| Age | Commit message (Collapse) | Author |
|---|
|
|
|
be in the right spot once tls_close() is handled by libevent.
suggested by jsing
|
|
In order to end a TLS connection regularly, an implementation MUST send a
close_notify alert. libtls does this in tls_close() via SSL_shutdown(),
so the socket had better still be open.
The incorrect order in server_close() caused a leak on each tls connection
due to a bug in libssl (fixed in tls_record_layer.c r1.56).
As pointed out by claudio, tls_close() should really be handled from the
main event loop. This will be addressed in a later commit.
ok claudio florian jsing
|
|
While there, use the length calculated by vasprintf() instead of using
strlen needlessly.
ok claudio florian
|
|
ok florian
|
|
before accessing anything in ifa_addr.
ok claudio@
|
|
from Edgar Pettijohn
ok kn
|
|
Diff by Matthias Pressfreund <mpfr @ fn de>. Thanks.
|
|
Found and fix by Matthias Pressfreund <mpfr @ fn de>. Thanks.
|
|
There is a soft fail mechanism to handle missing certs for seamless
interaction with acme-client. Move this to the config parser. This is
simpler than server.c r1.117 and avoids a crash due to listening on
port 443 without having set up the TLS context first. More precisely,
the crash happens if a server with missing certificate is visited via
https in a configuration where there is a second server with valid
certificate and key.
From Joshua Sing (joshua at hypera dot dev)
ok benno
|
|
ok jca@
|
|
ok millert florian
|
|
Update the httpd.conf(5) manual to reflect this. Initially prompted by a
question from tj and reminded by a diff from Navan Carson.
ok kn
|
|
|
|
This allows "fastcgi" directly inside of a server directive without
giving specifying socket.
OK tracey
|
|
remove redundant error message
tweaks and ok florian@
|
|
Lots of review time kn@
Lots of review time, tweaks, and ok florian@
|
|
from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks
ok claudio@
|
|
from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks
ok claudio@
|
|
from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks
ok claudio@
|
|
from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks
ok claudio@
|
|
from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks
ok claudio@
|
|
Found by Ross L Richardson, Thanks.
|
|
found by Ross L Richardson, thanks!
ok deraadt@
|
|
This came from a suggestion by Andras Farkas to replace use of
XHTML self-closing tags.
ok cwen@ danj@ florian@
|
|
Introduce a new "dark mode" for httpd(8) directory listings and error pages,
using the prefers-color-scheme css function. It uses the colorscheme already
used in OpenBSD project websites.
This version will only be displayed if the user's browser specifically sends
a "prefer darker themes if available" request.
Input from florian@, danj@ and clematis.
OK florian@, danj@ (on a previous version with the wrong background color)
|
|
configuration file.", but occasionally something else fit better; at the
same time, try to make the format for FILES more consistent;
original diff from clematis
|
|
|
|
Sometimes you want to redirect a request to another site but maintaining
the same type of connection (http or https) as the original request.
Allow a $REQUEST_SCHEME variable to be used in redirect locations to
allow this, e.g.
location "/cgi-bin/foobar*" { block return 302 "$REQUEST_SCHEME://foobar.example.org$REQUEST_URI" }
|
|
under /var/www for FastCGI servers.
From Nazar Zhuk (nazar AT zhuk DOT online), thanks!
Ok benno
|
|
section in the config, by moving the code down where the Host: header
has been read and the correct server configuration selected.
Note that it may not be that useful to have this option per server,
because it is valid to send requests with different Host: headers over
the same tcp connection.
problem noted and diff from Tracey Emery, thanks!
ok florian@
|
|
found by Clemens Goessnitzer, ok and prodded by florian@
|
|
OK deraadt
|
|
was reached. This is not what other servers are doing, it leads to
ugly log messages and might confuse some clients.
benno@ analyzed that the correct behavior is (probably) to send a 408
when we are in the middle of receiving headers and time out there and
just close the connection in all other cases.
In particular, if a connection gets opened and no request is received
at all just close the connection. If a connection is set to keep-alive
and a request was handled and no further request is coming in just
close the connection. The later is the usual cause for spurious log
messages and client confusion.
Reported over the years by many.
Input, explanations and OK benno
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
Add a QUERY_STRING_ENC macro that is URL encoded.
Patch from Tim Baumgartner
ok reyk
|
|
instead of the rewritten path and query string.
Patch from Tim Baumgard, reminded by Mischa Peters.
ok benno, reyk
|
|
|
|
by including the contents of the X-Forwarded-For and X-Forwarded-Port
headers. If httpd(8) runs behind a proxy like relayd(8), this allows
tracking the origin of the requests. The format is compatible with
log analyzers such as GoAccess and Webalizer.
Patch from Bruno Flueckiger
ok benno, reyk
|
|
When not logging anything, do not open files in the first place.
This prevents startup failures on configurations where the log/ directory
is missing but logging is disabled anyway.
OK aja solene reyk
|
|
lack of documentation and original diff provided by alfred morgan;
benno helped me track down the applicable options;
ok benno
|
|
thread
by alfred morgan, who wanted a tls example in the man page. florian noted
that they exist already in /etc/examples;
ok florian
|
|
This commit extends the existing grammar by adding the param option
to the fastcgi directive: fastcgi param name value.
Example usage:
fastcgi param VAR1 hello
fastcgi param VAR2 world
With help and OK florian@
Rogue manpage bits, feel free to modify them.
|
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
in the same way as the http authenticated username is loged.
From Karel Gardas, gardask at gmail dot com, Thanks!
ok florian@
|
|
addition to UNIX domain sockets.
Prompted by a mail from Daniel Gracia ( paladdin AT gmail ) pointing out
that we are not documenting TCP support at all, thanks!
Prodding by and with jmc@
|
|
available.
Assuming a httpd.conf based on /etc/examples/httpd.conf, httpd(8)
will only listen on port 80 and serve the acme-challenge directory
for acme-client(1).
The workflow to get a certificate then becomes
acme-client -vAD example.com && rcctl reload httpd
Without the need to edit the httpd.conf yet again. Once the cert
is in place and httpd is reloaded it starts to serve on port 443.
Idea, tweaks & OK deraadt, OK benno
|
|
Very patiently pointed out repeatedly by Tracey Emery ( tracey AT
traceyemery.net ), thanks!
OK benno
|
|
from Hiltjo Posthuma (hiltjo(at)codemadness.org)
|
|
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
