Security, speed, compliance, and flexibility -- all of these describe lighttpd (pron. lighty) which is rapidly redefining efficiency of a webserver; as it is designed and optimized for high performance environments. With a small memory footprint compared to other web-servers, effective management of the cpu-load, and advanced feature set (FastCGI, SCGI, Auth, Output-Compression, URL-Rewriting and many more) lighttpd is the perfect solution for every server that is suffering load problems. And best of all it's Open Source licensed under the revised BSD license.

Web 2.0

lighttpd powers several popular Web 2.0 sites. Its high speed io-infrastructure allows them to scale several times better with the same hardware than with alternative web-servers.

This fast web server and its development team create a web-server with the needs of the future web in mind:

Its event-driven architecture is optimized for a large number of parallel connections (keep-alive) which is important for high performance AJAX applications.

News

1.4.41

July 31, 2016

Important changes

security fixes
fix bugs introduced in 1.4.40

Downloads

lighttpd-1.4.41.tar.gz (GPG signature)
- SHA256: 8a5749e218237fafc3119dd8a4fcf510ea728728b3fcf1193fcad7209be4b6d7
lighttpd-1.4.41.tar.xz (GPG signature)
- SHA256: 4bcc383ef6d6dc7b284f68882d71a178e2986c83c4e85eeb3c8f3b882e346b6c
SHA256 checksums

Highlights

security fixes
- security: encode quoting chars in HTML and XML
- security: ensure gid != 0 if server.username is set, but not server.groupname
- security: disable stat_cache if server.follow-symlink = “disable”
- security: httpoxy defense: do not emit HTTP_PROXY to CGI env
fix bugs introduced in 1.4.40 (sorry)
- bug: lighttpd 1.4.40 might leave client sockets in TIME WAIT (FIN2_WAIT)
- bug: lighttpd 1.4.40 times out on TLS requests with POST data
- bug: lighttpd 1.4.40 reversed REQUEST_URI/REDIRECT_URI (now reverted)
- bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP[“remoteip”]
- bug: lighttpd 1.4.40 rejects IPv6 addrs in $SERVER[“socket”] scope identifier
- bug: lighttpd 1.4.40 segfault in mod_accesslog if %T in custom format
- bug: lighttpd 1.4.40 might trigger assert when converting to hex string
behavior changes
- new: use TMPDIR if server.upload-dirs is not defined, “/var/tmp” if neither
- new: inherit server.use-ipv6 and server.set-v6only from global scope
- reverted REQUEST_URI/REDIRECT_URI to match behavior in lighttpd <= 1.4.39

Future scheduled behavior changes in lighttpd 1.4.42

mod_ssi will set REQUEST_URI to original, client-requested URI
to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml