The problem is TLSv1. Not in the server, but in the browser. As long as you keep your (UNIX-(like)) system up-t0-date, and compile your firefox yourself, or the maintainers of your package-system are doing that properly, everything remains fine. Should you be a windows- or MacOS-X-user, though, and should you furthermore be so unlucky as to use the binary provided by the Mozilla-Dev-Team, you’re in for some trouble, because that version of Firefox cannot display websites using TLSv1.
I surrendered. I officially admit that I surrendered. Last weekend, I compiled and installed the apache web-server again, and now most of the sites I am hosting are up and running on the apache again.
For some time now, I have been experiencing weird bugs with my webserver. I was running a lighttpd, version 1.4.22. Two annoying bugs occurred:
The first was more a nuisance when uploading files through a POST, which resulted in error 417 “Expectation failed” on the first attempt (while on the second it worked).
The second bug resulted in a reproducible denial-of-service, as it crashed the webserver. It occurred whenever a firefox-webbrowser attempted to connect to the server through HTTPS.
I hoped these bugs to be solved by upgrading from 1.4.22 to 1.4.23 and 1.4.24, but that did not happen. As I needed a solution to these bugs, I decided to switch from lighttpd to nginx.
The transition went surprisingly smooth. The configuration is a bit more complicated as it was with lighttpd, but easily set up and quite good explained on nginx’s website, too.
Now, nginx runs all my websites, interacts with PHP through FastCGI, and problems seem to be gone.
While looking closer at those rules I posted earlier I noticed an important but missing rule, which would prevent e.g. the preview-functionality of the post-/page-editor. The following rule enables this: 1 "^/(.*/)??(.*=.*)$" => "index.php?$2" “^/(.*/)??(.*=.*)$” => “index.php?$2″ The whole ruleset would thus now look like this: 1 2 3 4 5 6 7 8 9 [...]
Today, someone in the channel #wordpress on freenode (see WordPress.org’s IRC-page for more information about the channel) asked whether WordPress would work with lighttpd. As I am running such an installation myself, I took it up to help him, looking for rewrite-rules on the net, since my own were only for WordPress MU. I was [...]
On Thursday, March 27th 2008, a DoS-vulnerability in lighttpd 1.4.19 and lower versions was reported on cve.mitre.org. It has been confirmed through lighttpd’s bug-tracking system. As of this writing, there is no official bugfix-release of lighttpd, yet, but according to the bug-tracking system, the issue is closed and marked as fixed. This suggests that there [...]