Skip to content

Home

1.4.71

Important changes

  • bugfixes and portability; HTTP/2 support separated to mod_h2 module

Downloads

Behavior Changes (previously announced):

  • http/2 support will be split out into optional separate module (mod_h2)\ (static builds will need to list mod_h2 in plugin-static.h to include mod_h2)

1.4.70

Important changes

  • speed up CGI spawning
  • native Windows build (experimental) (not packaged; no installer)
  • support HTTP/2 downstream proxy serving multiple clients on single connection (mod_extforward, mod_maxminddb)
  • restructure code to isolate HTTP/2

Downloads

Behavior Changes (previously announced):

  • no longer building separate modules for built-in modules\ lighttpd 1.4.70 omits building separate (unused) modules for:\ mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile\ mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile

Future Scheduled Behavior Changes:

  • HTTP/2 support will be split out into optional separate module (mod_h2)\ (static builds will need to list mod_h2 in plugin-static.h to include mod_h2)
  • in releases
  • 2 min read

1.4.69

Important changes

  • bugfixes, portability

Downloads

Future Scheduled Behavior Changes:

  • lighttpd 1.4.68 builds common modules into the lighttpd base executable.\ Separate dynamic modules are still built for the benefit of existing\ packaging scripts in various distributions, but those modules are not used.\ A future version of lighttpd will omit building separate modules for:\ mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile\ mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile
  • in releases
  • 5 min read

1.4.68

Important changes

  • stronger TLS defaults (as previously announced)
  • KTLS sendfile in mod_openssl and mod_gnutls, if available and enabled
  • removal of deprecated modules

Behavior Changes (previously announced)

  • TLS modules now default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers.\ Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration.
    Legacy ciphers can still be configured in lighttpd.conf using `ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by the underlying TLS libraries.
    Also see https://wiki.lighttpd.net/Docs_SSL
    • new defaults:
      • "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
      • "Options" => "-ServerPreference"
    • old defaults:
      • "CipherString" => "HIGH"
      • "Options" => "ServerPreference"

  • Deprecated TLS options have been removed.

    • ssl.honor-cipher-order
    • ssl.dh-file
    • ssl.ec-curve
    • ssl.disable-client-renegotiation
    • ssl.use-sslv2
    • ssl.use-sslv3

    See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.

  • Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.
    Please post on lighttpd forums to share feedback if you use these modules.
    Forums: https://redmine.lighttpd.net/projects/lighttpd/boards

  • Deprecated: mod_evasive has been removed.
    mod_evasive can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security

  • Deprecated: mod_secdownload has been removed.
    mod_secdownload can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
    mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available

  • Deprecated: mod_uploadprogress has been removed.
    mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress

  • Deprecated: mod_usertrack has been removed. mod_usertrack can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
    mod_usertrack historically uses insecure MD5.

Behavior Changes (not previously announced)

  • meson build: some opts have changed from type: ‘boolean’ to type: ‘feature’; build scripts using -D with_example=true or =false need to change some opts to =enabled, =disabled, or =auto
  • mod_magnet: removed experimental lighty.r.req_attr[“response.*“] accessors (added in lighttpd 1.4.56 (2020) and replaced in lighttpd 1.4.65 (2022)) (see lighty.r.req_item.http_status and lighty.r.resp_body.* replacements)
  • remove libev fdevent option (ignore)
    lighttpd directly uses native OS event handlers

Future Scheduled Behavior Changes

  • lighttpd 1.4.68 builds common modules into the lighttpd base executable.
    Separate dynamic modules are still built for the benefit of existing packaging scripts in various distributions, but those modules are not used.
    A future version of lighttpd will omit building separate modules for:
    mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile

Downloads

  • in releases
  • 2 min read

1.4.67

Important changes

bugfixes

Future Scheduled Behavior Changes

  • TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using ssl.openssl.ssl-conf-cmd, as long as the ciphers are supported by the underlying TLS libraries.
    https://wiki.lighttpd.net/Docs_SSL
    • new defaults:
      • "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
      • "Options" => "-ServerPreference"
    • old defaults:
      • "CipherString" => "HIGH"
      • "Options" => "ServerPreference"

  • Deprecated TLS options will be removed.

    • ssl.honor-cipher-order
    • ssl.dh-file
    • ssl.ec-curve
    • ssl.disable-client-renegotiation
    • ssl.use-sslv2
    • ssl.use-sslv3

    See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.

  • Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.\ Please post on lighttpd forums to share feedback if you use these modules.
    Forums: https://redmine.lighttpd.net/projects/lighttpd/boards

  • Deprecated: mod_evasive will be removed.
    mod_evasive can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
    https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
    https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security

  • Deprecated: mod_secdownload will be removed.
    mod_secdownload can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
    mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available

  • Deprecated: mod_uploadprogress will be removed.
    mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress

  • Deprecated: mod_usertrack will be removed.
    mod_usertrack can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
    mod_usertrack historically uses insecure MD5.

Downloads

1.4.66

Important changes

bugfixes

Future Scheduled Behavior Changes

Downloads

1.4.65

Important changes

WebSockets over HTTP/2, bugfixes

Highlights

  • WebSockets over HTTP/2\ RFC 8441 Bootstrapping WebSockets with HTTP/2
  • HTTP/2 PRIORITY_UPDATE\ RFC 9218 Extensible Prioritization Scheme for HTTP
  • prefix/suffix conditions in lighttpd.conf
  • mod_webdav safe partial-PUT\ webdav.opts += (“partial-put-copy-modify” => “enable”)
  • mod_accesslog option: accesslog.escaping = “json”
  • mod_deflate libdeflate build option
  • speed up request body uploads via HTTP/2

Behavior Changes

  • change default server.max-keep-alive-requests = 1000 to adjust to increasing HTTP/2 usage and to web2/web3 application usage (prior default was 100)
  • mod_status HTML now includes HTTP/2 control stream id 0 in the output which contains aggregate counts for the HTTP/2 connection\ (These lines can be identified with URL ‘*‘, part of “PRI *” preface)\ alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
  • MIME type application/javascript is translated to text/javascript (RFC 9239)

Future Scheduled Behavior Changes

  • TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using ssl.openssl.ssl-conf-cmd, as long as the ciphers are supported by the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
    • new defaults:
      • "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
      • "Options" => "-ServerPreference"
    • old defaults:
      • "CipherString" => "HIGH"
      • "Options" => "ServerPreference"
  • Deprecated TLS options will be removed.
    • ssl.honor-cipher-order
    • ssl.dh-file
    • ssl.ec-curve
    • ssl.disable-client-renegotiation
    • ssl.use-sslv2
    • ssl.use-sslv3 See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.
  • Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.\ Please post on lighttpd forums to share feedback if you use these modules.\ Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
  • Deprecated: mod_evasive will be removed.\ mod_evasive can be replaced by mod_magnet and a few lines of lua:\ Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive \ https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS \ https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
  • Deprecated: mod_secdownload will be removed.\ mod_secdownload can be replaced by mod_magnet and a few lines of lua:\ Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload \ mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available
  • Deprecated: mod_uploadprogress will be removed.\ mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:\ Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
  • Deprecated: mod_usertrack will be removed.\ mod_usertrack can be replaced by mod_magnet and a few lines of lua:\ Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack \ mod_usertrack historically uses insecure MD5.

Downloads

  • in releases
  • 3 min read

1.4.64

Important changes

  • remove deprecated modules, bugfixes, CVE-2022-22707 (rare configs)

Downloads

Behavior Changes

(previously announced and scheduled)

  • graceful restart/shutdown timeout changed from 0 (disabled) to 8 seconds
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 8)
  • build: lighttpd defaults to —with-pcre2 instead of —with-pcre
    pcre2 is current. pcre is no longer maintained.
    Explicitly specify —with-pcre in build to use pcre instead of pcre2.
  • deprecated modules (previously announced) have been removed
  • in releases
  • 2 min read

1.4.63

Important changes

bugfixes

Downloads

FUTURE SCHEDULED BEHAVIOR CHANGES (estimated Jan 2022):

  • graceful restart/shutdown default timeout will change from 0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)\ configure an alternative with:\ server.feature-flags += (“server.graceful-shutdown-timeout” => 5)
  • lighttpd (optional) dependencies on libev and on FAM are deprecated.\ lighttpd event loop and file monitoring use native OS interfaces\ except on obscure platforms. FAM and gamin appear to be abandoned.\ Package maintainers on Linux and *BSD: please remove —with-libev and —with-fam from package builds\ lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.\ lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.
  • lighttpd will default to —with-pcre2 instead of —with-pcre\ pcre2 is current. pcre is no longer maintained.\ Explicitly specify —with-pcre in build to use pcre instead of pcre2.

https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated

  • mod_compress is DEPRECATED; use mod_deflate\ mod_compress has been subsumed by mod_deflate\ Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb\ Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi\ Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql\ Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet\ Note: mod_cml will be removed from a future lighttpd release
  • mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))\ Note: mod_flv_streaming will be removed from a future lighttpd release\ (Note: can be replaced with a few lines of lua code and mod_magnet)\ (sample script flv-streaming.lua is posted at\ https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )\ Adobe Flash is deprecated and support has been removed from modern clients
  • mod_trigger_b4_dl is DEPRECATED; use mod_magnet\ Note: mod_trigger_b4_dl will be removed from a future lighttpd release\ (Note: can be replaced with a few lines of lua code and mod_magnet)\ (sample script mod_trigger_b4_dl.lua is posted at\ https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )