Project

General

Profile

[Solved] Alls page and subdomain returns 404 with 1.4.60

Added by zebul66 about 2 months ago

Hi.
I just noticed that after the upgrade to 1.4.60, all the pages on all subdomains returns a 404.

Downgrading to 1.4.59, while keeping everything the same, is just working fine.

I am using lighttpd on archlinux-arm (armv7h) on a rpi3b

here is my config file:

I am serving 2 flask python app and 2 static html files for 4 sites.

server.document-root = "/home/cassini/something/www" 
server.port = 32644
server.tag = "'; DROP TABLE servertypes; --" 
server.pid-file = "/run/lighttpd/pid" 
server.username = "http" 
server.groupname = "http" 

server.error-handler-404 = "/error-404.html" 
server.errorlog-use-syslog = "enable" 

server.modules = (
  "mod_proxy",
  "mod_setenv",
#  "mod_deflate",
  "mod_openssl",
  "mod_fastcgi",
  "mod_accesslog",
  "mod_alias",
  "mod_rewrite",
  "mod_auth",
  "mod_authn_file" 
)

ssl.engine = "enable" 
ssl.pemfile = "/etc/letsencrypt/live/example.com/server.pem" 
ssl.ca-file = "/etc/letsencrypt/live/example.com/chain.pem" 

#deflate.mimetypes = (
#  "application/x-javascript",
#  "application/javascript",
#  "text/javascript",
#  "text/x-js", 
#  "text/css",
#  "text/html",
#  "text/plain",
#  "application/json",
#  "application/x-protobuf" 
#)
#deflate.allowed-encodings = ("bzip2", "gzip", "deflate")
#deflate.compression-level = 6
#deflate.min-compress-size = 1500

setenv.add-response-header = (
  "X-Content-Type-Options" => "nosniff",
  "X-Frame-Options" => "DENY",
  "X-XSS-Protection" => "1; mode=block",
  "Referrer-Policy" => "same-origin",
  "Strict-Transport-Security" => "max-age=15768000",
  "Content-Security-Policy" => "default-src 'self'; style-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; img-src 'self' https://*.tile.openstreetmap.org https://tile.thunderforest.com data:; connect-src 'self' https://api.wigle.net;",
 )

accesslog.use-syslog = "enable" 

mimetype.assign = (
  ".html" => "text/html", 
  ".txt" => "text/plain",
  ".jpg" => "image/jpeg",
  ".png" => "image/png",
  ".js" => "application/javascript",
  ".gif" => "image/gif",
  ".css" => "text/css; charset=utf-8",
  ".svg" => "image/svg+xml" 
)

$HTTP["host"] == "example.com" {
  setenv.set-response-header = (
    "Server" => "'; DROP TABLE servertypes; --" 
  )
  proxy.server = ( "" => ( ( "host" => "somehost123", "port" => "5556" ) ) )
  proxy.header = (
    "https-remap" => "enable",
  )
}

$HTTP["host"] == "ifttt.example.com" {
  server.document-root = "/home/ifttt" 

  fastcgi.server = ("/ifttt.fcgi" =>
    ((
      "socket" => "/home/ifttt/ifttt-fcgi.sock",
      "check-local" => "disable",
      "max-procs" => 1
     ))
  )

  url.rewrite-once = (
    "^(/.*)$" => "/ifttt.fcgi$1" 
  )
}

$HTTP["host"] == "munin.example.com" {
  auth.backend = "plain" 
  auth.backend.plain.userfile = "/etc/lighttpd/userfile.plain" 
  auth.require = ("" => ("method" => "basic", "realm" => "munin", "require" => "valid-user") )

  server.document-root = "/srv/http/munin/" 
  index-file.names = ( "index.html" )
}

$HTTP["host"] == "knots.example.com" {
  server.document-root = "/srv/http/knots/" 
  index-file.names = ( "index.html" )
}

# vim: set syntax=lighttpd:

Replies (8)

RE: Alls page and subdomain returns 404 with 1.4.60 - Added by zebul66 about 2 months ago

OK. So with help from @gps on lighttpd irc chan, and enabling debug variable, the obvious problem is:

 (configfile-glue.c.506) $HTTP["host"] == "munin.example.com" compare to munin.example.com:32644
oct. 15 09:52:27 ymir lighttpd[31108]: (configfile-glue.c.368) 3 (uncached) result: false (cond: global / $HTTP["host"] == "munin.example.com")

I let the devs decide if it is a bug or not.

Running on a non standard port (because of my ISP, I don't have access to all IPv4 ports),the host includes now the port and fails the condionnal in the config file.

either add the port in host comparison in config file, or downgrade to 1.4.59

RE: Alls page and subdomain returns 404 with 1.4.60 - Added by gstrauss about 2 months ago

I let the devs decide if it is a bug or not.

Yes. Still deciding ...

From a quick scan of the commits, it looks like this may have changed in commit 1de03a03, though I need to look more closely to confirm.

Running on a non standard port (because of my ISP, I don't have access to all IPv4 ports),the host includes now the port and fails the condionnal in the config file.
either add the port in host comparison in config file, or downgrade to 1.4.59

lighttpd wiki front page has a link to Configuration: File Syntax, which includes documentation for the config file syntax $HTTP["host"]

Instead of downgrading, you could explicitly match with the port
$HTTP["host"] == "munin.example.com:32644"
or you could be explicit that you want to match whether or not the port is present, and to ignore the port.
$HTTP["host"] =~ "^munin.example.com(?:$|:)"

RE: Alls page and subdomain returns 404 with 1.4.60 - Added by gstrauss about 2 months ago

zebul66
I don't see the behavior you are suggesting. I tested with the following and if the client provided munin.example.com:8080, it matched the munin.example.com host condition, as I expected.

echo aaa > /dev/shm/index.txt
mkdir /dev/shm/bbb
echo bbb > /dev/shm/bbb/index.txt

lighttpd.conf:

server.port = 8080
server.document-root = "/dev/shm" 
$HTTP["host"] == "munin.example.com" {
   server.document-root = "/dev/shm/bbb" 
}

$ curl -H "Host: munin.example.com:8080" http://localhost:8080/index.txt
bbb
$ curl -H "Host: munin.example.com" http://localhost:8080/index.txt
bbb
$ curl -H "Host: other.example.com" http://localhost:8080/index.txt
aaa
$ curl http://localhost:8080/index.txt
aaa

Please test with debug.log-request-header = "enable" and check the lighttpd error log to see what the client is sending.

RE: Alls page and subdomain returns 404 with 1.4.60 - Added by zebul66 about 2 months ago

As you can see im my config file, I have defined a server.document-root but this is cosmetic, because I don't use it. The directory does not even exist.

In my test I tried to get munin.example.com:32644/somehost/somehost/index.html, so this fails with 404.

If I create the server-document-root and put there a mock index.html, then this is that mock file that is served.

The full path of the file served is then /home/cassini/something/www/somehost/somehost/index.html instead of the expected /srv/http/munin/somehost/somehost/index.html

So the condtionnal fails and lighttpd falls back to serve something from server-document-root instead.

This is why you are seeing what you describe.

RE: Alls page and subdomain returns 404 with 1.4.60 - Added by gstrauss about 2 months ago

Sorry. I am still not following you. Would you please use enable some debugging in lighttpd.conf and show me some examples of requests that matched the condition and those that did not?
debug.log-request-header = "enable"
debug.log-response-header = "enable"
debug.log-condition-handling = "enable"

RE: Alls page and subdomain returns 404 with 1.4.60 - Added by zebul66 about 2 months ago

Attached a log of a single request that fails with a 404.
I don't think I can find some working request because everything returns a 404.

If you want to reproduce the bug with your test, use instead:

mkdir /tmp/aaa
# but leave it empty
mkdir /dev/shm/bbb
echo bbb > /dev/shm/bbb/index.txt
server.port = 32644
server.document-root = "/tmp/aaa" 
$HTTP["host"] == "munin.example.com" {
   server.document-root = "/dev/shm/bbb" 
}

RE: Alls page and subdomain returns 404 with 1.4.60 - Added by gstrauss about 2 months ago

Ah. It does not work with 5 digit port numbers, but smaller is ok. I was not including the ':' in the count and had tested with port 8080, then changed to 32644 in the post above (to match what you had posted). [Note: re-edited back to 8080 above]

--- a/src/configfile-glue.c
+++ b/src/configfile-glue.c
@@ -521,7 +521,7 @@ static cond_result_t config_check_cond_nocache(request_st * const r, const data_
                        /*(r->uri.authority lowercased during request parsing)*/
                        if (llen && llen != dlen) {
                                match ^= ((llen > dlen)
-                                            ? l->ptr[dlen] == ':' && llen - dlen <= 5
+                                            ? l->ptr[dlen] == ':' && llen - dlen <= 6
                                             : dc->string.ptr[(dlen = llen)] == ':')
                                         && 0 == memcmp(l->ptr, dc->string.ptr, dlen);
                                break;

RE: [Solved] Alls page and subdomain returns 404 with 1.4.60 - Added by zebul66 about 2 months ago

yes. confirming that the patch fixes the issue.

    (1-8/8)