7 - ESP32 OpenSSL support for client and server
9 - ESP32 4 x WLAN credential slots may be configured
11 - Libevent event loop support
13 - SOCKS5 proxy support
15 - lws_meta protocol for websocket connection multiplexing
17 - lws_vhost_destroy() added... allows dynamic removal of listening
18 vhosts. Vhosts with shared listen sockets adopt the listen socket
19 automatically if the owner is destroyed.
23 - Improved CGI handling suitable for general CGI scripting, eg, PHP
25 - Convert even the "old style" test servers to use statically included
28 - LWS_WITH_STATS cmake option dumps resource usage and timing information
29 every few seconds to debug log, including latency information about
30 delay from asking for writeable callback to getting it
32 - Large (> 2GB) files may be served
34 - LWS_WITH_HTTP_PROXY Cmake option adds proxying mounts
36 - Workaround for libev build by disabling -Werror on the test app
38 - HTTP2 support disabled since no way to serve websockets on it
46 - A mount can be protected by Basic Auth... in lwsws it looks like this
50 "mountpoint": "/basic-auth",
51 "origin": "file://_lws_ddir_/libwebsockets-test-server/private",
52 "basic-auth": "/var/www/balogins-private"
56 The text file named in `basic-auth` contains user:password information
59 See README.lwsws.md for more information.
61 - RFC7233 RANGES support in lws server... both single and multipart.
62 This allows seeking for multimedia file serving and download resume.
63 It's enabled by default but can be disabled by CMake option.
65 - On Linux, lwsws can reload configuration without dropping ongoing
66 connections, when sent a SIGHUP. The old configuration drops its
67 listen sockets so the new configuration can listen on them.
68 New connections connect to the server instance with the new
69 configuration. When all old connections eventually close, the old
70 instance automatically exits. This is equivalent to
71 `systemctl reload apache`
73 - New `adopt` api allow adoption including SSL negotiation and
74 for raw sockets and file descriptors.
76 - Chunked transfer encoding supported for client and server
78 - Adaptations to allow operations inside OPTEE Secure World
80 - ESP32 initial port - able to do all test server functions. See
83 - Serving gzipped files from inside a ZIP file is supported... this
84 includes directly serving the gzipped content if the client
85 indicated it could accept it (ie, almost all browsers) saving
86 bandwidth and time. For clients that can't accept it, lws
87 automatically decompresses and serves the content in memory-
88 efficient chunks. Only a few hundred bytes of heap are needed
89 to serve any size file from inside the zip. See README.coding.md
91 - RAW file descriptors may now be adopted into the lws event loop,
92 independent of event backend (including poll service).
95 - RAW server socket descriptors may now be enabled on the vhost if
96 the first thing sent on the connection is not a valid http method.
97 The user code can associate these with a specific protocol per
98 vhost, and RAW-specific callbacks appear there for creation, rx,
99 writable and close. See libwebsockets-test-server-v2.0 for an example.
102 - RAW client connections are now possible using the method "RAW".
103 After connection, the socket is associated to the protocol
104 named in the client connection info and RAW-specific callbacks
105 appear there for creation, rx, writable and close.
106 See libwebsockets-test-client (with raw://) for an example.
115 - Support POST arguments, including multipart and file attachment
117 - Move most of lwsws into lws, make the stub CC0
119 - Add loopback test plugin to confirm client ws / http coexistence
121 - Integrate lwsws testing on Appveyor (ie, windows)
123 - Introduce helpers for sql, urlencode and urldecode sanitation
125 - Introduce LWS_CALLBACK_HTTP_BIND_PROTOCOL / DROP_PROTOCOL that
126 are compatible with http:/1.1 pipelining and different plugins
127 owning different parts of the URL space
129 - lwsgs - Generic Sessions plugin supports serverside sessions,
130 cookies, hashed logins, forgot password etc
132 - Added APIs for sending email to SMTP servers
134 - Messageboard example plugin for lwsgs
136 - Automatic PING sending at fixed intervals and close if no response
138 - Change default header limit in ah to 4096 (from 1024)
140 - Add SNI matching for wildcards if no specific wildcard vhost name match
142 - Convert docs to Doxygen
159 - There are only api additions, the api is compatible with v1.7.x. But
160 there is necessarily an soname bump to 8.
162 - If you are using lws client, you mainly need to be aware the option
163 LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT is needed at context-creation time
166 - If you are using lws for serving, the above is also true but there are
167 many new features to simplify your code (and life). There is a
170 https://libwebsockets.org/lws-2.0-new-features.html
172 but basically the keywords are vhosts, mounts and plugins. You can now
173 do the web serving part from lws without any user callback code at all.
174 See ./test-server/test-server-v2.0.c for an example, it has no user
175 code for ws either since it uses the protocol plugins... that one C file
176 is all that is needed to do the whole test server function.
178 You now have the option to use a small generic ws-capable webserver
179 "lwsws" and write your ws part as a plugin. That eliminates even
180 cut-and-pasting the test server code and offers more configurable
181 features like control over http cacheability in JSON.
187 These are already in 1.7.x series
189 1) MAJOR (Windows-only) fix assert firing
191 2) MAJOR http:/1.1 connections handled by lws_return_http_status() did not
192 get sent a content-length resulting in the link hanging until the peer closed
193 it. attack.sh updated to add a test for this.
195 3) MINOR An error about hdr struct in _lws_ws_related is corrected, it's not
196 known to affect anything until after it was fixed
198 4) MINOR During the close shutdown wait state introduced at v1.7, if something
199 requests callback on writeable for the socket it will busywait until the
202 5) MAJOR Although the test server has done it for a few versions already, it
203 is now required for the user code to explicitly call
205 if (lws_http_transaction_completed(wsi))
208 when it finishes replying to a transaction in http. Previously the library
209 did it for you, but that disallowed large, long transfers with multiple
210 trips around the event loop (and cgi...).
212 6) MAJOR connections on ah waiting list that closed did not get removed from
215 7) MAJOR since we added the ability to hold an ah across http keepalive
216 transactions where more headers had already arrived, we broke the ability
217 to tell if more headers had arrived. Result was if the browser didn't
218 close the keepalive, we retained ah for the lifetime of the keepalive,
221 8) MAJOR windows-only-POLLHUP was not coming
223 9) Client should not send ext hdr if no exts
228 1) MINOR test-server gained some new switches
230 -C <file> use external SSL cert file
231 -K <file> use external SSL key file
232 -A <file> use external SSL CA cert file
234 -u <uid> set effective uid
235 -g <gid> set effective gid
237 together you can use them like this to have the test-server work with the
238 usual purchased SSL certs from an official CA.
240 --ssl -C your.crt -K your.key -A your.cer -u 99 -g 99
242 2) MINOR the OpenSSL magic to setup ECDH cipher usage is implemented in the
243 library, and the ciphers restricted to use ECDH only.
244 Using this, the lws test server can score an A at SSLLABS test
246 3) MINOR STS (SSL always) header is added to the test server if you use --ssl. With
247 that, we score A+ at SSLLABS test
249 4) MINOR daemonize function (disabled at cmake by default) is updated to work
252 5) MINOR example systemd .service file now provided for test server
253 (not installed by default)
255 6) test server html is updated with tabs and a new live server monitoring
256 feature. Input sanitization added to the js.
258 7) client connections attempted when no ah is free no longer fail, they are
259 just deferred until an ah becomes available.
261 8) The test client pays attention to if you give it an http:/ or https://
262 protocol string to its argument in URL format. If so, it stays in http[s]
263 client mode and doesn't upgrade to ws[s], allowing you to do generic http client
264 operations. Receiving transfer-encoding: chunked is supported.
266 9) If you enable -DLWS_WITH_HTTP_PROXY=1 at cmake, the test server has a
267 new URI path http://localhost:7681/proxytest If you visit here, a client
268 connection to http://example.com:80 is spawned, and the results piped on
269 to your original connection.
271 10) Also with LWS_WITH_HTTP_PROXY enabled at cmake, lws wants to link to an
272 additional library, "libhubbub". This allows lws to do html rewriting on the
273 fly, adjusting proxied urls in a lightweight and fast way.
275 11) There's a new context creation flag LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT,
276 this is included automatically if you give any other SSL-related option flag.
277 If you give no SSL-related option flag, nor this one directly, then even
278 though SSL support may be compiled in, it is never initialized nor used for the
279 whole lifetime of the lws context.
281 Conversely in order to prepare the context to use SSL, even though, eg, you
282 are not listening on SSL but will use SSL client connections later, you must
283 give this flag explicitly to make sure SSL is initialized.
289 1) MINOR APIBREAK There's a new member in struct lws_context_creation_info, ecdh_curve,
290 which lets you set the name of the ECDH curve OpenSSL should use. By
291 default (if you leave ecdh_curve NULL) it will use "prime256v1"
293 2) MINOR NEWAPI It was already possible to adopt a foreign socket that had not
294 been read from using lws_adopt_socket() since v1.7. Now you can adopt a
295 partially-used socket if you don't need SSL, by passing it what you read
296 so it can drain that before reading from the socket.
298 LWS_VISIBLE LWS_EXTERN struct lws *
299 lws_adopt_socket_readbuf(struct lws_context *context, lws_sockfd_type accept_fd,
300 const char *readbuf, size_t len);
302 3) MINOR NEWAPI CGI type "network io" subprocess execution is now possible from
305 LWS_VISIBLE LWS_EXTERN int
306 lws_cgi(struct lws *wsi, char * const *exec_array, int script_uri_path_len,
309 LWS_VISIBLE LWS_EXTERN int
310 lws_cgi_kill(struct lws *wsi);
312 To use it, you must first set the cmake option
314 $ cmake .. -DLWS_WITH_CGI=1
316 See test-server-http.c and test server path
318 http://localhost:7681/cgitest
320 stdin gets http body, you can test it with wget
322 $ echo hello > hello.txt
323 $ wget http://localhost:7681/cgitest --post-file=hello.txt -O- --quiet
327 The test script returns text/html table showing /proc/meminfo. But the cgi
328 support is complete enough to run cgit cgi.
330 4) There is a helper api for forming logging timestamps
333 lwsl_timestamp(int level, char *p, int len)
335 this generates this kind of timestamp for use as logging preamble
337 lwsts[13116]: [2016/01/25 14:52:52:8386] NOTICE: Initial logging level 7
339 5) struct lws_client_connect_info has a new member
343 If it's NULL, then everything happens as before, lws_client_connect_via_info()
344 makes a ws or wss connection to the address given.
346 If you set method to a valid http method like "GET", though, then this method
347 is used and the connection remains in http[s], it's not upgraded to ws[s].
349 So with this, you can perform http[s] client operations as well as ws[s] ones.
351 There are 4 new related callbacks
353 LWS_CALLBACK_ESTABLISHED_CLIENT_HTTP = 44,
354 LWS_CALLBACK_CLOSED_CLIENT_HTTP = 45,
355 LWS_CALLBACK_RECEIVE_CLIENT_HTTP = 46,
356 LWS_CALLBACK_COMPLETED_CLIENT_HTTP = 47,
358 6) struct lws_client_connect_info has a new member
360 const char *parent_wsi
362 if non-NULL, the client wsi is set to be a child of parent_wsi. This ensures
363 if parent_wsi closes, then the client child is closed just before.
365 7) If you're using SSL, there's a new context creation-time option flag
366 LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS. If you give this, non-ssl
367 connections to the server listen port are accepted and receive a 301
368 redirect to / on the same host and port using https://
370 8) User code may set per-connection extension options now, using a new api
371 "lws_set_extension_option()".
373 This should be called from the ESTABLISHED callback like this
375 lws_set_extension_option(wsi, "permessage-deflate",
376 "rx_buf_size", "12"); /* 1 << 12 */
378 If the extension is not active (missing or not negotiated for the
379 connection, or extensions are disabled on the library) the call is
380 just returns -1. Otherwise the connection's extension has its
381 named option changed.
383 The extension may decide to alter or disallow the change, in the
384 example above permessage-deflate restricts the size of his rx
385 output buffer also considering the protocol's rx_buf_size member.
388 New application lwsws
389 ---------------------
391 A libwebsockets-based general webserver is built by default now, lwsws.
393 It's configured by JSON, by default in
397 which contains global lws context settings like this
410 which contains zero or more files describing vhosts, like this
414 { "name": "warmcat.com",
416 "host-ssl-key": "/etc/pki/tls/private/warmcat.com.key",
417 "host-ssl-cert": "/etc/pki/tls/certs/warmcat.com.crt",
418 "host-ssl-ca": "/etc/pki/tls/certs/warmcat.com.cer",
421 { "home": "file:///var/www/warmcat.com" },
422 { "default": "index.html" }
438 1) There is now a "permessage-deflate" / RFC7692 implementation. It's very
439 similar to "deflate-frame" we have offered for a long while; deflate-frame is
440 now provided as an alias of permessage-deflate.
442 The main differences are that the new permessage-deflate implementation:
444 - properly performs streaming respecting input and output buffer limits. The
445 old deflate-frame implementation could only work on complete deflate input
446 and produce complete inflate output for each frame. The new implementation
447 only mallocs buffers at initialization.
449 - goes around the event loop after each input package is processed allowing
450 interleaved output processing. The RX flow control api can be used to
451 force compressed input processing to match the rate of compressed output
452 processing (test--echo shows an example of how to do this).
454 - when being "deflate-frame" for compatibility he uses the same default zlib
455 settings as the old "deflate-frame", but instead of exponentially increasing
456 malloc allocations until the whole output will fit, he observes the default
457 input and output chunking buffer sizes of "permessage-deflate", that's
458 1024 in and 1024 out at a time.
460 2) deflate-stream has been disabled for many versions (for over a year) and is
461 now removed. Browsers are now standardizing on "permessage-deflate" / RFC7692
463 3) struct lws_extension is simplified, and lws extensions now have a public
464 api (their callback) for use in user code to compose extensions and options
465 the user code wants. lws_get_internal_exts() is deprecated but kept around
466 as a NOP. The changes allow one extension implementation to go by different
467 names and allows the user client code to control option offers per-ext.
469 The test client and server are updated to use the new way. If you use
470 the old way it should still work, but extensions will be disabled until you
473 Extensions are now responsible for allocating and per-instance private struct
474 at instance construction time and freeing it when the instance is destroyed.
475 Not needing to know the size means the extension's struct can be opaque
482 1) The info struct gained three new members
484 - max_http_header_data: 0 for default (1024) or set the maximum amount of known
485 http header payload that lws can deal with. Payload in unknown http
486 headers is dropped silently. If for some reason you need to send huge
487 cookies or other HTTP-level headers, you can now increase this at context-
490 - max_http_header_pool: 0 for default (16) or set the maximum amount of http
491 headers that can be tracked by lws in this context. For the server, if
492 the header pool is completely in use then accepts on the listen socket
493 are disabled until one becomes free. For the client, if you simultaneously
494 have pending connects for more than this number of client connections,
495 additional connects will fail until some of the pending connections timeout
498 - timeout_secs: 0 for default (currently 20s), or set the library's
499 network activity timeout to the given number of seconds
501 HTTP header processing in lws only exists until just after the first main
502 callback after the HTTP handshake... for ws connections that is ESTABLISHED and
503 for HTTP connections the HTTP callback.
505 So these settings are not related to the maximum number of simultaneous
506 connections, but the number of HTTP handshakes that may be expected or ongoing,
507 or have just completed, at one time. The reason it's useful is it changes the
508 memory allocation for header processing to be one-time at context creation
509 instead of every time there is a new connection, and gives you control over
512 Setting max_http_header_pool to 1 is fine it will just queue incoming
513 connections before the accept as necessary, you can still have as many
514 simultaneous post-header connections as you like. Since the http header
515 processing is completed and the allocation released after ESTABLISHED or the
516 HTTP callback, even with a pool of 1 many connections can be handled rapidly.
518 2) There is a new callback that allows the user code to get acccess to the
519 optional close code + aux data that may have been sent by the peer.
521 LWS_CALLBACK_WS_PEER_INITIATED_CLOSE:
522 The peer has sent an unsolicited Close WS packet. @in and
523 @len are the optional close code (first 2 bytes, network
524 order) and the optional additional information which is not
525 defined in the standard, and may be a string or non-human-
527 If you return 0 lws will echo the close and then close the
528 connection. If you return nonzero lws will just close the
531 As usual not handling it does the right thing, if you're not interested in it
534 The test server has "open and close" testing buttons at the bottom, if you
535 open and close that connection, on close it will send a close code 3000 decimal
536 and the string "Bye!" as the aux data.
538 The test server dumb-increment callback handles this callback reason and prints
540 lwsts[15714]: LWS_CALLBACK_WS_PEER_INITIATED_CLOSE: len 6
541 lwsts[15714]: 0: 0x0B
542 lwsts[15714]: 1: 0xB8
543 lwsts[15714]: 2: 0x42
544 lwsts[15714]: 3: 0x79
545 lwsts[15714]: 4: 0x65
546 lwsts[15714]: 5: 0x21
548 3) There is a new API to allow the user code to control the content of the
549 close frame sent when about to return nonzero from the user callback to
550 indicate the connection should close.
553 * lws_close_reason - Set reason and aux data to send with Close packet
554 * If you are going to return nonzero from the callback
555 * requesting the connection to close, you can optionally
556 * call this to set the reason the peer will be told if
559 * @wsi: The websocket connection to set the close reason on
560 * @status: A valid close status from websocket standard
561 * @buf: NULL or buffer containing up to 124 bytes of auxiliary data
562 * @len: Length of data in @buf to send
564 LWS_VISIBLE LWS_EXTERN void
565 lws_close_reason(struct lws *wsi, enum lws_close_status status,
566 unsigned char *buf, size_t len);
568 An extra button is added to the "open and close" test server page that requests
569 that the test server close the connection from his end.
571 The test server code will do so by
573 lws_close_reason(wsi, LWS_CLOSE_STATUS_GOINGAWAY,
574 (unsigned char *)"seeya", 5);
577 The browser shows the close code and reason he received
579 websocket connection CLOSED, code: 1001, reason: seeya
581 4) There's a new context creation time option flag
583 LWS_SERVER_OPTION_VALIDATE_UTF8
585 if you set it in info->options, then TEXT and CLOSE frames will get checked to
586 confirm that they contain valid UTF-8. If they don't, the connection will get
589 5) ECDH Certs are now supported. Enable the CMake option
591 cmake .. -DLWS_SSL_SERVER_WITH_ECDH_CERT=1
593 **and** the info->options flag
595 LWS_SERVER_OPTION_SSL_ECDH
597 to build in support and select it at runtime.
599 6) There's a new api lws_parse_uri() that simplifies chopping up
600 https://xxx:yyy/zzz uris into parts nicely. The test client now uses this
601 to allow proper uris as well as the old address style.
603 7) SMP support is integrated into LWS without any internal threading. It's
604 very simple to use, libwebsockets-test-server-pthread shows how to do it,
605 use -j <n> argument there to control the number of service threads up to 32.
607 Two new members are added to the info struct
609 unsigned int count_threads;
610 unsigned int fd_limit_per_thread;
612 leave them at the default 0 to get the normal singlethreaded service loop.
614 Set count_threads to n to tell lws you will have n simultaneous service threads
615 operating on the context.
617 There is still a single listen socket on one port, no matter how many
620 When a connection is made, it is accepted by the service thread with the least
621 connections active to perform load balancing.
623 The user code is responsible for spawning n threads running the service loop
624 associated to a specific tsi (Thread Service Index, 0 .. n - 1). See
625 the libwebsockets-test-server-pthread for how to do.
627 If you leave fd_limit_per_thread at 0, then the process limit of fds is shared
628 between the service threads; if you process was allowed 1024 fds overall then
629 each thread is limited to 1024 / n.
631 You can set fd_limit_per_thread to a nonzero number to control this manually, eg
632 the overall supported fd limit is less than the process allowance.
634 You can control the context basic data allocation for multithreading from Cmake
635 using -DLWS_MAX_SMP=, if not given it's set to 32. The serv_buf allocation
636 for the threads (currently 4096) is made at runtime only for active threads.
638 Because lws will limit the requested number of actual threads supported
639 according to LWS_MAX_SMP, there is an api lws_get_count_threads(context) to
640 discover how many threads were actually allowed when the context was created.
642 It's required to implement locking in the user code in the same way that
643 libwebsockets-test-server-pthread does it, for the FD locking callbacks.
645 If LWS_MAX_SMP=1, then there is no code related to pthreads compiled in the
646 library. If more than 1, a small amount of pthread mutex code is built into
651 LWS_VISIBLE struct lws *
652 lws_adopt_socket(struct lws_context *context, lws_sockfd_type accept_fd)
654 allows foreign sockets accepted by non-lws code to be adopted by lws as if they
655 had just been accepted by lws' own listen socket.
657 9) X-Real-IP: header has been added as WSI_TOKEN_HTTP_X_REAL_IP
659 10) Libuv support is added, there are new related user apis
661 typedef void (lws_uv_signal_cb_t)(uv_loop_t *l, uv_signal_t *w, int revents);
663 LWS_VISIBLE LWS_EXTERN int
664 lws_uv_sigint_cfg(struct lws_context *context, int use_uv_sigint,
665 lws_uv_signal_cb_t *cb);
667 LWS_VISIBLE LWS_EXTERN int
668 lws_uv_initloop(struct lws_context *context, uv_loop_t *loop, int tsi);
671 lws_uv_sigint_cb(uv_loop_t *loop, uv_signal_t *watcher, int revents);
681 1) LWS_SEND_BUFFER_POST_PADDING is now 0 and deprecated. You can remove it; if
682 you still use it, obviously it does nothing. Old binary code with nonzero
683 LWS_SEND_BUFFER_POST_PADDING is perfectly compatible, the old code just
684 allocated a buffer bigger than the library is going to use.
686 The example apps no longer use LWS_SEND_BUFFER_POST_PADDING.
688 The only path who made use of it was sending with LWS_WRITE_CLOSE --->
690 2) Because of lws_close_reason() formalizing handling close frames,
691 LWS_WRITE_CLOSE is removed from libwebsockets.h. It was only of use to send
692 close frames...close frame content should be managed using lws_close_reason()
695 3) We check for invalid CLOSE codes and complain about protocol violation in
696 our close code. But it changes little since we were in the middle of closing
699 4) zero-length RX frames and zero length TX frames are now allowed.
701 5) Pings and close used to be limited to 124 bytes, the correct limit is 125
702 so that is now also allowed.
704 6) LWS_PRE is provided as a synonym for LWS_SEND_BUFFER_PRE_PADDING, either is
707 7) There's generic support for RFC7462 style extension options built into the
708 library now. As a consequence, a field "options" is added to lws_extension.
709 It can be NULL if there are no options on the extension. Extension internal
710 info is part of the public abi because extensions may be implemented outside
713 8) WSI_TOKEN_PROXY enum was accidentally defined to collide with another token
714 of value 73. That's now corrected and WSI_TOKEN_PROXY moved to his own place at
717 9) With the addition of libuv support, libev is not the only event loop
718 library in town and his api names must be elaborated with _ev_
720 Callback typedef: lws_signal_cb ---> lws_ev_signal_cb_t
721 lws_sigint_cfg --> lws_ev_sigint_cfg
722 lws_initloop --> lws_ev_initloop
723 lws_sigint_cb --> lws_ev_sigint_cb
725 10) Libev support is made compatible with multithreaded service,
726 lws_ev_initloop (was lws_initloop) gets an extra argument for the
727 thread service index (use 0 if you will just have 1 service thread).
729 LWS_VISIBLE LWS_EXTERN int
730 lws_ev_initloop(struct lws_context *context, ev_loop_t *loop, int tsi);
733 (for earlier changelogs, see the tagged releases)