | | | | | | is not empty. This fixes a bug of short responses that could happen with large files or fcgi data on connections with a higher latency. OK florian@
* Use memset(buf instead of memset(&buf.reyk2014-08-061-3/+3
| | | | Pointed out by deraadt@
* Also clean up the public key when it is no longer needed.jsing2014-08-061-2/+6
| | | | ok deraadt@ reyk@
* Configure the default SSL ciphers as HIGH:!aNULL.jsing2014-08-061-1/+3
| | | | ok deraadt@ reyk@
* http POST supportflorian2014-08-061-1/+3
| | | | with & OK reyk@
* spacingreyk2014-08-061-5/+5
|
* The watermark exposed a bug in server_write that broke keep-alivereyk2014-08-061-4/+5
| | | | | | | support. Instead of calling server_close from server_write, we have to proceed to the next connection by calling the error handler. OK jsg@
* Bring back the last read (done) / last write (done) messages instead of justreyk2014-08-061-3/+3
| | | | "done" to simplify connection debugging.
* Adjust the read/write watermarks according to the TCP send buffer.reyk2014-08-061-1/+13
| | | | | | | | | This fixes sending of large files. Previously, httpd was reading the input file too quickly and could run out of memory when filling the input buffer. Found by jsg@ OK florian@
* add missing va_start/va_end callsjsg2014-08-061-1/+3
| | | | ok deraadt@ guenther@
* Load the SSL public/private keys in the parent process, then provide themjsing2014-08-061-8/+66
| | | | | | | to the privsep process via imsg. This allows the keys to be moved out of the chroot (now /etc/ssl/server.crt, /etc/ssl/private/server.key). ok reyk@
* Improve logging to allow per- server/location log files. The logreyk2014-08-051-39/+64
| | | | | | | files can also be owned by root now: they're opened by the parent and send to the logger process with fd passing. This also works with reload. ok deraadt@
* Temporarily move the default location of the SSL/TLS server key andreyk2014-08-041-4/+7
| | | | | | | certificate from /var/www/ to /var/www/conf/. Don't get scared - this will be changed soon! They're currently located in the chroot directory but will be moved outside as soon as we adopted some of the key privsep from relayd in ressl/httpd.
* Proxy commit for jsing@:reyk2014-08-041-7/+221
| | | | | | | "Add TLS/SSL support to httpd, based on the recent ressl commits." From jsing@ ok reyk@
* Add initial support for log files in /var/www/logs/. Logging withreyk2014-08-041-10/+71
| | | | | | syslog is still supported but disabled by default. ok deraadt@
* httpd doesn't support SSL/TLS yet, remove the remaining bits.reyk2014-08-041-4/+1
| | | | The secrect plan is to add it later using the ressl wrapper library.
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.