Security, speed, compliance, and flexibility -- all of these describe lighttpd (pron. lighty) which is rapidly redefining efficiency of a webserver; as it is designed and optimized for high performance environments. With a small memory footprint compared to other web-servers, effective management of the cpu-load, and advanced feature set (FastCGI, SCGI, Auth, Output-Compression, URL-Rewriting and many more) lighttpd is the perfect solution for every server that is suffering load problems. And best of all it's Open Source licensed under the revised BSD license.

Web 2.0

lighttpd powers several popular Web 2.0 sites. Its high speed io-infrastructure allows them to scale several times better with the same hardware than with alternative web-servers.

This fast web server and its development team create a web-server with the needs of the future web in mind:

Its event-driven architecture is optimized for a large number of parallel connections (keep-alive) which is important for high performance AJAX applications.

News

1.4.52

November 28, 2018

Important changes

performance enhancements, bug fixes

Future scheduled behavior change (Q1 2019)

Beginning in Q1 2019, lighttpd defaults are scheduled to change to perform limited URL normalization on HTTP requests.

Since lighttpd 1.4.50, this URL normalization is available with server.http-parseopts <https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails>. The lighttpd default will become server.http-parseopts = (“url-normalize-unreserved” => “enable”, “url-path-2f-decode” => “enable”) unless server.http-parseopts is explicitly set in the lighttpd config. Enabling URL normalization by default will provide more consistent behavior for mod_redirect and mod_rewrite, which match against the (url-encoded) URL request. However, decoding %2F by default, while generally desirable for consistency, is potentially a breaking change for those encoding URLs in the url-path and relying on the literal ‘/’ as a delimiter. For those uses, “url-path-2f-decode” => “disable” will need to be explicitly set in the lighttpd config.

https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails

The recommended settings for server.http-parseopts are the following, unless specific use requires looser settings:

      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-dotseg-remove"   => "enable",
        "url-query-20-plus"        => "enable"
      )

Downloads

lighttpd-1.4.52.tar.gz (GPG signature)
- SHA256: 0f9de0227681c078f6b8c6154b581ced5fe7bcb5ff428ccf292581764b771145
lighttpd-1.4.52.tar.xz (GPG signature)
- SHA256: 27bc0991c530b7c6335e6efff2181934d3c1a1c516f7401ea71d8302cefda764
SHA256 checksums