From 26fea3db2dc643f86c9df1999b23b430571e17f5 Mon Sep 17 00:00:00 2001 From: Marcin Krol Date: Tue, 7 Apr 2020 01:04:09 +0200 Subject: [PATCH] - updated to 1.4.55, partial PLD merge --- lighttpd-branding.patch | 2 +- lighttpd.conf | 7 +++-- lighttpd.init | 4 ++- lighttpd.spec | 69 +++++++++++++++++++++++++++-------------- ssl.conf | 21 ++++++------- 5 files changed, 65 insertions(+), 38 deletions(-) diff --git a/lighttpd-branding.patch b/lighttpd-branding.patch index 64a9be4..55cc9cf 100644 --- a/lighttpd-branding.patch +++ b/lighttpd-branding.patch @@ -5,7 +5,7 @@ #endif -#define PACKAGE_DESC PACKAGE_NAME "/" PACKAGE_VERSION REPO_VERSION -+#define PACKAGE_DESC PACKAGE_NAME "/" PACKAGE_VERSION REPO_VERSION " (TLD Linux)" ++#define PACKAGE_DESC PACKAGE_NAME "/" PACKAGE_VERSION REPO_VERSION " (PLD Linux)" #include #include diff --git a/lighttpd.conf b/lighttpd.conf index 08c6655..e86ff08 100644 --- a/lighttpd.conf +++ b/lighttpd.conf @@ -1,6 +1,7 @@ # lighttpd configuration file. -include_shell "for f in conf.d/*.conf ; do [ -f \"$f\" ] && echo \"include \\"$f\\"\" ; done" +# modules config +include "conf.d/*.conf" ## a static document-root, for virtual-hosting take look at the ## server.virtual-* options @@ -180,8 +181,10 @@ server.groupname = "lighttpd" ## #connection.kbytes-per-second = 32 -# webapps configs +# webapps config include "webapps.d/*.conf" # vhosts config include "vhosts.d/*.conf" + +## EOF diff --git a/lighttpd.init b/lighttpd.init index 026a230..eb9751b 100755 --- a/lighttpd.init +++ b/lighttpd.init @@ -10,6 +10,8 @@ # Source function library . /etc/rc.d/init.d/functions +upstart_controlled + # Get network config . /etc/sysconfig/network 
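Review bot: The new `include "conf.d/*.conf"` drops the `[ -f "$f" ]` test that the removed include_shell loop applied, so whether a directory or dangling symlink inside conf.d is skipped or makes the server refuse to start now depends on how lighttpd's glob include treats non-regular matches; the old form silently skipped them, so this is worth checking with `lighttpd -t` on a conf.d that contains such an entry. Load order matters as well: the numbered file names this patch installs later (`50_mod_*.conf`, `55_mod_magnet.conf`) rely on the glob being expanded in sorted name order, which the shell loop guaranteed, so if lighttpd sorts too (glob(3) does unless told otherwise) the comment should say so, e.g. `# module configs: conf.d/*.conf, included in sorted filename order (50_ before 55_)`. Replacing include_shell with a native include also removes a shell invocation at config load, which is a welcome reduction of the attack surface.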
@@ -38,7 +40,7 @@ configtest() { if [ -n "$out" ]; then # make it unique, format nicely out=$(echo "$out" | sort -u | xargs | sed -e 's/ /, /g') - echo >&2 "WARNING: found deprecated '$out', convert to 'url.rewrite-final' recommended, See http://redmine.lighttpd.net/issues/2379" + echo >&2 "WARNING: found deprecated '$out', convert to 'url.rewrite-once' recommended, See https://redmine.lighttpd.net/issues/2379" fi env SHELL=/bin/sh $DAEMON -t -f $CONFIGFILE $HTTPD_OPTS diff --git a/lighttpd.spec b/lighttpd.spec index 26c12fb..af66cfb 100644 --- a/lighttpd.spec +++ b/lighttpd.spec @@ -17,6 +17,7 @@ %bcond_without mysql # mysql support in mod_mysql_vhost, mod_vhostdb_mysql %bcond_without pgsql # PgSQL, enables mod_vhostdb_pgsql %bcond_without geoip # GeoIP support +%bcond_without maxminddb # MaxMind GeoIP2 module %bcond_with krb5 # krb5 support (does not work with heimdal) %bcond_without ldap # ldap support in mod_auth, mod_vhostdb_ldap %bcond_without lua # LUA support in mod_cml (needs LUA >= 5.1) @@ -41,12 +42,12 @@ Summary: Fast and light HTTP server Summary(pl.UTF-8): Szybki i lekki serwer HTTP Name: lighttpd -Version: 1.4.54 +Version: 1.4.55 Release: 1 License: BSD Group: Networking/Daemons/HTTP Source0: https://download.lighttpd.net/lighttpd/releases-1.4.x/%{name}-%{version}.tar.xz -# Source0-md5: 7abc776243c811e9872f73ab38b7f8b5 +# Source0-md5: be4bda2c28bcbdac6eb941528f6edf03 Source1: %{name}.init Source2: %{name}.conf Source3: %{name}.user 
@@ -108,16 +109,18 @@ Source142: mod_openssl.conf Source143: mod_vhostdb.conf Source144: mod_wstunnel.conf Source145: mod_authn_mysql.conf +Source146: mod_sockproxy.conf +Source147: mod_maxminddb.conf # use branch.sh script to create branch.diff #Patch100: %{name}-branch.diff ## Patch100-md5: 7bd09235304c8bcb16f34d49d480c0fb Patch1: %{name}-mod_evasive-status_code.patch Patch2: %{name}-mod_h264_streaming.patch Patch3: %{name}-branding.patch -Patch6: test-port-setup.patch -Patch7: env-documentroot.patch +Patch5: test-port-setup.patch URL: https://www.lighttpd.net/ %{?with_geoip:BuildRequires: GeoIP-devel} +%{?with_maxminddb:BuildRequires: libmaxminddb-devel} %{?with_xattr:BuildRequires: attr-devel} BuildRequires: autoconf >= 2.57 BuildRequires: automake >= 1:1.11.2 @@ -556,6 +559,14 @@ mod_magnet is a module to control the request handling in lighty. %description mod_magnet -l pl.UTF-8 mod_magnet to moduł sterujący obsługą żądań w lighty. +%package mod_maxminddb +Summary: lighttpd module +Group: Networking/Daemons/HTTP +#URL: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModGeoip +Requires: %{name} = %{version}-%{release} + +%description mod_maxminddb + %package mod_mysql_vhost Summary: lighttpd module for MySQL based vhosting Summary(pl.UTF-8): Moduł lighttpd obsługujący vhosty oparte na MySQL-u 
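Review bot: The new mod_maxminddb subpackage has an empty `%description mod_maxminddb` and a generic `Summary: lighttpd module`, so the built RPM carries no usable metadata, while every sibling subpackage in this spec has a one-line summary, a short description and a Polish `Summary(pl.UTF-8)`. Suggested `Summary: lighttpd module for GeoIP2 lookups via libmaxminddb`, plus a one-sentence description saying that the module looks up the client address in a MaxMind DB (GeoIP2) database (wording to be checked against upstream docs before it goes in). The commented `#URL:` points at the Docs_ModGeoip wiki page, which documents the older GeoIP module; if upstream has a Docs_ModMaxminddb page, that is the one to reference. Note also that `%package mod_maxminddb` is unconditional while its `%files` section later in this patch is wrapped in `%if %{with maxminddb}`; rpmbuild simply omits a subpackage that has no %files, so this builds, but guarding both the same way reads clearer.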
@@ -643,18 +654,6 @@ webserver BEFORE they are handled. Ten moduł pozwala na przepisywanie zbioru URL-i wewnętrznie w serwerze WWW _przed_ ich obsługą. -%package mod_sockproxy -Summary: lighttpd module for socket forwarding -Summary(pl.UTF-8): Moduł lighttpd przekazywania gniazdek -Group: Networking/Daemons/HTTP -Requires: %{name} = %{version}-%{release} - -%description mod_sockproxy -Sock proxy module for socket forwarding. - -%description mod_sockproxy -l pl.UTF-8 -Moduł proxy do przekazywania gniazdek. - %package mod_rrdtool Summary: lighttpd module for monitoring traffic and server load Summary(pl.UTF-8): Moduł lighttpd do monitorowania ruchu i obciążenia serwera @@ -736,6 +735,17 @@ lighttpd module for simple virtual-hosting. %description mod_simple_vhost -l pl.UTF-8 Moduł lighttpd do prostych hostów wirtualnych. +%package mod_sockproxy +Summary: Transparent socket proxy +Group: Networking/Daemons/HTTP +URL: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModSockProxy +Requires: %{name} = %{version}-%{release} + +%description mod_sockproxy +mod_sockproxy is a transparent socket proxy. For a given $SERVER["socket"] +config, connections will be forwarded to backend(s) without any +interpretation of the protocol. + %package mod_ssi Summary: lighttpd module for server-side includes Summary(pl.UTF-8): Moduł lighttpd do SSI (server-side includes) @@ -953,8 +963,7 @@ Plik monitrc do monitorowania serwera www lighttpd. #%patch1 -p1 UPDATE (and submit upstream!) if you need this %{?with_h264_streaming:%patch2 -p1} %patch3 -p1 -%patch6 -p1 -#%patch7 -p1 probably fixed upstream +%patch5 -p1 rm -f src/mod_ssi_exprparser.h # bad patching: should be removed by is emptied instead @@ -983,6 +992,7 @@ fi %{?with_dbi:--with-dbi} \ %{?with_krb5:--with-krb5} \ %{?with_geoip:--with-geoip} \ + %{?with_maxminddb:--with-maxminddb} \ %{?with_mysql:--with-mysql} \ %{?with_ldap:--with-ldap} \ %{?with_ssl:--with-openssl} \ 
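Review bot: The re-added `%package mod_sockproxy` drops the Polish `Summary(pl.UTF-8): Moduł lighttpd przekazywania gniazdek` and the `%description mod_sockproxy -l pl.UTF-8` / `Moduł proxy do przekazywania gniazdek.` that the removed block in the previous hunk carried, although every other subpackage in this spec keeps both; unless dropping the translation is intended, restore them in the new location. The English description would also benefit from a caveat for operators, since it states that connections are forwarded "without any interpretation of the protocol": presumably that means lighttpd's HTTP-level controls (mod_auth, mod_access and similar) cannot apply to a proxied socket, so reachability of the `$SERVER["socket"]` must be restricted by other means. Confirm that reading against upstream's mod_sockproxy documentation before adding the sentence.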
@@ -1051,6 +1061,9 @@ cp -p %{SOURCE113} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_flv_streaming.con %if %{with geoip} cp -p %{SOURCE140} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_geoip.conf %endif +%if %{with maxminddb} +cp -p %{SOURCE147} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_maxminddb.conf +%endif %if %{with ldap} cp -p %{SOURCE141} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_authn_ldap.conf %endif @@ -1083,6 +1096,7 @@ cp -p %{SOURCE144} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_wstunnel.conf %if %{with mysql} cp -p %{SOURCE133} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_mysql_vhost.conf %endif +cp -p %{SOURCE146} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_sockproxy.conf cp -p %{SOURCE134} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/55_mod_magnet.conf cp -p %{SOURCE111} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/55_mod_expire.conf @@ -1190,16 +1204,17 @@ fi %module_scripts mod_h264_streaming %module_scripts mod_indexfile %module_scripts mod_magnet +%module_scripts mod_maxminddb %module_scripts mod_mysql_vhost %module_scripts mod_openssl %module_scripts mod_proxy %module_scripts mod_redirect %module_scripts mod_rewrite -%module_scripts mod_sockproxy %module_scripts mod_scgi %module_scripts mod_secdownload %module_scripts mod_setenv %module_scripts mod_simple_vhost +%module_scripts mod_sockproxy %module_scripts mod_ssi %module_scripts mod_staticfile %module_scripts mod_status @@ -1403,6 +1418,13 @@ fi %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/conf.d/*mod_magnet.conf %attr(755,root,root) %{pkglibdir}/mod_magnet.so +%if %{with maxminddb} +%files mod_maxminddb +%defattr(644,root,root,755) +%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/conf.d/*mod_maxminddb.conf +%attr(755,root,root) %{pkglibdir}/mod_maxminddb.so +%endif + %if %{with mysql} %files mod_mysql_vhost %defattr(644,root,root,755) 
@@ -1430,10 +1452,6 @@ fi %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/conf.d/*mod_rewrite.conf %attr(755,root,root) %{pkglibdir}/mod_rewrite.so -%files mod_sockproxy -%defattr(644,root,root,755) -%attr(755,root,root) %{pkglibdir}/mod_sockproxy.so - %files mod_rrdtool %defattr(644,root,root,755) %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/conf.d/*mod_rrdtool.conf @@ -1460,6 +1478,11 @@ fi %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/conf.d/*mod_simple_vhost.conf %attr(755,root,root) %{pkglibdir}/mod_simple_vhost.so +%files mod_sockproxy +%defattr(644,root,root,755) +%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/conf.d/*mod_sockproxy.conf +%attr(755,root,root) %{pkglibdir}/mod_sockproxy.so + %files mod_ssi %defattr(644,root,root,755) %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/conf.d/*mod_ssi.conf diff --git a/ssl.conf b/ssl.conf index e9c1a21..15bfb6a 100644 --- a/ssl.conf +++ b/ssl.conf 
@@ -33,21 +33,20 @@ $SERVER["socket"] == ":443" { # "HTTPS" => "on" # ) + # https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.54&config=intermediate # intermediate configuration, tweak to your needs + # ssl.use-sslv2 = "disable" ssl.use-sslv3 = "disable" - ssl.honor-cipher-order = "enable" - # If you know you have RSA keys (standard), you can use: - #ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK" - # The more generic version (without the restriction to RSA keys) is - #ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK" - # List from https://mozilla.github.io/server-side-tls/ssl-config-generator/ - ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" + # intermediate configuration, tweak to your needs + ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1") + ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" + ssl.honor-cipher-order = "disable" - # HSTS(15768000 seconds = 6 months) -# setenv.add-response-header = ( -# "Strict-Transport-Security" => "max-age=15768000;" -# ) + # HTTP Strict Transport Security (63072000 seconds + # setenv.add-response-header = ( + # 
"Strict-Transport-Security" => "max-age=63072000" + # ) $HTTP["useragent"] =~ "MSIE" { server.max-keep-alive-requests = 0 -- 2.46.0
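Review bot: The rewritten HSTS example is still disabled and, as rendered here, malformed: the comment `# HTTP Strict Transport Security (63072000 seconds` has no closing parenthesis, and the `"Strict-Transport-Security" => "max-age=63072000"` line appears without the leading `#` that the surrounding `setenv.add-response-header` lines carry — if that is what the file contains rather than a rendering artifact, it is a bare expression outside any assignment and `lighttpd -t` should reject the whole config. Suggested lines: `# HTTP Strict Transport Security (63072000 seconds = 2 years)` and `#     "Strict-Transport-Security" => "max-age=63072000"`, with a note that enabling the header requires mod_setenv to be loaded. Two smaller points: `# intermediate configuration, tweak to your needs` now appears twice on the new side (once kept as context, once added), and the ssl-config.mozilla.org link says server-version=1.4.54 while this commit moves to 1.4.55. It is also worth a comment that `ssl.cipher-list` governs TLS 1.2 and older only (if it still maps to OpenSSL's cipher_list, TLS 1.3 suites are selected separately and are unaffected), and that with `ssl.honor-cipher-order = "disable"` the client's preference among the listed suites wins, which is what the Mozilla intermediate profile intends; the enclosing `$SERVER["socket"] == ":443"` block starts before this hunk.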