lighttpd (pronounced /lighty/) is a secure, fast, compliant, and very flexible web server that has been optimized for high-performance environments. lighttpd uses memory and CPU efficiently and has lower resource use than other popular web servers. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and much more) makes lighttpd the perfect web server for all systems, small and large. lighttpd is released under the Open Source revised BSD license.

lighttpd wiki and documentation


News

1.4.75

March 13, 2024

Important changes

  • incrementally stronger TLS cipher defaults; bug fixes

Downloads

Behavior Changes: (previously announced)

  • TLS cipher defaults have been incrementally updated to stronger defaults. New defaults are forward-secret and support authenticated encryption (AEAD).
    New defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'
    Previous defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'
    Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults (and supported clients, i.e. those which have not already reached end-of-life).
    Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
  • mod_redirect: default url.redirect-code for HTTP/1.1 and later has been changed from 301 Moved Permanently to 308 Permanent Redirect (only if url.redirect is not explicitly set in lighttpd.conf).
    RFC7538: https://datatracker.ietf.org/doc/html/rfc7538 (published almost 9 years ago)
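
Added example (not part of the lighttpd release notes or of lighttpd itself): a Python check that expands the two cipher strings quoted in the TLS item above with the OpenSSL build linked into the local interpreter, lists what the new default drops, and flags any suite that is not ECDHE with AEAD. Function names are illustrative, and the exact suite lists depend on the local OpenSSL version.

```python
"""Compare lighttpd's previous and new default TLS cipher strings
using the OpenSSL library linked into this Python interpreter."""
import ssl

# Cipher strings exactly as quoted in the release notes.
NEW_DEFAULT = "EECDH+AESGCM:CHACHA20:!PSK:!DHE"
PREVIOUS_DEFAULT = "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"


def expand(cipher_string):
    """Return {suite name: details} for the suites a cipher string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: c for c in ctx.get_ciphers()}


def is_tls13(suite):
    # TLS 1.3 suites are configured separately from the cipher string,
    # so OpenSSL lists them whatever string is passed to set_ciphers().
    return suite["protocol"] == "TLSv1.3"


def not_ecdhe_aead(cipher_string):
    """Pre-TLS 1.3 suites that are not (ECDHE key exchange + AEAD cipher)."""
    return sorted(
        name for name, s in expand(cipher_string).items()
        if not is_tls13(s) and not (s["aead"] and s["kea"] == "kx-ecdhe")
    )


def dropped_by_new_default():
    """Suites enabled by the previous default but not by the new one."""
    return sorted(set(expand(PREVIOUS_DEFAULT)) - set(expand(NEW_DEFAULT)))


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("New default enables:")
    for name, s in expand(NEW_DEFAULT).items():
        print(f"  {name:<34} {s['protocol']:<8} {s['kea']}")
    print("Dropped relative to previous default:")
    for name in dropped_by_new_default():
        print("  " + name)
    print("Not ECDHE+AEAD under new default:", not_ecdhe_aead(NEW_DEFAULT) or "none")
```

Run it on the host that serves TLS (or one with the same OpenSSL package) before upgrading, and compare the dropped list against the suites your clients actually negotiate.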

Future Scheduled Behavior Changes: (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3. Other configurations will still be supported, but will not be the default.
    Proposed default: MinProtocol TLSv1.3
    Current default: MinProtocol TLSv1.2
  • server.error-handler-404 will operate only on 404 (historical error: server.error-handler-404 operated on both 404 and 403).
    Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses.
    Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high performance mechanism to produce dynamic error pages.
    https://wiki.lighttpd.net/mod_magnet

Changes from 1.4.74

  • [mod_redirect] url.redirect-code = 308 new default
  • [ls-hpack] more portability fixes for sys/queue.h
  • [ls-hpack] update version to 2.3.3
  • [TLS] default to stronger ciphers w/ PFS and AEAD
  • [ci] apt-get install build-essential on Ubuntu
  • [ci] /usr/local/opt keg-only pkgs on Darwin(macOS)
  • [mod_authn_sasl] translate SASL_LOG_* to syslog
  • [build] include src/compat/sys/queue.h in tarball
  • [core] fdlog_openlog(), fdlog_closelog()
  • [mod_accesslog] fdlog_openlog() if using syslog
  • [cmake] fix LEMON_PATH with empty CMAKE_BUILD_TYPE
  • [ci] limit github ci to specific branches
  • [ci] prefer non-login shell for Cygwin CI build
  • [ci] prefer dash for Cygwin and MSYS2 builds
  • [mod_wstunnel] fix server.ping-interval w/ HTTP/2
  • [mod_dirlisting] fix suffix display of ‘/’ on file (fixes #3242)
  • [mod_openssl] use internal asn1_time fn on 32-bit (fixes #3244)
  • [mod_openssl] faster ASN1_TIME parse
  • [mod_wolfssl] faster ASN1_TIME parse
  • [doc] update TLS comment in sample lighttpd.conf