lighttpd – installation and basic configuration

The lighttpd ecosystem has since expanded with modules to manage virtual hosts, redirection, URL rewriting, authentication, and other webby things. For most purposes, anything you can do in Apache you can do in lighttpd. In the next few sections, we’ll show how to install and configure lighttpd, with sidelong glances at Apache.

Installing lighttpd

Let’s install lighttpd and poke it with some metaphorical sticks. lighttpd wiki pages gives examples of binary or source installations for various Linux distributions. For hairy-chested developers (it doesn’t have to be your own hair), a full source install goes like this:

# wget
# tar xvzf lighttpd-1.4.13.tar.gz
# cd lighttpd-1.4.13
# ./configure
# make
# make install

This will install lighttpd under /usr/local. If the build failed, check that the prerequisite pcre and zlib development packages are installed on your system.

If you want to start and stop lighttpd manually, you’re done. To install lighttpd as a service like Apache, edit and install the init script:

# sed -e 's/FOO/lighttpd/g' doc/rc.lighttpd > lighttpd.init
# chmod a+rx lighttpd.init
# cp lighttpd.init /etc/init.d/lighttpd
# cp -p doc/sysconfig.lighttpd /etc/sysconfig/lighttpd
# install -Dp ./doc/lighttpd.conf /etc/lighttpd/lighttpd.conf
# chkconfig lighttpd on


Basic Configuration

The syntax of lighttpd’s configuration file may be the most visible difference from Apache. The wiki’s configuration page examples look more like Perl (or PHP or Python) than Apache’s XMLish httpd.conf. For a simple web site with static files, you need to specify the same things you would for Apache: the document root, the access and error logfile names, and the Linux user and group names for the server process. Here are Apache (httpd.conf) and lighttpd (lighttpd.conf) equivalents:


DocumentRoot /var/www/html
CustomLog /var/www/logs/access
ErrorLog /var/www/logs/error
User www
Group www


server.document-root = "/var/www/html"
accesslog.filename = "/var/www/logs/access"
server.errorlog = "/var/www/logs/error"
server.username = "www"
server.groupname = "www"
server.modules = ( "mod_accesslog" )

lighttpd has an include mechanism similar to Apache’s, so the lighttpd.conf file doesn’t have to grow. To use an optional module, you need to enable it and set its options. Apache enables with LoadModule, but lighttpd just includes the uncommented module name in the server.modules array. The only one you’d need so far is mod_accesslog.

Authentication and Authorization

lighttpd does not support .htaccess files, so you need to specify all settings in the lighttpd.conf file, or files that it includes. It understands Apache user files for basic and digest authentication, but group file support is not yet implemented. Here’s how to password-protect a top-level directory called special:


AuthName "My Special Directory"
AuthType Basic
AuthUserFile /var/www/passwords/users
Order deny,allow
require valid-user


auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/var/www/passwords/users"
auth.require = ( "/special/" =>
"method"   => "basic",
"realm"    => "My Special Directory",
"require"  => "valid-user"


Virtual Hosts

Here’s another task for your hardworking and unappreciated web server: manage two sites called and


NameVirtualHost *
ServerName ""
DocumentRoot "/var/www/hosts/scratch/docs"
ServerName ""
DocumentRoot "/var/www/hosts/sniff/docs"


$HTTP["host"] == "" {
server.document-root = "/var/www/hosts/scratch/docs/" }
$HTTP["host"] == "" {
server.document-root = "/var/www/hosts/sniff/docs/" }

That’s doing it the hard way. If you manage many hosts, you’ll save typing with a virtual host module:


LoadModule vhost_alias_module modules/
VirtualDocumentRoot /var/www/hosts/%1/docs


server.modules = ( ..., "mod_evhost", ... )
evhost.path-pattern = "/var/www/hosts/%3/docs"


Server-Side Includes (SSI)

A baby step toward dynamic content, it’s easy to enable SSI for files with the .shtml suffix:


AddHandler server-parsed .shtml


server.modules = ( ..., "mod_ssi", ... )
ssi.extension = ( "shtml" )



lighttpd optimizes static file throughput by offloading CPU-intensive dynamic content to another process. Rather than processing PHP internally, as Apache does with mod_php, lighttpd hands it off to FastCGI. These configuration snippets turn dull, lifeless .php files into vivacious PHP scripts. For racier details than we can show on this family-rated site, see this page.


LoadModule php5_module modules/
AddType application/x-httpd-php .php


server.modules = ( ..., "mod_fastcgi", ... )
fastcgi.server =
( ".php" =>
( "localhost" =>
"socket" => "/tmp/php-fastcgi.socket",
"bin-path" => "/usr/local/bin/php"


lighttpd Goodies

lighttpd includes Apache-equivalent modules for compression, directory listings, user directories, SSL, WebDAV, and URL rewriting and redirection. You can read about these on the web site. Other interesting modules are unique to lighttpd.

If you want to be a mini YouTube, you can stream thousands of Flash movies in parallel with the mod_flv_streaming module. YouTube serves its own static files with lighttpd, although it doesn’t use this module yet.

If you had such a site with lots of Flash files, how would you protect against hotlinking? lighttpd’s solution, applicable to any file type, is mod_secdownload. You write a function (examples in the link include PHP and Ruby) to generate a special URL, and the module cracks the URL to permit access to a given file for a given amount of time.