lighttpd - Home

1.4.19 - Made in Germany

2008-03-10T23:44:00Z

Long time no see.

It has been almost half a year since 1.4.18. 6months. Jan has been working on many interesting features for 1.5. [1] Currently he ports it to glib2.

But back to 1.4.19. Yes again the release date was nailed down by a few security bugs. *cough* Nevertheless we got a ton of other nice bugfixes. All praise our new lighttpd hero Stefan Bühler. Big thank you from my side. (darix)

lighttpd_sa_2008_01.txt (patch: lighttpd-1.4.x_high_load_dos.patch)
lighttpd_sa_2008_02.txt (patch: lighttpd-1.4.x_mod_cgi_disclosure.patch)
lighttpd_sa_2008_03.txt (patch: lighttpd-1.4.x_mod_userdir_disclosure.patch)

Download

lighttpd-1.4.19.tar.gz
(sha1sum: 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee md5sum: cede410e7adee3ea14206749190a8b5d )
lighttpd-1.4.19.tar.bz2
(sha1sum: fd4450e7faae55ebe0905114722995b0c57397cc md5sum: d787374e4e4aaa09d5cfa9ab9d23ad40)

Changes

added support for If-Range: <date> (#1346)
added support for matching $HTTP["scheme"] in configs
fixed initgroups() called after chroot (#1384)
fixed case-sensitive check for Auth-Method (#1456)
execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
fixed a bug that made /-prefixed extensions being handled also when matching the end of the uri in fcgi,scgi and proxy modules (#1489)
print error if X-LIGHTTPD-send-file cannot be done; reset header Content-Length for send-file. Patches by Stefan Buehler
prevent crash in certain php-fcgi configurations (#841)
add IdleServers and Scoreboard directives in ?auto mode for mod_status (#1507)
open log immediately after daemonizing, fixes SIGPIPEs on startup (#165)
HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. (#1499)
generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491)
support letterhomes in mod_userdir (#1473)
support chained proxies in mod_extforward (#1528)
fixed bogus "cgi died ?" if we kill the CGI process on shutdown
fixed ECONNRESET handling in network-openssl
fixed handling of EAGAIN in network-linux-sendfile (#657)
reset conditional cache (#1164)
create directories in mod_compress (was broken with alias/userdir) (#1027)
fixed out of range access in fd array (#1562, #372) (CVE-2008-0983)
mod_compress should check if the request is already handled, e.g. by fastcgi (#1565)
remove broken workaround for buggy Opera version with ssl/chunked encoding (#285)
generate etag/last-modified header for on-the-fly-compressed files (#1171)
req-method OPTIONS: do not insert default response if request was denied, do not deny OPTIONS by default (#1324)
fixed memory leak on windows (#1347)
fixed building outside of the src dir (#1349)
fixed including of stdint.h/inttypes.h in etag.c (#1413)
do not add Accept-Ranges header if range-request is disabled (#1449)
log the ip of failed auth tries in error.log (enhancement #1544)
fixed RoundRobin in mod_proxy (#516)
check for symlinks after successful pathinfo matching (#1574)
fixed mod-proxy.t to run with a builddir outside of the src dir
do not suppress content on "307 Temporary Redirect" (#1412)
fixed Content-Length header if response body gets removed in connections.c (#1412, part 2)
do not generate a "Content-Length: 0" header for HEAD requests, added test too
remove compress cache file if compression or write failed (#1150)
fixed body handling of status 300 requests
spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575)
fix sending source of cgi script instead of 500 error if fork fails (CVE-2008-1111)
fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623)
fix sending "408 - Timeout" instead of "410 - Gone" for timedout urls in mod_secdownload (#1440)
workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed) (CVE-2008-1270)
make configure checks for --with-pcre, --with-zlib and --with-bzip2 failing if the headers aren't found
fixed handling of waitpid() == EINTR mod_ssi on solaris

[1] No. We don't have a release date for it. Especially not with all the big changes going on.

Mono + FastCGI

2008-01-23T16:49:00Z

Reggie pointed me to the FastCGI support for Mono. For our lighttpd they have a full featured page that should cover all possible configuration needs.

Feel free to try it out and comment on this article if it works as expected.

Giving Solaris some love

2007-10-28T10:50:00Z

Weekend time is hacking time. This weekend it is about getting 1.5.0 running nicely on Solaris and making sure lighttpd is a first class citizen there.

All tests successful (1 subtest UNEXPECTEDLY SUCCEEDED), 88 subtests skipped.
Files=22, Tests=324, 60 wallclock secs ( 1.98 cusr +  1.03 csys =  3.01 CPU)

The over all situation hasn't changed: I still don't have a solaris box here for development here and I think that's a good thing. Instead I run Nexenta (aka gnu/solaris) in a VMware on WinXP/x64. And use ssh to log into it :)

I would like to do the same with my MacOSX too. Up to now I use the MacMini (the old, PPC one) and only log in via ssh for compiling too. Turning it into a vmware image I can start up when needed would be a lot better as it doesn't require me to start another load, power-consuming box.

But back solaris:

compiles cleanly on solaris 11 with GCC
runs test-suite cleanly
detects special features and uses them (sendfilev, /dev/poll)

This should make the current trunk/ running nicely on Solaris. So, give it a try please so we can push out 1.5.0 soon.

Powered by Lighttpd

2007-04-04T06:44:00Z

lighttpd is used by many well-known sites. The typical scenario is using lighttpd as off-load server to push out static content and leave to complex work to another server.

One example is YouTube. They have a farm of servers which push out the thumbnails you see before you see the movies:

$ curl -I http://sjl-static16.sjl.youtube.com/vi/TgF_eRkfqEY/2.jpg
HTTP/1.1 200 OK
Content-Type: image/jpeg
ETag: "983726135810477085"
Accept-Ranges: bytes
Last-Modified: Fri, 03 Feb 2006 04:32:53 GMT
Content-Length: 3495
Date: Wed, 04 Apr 2007 06:49:51 GMT
Server: lighttpd-aio/1.4.11.8

As you see in the name-scheme, there are some more of those servers pushing out content.

On wikipedia they run at least 2 servers with lighttpd:

upload.wikimedia.org
download.wikimedia.org

While download is used to distribute the SQL dumps of the database when tend to grow above the magic 4GByte border, upload is used to push out all the images and resize them when necessary.

$ curl -I http://upload.wikimedia.org/wikipedia/commons/thumb/2/21/Mandel_zoom_00_mandelbrot_set.jpg/250px-Mandel_zoom_00_mandelbrot_set.jpg
HTTP/1.0 200 OK
Content-Type: image/jpeg
ETag: "6460328581220324712"
Accept-Ranges: bytes
Last-Modified: Mon, 04 Dec 2006 22:24:53 GMT
Content-Length: 5973
Date: Wed, 14 Mar 2007 11:16:19 GMT
Server: lighttpd/1.4.13
X-Cache: HIT from sq13.wikimedia.org
X-Cache-Lookup: HIT from sq13.wikimedia.org:3128
X-Cache: HIT from knsq12.knams.wikimedia.org
X-Cache-Lookup: HIT from knsq12.knams.wikimedia.org:3128
Age: 6265
X-Cache: HIT from knsq10.knams.wikimedia.org
X-Cache-Lookup: HIT from knsq10.knams.wikimedia.org:80
Via: 1.0 sq13.wikimedia.org:3128 (squid/2.6.STABLE12), 1.0 knsq12.knams.wikimedia.org:3128 (squid/2.6.STABLE12), 1.0 knsq10.knams.wikimedia.org:80 (squid/2.6.STABLE12)
Connection: close