Lighttpd

This is intentional behavior in lighttpd to address CVE-2015-3200 (see lighttpd bug #2646)
Anything which is non-printable ASCII is encoded for logging. This has been the behavior in lighttpd since lighttpd 1.4.36, released in July 2015.

The feature request you are making is over 9 years after CVE-2015-3200. As this is not a frequent request, this does not feel like something which is an impediment to too many other people. Those affected can redirect their error logging to a local log rather than sending the log over the FastCGI error stream. After all, an application log is an application log and belongs in the specific PHP application log for that specific PHP application more than the trace belongs in the lighttpd error log.

Error logs may contain user-supplied data and that data might be malicious. It is unlikely that the average PHP developer is going to safely encode all strings passed to PHP error_log(). Therefore, lighttpd must do some encoding to the string before writing the string to the lighttpd error log. Validating whether or not the string is proper UTF-8 (and not invalid UTF-8) would be additional CPU work versus the current behavior of encoding all non-printable ASCII (which includes multi-byte UTF-8 sequences with the high bit set on each byte).

When ASCII is expected, seeing the encodings in the log may be indicative of someone trying to use UTF-8 characters which "look like" ASCII characters to try a phishing attack on someone else. However, for those whose languages are largely multi-byte UTF-8, different behavior might be desirable for the error log. As above, an existing workaround is to write such logs to a PHP application-specific log, encoding the logs as you see fit.

Maybe there should be an option to prevent escaping of regular (printable) UTF-8 characters.

That sounds more like a feature request than a bug, yet you filed this issue incorrectly as a bug. (I changed it to a Feature request.)

The code in question can be found in src/buffer.c:buffer_append_string_c_escaped()

I'll think about this feature request. Please keep in mind that lighttpd is written in C, and C that is tuned for performance. lighttpd is much, much faster than PHP.

Or an option to disable escaping completely.

No. See CVE-2015-3200. There are similar CVEs for other web server and network daemons where malicious actors could potentially initiate attacks through unescaped logs.

I have created an option to enable UTF-8 without C-escaping in the error log. However, there are some security caveats and this will not be the default behavior.

To use this feature, it will need to be enabled in lighttpd.conf:
server.feature-flags += ("server.errorlog-utf8" => "enable")

Please read the details in the commit message, which will be linked below when the commit reaches the lighttpd git master branch.

Applied in changeset 41db27ed3d75ecbcde01fa2f5919875db8ee7d82.