lighttpd (pronounced /lighty/) is a secure, fast, compliant, and very flexible web server that has been optimized for high-performance environments. lighttpd uses memory and CPU efficiently and has lower resource use than other popular web servers. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and much more) makes lighttpd the perfect web server for all systems, small and large. lighttpd is released under the Open Source revised BSD license.

lighttpd wiki and documentation


News

1.4.77

January 10, 2025

Important changes

  • stronger TLS defaults: MinProtocol TLSv1.3; experimental TLS ECH support

Behavior Changes

  • lighttpd TLS defaults: MinProtocol TLSv1.3. Other configurations are still supported, but are not the default. Previous default: MinProtocol TLSv1.2. Current default: MinProtocol TLSv1.3.
  • lighttpd TLS defaults now limit TLSv1.3 Groups to the IANA "Recommended" set: "X25519:P-256:P-384:X448" (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8). Configure Groups/Curves using ssl.openssl.ssl-conf-cmd += ("Groups" => "…").
  • server.error-handler-404 operates only on 404 (historical error: server.error-handler-404 operated on both 404 and 403). Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses. Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high performance mechanism to produce dynamic error pages. https://wiki.lighttpd.net/mod_magnet
  • doc/config/lighttpd.conf has been renamed doc/config/lighttpd.annotated.conf and doc/config/lighttpd.conf is now a simpler header which includes lighttpd.annotated.conf. lighttpd package maintainers must review their packaging scripts and include both lighttpd.conf and lighttpd.annotated.conf (e.g. doc/config/.conf) along with doc/config/conf.d/.conf.
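
Before upgrading, an existing configuration can be checked for settings whose effective behavior changes with the new defaults listed above. The following is an added example, not part of the lighttpd distribution or these release notes: the function name, finding codes and both sample configurations are constructed, and the parsing is deliberately simplified (no include handling, conditions merged).

```python
import re

# Values from the 1.4.77 release notes above.
RECOMMENDED_GROUPS = {"X25519", "P-256", "P-384", "X448"}
CONF_CMD = re.compile(r'ssl\.openssl\.ssl-conf-cmd\s*\+?=\s*\((.*?)\)', re.S)
PAIR = re.compile(r'"(\w+)"\s*=>\s*"([^"]*)"')

def audit_upgrade(conf_text):
    """Return {code: message} for settings affected by the 1.4.77 changes.

    Simplified: '#' comments are stripped line by line, includes are not
    followed, and ssl-conf-cmd lists from all conditions are merged.
    """
    conf = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    cmds = {}
    for body in CONF_CMD.findall(conf):
        cmds.update(PAIR.findall(body))
    findings = {}
    min_proto = cmds.get("MinProtocol")
    if min_proto is None:
        findings["min-protocol-default"] = "no MinProtocol set: default is now TLSv1.3 (was TLSv1.2)"
    elif min_proto != "TLSv1.3":
        findings["min-protocol-override"] = f"MinProtocol {min_proto} overrides the TLSv1.3 default"
    groups = cmds.get("Groups") or cmds.get("Curves")
    if groups is None:
        findings["groups-default"] = "no Groups set: TLSv1.3 groups now limited to the recommended set"
    else:
        # Literal comparison; aliases (e.g. secp256r1 for P-256) need manual review.
        extra = [g for g in groups.split(":") if g not in RECOMMENDED_GROUPS]
        if extra:
            findings["groups-outside-recommended"] = "outside recommended set: " + ":".join(extra)
    if re.search(r'server\.error-handler-404\s*=', conf) and \
            not re.search(r'server\.error-handler\s*=', conf):
        findings["error-handler-403"] = "server.error-handler-404 no longer handles 403"
    return findings

# Constructed sample configs (not from the lighttpd distribution).
LEGACY_CONF = '''
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"   # constructed path
    ssl.openssl.ssl-conf-cmd = ("Groups" => "X25519:P-521")
}
server.error-handler-404 = "/errors/handler.php"
'''
EXPLICIT_CONF = '''
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3",
                            "Groups" => "X25519:P-256")
server.error-handler = "/errors/handler.php"
'''
```

A finding is a prompt for review, not an error: a site that still needs TLSv1.2 clients or 403 handling has to configure that explicitly after the upgrade.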

Downloads

  • lighttpd-1.4.77.tar.gz (GPG signature)
    • SHA256: 5321755fb15ca20084b7b12c26f8991278907fd5a2597b1bdc061a29f7c5ba5d
  • lighttpd-1.4.77.tar.xz (GPG signature)
    • SHA256: acafabdbfa2267d8b6452d03d85fdd2a66525f3f05a36a79b6645c017f1562ce
  • SHA256 checksums
  • SHA512 checksums

Changes from 1.4.76

  • [build] packdist.sh tweaks of convenience commands
  • [build] remove ancient distribute.sh.in script
  • [core] add .torrent to mimetype.assign builtin defaults
  • Revert “[core] special value for Linux POLLRDHUP on SPARC” (fixes #3251)
  • [core] special value for Linux POLLRDHUP on SPARC (fixes #3251)
  • [mod_ssi] rename ssi_val_tobool to ssi_val_to_bool
  • [multiple] rename config_plugin_value_tobool
  • [core] fix graceful shutdown timeout handling
  • [core] preprocessor option to force crypto lib
  • [cmake] fix some typos in pcre2 detection
  • [tests] disambiguate regex test value from string
  • [tests] fix deflate tests w/ Fedora zlib-ng-compat
  • [core] port for QNX7.1/8.0
  • [doc] remove ancient doc/scripts/spawn-php.sh
  • [mod_deflate] limit zstd max window size to 8 MB
  • [mod_accesslog] ignore format specifier w/o label
  • [autotools] add pkgconf test for libdbi
  • [mod_webdav] use SQLITE_PREPARE_PERSISTENT
  • [mod_webdav] call sqlite3_initialize() at init
  • [mod_webdav] disable double-quoted string literal
  • [doc] remove ancient doc/scripts/spawn-php.sh
  • [core] clarify error msg for plugin ver mismatch
  • [mod_dirlisting] Add dark mode support
  • [autotools] Prefer libpcre.pc to pcre-config
  • [core] server.ip-transparent option on listen sock
  • [core] reject HTTP/1.x request-line URI trail sp
  • [core] remove http_request_parse_proto_loose()
  • [core] strictly require CRLF on chunked header
  • [core] strictly require CRLF on all chunked header
  • [multiple] quiet coverity false positives
  • [core] http_request_check_uri_strict optimization
  • [h2] fix spurious connection resets with zero log_monotonic_secs
  • [mod_dirlisting] fix ?json output; emit JSON list (fixes #3256)
  • [mod_dirlisting] minor optimization for ?json
  • [mod_auth] fix Digest nonce validation w/ nonce_secret
  • [core] omit pcre2 JIT error trace if JIT not avail
  • [doc] rename sample config lighttpd.annotated.conf
  • [doc] simplify doc/config/lighttpd.conf entry
  • [doc] use shorter https://wiki.lighttpd.net/ url
  • [ci] ci dependency maintenance
  • [meson] use pkg-config to find mbedtls 3.6
  • [meson] update FORCE_* vars to select crypto lib
  • [core] remove long-unused #ifdef USE_ALARM
  • [core] avoid pedantic compiler warning (fixes #3262)
  • [mod_auth] HTTP Digest and HTTP/2 extended CONNECT
  • [mod_dirlisting] sort by exact value of size (fixes #3264)
  • [mod_dirlisting] sort mtime using data-value (#3264)
  • [ci] enable Solaris build (now less slow)
  • [core] remove mimetype.assign from tests/lighttpd.conf
  • [ci] adjust Solaris CI build
  • [doc] update create-mime.conf.pl compression types
  • [doc] update doc/config/conf.d/mime.conf
  • [ci] adjust Solaris CI build
  • [core] remove cast from ioctl() RNDGETENTCNT
  • [core] update ls-hpack
  • [core] light_isprint(), light_iscntrl()
  • [core] perf: tighter loops for str encode,escape
  • [mod_wstunnel] Sec-WebSocket-Protocol: binary
  • [core] light_iscntrl_or_utf8_invalid_byte()
  • [core] option: allow unescaped UTF-8 in errorlog (fixes #3268)
  • [systemd] test config in ExecReload before signal
  • [core] config parsing: detect invalid keys
  • [TLS] allow list of Groups/Curves
  • [mbedtls] reset crt_profile when reconfigured
  • [mod_mbedtls] guard mbedtls use of RSA_PSK
  • [mod_nss] add ssl.openssl.ssl-conf-cmd Ciphersuite
  • [mod_wolfssl] typo
  • [mod_nss] ver check for experimental groups/curves
  • [mod_wolfssl] missing return
  • [tests] do not test for exact compress zlib size
  • [tests] consolidate test value comparison logic
  • .github/workflows/dependabot.yml “github-actions”
  • [ci] dependabot.yml name
  • [ci] ci.yml pull_request types
  • [ci] move file to .github/dependabot.yml
  • [multiple] avoid sending body to GW_AUTHORIZER (fixes #3272)
  • [mod_magnet] use local sys-dirent.h (portability)
  • [mod_magnet] add code header to mod_magnet.c
  • [TLS] skip SSL_CTX init if not in SOCKET condition
  • [mod_openssl] ssl.ech-opts, load ECH keys
  • [mod_openssl] ssl.non-ech-host opt to require ECH
  • [mod_openssl] free mem from SSL_ech_get1_status()
  • [mod_openssl] ECH: use new OSSL_ECHSTORE APIs
  • [mod_openssl] ECH: refresh 4 year old patches
  • [mod_openssl] ECH: kludge compat w/ OpenSSL ECH API
  • [mod_openssl] omit OSSL_ECH_FOR_RETRY for ECH-only
  • [mod_openssl] ECH: OSSL_ECH_FOR_RETRY for cur key
  • [mod_openssl] ECH: boringssl support
  • [TLS] modify TLS defaults to MinProtocol TLSv1.3
  • [TLS] use TLSv1.3 groups X25519:P-256:P-384:X448
  • [ci] macos: mariadb-connector-c is keg-only
  • [mod_openssl] skip *.ech files beginning with ‘.’
  • [mod_openssl] ECH: rename directives to ECH terms
  • [core] server.error-handler-404 handles only 404
  • [mod_magnet] quiet coverity false positive
  • [mod_openssl] ECH: use same (debug) CGI var names
  • [mod_openssl] ECH: reload keys only if modified
  • [mod_openssl] ECH: remove kludge compat w/ OpenSSL ECH API
  • [core] reset cond cache item URL if pathinfo
  • [mod_openssl] use BUF_PTR_LEN when buffer not NULL
  • [mod_openssl] ECH: code comments for ECH-only host
  • [core] import xxHash v0.8.3
  • [autoconf] update ax_prog_cc_for_build.m4