lighttpd fly light

IMPORTANT all 1.4.x users should upgrade to 1.4.19, all users of 1.5-svn should at least upgrade to r1922.

Security, speed, compliance, and flexibility -- all of these describe lighttpd (pron. lighty) which is rapidly redefining efficiency of a webserver; as it is designed and optimized for high performance environments. With a small memory footprint compared to other web-servers, effective management of the cpu-load, and advanced feature set (FastCGI, SCGI, Auth, Output-Compression, URL-Rewriting and many more) lighttpd is the perfect solution for every server that is suffering load problems. And best of all it‘s Open Source licensed under the revised BSD license.

Web 2.0

lighttpd powers several popular Web 2.0 sites like YouTube, wikipedia and meebo. Its high speed io-infrastructure allows them to scale several times better with the same hardware than with alternative web-servers.

This fast web server and its development team create a web-server with the needs of the future web in mind:

• Faster FastCGI
• COMET meets mod_mailbox
• Async IO

Its event-driven architecture is optimized for a large number of parallel connections (keep-alive) which is important for high performance AJAX applications.

News

1.4.19 - Made in Germany

March 10th, 2008

Long time no see.

It has been almost half a year since 1.4.18. 6months. Jan has been working on many interesting features for 1.5. [1] Currently he ports it to glib2.

But back to 1.4.19. Yes again the release date was nailed down by a few security bugs. *cough* Nevertheless we got a ton of other nice bugfixes. All praise our new lighttpd hero Stefan Bühler. Big thank you from my side. (darix)

• lighttpd_sa_2008_01.txt (patch: lighttpd-1.4.x_high_load_dos.patch)
• lighttpd_sa_2008_02.txt (patch: lighttpd-1.4.x_mod_cgi_disclosure.patch)
• lighttpd_sa_2008_03.txt (patch: lighttpd-1.4.x_mod_userdir_disclosure.patch)

Download

• lighttpd-1.4.19.tar.gz
  (sha1sum: 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee
md5sum: cede410e7adee3ea14206749190a8b5d )
• lighttpd-1.4.19.tar.bz2
  (sha1sum: fd4450e7faae55ebe0905114722995b0c57397cc
md5sum: d787374e4e4aaa09d5cfa9ab9d23ad40)

Changes

• added support for If-Range: <date> (#1346)
• added support for matching $HTTP["scheme"] in configs
• fixed initgroups() called after chroot (#1384)
• fixed case-sensitive check for Auth-Method (#1456)
• execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
• fixed a bug that made /-prefixed extensions being handled also when matching the end of the uri in fcgi,scgi and proxy modules (#1489)
• print error if X-LIGHTTPD-send-file cannot be done; reset header Content-Length for send-file. Patches by Stefan Buehler
• prevent crash in certain php-fcgi configurations (#841)
• add IdleServers and Scoreboard directives in ?auto mode for mod_status (#1507)
• open log immediately after daemonizing, fixes SIGPIPEs on startup (#165)
• HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. (#1499)
• generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491)
• support letterhomes in mod_userdir (#1473)
• support chained proxies in mod_extforward (#1528)
• fixed bogus "cgi died ?" if we kill the CGI process on shutdown
• fixed ECONNRESET handling in network-openssl
• fixed handling of EAGAIN in network-linux-sendfile (#657)
• reset conditional cache (#1164)
• create directories in mod_compress (was broken with alias/userdir) (#1027)
• fixed out of range access in fd array (#1562, #372) (CVE-2008-0983)
• mod_compress should check if the request is already handled, e.g. by fastcgi (#1565)
• remove broken workaround for buggy Opera version with ssl/chunked encoding (#285)
• generate etag/last-modified header for on-the-fly-compressed files (#1171)
• req-method OPTIONS: do not insert default response if request was denied, do not deny OPTIONS by default (#1324)
• fixed memory leak on windows (#1347)
• fixed building outside of the src dir (#1349)
• fixed including of stdint.h/inttypes.h in etag.c (#1413)
• do not add Accept-Ranges header if range-request is disabled (#1449)
• log the ip of failed auth tries in error.log (enhancement #1544)
• fixed RoundRobin in mod_proxy (#516)
• check for symlinks after successful pathinfo matching (#1574)
• fixed mod-proxy.t to run with a builddir outside of the src dir
• do not suppress content on "307 Temporary Redirect" (#1412)
• fixed Content-Length header if response body gets removed in connections.c (#1412, part 2)
• do not generate a "Content-Length: 0" header for HEAD requests, added test too
• remove compress cache file if compression or write failed (#1150)
• fixed body handling of status 300 requests
• spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575)
• fix sending source of cgi script instead of 500 error if fork fails (CVE-2008-1111)
• fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623)
• fix sending "408 - Timeout" instead of "410 - Gone" for timedout urls in mod_secdownload (#1440)
• workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed) (CVE-2008-1270)
• make configure checks for --with-pcre, --with-zlib and --with-bzip2 failing if the headers aren‘t found
• fixed handling of waitpid() == EINTR mod_ssi on solaris

[1] No. We don‘t have a release date for it. Especially not with all the big changes going on.

Mono + FastCGI

January 23rd, 2008

Reggie pointed me to the FastCGI support for Mono. For our lighttpd they have a full featured page that should cover all possible configuration needs.

Feel free to try it out and comment on this article if it works as expected.

Giving Solaris some love

October 28th, 2007

Weekend time is hacking time. This weekend it is about getting 1.5.0 running nicely on Solaris and making sure lighttpd is a first class citizen there.

All tests successful (1 subtest UNEXPECTEDLY SUCCEEDED), 88 subtests skipped.
Files=22, Tests=324, 60 wallclock secs ( 1.98 cusr +  1.03 csys =  3.01 CPU)

Read the rest of this entry

Powered by Lighttpd

April 4th, 2007

lighttpd is used by many well-known sites. The typical scenario is using lighttpd as off-load server to push out static content and leave to complex work to another server.

• Lighttpd enters the Top5
• Lighttpd powers 5 Alexa Top 250 sites

One example is YouTube. They have a farm of servers which push out the thumbnails you see before you see the movies:

$ curl -I http://sjl-static16.sjl./vi/TgF_eRkfqEY/2.jpg
HTTP/1.1 200 OK
Content-Type: image/jpeg
ETag: "983726135810477085"
Accept-Ranges: bytes
Last-Modified: Fri, 03 Feb 2006 04:32:53 GMT
Content-Length: 3495
Date: Wed, 04 Apr 2007 06:49:51 GMT
Server: lighttpd-aio/1.4.11.8

As you see in the name-scheme, there are some more of those servers pushing out content.

On wikipedia they run at least 2 servers with lighttpd:

• upload.
• download.

While download is used to distribute the SQL dumps of the database when tend to grow above the magic 4GByte border, upload is used to push out all the images and resize them when necessary.

$ curl -I http://upload./wikipedia/commons/thumb/2/21/Mandel_zoom_00_mandelbrot_set.jpg/250px-Mandel_zoom_00_mandelbrot_set.jpg
HTTP/1.0 200 OK
Content-Type: image/jpeg
ETag: "6460328581220324712"
Accept-Ranges: bytes
Last-Modified: Mon, 04 Dec 2006 22:24:53 GMT
Content-Length: 5973
Date: Wed, 14 Mar 2007 11:16:19 GMT
Server: lighttpd/1.4.13
X-Cache: HIT from sq13.
X-Cache-Lookup: HIT from sq13.:3128
X-Cache: HIT from knsq12.knams.
X-Cache-Lookup: HIT from knsq12.knams.:3128
Age: 6265
X-Cache: HIT from knsq10.knams.
X-Cache-Lookup: HIT from knsq10.knams.:80
Via: 1.0 sq13.:3128 (squid/2.6.STABLE12), 1.0 knsq12.knams.:3128 (squid/2.6.STABLE12), 1.0 knsq10.knams.:80 (squid/2.6.STABLE12)
Connection: close