Robbert Haarman



muhttpd (mu HTTP deamon) is a simple but complete web server written in portable ANSI C. It supports static pages, CGI scripts, MIME type based handlers, and HTTPS. It drops privileges before accepting any connections, and it can log received requests. It has been tested on GNU/Linux, NetBSD, FreeBSD, Mac OS X, and Cygwin. It runs successfully on 32 bits and 64 bits, little endian and big endian systems.


Apart from being a useful web server, muhttpd has three major goals: it is to be

  1. simple,
  2. portable, and
  3. secure.

Simplicity is the main goal. Hopefully, it will be so simple that problems do not come up, but at least it should be simple enough that problems that do occur are easily diagnosed and remedied. Its simple code also makes muhttpd useful as an example of how one can write a simple webserver (although that is probably more true of version 1.0 and earlier than of the current incarnation), as a platform for experimentation with new features, and as a starting point for more complex software.

Another goal of muhttpd is portability. It is intended to be a simple, but basically feature-complete webserver that one can quickly deploy on any given more-or-less POSIX compliant system, be it a simple device running a custom Linux distribution or a big-iron system providing POSIX compliance as just another of its bells and whishles.

Although I am very hesitant to call any program written in C secure, security is always high on my list of priorities. So it is for muhttpd. I pay attention to security issues during development, and I regularly run Splint against the code to find and remove possible weaknesses. The .splintrc file I use specifies weak checking, plus a number of extra checks; the goal is to check everything that splint can check without having to litter the code with splint annotations. A number of possible bugs have been found and fixed already.


Latest Release

Note: If you are running a version of muhttpd earlier than 1.1.7, it is strongly recommended you upgrade to the latest version, which fixes a number of security issues.

The latest release of muhttpd is version 1.1.7, available here: muhttpd-1.1.7.tar.bz2 (19 KB).

Version 1.1.7 is a bugfix release that addresses the following issues:

  • A number of bugs in parsing and handling HTTP requests.
  • An out-of-bounds read in the configuration parser, which can be triggered with a specially crafted configuration file.
  • Added a test suite that covers some basic functionality, as well as past HTTP request handling bugs.
  • Added missing parameters to the prototype for do_request.

Version 1.1.7 also contains the fixes from version 1.1.6, which was tagged in the source code repository, but never officially released:

  • Added missing documentation for pidfile and SSL (patches by Stefan Beyer).
  • Log correct month, instead of month - 1 (patch by Stefan Beyer).
  • Removed superfluous logging from handler.c (patch by Stefan Beyer).
  • Various small improvements to the source code and portability fixes, including an implementation of clearenv.


The most up-to-date source code for muhttpd is kept in Git and can be cloned with

git clone git:// muhttpd

The code can be viewed in a Web browser at


muhttpd can be installed using the standard

make install

mantra. Various things can be set by passing arguments to configure, such as the features to compile into muhttpd, which compatibility functions (functions that muhttpd uses, but that are not provided on all systems muhttpd targets) should be compiled in, and installation directories. Please refer to the file INSTALL (included in the distribution) for details.

Once muhttpd is installed, you will want to edit the configuration file (/etc/muhttpd/muhttpd.conf by default). The various directives and their meanings are explained in the manpage, muhttpd.conf(5).

Valid XHTML 1.1! Valid CSS! Viewable with Any Browser