1.4.62

Important changes

support pcre2; HTTP Digest auth userhash; bugfixes

Downloads

FUTURE SCHEDULED BEHAVIOR CHANGES (estimated Jan 2022):

  • graceful restart/shutdown default timeout will change from
    0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • lighttpd (optional) dependencies on libev and on FAM are deprecated.
    lighttpd event loop and file monitoring use native OS interfaces
    except on obscure platforms. FAM and gamin appear to be abandoned.
    Package maintainers on Linux and *BSD:
    please remove --with-libev and --with-fam from package builds
    lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.
    lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.
  • lighttpd will default to --with-pcre2 instead of --with-pcre
    pcre2 is current. pcre is no longer maintained.
    Explicitly specify --with-pcre in build to use pcre instead of pcre2.

https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated

  • mod_compress is DEPRECATED; use mod_deflate
    mod_compress has been subsumed by mod_deflate
    Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb
    Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi
    Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
    Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet
    Note: mod_cml will be removed from a future lighttpd release
  • mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))
    Note: mod_flv_streaming will be removed from a future lighttpd release
    (Note: can be replaced with a few lines of lua code and mod_magnet)
    (sample script flv-streaming.lua is posted at
    https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )
    Adobe Flash is deprecated and support has been removed from modern clients
  • mod_trigger_b4_dl is DEPRECATED; use mod_magnet
    Note: mod_trigger_b4_dl will be removed from a future lighttpd release
    (Note: can be replaced with a few lines of lua code and mod_magnet)
    (sample script mod_trigger_b4_dl.lua is posted at
    https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )

1.4.61

Important changes

bugfixes

Downloads

Future Scheduled Behavior Changes (estimated early 2022)

  • graceful restart/shutdown default timeout will change from
    0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • lighttpd (optional) dependencies on libev and on FAM are deprecated.
    lighttpd event loop and file monitoring use native OS interfaces
    except on obscure platforms. FAM and gamin appear to be abandoned.
    Package maintainers on Linux and *BSD:
    please remove --with-libev and --with-fam from package builds
    lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.
    lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.

https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated

  • mod_compress is DEPRECATED; use mod_deflate
    mod_compress has been subsumed by mod_deflate
    Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb
    Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi
    Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
    Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet
    Note: mod_cml will be removed from a future lighttpd release
  • mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))
    (Note: can be replaced with a few lines of lua code and mod_magnet)
    (sample script flv-streaming.lua is posted at
    https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )
    Adobe Flash is deprecated and support has been removed from modern clients

1.4.60

Important changes

  • improve performance, reduce memory use, bugfixes

Downloads

Highlights

  • HTTP/2 smoother and lower memory use (in general)
  • HTTP/2 tuning to better handle aggressive client initial requests
  • reduce memory footprint; workaround poor glibc behavior; jemalloc is better
  • mod_magnet lua performance improvements
  • mod_dirlisting performance improvements and new caching option
  • memory constraints for extreme edge cases in mod_dirlisting, mod_ssi, mod_webdav
  • connect(), write(), read() time limits on backends (separate from client timeouts)
  • lighttpd restarts if large discontinuity in time occurs (embedded systems)
  • RFC7233 Range support for all non-streaming responses, not only static files

Behavior Changes

  • connect() to backend now has default 8 second timeout (configurable)

Future Scheduled Behavior Changes (estimated early 2022)

  • graceful restart/shutdown default timeout will change from
    0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • lighttpd (optional) dependencies on libev and on FAM are deprecated.
    lighttpd event loop and file monitoring use native OS interfaces
    except on obscure platforms. FAM and gamin appear to be abandoned.
    Package maintainers on Linux and *BSD:
    please remove --with-libev and --with-fam from package builds
    lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.
    lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.

https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated

  • mod_compress is DEPRECATED; use mod_deflate
    mod_compress has been subsumed by mod_deflate
    Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb
    Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi
    Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
    Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet
    Note: mod_cml will be removed from a future lighttpd release
  • mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))
    (Note: can be replaced with a few lines of lua code and mod_magnet)
    (sample script flv-streaming.lua is posted at
    https://redmine.lighttpd.net/projects/lighttpd/wiki/AbsoLUAtion )
    Adobe Flash is deprecated and support has been removed from modern clients

1.4.59

Important changes

HTTP/2 enabled by default, mod_deflate zstd support, mod_ajp13 (new), bugfixes

Downloads

Behavior Changes

  • HTTP/2 enabled by default

Future Scheduled Behavior Changes

  • graceful restart/shutdown default timeout will change from
    0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • mod_compress is DEPRECATED; use mod_deflate
    mod_compress has been subsumed by mod_deflate
    Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb
    Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi
    Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
    Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet
    Note: mod_cml will be removed from a future lighttpd release

1.4.58

Important changes

bugfixes, portability

Downloads

Future Scheduled Behavior Changes

  • HTTP/2 support will be enabled by default in a future release
  • graceful restart/shutdown default timeout will change from
    0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • mod_compress is DEPRECATED; use mod_deflate
    mod_compress has been subsumed by mod_deflate
    Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb
    Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi
    Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
    Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet
    Note: mod_cml will be removed from a future lighttpd release

1.4.57

Important changes

bugfixes

Downloads

Future Scheduled Behavior Changes

  • HTTP/2 support will be enabled by default in a future release
  • graceful restart/shutdown default timeout will change from
    0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • mod_compress is DEPRECATED; use mod_deflate
    mod_compress has been subsumed by mod_deflate
    Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb
    Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi
    Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
    Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet
    Note: mod_cml will be removed from a future lighttpd release

1.4.56

Important changes

HTTP/2, TLS library options, brotli, bugfixes

Downloads

Highlights

  • HTTP/2 support
    • must be enabled in lighttpd.conf in lighttpd 1.4.56; may be enabled by default in a future release
    • server.feature-flags += ("server.h2proto" => "enable", "server.h2c" => "enable")
  • TLS library options: OpenSSL, mbedTLS, wolfSSL, GnuTLS, NSS
    • mod_openssl (existing)
    • mod_mbedtls (experimental)
    • mod_wolfssl (experimental)
    • mod_gnutls (experimental)
    • mod_nss (experimental)
  • TLS OCSP stapling (except mbedTLS; not currently supported by mbedTLS)
  • TLS session ticket key rotation control (except NSS; API limitation in NSS)
  • mod_deflate brotli support
  • mod_proxy makes HTTP/1.1 requests to backends (change from HTTP/1.0)
  • RFC 8297 support for 103 Early Hints produced by backends (scripts)
  • graceful restart option to transfer listen fds (minimal pause)
    • server.systemd-socket-activation = "enable"
    • server.feature-flags += ("server.graceful-restart-bg" => "enable", "server.graceful-shutdown-timeout" => "15")

Behavior Changes

  • mod_openssl

    • default MinProtocol TLSv1.2
      TLSv1 and TLSv1.1 are deprecated and no longer supported by major browsers.
      https://news.netcraft.com/archives/2020/03/03/browsers-on-track-to-block-850000-tls-1-0-sites.html
      If prior behavior is required, configure:
      ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1")
      If using openssl <= 1.0.2 (end-of-life)
      ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1, TLSv1.1, TLSv1.2")
    • (internal) TLS session cache is disabled by default,
      replaced by lighttpd robust TLSv1.2 session ticket support
      If backward compatibility is needed:
      server.feature-flags += ("ssl.session-cache" => "enable")
    • (internal) openssl creates a session ticket encryption key per SSL_CTX.
      lighttpd 1.4.56 and later assigns a single session ticket encryption key
      for the lighttpd server (across all SSL_CTX) for consistency.
    • behavior change with ssl.ca-dn-file (uncommon); applies to client
      certificate verification and ssl.ca-dn-file (uncommon)
      If client certificate verification is enabled
      (ssl.verifyclient.activate = "enable"),
      all CAs used for client certificate verification must be present in
      ssl.ca-file. This is the typical use case when client certificate
      verification is enabled. Certificates in (optional) ssl.ca-dn-file
      are used to send issuer names to client when the server sends a
      client certificate request. These names are used by the client
      during certificate selection, and the server requires that the
      certificate sent by the client be issued by one of the subjects
      in ssl.ca-dn-file.
      (Prior behavior merged ssl.ca-file and ssl.ca-dn-file for trusted CAs.
      New behavior requires all trusted CAs be listed in ssl.ca-file,
      and a subset be duplicated into ssl.ca-dn-file to specify allowed
      client cert issuer.)
  • mod_deflate: support for bzip2 is now disabled by default in the build
    (enable using ./configure --with-bzip2)
    bzip2 Content-Encoding is not widely supported
    Prefer to build --with-brotli
    brotli Content-Encoding is more widely supported than bzip2

Future Scheduled Behavior Changes

  • HTTP/2 support will be enabled by default in a future release
  • graceful restart/shutdown default timeout will change from
    0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • mod_compress is DEPRECATED; use mod_deflate
    mod_compress has been subsumed by mod_deflate
    Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb
    Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi
    Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
    Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet
    Note: mod_cml will be removed from a future lighttpd release

1.4.54

Important changes

  • behavior change: strict URL parsing and normalization (configurable)
  • performance enhancements, bug fixes

Downloads

Highlights

  • behavior change: strict URL parsing and normalization (configurable)
  • behavior change: mod_webdav now rejects partial PUT (configurable)
  • mod_auth: HTTP Auth Digest algorithm=SHA-256
  • mod_webdav: major rewrite: robustness, performance, RFC compliance
  • mod_maxminddb: new; obsoletes discontinued mod_geoip

Behavior Change

lighttpd now performs strict URL parsing and normalization on HTTP requests. This is configurable, but the defaults are now strict unless explicitly configured otherwise.

Enabling strict URL parsing and normalization by default provides more consistent behavior for mod_redirect and mod_rewrite, which match against the (url-encoded) URL request. However, decoding %2F by default, while generally desirable for consistency, is potentially a breaking change for those encoding URLs in the url-path and relying on the literal '/' as a delimiter. For those uses, "url-path-2f-decode" => "disable" will need to be explicitly set in the lighttpd config.

https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails

The recommended settings for server.http-parseopts are the following, unless specific use requires looser settings:

      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-dotseg-remove"   => "enable",
        "url-query-20-plus"        => "enable"
      )

1.4.53

Important changes

TLS-ALPN-01, systemd socket activation, bug fixes

Future scheduled behavior change (Q1 2019)

Beginning in Q1 2019, lighttpd defaults are scheduled to change to perform limited URL normalization on HTTP requests.

Since lighttpd 1.4.50, this URL normalization is available with server.http-parseopts <https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails>. The lighttpd default will become server.http-parseopts = ("url-normalize-unreserved" => "enable", "url-path-2f-decode" => "enable") unless server.http-parseopts is explicitly set in the lighttpd config. Enabling URL normalization by default will provide more consistent behavior for mod_redirect and mod_rewrite, which match against the (url-encoded) URL request. However, decoding %2F by default, while generally desirable for consistency, is potentially a breaking change for those encoding URLs in the url-path and relying on the literal '/' as a delimiter. For those uses, "url-path-2f-decode" => "disable" will need to be explicitly set in the lighttpd config.

https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails

The recommended settings for server.http-parseopts are the following, unless specific use requires looser settings:

      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-dotseg-remove"   => "enable",
        "url-query-20-plus"        => "enable"
      )
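
The effect of the URL normalization described in the 1.4.54 and 1.4.53 notes above, as an added example (not lighttpd code): a simplified Python model of url-normalize-unreserved, url-path-2f-decode and url-path-dotseg-remove. The `/private` rule pattern, the function names and the request paths are constructed for illustration. It shows that a rule matching the raw URL sees five different strings for one resource, and that decoding %2F changes the segmentation of a URL embedded in the path.

```python
import re

# Simplified model (an assumption, not lighttpd's implementation) of three
# server.http-parseopts options: url-normalize-unreserved,
# url-path-2f-decode and url-path-dotseg-remove.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def normalize_path(path, decode_2f=True, dotseg_remove=True):
    def fix(m):
        ch = chr(int(m.group(1), 16))
        if ch in UNRESERVED:
            return ch                       # %70 -> p, %2e -> .
        if ch == "/" and decode_2f:
            return "/"                      # url-path-2f-decode
        return "%" + m.group(1).upper()     # stay encoded, uppercase hex
    path = PCT.sub(fix, path)
    if dotseg_remove:                       # runs after decoding, so %2e%2e counts
        out = []
        segs = path.split("/")
        for seg in segs:
            if seg == "..":
                if len(out) > 1:            # never climb above the root
                    out.pop()
            elif seg != ".":
                out.append(seg)
        if segs[-1] in (".", ".."):
            out.append("")                  # keep the trailing slash
        path = "/".join(out)
    return path

# Hypothetical rule pattern, standing in for a mod_rewrite/mod_redirect match.
RULE = re.compile(r"^/private(/|$)")

def rule_matches(path, normalize=True, **opts):
    return bool(RULE.search(normalize_path(path, **opts) if normalize else path))

# Constructed sample request paths: five spellings of one resource.
SPELLINGS = ["/private/report", "/%70rivate/report", "/private%2Freport",
             "/pub/../private/report", "/pub/%2e%2e/private/report"]

if __name__ == "__main__":
    for p in SPELLINGS:
        print(p, "->", normalize_path(p),
              rule_matches(p, normalize=False), rule_matches(p))
    # The compatibility case from the release notes: a URL embedded in the path.
    embedded = "/fetch/http:%2f%2fexample.com%2fa"
    print(normalize_path(embedded))                   # '/' delimiters change
    print(normalize_path(embedded, decode_2f=False))  # segments preserved
```
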

Downloads