Until now we parse HEAD requests but don't properly fulfil them.
This adds enough that if the request pointed to a valid mount,
it will send the headers and complete the transaction without
sending the body.
Test with
$ (echo -n -e "GET / HTTP/1.0\r\nHost: default\r\n\r\n"; sleep 2) | nc 127.0.0.1 7681
https://github.com/warmcat/libwebsockets/issues/1625
"dead bodies" that were sent but not processed by lws as server
will clog up and destroy transaction tracking if repeated POSTs
with keepalive are sent to nonexistant paths.
This patch introduces a DISCARD_BODY state that follows BODY
except the payload is not signalled to the protocol callback.
Calling transaction_completed() with pending body makes lws
enter DISCARD_BODY and retry transaction completed only after
the pending body is exhausted.
When creating a vhost and the port is already bound to another process
this flag would allow the user code to choose to have the
lws_create_vhost function to fail and return a null pointer.
https://github.com/warmcat/libwebsockets/issues/1571
Although the code exists for non-tls h1 upgrade to h2, it hasn't been looked
after since all expected uses for h2 are going to be via h2 / alpn.
This patch aligns its upgrade actions with alpn upgrade path so it works OK
via
$ curl --http2 http://localhost:7681/ -v -w "\n"
ie, without tls. Operation via tls is unaffected.
To use the non-tls upgrade path, you have to be listening without tls, ie with the
test server without -s. If you're listening in a way that requires tls, this
can't be used to bypass that (or, eg, client certs) in itself, since you have to be
able to talk to it in h1 in the first place to attempt the upgrade to h2.
The common h2 path has some code to dropping the ah unconditionally it looks
like after the first service... this is too aggressive since the first thing
coming on the upgrade path is WINDOW_UPDATE. It looks wrong anyway, transaction /
stream completion will drop the ah and should be enough.
Generic sessions has been overdue some love to align it with
the progress in the rest of lws.
1) Strict Content Security Policy
2) http2 compatibility
3) fixes and additions for use in a separate process via unix domain socket
4) work on ws and http proxying in lws
5) add minimal example
- prioritize user-defined mimetypes over predefined server mimetypes.
- fix accessing memory out of string bounds.
- prefer case-insensitive comparison for extension matching.
- other minor fixes and improvements.
This is aimed at allowing a stride to optionally be
given for the parameter name array... this will allow
use of lws_struct metadata as the parameter name
array.
Also introduce the option to put all allocations in
an lwsac instead of via lws_mallocs.
Firefox sends HTTP requests with "Connection: keep-alive" header.
When LWS responds with 401 and WWW-Authenticate header, Firefox
doesn't show an authentication dialog until connection is closed.
Adding "Content-Length: 0" solves the problem.
If you're providing a unix socket service that will be proxied / served by another
process on the same machine, the unix fd permissions on the listening unix socket fd
have to be managed so only something running under the server credentials
can open the listening unix socket.
Up until now if you wanted to drop privs, a numeric uid and gid had to be
given in info to control post-init permissions... this adds info.username
and info.groupname where you can do the same using user and group names.
The internal plat helper lws_plat_drop_app_privileges() is updated to directly use
context instead of info both ways it can be called, and to be able to return fatal
errors.
All failures to lookup non-0 or -1 uid or gid names from uid, or to look up
uid or gid from username or groupnames given, get an err message and fatal exit.
If you just want a "file" in multipart, don't care about the length or
anything else, then you don't need any params tables and associated
allocations.
lws has been able to proxy h2 or h1 inbound connections to an
h1 onward connection for a while now. It's simple to use just
build with LWS_WITH_HTTP_PROXY and make a mount where the origin
is the onward connection details. Unix sockets can also be
used as the onward connection.
This patch extends the support to be able to also do the same for
inbound h2 or h1 ws upgrades to an h1 ws onward connection as well.
This allows you to offer completely different services in a
common URL space, including ones that connect back by ws / wss.
We use POSIX dir scanning apis normally, but for windows, we require libuv
to do it for us.
Formalize that into a wrapper lws_dir() that hides the backend code.
Make it configurable, ON by default and forced on with lejp-conf that
depends on it.
lejp-conf isn't the only user that needs to generate human-readable
JSON parsing error stacks.
Build it in with lejp and introduce an error code -> string api
info.protocols works okay, but it has an annoying problem... you have to know
the type for each protocol's pss at the top level of the code, so you can set
the struct lws_protocols user_data size for it.
Lws already rewrites the protocol tables for a vhost in the case of runtime
protocol plugins... this adapts that already-existing code slightly to give
a new optional way to declare the protocol array.
Everything works as before by default, but now info.protocols may be NULL and
info.pprotocols defined instead (if that's also NULL, as it will be if you
just ignore it after memsetting to 0, then it continues to fall back to the
dummy protocol handler as before).
info.pprotocols is a NULL-termined array of pointers to lws_protocol
structs. This can be composed at the top level of your code without knowing
anything except the name of the externally-defined lws_protocol struct(s).
The minimal example http-server-dynamic is changed to use the new scheme as
an example.
Until now lws only parses headers it knows at build-time from its
prebuilt lexical analyzer.
This adds an on-by-default cmake option and a couple of apis
to also store and query "custom", ie, unknown-to-lws headers.
A minimal example is also provided.
At the moment it only works on h1, h2 support needs improvements
to the hpack implementation.
Since it bloats ah memory usage compared to without it if custom
headers are present, the related code and ah footprint can be
disabled with the cmake option LWS_WITH_CUSTOM_HEADERS, but it's
on by default normally. ESP32 platform disables it.
https://github.com/warmcat/libwebsockets/pull/1499
On lwsws, incoming ws connections to the default vhost
are not rejected by the dummy protocol handler and not
really serviced either, leading to bots connecting to it to
get immortal, idle ws connections with no timeout (since it's an
established ws connection).
Rejecting these connections by default by adding a handler
for ESTABLISHED in the dummy handler will solve it nicely,
but it will break an unknown number of dumb. protocol-less
user implementations that rely on this behaviour by using
break; from their own ESTABLISHED handler and calling
through to the currently NOP dummy handler one.
Add support to assertively disable the default protocol
index used for subprotocol-less ws connections instead.
Normalize the vhost options around optionally handling noncompliant
traffic at the listening socket for both non-tls and tls cases.
By default everything is as before.
However it's now possible to tell the vhost to allow noncompliant
connects to fall back to a specific role and protocol, both set
by name in the vhost creation info struct.
The original vhost flags allowing http redirect to https and
direct http serving from https server (which is a security
downgrade if enabled) are cleaned up and tested.
A minimal example minimal-raw-fallback-http-server is added with
switches to confirm operation of all the valid possibilities (see
the readme on that).
Until now basic auth only protected http actions in the protected
mount.
This extends the existing basic auth scheme to also be consulted for
ws upgrades if a "basic-auth" pvo exists on the selected protocol for
the vhost. The value of the pvo is the usual basic auth credentials
file same as for the http case.
The retry stuff for bind failures is actually aimed at the scenarios the interface
either doesn't exist yet, or is not configured enough (having an IP) to be bindable yet.
This patch treats EADDRINUSE as fatal at vhost init.
