From f1ec9f27dcb97e5686ea8a0fcfa78db33ab9ea1a Mon Sep 17 00:00:00 2001 From: Steffen Nurpmeso Date: Mon, 8 Aug 2022 18:12:45 +0200 Subject: [PATCH] lighttpd: 1.4.66 --- lighttpd/.signature | 8 ++--- lighttpd/Pkgfile | 2 +- lighttpd/lighttpd.conf | 72 ++++++++++++++++++++++++++++++++---------- 3 files changed, 60 insertions(+), 22 deletions(-) diff --git a/lighttpd/.signature b/lighttpd/.signature index d7908922f..199a854c7 100644 --- a/lighttpd/.signature +++ b/lighttpd/.signature @@ -1,8 +1,8 @@ untrusted comment: verify with /etc/ports/contrib.pub -RWSagIOpLGJF30xypBkXqO+e+nsWZ2Yev3pjAh+ejt3A4d419W7b9B/s00ineT8XmyioAhRQvYoUZUbGgJ4z1QvoR6wpBmvSBAI= -SHA256 (Pkgfile) = ff3604e107979c835c69016fc65a4052e94ae715d28d2393a19386362574aa49 +RWSagIOpLGJF32tBrBsYYoh4GxQ5Oo7dG0oL0ljy9ounh0ogoIRJ77jdH7L/MDN5oY9NIl+B+jgYO5tYp6IxXa6LqdVA2Yex1gM= +SHA256 (Pkgfile) = 261026e84dff39382dd5875a1a8aad551a0f60cef6296c0bff09300f8140ea1b SHA256 (.footprint) = e7d6f627943ee66508700aa687a9441be5c271038d1ae094cc68f1c9e55df362 -SHA256 (lighttpd-1.4.65.tar.xz) = bf0fa68a629fbc404023a912b377e70049331d6797bcbb4b3e8df4c3b42328be +SHA256 (lighttpd-1.4.66.tar.xz) = 47ac6e60271aa0196e65472d02d019556dc7c6d09df3b65df2c1ab6866348e3b SHA256 (lighttpd.rc) = b96a244cb1bd3222e76bf4c9954da0c13225109c99e2d406de76a3d231bbb362 -SHA256 (lighttpd.conf) = 5b3206d9b83328a6e376eef7b3f44d268e74fa86a523c8c90b65561436569c34 +SHA256 (lighttpd.conf) = 2403f1c60d6bc801337c50eb44474b1707c93323db5bc224769fb96b635597ae SHA256 (post-install) = 21c61212d525b0e4e08dd245825957c395c12747f2e29dc7d664067ceac9b3e8 diff --git a/lighttpd/Pkgfile b/lighttpd/Pkgfile index 918ed5436..864699100 100644 --- a/lighttpd/Pkgfile +++ b/lighttpd/Pkgfile @@ -4,7 +4,7 @@ # Depends on: libpcre2 lua bzip2 linux-pam openssl zlib zstd name=lighttpd -version=1.4.65 +version=1.4.66 release=1 source=( https://download.${name}.net/${name}/releases-1.4.x/${name}-${version}.tar.xz 
diff --git a/lighttpd/lighttpd.conf b/lighttpd/lighttpd.conf index 55980c822..7169f315b 100644 --- a/lighttpd/lighttpd.conf +++ b/lighttpd/lighttpd.conf @@ -15,13 +15,15 @@ server.username = "lighttpd" server.groupname = "lighttpd" server.document-root = var.basedir + "/htdocs" server.pid-file = "/run/lighttpd.pid" -#server.breakagelog = "/tmp/cgibreak" # var.logdir + "/error.log" +#server.syslog-facility = "ftp" # log errors to syslog instead #server.errorlog-use-syslog = "enable" #debug.log-request-handling = "enable" server.errorlog = var.logdir + "/error.log" -server.indexfiles = ("index.html") # "index.php", "index.htm"...) -# server.tag = "lighttpd" # how server announces itself +# "index.php", "index.htm"...) +server.indexfiles = ("index.html") +# how server announces itself +# server.tag = "lighttpd" server.follow-symlink = "enable" server.event-handler = "linux-sysepoll" # Enable HTTP/2 @@ -40,6 +42,8 @@ server.feature-flags += ( # NOTE: the order of modules is important. server.modules = ( +# "mod_auth", +# "mod_authn_file", "mod_openssl", "mod_redirect", "mod_rewrite", @@ -53,11 +57,14 @@ server.modules = ( ) mimetype.assign = ( # {{{ + ".tar.bz2" => "application/x-gtar-compressed", + ".tar.gz" => "application/x-gtar-compressed", ".cbor" => "application/cbor", ".efi" => "application/efi", ".epub" => "application/epub+zip", ".gz" => "application/gzip", ".tgz" => "application/gzip", + ".js" => "application/javascript", ".json" => "application/json", ".json-patch" => "application/json-patch+json", ".mbox" => "application/mbox", @@ -352,7 +359,6 @@ mimetype.assign = ( # {{{ ".htm" => "text/html", ".html" => "text/html", ".sandboxed" => "text/html-sandboxed", - ".js" => "text/javascript", ".cnd" => "text/jcr-cnd", ".markdown" => "text/markdown; charset=utf-8", ".md" => "text/markdown; charset=utf-8", 
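Review bot: Moving `".js"` from `text/javascript` to `application/javascript` in `mimetype.assign` takes JavaScript out of compression, because `deflate.mimetypes = ("text/", "application/x-tar")` further down this file matches by type prefix. RFC 9239 also makes `text/javascript` the registered type and marks `application/javascript` obsolete. I would keep the old `".js" => "text/javascript",` entry, or add `"application/javascript"` to `deflate.mimetypes` if the change is deliberate.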
@@ -440,20 +446,25 @@ mimetype.assign = ( # {{{ # which extensions should not be handled via static-file transfer # (extensions that are usually handled by mod_cgi, mod_fastcgi, etc). +# ,".php", ".pl", ".cgi", ".fcgi") static-file.exclude-extensions = (".cgi") accesslog.filename = var.logdir + "/access.log" #accesslog.use-syslog = "enable" -accesslog.format = "%t %V:%p <%s> %h I=%I O=%O T=%T : \"%r\"" +accesslog.format = "%V:%p <%s> %h I=%I O=%O T=%T : \"%r\"" # CGI stderr etc. +#server.breakagelog = "/tmp/cgibreak" # var.logdir + "/error.log" cgi.x-sendfile = "enable" deflate.cache-dir = var.statedir + "/deflate" deflate.mimetypes = ("text/", "application/x-tar") deflate.allowed-encodings = ("gzip", "zstd") +deflate.max-compress-size = 0 # in KB +deflate.min-compress-size = 256 # in Bytes +deflate.max-loadavg = "5.00" # loadavg above which deflate temporarily stops -url.access-deny = (".php", ".inc") +url.access-deny = ("~", ".php", ".inc") # Do not give access to /server-status page do non-local addresses #$HTTP["remoteip"] !~ "10\..*|192\.168\..*|127\..*" { # url.access-deny = ("/server-status") @@ -468,6 +479,7 @@ ssl.disable-client-renegotiation = "enable" # ssl.pemfile = "/etc/letsencrypt/config/certs/HOST.DOM/key_and_cert.pem" # ssl.ca-file = "/etc/letsencrypt/config/certs/HOST.DOM/fullchain.pem" # ssl.dh-file = "/etc/letsencrypt/config/certs/HOST.DOM/dhparam2048.pem" +# # Need something for older OpenSSL (MacOS Lion, 2014!) # ssl.cipher-list = "TLSv1.3:TLSv1.2:!aNULL:!eNULL:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:@STRENGTH" # # These three are deprecated # ssl.use-sslv2 = "disable" 
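Review bot: The new `accesslog.format` drops the leading `%t`, so lines written to `var.logdir + "/access.log"` no longer carry a request time. `accesslog.use-syslog` stays commented out, so nothing visible here stamps them. Without per-request times the access log cannot be lined up with the error log or with other hosts during incident handling. I would put `%t` back at the front of the format string, or add a comment naming the component that timestamps the lines. Separately, `deflate.max-compress-size = 0` appears to lift the upper size limit for compression (to be confirmed against the mod_deflate documentation), so the comment could say `# in KB, 0 = no limit; CPU cost bounded by deflate.max-loadavg only`.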
@@ -485,9 +497,8 @@ ssl.disable-client-renegotiation = "enable" # $HTTP["url"] =~ ".+\.html\/.*" { # url.redirect = ("^/?(.*)$" => "http://www.HOST.DOM/") # } -# $HTTP["url"] =~ "^/\.well-known/acme-challenge" { -# url.access-deny = ("config") -# alias.url = ("/.well-known/acme-challenge" => "/etc/letsencrypt") +# $HTTP["url"] =~ "^/\.well-known" { +# url.redirect = ("(.*)" => "https://www.HOST.DOM$1") # } #} #$SERVER["socket"] == ":443" { @@ -495,9 +506,17 @@ ssl.disable-client-renegotiation = "enable" # $HTTP["url"] =~ ".+\.html\/.*" { # url.redirect = ("^/?(.*)$" => "https://www.HOST.DOM/") # } +# $HTTP["url"] =~ "^/\.well-known" { +# alias.url = ("/.well-known" => "/etc/lighttpd/well-known") +# } +# $HTTP["url"] =~ "^/\.well-known/acme-challenge(/*)?" { +# url.access-deny = ("config") +# alias.url = ("/.well-known/acme-challenge" => "/etc/letsencrypt") +# } #} -#$HTTP["host"] =~ "^download\.HOST\.DOM" { +# Download area +#$HTTP["host"] =~ "^ftp\.HOST\.DOM" { # url.rewrite-once = ( # "^(/.well-known/.+)" => "$1", # "^/?(style\.css|favicon\.ico)$" => "/$1", @@ -513,7 +532,7 @@ ssl.disable-client-renegotiation = "enable" # Serve git.HOST.DOM/scm for git access /browse for gitweb browsing. # Note that all the gitweb static/ files must reside in htdocs with this config # and all git repositories must be in /var/git to which server needs access -# /etc/gitweb-common.conf: + # /etc/gitweb-common.conf: ##read_config_file("gitweb_config.perl"); #our $projectroot = $ENV{'GITWEB_PROJECTROOT'} || "/pub/git"; #our $project_maxdepth = 1; 
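Review bot: In the commented `:443` example, `alias.url = ("/.well-known/acme-challenge" => "/etc/letsencrypt")` maps the whole Let's Encrypt tree under the challenge URL. `url.access-deny = ("config")` only rejects request paths that end in `config`; it does not cover files below a `config/` directory. The `ssl.pemfile` example in this same file keeps `key_and_cert.pem` under `/etc/letsencrypt/config/certs/`, so the key would be protected only by file permissions for the `lighttpd` user. I would alias a directory that holds nothing but challenge tokens, for example `alias.url = ("/.well-known/acme-challenge" => "/etc/letsencrypt/acme-challenge")` (path constructed for illustration), and then drop the deny rule. The block is carried over unchanged from the port-80 section, so the exposure predates this commit.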
@@ -546,17 +565,31 @@ ssl.disable-client-renegotiation = "enable" #$feature{timed}{default} = [1]; #$feature{extra-branch-refs}{default} = ['stable','release']; #$HTTP["host"] =~ "^git\.HOST\.DOM" { -# url.rewrite-once = ("^/?$" => "/browse") +# url.rewrite-once = ( +# "^/?$" => "/browse", +# "^/(\?.*)$" => "/browse/$1" +# ) +## $HTTP["url"] =~ "^/cgit(/.*)?$" { +## url.redirect = ("^/cgit(.*)$" => "/browse$1") +## } # $HTTP["url"] =~ "^/browse(/.*)?$" { -# accesslog.format = "%V:%p <%s> %h I=%I O=%O T=%T GW" -# alias.url = ("/browse" => "/usr/share/gitweb/gitweb.cgi") +# accesslog.format = "%V:%p <%s> %h T=%T GW" +## alias.url = ("/browse" => "/usr/share/gitweb/gitweb.cgi") +# alias.url = ("/browse" => "/usr/share/webapps/cgit/cgit") +# auth.require = ("" => ( +# "method" => "basic", +# "realm" => "user is moon, password is mars", +# "require" => "valid-user")) +# auth.backend = "plain" +# # echo 'moon:mars' > /etc/lighttpd/cgit-access.conf +# auth.backend.plain.userfile = "/etc/lighttpd/cgit-access.conf" # cgi.assign = ("" => "") -# connection.kbytes-per-second = 32 +# connection.kbytes-per-second = 16 # expire.url = ("" => "access plus 0 seconds") -# server.max-keep-alive-requests = 3 +# server.max-keep-alive-requests = 1 # setenv.add-environment = ( -# "PERL5OPT" => "-C", # "GITWEB_PROJECTROOT" => "/var/git" +# "CGIT_CONFIG" => "/var/git/.cgitrc" # ) # # Funny people try to access /browse via git, redirect them # url.redirect = ( @@ -566,6 +599,7 @@ ssl.disable-client-renegotiation = "enable" # ) # } # $HTTP["url"] =~ "^/scm" { +# accesslog.format = "%V:%p <%s> %h T=%T SCM" # alias.url = ("/scm" => "/usr/libexec/git-core/git-http-backend") # cgi.assign = ("" => "") # server.max-keep-alive-requests = 1 @@ -599,6 +633,7 @@ ssl.disable-client-renegotiation = "enable" # } #} +# WWW #$HTTP["host"] =~ "^(www\.)?HOST\.DOM" { # url.rewrite-once = ("^/downloads/?(.*)?$" => "/downloads/$1") # $HTTP["url"] =~ "^/downloads(.*)?$" { 
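Review bot: In the `setenv.add-environment` list, the kept line `"GITWEB_PROJECTROOT" => "/var/git"` has no trailing comma before the added `"CGIT_CONFIG" => "/var/git/.cgitrc"`, so the block will not parse once it is uncommented. Add the comma or drop the gitweb variable. The new `auth.require` block also depends on `mod_auth` and `mod_authn_file`, which this commit adds to `server.modules` only as comments; a line such as `# needs mod_auth and mod_authn_file in server.modules` next to it would make that visible. The realm string publishes the credentials and `auth.backend = "plain"` keeps them in clear text, so this is presumably meant to deter crawlers and not to control access. A comment such as `# credentials are public on purpose; not access control, do not reuse` would stop the example from being copied as real protection.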
@@ -609,6 +644,9 @@ ssl.disable-client-renegotiation = "enable" # $HTTP["url"] =~ "^/browse(/.*)?$" { # url.redirect = ("^/?(.*)$" => "https://git.HOST.DOM/$1") # } +# $HTTP["url"] =~ "^/cgit(/.*)?$" { +# url.redirect = ("^/?(.*)$" => "https://git.HOST.DOM/$1") +# } # $HTTP["url"] =~ "^/ftp" { # url.redirect = ("^/ftp(/.*)?$" => "https://ftp.HOST.DOM$1") # }