All relevant changes are documented in this file.
Notable new features: multiple server support from one process, HTTPS, HTTP/1.1 keep-alive, and built-in gzip deflate compression using zlib.
- Add support for HTTPS, works with certificates from Let's Encrypt
- Add support for multiple servers, listen to different ports
- Add support for built-in HTTP redirect, e.g. from HTTP to HTTPS
- Add support for server location directive, similar to nginx but with security limitations and native vhost support native to thttpd
- Add gzip deflate compression when built with zlib, also compress HEAD as well as GET requests
- Add true
Connection: keep-alivesupport - Add missing
Vary: Accept-Encodingheader - CGI: Allow handling other HTTP methods besides GET/HEAD/POST, from thttpd v2.29, change by Jef Poskanzer
- CGI: Allow
:PORTinHTTP_POST, like Apache - CGI: Allow trailing slash in
PATH_INFO, like Apache - CGI: Change default
CGI_PATTERNfrom disabled to**.cgi|/cgi-bin/* - CGI: Add support for looking for an
index.cgiindex file - CGI: Add several missing standard CGI/1.1 environment variables, see the file doc/cgi.txt for details
- PHP:
- Add support for
php-cgiandindex.phpindex file - Add support for PHP pattern matching, run php-cgi if
**.php
- Add support for
- Server-Side Includes (SSI):
- Add support for SSI pattern matching, run cgi-bin/ssi if
**.shtml - Add support for silencing default SSI
errmsg - Add support for looking for
index.shtmlindex file
- Add support for SSI pattern matching, run cgi-bin/ssi if
- Dot files are no longer shown in dir listings, use the
merecat.confsettinglist-dotfiles = trueto enable - Server stats are no longer periodically sent to syslog, re-enable in
merecat.confif you need theSTATS_TIMEfeature - Apply Debian thttpd
SIGBUSpatch for reading from NFS - Add
-I IDENTcommand line option to override program identity. This change makes it possible to change syslog, PID file name, and.conffile name. Useful when running multiple instances of Merecat - Add
--enable-msie-paddingtoconfigurescript - Add
.htaccesssupport, limited to IPv4. Feature by Felix J. Ogris - Allow
.htpasswdfile to be symlinked - DOC: How to use
.htpasswdand virtual hosts - DOC: Added section on how to optimize performance
- Update MIME types, e.g. Ogg video, 7zip, svg
- Add Dockerfile for ease of deployment in limited setups
- Add cute cat default favicon
- Built-in icons for FTP dir listings; folder, file, etc.
- Refactor, deprecated POSIX API's, e.g.
bzero() --> memset() - Enable
SO_REUSEPORTif available, useful for load balancing
- Fix CVE-2017-17663, buffer overrun in htpasswd tool, from thttpd v2.28
- Fixes for non GNU C libraries like musl:
__progname,%m, etc. - Fix
X-Forwarded-Forwhen using IPv6, thanks to Steve Kemp! - Debian packaging fixes
- Make sure both
.htpasswdand.htaccessare declared forbidden files and not allowed to be downloaded or shown in directory listings - Use
memmove()instead ofstrcpy()for possibly overlapping regions - Cleanup of default
merecat.conf, default disabled options to their built-in default values - Spelling fixes and major documentation cleanup
v2.31 - 2016-11-06
The "it works now" release.
- Sort directories first in dir listings
- Include systemd unit file
- Add
debian/packaging, easy to rebuild and replace for others - Add
--enable-public-htmlto enable~user/public_htmldirs - Support for shared
WEBROOT/cgi-binas fallback for vhosts - Update default landing page
- Add missing CSS and jpeg files to install
- Fix dependency tracking when reconfiguring
- Fix
.conffile parser bugs reported by Gaetan Bisson - Fix missing
HAVE_LIBCONFUSE#define causing.conffile support to not be built, reported by Gaetan Bisson - Fix malplaced call to
cfg_free()in .conf file parser, reported by Gaetan Bisson - Update man page and other documentation with missing quotes around CGI pattern, issue reported by Gaetan Bisson
- Fix syslog warning: bind 0.0.0.0: Address already in use
v2.30 - 2016-10-09
Initial release. Based on sthttpd master, 2015-07-22.