lighttpd: 1.4.66

lighttpd/.signature

@@ -1,8 +1,8 @@
 untrusted comment: verify with /etc/ports/contrib.pub
-RWSagIOpLGJF30xypBkXqO+e+nsWZ2Yev3pjAh+ejt3A4d419W7b9B/s00ineT8XmyioAhRQvYoUZUbGgJ4z1QvoR6wpBmvSBAI=
-SHA256 (Pkgfile) = ff3604e107979c835c69016fc65a4052e94ae715d28d2393a19386362574aa49
+RWSagIOpLGJF32tBrBsYYoh4GxQ5Oo7dG0oL0ljy9ounh0ogoIRJ77jdH7L/MDN5oY9NIl+B+jgYO5tYp6IxXa6LqdVA2Yex1gM=
+SHA256 (Pkgfile) = 261026e84dff39382dd5875a1a8aad551a0f60cef6296c0bff09300f8140ea1b
 SHA256 (.footprint) = e7d6f627943ee66508700aa687a9441be5c271038d1ae094cc68f1c9e55df362
-SHA256 (lighttpd-1.4.65.tar.xz) = bf0fa68a629fbc404023a912b377e70049331d6797bcbb4b3e8df4c3b42328be
+SHA256 (lighttpd-1.4.66.tar.xz) = 47ac6e60271aa0196e65472d02d019556dc7c6d09df3b65df2c1ab6866348e3b
 SHA256 (lighttpd.rc) = b96a244cb1bd3222e76bf4c9954da0c13225109c99e2d406de76a3d231bbb362
-SHA256 (lighttpd.conf) = 5b3206d9b83328a6e376eef7b3f44d268e74fa86a523c8c90b65561436569c34
+SHA256 (lighttpd.conf) = 2403f1c60d6bc801337c50eb44474b1707c93323db5bc224769fb96b635597ae
 SHA256 (post-install) = 21c61212d525b0e4e08dd245825957c395c12747f2e29dc7d664067ceac9b3e8

lighttpd/Pkgfile

@@ -4,7 +4,7 @@
 # Depends on:  libpcre2 lua   bzip2 linux-pam openssl zlib zstd
 
 name=lighttpd
-version=1.4.65
+version=1.4.66
 release=1
 source=(
   https://download.${name}.net/${name}/releases-1.4.x/${name}-${version}.tar.xz

lighttpd/lighttpd.conf

@@ -15,13 +15,15 @@ server.username = "lighttpd"
 server.groupname = "lighttpd"
 server.document-root = var.basedir + "/htdocs"
 server.pid-file = "/run/lighttpd.pid"
-#server.breakagelog = "/tmp/cgibreak" # var.logdir  + "/error.log"
+#server.syslog-facility = "ftp"
 # log errors to syslog instead
 #server.errorlog-use-syslog = "enable"
 #debug.log-request-handling = "enable"
 server.errorlog = var.logdir  + "/error.log"
-server.indexfiles = ("index.html") # "index.php", "index.htm"...)
-# server.tag = "lighttpd" # how server announces itself
+# "index.php", "index.htm"...)
+server.indexfiles = ("index.html")
+# how server announces itself
+# server.tag = "lighttpd"
 server.follow-symlink = "enable"
 server.event-handler = "linux-sysepoll"
 # Enable HTTP/2
@@ -40,6 +42,8 @@ server.feature-flags += (
 
 # NOTE: the order of modules is important.
 server.modules = (
+#   "mod_auth",
+#   "mod_authn_file",
    "mod_openssl",
    "mod_redirect",
    "mod_rewrite",
@@ -53,11 +57,14 @@ server.modules = (
 )
 
 mimetype.assign = ( # {{{
+	".tar.bz2" => "application/x-gtar-compressed",
+	".tar.gz" => "application/x-gtar-compressed",
 	".cbor" => "application/cbor",
 	".efi" => "application/efi",
 	".epub" => "application/epub+zip",
 	".gz" => "application/gzip",
 	".tgz" => "application/gzip",
+	".js" => "application/javascript",
 	".json" => "application/json",
 	".json-patch" => "application/json-patch+json",
 	".mbox" => "application/mbox",
@@ -352,7 +359,6 @@ mimetype.assign = ( # {{{
 	".htm" => "text/html",
 	".html" => "text/html",
 	".sandboxed" => "text/html-sandboxed",
-	".js" => "text/javascript",
 	".cnd" => "text/jcr-cnd",
 	".markdown" => "text/markdown; charset=utf-8",
 	".md" => "text/markdown; charset=utf-8",
@@ -440,20 +446,25 @@ mimetype.assign = ( # {{{
 
 # which extensions should not be handled via static-file transfer
 # (extensions that are usually handled by mod_cgi, mod_fastcgi, etc).
+# ,".php", ".pl", ".cgi", ".fcgi")
 static-file.exclude-extensions = (".cgi")
 
 accesslog.filename = var.logdir + "/access.log"
 #accesslog.use-syslog = "enable"
-accesslog.format = "%t %V:%p <%s> %h I=%I O=%O T=%T : \"%r\""
+accesslog.format = "%V:%p <%s> %h I=%I O=%O T=%T : \"%r\""
 
 # CGI stderr etc.
+#server.breakagelog = "/tmp/cgibreak" # var.logdir  + "/error.log"
 cgi.x-sendfile = "enable"
 
 deflate.cache-dir = var.statedir + "/deflate"
 deflate.mimetypes = ("text/", "application/x-tar")
 deflate.allowed-encodings = ("gzip", "zstd")
+deflate.max-compress-size = 0 # in KB
+deflate.min-compress-size = 256 # in Bytes
+deflate.max-loadavg = "5.00" # loadavg above which deflate temporarily stops
 
-url.access-deny = (".php", ".inc")
+url.access-deny = ("~", ".php", ".inc")
 # Do not give access to /server-status page do non-local addresses 
 #$HTTP["remoteip"] !~ "10\..*|192\.168\..*|127\..*" {
 #  url.access-deny = ("/server-status")
@@ -468,6 +479,7 @@ ssl.disable-client-renegotiation = "enable"
 #   ssl.pemfile = "/etc/letsencrypt/config/certs/HOST.DOM/key_and_cert.pem"
 #   ssl.ca-file = "/etc/letsencrypt/config/certs/HOST.DOM/fullchain.pem"
 #   ssl.dh-file = "/etc/letsencrypt/config/certs/HOST.DOM/dhparam2048.pem"
+#   # Need something for older OpenSSL (MacOS Lion, 2014!)
 #   ssl.cipher-list = "TLSv1.3:TLSv1.2:!aNULL:!eNULL:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:@STRENGTH"
 #   # These three are deprecated
 #   ssl.use-sslv2 = "disable"
@@ -485,9 +497,8 @@ ssl.disable-client-renegotiation = "enable"
 #   $HTTP["url"] =~ ".+\.html\/.*" {
 #      url.redirect = ("^/?(.*)$" => "http://www.HOST.DOM/")
 #   }
-#   $HTTP["url"] =~ "^/\.well-known/acme-challenge" {
-#      url.access-deny = ("config")
-#      alias.url = ("/.well-known/acme-challenge" => "/etc/letsencrypt")
+#   $HTTP["url"] =~ "^/\.well-known" {
+#      url.redirect = ("(.*)" => "https://www.HOST.DOM$1")
 #   }
 #}
 #$SERVER["socket"] == ":443" {
@@ -495,9 +506,17 @@ ssl.disable-client-renegotiation = "enable"
 #   $HTTP["url"] =~ ".+\.html\/.*" {
 #      url.redirect = ("^/?(.*)$" => "https://www.HOST.DOM/")
 #   }
+#   $HTTP["url"] =~ "^/\.well-known" {
+#      alias.url = ("/.well-known" => "/etc/lighttpd/well-known")
+#   }
+#   $HTTP["url"] =~ "^/\.well-known/acme-challenge(/*)?" {
+#      url.access-deny = ("config")
+#      alias.url = ("/.well-known/acme-challenge" => "/etc/letsencrypt")
+#   }
 #}
 
-#$HTTP["host"] =~ "^download\.HOST\.DOM" {
+# Download area
+#$HTTP["host"] =~ "^ftp\.HOST\.DOM" {
 #   url.rewrite-once = (
 #      "^(/.well-known/.+)" => "$1",
 #      "^/?(style\.css|favicon\.ico)$" => "/$1",
@@ -513,7 +532,7 @@ ssl.disable-client-renegotiation = "enable"
 # Serve git.HOST.DOM/scm for git access /browse for gitweb browsing.
 # Note that all the gitweb static/ files must reside in htdocs with this config
 # and all git repositories must be in /var/git to which server needs access
-# /etc/gitweb-common.conf:
+  # /etc/gitweb-common.conf:
   ##read_config_file("gitweb_config.perl");
   #our $projectroot = $ENV{'GITWEB_PROJECTROOT'} || "/pub/git";
   #our $project_maxdepth = 1;
@@ -546,17 +565,31 @@ ssl.disable-client-renegotiation = "enable"
   #$feature{timed}{default} = [1];
   #$feature{extra-branch-refs}{default} = ['stable','release'];
 #$HTTP["host"] =~ "^git\.HOST\.DOM" {
-#   url.rewrite-once = ("^/?$" => "/browse")
+#   url.rewrite-once = (
+#      "^/?$" => "/browse",
+#      "^/(\?.*)$" => "/browse/$1"
+#   )
+##   $HTTP["url"] =~ "^/cgit(/.*)?$" {
+##      url.redirect = ("^/cgit(.*)$" => "/browse$1")
+##   }
 #   $HTTP["url"] =~ "^/browse(/.*)?$" {
-#      accesslog.format = "%V:%p <%s> %h I=%I O=%O T=%T GW"
-#      alias.url = ("/browse" => "/usr/share/gitweb/gitweb.cgi")
+#      accesslog.format = "%V:%p <%s> %h T=%T GW"
+##      alias.url = ("/browse" => "/usr/share/gitweb/gitweb.cgi")
+#      alias.url = ("/browse" => "/usr/share/webapps/cgit/cgit")
+#      auth.require = ("" => (
+#         "method" => "basic",
+#         "realm" => "user is moon, password is mars",
+#         "require" => "valid-user"))
+#      auth.backend = "plain"
+#      # echo 'moon:mars' > /etc/lighttpd/cgit-access.conf
+#      auth.backend.plain.userfile = "/etc/lighttpd/cgit-access.conf"
 #      cgi.assign = ("" => "")
-#      connection.kbytes-per-second = 32
+#      connection.kbytes-per-second = 16
 #      expire.url = ("" => "access plus 0 seconds")
-#      server.max-keep-alive-requests = 3
+#      server.max-keep-alive-requests = 1
 #      setenv.add-environment = (
-#         "PERL5OPT" => "-C",
 #         "GITWEB_PROJECTROOT" => "/var/git"
+#         "CGIT_CONFIG" => "/var/git/.cgitrc"
 #      )
 #      # Funny people try to access /browse via git, redirect them
 #      url.redirect = (
@@ -566,6 +599,7 @@ ssl.disable-client-renegotiation = "enable"
 #      )
 #   }
 #   $HTTP["url"] =~ "^/scm" {
+#      accesslog.format = "%V:%p <%s> %h T=%T SCM"
 #      alias.url = ("/scm" => "/usr/libexec/git-core/git-http-backend")
 #      cgi.assign = ("" => "")
 #      server.max-keep-alive-requests = 1
@@ -599,6 +633,7 @@ ssl.disable-client-renegotiation = "enable"
 #   }
 #}
 
+# WWW
 #$HTTP["host"] =~ "^(www\.)?HOST\.DOM" {
 #   url.rewrite-once = ("^/downloads/?(.*)?$" => "/downloads/$1")
 #   $HTTP["url"] =~ "^/downloads(.*)?$" {
@@ -609,6 +644,9 @@ ssl.disable-client-renegotiation = "enable"
 #   $HTTP["url"] =~ "^/browse(/.*)?$" {
 #      url.redirect = ("^/?(.*)$" => "https://git.HOST.DOM/$1")
 #   }
+#   $HTTP["url"] =~ "^/cgit(/.*)?$" {
+#      url.redirect = ("^/?(.*)$" => "https://git.HOST.DOM/$1")
+#   }
 #   $HTTP["url"] =~ "^/ftp" {
 #      url.redirect = ("^/ftp(/.*)?$" => "https://ftp.HOST.DOM$1")
 #   }