plugin_core contains the core features for generic request handling, static files, log files and buffer limits.

Socket addresses

The following address formats can be used:


Either with port or without; you can either use real IPs or to listen on all network interfaces.


Similar to IPv4; just put the IPv6 between “[” and “]” like this: [::1]:80 (IPv6 localhost with port 80).

Please note that lighttpd always listens to IPv6 only (some platforms listen to IPv4 too on [::] by default).

Unix domain sockets

A unix domain socket needs a filename where the socket is placed; use unix:/path/to/socket as socket address.

Please don’t put unix domain sockets in /tmp. Use /var/run/lighttpd/ or something like that, where only root or selected “trusted” users can create files.

This may be not supported in all places where a socket address can be specified.


debug.log_request_handling (option)

enable debug output for request handling

debug.log_request_handling value;
Default value: false


debug.log_request_handling true;

static.range_requests (option)

enabled ranged requests

static.range_requests value;
Default value: true


static.range_requests false;

keepalive.timeout (option)

how long a keep-alive connection is kept open (in seconds)

keepalive.timeout timeout;
Default value: 5


keepalive.timeout 30;

keepalive.requests (option)

maximum number of requests a client is allowed to make in one connection

keepalive.requests requests;
Default value: 0


keepalive.requests 10;

etag.use (option)

list of properties used to calculate etag; specify empty list to disable etags. Available: "inode", "mtime", "size"

etag.use properties;
Default value: ("inode", "mtime", "size")


etag.use ();

stat.async (option)

enables async stat() calls

stat.async value;
Default value: true

If a filename is in lighttpd’s stat “cache”, lighttpd assumes the kernel still has the entry in memory, and stat() therefore is unlikely to block.
Otherwise it will ask a background thread to call stat(), so the main worker threads are not waiting on a slow disk (or a network filesystem), but only if stat.async is enabled.

If you know your disk is fast enough (perhaps a ramdisk?) and want to save the context switch to the background thread you can disable this.

buffer_request_body (option)

enable buffering request body on disk

buffer_request_body value;
Default value: true

Some backends like to wait for the complete response before forwarding/handling it. For this they require this option to save some memory.

static.exclude_extensions (option)

don't deliver static files with one of the listed extensions

static.exclude_extensions extensions;
Default value: []


static.exclude_extensions [ ".php", ".htaccess", ".htpasswd" ]; (option)

server name; is used in some places instead of the HTTP request hostname if the latter was not specified in the (HTTP/1.0) request hostname;
Default value: ""

Even HTTP/1.0 clients usually specify a Host: header; without Host: header you could only run one domain on one IP address.
This option is for the rare case that you want to handle clients without Host: header support in a nice way.

Example "";

server.tag (option)

used to display server name + version in different places (HTTP response header, CGI environment, mod_dirlist footer, ...)

server.tag tag;
Default value: "lighttpd/2.0.0"

The default is "lighttpd/" + the current version.

mime_types (option)

maps file extensions to MIME types

mime_types mapping;
Default value: []

Default MIME type is “application/octet-stream”. The sources contain a mimetypes example config with many standard mappings.

The longest matching suffix is used (".tar.gz" always wins over ".gz"), and in case of duplicate entries the last one is used.


mime_types [ ".htm" => "text/html", ".txt" => "text/plain; charset=utf-8" ];

Actions needed from lua

These action are not needed (or usable) in non-lua configs.

list (action)

(lua) combines a list of actions into one action, only needed in lua

list actions;
list of actions to combine

when (action)

(lua) build a conditional block (only usable in lua)

when (condition, action1, action2);
A condition; can only be constructed in lua
action to run if condition was true or lua "nil"
(optional) action to run if condition was false

Mapping URL paths to filenames

docroot (action)

sets doc-root, and builds physical path for requested file

docroot patterns;
One or more patterns to build docroot from

Uses patterns to build document roots (base location of files to server).
docroot uses the first pattern that results in an existing directory; otherwise it uses the last entry.
You’ll want the docroot action before alias actions!


docroot ("/var/www/vhosts/$0/htdocs", "/var/www/default/htdocs");

alias (action)

sets doc-root depending on a matching prefix

alias mapping;
maps prefix to base location on disk

The prefix is removed from the url path before it is appended to the base location.
You’ll want the docroot action before alias actions!

Patterns are supported for alias targets as in docroot. As only one pattern per prefix can be given alias does not check whether the target exists.


docroot ("/var/www/vhosts/$0/htdocs", "/var/www/default/htdocs");
alias [
	"/phpmyadmin/" => "/usr/share/phpmyadmin",
	"/pma/" => "/usr/share/phpmyadmin",
	"/.well-known/openpgpkey/" => "/var/lib/gnupg/wks/$0/",
alias "/favicon.ico" => "/var/www/favicon.ico";

index (action)

default filenames to show in a directory

index filenames;
filenames to look for

If the physical path is a directory search for the specified filenames; prefix a filename with ‘/’ to search in the doc-root.

It works like this:

  • if current physical path points to a regular file do nothing
  • walk through the list of filenames to look for:
    • if filename does not start with ‘/’ and the current physical path doesn’t point to a directory, ignore the entry
    • if filename does not start with ‘/’ and the url didn’t end in a ‘/’, redirect request to url with ‘/’ appended
    • if filename does not start with ‘/’ search for it in current physical path (which is a directory)
    • if filename does start with ‘/’ search for it in the doc-root


setup {
	module_load "mod_dirlist";

# if a directory was requested, first search for some default files
index ["index.php", "index.html", "/index.php"];
# if none of them did exists show a simple directory listing
# ... + handle PHP and static files

pathinfo (action)

splits physical path into existing file/directory and the remaining PATH_INFO


Searches for the longest prefix of the physical path name that exists, splitting only at the directory separator /; also never leaves the document root (technically speaking the filename can’t get shorter than the document root).


The following example maps @ to the file @/var/www/index.php@ with @PATH_INFO=/some/site@ (given @/var/www/index.php@ is a normal file).

docroot "/var/www";
if phys.path =$ ".php" { fastcgi "unix:/var/run/lighttpd/php.sock"; }


The following example maps @ to the file @/var/www/index.php@ with @PATH_INFO=/some/site@ (given @/var/www/index.php@ is a normal file, and @/var/www/some@ does not exist).

docroot "/var/www";
index ("index.php");
if phys.path =$ ".php" { fastcgi "unix:/var/run/lighttpd/php.sock"; }

Generating responses

static (action)

handle GET and HEAD requests with a static file from disk


This action is automatically appended to the global config (unless a lua config is specified at the command line).

Does nothing if:

  • the request is already handled
  • no physical path was set (missing docroot, alias, …)
  • the physical path points to a directory

All other problems lead to an error page, for example:

  • wrong request method (405)
  • file not found (404)
  • couldn’t open file (403)
  • filename matches static.exclude_extensions (403)

static_no_fail (action)

handle GET and HEAD requests with a static file from disk


same as static, but doesn’t return any error pages; instead request handling continues.

respond (action)

returns a quick response with optional body

respond (status, content);
HTTP response status code
(optional) pattern for response body

Generates a simple response (our favorite benchmark handler).
The body is parsed as pattern.


respond 403 => "Forbidden";


respond 200 => "benchmark content!";


Log levels

For standard logging (“error.log”) lighttpd knows the following levels:

  • debug
  • info
  • warning
  • error
  • abort (right before terminating the process)
  • backend (for log data from backends, like FastCGI stderr stream)

Log targets

The following log targets are known:

  • not logging: empty string
  • files: file:/var/log/error.log or just /var/log/error.log
  • stderr: stderr: or stderr
  • syslog: syslog: (not supported yet)
  • pipes: pipe:command or | command (not supported yet)

Unknown strings are mapped to stderr.

log (action)

overwrite log targets for all log levels

log map;
mapping log levels (or default) to log targets


log [
	"error" => "/var/log/lighttpd/error.log",
	"abort" => "/var/log/lighttpd/error.log",
	"backend" => "/var/log/lighttpd/backend.log",
	default => "/var/log/lighttpd/debug.log",

log.write (action)

writes a log message to the "info" log level

log.write message;
message pattern string

Writes the specified message to the log using level info; the message is parsed as pattern.


log.write "hello world";

log (setup)

sets default log targets for all log levels

log map;
mapping log levels (or default) to log targets


setup {
	log [
		"error" => "/var/log/lighttpd/error.log",
		"abort" => "/var/log/lighttpd/error.log",
		"backend" => "/var/log/lighttpd/backend.log",
		default => "/var/log/lighttpd/debug.log",

log.timestamp (setup)

sets the format string to use for timestamps in the log

log.timestamp format;
a strftime format string

See strftime for the format string syntax.

The default format string is "%d/%b/%Y %T %Z".

Connection environment

The connection environment is a set of variable with names and values (both simple strings). CGI backends will forward the environment in addition to the standard CGI environment variables.
The connection environment overwrites the standard CGI values.

env.set (action)

sets a connection environment variable

env.set (name, value);
the variable name to set
the pattern value to set

The value is parsed as pattern.


env.set "INFO" => "%{req.path}";

env.add (action)

sets a connection environment variable if not already set

env.add (name, value);
the variable name to set
the pattern value to set

The value is parsed as pattern. env.add does not overwrite already existing values.


env.add "INFO" => "%{req.path}";

env.remove (action)

removes a connection environment variable

env.remove name;
the variable name to remove


env.remove "INFO";

env.clear (action)

removes all connection environment variables




Response header

All header values that get set are parsed as "patterns":core_pattern.html#core_pattern.

header.add (action)

adds a new response header line

header.add (name, value);
header name
pattern header value

The HTTP spec requires that multiple headers with the same name could be merged by joining their values with “,”.
In real life this doesn’t work always, especially not for “Cookie” headers; so this action actually adds a separate header line.


header.add "Cache-Control" => "public";

header.append (action)

appends value to response header line

header.append (name, value);
header name
pattern header value

If header already exists appends new value separated by ", "; otherwise adds a new header line.

header.overwrite (action)

overwrite response header line or add new one

header.overwrite (name, value);
header name
pattern header value

If header already exists overwrites the value; otherwise a new line gets added.

header.remove (action)

remove existing response header

header.remove name;
header name


# ... some PHP handling
# wait for response headers to be ready
if resp.status >= 0 {
	header.remove "X-Powered-By";

set_status (action)

modify HTTP status code


Modifies the HTTP status code, but doesn’t handle the request in any way.
Later actions could overwrite the status, or a backend (FastCGI, proxy, …) might overwrite it if the response is parsed later.
Only works if some action actually handled the request.

Lighttpd will generate error pages (if it knows the code) if the action that handled the request didn’t generate a response body and a body is allowed.


# hide all 404s at end of config by setting 403
if resp.status == 404 { set_status 403; }

Request headers

All header values that get set are parsed as "patterns":core_pattern.html#core_pattern.

req_header.add (action)

adds a new request header line

req_header.add (name, value);
header name
pattern header value

Same as header.add for request headers.

req_header.append (action)

appends value to request header line

req_header.append (name, value);
header name
pattern header value

Same as header.append for request headers.

req_header.overwrite (action)

overwrite request header line or add new one

req_header.overwrite (name, value);
header name
pattern header value

Same as header.overwrite for request headers.

req_header.remove (action)

remove existing request header

req_header.remove name;
header name

Same as header.remove for request headers.


Remove Accept-Encoding request header to workaround the BREACH vulnerability in https.

if request.scheme == "https" {
	# create a copy of the header value
	req_header.add "HTTPS-Accept-Encoding" => '%{req.header[Accept-Encoding]}';
	req_header.remove "Accept-Encoding";

io.buffer_out (action)

set memory limit for outgoing chunkqueues (default is 256KiB)

io.buffer_out limit;
limit in bytes (0 means unlimited)


io.buffer_out 512kbyte;

io.buffer_in (action)

set memory limit for intcoming chunkqueues (default is 256KiB)

io.buffer_in limit;
limit in bytes (0 means unlimited)


io.buffer_in 512kbyte;

map (action)

maps the result of a pattern to a user defined action

map (pattern, mapping);
the evaluation of this pattern is used as key in the mapping
maps strings (or default) to actions

The pattern is parsed as pattern. Have a look at mod_vhost for special mappings on hostnames.


map "%{req.path}" => [
	"/" => {
		respond 200 => "root";
	"/news" => {
		respond 200 => "news";
	default => {
		respond 404;

listen (setup)

listen to a socket address, see above for accepted formats (default TCP port is 80)

listen socket-address;
socket address to listen to


setup {
	listen "";
	listen "[::]";
	listen "";

workers (setup)

sets worker count; each worker runs in its own thread and works on the connections it gets assigned from the master worker

workers count;
number of workers (default is 1)


setup {
	workers 2;

workers.cpu_affinity (setup)

binds worker threads to a cpu, only available on Linux systems

workers.cpu_affinity mapping;
list of integers or a list of lists of integers


workers.cpu_affinity [0, 1];

module_load (setup)

load the given module(s)

module_load names;
string or list of strings with the module name(s)

modules can be "loaded" more than once without error


setup {
	module_load "mod_rewrite";

io.timeout (setup)

sets the global I/O timeout (wait for network read and write)

io.timeout timeout;
timeout value in seconds, default is 300s

stat_cache.ttl (setup)

set TTL for stat cache entries

stat_cache.ttl ttl;
time to live in seconds, default is 10s

tasklet_pool.threads (setup)

sets number of background threads for blocking tasks

tasklet_pool.threads threads;
number of threads

For example the stat cache uses such background threads.

if threads = 0 the tasks are run in foreground (no background threads).
if threads < 0 all worker share a GThreadPool.
if threads > 0 each worker has its own thread pool with threads threads.

fetch.files_static (setup)

starts a Fetch API provider

fetch.files_static (name, filename-pattern);
name of the storage
A filename pattern including exactly on *

Loads all filenames matching the wildcard pattern (which must include exactly on @*@) into the fetch storage.


setup {
	fetch.files_static "sni" => "/etc/certs/lighttpd_sni_*.pem";