November 29, 2020

Important changes

HTTP/2, TLS library options, brotli, bugfixes



  • HTTP/2 support
    • must be enabled in lighttpd.conf in lighttpd 1.4.56;
      may be enabled by default in a future release
    • server.feature-flags += ("server.h2proto" => "enable", "server.h2c" => "enable")
  • TLS library options: OpenSSL, mbedTLS, wolfSSL, GnuTLS, NSS
    • mod_openssl (existing)
    • mod_mbedtls (experimental)
    • mod_wolfssl (experimental)
    • mod_gnutls (experimental)
    • mod_nss (experimental)
  • TLS OCSP stapling
    (except mbedTLS; not currently supported by mbedTLS)
  • TLS session ticket key rotation control
    (except NSS; API limitation in NSS)
  • mod_deflate brotli support
  • mod_proxy makes HTTP/1.1 requests to backends (change from HTTP/1.0)
  • RFC 8297 support for 103 Early Hints produced by backends (scripts)
  • graceful restart option to transfer listen fds (minimal pause)
    • server.systemd-socket-activation = "enable"
    • server.feature-flags += ("server.graceful-restart-bg" => "enable", "server.graceful-shutdown-timeout" => "15")

Behavior Changes

  • mod_openssl
    • default MinProtocol TLSv1.2
      TLSv1 and TLSv1.1 are deprecated and no longer supported by major browsers.
      If prior behavior is required, configure:
      ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1")
      If using openssl <= 1.0.2 (end-of-life)
      ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1, TLSv1.1, TLSv1.2")
    • (internal) TLS session cache is disabled by default,
      replaced by lighttpd robust TLSv1.2 session ticket support
      If backward compatibility is needed:
      server.feature-flags += ("ssl.session-cache" => "enable")
    • (internal) openssl creates a session ticket encryption key per SSL_CTX.
      lighttpd 1.4.56 and later assigns a single session ticket encryption key
      for the lighttpd server (across all SSL_CTX) for consistency.
    • behavior change with ssl.ca-dn-file (uncommon); applies to client
      certificate verification and ssl.ca-dn-file (uncommon)
      If client certificate verification is enabled
      (ssl.verifyclient.activate = “enable”),
      all CAs used for client certificate verification must be present in
      ssl.ca-file. This is the typical use case when client certificate
      verification is enabled. Certificates in (optional) ssl.ca-dn-file
      are used to send issuer names to client when the server sends a
      client certificate request. These names are use by the client
      during certificate selection, and the server requires that the
      certificate sent by the client be issued by one of the subjects
      in ssl.ca-dn-file.
      (Prior behavior merged ssl.ca-file and ssl.ca-dn-file for trusted CAs.
      New behavior requires all trusted CAs be listed in ssl.ca-file,
      and a subset be duplicated into ssl.ca-dn-file to specify allowed
      client cert issuer.)
  • mod_deflate: support for bzip2 is now disabled by default in the build
    (enable using ./configure --with-bzip2)
    bzip2 Content-Encoding is not widely supported
    Prefer to build --with-brotli
    brotli Content-Encoding is more widely supported than bzip2

Future Scheduled Behavior Changes

  • HTTP/2 support will be enabled by default in a future release
  • graceful restart/shutdown default timeout will change from
    0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • mod_compress is DEPRECATED; use mod_deflate
    mod_compress has been subsumed by mod_deflate
    Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb
    Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi
    Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
    Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet
    Note: mod_cml will be removed from a future lighttpd release


January 31, 2020

Important changes

  • bugfixes



May 27, 2019

Important changes

  • behavior change: strict URL parsing and normalization (configurable)
  • performance enhancements, bug fixes



  • behavior change: strict URL parsing and normalization (configurable)
  • behavior change: mod_webdav now rejects partial PUT (configurable)
  • mod_auth: HTTP Auth Digest algorithm=SHA-256
  • mod_webdav: major rewrite: robustness, performance, RFC compliance
  • mod_maxminddb: new; obsoletes discontinued mod_geoip

Behavior Change

lighttpd now performs strict URL parsing and normalization on HTTP requests. This is configurable, but the defaults are now strict unless explicitly configured otherwise.

Enabling strict URL parsing and normalization by default provides more consistent behavior for mod_redirect and mod_rewrite, which match against the (url-encoded) URL request. However, decoding %2F by default, while generally desirable for consistency, is potentially a breaking change for those encoding URLs in the url-path and relying on the literal ‘/’ as a delimiter. For those uses, “url-path-2f-decode” => “disable” will need to be explicitly set in the lighttpd config.


The recommended settings for server.http-parseopts are the following, unless specific use requires looser settings:

      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-dotseg-remove"   => "enable",
        "url-query-20-plus"        => "enable"