thttpd - tiny/turbo/throttling HTTP server

thttpd is a simple, small, portable, fast, and secure HTTP server.

Simple:

It handles only the minimum necessary to implement HTTP/1.1. Well, maybe a little more than the minimum.

Small:

See the comparison chart. It also has a very small run-time size, since it does not fork and is very careful about memory allocation.

Portable:

It compiles cleanly on most any Unix-like OS, specifically including FreeBSD, SunOS 4, Solaris 2, BSD/OS, Linux, OSF.

Fast:

In typical use it's about as fast as the best full-featured servers (Apache, NCSA, Netscape). Under extreme load it's much faster.

Secure:

It goes to great lengths to protect the web server machine against attacks and breakins from other sites.

• HTMLized man page
• thttpd notes
• options guide
• auxiliary programs
• web server comparisons
• a Windows port of thttpd 2.07
• other web resources

How do you pronounce thttpd? Ask Bloom County's Bill the Cat, as seen in User Friendly, the excellent geek-positive comic. You can also use this fun Bill-based thttpd badge on your own web site if you like. It was drawn by Anatole Shaw.

Are you using thttpd? There's a mailing list: thttpd@acme.com (thttpd-request@acme.com to subscribe, archived here). And an announcements-only mailing list: thttpd-announce@acme.com (thttpd-announce-request@acme.com to subscribe). Also if you have any nice quotes I can use, send 'em in. For instance:

"I got thttpd compiled and running on the web server at work in no time at all, or close enough for my purposes, and I really like it, and when I told the rest of the crew what the footprint was they almost coughed up their lunches."

-- Martin Kelly

"Our load averages have dropped significantly since we moved our graphics to thttpd."

-- Randy Cosby

"i just grabbed thttpd and set it up on my personal box to test it out, and i am amazed at how quick and easy that was. i'm a hardcore apache expert but this was just phenomenally simple. very refreshing."

-- Jon Drukman

"I switched to thttpd on my underpowered server about 20 minutes after downloading it."

-- Daniel Quinlan

"I just wanted to let you know that I installed thttpd and it works really great. The server is a P3/500 w/512 megs running FreeBSD 3.3 and when it was using apache it was at about 11 load average and kept throwing connections and errors. Now it runs dandy with thttpd and the load average is between 0.1 and 0.2. The thttpd process is at about 200 megs size and the system is usually 60% idle. The machine serves about 400 simultaneous connections (more on peak hours)."

-- Petru Paler

"I just upgraded my htdocs development box from apache to thttpd. I was looking for a httpd that would use less memory - I found one that was faster and easier to use as well :)"

-- David Brownlee

"We are using thttpd to serve all of our images. We are a huge traffic site. We moved about a month ago from a barebones apache. The load on our web servers dropped dramatically, as did the memory usage! woohoo!"

-- Jeremy from care2.com

"Configuration: Athlon 700, 800MB RAM. Before: Apache, load=170, machine unusable, capped at 4Mbits, SWAPPING. After: thttpd, load=.09 (yes, that's point-zero-nine), happy at 8Mbits, only using ~300MB of RAM."

-- Jon Oringer

• demon.net, Demon Internet, a large UK ISP
• global.net.uk, Global Internet, another large UK ISP
• bluelight.com, Kmart's web site
• img.gamespot.com, GameSpot's image server
• download.napster.com, Napster's download server
• stephenking.com, Stephen King's official site

On Red Hat Linux systems you can use RPM to install thttpd, like so:

cd /usr/src/redhat/SOURCES
wget http://www.acme.com/software/thttpd/thttpd-2.21b.tar.gz
rpm -ta thttpd-2.21b.tar.gz
rpm -i /usr/src/redhat/RPMS/i386/thttpd-2.21b-1.i386.rpm

• ANSI compile nits in timers.h and libhttpd.c. I thought I had already fixed these.
• Two small fixes to USR1 signal handling. Should be more reliable now.
• Fixed the "throttle sending count was negative" bug.
• 503 Service Overloaded errors were not getting logged.
• New throttling syslogs.
• Tuning tweaks to throttling, it's much more accurate now.
• Tweak to the sample log-rotation script.
• Allow trailing whitespace on the HTTP request line - it violates the HTTP/1.1 spec, but it's harmless, and at least one client (TiVo's v1.3 http_get [not related to my own http_get]) generates it.
• Changed the capitalization on some HTTP headers we generate, to interoperate with a client (yes, the same one) that is too stoopid to do case-insensitive matching.
• Pass Accept-Language headers to CGIs.
• Make log entries at the end of a connection instead of the beginning, so that the byte count is correct.
• Off-by-one error in base-64 decoding, from Archie Cobbs.
• Updated man page throttling section for the wildcard change in 2.17.
• Couple of fixes for top-level redirection, from KIKUCHI Takahiro.
• New option to hide thttpd's version, from Paul Fox.
• Changed include of <sys/time.h> to <time.h>.
• Fixed cross-site scripting bug relating to the built-in error pages.
• Changed the mmap cache to use ctime instead of mtime, to better handle permissions changes.
• VHOST_DIRLEVELS patch, from Vadim Belman.
• ssi missing-header bugfix, from Marcel Telka.
• Hack to deal with garbage characters after POST data generated by some browsers.
• Added -g global passwd file option, suggested by Craig Leres.
• Robustness and performance improvements for mmap cache, from Evan Jones.
• kqueue support, from Niels Provos.
• If both select and poll are available, always use poll.
• Don't syslog "Connection reset by peer" errors.
• If the logfile is "/dev/null", don't bother logging at all.
• The mmap cache now tries to keep the total number of maps below a configurable parameter. See DESIRED_MAX_MAPPED_FILES.
• Fix for garbled packets causing needless 400 errors, from John Salmon.
• Improved some status-checking and error-reporting.
• Redid the debugging stats syslog messages, and made them show up on a SIGUSR2 as well as by timer.
• Use accept filtering if available.

• Corrected version of Marcel Telka's ssi fix. My bad.

• Performance improvements to the timer package via hashing, and double-linking / sorting the lists. Partially based on a suggestion by Michal Ostrowski.
• Performance improvement to the mmap cache package, from Evan Jones.
• Minor Linux fix for open files limit, from Jordan Ritter.
• Fix for null ClientData, which picky compilers didn't like.
• Unknown sockaddr type becomes a non-fatal error, preventing a DOS attack.
• Close extraneous file descriptors on CGI calls, from Russell Dill.
• Security fixes for the external ssi program, from ghandi@dopesquad.net and Wolfgang Rupprecht.
• Fix to make the ssi program elide the HTML comment sequence, from Marcel Telka.
• Red Hat packaging updates from Bennett Todd.
• Throttling fix from Tom Pavel.

• Added hack to prevent MSIE 5 from censoring error messages.
• Minor fix to handling of shouldn't-happen error in ls().
• IPv6/Linux fix from Tero Pelander.
• Documented the -D flag.

• Fixed URL-encoding of high-bit characters - used in directory listings.
• Made a few more characters come through verbatim instead of %-encoded.
• Couple of minor code cleanups.
• Added some MIME types to support WAP/WML.
• IPv6 fix.
• Made MIME text character-set an option, with iso-8859-1 the default.

• A change in the way wildcard matching works - now a single * only matches strings that don't include a slash. To match entire pathnames including slashes you have to use **.
• On systems with IPv6, automatically bind to both v4 and v6 sockets.
• Slight change to non-local referer checking to handle older browsers.
• Tweaks to some of the error-403 syslog messages.
• Portability tweak for OSF/1.
• Portability tweak for IPv6 systems.
• Fix for ssi.c from Marcel Telka.
• Added charset=iso-8859-1 to text MIME types.
• Added wildcards to redirect.
• Changed symlinks/nosymlinks config options to symlink/nosymlink, to conform to the man page (old style still accepted).

• More explicit error pages for 403 Forbidden.
• New section in the manual page explaining how thttpd is picky about file permissions.
• Couple of CGI tweaks from David Chaiken.

• Use standard isxdigit macro instead of is_hexit routine.
• Portability fix for Debian, which lacks gai_strerror().
• Fix for .htpasswd authorization, broken by 2.14's custom error pages change.

• Fix to non-local referer code - it was trying to dereference a null pointer under some circumstances.
• Fix to If-Modified-Since - some leap year problems.
• Rewrote match() - it was using a whole lot of CPU time for patterns with lots of |'s, such as those used by the new non-local-referer filtering.
• Fix to host lookup code for -h flag.
• Fix custom error pages to work with 401 Unauthorized.
• Removed unused variable.

• Portability fix for fdwatch on systems with poll() but not select().
• Renamed nph-redirect to redirect, now that thttpd does header parsing.
• Always chdir to / after a chroot.
• Some minor de-linting changes.
• Revived code that closes stdin/stdout/stderr, after adding a fix in the CGI code to prevent descriptors from getting screwed up.
• Bugfix for CGI header parsing - if the CGI was sending binary data (e.g. images), the result could get truncated or corrupted.
• Disallow ".." listing of virtual host directory.
• Revised snprintf portability fix.
• Rearranged the hc initialization so it's all in one place.
• New IPv6 code from KIKUCHI Takahiro.
• New non-local referer filtering code from Craig Leres.
• New custom error pages code from Catalin Ionescu.

• Better heuristic for deciding between select() and poll().
• Added Red Hat RPM spec file.

• Use poll() instead of select() when favorable.
• Do lazy allocation of part of the connection data structure, to save on memory now that we can have thousands of simultaneous connections.
• Some speed optimizations.
• Add HTTP_HOST to CGI environment.
• Bugfix for rare uninitialized variable.

• Bugfix for CGI header parsing.
• Call setlogin() if it's available.

• Never do lingering-close on CGI calls - this fixes the problems some people noticed with large amounts of CGI POST data.
• Better portability fix for numeric timezone.
• CGI header parsing.

• Connection read buffers are allocated on demand, lowering typical memory use by a megabyte or so.
• Handle zero-length files better on weird systems.
• URI-encoding of weird characters in index generation.
• Enhancements to periodic stats log message.

• Added CGI_LD_LIBRARY_PATH config option.
• Solaris portability fix for numeric timezone change.
• Virtual hostnames get pounded to lower case before getting looked up.
• Fix for TILDE_MAP_2 non-existent directories.
• Fix for throttling problem seen on high-traffic sites.
• Added option to defeat explicit symlink checking.

• Portability fix for machines which don't have snprintf().
• Bugfix for generated index pages.
• Change order of chroot initialization so that pidfile works.
• Change order of signal initialization so that we don't get a startup HUP.
• Use numeric timezones in log file.
• When vhosting, prepend hostname in log entry.
• Minor install fix.
• Added AUTH_TYPE CGI variable.
• Fix to TILDE_MAP_2.
• Optional multi-level vhost directory indexing.

• New el-cheapo virtual hosting feature.
• Assorted bug fixes - non-anchored wildcard matching, truncated CGI output, throttling, authorization cache, daemonization, date-header parsing.
• Option to write pid to a file, re-open log file on SIGHUP.
• Now looks for index files from a list, instead of only index.html.
• Simple config file.

• The simple mmap cache added in version 2.01 is now more aggressive, improving performance when a small set of files gets fetched a whole lot.
• Fixed bug in filename translation.

• Fix for CGI, broken on Linux by the close-on-exec hack in 2.01.
• Do a setgroups() when root to give up supplementary groups as well as primary group.

• SunOS 4 compile fix.
• Fix for occasional SEGV when reading too-large requests.

• Mmap cache to improve performance on multiple large downloads.
• 40% CGI performance improvement via the close-on-exec flag.
• Minor optimization to the timers package, no visible effect on performance.
• Send response headers and first load of data as a single packet instead of two packets, which seems to save a network roundtrip time, drastically improving latency.
• CGI programs may now be mode 711 (execute-only).
• Some fixes to 'make install'.

• No more 5-second initial read timeout.
• Faster handling of initial connections.
• Periodic stats syslog message.
• Optional logging to a file instead of syslog.
• Misc performance improvements.

• HTTP/1.1 support.
• Basic authentication.
• Byte-range serving.
• New config options: GENERATE_INDEXES, LOG_UNKNOWN_HEADERS.
• Bug fixes.

• If-modified-since.
• POST.
• Auto-configure.
• Combined log format.