January 27, 2019

Important changes

TLS-ALPN-01, systemd socket activation, bug fixes

Future scheduled behavior change (Q1 2019)

Beginning in Q1 2019, lighttpd defaults are scheduled to change to perform limited URL normalization on HTTP requests.

Since lighttpd 1.4.50, this URL normalization is available with server.http-parseopts <https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails>. The lighttpd default will become server.http-parseopts = (“url-normalize-unreserved” => “enable”, “url-path-2f-decode” => “enable”) unless server.http-parseopts is explicitly set in the lighttpd config. Enabling URL normalization by default will provide more consistent behavior for mod_redirect and mod_rewrite, which match against the (url-encoded) URL request. However, decoding %2F by default, while generally desirable for consistency, is potentially a breaking change for those encoding URLs in the url-path and relying on the literal ‘/’ as a delimiter. For those uses, “url-path-2f-decode” => “disable” will need to be explicitly set in the lighttpd config.


The recommended settings for server.http-parseopts are the following, unless specific use requires looser settings:

      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-dotseg-remove"   => "enable",
        "url-query-20-plus"        => "enable"


Changes from 1.4.52

  • [mod_cml,mod_flv_streaming] fix NULL ptr deref
  • [mod_simple_vhost] t/test_mod_simple_vhost
  • [mod_evhost] split uri handler func for testing
  • [mod_evhost] restructure for unit tests
  • [mod_evhost] t/test_mod_evhost
  • [mod_access] restructure for unit tests
  • [mod_access] t/test_mod_access
  • [tests] include first.h and NDEBUG early
  • [core] use kill_signal for gw_proc_kill()
  • [tests] t/test_keyvalue
  • [tests] some test config cleanup
  • [tests] update skip count in mod-fastcgi.t
  • [multiple] reduce initial buffer sz if large POST (fixes #2922)
  • [mod_fastcgi] fix NULL ptr deref from bugfix #2922 (fixes #2923)
  • [tests] more test config cleanup
  • [core] perf: incremental hash of pathname w/o copy
  • [core] perf: reuse buffer to redirect to directory
  • [core] do not free() reused buffer
  • [core] use connected sock port in dir redirect
  • [core] http_response_buffer_append_authority()
  • [core] use con→server_name for dir redir
  • [core] memeq compare rounded to 64, not next 1M
  • [core] define MD5_DIGEST_LENGTH 16
  • [mod_auth] permit additional auth backends to load
  • [core] send Connection: close if reqbody not read (fixes #2924)
  • [core] cache rev DNS for localhost for dir redir
  • [doc/conf] resolve some mime type conflicts from debian buster, regenerate mime.conf
  • [core] move winsock init to network_init()
  • [core] move /dev/stdin graceful restart handling
  • [core] network_srv_sockets_append() shared code
  • [core] systemd socket activation support
  • [build] autotools: try mysqlclient.pc and mariadb.pc (fixes #2925)
  • [mod_expire] look up expire fallback "" explicitly
  • [multiple] calloc match ptr type (clang —analyze)
  • [multiple] quiet clang —analyze where trivial
  • [mod_webdav] compare COPY, MOVE Destination scheme
  • [core] con→uri.scheme is maintained lowercase
  • [mod_openssl] ALPN and acme-tls/1 (fixes #2931)
  • [core] Fix recursive include_shell invocations
  • [mod_openssl] ssl.privkey directive (optional)