1.4.65

June 07, 2022

Important changes

WebSockets over HTTP/2, bugfixes

Highlights

  • WebSockets over HTTP/2
    RFC 8441 Bootstrapping WebSockets with HTTP/2
  • HTTP/2 PRIORITY_UPDATE
    RFC 9218 Extensible Prioritization Scheme for HTTP
  • prefix/suffix conditions in lighttpd.conf
  • mod_webdav safe partial-PUT
    webdav.opts += ("partial-put-copy-modify" => "enable")
  • mod_accesslog option: accesslog.escaping = "json"
  • mod_deflate libdeflate build option
  • speed up request body uploads via HTTP/2

Behavior Changes

  • change default server.max-keep-alive-requests = 1000 to adjust
    to increasing HTTP/2 usage and to web2/web3 application usage
    (prior default was 100)
  • mod_status HTML now includes HTTP/2 control stream id 0 in the output
    which contains aggregate counts for the HTTP/2 connection
    (These lines can be identified with URL ‘*’, part of “PRI *” preface)
    alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
  • MIME type application/javascript is translated to text/javascript (RFC 9239)

Future Scheduled Behavior Changes

  • TLS modules will default to using stronger, modern ciphers and
    will default to allow client preference in selecting ciphers.
    Allowing client preference in selecting ciphers is safe to do along
    with restrictions to use modern ciphers supporting PFS, and is
    better for mobile users without AES hardware acceleration.
    Legacy ciphers can still be configured in lighttpd.conf using
    `ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by
    the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
    new defaults:
    "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
    "Options" => "-ServerPreference"
    old defaults:
    "CipherString" => "HIGH",
    "Options" => "ServerPreference"
  • Deprecated TLS options will be removed.
    – ssl.honor-cipher-order
    – ssl.dh-file
    – ssl.ec-curve
    – ssl.disable-client-renegotiation
    – ssl.use-sslv2
    – ssl.use-sslv3
    See https://wiki.lighttpd.net/Docs_SSL for replacements with
    `ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.
  • Continue gradual deprecation of “mini-application” lighttpd modules
    for which mod_magnet lua implementations are better and more flexible.
    Please post on lighttpd forums to share feedback if you use these modules.
    Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
  • Deprecated: mod_evasive will be removed.
    mod_evasive can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
    https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
    https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
  • Deprecated: mod_secdownload will be removed.
    mod_secdownload can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
    mod_secdownload historically uses insecure MD5, though SHA1 and SHA256 are available.
  • Deprecated: mod_uploadprogress will be removed.
    mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
  • Deprecated: mod_usertrack will be removed.
    mod_usertrack can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
    mod_usertrack historically uses insecure MD5.

1.4.64

January 19, 2022

Important changes

  • remove deprecated modules, bugfixes, CVE-2022-22707 (rare configs)

Behavior Changes

(previously announced and scheduled)

  • graceful restart/shutdown timeout changed from 0 (disabled) to 8 seconds
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 8)
  • build: lighttpd defaults to --with-pcre2 instead of --with-pcre
    pcre2 is current. pcre is no longer maintained.
    Explicitly specify --with-pcre in build to use pcre instead of pcre2.
  • deprecated modules (previously announced) have been removed
    • mod_authn_mysql
    • mod_mysql_vhost
    • mod_cml
    • mod_flv_streaming
    • mod_geoip
    • mod_trigger_b4_dl
      https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated
      suggests migration steps for replacements, if needed

1.4.63

December 04, 2021

Important changes

bugfixes

FUTURE SCHEDULED BEHAVIOR CHANGES (estimated Jan 2022):

  • graceful restart/shutdown default timeout will change from
    0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
  • lighttpd (optional) dependencies on libev and on FAM are deprecated.
    lighttpd event loop and file monitoring use native OS interfaces
    except on obscure platforms. FAM and gamin appear to be abandoned.
    Package maintainers on Linux and *BSD:
    please remove --with-libev and --with-fam from package builds
    lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.
    lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.
  • lighttpd will default to --with-pcre2 instead of --with-pcre
    pcre2 is current. pcre is no longer maintained.
    Explicitly specify --with-pcre in build to use pcre instead of pcre2.

https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated

  • mod_compress is DEPRECATED; use mod_deflate
    mod_compress has been subsumed by mod_deflate
    Note: mod_compress config options may be removed in a future release
  • mod_geoip is DEPRECATED; use mod_maxminddb
    Note: mod_geoip will be removed from a future lighttpd release
  • mod_authn_mysql is DEPRECATED; use mod_authn_dbi
    Note: mod_authn_mysql will be removed from a future lighttpd release
  • mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
    Note: mod_mysql_vhost will be removed from a future lighttpd release
  • mod_cml is DEPRECATED; use mod_magnet
    Note: mod_cml will be removed from a future lighttpd release
  • mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))
    Note: mod_flv_streaming will be removed from a future lighttpd release
    (Note: can be replaced with a few lines of lua code and mod_magnet)
    (sample script flv-streaming.lua is posted at
    https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )
    Adobe Flash is deprecated and support has been removed from modern clients
  • mod_trigger_b4_dl is DEPRECATED; use mod_magnet
    Note: mod_trigger_b4_dl will be removed from a future lighttpd release
    (Note: can be replaced with a few lines of lua code and mod_magnet)
    (sample script mod_trigger_b4_dl.lua is posted at
    https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )