TLS cipher defaults have been incrementally updated to stronger defaults
New defaults are forward-secret and support authenticated encryption (AEAD)
New defaults: openssl ciphers ‘EECDH+AESGCM:CHACHA20:!PSK:!DHE’
Previous defaults: openssl ciphers ‘EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384’
Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults
(and supported clients, i.e. those which have not already reached end-of-life).
Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
mod_redirect: default url.redirect-code for HTTP/1.1 and later has been
changed from 301 Moved Permanently to 308 Permanent Redirect
(only if url.redirect is not explicitly set in lighttpd.conf)
RFC7538: https://datatracker.ietf.org/doc/html/rfc7538
(published almost 9 years ago)
lighttpd TLS defaults will change to MinProtocol TLSv1.3
Other configurations will still be supported, but will not be the default.
Proposed default: MinProtocol TLSv1.3
Current default: MinProtocol TLSv1.2
server.error-handler-404 will operate only on 404
(historical error: server.error-handler-404 operated on both 404 and 403)
Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
to produce dynamic error pages for 4xx and 5xx responses.
Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
is an additional, high performance mechanism to produce dynamic error pages.
https://wiki.lighttpd.net/mod_magnet
Some messages sent to syslog() (if enabled in lighttpd config) have been
changed to use different priorities (e.g. LOG_WARNING, LOG_DEBUG) instead
of everything being sent with LOG_ERROR priority. The change affects only
lighttpd configs which set server.errorlog-use-syslog = “enable” (not default)
Use sendfile() with musl libc; fix build detection of sendfile() w/ musl libc
Please report any issues, though any issues are unexpected since
lighttpd falls back to writev() if sendfile() fails.
TLS cipher defaults will be incrementally updated to stronger defaults
Proposed defaults are forward-secret and support authenticated encryption (AEAD)
Proposed defaults: openssl ciphers ‘EECDH+AESGCM:CHACHA20:!PSK:!DHE’
Current defaults: openssl ciphers ‘EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384’
Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults
(and supported clients, i.e. those which have not already reached end-of-life).
Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
mod_redirect: default url.redirect-code for HTTP/1.1 and later will be
changed from 301 Moved Permanently to 308 Permanent Redirect
(only if url.redirect is not explicitly set in lighttpd.conf)
RFC7538: https://datatracker.ietf.org/doc/html/rfc7538
(published almost 9 years ago)
lighttpd TLS defaults will change to MinProtocol TLSv1.3
Other configurations will still be supported, but will not be the default.
Proposed default: MinProtocol TLSv1.3
Current default: MinProtocol TLSv1.2
no longer building separate modules for built-in modules\
lighttpd 1.4.70 omits building separate (unused) modules for:\
mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile\
mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile
lighttpd 1.4.68 builds common modules into the lighttpd base executable.\
Separate dynamic modules are still built for the benefit of existing\
packaging scripts in various distributions, but those modules are not used.\
A future version of lighttpd will omit building separate modules for:\
mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile\
mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile
TLS modules now default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers.\
Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration.
Legacy ciphers can still be configured in lighttpd.conf using `ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by the underlying TLS libraries.
Also see https://wiki.lighttpd.net/Docs_SSL
See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.
Continue gradual deprecation of “mini-application” lighttpd modules
for which mod_magnet lua implementations are better and more flexible.
Please post on lighttpd forums to share feedback if you use these modules.
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
Deprecated: mod_evasive has been removed.
mod_evasive can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
Deprecated: mod_secdownload has been removed.
mod_secdownload can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available
Deprecated: mod_uploadprogress has been removed.
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
Deprecated: mod_usertrack has been removed.
mod_usertrack can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
mod_usertrack historically uses insecure MD5.
meson build: some opts have changed from type: ‘boolean’ to type: ‘feature’;
build scripts using -D with_example=true or =false need to change some opts
to =enabled, =disabled, or =auto
mod_magnet: removed experimental lighty.r.req_attr[“response.*“] accessors
(added in lighttpd 1.4.56 (2020) and replaced in lighttpd 1.4.65 (2022))
(see lighty.r.req_item.http_status and lighty.r.resp_body.* replacements)
lighttpd 1.4.68 builds common modules into the lighttpd base executable.
Separate dynamic modules are still built for the benefit of existing packaging scripts in various distributions, but those modules are not used.
A future version of lighttpd will omit building separate modules for:
mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile
TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using ssl.openssl.ssl-conf-cmd, as long as the ciphers are supported by the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.\
Please post on lighttpd forums to share feedback if you use these modules.
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
Deprecated: mod_evasive will be removed.
mod_evasive can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
Deprecated: mod_secdownload will be removed.
mod_secdownload can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available
Deprecated: mod_uploadprogress will be removed.
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
Deprecated: mod_usertrack will be removed.
mod_usertrack can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
mod_usertrack historically uses insecure MD5.
TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using ssl.openssl.ssl-conf-cmd, as long as the ciphers are supported by the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.
Please post on lighttpd forums to share feedback if you use these modules.
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
Deprecated: mod_secdownload will be removed.
mod_secdownload can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available