[UE] lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope
Added by leo1 over 2 years ago
Hello
Based on the latest 1.4.66 version and embedded Linux system, The lighttpd process in my device reported a segmentation fault and did not come up.
The crash information is as follows:
[20220916_16:00:43:922]2018-10-07 15:43[ 122.719985] lighttpd[12864]: segfault at 4dbfd7dc ip 4dbfd7dc sp 7fe64c6c error 14 [20220916_16:00:43:922]:52: (../../lighttpd-1.4.66/src/mod_openssl.c.2748) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope [20220916_16:00:43:922]2018-10-07 15:43:52: (../../lighttpd-1.4.66/src/server.c.1291) Initialization of plugins failed. Going down. [20220916_16:00:43:922]Segmentation fault (core dumped).
Is there something wrong with my lighttpd configuration?
Thanks.
My configs are as below:
# lighttpd configuration file
#
# use it as a base for lighttpd 1.0.0 and above
#
# $Id: lighttpd.conf,v 1.7 2004/11/03 22:26:05 weigon Exp $
# Run-time base dir for GW executables
# Does not work well.
# Currently configured for 1 file system builds
#var.basedir = "" #env.CONFIG_TI_ROOTGW_SEPARATE_FS_NAME
############ Options you really have to take care of ####################
## modules to load
# at least mod_access and mod_accesslog should be loaded
# all other module should only be loaded if really neccesary
# - saves some time
# - saves memory
server.modules = (
"mod_rewrite",
"mod_redirect",
# "mod_alias",
"mod_access",
"mod_accesslog",
# "mod_trigger_b4_dl",
"mod_auth",
# "mod_status",
"mod_setenv", #ARRIS MOD CLM-53446
"mod_fastcgi",
# "mod_proxy",
# "mod_simple_vhost",
# "mod_evhost",
# "mod_userdir",
"mod_cgi",
# "mod_compress",
# "mod_ssi",
# "mod_usertrack",
# "mod_expire",
# "mod_secdownload",
# "mod_rrdtool",
"mod_openssl",
)
## A static document-root. For virtual hosting take a look at the
## mod_simple_vhost module.
#server.document-root = "/usr/www/"
server.document-root = "/" + "/usr/www/"
## where to send error-messages to
server.errorlog = "/rdklogs/logs/lighttpderror.log"
# files to check for if .../ is requested
index-file.names = ( "index.php", "index.html",
"index.htm", "default.htm", "intel-web-page.html" )
## set the event-handler (read the performance section in the manual)
# server.event-handler = "freebsd-kqueue" # needed on OS X
# mimetype mapping
mimetype.assign = (
".pdf" => "application/pdf",
".sig" => "application/pgp-signature",
".spl" => "application/futuresplash",
".class" => "application/octet-stream",
".ps" => "application/postscript",
".torrent" => "application/x-bittorrent",
".dvi" => "application/x-dvi",
".gz" => "application/x-gzip",
".pac" => "application/x-ns-proxy-autoconfig",
".swf" => "application/x-shockwave-flash",
".tar.gz" => "application/x-tgz",
".tgz" => "application/x-tgz",
".tar" => "application/x-tar",
".zip" => "application/zip",
".mp3" => "audio/mpeg",
".m3u" => "audio/x-mpegurl",
".wma" => "audio/x-ms-wma",
".wax" => "audio/x-ms-wax",
".ogg" => "application/ogg",
".wav" => "audio/x-wav",
".gif" => "image/gif",
".jar" => "application/x-java-archive",
".jpg" => "image/jpeg",
".jpeg" => "image/jpeg",
".png" => "image/png",
".xbm" => "image/x-xbitmap",
".xpm" => "image/x-xpixmap",
".xwd" => "image/x-xwindowdump",
".css" => "text/css",
".html" => "text/html",
".htm" => "text/html",
".js" => "text/javascript",
".asc" => "text/plain",
".c" => "text/plain",
".cpp" => "text/plain",
".log" => "text/plain",
".conf" => "text/plain",
".text" => "text/plain",
".txt" => "text/plain",
".dtd" => "text/xml",
".xml" => "text/xml",
".mpeg" => "video/mpeg",
".mpg" => "video/mpeg",
".mov" => "video/quicktime",
".qt" => "video/quicktime",
".avi" => "video/x-msvideo",
".asf" => "video/x-ms-asf",
".asx" => "video/x-ms-asf",
".wmv" => "video/x-ms-wmv",
".bz2" => "application/x-bzip",
".tbz" => "application/x-bzip-compressed-tar",
".tar.bz2" => "application/x-bzip-compressed-tar",
# default mime type
"" => "application/octet-stream",
)
# Use the "Content-Type" extended attribute to obtain mime type if possible
#mimetype.use-xattr = "enable"
## send a different Server: header
## be nice and keep it at lighttpd
server.tag = "lighttpd"
#### accesslog module. This log will be huge during dDos attacking.
accesslog.filename = "/rdklogs/logs/lighttpdaccess.log"
## deny access the file-extensions
#
# ~ is for backupfiles from vi, emacs, joe, ...
# .inc is often used for code includes which should in general not be part
# of the document-root
url.access-deny = ( "~", ".inc", ".html", "actionHandler", "cgi-bin", "cmn", "common", "custom", "includes", "languages", "pcontrol" )
#$HTTP["url"] =~ "\.pdf$" {
# server.range-requests = "disable"
#}
##
# which extensions should not be handle via static-file transfer
#
# .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".sh" )
######### Options that are good to be but not neccesary to be changed #######
server.use-ipv6 = "enable"
## bind to port (default: 80)
## bind to localhost (default: all interfaces)
#server.bind = "10.0.0.1"
#$SERVER["socket"] == "255.255.255.255:80" {}
## error-handler for status 404
#server.error-handler-404 = "/error-handler.html"
server.error-handler-404 = "/index.php"
## to help the rc.scripts
server.pid-file = "/var/run/lighttpd.pid"
###### virtual hosts
##
## If you want name-based virtual hosting add the next three settings and load
## mod_simple_vhost
##
## document-root =
## virtual-server-root + virtual-server-default-host + virtual-server-docroot
## or
## virtual-server-root + http-host + virtual-server-docroot
##
#simple-vhost.server-root = "/srv/www/vhosts/"
#simple-vhost.default-host = "www.example.org"
#simple-vhost.document-root = "/htdocs/"
##
## Format: <errorfile-prefix><status-code>.html
## -> ..../status-404.html for 'File not found'
#server.errorfile-prefix = "/usr/share/lighttpd/errors/status-"
#server.errorfile-prefix = "/srv/www/errors/status-"
server.errorfile-prefix = "/usr/www/status-"
## virtual directory listings
#dir-listing.activate = "enable"
## select encoding for directory listings
#dir-listing.encoding = "utf-8"
## enable debugging
#debug.log-request-header = "enable"
#debug.log-response-header = "enable"
#debug.log-request-handling = "enable"
#debug.log-file-not-found = "enable"
### only root can use these options
#
# chroot() to directory (default: no chroot() )
#server.chroot = "/"
## change uid to <uid> (default: don't care)
#server.username = "wwwrun"
## change uid to <uid> (default: don't care)
#server.groupname = "wwwrun"
#### compress module
#compress.cache-dir = "/var/cache/lighttpd/compress/"
#compress.filetype = ("text/plain", "text/html")
#### proxy module
## read proxy.txt for more info
#proxy.server = ( ".php" =>
# ( "localhost" =>
# (
# "host" => "192.168.0.101",
# "port" => 80
# )
# )
# )
#### fastcgi module
## read fastcgi.txt for more info
## for PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini
fastcgi.server = ( ".php" =>
( "localhost" =>
(
# "host" => "10.0.0.1" ,
#ARRIS MOD START CLM-28750
# "host" => "0.0.0.0",
"host" => "127.0.0.1",
#ARRIS MOD END CLM-28750
"port" => 1026 ,
# "bin-path" => "/bin/php-cgi -c /etc/php.ini",
# "bin-path" => "/fss/gw" + "/bin/php-cgi -c /etc/php.ini",
"bin-path" => "/usr/bin/php-cgi -c /etc/php.ini",
)
)
)
#### CGI module
cgi.assign = ( ".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
".sh" => "/bin/sh" )
#### SSL engine
#ssl.engine = "enable"
#ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
#### status module
#status.status-url = "/server-status"
#status.config-url = "/server-config"
#### auth module
## read authentication.txt for more info
#auth.backend = "plain"
#auth.backend.plain.userfile = "lighttpd.user"
#auth.backend.plain.groupfile = "lighttpd.group"
#auth.backend.ldap.hostname = "localhost"
#auth.backend.ldap.base-dn = "dc=my-domain,dc=com"
#auth.backend.ldap.filter = "(uid=$)"
#auth.require = ( "/server-status" =>
# (
# "method" => "digest",
# "realm" => "download archiv",
# "require" => "user=jan"
# ),
# "/server-config" =>
# (
# "method" => "digest",
# "realm" => "download archiv",
# "require" => "valid-user"
# )
# )
#### url handling modules (rewrite, redirect, access)
#url.rewrite = ( "^/$" => "/server-status" )
#url.redirect = ( "^/wishlist/(.+)" => "http://www.123.org/$1" )
#### both rewrite/redirect support back reference to regex conditional using %n
#$HTTP["host"] =~ "^www\.(.*)" {
# url.redirect = ( "^/(.*)" => "http://%1/$1" )
#}
#
# define a pattern for the host url finding
# %% => % sign
# %0 => domain name + tld
# %1 => tld
# %2 => domain name without tld
# %3 => subdomain 1 name
# %4 => subdomain 2 name
#
#evhost.path-pattern = "/srv/www/vhosts/%3/htdocs/"
#### expire module
#expire.url = ( "/buggy/" => "access 2 hours", "/asdhas/" => "access plus 1 seconds 2 minutes")
#### ssi
#ssi.extension = ( ".shtml" )
#### rrdtool
#rrdtool.binary = "/usr/bin/rrdtool"
#rrdtool.db-name = "/var/lib/lighttpd/lighttpd.rrd"
#### setenv
#setenv.add-request-header = ( "TRAV_ENV" => "mysql://user@host/db" )
#setenv.add-response-header = ( "X-Secret-Message" => "42" )
## for mod_trigger_b4_dl
# trigger-before-download.gdbm-filename = "/var/lib/lighttpd/trigger.db"
# trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" )
# trigger-before-download.trigger-url = "^/trigger/"
# trigger-before-download.download-url = "^/download/"
# trigger-before-download.deny-url = "http://127.0.0.1/index.html"
# trigger-before-download.trigger-timeout = 10
#### variable usage:
## variable name without "." is auto prefixed by "var." and becomes "var.bar"
#bar = 1
#var.mystring = "foo"
## integer add
#bar += 1
## string concat, with integer cast as string, result: "www.foo1.com"
#server.name = "www." + mystring + var.bar + ".com"
## array merge
#index-file.names = (foo + ".php") + index-file.names
#index-file.names += (foo + ".php")
#### include
#include /etc/lighttpd/lighttpd-inc.conf
## same as above if you run: "lighttpd -f /etc/lighttpd/lighttpd.conf"
#include "lighttpd-inc.conf"
#### include_shell
#include_shell "echo var.a=1"
## the above is same as:
#var.a=1
setenv.add-response-header += ( "X-Content-Type-Options" => "nosniff" )
server.port = 80
server.bind = "brlan0"
$HTTP["scheme"] == "http" {
$SERVER["socket"] == "brlan0:51515" {
}
else $HTTP["host"] == "192.168.0.1" {
}
else $HTTP["host"] == "192.168.100.1" {
}
else $HTTP["host"] == "[fe80::d63f:cbff:fe86:1d6e]" {
}
else $HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
$SERVER["socket"] == "wan0:80" { server.use-ipv6 = "enable" }
$SERVER["socket"] == "brlan0:443" { server.use-ipv6 = "enable" ssl.engine = "enable" ssl.ca-file = "/tmp/cacert.pem" ssl.dh-file = "/etc/dhparam.pem" ssl.honor-cipher-order = "enable" ssl.cipher-list = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256" }
$SERVER["socket"] == "wan0:443" { server.use-ipv6 = "enable" ssl.engine = "enable" ssl.ca-file = "/tmp/cacert.pem" ssl.dh-file = "/etc/dhparam.pem" ssl.honor-cipher-order = "enable" ssl.cipher-list = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256" }
$SERVER["socket"] == "erouter0:8181" { server.use-ipv6 = "enable" ssl.engine = "enable" ssl.ca-file = "/tmp/cacert.pem" }
$SERVER["socket"] == "brlan0:51515" { server.use-ipv6 = "enable" server.document-root = "/usr/www/pcontrol/" }
$SERVER["socket"] == "brlan0:50011" {
server.use-ipv6 = "enable"
ssl.engine = "enable"
ssl.ca-file = "/tmp/cacert.pem"
server.document-root = "/usr/lca/"
accesslog.filename = "/var/tmp/lca_access.log"
accesslog.syslog-level = 7
accesslog.format = "%h %V %u %t \"%r\" %>s %b \"%{Cookie}i\" \"%{Content-Type}i\" \"%{Content-Length}i\" \"%{Content-Encoding}i\" \"%{User-Agent}i\" duration:%T/%D"
fastcgi.server = ( "" =>
( "localhost" =>
(
"socket" => "/tmp/php-cgi.socket",
"bin-path" => "/usr/bin/php-cgi -c /etc/lca_php.ini",
"max-procs" => 2
)
)
)
}
Replies (6)
RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 over 2 years ago
leo1 wrote:
Hello
Based on the latest 1.4.66 version and embedded Linux system, The lighttpd process in my device reported a segmentation fault and did not come up.
The crash information is as follows:
[20220916_16:00:43:922]2018-10-07 15:43[ 122.719985] lighttpd12864: segfault at 4dbfd7dc ip 4dbfd7dc sp 7fe64c6c error 14
[20220916_16:00:43:922]:52: (../../lighttpd-1.4.66/src/mod_openssl.c.2748) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope
[20220916_16:00:43:922]2018-10-07 15:43:52: (../../lighttpd-1.4.66/src/server.c.1291) Initialization of plugins failed. Going down.
[20220916_16:00:43:922]Segmentation fault (core dumped).Is there something wrong with my lighttpd configuration?
Thanks.
| lighttpd.conf (14.7 KB) lighttpd.conf |
RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 over 2 years ago
Hi
My gdb debug info is as follows:
Core was generated by `lighttpd -tt -f /var/lighttpd.conf'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x4e8c27dc in ?? ()
(gdb) bt
#0 0x4e8c27dc in ?? ()
#1 0x4e601bae in OPENSSL_cleanup () from /usr/lib/libcrypto.so.1.1
#2 0x4e13f093 in ?? ()
#3 0x00000000 in ?? ()
I had a similar segfault in lighttpd 1.4.53 version before, now I upgraded to the latest lighttpd 1.4.66
version and the error still occurs. Is the library version of my openssl wrong? This problem has troubled
me for a long time. Any help from you is greatly appreciated.
RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by gstrauss over 2 years ago
[20220916_16:00:43:922]:52: (../../lighttpd-1.4.66/src/mod_openssl.c.2748) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope [20220916_16:00:43:922]2018-10-07 15:43:52: (../../lighttpd-1.4.66/src/server.c.1291) Initialization of plugins failed. Going down.
Is there something wrong with my lighttpd configuration?
Yes. See above error message and see the lighttpd documentation.
Has anything changed since #3159 or https://redmine.lighttpd.net/boards/2/topics/10542 ?
You still have failed to read the documentation
RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by gstrauss over 2 years ago
Your config is missing ssl.pemfile in some $SERVER["socket"] containing ssl.engine = "enable"ssl.dh-file is deprecated.
RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 over 2 years ago
Hi gstrauss.Thanks for your help, I have added server.pem.
But the segfault still appears. I suspect that my openssl library version does not match.
My openssl library version is OpenSSL 1.1.1l.Is there any way to confirm it?
Thanks.
RE: [UE] lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 over 2 years ago
I found that I deleted the ssl.ca-file configuration in lighttpd.conf, the segfault problem no longer appeared, and the lighttpd process was running normally. But when I try to log into the GUI, I find that I can't log in. I suspect the cacert.pem file in the tmp directory needs to be updated or the new lighttpd version replaces the ssl.ca-file with a different configuration