mix 'listen * port 80' and 'listen * tls port 443' in one server block.
Also the last argument of server_tls_cmp - match_keypair - is always 0
so remove this code.
OK florian@ tb@ some long time ago
|
|
ok tb@
|
|
A server configuration yields multiple struct server_config in the
env->sc_servers queue: an actual server ("parent") and one for each
location directive in httpd.conf. In parent_configure(), the parents
are configured first, then the corresponding locations.
parse.y r1.118 kills the parent if an error is encountered on loading
the TLS keypairs but leaves the locations in the sc_servers queue.
When running the default config without TLS keys already in place, this
then leads to the self-explanatory "invalid location" error message. Its
intention is to indicate the unexpected situation that config_setserver()
encounters a location without an associated server.
Fix this by not only destroying the parent but also removing all of its
locations.
ok jsing
|
|
before accessing anything in ifa_addr.
ok claudio@
|
|
from Edgar Pettijohn
ok kn
|
|
Diff by Matthias Pressfreund <mpfr @ fn de>. Thanks.
|
|
Found and fixed by Matthias Pressfreund <mpfr @ fn de>. Thanks.
|
|
There is a soft fail mechanism to handle missing certs for seamless
interaction with acme-client. Move this to the config parser. This is
simpler than server.c r1.117 and avoids a crash due to listening on
port 443 without having set up the TLS context first. More precisely,
the crash happens if a server with missing certificate is visited via
https in a configuration where there is a second server with valid
certificate and key.
From Joshua Sing (joshua at hypera dot dev)
ok benno
|
|
This allows "fastcgi" directly inside of a server directive without
specifying a socket.
OK tracey
|
|
remove redundant error message
tweaks and ok florian@
|
|
Lots of review time kn@
Lots of review time, tweaks, and ok florian@
|
|
under /var/www for FastCGI servers.
From Nazar Zhuk (nazar AT zhuk DOT online), thanks!
Ok benno
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
|
|
by including the contents of the X-Forwarded-For and X-Forwarded-Port
headers. If httpd(8) runs behind a proxy like relayd(8), this allows
tracking the origin of the requests. The format is compatible with
log analyzers such as GoAccess and Webalizer.
Patch from Bruno Flueckiger
ok benno, reyk
|
|
This commit extends the existing grammar by adding the param option
to the fastcgi directive: fastcgi param name value.
Example usage:
    fastcgi param VAR1 hello
    fastcgi param VAR2 world
With help and OK florian@
Rogue manpage bits, feel free to modify them.
|
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
available.
Assuming a httpd.conf based on /etc/examples/httpd.conf, httpd(8)
will only listen on port 80 and serve the acme-challenge directory
for acme-client(1).
The workflow to get a certificate then becomes
acme-client -vAD example.com && rcctl reload httpd
Without the need to edit the httpd.conf yet again. Once the cert
is in place and httpd is reloaded it starts to serve on port 443.
Idea, tweaks & OK deraadt, OK benno
|
|
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
|
"looks good" gilles@ halex@
|
|
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.
ok henning@
|
|
calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
|
For example:
    location match "/page/(%d+)/.*" {
        request rewrite "/static/index.php?id=%1&$QUERY_STRING"
    }
Requested by many.
Ok benno@
|
|
"root strip" was semantically incorrect and did cause some confusion
as it never stripped the root but the client's request path.
Discussed with many. Heads up: this is a grammar change that also
affects acme-client(1) configurations (see current.html).
OK claudio@
|
|
Spotted by benno@
|
|
Thanks to otto@ for the initial diff.
OK benno@
|
|
Otherwise the default port for http or https may be used depending on
uninitialized memory. Fixes regress on i386.
OK reyk@
|
|
From Jack Burton <jack at saosce dot com dot au> - thanks!
Also tested by Jan Klemkow <j.klemkow at wemelug dot de>.
ok beck@ reyk@
|
|
No functional change, but it makes it easier to deal with the grammar.
|
|
|
|
OK florian@ jmc@
|
|
ok benno@
|
|
"listen on * port 80".
While here accept up to 16 addresses from DNS or interface groups.
requested by & "lovely" deraadt@
OK kn@
|
|
Off-by-one pointed out by and diff from Kris Katterjohn katterjohn AT
gmail, thanks!
chris@ pointed out that more than httpd(8) is affected.
OK gilles@
|
|
to be specified, rather than a single curve.
ok beck@
|
|
tls ticket lifetime default
to turn it on with a 2h ticket lifetime.
Rekeying happens after a quarter of that time.
OK reyk@ and bob@
|
|
|
|
ok jmc@
|
|
modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
|
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
|
and this way we can give a separate specific error message.
ok beck@ reyk@
|
|
ok jsing@
|
|
ok jsing@ bcook@
|
|
variable and limit it from 128 to 32 instances (the old value).
While here, move a few PROC_ defines around.
OK rzalamena@
|
|
ok reyk@
|
|
which is actually the same thing (cluebat from reyk@).
|
|
not allow TLS and non-TLS to be configured on the same port, do not allow
TLS options to be specified without a TLS listener and ensure that the TLS
options are the same when a server is specified on the same address/port.
Currently, these configurations are permitted but do not work as intended.
Also factor out and reuse the server matching code, which was previously
duplicated.
ok reyk@
|
|
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@
|
|
include the process name, and replace all calls of fatal*(NULL) with
fatal(__func__) for better debugging.
OK benno@
|
|
ok millert krw
|