Skip to content

Home

1.4.65

Important changes

WebSockets over HTTP/2, bugfixes

Highlights

  • WebSockets over HTTP/2\ RFC 8441 Bootstrapping WebSockets with HTTP/2
  • HTTP/2 PRIORITY_UPDATE\ RFC 9218 Extensible Prioritization Scheme for HTTP
  • prefix/suffix conditions in lighttpd.conf
  • mod_webdav safe partial-PUT\ webdav.opts += (“partial-put-copy-modify” => “enable”)
  • mod_accesslog option: accesslog.escaping = “json”
  • mod_deflate libdeflate build option
  • speed up request body uploads via HTTP/2

Behavior Changes

  • change default server.max-keep-alive-requests = 1000 to adjust to increasing HTTP/2 usage and to web2/web3 application usage (prior default was 100)
  • mod_status HTML now includes HTTP/2 control stream id 0 in the output which contains aggregate counts for the HTTP/2 connection\ (These lines can be identified with URL ‘*‘, part of “PRI *” preface)\ alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
  • MIME type application/javascript is translated to text/javascript (RFC 9239)

Future Scheduled Behavior Changes

  • TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using ssl.openssl.ssl-conf-cmd, as long as the ciphers are supported by the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
    • new defaults:
      • "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
      • "Options" => "-ServerPreference"
    • old defaults:
      • "CipherString" => "HIGH"
      • "Options" => "ServerPreference"
  • Deprecated TLS options will be removed.
    • ssl.honor-cipher-order
    • ssl.dh-file
    • ssl.ec-curve
    • ssl.disable-client-renegotiation
    • ssl.use-sslv2
    • ssl.use-sslv3 See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.
  • Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.\ Please post on lighttpd forums to share feedback if you use these modules.\ Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
  • Deprecated: mod_evasive will be removed.\ mod_evasive can be replaced by mod_magnet and a few lines of lua:\ Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive \ https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS \ https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
  • Deprecated: mod_secdownload will be removed.\ mod_secdownload can be replaced by mod_magnet and a few lines of lua:\ Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload \ mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available
  • Deprecated: mod_uploadprogress will be removed.\ mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:\ Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
  • Deprecated: mod_usertrack will be removed.\ mod_usertrack can be replaced by mod_magnet and a few lines of lua:\ Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack \ mod_usertrack historically uses insecure MD5.

Downloads

1.4.64

Important changes

  • remove deprecated modules, bugfixes, CVE-2022-22707 (rare configs)

Downloads

Behavior Changes

(previously announced and scheduled)

  • graceful restart/shutdown timeout changed from 0 (disabled) to 8 seconds
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 8)
  • build: lighttpd defaults to —with-pcre2 instead of —with-pcre
    pcre2 is current. pcre is no longer maintained.
    Explicitly specify —with-pcre in build to use pcre instead of pcre2.
  • deprecated modules (previously announced) have been removed

1.4.63

Important changes

bugfixes

Downloads

FUTURE SCHEDULED BEHAVIOR CHANGES (estimated Jan 2022):

  • graceful restart/shutdown default timeout will change from 0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)\ configure an alternative with:\ server.feature-flags += (“server.graceful-shutdown-timeout” => 5)
  • lighttpd (optional) dependencies on libev and on FAM are deprecated.\ lighttpd event loop and file monitoring use native OS interfaces\ except on obscure platforms. FAM and gamin appear to be abandoned.\ Package maintainers on Linux and *BSD: please remove —with-libev and —with-fam from package builds\ lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.\ lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.
  • lighttpd will default to —with-pcre2 instead of —with-pcre\ pcre2 is current. pcre is no longer maintained.\ Explicitly specify —with-pcre in build to use pcre instead of pcre2.

https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated

  • mod_compress is DEPRECATED; use mod_deflate\ mod_compress has been subsumed by mod_deflate\ Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb\ Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi\ Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql\ Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet\ Note: mod_cml will be removed from a future lighttpd release
  • mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))\ Note: mod_flv_streaming will be removed from a future lighttpd release\ (Note: can be replaced with a few lines of lua code and mod_magnet)\ (sample script flv-streaming.lua is posted at\ https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )\ Adobe Flash is deprecated and support has been removed from modern clients
  • mod_trigger_b4_dl is DEPRECATED; use mod_magnet\ Note: mod_trigger_b4_dl will be removed from a future lighttpd release\ (Note: can be replaced with a few lines of lua code and mod_magnet)\ (sample script mod_trigger_b4_dl.lua is posted at\ https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )

1.4.62

Important changes

support pcre2; HTTP Digest auth userhash; bugfixes

Downloads

FUTURE SCHEDULED BEHAVIOR CHANGES (estimated Jan 2022):

  • graceful restart/shutdown default timeout will change from\ 0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)\ configure an alternative with:\ server.feature-flags += (“server.graceful-shutdown-timeout” => 5)
  • lighttpd (optional) dependencies on libev and on FAM are deprecated.\ lighttpd event loop and file monitoring use native OS interfaces\ except on obscure platforms. FAM and gamin appear to be abandoned.\ Package maintainers on Linux and *BSD:\ please remove —with-libev and —with-fam from package builds\ lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.\ lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.
  • lighttpd will default to —with-pcre2 instead of —with-pcre\ pcre2 is current. pcre is no longer maintained.\ Explicitly specify —with-pcre in build to use pcre instead of pcre2.

https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated

  • mod_compress is DEPRECATED; use mod_deflate\ mod_compress has been subsumed by mod_deflate\ Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb\ Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi\ Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql\ Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet\ Note: mod_cml will be removed from a future lighttpd release
  • mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))\ Note: mod_flv_streaming will be removed from a future lighttpd release\ (Note: can be replaced with a few lines of lua code and mod_magnet)\ (sample script flv-streaming.lua is posted at\ https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )\ Adobe Flash is deprecated and support has been removed from modern clients
  • mod_trigger_b4_dl is DEPRECATED; use mod_magnet\ Note: mod_trigger_b4_dl will be removed from a future lighttpd release\ (Note: can be replaced with a few lines of lua code and mod_magnet)\ (sample script mod_trigger_b4_dl.lua is posted at\ https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )

1.4.61

Important changes

bugfixes

Downloads

Future Scheduled Behavior Changes (estimated early 2022)

  • graceful restart/shutdown default timeout will change from\ 0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)\ configure an alternative with:\ server.feature-flags += (“server.graceful-shutdown-timeout” => 5)
  • lighttpd (optional) dependencies on libev and on FAM are deprecated.\ lighttpd event loop and file monitoring use native OS interfaces\ except on obscure platforms. FAM and gamin appear to be abandoned.\ Package maintainers on Linux and *BSD:\ please remove —with-libev and —with-fam from package builds\ lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.\ lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.

https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated

  • mod_compress is DEPRECATED; use mod_deflate\ mod_compress has been subsumed by mod_deflate\ Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb\ Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi\ Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql\ Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet\ Note: mod_cml will be removed from a future lighttpd release
  • mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))\ (Note: can be replaced with a few lines of lua code and mod_magnet)\ (sample script flv-streaming.lua is posted at\ https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )\ Adobe Flash is deprecated and support has been removed from modern clients

1.4.60

Important changes

  • improve performance, reduce memory use, bugfixes

Downloads

Highlights

  • HTTP/2 smoother and lower memory use (in general)
  • HTTP/2 tuning to better handle aggressive client initial requests
  • reduce memory footprint; workaround poor glibc behavior; jemalloc is better
  • mod_magnet lua performance improvements
  • mod_dirlisting performance improvements and new caching option
  • memory constraints for extreme edge cases in mod_dirlisting, mod_ssi, mod_webdav
  • connect(), write(), read() time limits on backends (separate from client timeouts)
  • lighttpd restarts if large discontinuity in time occurs (embedded systems)
  • RFC7233 Range support for all non-streaming responses, not only static files

Behavior Changes

  • connect() to backend now has default 8 second timeout (configurable)

Future Scheduled Behavior Changes (estimated early 2022)

  • graceful restart/shutdown default timeout will change from\ 0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)\ configure an alternative with:\ server.feature-flags += (“server.graceful-shutdown-timeout” => 5)
  • lighttpd (optional) dependencies on libev and on FAM are deprecated.\ lighttpd event loop and file monitoring use native OS interfaces\ except on obscure platforms. FAM and gamin appear to be abandoned.\ Package maintainers on Linux and *BSD:\ please remove —with-libev and —with-fam from package builds\ lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.\ lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.

https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated

  • mod_compress is DEPRECATED; use mod_deflate\ mod_compress has been subsumed by mod_deflate\ Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb\ Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi\ Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql\ Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet\ Note: mod_cml will be removed from a future lighttpd release
  • mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))\ (Note: can be replaced with a few lines of lua code and mod_magnet)\ (sample script flv-streaming.lua is posted at\ https://redmine.lighttpd.net/projects/lighttpd/wiki/AbsoLUAtion )\ Adobe Flash is deprecated and support has been removed from modern clients

1.4.59

Important changes

HTTP/2 enabled by default, mod_deflate zstd support, mod_ajp13 (new), bugfixes

Downloads

Behavior Changes

  • HTTP/2 enabled by default

Future Scheduled Behavior Changes

  • graceful restart/shutdown default timeout will change from\ 0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)\ configure an alternative with:\ server.feature-flags += (“server.graceful-shutdown-timeout” => 5)
  • mod_compress is DEPRECATED; use mod_deflate\ mod_compress has been subsumed by mod_deflate\ Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb\ Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi\ Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql\ Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet\ Note: mod_cml will be removed from a future lighttpd release

1.4.58

Important changes

bugfixes, portability

Downloads

Future Scheduled Behavior Changes

  • HTTP/2 support will be enabled by default in a future release
  • graceful restart/shutdown default timeout will change from\ 0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)\ configure an alternative with:\ server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • mod_compress is DEPRECATED; use mod_deflate\ mod_compress has been subsumed by mod_deflate\ Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb\ Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi\ Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql\ Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet\ Note: mod_cml will be removed from a future lighttpd release

1.4.57

Important changes

bugfixes

Downloads

Future Scheduled Behavior Changes

  • HTTP/2 support will be enabled by default in a future release
  • graceful restart/shutdown default timeout will change from\ 0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)\ configure an alternative with:\ server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • mod_compress is DEPRECATED; use mod_deflate\ mod_compress has been subsumed by mod_deflate\ Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb\ Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi\ Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql\ Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet\ Note: mod_cml will be removed from a future lighttpd release

1.4.56

Important changes

HTTP/2, TLS library options, brotli, bugfixes

Downloads

Highlights

  • HTTP/2 support
    • must be enabled in lighttpd.conf in lighttpd 1.4.56; may be enabled by default in a future release
    • server.feature-flags += ("server.h2proto" => "enable", "server.h2c" => "enable")
  • TLS library options: OpenSSL, mbedTLS, wolfSSL, GnuTLS, NSS
    • mod_openssl (existing)
    • mod_mbedtls (experimental)
    • mod_wolfssl (experimental)
    • mod_gnutls (experimental)
    • mod_nss (experimental)
  • TLS OCSP stapling (except mbedTLS; not currently supported by mbedTLS)
  • TLS session ticket key rotation control (except NSS; API limitation in NSS)
  • mod_deflate brotli support
  • mod_proxy makes HTTP/1.1 requests to backends (change from HTTP/1.0)
  • RFC 8297 support for 103 Early Hints produced by backends (scripts)
  • graceful restart option to transfer listen fds (minimal pause)
    • server.systemd-socket-activation = "enable"
    • server.feature-flags += ("server.graceful-restart-bg" => "enable", "server.graceful-shutdown-timeout" => "15")

Behavior Changes

  • mod_openssl

    • default MinProtocol TLSv1.2
      TLSv1 and TLSv1.1 are deprecated and no longer supported by major browsers.
      https://news.netcraft.com/archives/2020/03/03/browsers-on-track-to-block-850000-tls-1-0-sites.html
      If prior behavior is required, configure:
      ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1")
      If using openssl \<= 1.0.2 (end-of-life)
      `ssl.openssl.ssl-conf-cmd = (“Protocol” => “-ALL, TLSv1, TLSv1.1, TLSv1.2”)
    • (internal) TLS session cache is disabled by default,
      replaced by lighttpd robust TLSv1.2 session ticket support
      If backward compatibility is needed:
      server.feature-flags += ("ssl.session-cache" => "enable")
    • (internal) openssl creates a session ticket encryption key per SSL_CTX.
      lighttpd 1.4.56 and later assigns a single session ticket encryption key
      for the lighttpd server (across all SSL_CTX) for consistency.
    • behavior change with ssl.ca-dn-file (uncommon); applies to client
      certificate verification and ssl.ca-dn-file (uncommon)
      If client certificate verification is enabled
      (ssl.verifyclient.activate = “enable”),
      all CAs used for client certificate verification must be present in
      ssl.ca-file. This is the typical use case when client certificate
      verification is enabled. Certificates in (optional) ssl.ca-dn-file
      are used to send issuer names to client when the server sends a
      client certificate request. These names are use by the client
      during certificate selection, and the server requires that the
      certificate sent by the client be issued by one of the subjects
      in ssl.ca-dn-file.
      (Prior behavior merged ssl.ca-file and ssl.ca-dn-file for trusted CAs.
      New behavior requires all trusted CAs be listed in ssl.ca-file,
      and a subset be duplicated into ssl.ca-dn-file to specify allowed
      client cert issuer.)
  • mod_deflate: support for bzip2 is now disabled by default in the build
    (enable using ./configure --with-bzip2)
    bzip2 Content-Encoding is not widely supported
    Prefer to build --with-brotli
    brotli Content-Encoding is more widely supported than bzip2

Future Scheduled Behavior Changes

  • HTTP/2 support will be enabled by default in a future release
  • graceful restart/shutdown default timeout will change from
    0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • mod_compress is DEPRECATED; use mod_deflate
    mod_compress has been subsumed by mod_deflate
    Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb
    Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi
    Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
    Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet
    Note: mod_cml will be removed from a future lighttpd release