Lighttpd HTTP server release 1.4.65

Lighttpd 1.4.65 has been released. Lighttpd is a lightweight HTTP server that tries to combine high performance, security, standards compliance, and flexible configuration. It is suitable for use on highly loaded systems and aims for low memory and CPU consumption. The new version contains 173 changes. The project's code is written in C and distributed under the BSD license.

Main innovations:

  • Added support for WebSocket over HTTP/2, implementing RFC 8441, which describes a mechanism for running the WebSocket protocol over a single stream within an HTTP/2 connection.
  • An extended priority management scheme has been implemented that allows the client to influence the priority of responses transmitted by the server (RFC 9218), as well as to control priorities when redirecting requests. For HTTP/2, the PRIORITY_UPDATE frame is supported.
  • Added support for conditional matches anchored to the beginning (=^) and end (=$) of a string in the lighttpd.conf settings. Such string checks are much faster than regular expressions and are sufficient for many simple checks.
  • mod_webdav now supports partial PUT operations (covering part of the data using the Range header). You can use the 'webdav.opts += ("partial-put-copy-modify" => "enable")' option to enable it.
  • Added the option 'accesslog.escaping = "json"' to mod_accesslog.
  • mod_deflate can now be built with libdeflate.
  • Faster transmission of the request body via HTTP/2.
  • The default value of server.max-keep-alive-requests changed from 100 to 1000.
  • Changed "application/javascript" to "text/javascript" in the list of MIME types (RFC 9239).

More restrictive TLS cipher settings, with legacy ciphers disabled by default, are planned for a future release. The CipherString setting will be changed from "HIGH" to "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384". The following deprecated TLS options are also scheduled for removal: ssl.honor-cipher-order, ssl.dh-file, ssl.ec-curve, ssl.disable-client-renegotiation, ssl.use-sslv2, ssl.use-sslv3. In addition, the cleanup of mini-modules that can be replaced with a more flexible Lua implementation in mod_magnet will continue. In particular, the mod_evasive, mod_secdownload, mod_uploadprogress and mod_usertrack modules are scheduled for removal.
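
The removal lists above lend themselves to a pre-upgrade check. The following script is an added example, not code from the lighttpd project: it scans a configuration file for the TLS options and modules named in this announcement. The helper names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Names below are copied from the announcement's "scheduled for removal" lists.
DEPRECATED_TLS_OPTS='ssl.honor-cipher-order ssl.dh-file ssl.ec-curve
ssl.disable-client-renegotiation ssl.use-sslv2 ssl.use-sslv3'
DEPRECATED_MODULES='mod_evasive mod_secdownload mod_uploadprogress mod_usertrack'

# audit_lighttpd_conf FILE  (hypothetical helper name)
# Prints "LINE:KIND:NAME" per finding; returns 1 if anything was found.
audit_lighttpd_conf() {
    conf=$1
    found=0
    for name in $DEPRECATED_TLS_OPTS $DEPRECATED_MODULES; do
        case $name in
            ssl.*) kind=tls-option ;;
            *)     kind=module ;;
        esac
        # Strip comments first so commented-out settings are not reported
        # (naive: a '#' inside a quoted string is also treated as a comment).
        # sed keeps the line count, so grep -n still yields real line numbers.
        hits=$(sed 's/#.*$//' "$conf" | grep -nwF -e "$name" | cut -d: -f1 || true)
        for line in $hits; do
            echo "$line:$kind:$name"
            found=1
        done
    done
    return $found
}

# Constructed sample configuration (not taken from a real deployment).
write_sample_conf() {
    cat > "$1" <<'EOF'
server.modules = ( "mod_access", "mod_usertrack", "mod_openssl" )
ssl.engine = "enable"
ssl.use-sslv3 = "disable"
# ssl.dh-file = "/etc/ssl/dh.pem"
ssl.honor-cipher-order = "enable"
ssl.openssl.ssl-conf-cmd = ("CipherString" => "HIGH")
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_lighttpd_conf "$sample" || echo "deprecated settings found (see lines above)"
rm -f "$sample"
```

Configurations that pull in other files with include directives need each included file checked as well, since the script reads only the file it is given.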

Source: opennet.ru
