
lighttpd

lighttpd (pronounced /lighty/) is a secure, fast, compliant, and very flexible web server that has been optimized for high-performance environments. lighttpd uses memory and CPU efficiently and has lower resource use than other popular web servers. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and much more) makes lighttpd the perfect web server for all systems, small and large. lighttpd is released under the Open Source revised BSD license.

See https://redmine.lighttpd.net/projects/lighttpd/wiki for documentation, wiki, forum and issue tracker.

News

1.4.82

Important changes

  • restrict request trailers to configured list; bugfixes

BEHAVIOR CHANGES:

  • request trailers are ignored unless the allowed field names are explicitly configured as a comma-separated list containing no spaces:

    server.feature-flags += ("request.trailer-whitelist" => "...")

    This changes behavior from lighttpd 1.4.80, which added support for request trailers and header merging but did not restrict which request trailers were accepted.


1.4.80

Important changes

  • detect and issue error trace for HTTP/2 MadeYouReset VU#767506 CVE-2025-8671

Highlights

  • detect and issue error trace for HTTP/2 MadeYouReset VU#767506 CVE-2025-8671
  • stricter HTTP request/response header, trailer, and chunked validation/parsing
  • support HTTP response trailers
  • support HTTP request trailers merge to headers (if not streaming request body)
  • bug fixes
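The stricter chunked parsing and trailer handling in the 1.4.80 highlights above, together with the 1.4.82 request-trailer whitelist at the top of this page, modelled as an added Python example. This is not lighttpd's own code (lighttpd is written in C); the FORBIDDEN_TRAILERS list, the whitelist syntax check and the sample request body are assumptions constructed for the example.

```python
"""Strict chunked-body decoder with request-trailer whitelisting.

Added example (not lighttpd source): models the behaviour the 1.4.80 and
1.4.82 notes describe: strict chunked framing validation, request trailers
merged into the header set, and trailers dropped unless their field name is
on a configured comma-separated, space-free whitelist.
"""
from __future__ import annotations
import re

_CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]{1,16}\Z")          # RFC 9112: 1*HEXDIG, capped
_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")    # RFC 9110 token (field names)
_FIELD_VALUE_RE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*\Z")   # no CTLs except HTAB
# Never accepted from a trailer even if whitelisted (framing, routing, auth;
# RFC 9110 6.5.1). Assumption: a short list for the example, not lighttpd's.
FORBIDDEN_TRAILERS = frozenset({"transfer-encoding", "content-length", "host", "te",
                                "trailer", "content-type", "content-encoding",
                                "content-range", "authorization", "cookie"})

def decode_chunked(body: bytes) -> tuple[bytes, list[tuple[str, str]]]:
    """Strictly decode a chunked body; return (payload, trailer fields).
    Any framing violation raises ValueError (a 400 in a real server) rather
    than being re-interpreted leniently, which is what request smuggling needs."""
    pos, payload = 0, bytearray()
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field, _, ext = body[pos:eol].partition(b";")   # chunk extensions are ignored
        if not _CHUNK_SIZE_RE.match(size_field) or not _FIELD_VALUE_RE.match(ext):
            raise ValueError(f"invalid chunk-size line {body[pos:eol]!r}")
        size, pos = int(size_field, 16), eol + 2
        if size == 0:
            break  # last-chunk: the trailer section follows
        end = pos + size
        if body[end:end + 2] != b"\r\n":  # also catches truncated chunk data
            raise ValueError("chunk data not terminated by CRLF")
        payload += body[pos:end]
        pos = end + 2
    trailers: list[tuple[str, str]] = []
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated trailer section")
        line, pos = body[pos:eol], eol + 2
        if line == b"":
            break  # empty line ends the trailer section
        name, sep, value = line.partition(b":")
        value = value.strip(b" \t")
        if not sep or not _TOKEN_RE.match(name) or not _FIELD_VALUE_RE.match(value):
            raise ValueError(f"malformed trailer line {line!r}")
        trailers.append((name.decode("ascii").lower(), value.decode("latin-1")))
    if pos != len(body):
        raise ValueError("bytes after the end of the chunked body")
    return bytes(payload), trailers

def is_rejected(body: bytes) -> bool:
    """True if decode_chunked refuses the body (helper for negative checks)."""
    try:
        decode_chunked(body)
        return False
    except ValueError:
        return True

def parse_trailer_whitelist(value: str) -> frozenset[str]:
    """Parse the comma-separated, space-free list the 1.4.82 note describes."""
    if value == "":
        return frozenset()  # default: no trailer is merged
    names = value.split(",")
    for name in names:  # a space, an empty entry or a non-token byte is an error
        if not _TOKEN_RE.match(name.encode("ascii", "replace")):
            raise ValueError(f"invalid field name in whitelist: {name!r}")
    return frozenset(name.lower() for name in names)

def merge_trailers(headers: dict[str, str], trailers: list[tuple[str, str]],
                   whitelist: frozenset[str]) -> tuple[dict[str, str], list[str]]:
    """Merge whitelisted trailers into the headers; return (merged, dropped names)."""
    merged = {k.lower(): v for k, v in headers.items()}
    dropped: list[str] = []
    for name, value in trailers:
        if name not in whitelist or name in FORBIDDEN_TRAILERS:
            dropped.append(name)
            continue
        merged[name] = f"{merged[name]}, {value}" if name in merged else value
    return merged, dropped

# Constructed sample request body for the demonstration (not captured traffic).
SAMPLE_BODY = (b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n"
               b"X-Checksum: 5b7a9c\r\n"   # merged only if X-Checksum is whitelisted
               b"Content-Length: 9\r\n"    # framing field: never accepted as a trailer
               b"\r\n")

def demo(whitelist_value: str) -> tuple[bytes, dict[str, str], list[str]]:
    """Decode SAMPLE_BODY and merge its trailers under the given whitelist."""
    payload, trailers = decode_chunked(SAMPLE_BODY)
    headers = {"Host": "example.test", "Transfer-Encoding": "chunked"}
    merged, dropped = merge_trailers(headers, trailers, parse_trailer_whitelist(whitelist_value))
    return payload, merged, dropped
```

Calling demo("X-Checksum") returns the payload b"Wikipedia", a header set with x-checksum merged in, and content-length in the dropped list; demo("") (the 1.4.82 default, no whitelist) drops both trailers. The decoder deliberately has no lenient paths: a bare LF, a truncated trailer section, or bytes after the terminating empty line are all rejected rather than guessed at, since those ambiguities are what request-smuggling payloads exploit.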

BEHAVIOR CHANGES

  • extend TLS error log messages to include client addr if error caused by client (Please review TLS error string matching in log watchers)
  • extend TLS error log messages for HTTP/2 attack detection (Please review TLS error string matching in log watchers)
  • reject path info on static files by default (prior default allowed path info) (For prior behavior, configure static-file.disable-pathinfo = "disable")


1.4.79

Important changes

  • hardened systemd lighttpd.service
  • bug fix for mod_openssl using both ECDSA and RSA certs

BEHAVIOR CHANGES

  • The lighttpd-provided hardened systemd lighttpd.service may need admin overrides on non-typical systems (less popular distros) which use the lighttpd-provided systemd lighttpd.service and which also run lighttpd as root, or run CGI scripts as root, to manage the system. To create overrides, run 'systemctl edit lighttpd', which opens /etc/systemd/system/lighttpd.service.d/override.conf for editing. In contrast, many popular distros configure lighttpd to drop privileges from root and to run as an unprivileged user, e.g. 'lighttpd' or 'www-data'. These systems are unlikely to be affected by the hardened and more secure systemd lighttpd.service configuration.


1.4.77

Important changes

  • stronger TLS defaults: MinProtocol TLSv1.3; experimental TLS ECH support

Behavior Changes

  • lighttpd TLS defaults: MinProtocol TLSv1.3. Other configurations are still supported, but are not the default. Previous default: MinProtocol TLSv1.2. Current default: MinProtocol TLSv1.3.
  • lighttpd TLS defaults now limit TLSv1.3 Groups to the IANA "Recommended" set: "X25519:P-256:P-384:X448" (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8). Configure Groups/Curves using ssl.openssl.ssl-conf-cmd += ("Groups" => "...")
  • server.error-handler-404 operates only on 404 (historical error: server.error-handler-404 operated on both 404 and 403). Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses. Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high performance mechanism to produce dynamic error pages. https://wiki.lighttpd.net/mod_magnet
  • doc/config/lighttpd.conf has been renamed doc/config/lighttpd.annotated.conf, and doc/config/lighttpd.conf is now a simpler header which includes lighttpd.annotated.conf. lighttpd package maintainers must review their packaging scripts and include both lighttpd.conf and lighttpd.annotated.conf (e.g. doc/config/*.conf) along with doc/config/conf.d/*.conf.


1.4.76

Important changes

detect VU#421644 HTTP/2 CONTINUATION Flood, avoid CVE-2024-3094 xz supply chain attack, bug fixes

  • detect VU#421644 HTTP/2 CONTINUATION Flood

    • issue trace and send GO_AWAY
    • (lighttpd not vulnerable to attack)
  • avoid CVE-2024-3094 xz supply chain attack

    • use ‘git archive’ to replace ‘make dist’ to create release tarballs
      • remove excess complexity (m4 and autotools) from release process
      • now more easily verifiable that sources come from signed git release tag
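The two HTTP/2 detections named on this page (the CONTINUATION flood of VU#421644 above, and MadeYouReset CVE-2025-8671 in the 1.4.80 notes), modelled as an added Python example that is not lighttpd's implementation. The byte, frame and reset budgets, the set of client frames treated as forcing a server-side RST_STREAM, and the sample traffic are assumptions constructed for the example.

```python
"""HTTP/2 frame-level abuse accounting for one connection.

Added example (not lighttpd source) modelling two detections: a CONTINUATION
flood (VU#421644), where a header block is never finished or grows without
bound, and MadeYouReset (CVE-2025-8671), where client frames that are
stream-level protocol errors force the server to send RST_STREAM, so those
resets must be charged to the same per-connection budget as client-sent
RST_STREAM. All thresholds are assumptions chosen for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

DATA, HEADERS, RST_STREAM, WINDOW_UPDATE, CONTINUATION = 0x0, 0x1, 0x3, 0x8, 0x9
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4

def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """RFC 9113 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(raw: bytes):
    """Yield (type, flags, stream_id, payload); reject truncated input."""
    pos = 0
    while pos < len(raw):
        if pos + 9 > len(raw):
            raise ValueError("truncated frame header")
        length = int.from_bytes(raw[pos:pos + 3], "big")
        ftype, flags = raw[pos + 3], raw[pos + 4]
        sid = int.from_bytes(raw[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = raw[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, sid, payload
        pos += 9 + length

@dataclass
class Http2Guard:
    max_hdr_bytes: int = 16 * 1024   # assumption: header block byte budget
    max_cont_frames: int = 8         # assumption: CONTINUATION frames per block
    max_resets: int = 100            # assumption: resets allowed per connection
    pending_stream: int | None = None  # stream whose header block is still open
    pending_bytes: int = 0
    pending_frames: int = 0
    resets: int = 0
    half_closed: set[int] = field(default_factory=set)  # client already sent END_STREAM
    trace: list[str] = field(default_factory=list)      # error trace a log watcher would see

    def _count_reset(self, sid: int, why: str) -> str | None:
        """Charge one reset to the budget, whether client- or server-initiated."""
        self.trace.append(f"stream {sid}: RST_STREAM ({why})")
        self.resets += 1
        if self.resets > self.max_resets:
            return "GOAWAY ENHANCE_YOUR_CALM: reset budget exceeded (Rapid Reset / MadeYouReset)"
        return None

    def feed(self, raw: bytes) -> str | None:
        """Consume frames; return the GOAWAY reason if the connection must be closed."""
        for ftype, flags, sid, payload in iter_frames(raw):
            if self.pending_stream is not None and (ftype != CONTINUATION or sid != self.pending_stream):
                return f"GOAWAY PROTOCOL_ERROR: expected CONTINUATION on stream {self.pending_stream}"
            verdict = None
            if ftype == HEADERS:
                if flags & FLAG_END_STREAM:
                    self.half_closed.add(sid)
                if not flags & FLAG_END_HEADERS:  # header block continues; HPACK stays opaque here
                    self.pending_stream, self.pending_bytes, self.pending_frames = sid, len(payload), 0
            elif ftype == CONTINUATION:
                if self.pending_stream is None:
                    return "GOAWAY PROTOCOL_ERROR: CONTINUATION without an open header block"
                self.pending_frames, self.pending_bytes = self.pending_frames + 1, self.pending_bytes + len(payload)
                if self.pending_frames > self.max_cont_frames or self.pending_bytes > self.max_hdr_bytes:
                    return "GOAWAY ENHANCE_YOUR_CALM: CONTINUATION flood (VU#421644)"
                if flags & FLAG_END_HEADERS:
                    self.pending_stream = None
            elif ftype == RST_STREAM:
                verdict = self._count_reset(sid, "client reset")
            elif ftype == WINDOW_UPDATE and sid != 0:
                if int.from_bytes(payload[:4], "big") & 0x7FFFFFFF == 0:  # RFC 9113 6.9: stream error
                    verdict = self._count_reset(sid, "server reset: WINDOW_UPDATE increment 0")
            elif ftype == DATA and sid in self.half_closed:  # RFC 9113 5.1: STREAM_CLOSED
                verdict = self._count_reset(sid, "server reset: DATA after END_STREAM")
            if verdict:
                return verdict
        return None

# Constructed traffic for the demonstration (not captured from a real client).
def benign(n_streams: int = 3) -> bytes:
    """Ordinary requests: HEADERS with END_HEADERS and END_STREAM on each stream."""
    return b"".join(encode_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, s, b"\x82")
                    for s in range(1, 2 * n_streams, 2))

def continuation_flood(n_frames: int = 20, chunk: int = 1000) -> bytes:
    """HEADERS without END_HEADERS, then CONTINUATION frames that never finish the block."""
    return encode_frame(HEADERS, 0, 1, b"\x00" * 64) + b"".join(
        encode_frame(CONTINUATION, 0, 1, b"\x00" * chunk) for _ in range(n_frames))

def made_you_reset(n_streams: int = 150) -> bytes:
    """Complete requests, each followed by a frame the server must answer with RST_STREAM."""
    return b"".join(encode_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, s, b"\x82")
                    + encode_frame(WINDOW_UPDATE, 0, s, bytes(4)) for s in range(1, 2 * n_streams, 2))
```

Http2Guard().feed(benign()) returns None, while feeding continuation_flood() or made_you_reset() returns a GOAWAY reason and leaves the per-stream error trace in Http2Guard.trace, which is the kind of message the 1.4.80 note says log watchers must now expect. The point of the MadeYouReset branch is that the WINDOW_UPDATE frames in made_you_reset() are never client RST_STREAMs: a guard that only counts client-sent resets would see 150 perfectly ordinary requests.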

FUTURE SCHEDULED BEHAVIOR CHANGES: (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3. Other configurations will still be supported, but will not be the default. Proposed default: MinProtocol TLSv1.3. Current default: MinProtocol TLSv1.2.
  • server.error-handler-404 will operate only on 404 (historical error: server.error-handler-404 operated on both 404 and 403). Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses. Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high performance mechanism to produce dynamic error pages. https://wiki.lighttpd.net/mod_magnet


1.4.75

Important changes

  • incrementally stronger TLS cipher defaults; bug fixes


Behavior Changes: (previously announced)

  • TLS cipher defaults have been incrementally updated to stronger defaults. New defaults are forward-secret and support authenticated encryption (AEAD). New defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'. Previous defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'. Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults (and supported clients, i.e. those which have not already reached end-of-life). Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
  • mod_redirect: default url.redirect-code for HTTP/1.1 and later has been changed from 301 Moved Permanently to 308 Permanent Redirect (only if url.redirect-code is not explicitly set in lighttpd.conf). RFC7538: https://datatracker.ietf.org/doc/html/rfc7538 (published almost 9 years ago)

Future Scheduled Behavior Changes: (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3. Other configurations will still be supported, but will not be the default. Proposed default: MinProtocol TLSv1.3. Current default: MinProtocol TLSv1.2.
  • server.error-handler-404 will operate only on 404 (historical error: server.error-handler-404 operated on both 404 and 403). Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses. Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high performance mechanism to produce dynamic error pages. https://wiki.lighttpd.net/mod_magnet

1.4.74

Important changes

bug fixes, portability, expanded CI


Behavior Changes:

  • Some messages sent to syslog() (if enabled in lighttpd config) have been changed to use different priorities (e.g. LOG_WARNING, LOG_DEBUG) instead of everything being sent with LOG_ERROR priority. The change affects only lighttpd configs which set server.errorlog-use-syslog = "enable" (not default).
  • Use sendfile() with musl libc; fix build detection of sendfile() w/ musl libc Please report any issues, though any issues are unexpected since lighttpd falls back to writev() if sendfile() fails.

Future Scheduled Behavior Changes: (for the next lighttpd release)

  • TLS cipher defaults will be incrementally updated to stronger defaults. Proposed defaults are forward-secret and support authenticated encryption (AEAD). Proposed defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'. Current defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'. Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults (and supported clients, i.e. those which have not already reached end-of-life). Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
  • mod_redirect: default url.redirect-code for HTTP/1.1 and later will be changed from 301 Moved Permanently to 308 Permanent Redirect (only if url.redirect-code is not explicitly set in lighttpd.conf). RFC7538: https://datatracker.ietf.org/doc/html/rfc7538 (published almost 9 years ago)

Future Scheduled Behavior Changes: (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3. Other configurations will still be supported, but will not be the default. Proposed default: MinProtocol TLSv1.3. Current default: MinProtocol TLSv1.2.