xthttpd

xthttpd, or "eXtended Tiny/Turbo/Throttling HTTP Daemon" is a continuation of thttpd 2.29, by Jef Poskanzer. It started off with some fixes and refactors for my own uses, as well as security patches from a few other forks, but continued into a successor project with a few new and interesting features. It tries to remain as close to the original as possible, both in spirit and platform compatibility, without any major breaking changes (it can be used as a drop-in replacement).

This project is deliberately limited, and avoids changes unless they're absolutely necessary. In fact, almost all of thttpd's documentation still applies, but you should read the included manual pages to learn how to take advantage of the new features. Much work has gone into making the CGI facilities more powerful, which may be useful if you intend to provide dynamic web services from very resource-constrained embedded systems.

Build Instructions

Download links are available at the top of this page.

    1 autoconf2.13             # Generate the configure script
    2 export CFLAGS="-Os"      # Optimize for size
    3 export WEBGROUP="www"
    4 export WEBDIR="/var/www"
    5 ./configure
    6 make
    7 make install

GNU autoconf 2.13 is currently required.

Changelog

• 2.37, 2025.11.21
  • Some fixes for the multiple-server system to improve child process quitting, signal propagation, and configuration file processing.
  • Add an optional new user-friendly style of directory index, similar to the Apache HTTPd project.
  • Fix some build configuration issues (missing libcrypt errors on some platforms, and failing parallel builds due to incorrect dependency trees).
  • Fixed a few more edge cases in the minimum throttle speed functionality.
  • Throttle requests exceeding the CGI limit instead of cancelling them outright.
  • (!) Added a new facility to pre-process configuration files with m4.
  • Allow throttle specifications to be specified inline within the main configuration file.
• 2.36, 2023.08.20
  • Don't supply application/xhtml+xml content type to incompatible browsers, such as Internet Explorer 6.0 (You can disable this in config.h).
  • Correct an incorrect variable name in config.h.
  • Add a config.h option to disable static Deflate file compression support.
  • Don't provide any build-time default mime types and file types — allow the user to specify files containing these at run-time if needed.
  • Add a new "multiple-server" facility, allowing multiple different server configurations to be specified in the same file, and launched simultaneously under the guidance of one management process. This is useful if you want to provide many different services behind a load balancer, such as HAProxy. This only adds new syntax to the configuration file, it does not change backwards compatibility with thttpd.
  • Fix corrupt log identifiers.
• 2.35, 2023.06.07
  • Produced a final resolution for the throttle limit issue; the previous iteration did make the webserver "work" again when a minimum throttle limit was set, but whenever the limit was reached, the resource that reached it would become permanently inaccessible because the current rate would become "stuck" below the limit forever.
• 2.34, 2023.06.06
  • Investigated a series of strict compiler warnings in order to patch some minor bugs and tidy up the code.
  • Continued the work in 2.33c of preventing Linux workarounds from being built on systems without that kernel.
  • (!) Add support for a global CGI wrapper program specified via the -w command-line argument, cgiwrap config file variable, or CGI_WRAP define in config.h. This is a powerful tool that allows you to intercept the execution of CGI scripts, examine the environment, modify it, and/or call something else entirely, as well as a variety of other creative uses. See the installed manual page for more information.
  • Revisited some past changes aimed at preventing memory leaks, as some of them were not preventing anything at all but adding some degree of overhead — this is now fixed.
  • Removed any uses of the inline keyword for broader compiler compatibility.
  • Completely removed the V_CCOPT logic from the build scripts, which was originally used to guess optimization flags based on the compiler you were using.
  • Made the WEBGROUP and WEBDIR variables user-specifiable via environment variables fed to the ./configure script. This makes it easier to adapt makeweb for your system, and install the default CGI programs to the correct location.
  • Fixed some invalid format specifiers and/or types passed to printf calls.
  • Completely renamed all of the thttpd references in the project. You should uninstall the previous version of xthttpd before installing this version, because many files have been renamed (e.g the main binary, which is now xthttpd instead of thttpd).
  • Server version is now visible by default.
• 2.33c, 2023.06.01
  • Prevented a workaround to handle a bug in the Linux dup() call from triggering on systems that do not use the Linux kernel.
  • (!) Open files with O_NONBLOCK to prevent a local denial-of-service attack via named pipes (has no effect on regular files).
• 2.33b, 2023.06.01
  • (!) Backported parts of the keep-alive implementation from the merecat project with only minor alterations, all thanks goes to Joachim Nilsson.
  • Prevented the automatic directory index from showing hidden files (those prefixed with a dot in their name) by default. This is configurable at compile-time via INDEX_SHOW_HIDDEN in config.h.
  • Added some more compile-time default index file names, including index.pl and index.php.
• 2.33, 2023.06.01
  • (!) Attempted fix to the minimum throttle limit, which would previously cause visting any page on the web server to return a 503 error no matter what value was set, as long as it was set. Credit goes to Christian Boesgaard on the original thttpd mailing list for suggesting a fix to this bug in 2005.
  • Added support for the SCRIPT_FILENAME, DOCUMENT_ROOT, REDIRECT_STATUS, and HTTP_AUTHORIZATION CGI variables, in attempt to improve CGI compatibility with complex services such as PHP.
• 2.32, 2023.05.26
  • (!) Fixed X-Forwarded-For handling to accept IPv6 values and lists of IPs delimited by commas (currently only the first value of the first header is used, make sure your reverse proxy provides the correct information).
  • (!) Made parsing of the X-Forwarded-For header optional in environments where no reverse proxy is actually present, to prevent abuse of the header by a malicious user. This is controlled by the fwdhdr|nofwdhdr configuration values and the -f|-nof command-line arguments.
  • Prevented the file descriptor limit from exceeding a fixed maximum value to prevent the web server from using extreme values returned by the system to hoard potentially gigabytes of pointless memory.
• 2.31b, 2023.05.23
  • (!) Fixed a bug that caused auto-generated directory indexes to redirect endlessly.
  • Prevented a potential memory leak in CGI environment set-up code.
• 2.31, 2023.05.23
  • Fixed a bug that caused the PATH_TRANSLATED CGI variable not to include the virtual host directory if virtual hosting was enabled.
  • Fixed a bug that caused the PATH_INFO CGI variable to strip trailing slashes provided by the user, causing some CGI programs to redirect to the same URL endlessly and breaking the mechanism that stripped the PATH_INFO from the SCRIPT_NAME CGI variable, making it unreliable for CGI programs to locate themselves.
  • Fixed a bug that caused the SCRIPT_NAME CGI variable to sometimes contain trailing slashes when no PATH_INFO was specified.
• 2.30, 2023.05.19
  • Do not guess CFLAGS and LDFLAGS, allow the user to set them.
  • (!) Security patches and bug-fixes from sthttpd.
  • (!) Security patches and bug-fixes from merecat
  • Support for static Deflate compression (i.e. if index.html.gz exists, then when index.html is requested, it can be served compressed), but not dynamic/on-the-fly compression.

Prior to here, version history follows the releases upstream.