Important changes
- new modules, expanded features, rewritten auth framework
- fix bugs introduced in 1.4.40/1.4.41
Downloads
Highlights
- new modules, expanded features
- performance: use extended socket/file syscalls and flags
- rewritten auth framework
- updated mod_authn_ldap
- new mod_authn_gssapi
- new mod_authn_mysql
- new mod_deflate
- new mod_geoip
- new mod_uploadprogress
- mod_dirlisting sortable columns
- mod_fastcgi support for authorizer, responder keyed with same path/extension
- mod_cgi permit CGI exec of unreadable files
- mod_scgi support for uwsgi protocol for Python WSGI backends
- add some SSL_* variables to CGI environment
- bug fixes
- remove preemptive shutdown() to backend
- fix backend socket connect issue: enforce wait for POLLWR after EINPROGRESS
- fix crash if ready events on abandoned fd
- fix broken digest auth
- behavior changes
- behavior change in mod_ssi to conform to same CGI env as CGI, FastCGI, SCGI:
- REQUEST_URI is original client request, instead of URI modified by mod_rewrite.
- DOCUMENT_ROOT changes if mod_alias or mod_userdir changes basedir.
Important changes
- security fixes
- fix bugs introduced in 1.4.40
Downloads
Highlights
- security fixes
- security: encode quoting chars in HTML and XML
- security: ensure gid != 0 if server.username is set, but not server.groupname
- security: disable stat_cache if server.follow-symlink = “disable”
- security: httpoxy defense: do not emit HTTP_PROXY to CGI env
- fix bugs introduced in 1.4.40 (sorry)
- bug: lighttpd 1.4.40 might leave client sockets in TIME WAIT (FIN2_WAIT)
- bug: lighttpd 1.4.40 times out on TLS requests with POST data
- bug: lighttpd 1.4.40 reversed REQUEST_URI/REDIRECT_URI (now reverted)
- bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP[“remoteip”]
- bug: lighttpd 1.4.40 rejects IPv6 addrs in $SERVER[“socket”] scope identifier
- bug: lighttpd 1.4.40 segfault in mod_accesslog if %T in custom format
- bug: lighttpd 1.4.40 might trigger assert when converting to hex string
- behavior changes
- new: use TMPDIR if server.upload-dirs is not defined, “/var/tmp” if neither
- new: inherit server.use-ipv6 and server.set-v6only from global scope
- reverted REQUEST_URI/REDIRECT_URI to match behavior in lighttpd <= 1.4.39
Future scheduled behavior changes in lighttpd 1.4.42
- mod_ssi will set REQUEST_URI to original, client-requested URI
to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml
Important changes
- major bug-fix release; hundreds of issues resolved in issue tracker
- git master lighttpd source repository (migrated from svn)
Downloads
Highlights
- improved resource management
- asynchronous, bidirectional streaming options to dynamic backends
- detect client disconnects and abort request to dynamic backends
- rework dynamic handler control flow logic for consistent clean up
- constrained memory footprint; limit memory used by large responses
- robustness and portability
- fallback to traditional I/O if mmap or sendfile not available
- update support for lua 5.2, 5.3; memcached; libressl; openssl 1.1.0
- better cygwin support; passes tests
- better webdav support
- selected new features
- lighttpd -tt performs config validation and preflight startup checks
- lighttpd -1 process single (one) request on stdin socket (e.g. xinetd)
- lighttpd -i graceful shutdown after of inactivity
- config file supports include file globs (e.g. include “conf.d/*.conf”)
- server.bsd-accept-filter (“httpready”, “dataready”)
- server.error-handler to handle 4xx and 5xx status
- server.http-parseopt-header-strict restrict chars allowed in HTTP headers
- server.http-parseopt-host-strict restrict chars allowed in HTTP Host
- server.http-parseopt-host-normalize normalize HTTP Host header
- server.listen-backlog to configure socket listen backlog
- server.max-request-size is now scopeable (no longer one global setting)
- server.stream-request-body to control streaming, buffering of request
- server.stream-response-body to control streaming, buffering of response
- server.upload-dirs will retry in remaining dirs in list if disk full
- accesslog.format now supports %a %A %C %D %k %{}t %{}T
- evasive.location for 302 redirect option if limit reached
- url.rewrite and url.redirect now short-circuit if replacement is blank
- url.access-allow for explicit list of allowed suffixes; deny others
- mod_cgi handles local redirect response if Location: /path?query
- REDIRECT_URI is set for internal redirects (cgi, magnet, rewrite, errdoc)
- REDIRECT_STATUS is set to http error status for error docs
- mod_indexfile sets PATH_TRANSLATED_DIRINDEX if target URL begins w/ ‘/’
- “listen-backlog” to configure socket listen backlog for FastCGI, SCGI
- X-Sendfile for CGI and SCGI (in addition to FastCGI)
Future scheduled behavior changes in lighttpd 1.4.41
- server.use-ipv6 = “enable” will be inherited from global scope if set, so if that is not what is desired, add server.use-ipv6 = “disable” to appropriate $SERVER[“socket”] blocks. Similar for server.set-v6only.
- long-deprecated config directives will be removed. These directives are non-functional and emit a warning message if directives were renamed. After being removed, they will result in “directive unknown” warnings.