Version 1.6.x

Legacy Releases

V1.6.21 Stable

2021-04-01

Server Core

• [New Feature] Zero downtime graceful restart.
• [New Feature] Allow Proxy External Apps to proxy to Unix Domain Sockets.
• [Bug fix] Address random crashing in Layer4 handler.
• [Misc] Address most compiler warnings.

V1.6.20 Stable

2021-02-16

Server Core

• [Security] Sanitize external application commands and user/group configurations. (https://github.com/litespeedtech/openlitespeed/issues/217)
• [Security] Do not allow setuid in external applications by dropping the SETUID capability.
• [Feature] Simplify CGROUPS support.
• [Bug Fix] Bubblewrap is now correctly enabled. (https://github.com/litespeedtech/openlitespeed/issues/223)
• [Bug Fix] Eliminate random delay when proxying secured websocket connections to the backend. (https://github.com/litespeedtech/openlitespeed/issues/219)
• [Bug Fix] Avoid excessive logging for proxy request headers. (https://github.com/litespeedtech/openlitespeed/issues/166)
• [Bug Fix] Address proxy request body corruption caused by request header manipulations. (https://github.com/litespeedtech/openlitespeed/issues/192)
• [Bug Fix] Improve logging for OCSP stapling errors. (https://github.com/litespeedtech/openlitespeed/issues/177)
• [Bug Fix] Address hanging chunked input streams.
• [Bug Fix] Add support for “noconntimeout” environment variable.

V1.6.19 Stable

2021-01-15

Server Core

• [Improvement] Address Sanitizer build now works properly.
• [Improvement] Better debug logging.
• [Bug Fix] Address memory leaks in cache engine, server configuration, and other components.
• [Bug Fix] Properly handle request/response headers up to 64KB in size.
• [Bug Fix] Correct TLS session Ticket key rotation with short timeout.
• [Bug Fix] Address memory access problems causing random crashes in a few cases.

V1.6.18 Stable

2020-11-24

Server Core

• [Tuning] Update install.sh to support centos8 and ubuntu20.
• [Tuning] Update HttpVHost::addPythonApp() to allow 4 ENV values (PYTHONPATH, LSAPI_STDERR_LOG, LSAPI_CHILDREN, LSAPI_KEEP_LISTEN) to be set from the config file (previously hard-coded).
• [Tuning] Adjust HttpServerImpl::gracefulShutdown() to setSigStop to avoid crash.
• [Bug Fix] Piped access logger should work now.
• [Bug Fix] Update checkCtrlEnv() to enable multiple “vary” values to be added for cache varycookie.
• [Bug Fix] Update HttpSession::smProcessReq() to add ‘HSF_REQ_BODY_DONE’ processing to ‘HSPS_HANDLER_PRE_PROCESSING’.

QUIC

• [Bug Fix] Fixed two congestion controller bugs that led to poor performance in some circumstances.
• [Bug Fix] Fixed a few small memory leaks.
• [Bug Fix] Fixed a bug in HTTP/3 framing.
• [Bug Fix] Fixed IETF QUIC handshake bug when client’s Initial packet arrives late.

V1.6.17 Stable

2020-10-29

Server Core

• [Tuning] Update rc-inst.sh to create a symlinked file for lsws.service to improve lsws service compatibility in CentOS 7.
• [Tuning] Follow ip2location 8.1.4 library API changes.
• [Tuning] Add MIME type image/avif.
• [Tuning] Send HTTP/2 connection GOAWAY frame as soon as all streams are finished during server graceful shutdown.
• [Tuning] Use localtime instead of gmtime for strftime() when printing timestamps in access log.
• [Bug Fix] Correct an IPv6 matching issue when accessing allow/deny IP list.
• [Bug Fix] Remove some incorrect asserts that were causing crashes.
• [Bug Fix] Add ‘connection’ header to cache module Bypass Header list so that cache can work with HTTP/2 for Safari, curl, and so on.
• [Bug Fix] Corrected Reverse NOESCAPE flag logic for redirect actions.
• [Bug Fix] Update AccessLog::customLog() to ensure appended buffer is less than available space.
• [Bug Fix] Add Missing “x-Forwarded-For” header ID conversion from gpack decoded header.

QUIC

• [Bug Fix] Plug memory leak in IETF full conn dtor: cleanup closed IDs sets.
• [Bug Fix] Plug Memory leak: free pushed promise when refcnt is zero.
• [Bug Fix] Deactivate only *recent* HQ frame, not any HQ frame.

WebAdmin Console

• [Bug Fix] Correct access log settings in template config.
• [Bug Fix] Address unwanted behavior for log viewer browsing buttons.

V1.6.16 Stable

2020-09-22

Server Core

• [New Feature] Apply Expires header to range responses and FLV/h264 streams.
• [New Feature] Add HTTP/2 GREASE frame and GREASE for SETTINGS support. (Refs: https://bugs.chromium.org/p/chromium/issues/detail?id=1123912, https://mikebishop.github.io/http-misc-extensions/draft-bishop-httpbis-grease.html)
• [Update] Upgrade LSQUIC to v2.12.8 (https://github.com/litespeedtech/lsquic/releases/tag/v2.12.8)
• [Update] Support ‘-b’ (under development) option in lsup.sh.
• [Tuning] LSAPI get_req_header_by_id() now sets the returned valLen value in all cases.
• [Tuning] No longer convert ‘*:port’ to ‘0.0.0.0:port’ while parsing the config.
• [Tuning] Update build.sh to build libbcrypt when installing the server.
• [Tuning] Update HttpContext::configRewriteRule() to match the max line length when using plain conf.
• [Bug Fix] Normalize listener socket address, especially for IPv6, so it can match the listener address passed from the previous instance during a graceful restart.
• [Bug Fix] Address a crash bug in cache module.
• [Bug Fix] Address a bug that was preventing Rails applications from running correctly.
• [Bug Fix] Update autoindex script to make page layout responsive and no longer follow symbolic links.
• [Bug Fix] htmlspecialchars() no longer returns a blank string without the ENT_SUBSTITUTE flag for special chars.

WebAdmin

• [Bug Fix] Correct access log settings in template config.
• [Bug Fix] Address unwanted behavior for log viewer browsing buttons.

V1.6.15 Stable

2020-08-05

Server Core

• [Major New Feature] Bubblewrap isolated CGI/PHP execution environments.
• [Update] Upgrade installation LSPHP to v74.
• [Update] Update LSQUIC to v2.12.7. (https://github.com/litespeedtech/lsquic/releases/tag/v2.12.7)
• [Tuning] Localize WebAdmin Console Google fonts and JS files.
• [Tuning] Set default server config file ‘compressibleTypes’ value to “default” (use the built-in defaults which already contain most common types such as ‘application/json’ etc).
• [Tuning] Change reCAPTCHA API URL from ‘www.google.com’ to ‘www.recaptcha.net’ to avoid blocking in some countries.
• [Tuning] Avoid reCAPTCHA verification for ‘/.well-known/’ URL.
• [Tuning] Detect ‘X-Real-Ip’ header in a similar way to the ‘CF-Connecting-IP’ header and update client IP info accordingly.
• [Tuning] Use $VH_NAME instead of ‘Example’ conf/vhosts/Example/vhconf.conf.
• [Bug Fix] Address some crash issues in server DEBUG version.
• [Bug Fix] Address uninitialized number comparison bug in HttpReq::classifyUrl().
• [Bug Fix] Avoid crash caused by using failed ChunkOutputStream::write() call return values.
• [Bug Fix] Do not suspend write if there is still pending data at the SSL layer
• [Bug Fix] Address memory leak caused by failure to save pending xpool bigblock linked list.
• [Bug Fix] Address PHP scripts changing error page status codes to 200.
• [Bug Fix] HttpServerImpl::onTimer30Secs is no longer run while server is in the middle of quitting.
• [Bug Fix] Tune RadixNode::getHeader() to avoid accessing passed in NULL pointers.

V1.6.14 Stable

2020-06-18

Server Core

• [Update] Add ruby-lsapi-5.0 gem compatibility to RackRunner.rb. (Similar to LSWS implementation)
• [Update] Cache module now bypasses a number of pre-defined varies to avoid encountering a 500 error for those cases.
• [Update] Upgrade LSQUIC to v2.12.4
• [Update] Add ubuntu 20 support to build.sh.
• [Bug Fix] Correct a cache engine bug that was causing file writes to occur in the wrong location in the file.
• [Bug Fix] Correct ownership/permissions for conf directory and its sub-directories.
• [Bug Fix] Server should now correctly use a newly assigned unix domain socket address when the default socket address is already occupied.

V1.6.13 Stable

2020-04-30

Server Core

• [Security] Limit sample upload testing page to only support jpeg file uploads.
• [Security] Prevent access log from being set to ‘/etc’. ‘/tmp’, or ‘/bin’ directories.
• [New Feature] Added support for error code 451 “Unavailable For Legal Reasons”.
• [New Feature] Cache hit info is now included in real time stats file.
• [Update] Updated LSQUIC Library to v2.12.2. (https://github.com/litespeedtech/lsquic/releases/tag/v2.12.2)
• [Improvement] Update installation script to generate self-signed certificates that are supported by Mac OS browsers.
• [Improvement] lsadm is now added to current server defined group on server start if not already set.
• [Bug Fix] Fixed an uninitialized pointer bug introduced in the latest version of the mod_sec module.
• [Bug Fix] Fixed a plainconf parsing bug with module handler contexts.
• [Bug Fix] Fixed a pagespeed module compilation issue for Debian and Centos8 systems.
• [Bug Fix] Fixed a variable not defined error when executing freebsdFix() in script build.sh.
• [Bug Fix] Server no longer tries to add mod_gzip to the current session when session hook is not initialized.

V1.6.12 Stable

2020-04-09

Server Core

• [Bug Fix] Fixed a rewrite conf parsing bug that could cause a 404 for some existing pages.

V1.6.11 Stable

2020-04-02

Server Core

• [Update] Updated LSQUIC to v2.12.1. (https://github.com/litespeedtech/lsquic/releases/tag/v2.12.1)
• [Improvement] Config files are now parsed more quickly.
• [Tuning] Change default “disableInitLogRotation” value to 1 for error log.
• [Tuning] Updated some log message levels to reduce redundant log messages.
• [Bug Fix] Fixed mod_security.cpp v3.0.4+ compilation errors .
• [Bug Fix] HttpVHost::addPythonContext() now updates the python context to avoid naming the virtual directory to the same name as the physical directory.
• [Bug Fix] Fixed a modverinfo.sh output result error.

V1.6.10 Stable

2020-03-16

Server Core

• [Security] Prevent setting log file names ending in “.php”, “.php71”, etc.
• [Improvement] Added support for Centos8.
• [Update] Prevent assignment of port 80 or port 443 to WebAdmin Console.
• [Update] Updated Example/upload.html to display more information about related optional modules.
• [Update] Updated lsup.sh to support systemctl.
• [Bug Fix] Fixed a rare logging crash.
• [Bug Fix] Fixed a crash when UserAgent header value was empty.
• [Bug Fix] Fixed a compilation issue on Centos.
• [Bug Fix] Fixed lsphp installation issues for Centos.
• [Bug Fix] Fixed a few hidden Http/2 bugs.
• [Bug Fix] Fixed mod_security compilation issue.

V1.6.9

2020-02-20

Server Core

• [Improvement] Fixed access log entries listing HTTP/1.1 for HTTP/2 connections.
• [Update] Reduced the number of QUIC log entries written at lower levels.
• [Update] Updated LSQUIC to v2.10.6.
• [QUIC] Fixed HTTP/3 framing: don’t misinterpret rare occurence as error.
• [QUIC] Fixed compilation on FreeBSD.
• [Bug Fix] Fixed file uploads failing for QUIC connections.
• [Bug Fix] Fixed some errors with the lsup.sh tool.
• [Bug Fix] Fixed lswsctrl restart command failing on CentOS.

V1.6.8

2020-02-10

Server Core

• [New Feature] Expired cache entries are now automatically removed to free up space.
• [New Feature] Updated cache to only serve litespeed cache related headers for frontend requests.
• [New Feature] Skip rewrite processing for Let’s Encrypt verification requests.
• [Improvement] Fixed some minor issues in internal cache manager module.
• [Improvement] REFRESH URI cache requests are now equivalent to a stale purge.
• [Improvement] Added response header entry for URI stale purge.
• [Improvement] Improved cache purge accuracy.
• [Update] Update context configure to auto add a trailing ‘/’ to the location if it is a directory.
• [Update] Update lsup.sh tool to add support the -e paramater flag which is used to only upgrade binaries.
• [Bug Fix] Fixed cache cleanup not getting called when “storagepath” config setting was not set.
• [Bug Fix] Fixed a crash bug when parsing rewrite rules that occured in very rare cases.

V1.6.7

2020-01-29

Server Core

• [Tuning] Ensure that buffered SSL data is flushed near the end of related event processing.
• [Update] Updated lsquic to version 2.10.1 (https://github.com/litespeedtech/lsquic/releases/tag/v2.10.1)
• [Bug Fix] Fixed a code regression causing some old bugs to be reintroduced (Cannot enable QUIC, http2 upload issue, etc).
• [Bug Fix] process start time is now detected correctly.
• [Bug Fix] Fixed a NodeJS wrapper script failing to handle startup files referenced by absolute path.

V1.6.6

2020-01-23

Server Core

• [Security] Update WebAdmin Console to avoid serving PHP files not belonging to it.
• [New Feature] Skip rewrite processing for Let’s encrypt verification requests.
• [New Feature] Add “Subject Alternative Name” item to self signed certificate.
• [Update] Updated lsquic to version 2.9.0 (https://github.com/litespeedtech/lsquic/releases/tag/v2.9.0)
• [Bug Fix] Fixed “uninitialized member”, “connect with empty socket address”, and “virtual memory buffer uninitialized” crash bugs.
• [Bug Fix] Fixed a resource leak bug caused by unclosed file handles.
• [Bug Fix] Fixed static file contexts not serving correctly.
• [Bug Fix] reCAPTCHA verification page is no longer cached.
• [Bug Fix] Fixed old server process lingering after restart when active QUIC clients existed.

V1.6.5

2020-01-03

Server Core

• [Security] Initial webadmin password for new installations is now randomized.
• [Security] Improved WebAdmin Console security by strictly checking request URLs.
• [Update] Incorporated version 1.5.10 changes.
• [Update] Updated lsquic to version 2.8.3 (https://github.com/litespeedtech/lsquic/releases/tag/v2.8.3).
• [Update] Updated WebAdmin Console to show new releases for both the current release branch and the latest release branch.
• [Update] Updated Cache module to track and write file errors and abort serving files from cache when an error occurs.
• [Bug Fix] Disable memory mappping when serving static files to avoid crashes in some cases.
• [Bug Fix] Fixed a memory access bug when logging errors.
• [Bug Fix] Fixed some crashes involving Spdy connections in older browsers.
• [Bug Fix] Fixed handling for virtual host URIs that do not end in a ‘/’ character.
• [Bug Fix] Fixed cache timer not being called when no cache storage path was set.

V1.6.4

2019-11-18

Server Core

• [Updated] Added some lsphp73 dependencies to installation.
• [Update] Updated lsquic to version 2.6.5(https://github.com/litespeedtech/lsquic/releases/tag/v2.6.5).
• [Bug Fix] Fixed “use after free” issue by Avoiding recursive NtwkIOLink::handleEvents() calls.
• [Bug Fix] Fixed permission issues with `autoupdate/` and `tmp/` directories.
• [Bug Fix] Fixed a bug that caused excessive buffering for HTTP/2 connections.
• [Bug Fix] Fix Context level external redirects causing errors.

V1.6.3

2019-11-12

Server Core

• [New Feature] Added support for ‘LS_STDERR_LOG’ environment variable to set up the stderr log file for started processes.
• [Update] Update mod_security-ls to always go through reqbody and respBody phases.
• [Update] lsphp 73 is now used on Linux platforms.
• [Update] Updated lib lsquic to v2.6.3(https://github.com/litespeedtech/lsquic/releases/tag/v2.6.3)
• [Update] Default conf values for maxConns, procSoftLimit, procHardLimit, and env PHP_LSAPI_CHILDREN have been changed to be more reasonable.
• [Bug Fix] Fixed a cache module and mod_security-ls conflict that could cause a crash.
• [Bug Fix] Fix some mod_security-ls compilation issues.

Cache Module

• [Bug Fix] Fixed a rare crash that occurred when failing to create new cache entries.

V1.6.2

2019-10-24

Server Core

• [Update] Removed libgeoip dependency.
• [Update] Use LSPHP 7 by default.
• [Update] Update to liblsquic 2.4.10 (fixing several bugs relating to QUIC and HTTP/3).
• [Bug Fix] Fixed a bug causing a “[modcompress] AddHooks failed” error.
• [Bug Fix] Fixed “No request delivery notification has been received from LSAPI application …” error being logged when a background process’ running time is larger than 10 seconds
• [Bug Fix] Fixed debug log toggle not working.
• [Bug Fix] Fixed Accept-Encoding header being case sensitive.
• [Bug Fix] Fixed UDS files not being cleaned up.
• [Bug Fix] Fixed installation issue with the lshttpd service.
• [Bug Fix] Fixed a network throttling bug that prevented paused SSL connections from being resumed.

Cache Module

• [New Feature] Added stale purge support. With this feature, only the first visitor to a stale cache page will hit the backend with subsequent visitors getting served the stale cache copy until the page has finished being re-cached by the first request.

V1.6.1

2019-09-22

Server Core

• [Improvement] Restart detached PHP processes when PHP binary is changed.
• [Update] Update HTTP/3 support to include the latest HTTP/3 draft (h3-23).
• [Update] Update QUIC to make BBR congestion control the algorithm used by default.
• [Update] Update some error log message levels to be more reasonable.
• [Bug Fix] Fixed a memory issue in pagespeed module.
• [Bug Fix] Fixed some build.sh errors to avoid errors.
• [Bug Fix] Fixed a bug in Makefile.am to ensure that `./configure` still works.
• [Bug Fix] Fixed an access log bug where traffic byte count was sometimes not reset between requests.

V1.6.0

2019-09-10

Server Core

• [Major New Feature] Added Google QUIC and HTTP/3 (Internet Draft 22) support
• [New Feature] Added build.sh, a new build tool to build from source code (including any dependencies) for most platforms in a single click.
• [Improvement] Added compilation support for FreeBSD, Mac, Ubuntu 19.
• [Bug Fix] Fixed a PHP memory limit bug.