Security, speed, compliance, and flexibility -- all of these describe lighttpd (pron. lighty) which is rapidly redefining efficiency of a webserver; as it is designed and optimized for high performance environments. With a small memory footprint compared to other web-servers, effective management of the cpu-load, and advanced feature set (FastCGI, SCGI, Auth, Output-Compression, URL-Rewriting and many more) lighttpd is the perfect solution for every server that is suffering load problems. And best of all it's Open Source licensed under the revised BSD license.

Web 2.0

lighttpd powers several popular Web 2.0 sites. Its high speed io-infrastructure allows them to scale several times better with the same hardware than with alternative web-servers.

This fast web server and its development team create a web-server with the needs of the future web in mind:

Its event-driven architecture is optimized for a large number of parallel connections (keep-alive) which is important for high performance AJAX applications.



July 31, 2016

Important changes

  • security fixes
  • fix bugs introduced in 1.4.40



  • security fixes
    • security: encode quoting chars in HTML and XML
    • security: ensure gid != 0 if server.username is set, but not server.groupname
    • security: disable stat_cache if server.follow-symlink = “disable”
    • security: httpoxy defense: do not emit HTTP_PROXY to CGI env
  • fix bugs introduced in 1.4.40 (sorry)
    • bug: lighttpd 1.4.40 might leave client sockets in TIME WAIT (FIN2_WAIT)
    • bug: lighttpd 1.4.40 times out on TLS requests with POST data
    • bug: lighttpd 1.4.40 reversed REQUEST_URI/REDIRECT_URI (now reverted)
    • bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP[“remoteip”]
    • bug: lighttpd 1.4.40 rejects IPv6 addrs in $SERVER[“socket”] scope identifier
    • bug: lighttpd 1.4.40 segfault in mod_accesslog if %T in custom format
    • bug: lighttpd 1.4.40 might trigger assert when converting to hex string
  • behavior changes
    • new: use TMPDIR if server.upload-dirs is not defined, “/var/tmp” if neither
    • new: inherit server.use-ipv6 and server.set-v6only from global scope
    • reverted REQUEST_URI/REDIRECT_URI to match behavior in lighttpd <= 1.4.39

Future scheduled behavior changes in lighttpd 1.4.42

  • mod_ssi will set REQUEST_URI to original, client-requested URI
    to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml