Important changes
- stronger TLS defaults (as previously announced)
- KTLS sendfile in mod_openssl and mod_gnutls, if available and enabled
- removal of deprecated modules
Behavior Changes (previously announced)
- TLS modules now default to using stronger, modern ciphers and
will default to allow client preference in selecting ciphers.
Allowing client preference in selecting ciphers is safe to do along
with restrictions to use modern ciphers supporting PFS, and is
better for mobile users without AES hardware acceleration.
Legacy ciphers can still be configured in lighttpd.conf using
`ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by
the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
new defaults:
“CipherString” => “EECDH+AESGCM:AES256+EECDH:CHACHA20:
SHA256:!SHA384”,
“Options” => “-ServerPreference”
old defaults:
“CipherString” => “HIGH”,
“Options” => “ServerPreference”
- Deprecated TLS options have been removed.
– ssl.honor-cipher-order
– ssl.dh-file
– ssl.ec-curve
– ssl.disable-client-renegotiation
– ssl.use-sslv2
– ssl.use-sslv3
See https://wiki.lighttpd.net/Docs_SSL for replacements with
`ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.
- Continue gradual deprecation of “mini-application” lighttpd modules
for which mod_magnet lua implementations are better and more flexible.
Please post on lighttpd forums to share feedback if you use these modules.
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
- Deprecated: mod_evasive has been removed.
mod_evasive can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
- Deprecated: mod_secdownload has been removed.
mod_secdownload can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available
- Deprecated: mod_uploadprogress has been removed.
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
- Deprecated: mod_usertrack has been removed.
mod_usertrack can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
mod_usertrack historically uses insecure MD5.
Behavior Changes (not previously announced)
- meson build: some opts have changed from type: ‘boolean’ to type: ‘feature’;
build scripts using -D with_example=true or =false need to change some opts
to =enabled, =disabled, or =auto
- mod_magnet: removed experimental lighty.r.req_attr[“response.*”] accessors
(added in lighttpd 1.4.56 (2020) and replaced in lighttpd 1.4.65 (2022))
(see lighty.r.req_item.http_status and lighty.r.resp_body.* replacements)
- remove libev fdevent option (ignore)
lighttpd directly uses native OS event handlers
Future Scheduled Behavior Changes
- lighttpd 1.4.68 builds common modules into the lighttpd base executable.
Separate dynamic modules are still built for the benefit of existing
packaging scripts in various distributions, but those modules are not used.
A future version of lighttpd will omit building separate modules for:
mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile
mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile
Downloads
Important changes
bugfixes
Future Scheduled Behavior Changes
- TLS modules will default to using stronger, modern ciphers and
will default to allow client preference in selecting ciphers.
Allowing client preference in selecting ciphers is safe to do along
with restrictions to use modern ciphers supporting PFS, and is
better for mobile users without AES hardware acceleration.
Legacy ciphers can still be configured in lighttpd.conf using
`ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by
the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
new defaults:
“CipherString” => “EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384”,
“Options” => “-ServerPreference”
old defaults:
“CipherString” => “HIGH”,
“Options” => “ServerPreference”
- Deprecated TLS options will be removed.
– ssl.honor-cipher-order
– ssl.dh-file
– ssl.ec-curve
– ssl.disable-client-renegotiation
– ssl.use-sslv2
– ssl.use-sslv3
See https://wiki.lighttpd.net/Docs_SSL for replacements with
`ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.
- Continue gradual deprecation of “mini-application” lighttpd modules
for which mod_magnet lua implementations are better and more flexible.
Please post on lighttpd forums to share feedback if you use these modules.
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
- Deprecated: mod_evasive will be removed.
mod_evasive can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
- Deprecated: mod_secdownload will be removed.
mod_secdownload can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available
- Deprecated: mod_uploadprogress will be removed.
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
- Deprecated: mod_usertrack will be removed.
mod_usertrack can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
mod_usertrack historically uses insecure MD5.
Downloads
Important changes
bugfixes
Future Scheduled Behavior Changes
- TLS modules will default to using stronger, modern ciphers and
will default to allow client preference in selecting ciphers.
Allowing client preference in selecting ciphers is safe to do along
with restrictions to use modern ciphers supporting PFS, and is
better for mobile users without AES hardware acceleration.
Legacy ciphers can still be configured in lighttpd.conf using
`ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by
the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
new defaults:
“CipherString” => “EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384”,
“Options” => “-ServerPreference”
old defaults:
“CipherString” => “HIGH”,
“Options” => “ServerPreference”
- Deprecated TLS options will be removed.
– ssl.honor-cipher-order
– ssl.dh-file
– ssl.ec-curve
– ssl.disable-client-renegotiation
– ssl.use-sslv2
– ssl.use-sslv3
See https://wiki.lighttpd.net/Docs_SSL for replacements with
`ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.
- Continue gradual deprecation of “mini-application” lighttpd modules
for which mod_magnet lua implementations are better and more flexible.
Please post on lighttpd forums to share feedback if you use these modules.
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
- Deprecated: mod_evasive will be removed.
mod_evasive can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
- Deprecated: mod_secdownload will be removed.
mod_secdownload can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available
- Deprecated: mod_uploadprogress will be removed.
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
- Deprecated: mod_usertrack will be removed.
mod_usertrack can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
mod_usertrack historically uses insecure MD5.
Downloads