This is an old revision of the document!


LiteSpeed Web Server Changelog

RC1

[Major New Feature] Apache 2.4 conditional context <If> <Ifelse> <Else> support.
[Major New Feature] Asynchronous mod_security engine.
[Major New Feature] Bubblewrap isolated CGI/PHP execution environments.
[New Feature] HTTP/3 draft 29 support.
[Major Enhancement] HTTP/2 has gone through a major rewrite with more efficient header handling.
[Enhancement] Added ModSecurity JSON audit log.

Build 5

[Bug fix] Properly pass CHUNK encoded request body to script handler to address random file upload failure.
[Bug fix] Addressed graceful restart failure when the server has many IPs in use and is forced to create listeners for individual IP.

Build 4

[New Feature] Control whether to wait for the full request body or not before passing requests to the request handler with new environment variable "wait-req-full-body". (Waiting allows the request handler to see the full request body immediately)
[Tuning] Increase reCAPTCHA verified status timeout from 1-hour to 1-day.
[Tuning] Increase .htaccess processing time limit from 500ms to 2.5sec to allow for the processing of larger .htaccess files.

Build 3

[Bug Fix] LiteMage cache object count is now more accurate.
[Bug Fix] Address a few compatibility issues with Plesk admin console proxy through regular HTTPS access.
[Bug Fix] Cache statistics access through IPv6.
[Improvement] Protect WebAdmin listener port from duplicate regular listener configuration.
[Improvement] Add Plesk git integration support.

Build 2

[Bug Fix] Address 404 error for reCAPTCHA verification.
[Bug Fix] 'SetEnv' directive is now properly applied inside <Files> or <FilesMatch> contexts. 

Build 1

[Bug Fix] Correct DirectAdmin PHP handler detection when "DirectAdmin" panel is selected under "PHP" config tab.
[Bug Fix] WebSocket ProxyPass configuration now works correctly inside the <Location> context.
[Bug Fix] Match Apache's Redirect behavior by discarding original query string if target URL has query string set.

Build 0

[New Feature] Add the ability to load an extra ECC certificate for an Apache virtual host when multi-cert support is enabled.
[New Feature] Apply header modification configurations in .htaccess to dynamic responses for CloudLinux Python/Ruby/NodeJS selector application.
[New Feature] Update client IP using request header "X-Real-IP".
[New Feature] Use Client IP in Header can now be set to use the last IP listed in the X-Forwarded-For header for servers behind AWS ELB.
[Security] Block 'LD_*' environment variable overriding from .htaccess.
[Improvement] New Ruby 2.0+ compatible RackRunner script for ruby-lsapi 5.0.
[Improvement] Separate IPv4 and IPv6 virtual hosts now share cached pages for the same domain.
[Improvement] Update WHM plugin to v4.0 (drops support for EasyApache 3).
[Improvement] Make reCAPATCHA compatible with WordPress password protected pages.
[Bug Fix] Invisible reCAPTCHA now works properly with IE 11 browser.
[Bug Fix] Correct Magento LiteMage2 cache object statistics.
[Bug Fix] Address an AJPv13 hanging bug.
[Bug Fix] Enabling bandwidth throttling no longer causes rare HTTP/2 response hangs.
[Bug Fix] Properly apply UMASK configuration for external applications.
[Bug Fix] Fix a problem with Plesk log rotation when LSWS overrode Apache's rc script with a symbolic link.
[Bug Fix] NodeJS default being not properly set in httpd_config.xml no longer causes crashing.
[Bug Fix] Address cp_switch_ws.sh issues when switching back to Apache.

Build 9

[Bug Fix] Correct a SHM memory allocation issue.
[Bug Fix] Address a URL handling regression introduced in build 7 that affected NextCloud WebDAV clients.

Build 8

[New Feature] Use Client IP in Header can now be set to use the last IP listed in the X-Forwarded-For header for servers behind AWS ELB.
[Bug Fix] Address cp_switch_ws.sh issues when switching back to Apache.
[Bug Fix] Invisible reCAPTCHA now works properly with IE 11 browser.
[Bug Fix] Correct a crash bug in cache engine.
[Tuning] Separate IPv4 and IPv6 virtual hosts now share cached pages for the same domain.

Build 7

[New Feature] For CloudLinux Python/Ruby/NodeJS selector application, applies header modification configuration in .htaccess to dynamic response.
[Bug Fix] A mod_security engine bug that causes random crash.
[Bug Fix] A bug in access log format validation.

Build 6

[Bug Fix] Fixed Plesk log rotation issue when LSWS override Apache rc script with symbolic link. 
[Bug Fix] Fixed a crash when NodeJS default was not properly set in httpd_config.xml. 

Build 5

[Security] Blocks overriding LD_PRELOAD environment variable from .htaccess.
[Bug Fix] Fixed a corner case that causes hanging HTTP/2 response when bandwidth throttling is enabled. 
[Bug Fix] Properly apply UMASK configuration for external application. 

Build 4

[New Feature] Added the ability to load extra ECC certificate for Apache virtual host when multi-cert support is enabled.
[Improvement] New Ruby 2.0+ compatible RackRunner script for ruby-lsapi 5.0. 
[Tuning] Disable cache if a request is blocked by mod_security.
[Bug Fix] Minor bug fixes in cache engine. 
[Bug Fix] Minor bug fix in mod_security engine.

Build 3

[Bug Fix] Fixed an HTTP/2 protocol bug encountered when a PHP page failed without sending back a response header.
[Bug Fix] Fixed an internal memory management bug that caused random crashing.

Build 2

[Bug Fix] Fixed an AJPv13 protocol bug that caused requests containing a request body to hang.
[Tuning] Improved reCAPATCHA verification to make it compatible with WordPress password protected pages.

Build 0

[Security] Fixed a symbolic link attack in directory auto index script. Thank you KnownHost for the bug report. (CloudLinux user is not affected.)
[New Feature] Added strict suEXEC and ownership checking on scripts.
[New Feature] Added ability to configure static/dynamic request per second limit for Apache ghost.
[Bug Fix] Fixed reCAPTCHA triggering for the first access of an allowed robot.
[Bug Fix] Added "Cache-Control: no-cache" to reCAPTCHA verification page to disallow CDN/proxy cache.
[Bug fix] Fixed delayed .htaccess loading.
[Bug fix] Fixed a delayed server response bug with HTTP/2.
[Bug fix] Fixed a NodeJS websocket backend configuration bug.
[Bug fix] Shared lib for lscmctl script is now updated on server install/update.
[Tuning] Prevent ports 443 and 80 from being used as WebAdmin listener port.
[Tuning] Avoid triggering 503 errors when cPanel backend services (cpcontacts, webdisk, ...) are unavailable.
[Tuning] Automatically update /proc/sys/net/core/somaxconn to 1024 whenever server performs a fresh startup.
[Tuning] Added after=lve_namespaces.service to systemd unit file.

Build 5

[Bug Fix] Fixed a bug that reCAPTCHA was shown for the first access of an allowed robot.
[Bug Fix] Added "Cache-Control: no-cache" for reCAPTCHA verify page to disallow CDN/proxy cache. 

Build 4

[Bug Fix] Minimize interference with mandatory rewrite processing when bypassing favicon URL rewrite.
[Tuning] Avoid triggering 503 errors when cPanel backend services (cpcontacts, webdisk, ...) are unavailable.

Build 3

[Bug Fix] Use request header value for RBL lookups.
[Bug Fix] Fixed a configuration parser crash.
[Bug Fix] Fixed HTTP/3 ALPN string to properly advertise h3-27.
[Tuning] Automatically update /proc/sys/net/core/somaxconn to 1024, when server performs a fresh startup.
[Tuning] Avoid adjusting external application process priority based on server's priority.

Build 2

[New Feature] Added strict suEXEC and ownership checks for scripts.
[New Feature] Added ability to configure static/dynamic request per second limit for Apache vhost.
[Tuning] Added after=lve_namespaces.service to systemd unit file.
[Bug Fix] Fixed a bug when switching vhost log file.
[Bug Fix] Fixed an HTTP/3 timestamp/ACK ping-pong bug.
[Bug Fix] Fixed a bug causing extra delay when response has content length = 0.

Build 1

[Bug fix] Fixed a bug causing delayed .htaccess loading.
[Bug fix] Fixed an HTTP/2 bug that sometimes delayed server response.
[Bug fix] Fixed a bug in NodeJS websocket backend configuration.
[Bug fix] Shared lib for lscmctl is now updated on server install/update.
[Tuning] Prevent ports 443 and 80 for use as a WebAdmin listener.

Build 0

[New Feature] Updated HTTP/3 support to include h3-27.
[Bug Fix] Fixed a bug that caused ProxyPass ws:// target to stop working for certain configuration combination.
[Bug Fix] Fixed a bug in HTTP/2 handling mismatched response content-length and actual reponse body size.
[Bug Fix] Fixed a false positive that triggered ACL denied for Plesk.
[Bug Fix] Fixed a regression that broke /tmp/lshttpd/swap auto cleanup.
[Bug Fix] Fixed a false positive when handling ModSecrurity SecRemoteRule.
[Bug Fix] Fixed a crash in ModSecurity using libinjection.
[Tuning] Set mod_security RBL DNS cache to 60 seconds.
[Tuning] Disable TLSv1.1 by default.
[Tuning] Enable SSL session tickets by default.
[Tuning] No longer add ECDHE-RSA-AES128-SHA cipher automatically.

Build 3

[Bug Fix] Fixed a false positive that triggered ACL denied for Plesk.
[Bug Fix] Fixed a regression that broke /tmp/lshttpd/swap auto cleanup.
[Bug Fix] Fixed a false positive when handling ModSecrurity SecRemoteRule.
[Bug Fix] Fixed a crash in ModSecurity using libinjection.
[Tuning] No longer add ECDHE-RSA-AES128-SHA cipher automatically.

Build 2

[Bug Fix] Minor ModSecurity compatibility fixes.
[Bug Fix] Prevent WebAdmin Console 503 error on centos8 by installing libnsl package automatically.
[Bug Fix] Minor bug fixes in HTTP/3 (QUIC) engine.
[Tuning] Added add "SameSite=Strict" attribute to ls_smartpush cookie.
[Tuning] Update cp_switch_ws.sh script to work independently of any installed control panel plugins.
[Bug Fix] Update uninstall.sh script to work properly when a control panel plugin is not installed.
[Tuning] Downgraded some modsec log messages from "error" to "warning".
[Bug Fix] Fixed a rewrite engine compatibility regression introduced in v5.4.4.

Build 1

[Bug Fix] mod_security @validateUrlEncoding operator has been turned off to avoid unnecessary false positives.
[Bug Fix] Fixed a cache engine bug that broke the "Respect Cacheable" feature.
[Bug Fix] Fixed a crash bug when detecting server startup time.
[Tuning] Made HTML pages generated by the auto index script responsive.
[Tuning] Hid confusing required/restricted permission mask configurations in WebAdmin Console.

Build 0

[New Feature] Added support for IETF HTTP/3 draft 25 (h3-25).
[New Feature] Populate GEOIP_COUNTRY_CODE environment variable using IP2Location database.
[New Feature] Added full Captcha protection for WordPress login page.
[New Feature] Optionally skip rewrite processing for Let's Encrypt verification requests.
[New Feature] Automatically patch Set-Cookie with 'secure' flag when served over HTTPS.
[Improvement] Added 'cssDecode' and 'utf8toUnicode' transformations to ModSecurity engine.
[Improvement] Added support for 'REQUEST_SCHEME' request variable.
[Improvement] Added '-vb' command line option to print out version and build number.
[Update] Updated WHM plugin to v3.3.7.
[Bug Fix] Fixed websockets hanging on upgrade.
[Bug Fix] Fixed a WebAdmin Console socket address validation bug.
[Bug Fix] Fixed .htaccess configuration changes failing to apply for Python/Ruby/NodeJS applications.
[Bug Fix] Environment variable names are no longer converted to uppercase for Apache SetEnv directive.
[Bug Fix] Fixed a NodeJS wrapper script bug that failed to handle startup files with absolute paths.
[Bug Fix] External application process startup time is now reliably detected.
[Bug Fix] Fixed a minor regression with AHO string search.
[Bug Fix] Fixed a bug using wrong log ID in error log. 

Build 8

[Bug Fix] In cPanel environment, disable rewrite bypass for Let's Encrypt verification requests if dedicate rewrite rule for 'acme-challenge' detected.

Build 7

[Bug Fix] Fixed a random crash that occurred during SSL handshakes.
[Bug Fix] Fixed a bug that rarely cased CPU usage to climb to 99% when shutting down SSL connections.

Build 6

[Bug Fix] Fixed a NodeJS wrapper script bug that failed to handle startup files with absolute paths.
[Bug Fix] Fixed a random reCAPTCHA verification failure with status code 500.
[Bug Fix] External application process startup time is now reliably detected.
[Bug Fix] Fixed a minor regression with AHO string search.

Build 5

[New Feature] Automatically patch Set-Cookie with 'secure' flag when served over HTTPS.
[Bug Fix] Fixed a regression in Python/Ruby/NodeJS application 'tmp/restart.txt' marker file handling.
[Bug Fix] Fixed a WebAdmin Console socket address validation bug.
[Bug Fix] Fixed a corner case to load trusted IP configured in document root .htaccess before reCAPTCHA verification. 

Build 4

[New Feature] Skip rewrite processing for Let's Encrypt verification requests.
[Bug Fix] Fixed websockets hanging on upgrade.
[Bug Fix] Fixed a WebAdmin Console socket address validation bug.
[Bug Fix] Fixed .htaccess configuration changes failing to apply for Python/Ruby/NodeJS applications.
[Bug Fix] Environment variable names are no longer converted to uppercase for Apache SetEnv directive.

Build 3

[New Feature] Added full Captcha protection for WordPress login page.
[Bug Fix] Fixed a connection hang regression introduced in v5.4.4 build 2.

Build 2

[New Feature] Populate GEOIP_COUNTRY_CODE environment variable using IP2Location database.
[Bug Fix] Minor bug fixes to ModSecurity engine.

Build 1

[Improvement] Fine tuned HTTP/3 and QUIC engine performance.
[Improvement] Added 'cssDecode' and 'utf8toUnicode' transformations to ModSecurity engine.
[Improvement] Added 'ctl:debugLogLevel' support to ModSecurity engine.
[Improvement] Added support for 'REQUEST_SCHEME' request variable.
[Improvement] Added '-vb' command line option to print out version and build number.
[Update] Updated WHM plugin to v3.3.6.
[Bug Fix] Minor bug fixes in ModSecurity engine.

Build 0

[New Feature] Added support for Google QUIC Q050. 
[Security] Improved WebAdmin Console security by strictly checking request URLs. 
[Bug Fix] Fixed a bug that caused HTTPS connections to stall when bandwidth throttling was enabled. 
[Bug Fix] Fixed an ESI/Litemage output corruption bug. 
[Bug Fix] Fixed a bug in AIO logging that caused the access log to stop working. 
[Bug Fix] Fixed a bug causing 100% CPU usage for FreeBSD. 
[Bug Fix] Removed an unnecessary CloudLinux CageFS mount point for "/tmp/lshttpd". 
[Bug Fix] Fixed a crash caused by memory mapped files being truncated.

Build 5

[Bug Fix] Fixed a regression for mod_security request parser introduced in 5.4.3 build 4.
[Bug Fix] Fixed a crash due to memory mapped file being truncated. 

Build 4

[Security] Improved WebAdmin console security by strictly checking request URL. 
[Bug Fix] Fixed a regression for FastCGI protocol support, introduced in 5.4.3 build 0.
[Bug Fix] There are minor bug fixes for mod_security engine. 

Build 3

[Bug Fix] Fixed a mutex dead-lock regression introduced in build 2 for AIO logging.

Build 2

[Bug Fix] Fixed a bug in AIO logging that caused access log stop working.
[Bug Fix] Fixed a bug caused 100% CPU usage for FreeBSD.
[Bug Fix] Removed an unnecessary CloudLinux CageFS mount point for "/tmp/lshttpd".

Build 1

[Bug Fix] Fixed a bug that caused HTTPS connections to stall when bandwidth throttling was enabled.
[Bug Fix] Fixed an ESI/Litemage output corruption bug.
[Tuning] Fine tuned keepalive timeout for detached PHP processes to reduce the number of idle PHP processes.

Build 0

[New Feature] Websocket backend support via the "ProxyPass" directive. 
[Enhancement] Improved WordPress brute force protection when facing large botnet attacks.
[Tuning] Updated HTTP/3 QUIC engine default congestion control method to CUBIC for better performance in good network conditions.
[Update] Updated WHM plugin to v3.3.5 (includes support for displaying "critical alerts").
[Bug Fix] Fixed a few bugs in HTTP/3 QUIC engine.
[Bug Fix] Fixed a bug in PID verification that failed to stop processes for detached applications.
[Bug Fix] Fixed a bug in modsecurity engine where LOGGING phase processing was bypassed if a client was using a QUIC connection. 
[Bug Fix] Properly count 3 character second level domains against license domain limit.
[Bug Fix] Properly parse IPv6 mapped IPv4 addresses in request header.
[Bug Fix] Fixed missing "REMOTE_USER" request environment variable when HTTP authentication is used.
[Bug Fix] Fixed a problem with utf-8 characters in request URLs for Python applications.
[Bug Fix] Improved lock contention handling when detached mode PHP processes are started concurrently by multiple server worker processes.
[Bug Fix] Fixed an ESI sub-request bug that could stall proxy to backend communication.
[Bug Fix] Fixed a DirectAdmin userdir bug.

Build 7

[Bug Fix] Fixed an HTTP/3 QUIC engine bug introduced in build 6 that could cause action connections to close at random.
[Tuning] Updated HTTP/3 QUIC engine default congestion control method to CUBIC for better performance in good network conditions.
[Tuning] Lowered WordpressProtect minimum limit from 5 to 2 to better pairing with reCAPTCHA verification.

Build 6

[Bug Fix] Fixed a few minor HTTP/3 and QUIC engine bugs.
[Bug Fix] Fixed an HTTPS bug that caused a busy loop in FreeBSD.
[Bug Fix] Properly count 3 character second level domains against license domain limit. 
[Bug Fix] Properly parse IPv6 mapped IPv4 addresses in request header.
[Bug Fix] Fixed missing "REMOTE_USER" request environment variable when HTTP authentication is used.

Build 5

[Bug Fix] Fixed a bug that caused excessive buffering for HTTP/2 connection.
[Bug Fix] Fixed a bug in QUIC, HTTP/3 engine that caused large file downloads to stall. 
[Bug Fix] Fixed a bug that caused random 404 error. 

Build 4

[Bug Fix] Improved HTTP/3 draft 24 inter-operability with other HTTP/3 clients. 
[Bug Fix] Improved lock contention handling when detached mode PHP processes are started concurrently by multiple server worker processes.
[Bug Fix] Fixed missing environment problem for Python applications.
[Bug Fix] Fixed a problem with utf-8 characters in request URLs for Python applications. 
[Bug Fix] Fixed a rare HTTP/2 connection stalling problem.

Build 3

[Bug Fix] Fixed a bug in mod_security engine @validateUrlEncoding operator resulting in false positives.
[Bug Fix] Fixed a compatibility issue with Plesk's autodiscover feature.
[Bug Fix] Fixed a random 404 error for NodeJS applications.

Build 2

[Enhancement] Improved Wordpress brute force protection when facing large botnet attacks. 
[Bugfix] Fixed HTTP/3 handshake failures when TLSv1.3 was not enabled by control panels.
[Bugfix] Fixed an ESI sub-request bug that could stall proxy to backend communication.
[Bugfix] Fixed a DirectAdmin userdir bug.
[Bugfix] Fixed a Python application compatibility bug.

Build 1

[Bug Fix] Fixed a bug introduced in v5.4.2 build 0 where some mod_security rules could cause false positives.
[Bug Fix] Fixed a bug that caused 503 errors when the configuration of python/node/ruby selector applications where updated.
[Bug Fix] Minor bug fixes in QUIC and HTTP/3 engine.

Build 0

[New Feature] Updated QUIC implementation to support IETF HTTP/3 draft 23.
[New Feature] BBR congestion control for QUIC and HTTP/3. 
[New Feature] "Require env XXXX" access control support.
[New Feature] User/Account level bandwidth throttling for Redis dynamic virtual hosting.
[Improvement] Further HTTPS SSL layer performance tuning.
[Improvement] Automatically restart running PHP processes when PHP binary changes are detected.
[Improvement] Automatically convert ea-phpXX handler configuration into a phpXX handler when an ea-php handler is not available.
[Improvement] Improved AIO access logging to minimize disk I/O.
[Improvement] Avoid reCAPTCHA verification on AJAX requests to minimize false positives.
[Improvement] Built-in error and reCAPTCHA verification pages are now responsive.
[Improvement] Remove '[' ']' enclosure for IPv6 addresses in the access log and request environment variable 'REMOTE_ADDR'.
[Improvement] Reduced memory usage to improve server scalability.
[Improvement] Improved accuracy of server real-time statistics.
[Improvement] Enable SSL SHM session cache for Apache HTTPS vhost when server level SSH session cache is enabled.
[Improvement] Disable TLSv1.0 by default for better PCI compliance.
[Improvement] Automatically disable HTTP/2, SPDY, and QUIC for CSF messenger vhosts on port 8887.
[Improvement] Added "SmartPush no-cookie" directive to disable cookies used for HTTP/2 and QUIC smart push.
[Improvement] Added `lsws/logs/critical_alert` log file for writing common license errors that could cause LSWS to stop working.
[Improvement] Improved compatibility with CloudLinux python selector.
[Improvement] Improved modsecurity engine compatibility.
[Improvement] Send "Alt-Svc" header advertising QUIC and HTTP/3 support only once per connection.
[Bug Fix] Fixed WordPress brute force protection bugs that were causing false positives and crashes.
[Bug Fix] Fixed a bug causing HTTP/2 requests to stall under rare conditions.
[Bug Fix] Fixed a bug causing broken non-keepalive HTTPS responses.
[Bug Fix] Fixed a Layer4 tunnel bug that caused random crashes.
[Bug Fix] Fixed Apache sometimes starting inside the lshttpd cgroup when switching from LSWS to Apache.
[Bug Fix] Fixed all LSPHP processes not being stopped when switching from LSWS to Apache.
[Bug Fix] Fixed an .htaccess cache bug that caused the server's default PHP handler to be used instead of configured per-vhost suEXEC handlers.
[Bug Fix] Per Apache vhost PHP 7.4 handler now runs in suEXEC mode.

Build 8

[Improvement] Improved python application configuration to allow swapping applications on the same URL. 
[Bug Fix] Disable CRIU feature to avoid server downtime after a recent CloudLinux CRIU library update began causing lscgid to crash.
[Bug Fix] Fixed a mod_security configuration bug that reordered some rules under certain conditions.
[Bug Fix] Fixed a systemd warning under Plesk 18.0.

Build 7

[Improvement] Automatically disable HTTP/2, SPDY, and QUIC for CSF messenger vhost on port 8887.
[Improvement] Added "SmartPush no-cookie" directive to disable cookies used for HTTP/2 and QUIC smart push.
[Improvement] Added `lsws/logs/critical_alert` log file for writing common licensing problems that could cause LSWS to stop working.
[Bug Fix] Fixed a compatibility issue with CloudLinux python selector.

Build 6

[Bug Fix] Fixed a bug introduced in build 5 that caused the server to crash when "require env xxxx" was used.
[Bug Fix] Fixed QUIC support for FreeBSD.
[Bug Fix] Changed "Accept-Encoding" value to be case insensitive.
[Improvement] Use 'pkill' instead of 'killall' in various scripts to minimize dependencies on installed system packages.
[Improvement] Update "Alt-Svc" string for gQUIC advertising.

Build 5

[FEATURE] Enable SSL SHM session cache for Apache HTTPS vhost when server level SSH session cache is enabled. 
[FEATURE] Added support for "Require env XXXX" access control. 
[TUNING] Disable TLSv1.0 by default for better PCI compliance. 
[BUGFIX] Make statistics more accurate for requests processed . 
[BUGFIX] Fixed a minor regression in 5.4 that performs redirect before rewrite when URL without a trailing slash pointing to a directory. 

Build 4

[Improvement] Automatically restart running PHP processes after detecting PHP binary updates.
[Improvement] Automatically converted ea-phpXX handler configuration to phpXX handler when ea-php handler is not available.
[Improvement] Improved AIO access logging to minimize disk I/O.
[Bug Fix] Close unused REUSEPORT socket.
[Bug Fix] Make "requests processed" counter more accurate in real-time report.
[Bug Fix] Make per Apache vhost PHP 7.4 handler run in suEXEC mode.
[Bug Fix] Fixed a bug reading CGI 'umask' configuration as an octal number.

Build 3

[Bug Fix] Fixed a .htaccess cache bug that caused the server's default PHP handler to be used instead of per-vhost suEXEC handlers.
[Bug Fix] Fixed a WP brute force protection bug that occasionally caused 100% CPU usage.
[Bug Fix] Fixed a divide by zero bug that was causing server crashes.
[Bug Fix] Fixed a mod_security engine bug where `@geolookup` would not work properly with new MaxMind DB files.
[Tuning] Reduced Brotli compression memory usage.
[Tuning] Allow mapping www.TLD.com and TLD.com to different native virtual hosts.

Build 2

[New Feature] Added an option to allow generation of full real time status report, including idle virtual host and external app stats.
[Bug Fix] Fixed an RBL compatibility issue with modsecurity rules from Imunify360.
[Bug Fix] Fixed a Layer4 tunnel bug that caused random crashes.
[Bug Fix] Fixed Apache sometimes starting inside the lshttpd cgroup when switching from LSWS to Apache.
[Bug Fix] Fixed all LSPHP processes not being stopped when switching from LSWS to Apache.
[Bug Fix] Fixed a QuicEngine bug that sometimes caused a server crash.

Build 1

[Improvement] Avoid reCAPTCHA verification on AJAX requests to minimize false positives.
[Improvement] Make built-in error and reCAPTCHA verification pages responsive.
[Improvement] Remove '[' ']' enclosure for IPv6 addresses in the access log and request environment variable REMOTE_ADDR.
[Bug Fix] Fixed a bug that caused HTTP/2 requests to stall under rare conditions.
[Bug Fix] Fixed a bug that caused broken non-keepalive HTTPS responses.
[Bug Fix] Fixed a bug that caused WordPress brute force protection false positive.

Build 0

[Security] Addressed recent HTTP/2 DoS advisories (https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md). Fixed CVE-2019-9516 ""0-Length Headers Leak"" vulnerability. Completely blocks unaffected attacks:  CVE-2019-9511 ""Data Dribble"", CVE-2019-9512 ""Ping Flood"", CVE-2019-9513 ""Resource Loop"", CVE-2019-9514 ""Reset Flood"", CVE-2019-9515 ""Settings Flood"", CVE-2019-9517 ""Internal Data Buffering"", and CVE-2019-9518 ""Empty Frames Flood"".
[New Feature] Updated HTTP/3 support to Internet Draft 22.
[New Feature] Smart server PUSH uses cookies to track pushed assets, avoiding pushing the same asset repeatedly.
[Improvement] reCAPTCHA engine has been improved to reduce false positives. 
[Bug fix] Fixed a chunk encoding bug that could cause data corruption.
[Bug Fix] Fixed a bug that could cause truncated response bodies to be transferred over non-keepalive HTTPS connections. This usually affects front-end CDN services.
[Bug Fix] Fixed a regression that prevented Apache vhosts from using PHP daemon mode.
[Bug Fix] Fixed a cache engine bug that failed to forward the `X-Litespeed-purge2` response header to front-end ADC cache engines. 
[Bug Fix] Fixed a bug that causes Python WSGI applications to fork child processes frequently.

Build 3

[Bug Fix] Fixed a bug that could cause truncated response bodies to be transferred over non-keepalive HTTPS connections. This usually affects front-end CDN services.

Build 2

[New Feature] Updated HTTP/3 support to Internet Draft 22 .
[New Feature] Smart server PUSH uses cookies to track pushed assets, avoiding pushing the same asset repeatedly.
[Improvement] Re-enabled PHP graceful shutdown now that the PHP LiteSpeed SAPI 7.5 package is ready.
[Improvement] Tuned reCAPTCHA verification to avoid requesting verification on image/css/js files.
[Bug Fix] Minor bug fixes for 404 logging and some rare crashes.

Build 1

[Update] Updated cPanel/WHM plugins to v1.2.3.3 and v3.3.3.5 respectively.
[Bug fix] Fixed a chunk encoding bug that could cause data corruption.
[Bug fix] Fixed a bug with customized reCAPTCHA pages.
[Bug fix] Fixed a QUIC engine bug that affected graceful restarts.
[Bug fix] Fixed a BAN request method parsing bug.

Build 0

[Major Improvement] Massive HTTP/2 HTTPS performance boost (up to 5x faster than LSWS v5.3.x).
[Major New Feature] Experimental HTTP/3 draft 20 support.
[Major New Feature] Redis and rewrite based dynamic virtual hosting.
[Major New Feature] Server level reCAPTCHA protection efficiently defends against layer-7 DDoS attacks of any size.
[New Feature] Added support for Q046 in QUIC engine.
[New Feature] HTTPS accelerator with direct dynamic TLS record packaging, improving both HTTPS throughput and TTFB without compromise.
[New Feature] HTTPS handshake offloading, improving HTTPS handshake speed and avoiding clogging the server's main event loop. (No extra configuration required)
[New Feature] SO_REUSEPORT support, improving multi-worker scalability for high traffic deployments.
[New Feature] HTTPS certificate compression, reducing the size of HTTPS handshake exchange data.
[Improvement] Improved HTTP/2 stream prioritization for a better user browsing experience.

RC4

[New Feature] Support for SO_REUSEPORT for multi-worker license.
[New Feature] HTTPS/QUIC handshake offloading.
[New Feature] TLSv1.3 certificate compression.
[New Feature] High Availability for Redis dynamic vhost setup.
[New Feature] Support for Google QUIC 046.
[New Feature] Experimental IETF QUIC draft-20.

RC3

[Major New Feature] Dynamic Virtual Host configuration through REDIS backend.
[Major Improvement] Greatly improved HTTP/2 performance -- up to 7x faster than previous implementations.
[Bug fix] Improved QUIC engine performance and stability.
[Bug fix] All bug fixes and enhancements on 5.3.x branch included.

RC2

[Major New Feature] Dynamic virtual hosting through rewrite rules.
[Improvement] Improved HTTP/2 performance.
[New Feature] QUIC proxy backend support for backend communication through QUIC.
[Bug fix] All applicable bug fixes from the 5.3 branch.
[Bug fix] Fixed a few server crash bugs.

RC1

[New Feature] Recaptcha verification for DDoS attack mitigation.
[New Feature] Support for Ruby/Python/Nodejs applications in native configuration.
[New Feature] Added Virtual Host level trusted IP control, managed through .htaccess.
[Major Improvement] Added LiteSpeed TLS Accelerator, maximizing HTTPS & HTTP/2 performance.
[Major Improvement] HTTP/2 performance has been improved with a better header compression/decompression work flow.
[Bug fix] All bug fixes from LSWS 5.3.5 incremental builds included.

Build 6

[Update] Updated cPanel/WHM plugins v1.2.3.2 and v3.3.3.4 respectively.
[Bug fix] Temporarily stop PHP processes with SIGKILL as a workaround for problems caused by clean shutdown logic added to PHP LiteSpeed SAPI v7.4.3.
[Bug fix] Added websocket proxy support for cPanel and webmail subdomains in addition to WHM subdomains.
[Bug fix] Fixed a QUIC engine bug and made QUIC more DoS attack resistant.

Build 5

[Bug Fix] Updated WHM plugin to v3.3.3.2 to fix a bug introduced in the previous version that caused most plugin actions to result in a PHP fatal error.
[Bug Fix] To avoid server crash, PCLMUL will be disabled in the zlib library if the server CPU does not support PCLMUL instructions.

Build 4

[New feature] Web Cache Manager CLI support for DirectAdmin.
[Bug fix] Fixed websocket proxy from https to ws:// backend; made WHM terminal work properly through proxy.
[Bug fix] Improved compatibility with Apache; "Require ip xxx" can bypass HTTP authentication.
[Bug fix] Added support for "AddEncoding br ..." to avoid double compression.
[Bug fix] Updated WebAdmin code to avoid some E_STRICT warnings.
[Bug fix] Fixed server PUSH parsing problem when 'Link' header contains multiple URLs.

Build 3

[Bug fix] Fixed an ACL bug occurring when environment variables are used in Allow/Deny configurations.
[Bug fix] Fixed a request parser bug which caused the server to crash when a partition holding a temp file is out of space.
[Bug fix] Fixed a cache engine bug that caused requests to certain URLs to hang.

Build 2

[Bug fix] Fixed a regression in PHP daemon mode that causes 503 errors.

Build 1

[Bug fix] Fixed an IP2Location configuration bug that could cause the server to crash during startup.
[Bug fix] Fixed a bug with nested ESI subrequests that caused random crashes.

Build 0

[Security] Added built-in filter to block attempts at hacking LiteMage with crafted ESI requests.
[New Feature] lscmctl script can now be used to install/uninstall the LiteSpeed Web Cache Manager user-end plugin for cPanel. 
[New Feature] Recommend a plugin or broadcast a message to all discovered WordPress installations with the dash notify feature, available in both the lscmctl script and WHM plugin.
[Improvement] Bundled WHM and user-end cPanel plugins have been updated to v3.3.1 and v1.2.0.2 respectively.
[Improvement] Support request header sizes of up to 64K.
[Improvement] Ignore <if> <else> <elseif> configuration contexts.
[Improvement] Added support for Apache configuration directive ""Require ip ..."".
[Improvement] Improved lsup.sh with stable release tier.
[Improvement] Improved rc-inst.sh to install systemd unit file for Plesk + Debain/Ubuntu.
[Improvement] Improved NodeJS application compatibility and mod_passenger configuration handling.
[Improvement] Added autoconfig for PHP 7.4.
[Improvement] Improved compatibility with LSAPI 7.3 .
[Improvement] Improved HPACK encoding performance.
[Improvement] Cache engine now updates ""X-LiteSpeed-Cache-Control max-age"" value based on actual expire time when a front-end lscache proxy exists. 
[Improvement] Improved compatibility with Apache mod_security on variables REQUEST_BODY, REQUEST_FILENAME and LAST_UPDATE_TIME.
[Improvement] Fixed PHP handler compatibility issues with Plesk's updated configuration template.
[Improvement] Improved WordPress brute force detection IP logging.
[Bug fix] Fixed an Apache SSL vhost SNI configuration bug.
[Bug fix] Fixed a QuicEngine bug that could cause broken responses.
[Bug fix] Fixed a cache + ESI engine bug that caused random server crashes.
[Bug fix] Fixed rewrite engine infinite loop when rewrite map file is stored in an NFS mount.
[Bug fix] Improved detached mode process manager to accurately stop detached processes when requested.
[Bug Fix] Added User-Agent and Referer headers to server pushed requests to avoid failing possible checks in a user's custom configuration.
[Bug Fix] Fixed FreeBSD 100% cpu usage for kqueue event loops when AIO logging is enabled.
[Bug Fix] Fixed an SSL OCSP stapling bug.
[Bug Fix] Fixed broken server restart when port offset had been set.
[Bug Fix] Fixed a memory leak in the GeoIP module.

Build 8

[Bug Fix] Fixed a cache + ESI bug that could cause random crashes.
[Bug Fix] Fixed a rewrite engine bug.
[Bug Fix] Fixed a memory leak in the GeoIP module.
[Bug Fix] Fixed a Plesk compatibility issue.

Build 7

[Improvement] Better WordPress brute force detection IP logging.
[Improvement] Allow request header sizes greater than 32K.
[Improvement] Added PID to error log messages for worker processes.
[Bug fix] Fixed a Ruby selector regression introduced in v5.3.7 build 3.
[Bug fix] Fixed an SSL OCSP stapling bug.
[Bug Fix] Fixed broken server restart when port offset had been set.

Build 6

[New Feature] Added the ability to install/uninstall the LiteSpeed Web Cache Manager user-end plugin for cPanel using the lscmctl script.
[Improvement] Fixed PHP handler compatibility issues with Plesk's updated configuration template.
[Improvement] Improved LSAPI compatibility with LSAPI 7.3 .
[Improvement] Improved HPACK encoding performance.
[Improvement] Cache engine now updates X-LiteSpeed-Cache-Control max-age value based on actual expire time when a front-end lscache proxy exists.
[Improvement] Natively configured detached PHP process groups are now gracefully restarted. 

Build 5

[New Feature] Recommend a plugin or broadcast a message to all discovered WordPress installations with the dash notify feature available in the lscmctl script and WHM plugin.
[Improvement] Ignore <if> <else> <elseif> configuration contexts.
[Improvement] Added autoconfig for PHP 7.4.
[Update] Updated WHM plugin to v3.3 and user-end cPanel plugin to v1.2.
[Bug Fix] ESI engine bug fix.
[Bug Fix] Fixed freeBSD 100% cpu usage for kqueue event loops.
[Bug Fix] Fixed a detached mode process manager bug that accidentally killed other lshttpd worker processes. 

Build 4

[Improvement] Improved lsup.sh with stable tier.
[Improvement] Improved NodeJS application compatibility and mod_passenger configuration handling.
[Bug Fix] Fixed a bug in detached mode process manager that failed to stop running processes under certain server environments.
[Bug Fix] Added User-Agent and Referer headers to server pushed requests to avoid failing possible checks in a user's custom configuration.
[Bug Fix] Implemented mod_security REQUEST_BODY as a dedicate variable.

Build 3

[Improvement] Improved rc-inst.sh to install systemd unit file for Plesk + Debain/Ubuntu.
[Bug fix] Fixed an ESI engine memory management bug that caused random server crashes.
[Bug fix] Fixed rewrite engine infinite loop when rewrite map file is stored in an NFS mount.

Build 2

[Bug Fix] Fixed a detached mode process manager bug introduced in build 1.

Build 1

[Security] Added built-in filter to block attempts to hack LitemMage with crafted ESI request.
[Bug Fix] Fixed a detached mode process manager bug made killing other unrelated processes possible.
[Bug Fix] Fixed an Apache SSL vhost SNI configuration bug.
[Bug Fix] Fixed a QuicEngine bug that could cause broken responses.

Build 0

[Security] Fixed a XSS vulnerability in directory auto index script.
[Improvement] Improved QUIC transport protocol performance and reliability.
[Improvement] Improved default configuration for servers with heavy disk I/O wait.
[Improvement] Made IP based SSL SNI configuration exactly match Apache's.
[Improvement] Made .rtreport symbolic links root owned to avoid LFD file warnings.
[Improvement] Improved ESI support for JSON responses.
[Improvement] Improved lsup.sh script to check build number against latest build.
[Update] Updated bundled WHM plugin to v3.2.0.3 and user-end cPanel plugin to v1.1.1.2 to address an integration issue with the recent LSCWP release.
[Bug Fix] Fixed a file descriptor leak in piped logger.
[Bug Fix] Fixed a bug that prevented changing the Cache-Control or Expire headers within PHP.
[Bug Fix] Fixed inaccurate real-time statistics.
[Bug Fix] Fixed a rewrite engine compatibility issue.
[Bug Fix] Fixed a regression in "Redirect" directive handling.
[Bug Fix] Fixed a QUIC engine bug when handling extra long response headers.
[Bug Fix] Fixed a regression that broke the "SetHandler" directive.
[Bug fix] Fixed a rewrite engine bug where target URLs containing "../" could cause problems.
[Bug fix] Fixed an external loop redirect detection bug.
[Bug Fix] Fixed a mod_security bug stopping response headers from being logged to the audit_log.
[Bug Fix] Fixed a mod_security engine bug that was mistakenly skipping some rules for POST requests.
[Bug Fix] Fixed an ESI engine bug that broke detection for looping includes, causing the server to run out of memory.
[Bug Fix] Increased logging for detach mode process manager. A forced lock release will now occur if a dead lock is detected when starting detach mode processes.
[Bug Fix] Fixed systemd unit file lshttpd.service by requiring network-online.target.
[Bug Fix] Allow xx.xx.xx.xx/32 as valid IP in ACL configuration.

Build 6

[Security] .rtreport no longer world readable.
[Improvement] Improved QUIC transport protocol performance and reliability.
[Improvement] Made IP based SSL SNI configuration exactly match Apache's.
[Improvement] Made .rtreport symbolic links root owned to avoid LFD file warnings.
[Bug Fix] Fixed inaccurate real-time statistics.

Build 5

[Update] Updated bundled WHM plugin to v3.2.0.3 and user-end cPanel plugin to v1.1.1.2.
[Improvement] Improved lsup.sh script to check build number against latest build.
[Bug Fix] Fixed systemd unit file lshttpd.service, by requiring network-online.target.
[Bug Fix] Allow xx.xx.xx.xx/32 as valid IP in ACL configuration.

Build 4

[Update] Updated bundled WHM plugin to v3.2.0.2 and user-end cPanel plugin to v1.1.1.1 to address an integration issue with the recent LSCWP v2.9.3.
[Bug Fix] Fixed a mod_security engine bug that was mistakenly skipping some rules for POST requests.
[Bug Fix] Fixed an ESI engine bug that broke detection for looping includes, causing the server to run out of memory.
[Bug Fix] Increased logging for detach mode process manager. A forced lock release will now occur if a dead lock is detected when starting detach mode processes.

Build 3

[Improvement] Improved ESI support for JSON responses.
[Bug fix] Fixed rewrite engine bug where target URLs containing "../" could cause problems.
[Bug fix] Fixed an external loop redirect detection bug.
[Bug Fix] Fixed a mod_security bug stopping response headers from being logged to the audit_log.

Build 2

[Bug Fix] Fixed a regression that broke the "SetHandler" directive.
[Bug Fix] OCSP cache directory now properly adjusted in chroot environments.

Build 1

[Improvement] Improved default configuration for servers with heavy disk I/O wait.
[Bug Fix] Fixed a rewrite engine compatibility issue.
[Bug Fix] Fixed a regression in "Redirect" directive handling.
[Bug Fix] Fixed a QUIC engine bug when handling extra long response headers.

Build 0

[New Feature] lscmctl script can now be used to set custom server and virtual host cache roots with the 'setcacheroot' command.
[Improvement] Added "ProxyPass"/"ProxyPassMatch" support for AJP backend.
[Improvement] Added support for "IP:port" in "X-Forwarded-For" header.
[Improvement] Reliably switch back to Apache in the case of a LiteSpeed licensing problem.
[Improvement] Added back support for SecFilterEngine and SecFilterScanPOST directives for backward compatibility.
[Update] Updated bundled WHM plugin to v3.2.0.1 and user-end cPanel plugin to v1.1.1. 
[Bug Fix] Fixed AddHandler directive behavior to be the same as AddType.
[Bug Fix] Fixed an OCSP stapling bug that caused Mozilla connection issues.
[Bug Fix] Stopped PHP from logging errors into the error log when stderr.log was disabled.
[Bug Fix] Fixed a SecRemoteRule handling bug.
[Bug Fix] Fixed a bug causing detached PHP processes to be stopped during graceful restarts, which may cause random 503 errors.
[Bug Fix] Fixed a bug in processing GeoIP2 mmdb database.
[Bug Fix] Fixed a bug introduced in v5.3.5 build 5 that broke cPanel/WHM's "redirect to closest matched domain" feature.
[Bug Fix] Fixed cPanel two factor authentication.
[Bug Fixes] Minor bug fixes involving Apache compatibility issues.

Build 9

[Bug Fix] Fixed a bug causing detached PHP processes to be stopped during graceful restarts.

Build 8

[Bug Fix] Fixed an OCSP response verification bug (introduced in the previous build) that caused crashing.
[Bugfix] Fixed a bug in processing GeoIP2 mmdb database. 
[Bugfix] Fixed a bug introduced in 5.3.5 build 5 that breaks cPanel/WHM redirect to closest matched domain feature.

Build 7

[Enhancement] Added extra validation on OCSP response to avoid outdated response for newly renewed certificate. 
[Integration] Made LSWS compatible with Apache configuration generated by cPanel v78.
[Bug Fix] Fixed AddHandler directive behavior to be the same as AddType.

Build 6

[New Feature] Added "ProxyPass"/"ProxyPassMatch" support for AJP backend.
[New Feature] Added support for "IP:port" in "X-Forwarded-For" header.
[Improvement] Detached PHP processes are now detected and restarted more reliably.
[Bug Fix] Applied a SecRemoteRules fix to avoid rule file corruption.
[Bug Fix] Fixed a bug that could cause a blank response body for pre-compressed content.

Build 5

[Update] Updated default welcome page content.
[Bug Fix] Fixed a SecRemoteRule handling bug.
[Bug Fix] Fixed a bug causing detached mode PHP processes to log PHP stderr messages to the server's error log file.
[Bug Fix] Fixed an awstats integration bug that broke dynamic page generation mode.
[Bug Fix] Fixed an infinite loop bug that occurred with badly configured contexts.

Build 4

[Improvement] Reliably switch back to Apache when there is a LiteSpeed licensing problem.
[Improvement] Added back support for SecFilterEngine and SecFilterScanPOST directives for backward compatibility.
[Bug Fix] Stopped PHP error logging into error log when stderr.log is disabled.

Build 3

[Bug Fix] Fixed a bug that causes excessive requests to OSCP responder.
[Bug Fix] Fixed a bug that failed to handle some types of Node.js selector configurations.
[Bug Fix] Fixed a bug that failed cPanel two factor authentication.
[Bug Fix] Fixed a bug in LiteMage combined subrequest handling.

Build 0

[Improvement] Improvements to HTTP/2, QUIC, and rewrite engine.
[Bug Fix] HTTP/2, QUIC, and rewrite engine bug fixes.
[Bug Fix] Fixed mod_security engine not handling skipAfter properly in the `SecAction` directive.
[Bug Fix] Fixed server failing to automatically fix cache directory permission problems.

Build 8

[Bug Fix] Fixed a rewrite engine bug introduced in 5.3.4 build 7, which could cause ERR_SPDY_PROTOCOL_ERROR and redirect problems.

Build 7

[Improvement] Improved mod_rewrite compatibility.
[Improvement] Improved QUIC engine by dynamically adjust batch size of outgoing packets.

Build 5

[Improvement] Improved PHP process abort feature to occur in a more timely manner.
[Bug Fix] Fixed an HTTP/2 engine bug that caused connections to reset under certain situations.

Build 4

[Improvement] Improved mod_security engine with UNIQUE_ID support.
[Update] Disabled 503 auto fix by default.
[Bug Fix] Fixed an SSL OCSP stapling bug.
[Bug Fix] Fixed memory and resource leaks.
[Bug Fix] Fixed incompatible behavior with Python selector support.
[Bug Fix] Fixed a license information display bug in WebAdmin Console.

Build 2

[Improvement] Improved compatibility for WebCache manager.
[Bug Fix] This build include a fix for gQUIC v044 support

Build 1

[Improvement] Improved NODEJS support.
[Improvement] Detect curl + HTTP/2 combination and disable HTTP/2 for future access.
[Update] Updated WHM plugin to v3.1.3.2 to address a compatibility issue with newer versions of the LSCWP plugin.
[Update] Updated cPanel user-end plugin to v1.0.2.1 to address a compatibility issue with newer versions of the LSCWP plugin.

Build 0

[MAJOR NEW FEATURE] Added support for Google QUIC v44. 
[NEW FEATURE] Improved Ruby/Python selector support and apply engine version changes on the fly.
[NEW FEATURE] Allow overriding external application environment at vhost level.
[NEW FEATURE] Log HTTP/2 in access log for HTTP/2 connection.
[NEW FEATURE] Auto detect and use cPanel signed certificate for WebAdmin.
[NEW FEATURE] Auto correct bad HTTPS proxy backend configured as HTTP.
[IMPROVEMENT] Improved compatibility with ColdFusion engine.
[UPDATE] Updated bundled WHM plugin to v3.1.3.1
[UPDATE] Updated bundled cPanel user-end plugin to v1.0.2.
[BUGFIX] Fixed mod_security engine compatibility issue with latest COMODO ruleset.
[BUGFIX] Added "Accept-Range: bytes" header back for static files.
[BUGFIX] Fixed bug in rewrite engine loop redirection detection.

Build 3

[Bug Fix]  Fixed a mod_security engine bug that caused incorrect behavior with the comodo ruleset.

Build 2

[Bug Fix] Made adjustments to PHP handler configuration to fix broken PHP selector.
[Bug Fix] Fixed a memory leak in HTTP/2.
[Bug Fix] Fixed a crash when parsing Apache configuration.

Build 0

[Bug Fix] Emergency release to ignore faulty rewrite rule introduced by cPanel
  • Admin
  • Last modified: 2020/08/12 13:43
  • by Lucas Rolff