lighty's life

lighty developer blog

PRE-RELEASE: 1.4.21-r2392

We would like to draw your attention to the latest pre-release of the stable 1.4 branch of lighttpd.

You can get the pre-release from these urls:
SHA1 checksum:

Please test it as much as possible and provide us with feedback.
A lot of testing ensures a good release.
If no showstoppers are encountered, there will be a final release soon.

Important changes:

  • The fix from 1.4.20 for #1720 (decoded urls in mod_rewrite) was reverted as it introduced too many new problems
  • SSLv2 disabled by default
  • New setting to disable the returning of a 417 when Expect: 100-continue header is given:
    server.reject-expect-100-with-417 = "disable"
  • Settings that require numbers can now be strings too, which get converted. Useful in conjunction with env vars (thx andrewb)
  • mod_compress now supports caching through etags and last-modified
  • The annoying log entries about timed-out connections are now disabled by default and can be enabled with a new setting:
    debug.log-timeouts = "enable"
  • New $HTTP["language"] conditional (thx to petar) which allows interesting new configs like:

    $HTTP["language"] =~ "(de|it|hr)" {
      url.redirect = ( "^/$" => "" )
    }

Changelog since 1.4.20:

  • Fix base64 decoding in mod_auth (#1757, thx guido)
  • Fix mod_cgi segfault when bound to unix domain socket (#653)
  • Do not rely on ioctl FIONREAD (#673)
  • Now really fix mod auth ldap (#1066)
  • Fix leaving zombie process with include_shell (#1777)
  • Removed debian/, openwrt/ and cygwin/; they weren’t kept up-to-date, and we decided to remove dist. specific stuff
  • Try to convert string options to shorts for numeric options in config file; allows using env-vars for numeric options. (#1159, thx andrewb)
  • Do not cache default vhost in mod_simple_vhost (#709)
  • Trust pcre-config, do not check for pcre manually (#1769)
  • Fix fastcgi authorization in subdirectories with check-local=disabled; don’t split pathinfo for authorizer. (#963)
  • Add possibility to disable methods in mod_compress (#1773)
  • Fix duplicate connection keep-alive/transfer-encoding headers (#960)
  • Fixed fix for round-robin in mod_proxy (forgot to increment the index) (#1715)
  • Fix fastcgi-authorizer handling; Status: 200 is now accepted as the doc requests
  • Compare address family in inet_ntop_cache
  • Revert CVE-2008-4359 (#1720) fix “encoding+simplifying urls for rewrite/redirect”: too many regressions.
  • Use FD_CLOEXEC if possible (fixes #1821)
  • Optimized buffer usage in mod_proxy (fixes #1850)
  • Fix uninitialized value in time struct after strptime
  • Do not pass Proxy-Connection: header from client to backend http server in mod_proxy (#1877)
  • Fix wrong malloc sizes in mod_accesslog (probably nothing bad happened…) (fixes #1855, thx ycheng)
  • Some small buffer.c fixes (closes #1837)
  • Remove floating point math from server.c (fixes #1402)
  • Disable SSLv2 by default
  • Use/enforce sane max-connection values (fixes #1803)
  • Allow mod_compress to return 304 (Not Modified); compress ignores the static-file.etags option. (fixes #1884)
  • Add option to ignore the “Expect: 100-continue” header instead of returning 417 Expectation failed (closes #1017)
  • Use modified etags in mod_compress (fixes #1800)
  • Fix max-connection limit handling/100% cpu usage (fixes #1436)
  • Fix error handling in freebsd-sendfile (fixes #1813)
  • Silenced the annoying “request timed out” warning, enable with the “debug.log-timeouts” option (fixes #1529)
  • Allow tabs in header values (fixes #1822)
  • Added Language conditional (fixes #1119); patch by petar

If you want to get the latest source for any branch, you can get it from our svn repository.
Documentation to do so can be obtained from this page:
Bug reports or feature requests can be filed in our ticket system:
Please make sure to check if there isn’t a ticket already here:

Thank you for flying light.

