mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

lighttpd updates for lighttpd 1.4.76 #189

Open gstrauss opened 1 year ago

gstrauss commented 1 year ago

lighttpd updates for lighttpd 1.4.76

This PR modifies only the lighttpd version in src/js/configs.js. The rest of the changes in this PR are limited to src/templates/partials/lighttpd.hbs.

lighttpd 1.4.56 and later default to MinProtocol TLSv1.2

lighttpd 1.4.68 and later default to a strict set of PFS ciphers and
to -ServerPreference, since a strict set of PFS ciphers is the default.

Simplify intermediate and modern configs for lighttpd 1.4.68 and later.
lighttpd defaults will incrementally be made more secure in the future
and using lighttpd secure defaults (without explicitly hard-coding the
defaults at a point in time) will allow users to get more secure
defaults along with lighttpd upgrades, instead of accidentally
continuing to use explicitly set older, less-secure config settings.

lighttpd 308 redirect code from http to https
   (for lighttpd 1.4.31 to lighttpd 1.4.74;
    has become default in lighttpd 1.4.75 for HTTP/1.1 (and later) requests)
gstrauss commented 1 year ago

@gene1wood please review. Thank you.

This PR was submitted in Jan for lighttpd 1.4.68, updated in Feb for lighttpd 1.4.69, and now once again updated in May for lighttpd 1.4.70.

gstrauss commented 8 months ago

@gene1wood is there a chance that this could get reviewed? It is a year old.

gstrauss commented 7 months ago

@gene1wood please consider using git rebase instead of git merge into contributor branches. The git history will be much clearer. In particular, resolving merge conflicts, if any, has the proper focus. A conflict with git merge involves merging changes made elsewhere (of wide and varied nature) into the contributor branch. A conflict with git rebase involves resolving conflicts with changes made specifically in the contributor branch.

On the contributor branch: git fetch; git rebase origin/master rather than git fetch; git merge origin/master

gstrauss commented 7 months ago

To hopefully keep this PR fresh and unblocked, I rebased this PR on the master branch and added a commit to emit 308 redirect only for Intermediate and Modern configs, leaving the existing lighttpd default redirect behavior (sending 301 for redirects) for the Old config.

--- a/src/templates/partials/lighttpd.hbs
+++ b/src/templates/partials/lighttpd.hbs
@@ -115,9 +115,11 @@ $HTTP["scheme"] == "https" {
     )
 }
 else $HTTP["scheme"] == "http" {
+ {{#unless (includes "old" form.config)}}
  {{#if (minver "1.4.31" form.serverVersion)}}
     url.redirect-code = 308
  {{/if}}
+ {{/unless}}
  {{#if (minver "1.4.50" form.serverVersion)}}
     url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
  {{else}}
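Review bot: the visible condition only bounds the version from below (`minver "1.4.31"`), while the commit message says `url.redirect-code = 308` applies to lighttpd 1.4.31 through 1.4.74 and the later comment says nothing is added for 1.4.75 and later; if that upper bound is enforced by an enclosing block outside this hunk that is fine, otherwise add the version check here. Also consider a short template comment next to the new `{{#unless (includes "old" form.config)}}` stating that the Old profile deliberately falls back to lighttpd's default 301, since with 301 clients may rewrite a redirected POST into a GET whereas 308 preserves the method and body; users comparing the Old and Intermediate output will otherwise not know why the line is missing.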

@gene1wood: If that is still a blocker for you, please remove url.redirect-code from the lighttpd config and use the lighttpd defaults.

@janbrasna I updated #117 with links that note that Windows versions before Windows 10 are all end-of-life and no longer receiving security updates, and IE in Windows 10 is end-of-life and no longer receiving security updates, so any concern or questions about widespread support for 308 status code should have been resolved over a year ago.

gstrauss commented 7 months ago

@gene1wood: ping

Are there remaining questions or feedback preventing this PR from moving forwards?

gene1wood commented 7 months ago

@gstrauss I will try to set aside time in the next few days to look at this.

gstrauss commented 6 months ago

@gene1wood: ping

Are there remaining questions or feedback preventing this PR from moving forwards?

gstrauss commented 6 months ago

@gene1wood: ping

Are there remaining questions or feedback preventing this PR from moving forwards?

PR has been rebased onto the tip of the ssl-config-generator master branch and updated for lighttpd 1.4.74.

gstrauss commented 5 months ago

@gene1wood: ping

Are there remaining questions or feedback preventing this PR from moving forwards?


With the release of lighttpd 1.4.75, the discussion over the almost !!! 3-year-old !!! 308 Permanent Redirect issue #137 for Apache, and subsequent #139 for lighttpd, is mostly moot for lighttpd, since lighttpd 1.4.75 mod_redirect by default uses 308 for HTTP/1.1 (and later) requests, though lighttpd 1.4.75 still defaults to 301 for HTTP/1.0 requests. This PR does not add url.redirect-code for lighttpd 1.4.75 and later, which is the same as the current behavior in ssl-config-generator.

To avoid sending information in query strings, POST is often used, so using 308 instead of 301 is important for proper security postures when URL redirects are necessary to maintain compatibility with site changes. It is a sad state of affairs that #137 has not been resolved in almost 3 years (!!!) with usage/transition guidance through modern, intermediate, and old configs.
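The 301-versus-308 point above, as an added example that is not part of the PR or the ssl-config-generator project: a small model of how a user agent rewrites a POST when it follows an HTTP-to-HTTPS redirect, following the RFC 9110 rules for each status code. The request, response and URLs are constructed sample values.

```javascript
// Added example (not project code): model the follow-up request a user agent
// issues after an HTTP->HTTPS redirect, per RFC 9110 sections 15.4.2 (301),
// 15.4.3 (302), 15.4.8 (307) and 15.4.9 (308).
// 301/302 permit changing POST to GET and dropping the body (mainstream
// browsers do exactly that); 307/308 require method and body to be kept.

const METHOD_PRESERVING = new Set([307, 308]);

/**
 * Build the rewritten request for a redirect response.
 * req: { method, url, body }   res: { status, headers: { location } }
 * Returns { method, url, body } for the request the client sends next.
 */
function followRedirect(req, res) {
  // Resolve a relative Location against the original URL, as clients do.
  const location = new URL(res.headers.location, req.url).href;

  if (METHOD_PRESERVING.has(res.status)) {
    // 307/308: replay the same method and body against the new URL.
    return { method: req.method, url: location, body: req.body };
  }
  // 301/302: user agents historically switch POST to GET and discard the
  // body, so the submission never reaches the https:// endpoint intact.
  if (req.method === 'POST') {
    return { method: 'GET', url: location, body: null };
  }
  return { method: req.method, url: location, body: req.body };
}

// Constructed sample: a form submission sent over plain http that the
// server answers with a redirect to the https:// URL (same authority/path).
const formPost = {
  method: 'POST',
  url: 'http://example.test/login',
  body: 'user=alice&token=constructed-sample',
};

function redirectWith(status) {
  return followRedirect(formPost, {
    status,
    headers: { location: 'https://example.test/login' },
  });
}

const via301 = redirectWith(301); // method becomes GET, body is dropped
const via308 = redirectWith(308); // method stays POST, body is preserved
```

Running `redirectWith(301)` and `redirectWith(308)` side by side shows why the PR wants 308 for the Intermediate and Modern profiles: only the 308 path delivers the original POST body to the HTTPS endpoint.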

gstrauss commented 3 months ago

@gene1wood: ping

Are there remaining questions or feedback preventing this PR from moving forwards?

gstrauss commented 2 months ago

@gene1wood: ping

Are there remaining questions or feedback preventing this PR from moving forwards?