path: root/usr.sbin/httpd
Age  Commit message  [Author]
2020-10-29  Add location (found|not found) option to test for resource path existence.  [denis]
Diff by Matthias Pressfreund <mpfr @ fn de>. Thanks.
2020-10-26  Do not allow duplicate "location" directive.  [denis]
Found and fix by Matthias Pressfreund <mpfr @ fn de>. Thanks.
2020-10-11  Handle absence of TLS certs while parsing the config  [Theo Buehler]
There is a soft fail mechanism to handle missing certs for seamless interaction with acme-client. Move this to the config parser. This is simpler than server.c r1.117 and avoids a crash due to listening on port 443 without having set up the TLS context first. More precisely, the crash happens if a server with missing certificate is visited via https in a configuration where there is a second server with valid certificate and key. From Joshua Sing (joshua at hypera dot dev) ok benno
2020-09-21  Fix memory leak in "iov".  [tobhe]
ok jca@
2020-09-12  Use the original requested URI for REQUEST_URI.  [YASUOKA Masahiko]
ok millert florian
2020-09-05  httpd(8) uses TLSv1.3 and TLSv1.2 by default  [Theo Buehler]
Update the httpd.conf(5) manual to reflect this. Initially prompted by a question from tj and reminded by a diff from Navan Carson. ok kn
2020-08-29  typo; pointed out by Matthias (mpfr AT fn.de), thanks!  [Florian Obser]
2020-08-26  Set fastcgi socket default on server and location.  [Florian Obser]
This allows "fastcgi" directly inside of a server directive without specifying a socket. OK tracey
2020-08-25  check that fcgiport string value is within range  [tracey]
remove redundant error message tweaks and ok florian@
2020-08-24  Add support for non-localhost fastcgi sockets.  [tracey]
Lots of review time kn@ Lots of review time, tweaks, and ok florian@
2020-08-03  remove unused functions  [Sebastian Benoit]
from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
2020-08-03  remove another tautology  [Sebastian Benoit]
from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
2020-08-03  remove unused assignment  [Sebastian Benoit]
from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
2020-08-03  remove tautological condition  [Sebastian Benoit]
from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
2020-08-03  remove dead assignments  [Sebastian Benoit]
from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
2020-07-30  Remove the unused function canonicalize_host(), it was copied from relayd.  [Sebastian Benoit]
Found by Ross L Richardson, Thanks.
2020-07-25  remove unused enum key_type, copied initially from relays.  [Sebastian Benoit]
found by Ross L Richardson, thanks! ok deraadt@
2020-05-22  Use the simpler HTML5 idiom to declare charset in autogenerated pages.  [Anthony J. Bentley]
This came from a suggestion by Andras Farkas to replace use of XHTML self-closing tags. ok cwen@ danj@ florian@
2020-05-18  httpd: add a "dark mode" in directory listings and error pages  [cwen]
Introduce a new "dark mode" for httpd(8) directory listings and error pages, using the prefers-color-scheme css function. It uses the colorscheme already used in OpenBSD project websites. This version will only be displayed if the user's browser specifically sends a "prefer darker themes if available" request. Input from florian@, danj@ and clematis. OK florian@, danj@ (on a previous version with the wrong background color)
2020-05-16  list example files in FILES with a short description: generally, "Example  [Jason McIntyre]
configuration file.", but occasionally something else fit better; at the same time, try to make the format for FILES more consistent; original diff from clematis
2020-04-23  replace examples of "Ic arg Ic arg" with "Ic arg arg" and stop the spread;  [Jason McIntyre]
2020-02-25  httpd: allow $REQUEST_SCHEME in redirect targets, ok jung@ florian@  [Stuart Henderson]
Sometimes you want to redirect a request to another site but maintaining the same type of connection (http or https) as the original request. Allow a $REQUEST_SCHEME variable to be used in redirect locations to allow this, e.g.
    location "/cgi-bin/foobar*" {
        block return 302 "$REQUEST_SCHEME://foobar.example.org$REQUEST_URI"
    }
2020-02-09  Implement "strip" option for fastcgi to be able to have multiple chroots  [Florian Obser]
under /var/www for FastCGI servers. From Nazar Zhuk (nazar AT zhuk DOT online), thanks! Ok benno
2020-01-14  Pick the value for "max requests number" from the correct server {}  [Sebastian Benoit]
section in the config, by moving the code down where the Host: header has been read and the correct server configuration selected. Note that it may not be that useful to have this option per server, because it is valid to send requests with different Host: headers over the same tcp connection. problem noted and diff from Tracey Emery, thanks! ok florian@
2019-11-04  remove useless NULL check, it's checked 7 lines further up.  [Sebastian Benoit]
found by Clemens Goessnitzer, ok and prodded by florian@
2019-10-22  Do not log "(null)" in debug logging.  [Florian Obser]
OK deraadt
2019-10-14  httpd(8) sent a 408 response every time a connection request timeout  [Florian Obser]
was reached. This is not what other servers are doing, it leads to ugly log messages and might confuse some clients. benno@ analyzed that the correct behavior is (probably) to send a 408 when we are in the middle of receiving headers and time out there and just close the connection in all other cases. In particular, if a connection gets opened and no request is received at all just close the connection. If a connection is set to keep-alive and a request was handled and no further request is coming in just close the connection. The latter is the usual cause for spurious log messages and client confusion. Reported over the years by many. Input, explanations and OK benno
2019-06-28  When system calls indicate an error they return -1, not some arbitrary  [Theo de Raadt]
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-05-08  The QUERY_STRING macro is not actually URL encoded, so fix the manual.  [Theo Buehler]
Add a QUERY_STRING_ENC macro that is URL encoded. Patch from Tim Baumgartner ok reyk
2019-05-08  Set the REQUEST_URI CGI variable to the requested URI and query string  [Theo Buehler]
instead of the rewritten path and query string. Patch from Tim Baumgard, reminded by Mischa Peters. ok benno, reyk
2019-05-08  spacing  [Reyk Floeter]
2019-05-03  Add a "forwarded" log format that extends the "combined" log format  [Theo Buehler]
by including the contents of the X-Forwarded-For and X-Forwarded-Port headers. If httpd(8) runs behind a proxy like relayd(8), this allows tracking the origin of the requests. The format is compatible with log analyzers such as GoAccess and Webalizer. Patch from Bruno Flueckiger ok benno, reyk
2019-05-02  Avoid opening log files on "no log"  [kn]
When not logging anything, do not open files in the first place. This prevents startup failures on configurations where the log/ directory is missing but logging is disabled anyway. OK aja solene reyk
2019-04-16  document where multiline {} is applicable;  [Jason McIntyre]
lack of documentation and original diff provided by alfred morgan; benno helped me track down the applicable options; ok benno
2019-03-12  reference the /etc/examples files for httpd and acme-client. started from a  [Jason McIntyre]
thread by alfred morgan, who wanted a tls example in the man page. florian noted that they exist already in /etc/examples; ok florian
2019-02-19  httpd(8): add support for setting custom FastCGI parameters.  [Paul Irofti]
This commit extends the existing grammar by adding the param option to the fastcgi directive: fastcgi param name value.
Example usage:
    fastcgi param VAR1 hello
    fastcgi param VAR2 world
With help and OK florian@
Rogue manpage bits, feel free to modify them.
2019-02-13  (unsigned) means (unsigned int) which on ptrdiff_t or size_t or other  [Theo de Raadt]
larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
2019-02-10  log X509 peer's cert subject name when tls client authentication is used,  [Sebastian Benoit]
in the same way as the http authenticated username is logged. From Karel Gardas, gardask at gmail dot com, Thanks! ok florian@
2019-02-08  Improve fastcgi socket documentation and mention that TCP is supported in  [Florian Obser]
addition to UNIX domain sockets. Prompted by a mail from Daniel Gracia ( paladdin AT gmail ) pointing out that we are not documenting TCP support at all, thanks! Prodding by and with jmc@
2019-01-08  Allow httpd(8) to start when TLS is configured but a cert is not yet  [Florian Obser]
available. Assuming a httpd.conf based on /etc/examples/httpd.conf, httpd(8) will only listen on port 80 and serve the acme-challenge directory for acme-client(1). The workflow to get a certificate then becomes
    acme-client -vAD example.com && rcctl reload httpd
Without the need to edit the httpd.conf yet again. Once the cert is in place and httpd is reloaded it starts to serve on port 443. Idea, tweaks & OK deraadt, OK benno
2018-12-04  Check maxrequestbody when we found the right server / location.  [Florian Obser]
Very patiently pointed out repeatedly by Tracey Emery ( tracey AT traceyemery.net ), thanks! OK benno
2018-11-04  isalpha(3) requires an unsigned char value (or -1).  [Philip Guenther]
from Hiltjo Posthuma (hiltjo(at)codemadness.org)
2018-11-01  - odd condition/test in PF lexer  [Alexandr Nedvedicky]
(and other lexers too) This commit rectifies earlier change: in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). OK deraadt@, OK millert@
2018-10-15  Omit HSTS headers over unencrypted connections, per RFC 6797.  [Anthony J. Bentley]
ok florian@
2018-10-11  Backout my previous commit:  [Sebastian Benoit]
    date: 2018/10/01 19:24:09; author: benno; state: Exp; lines: +7 -1; commitid: 0O8fyHPNvPd8rvYU;
    Only send 408 Timeout responses when we have seen at least part of a request. Without a request, just close the connection when we hit request timeout.
    Prompted by a bug report from Nikola Kolev, thanks.
    ok reyk@ and some suggestions from claudio@ and bluhm@
Mark Patruck (mark AT wrapped DOT cx) found a problem with it, thanks for the report. ok reyk@ bluhm@ sthen@ deraadt@
2018-10-01  Only send 408 Timeout responses when we have seen at least part of a  [Sebastian Benoit]
request. Without a request, just close the connection when we hit request timeout. Prompted by a bug report from Nikola Kolev, thanks. ok reyk@ and some suggestions from claudio@ and bluhm@
2018-09-09  During the fork+exec implementation, daemon(3) was moved after  [Alexander Bluhm]
proc_init(). As a consequence httpd(8) and relayd(8) child processes did not detach from the terminal anymore. Dup /dev/null to the stdio file descriptors in the children. OK benno@
2018-09-07  Do not send a Content-Length header for 1xx and 204 status codes since  [Florian Obser]
RFC 7230 states that a server MUST NOT do so. At least relayd chokes on this. Pointed out & diff by Carlin Bingham (cb AT walcyrge.org), thanks! OK benno
2018-09-07  replace malloc()+strlcpy() with strndup() in cmdline_symset().  [miko]
"looks good" gilles@ halex@
2018-08-19  double the allowed length for the 'tls ciphers' option  [Jasper Lievisse Adriaanse]
for example now it can hold the recommended cipher list from the mozilla ssl config generator rather than failing with a "ciphers too long" error. ok benno@ sthen@ tb@