Bug #2806

1.4.45 : 404 on local redirection from CGI script, regardless of cgi.local_redir setting

Added by DavidAnderson684 5 months ago. Updated 5 months ago.

Situation: lighttpd 1.4.45, running WordPress at /mysite and WooCommerce, via PHP running via CGI.

On WooCommerce's password resets, it runs code which ultimately results in an output header:

Location: /mysite/my-account/lost-shop-password/?reset-lost-password=true

This results in lighttpd returning its standard 404 output.

Entering directly into my browser works.

Googling indicated that possibly the cgi.local-redir setting in lighttpd is relevant. I set it to both "enable" and "disable", and restarted the server. There was no difference in the outcome.

Looking in the lighttpd bug tracker indicates issues with this in the past, related to url.rewrite-once settings.

The site has this in its configuration:

url.rewrite-once += (
   "^/mysite/(wp-.+).*/?" => "$0",
   "^/mysite/sitemap.xml(.gz)?" => "$0",
   "^/mysite/xmlrpc.php(\?.*)?" => "$0",
   "^/mysite/keyword/([A-Za-z_0-9\-]+)/?$" => "/mysite/index.php?keyword=$1",
   "^/mysite/.*?(\?.*)?$" => "/mysite/index.php$1"
)

It has another url.rewrite-once fragment (hence the plus, above), but that's prefixed with a different directory, so presumably not relevant.


#1 Updated by gstrauss 5 months ago

  • Status changed from New to Fixed
  • Target version changed from 1.4.x to 1.4.46

cgi.local-redir is documented as being available since lighttpd 1.4.46 (not yet released)

See GetLighttpd and InstallFromSource if you would like to test with cgi.local-redir.

#2 Updated by DavidAnderson684 5 months ago


Thank you. I don't want to waste your time, but I don't fully understand what I've read about cgi.local-redir being off by default. On my reading of the CGI spec (incredibly brief!), lighttpd is non-compliant, because local Location: results should be handled internally by the server. Moreover, this always used to work in previous lighttpd versions (at least, the application I'm using did, and I've verified that it has not changed in the header it is outputting).

So, cgi.local-redir seems like an "unbreak me and return me to my previous working state" option... what is it that leads to it being turned off by default, given that it restores previous/working behaviour?


#3 Updated by gstrauss 5 months ago

Behavior prior to lighttpd 1.4.40 was to send the Location header back to the client, even if just a URL-path, and then the client would issue a new request. Having cgi.local-redir off by default returns lighttpd to the pre-lighttpd 1.4.40 behavior, unless the admin opts in to the behavior. Adding the configuration directive also provides a config switch to disable the behavior if it does not work as intended or expected.

Hopefully the next version of lighttpd with cgi.local-redir will fix this issue for you.
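
As an added illustration of the distinction discussed in this thread (not lighttpd's code and not part of any comment), this Python sketch classifies CGI output by the RFC 3875 section 6.2 response types and models an on/off switch for handling local redirects internally. Function names and sample outputs are constructed; passing a local path that arrives with other headers on to the client is an assumption of the sketch.

```python
# Added example (not lighttpd source): classify CGI output by the response
# types of RFC 3875 section 6.2 and model an on/off local-redirect switch.
from urllib.parse import urlsplit

def parse_cgi(raw: bytes):
    """Return ({lowercased header name: value}, body) from raw CGI output."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    fields = {}
    for line in head.decode("latin-1").split("\n"):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields[name.strip().lower()] = value.strip()
    return fields, body

def classify(raw: bytes) -> str:
    """Name the RFC 3875 response type, or 'nonconforming' if none fits."""
    fields, body = parse_cgi(raw)
    location = fields.get("location")
    if location is None:
        return "document" if "content-type" in fields else "nonconforming"
    parts = urlsplit(location)
    if parts.scheme:  # absolute URI: the client must follow it
        with_doc = "status" in fields and "content-type" in fields
        return "client-redirect-with-document" if with_doc else "client-redirect"
    # A local redirect is an absolute path, no host, and nothing else at all.
    is_path = location.startswith("/") and not parts.netloc
    if is_path and len(fields) == 1 and not body:
        return "local-redirect"
    return "nonconforming"

def handle(raw: bytes, local_redir: bool):
    """Return ('internal', path) or ('client', location-or-None)."""
    fields, _ = parse_cgi(raw)
    if local_redir and classify(raw) == "local-redirect":
        return ("internal", fields["location"])  # server re-runs the request
    # Assumption of this sketch: everything else goes to the client unchanged.
    return ("client", fields.get("location"))

# Constructed sample outputs; the first path is the one quoted in the report.
LOCAL = b"Location: /mysite/my-account/lost-shop-password/?reset-lost-password=true\n\n"
WITH_STATUS = b"Status: 302 Found\r\nLocation: /mysite/\r\nContent-Type: text/html\r\n\r\n"
ABSOLUTE = b"Location: https://example.test/mysite/\n\n"
NETWORK_PATH = b"Location: //example.test/mysite/\n\n"

if __name__ == "__main__":
    for sample in (LOCAL, WITH_STATUS, ABSOLUTE, NETWORK_PATH):
        print(classify(sample), handle(sample, True), handle(sample, False))
```

A path that the server re-runs internally passes through request handling again, so rewrite rules such as the url.rewrite-once block in the report apply to it a second time.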
