2016

1.4.44

Important changes

  • support HTTP/1.1 ‘Transfer-Encoding: chunked’ request body
  • bug fixes

Downloads

Highlights

  • improvements
    • support HTTP/1.1 ‘Transfer-Encoding: chunked’ request body
    • mod_dirlisting: render dirlisting as HTML
    • mod_proxy: option to replace HTTP Host sent to backend
    • mod_proxy: proxy.balance = "sticky" option
    • mod_ssi: basic recursive SSI include virtual
    • various code portability and build fixes for older platforms
  • bug fixes
    • fix race in dynamic handler configs (reentrancy)
    • mod_cgi: fix out of sockets error for POST to CGI (1.4.43)
    • mod_scgi: fix segfault (1.4.43)
    • mod_magnet: fix magnet_cgi_set() set of env vars
    • mod_fastcgi: fix segfault if all backends down (1.4.43)

1.4.43

Important changes

  • improve FastCGI, SCGI, proxy reconnect on failure
  • bug fixes

Downloads

Highlights

  • improvements
    • improve FastCGI, SCGI, proxy reconnect on failure
    • build systems: do not build modules for which dependencies are not present
    • autobuild: use CC_FOR_BUILD for lemon when cross-compiling
    • config: warn if mod_authn_ldap,mysql not listed
    • config file remote IP conditions are valid for TLS SNI
    • mod_deflate ignore trailing ‘*’ in deflate.mimetypes
    • mod_deflate skip deflate if loadavg too high
    • mod_accesslog %{ratio}n logs compression ratio
    • mod_expire by mimetype
    • mod_evhost partial matching patterns
    • mod_dirlisting config header and readme files
  • bug fixes
    • fix potential tempfile corruption with streaming response
    • fix fd leak when using libev (1.4.42)
    • fix ssl client certificate authentication segfaults (1.4.42)
    • fix mod_scgi prefix matching to always match url

1.4.42

Important changes

  • new modules, expanded features, rewritten auth framework
  • fix bugs introduced in 1.4.40/1.4.41

Downloads

Highlights

  • new modules, expanded features
    • performance: use extended socket/file syscalls and flags
    • rewritten auth framework
      • updated mod_authn_ldap
      • new mod_authn_gssapi
      • new mod_authn_mysql
    • new mod_deflate
    • new mod_geoip
    • new mod_uploadprogress
    • mod_dirlisting sortable columns
    • mod_fastcgi support for authorizer, responder keyed with same path/extension
    • mod_cgi permit CGI exec of unreadable files
    • mod_scgi support for uwsgi protocol for Python WSGI backends
    • add some SSL_* variables to CGI environment
  • bug fixes
    • remove preemptive shutdown() to backend
    • fix backend socket connect issue: enforce wait for POLLWR after EINPROGRESS
    • fix crash if ready events on abandoned fd
    • fix broken digest auth
  • behavior changes
    • behavior change in mod_ssi to conform to same CGI env as CGI, FastCGI, SCGI:
      • REQUEST_URI is original client request, instead of URI modified by mod_rewrite.
      • DOCUMENT_ROOT changes if mod_alias or mod_userdir changes basedir.

1.4.41

Important changes

  • security fixes
  • fix bugs introduced in 1.4.40

Downloads

Highlights

  • security fixes
    • security: encode quoting chars in HTML and XML
    • security: ensure gid != 0 if server.username is set, but not server.groupname
    • security: disable stat_cache if server.follow-symlink = "disable"
    • security: httpoxy defense: do not emit HTTP_PROXY to CGI env
  • fix bugs introduced in 1.4.40 (sorry)
    • bug: lighttpd 1.4.40 might leave client sockets in TIME WAIT (FIN2_WAIT)
    • bug: lighttpd 1.4.40 times out on TLS requests with POST data
    • bug: lighttpd 1.4.40 reversed REQUEST_URI/REDIRECT_URI (now reverted)
    • bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP["remoteip"]
    • bug: lighttpd 1.4.40 rejects IPv6 addrs in $SERVER["socket"] scope identifier
    • bug: lighttpd 1.4.40 segfault in mod_accesslog if %T in custom format
    • bug: lighttpd 1.4.40 might trigger assert when converting to hex string
  • behavior changes
    • new: use TMPDIR if server.upload-dirs is not defined, “/var/tmp” if neither
    • new: inherit server.use-ipv6 and server.set-v6only from global scope
    • reverted REQUEST_URI/REDIRECT_URI to match behavior in lighttpd <= 1.4.39

Future scheduled behavior changes in lighttpd 1.4.42

  • mod_ssi will set REQUEST_URI to original, client-requested URI
    to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml

1.4.40

Important changes

  • major bug-fix release; hundreds of issues resolved in issue tracker
  • git master lighttpd source repository (migrated from svn)

Downloads

Highlights

  • improved resource management
    • asynchronous, bidirectional streaming options to dynamic backends
    • detect client disconnects and abort request to dynamic backends
    • rework dynamic handler control flow logic for consistent clean up
    • constrained memory footprint; limit memory used by large responses
  • robustness and portability
    • fallback to traditional I/O if mmap or sendfile not available
    • update support for lua 5.2, 5.3; memcached; libressl; openssl 1.1.0
    • better cygwin support; passes tests
    • better webdav support
  • selected new features
    • lighttpd -tt performs config validation and preflight startup checks
    • lighttpd -1 process single (one) request on stdin socket (e.g. xinetd)
    • lighttpd -i <secs> graceful shutdown after <secs> of inactivity
    • config file supports include file globs (e.g. include "conf.d/*.conf")
    • server.bsd-accept-filter ("httpready", "dataready")
    • server.error-handler to handle 4xx and 5xx status
    • server.http-parseopt-header-strict restrict chars allowed in HTTP headers
    • server.http-parseopt-host-strict restrict chars allowed in HTTP Host
    • server.http-parseopt-host-normalize normalize HTTP Host header
    • server.listen-backlog to configure socket listen backlog
    • server.max-request-size is now scopeable (no longer one global setting)
    • server.stream-request-body to control streaming, buffering of request
    • server.stream-response-body to control streaming, buffering of response
    • server.upload-dirs will retry in remaining dirs in list if disk full
    • accesslog.format now supports %a %A %C %D %k %{}t %{}T
    • evasive.location for 302 redirect option if limit reached
    • url.rewrite and url.redirect now short-circuit if replacement is blank
    • url.access-allow for explicit list of allowed suffixes; deny others
    • mod_cgi handles local redirect response if Location: /path?query
    • REDIRECT_URI is set for internal redirects (cgi, magnet, rewrite, errdoc)
    • REDIRECT_STATUS is set to http error status for error docs
    • mod_indexfile sets PATH_TRANSLATED_DIRINDEX if target URL begins w/ ‘/’
    • "listen-backlog" to configure socket listen backlog for FastCGI, SCGI
    • X-Sendfile for CGI and SCGI (in addition to FastCGI)

Future scheduled behavior changes in lighttpd 1.4.41

  • server.use-ipv6 = "enable" will be inherited from global scope if set. If that is not desired, add server.use-ipv6 = "disable" to the appropriate $SERVER["socket"] blocks. The same applies to server.set-v6only.
  • long-deprecated config directives will be removed. These directives are non-functional and emit a warning message if directives were renamed. After being removed, they will result in “directive unknown” warnings.