path: root/usr.sbin/httpd
Commit message | Author | Age | Files | Lines
* A socket buffer is not the best size to read from a disk. | otto | 2021-03-16 | 1 | -6/+9
  Use st_blksize to set high water mark; florian@
* these programs (with common ancestry) had a -fno-common problem related | deraadt | 2021-01-27 | 3 | -6/+11
  to privsep_procid. ok mortimer
* fix a memory leak, found by rob@ in relayd. | benno | 2021-01-22 | 1 | -1/+2
  ok tb@
* Fix httpd example config | tb | 2021-01-18 | 1 | -1/+19
  A server configuration yields multiple struct server_config in the env->sc_servers queue: an actual server ("parent") and one for each location directive in httpd.conf. In parent_configure(), the parents are configured first, then the corresponding locations. parse.y r1.118 kills the parent if an error is encountered on loading the TLS keypairs but leaves the locations in the sc_servers queue. When running the default config without TLS keys already in place, this then leads to the self-explanatory "invalid location" error message. Its intention is to indicate the unexpected situation that config_setserver() encounters a location without an associated server. Fix this by not only destroying the parent but also removing all of its locations. ok jsing
* unwrap a line | tb | 2021-01-05 | 1 | -3/+2
* Pull tls_close() and tls_free() further up, so tls_free() will already | tb | 2021-01-02 | 1 | -6/+6
  be in the right spot once tls_close() is handled by libevent. suggested by jsing
* Call tls_close() before closing the underlying socket | tb | 2021-01-02 | 1 | -5/+7
  In order to end a TLS connection regularly, an implementation MUST send a close_notify alert. libtls does this in tls_close() via SSL_shutdown(), so the socket had better still be open. The incorrect order in server_close() caused a leak on each tls connection due to a bug in libssl (fixed in tls_record_layer.c r1.56). As pointed out by claudio, tls_close() should really be handled from the main event loop. This will be addressed in a later commit. ok claudio florian jsing
* Don't leak the log message in server_sendlog | tb | 2020-12-31 | 1 | -2/+4
  While there, use the length calculated by vasprintf() instead of using strlen needlessly. ok claudio florian
* Don't leak access.log and error.log on reload. | tb | 2020-12-31 | 1 | -1/+2
  ok florian
* getifaddrs() can return entries where ifa_addr is NULL. Check for this | benno | 2020-12-30 | 1 | -2/+3
  before accessing anything in ifa_addr. ok claudio@
* remove an unused struct | jung | 2020-11-20 | 1 | -5/+1
  from Edgar Pettijohn ok kn
* Add location (found|not found) option to test for resource path existence. | denis | 2020-10-29 | 4 | -21/+92
  Diff by Matthias Pressfreund <mpfr @ fn de>. Thanks.
* Do not allow duplicate "location" directive. | denis | 2020-10-26 | 1 | -2/+5
  Found and fix by Matthias Pressfreund <mpfr @ fn de>. Thanks.
* Handle absence of TLS certs while parsing the config | tb | 2020-10-11 | 2 | -15/+11
  There is a soft fail mechanism to handle missing certs for seamless interaction with acme-client. Move this to the config parser. This is simpler than server.c r1.117 and avoids a crash due to listening on port 443 without having set up the TLS context first. More precisely, the crash happens if a server with missing certificate is visited via https in a configuration where there is a second server with valid certificate and key. From Joshua Sing (joshua at hypera dot dev) ok benno
* Fix memory leak in "iov". | tobhe | 2020-09-21 | 1 | -1/+3
  ok jca@
* Use the original requested URI for REQUEST_URI. | yasuoka | 2020-09-12 | 3 | -7/+14
  ok millert florian
* httpd(8) uses TLSv1.3 and TLSv1.2 by default | tb | 2020-09-05 | 1 | -6/+4
  Update the httpd.conf(5) manual to reflect this. Initially prompted by a question from tj and reminded by a diff from Navan Carson. ok kn
* typo; pointed out by Matthias (mpfr AT fn.de), thanks! | florian | 2020-08-29 | 1 | -2/+2
* Set fastcgi socket default on server and location. | florian | 2020-08-26 | 3 | -24/+20
  This allows "fastcgi" directly inside of a server directive without giving specifying socket. OK tracey
* check that fcgiport string value is within range | tracey | 2020-08-25 | 1 | -5/+11
  remove redundant error message tweaks and ok florian@
* Add support for non-localhost fastcgi sockets. | tracey | 2020-08-24 | 5 | -54/+103
  Lots of review time kn@ Lots of review time, tweaks, and ok florian@
* remove unused functions | benno | 2020-08-03 | 2 | -65/+2
  from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
* remove another tautology | benno | 2020-08-03 | 1 | -3/+2
  from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
* remove unused assignment | benno | 2020-08-03 | 1 | -2/+2
  from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
* remove tautological condition | benno | 2020-08-03 | 1 | -2/+2
  from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
* remove dead assignments | benno | 2020-08-03 | 1 | -6/+1
  from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
* Remove the unused function canonicalize_host(), it was copied from relayd. | benno | 2020-07-30 | 2 | -56/+2
  Found by Ross L Richardson, Thanks.
* remove unused enum key_type, copied initially from relays. | benno | 2020-07-25 | 1 | -13/+1
  found by Ross L Richardson, thanks! ok deraadt@
* Use the simpler HTML5 idiom to declare charset in autogenerated pages. | bentley | 2020-05-22 | 2 | -6/+4
  This came from a suggestion by Andras Farkas to replace use of XHTML self-closing tags. ok cwen@ danj@ florian@
* httpd: add a "dark mode" in directory listings and error pages | cwen | 2020-05-18 | 2 | -4/+11
  Introduce a new "dark mode" for httpd(8) directory listings and error pages, using the prefers-color-scheme css function. It uses the colorscheme already used in OpenBSD project websites. This version will only be displayed if the user's browser specifically sends a "prefer darker themes if available" request. Input from florian@, danj@ and clematis. OK florian@, danj@ (on a previous version with the wrong background color)
* list example files in FILES with a short description: generally, "Example | jmc | 2020-05-16 | 1 | -2/+7
  configuration file.", but occasionally something else fit better; at the same time, try to make the format for FILES more consistent; original diff from clematis
* replace examples of "Ic arg Ic arg" with "Ic arg arg" and stop the spread; | jmc | 2020-04-23 | 1 | -3/+3
* httpd: allow $REQUEST_SCHEME in redirect targets, ok jung@ florian@ | sthen | 2020-02-25 | 2 | -4/+17
  Sometimes you want to redirect a request to another site but maintaining the same type of connection (http or https) as the original request. Allow a $REQUEST_SCHEME variable to be used in redirect locations to allow this, e.g.

  location "/cgi-bin/foobar*" {
          block return 302 "$REQUEST_SCHEME://foobar.example.org$REQUEST_URI"
  }
* Implement "strip" option for fastcgi to be able to have multiple chroots | florian | 2020-02-09 | 4 | -8/+23
  under /var/www for FastCGI servers. From Nazar Zhuk (nazar AT zhuk DOT online), thanks! Ok benno
* Pick the value for "max requests number" from the correct server {} | benno | 2020-01-14 | 1 | -8/+8
  section in the config, by moving the code down where the Host: header has been read and the correct server configuration selected. Note that it may not be that useful to have this option per server, because it is valid to send requests with different Host: headers over the same tcp connection. problem noted and diff from Tracey Emery, thanks! ok florian@
* remove useless NULL check, it's checked 7 lines further up. | benno | 2019-11-04 | 1 | -4/+1
  found by Clemens Goessnitzer, ok and prodded by florian@
* Do not log "(null)" in debug logging. | florian | 2019-10-22 | 1 | -2/+3
  OK deraadt
* httpd(8) sent a 408 response every time a connection request timeout | florian | 2019-10-14 | 1 | -2/+5
  was reached. This is not what other servers are doing, it leads to ugly log messages and might confuse some clients. benno@ analyzed that the correct behavior is (probably) to send a 408 when we are in the middle of receiving headers and time out there and just close the connection in all other cases. In particular, if a connection gets opened and no request is received at all just close the connection. If a connection is set to keep-alive and a request was handled and no further request is coming in just close the connection. The latter is the usual cause for spurious log messages and client confusion. Reported over the years by many. Input, explanations and OK benno
* When system calls indicate an error they return -1, not some arbitrary | deraadt | 2019-06-28 | 2 | -5/+5
  value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
* The QUERY_STRING macro is not actually URL encoded, so fix the manual. | tb | 2019-05-08 | 2 | -5/+19
  Add a QUERY_STRING_ENC macro that is URL encoded. Patch from Tim Baumgartner ok reyk
* Set the REQUEST_URI CGI variable to the requested URI and query string | tb | 2019-05-08 | 3 | -15/+22
  instead of the rewritten path and query string. Patch from Tim Baumgard, reminded by Mischa Peters. ok benno, reyk
* spacing | reyk | 2019-05-08 | 5 | -15/+16
* Add a "forwarded" log format that extends the "combined" log format | tb | 2019-05-03 | 4 | -12/+64
  by including the contents of the X-Forwarded-For and X-Forwarded-Port headers. If httpd(8) runs behind a proxy like relayd(8), this allows tracking the origin of the requests. The format is compatible with log analyzers such as GoAccess and Webalizer. Patch from Bruno Flueckiger ok benno, reyk
* Avoid opening log files on "no log" | kn | 2019-05-02 | 1 | -2/+2
  When not logging anything, do not open files in the first place. This prevents startup failures on configurations where the log/ directory is missing but logging is disabled anyway. OK aja solene reyk
* document where multiline {} is applicable; | jmc | 2019-04-16 | 1 | -3/+10
  lack of documentation and original diff provided by alfred morgan; benno helped me track down the applicable options; ok benno
* reference the /etc/examples files for httpd and acme-client. started from a thread | jmc | 2019-03-12 | 1 | -2/+11
  by alfred morgan, who wanted a tls example in the man page. florian noted that they exist already in /etc/examples; ok florian
* httpd(8): add support for setting custom FastCGI parameters. | pirofti | 2019-02-19 | 6 | -10/+180
  This commit extends the existing grammar by adding the param option to the fastcgi directive: fastcgi param name value. Example usage:

  fastcgi param VAR1 hello
  fastcgi param VAR2 world

  With help and OK florian@ Rogue manpage bits, feel free to modify them.
* (unsigned) means (unsigned int) which on ptrdiff_t or size_t or other | deraadt | 2019-02-13 | 1 | -3/+3
  larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
* log X509 peer's cert subject name when tls client authentication is used, | benno | 2019-02-10 | 1 | -2/+9
  in the same way as the http authenticated username is logged. From Karel Gardas, gardask at gmail dot com, Thanks! ok florian@
* Improve fastcgi socket documentation and mention that TCP is supported in | florian | 2019-02-08 | 1 | -3/+12
  addition to UNIX domain sockets. Prompted by a mail from Daniel Gracia ( paladdin AT gmail ) pointing out that we are not documenting TCP support at all, thanks! Prodding by and with jmc@