releases

1.4.74

Important changes

bug fixes, portability, expand CI

Downloads

Behavior Changes:

  • Some messages sent to syslog() (if enabled in lighttpd config) have been changed to use different priorities (e.g. LOG_WARNING, LOG_DEBUG) instead of everything being sent with LOG_ERROR priority. The change affects only lighttpd configs which set server.errorlog-use-syslog = "enable" (not default).
  • Use sendfile() with musl libc; fix build detection of sendfile() w/ musl libc. Please report any issues, though any issues are unexpected since lighttpd falls back to writev() if sendfile() fails.

Future Scheduled Behavior Changes: (for the next lighttpd release)

  • TLS cipher defaults will be incrementally updated to stronger defaults.
    Proposed defaults are forward-secret and support authenticated encryption (AEAD).
    Proposed defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'
    Current defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'
    Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults (and supported clients, i.e. those which have not already reached end-of-life).
    Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
  • mod_redirect: default url.redirect-code for HTTP/1.1 and later will be changed from 301 Moved Permanently to 308 Permanent Redirect (only if url.redirect is not explicitly set in lighttpd.conf).
    RFC7538: https://datatracker.ietf.org/doc/html/rfc7538 (published almost 9 years ago)

Future Scheduled Behavior Changes: (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3.
    Other configurations will still be supported, but will not be the default.
    Proposed default: MinProtocol TLSv1.3
    Current default: MinProtocol TLSv1.2

1.4.71

Important changes

  • bugfixes and portability; HTTP/2 support separated to mod_h2 module

Downloads

Behavior Changes (previously announced):

  • HTTP/2 support will be split out into optional separate module (mod_h2)
    (static builds will need to list mod_h2 in plugin-static.h to include mod_h2)

1.4.70

Important changes

  • speed up CGI spawning
  • native Windows build (experimental) (not packaged; no installer)
  • support HTTP/2 downstream proxy serving multiple clients on single connection (mod_extforward, mod_maxminddb)
  • restructure code to isolate HTTP/2

Downloads

Behavior Changes (previously announced):

  • no longer building separate modules for built-in modules
    lighttpd 1.4.70 omits building separate (unused) modules for:
    mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile

Future Scheduled Behavior Changes:

  • HTTP/2 support will be split out into optional separate module (mod_h2)
    (static builds will need to list mod_h2 in plugin-static.h to include mod_h2)

1.4.69

Important changes

  • bugfixes, portability

Downloads

Future Scheduled Behavior Changes:

  • lighttpd 1.4.68 builds common modules into the lighttpd base executable.
    Separate dynamic modules are still built for the benefit of existing packaging scripts in various distributions, but those modules are not used.
    A future version of lighttpd will omit building separate modules for:
    mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile

1.4.68

Important changes

  • stronger TLS defaults (as previously announced)
  • KTLS sendfile in mod_openssl and mod_gnutls, if available and enabled
  • removal of deprecated modules

Behavior Changes (previously announced)

  • TLS modules now default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers.
    Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration.
    Legacy ciphers can still be configured in lighttpd.conf using `ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by the underlying TLS libraries.
    Also see https://wiki.lighttpd.net/Docs_SSL
    • new defaults:
      • "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
      • "Options" => "-ServerPreference"
    • old defaults:
      • "CipherString" => "HIGH"
      • "Options" => "ServerPreference"
  • Deprecated TLS options have been removed.

    • ssl.honor-cipher-order
    • ssl.dh-file
    • ssl.ec-curve
    • ssl.disable-client-renegotiation
    • ssl.use-sslv2
    • ssl.use-sslv3

    See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.

  • Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.
    Please post on lighttpd forums to share feedback if you use these modules.
    Forums: https://redmine.lighttpd.net/projects/lighttpd/boards

  • Deprecated: mod_evasive has been removed.
    mod_evasive can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
    https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
    https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security

  • Deprecated: mod_secdownload has been removed.
    mod_secdownload can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
    mod_secdownload historically uses insecure MD5, though SHA1 and SHA256 are available.

  • Deprecated: mod_uploadprogress has been removed.
    mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress

  • Deprecated: mod_usertrack has been removed.
    mod_usertrack can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
    mod_usertrack historically uses insecure MD5.

Behavior Changes (not previously announced)

  • meson build: some opts have changed from type: 'boolean' to type: 'feature'; build scripts using -D with_example=true or =false need to change some opts to =enabled, =disabled, or =auto
  • mod_magnet: removed experimental lighty.r.req_attr["response.*"] accessors (added in lighttpd 1.4.56 (2020) and replaced in lighttpd 1.4.65 (2022)) (see lighty.r.req_item.http_status and lighty.r.resp_body.* replacements)
  • remove libev fdevent option (ignore)
    lighttpd directly uses native OS event handlers

Future Scheduled Behavior Changes

  • lighttpd 1.4.68 builds common modules into the lighttpd base executable.
    Separate dynamic modules are still built for the benefit of existing packaging scripts in various distributions, but those modules are not used.
    A future version of lighttpd will omit building separate modules for:
    mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile

Downloads

1.4.67

Important changes

bugfixes

Future Scheduled Behavior Changes

  • TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using ssl.openssl.ssl-conf-cmd, as long as the ciphers are supported by the underlying TLS libraries.
    https://wiki.lighttpd.net/Docs_SSL
    • new defaults:
      • "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
      • "Options" => "-ServerPreference"
    • old defaults:
      • "CipherString" => "HIGH"
      • "Options" => "ServerPreference"
  • Deprecated TLS options will be removed.

    • ssl.honor-cipher-order
    • ssl.dh-file
    • ssl.ec-curve
    • ssl.disable-client-renegotiation
    • ssl.use-sslv2
    • ssl.use-sslv3

    See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.

  • Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.
    Please post on lighttpd forums to share feedback if you use these modules.
    Forums: https://redmine.lighttpd.net/projects/lighttpd/boards

  • Deprecated: mod_evasive will be removed.
    mod_evasive can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
    https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
    https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security

  • Deprecated: mod_secdownload will be removed.
    mod_secdownload can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
    mod_secdownload historically uses insecure MD5, though SHA1 and SHA256 are available.

  • Deprecated: mod_uploadprogress will be removed.
    mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress

  • Deprecated: mod_usertrack will be removed.
    mod_usertrack can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
    mod_usertrack historically uses insecure MD5.

Downloads

1.4.66

Important changes

bugfixes

Future Scheduled Behavior Changes

Downloads

1.4.65

Important changes

WebSockets over HTTP/2, bugfixes

Highlights

  • WebSockets over HTTP/2
    RFC 8441 Bootstrapping WebSockets with HTTP/2
  • HTTP/2 PRIORITY_UPDATE
    RFC 9218 Extensible Prioritization Scheme for HTTP
  • prefix/suffix conditions in lighttpd.conf
  • mod_webdav safe partial-PUT
    webdav.opts += ("partial-put-copy-modify" => "enable")
  • mod_accesslog option: accesslog.escaping = "json"
  • mod_deflate libdeflate build option
  • speed up request body uploads via HTTP/2

Behavior Changes

  • change default server.max-keep-alive-requests = 1000 to adjust to increasing HTTP/2 usage and to web2/web3 application usage (prior default was 100)
  • mod_status HTML now includes HTTP/2 control stream id 0 in the output which contains aggregate counts for the HTTP/2 connection
    (These lines can be identified with URL '*', part of "PRI *" preface)
    alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
  • MIME type application/javascript is translated to text/javascript (RFC 9239)

Future Scheduled Behavior Changes

  • TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using ssl.openssl.ssl-conf-cmd, as long as the ciphers are supported by the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
    • new defaults:
      • "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
      • "Options" => "-ServerPreference"
    • old defaults:
      • "CipherString" => "HIGH"
      • "Options" => "ServerPreference"
  • Deprecated TLS options will be removed.
    • ssl.honor-cipher-order
    • ssl.dh-file
    • ssl.ec-curve
    • ssl.disable-client-renegotiation
    • ssl.use-sslv2
    • ssl.use-sslv3

    See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.

  • Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.
    Please post on lighttpd forums to share feedback if you use these modules.
    Forums: https://redmine.lighttpd.net/projects/lighttpd/boards

  • Deprecated: mod_evasive will be removed.
    mod_evasive can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
    https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
    https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security

  • Deprecated: mod_secdownload will be removed.
    mod_secdownload can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
    mod_secdownload historically uses insecure MD5, though SHA1 and SHA256 are available.

  • Deprecated: mod_uploadprogress will be removed.
    mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress

  • Deprecated: mod_usertrack will be removed.
    mod_usertrack can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
    mod_usertrack historically uses insecure MD5.

Downloads