Messages

1

24.7 Production Series / Re: The new GUI doesn't work on one of my several servers.

« on: July 28, 2024, 10:02:00 am »

FYI: "opnsense-patch 724f8494d6" gets you this workaround to the issue:
https://github.com/opnsense/core/commit/724f8494d64074e0384b9f593e699daf2d84d604

"(/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/h2.c.612) h2: xx.xx.xx.xx sent too many RST_STREAM too quickly"
That error is emitted after triggering the detection of activity which looks like the HTTP/2 rapid reset attack (CVE-2023-44487).

Maybe the client side of the GUI should manage widget requests through a queue to better limit the number of concurrent requests?

2

24.1 Legacy Series / Re: WebGui not accessible via OpenVPN

« on: July 16, 2024, 05:10:37 am »

> "Error   lighttpd   (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/mod_openssl.c.3510) SSL: 1 error:0A00009C:SSL routines::http request (10.67.6.102)

That suggests that you made an HTTP (clear-text ) request to a port on which lighttpd was configured to expect HTTPS (TLS).

Or maybe you misconfigured your lighttpd.conf to have lighttpd expect TLS on port 80, so when you made an HTTP (clear-text) request to port 80, it failed as above.

3

21.1 Legacy Series / Re: [SOLVED] Cannot log into webui - message 411 Length Required

« on: October 21, 2021, 07:57:13 am »

Glad you identified the actual culprit.

FYI: various gateway protocols (e.g. CGI, FastCGI, SCGI, ...) require CONTENT_LENGTH.  If lighttpd is configured to stream the request body using a non-zero value, e.g.

Code: [Select]

server.stream-request-body = 1, then lighttpd will return "411 Length Required" for requests containing a request body which do not provide Content-Length in the request headers (when lighttpd is required to provide CONTENT_LENGTH to backend protocols).

However, if request body streaming is disabled in lighttpd.conf (the default if not specified)

Code: [Select]

server.stream-request-body = 0, then lighttpd will collect the request body -- by decoding Transfer-Encoding: chunked (HTTP/1.1) or collecting DATA frames (HTTP/2) -- and lighttpd will set CONTENT_LENGTH for the backends.

Therefore, a workaround is to set

Code: [Select]

server.stream-request-body = 0 if intermediaries impolitely modify requests to remove Content-Length.

4

21.1 Legacy Series / Re: No web gui, can't restart it either

« on: October 21, 2021, 07:40:42 am »

Test and pre-flight the lighttpd config by manually running:

Code: [Select]

lighttpd -f /etc/lighttpd/lighttpd.conf -tt

5

20.7 Legacy Series / Re: Configure lighttpd to log real client IP behind reverse proxy?

« on: March 15, 2021, 11:05:11 am »

Just a follow-up that this was fixed in lighttpd-1.4.59 and is in OPNsense 21.1.1 (released Feb 10)
https://opnsense.org/opnsense-21-1-1-released/

6

20.1 Legacy Series / Re: WebUI not loading after SSL cert update

« on: February 21, 2021, 09:16:26 pm »

@mgsteve do you have the cert files that caused the error for you?  Can you share the exact files?  (Please do not share the private key.  If it is part of the ssl.pemfile or ssl.ca-file, then please remove the contents between "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" (or similar) before posting, but otherwise leave those lines as-is so that I can see the format of the file.)

I am a lighttpd developer and have been unable to reproduce the issue.  I tried different combinations of stray char at end of file, and differences in line endings ("\n" and "\r\n"), but lighttpd 1.4.59 with openssl 1.1.1i handles them just fine.  lighttpd uses openssl routines to read certificate files, so I don't think this is an issue with lighttpd, but if lighttpd can detect the issue, maybe lighttpd can issue better error trace.

Maybe the issue you were having was related to https://forum.opnsense.org/index.php?topic=20325.0 ?

7

20.7 Legacy Series / Re: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)

« on: February 20, 2021, 11:13:29 pm »

> So no more ssl.ca-file, right?

Correct: if the full certificate chain is provided in ssl.pemfile, then ssl.ca-file is no longer needed for that purpose (building the certificate chain).

ssl.ca-file is still used for client certificate verification -- if that is enabled with ssl.verifyclient.* -- and might contain the certificates for the CA which issues the client certificates.

8

20.7 Legacy Series / Re: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)

« on: February 20, 2021, 05:37:53 am »

@Franco, lighttpd 1.4.56 migrates from old openssl interfaces (<= openssl 1.0.1) to newer openssl certificate callback interfaces, and lighttpd 1.4.56 tries to build the certificate chain when one is not provided.  The best solution is to provide the certificate chain:

Code: [Select]

    ssl.privkey= "/etc/lighttpd/certs/www.example.com/privkey.pem"
    ssl.pemfile= "/etc/lighttpd/certs/www.example.com/fullchain.pem"

I am a lighttpd developer and am looking into the "building cert chain" issue, which was only recently reported in https://redmine.lighttpd.net/boards/2/topics/9620

If you are aware of other issues with lighttpd, please post to https://redmine.lighttpd.net/boards/2/ so that lighttpd developers are aware of the issue, and you can link to forum.opnsense.org.

9

21.1 Legacy Series / Re: High CPU usage after upgrade.

« on: February 20, 2021, 05:04:49 am »

This was likely fixed in lighttpd 1.4.59 (included in OpnSense 21.1.1, released 9 Feb 2021)
https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/471ab4dd5bbf752c24fdd11bfcaf163b4769cfce
https://forum.opnsense.org/index.php?topic=21386.0

10

21.1 Legacy Series / Re: 503 Service Unavailable

« on: February 20, 2021, 04:53:14 am »

If using PHP-FPM, the PHP-FPM service is started independently from lighttpd.

Check that your lighttpd config is not trying to start the PHP backends, too.  The lighttpd.conf (or include file) should not include a "bin-path" in the configuration for the PHP-FPM sockets, since on your system you want to configure lighttpd to connect to the PHP-FPM sockets, but you do not want lighttpd to attempt to create those sockets.

Another thing to check is that the user account under which lighttpd is running has permission to access the paths to the unix domain socket.

11

20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR

« on: February 20, 2021, 04:43:14 am »

lighttpd developer here.   lighttpd developers generally fix issues very quickly IFF those issues are reported to the lighttpd developers at https://redmine.lighttpd.net/projects/lighttpd/issues

When configuring certificates in lighttpd, please include the intermediate certificates.  Let's Encrypt provides fullchain.pem, and that is the file that should be configured for lighttpd to use.

Code: [Select]

    ssl.privkey= "/etc/lighttpd/certs/www.example.com/privkey.pem"
    ssl.pemfile= "/etc/lighttpd/certs/www.example.com/fullchain.pem"

There is extensive documentation for how to configure lighttpd TLS modules:
https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL

12

16.1 Legacy Series / Re: lighttpd SSL error records logged every minute in system log.

« on: December 29, 2016, 10:30:56 am »

FYI: lighttpd 1.4.44 was released a few days ago.  If you have any feedback, please post to #lighttpd on freenode or lighttpd forums https://redmine.lighttpd.net/projects/lighttpd/boards

13

16.1 Legacy Series / Re: lighttpd SSL error records logged every minute in system log.

« on: August 03, 2016, 07:31:06 pm »

FYI: I have been working with pkubaj, the FreeBSD package maintainer.  lighttpd 1.4.40 incorporates all existing patches added by FreeBSD except for those patches specific to the mysql auth (optional) feature.  The reason why the FreeBSD 1.4.40 patch you linked is so large is that the *generated*  Makefile is part of the patch, and that there are many removed lines due to removal of patch files that are now integrated into lighttpd 1.4.40.  [edit] The largest part of that FreeBSD patch is that pkubaj renamed one of the mysql auth patch files.

14

16.1 Legacy Series / Re: lighttpd SSL error records logged every minute in system log.

« on: August 03, 2016, 06:50:06 am »

@jonkersa wrote
> Every minute the same three lines - displayed below  - are recorded in the system log.

That is possibly caused by something performing a health-check each minute by making a TCP connection and then closing it, without negotiating TLS.

As mentioned above, please add debug.log-ssl-noise = "disable" to lighttpd.conf.  That should quiet some of the warnings you are seeing.  For the last remaining warning, "SSL routines:SSL_shutdown:shutdown while in init",  a change has been pushed to lighttpd git master (post lighttpd 1.4.41) to skip SSL_shutdown() if TLS handshake has not yet completed.  https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/156bea38597ced5de7521ada2e85fb67aead21db  You'll have to backport that one-line patch to lighttpd 1.4.39, or upgrade to lighttpd 1.4.41 (highly recommended) and apply the patch.

It would be nice to get some feedback if this resolves the issue for you.   Thank you.


@franco: please review https://www.lighttpd.net/2016/7/31/1.4.41/ for security fixes and other limited changes made in lighttpd 1.4.41.  If you were planning to upgrade to lighttpd 1.4.40, you should hopefully be eager to upgrade to lighttpd 1.4.41 instead of staying on lighttpd 1.4.39 for another 6 months.  (For all the improvements in lighttpd 1.4.40, see https://www.lighttpd.net/2016/7/16/1.4.40/ )

15

16.1 Legacy Series / Re: lighttpd SSL error records logged every minute in system log.

« on: August 03, 2016, 02:10:59 am »

It is fair to wait a bit to get a better sense of stability.  Overall, 1.4.40 and 1.4.41 addressed hundreds of reported issues in lighttpd, and so 1.4.41 is expected to be much better than 1.4.39.

lighttpd works on FreeBSD.  What "porting" do you mean with "I don't feel comfortable porting 1.4.41 to FreeBSD"?