I’m familiar with Apache but not lighttpd, and there is very little to be found on how to set up lighttpd with SSL. I don’t have time to do a full blog post, but here is my example lighttpd.conf for those it might help. It defines two virtual hosts, both served over SSL only: the server listens on a single TLS port (585 below) and does not listen on port 80 (plain HTTP) at all.
```
#server.bind = ""   # not needed: server.port below is what keeps lighttpd off port 80 (585 is the TLS port)
server.port = 585   # THIS IS THE PORT THE SERVER IS LISTENING ON, you can change this to any available port
server.tag = "lighttpd"
fastcgi.debug = 1

server.modules = (
    "mod_access",
    "mod_alias",
    "mod_accesslog",
    "mod_compress",
    "mod_expire",
    "mod_redirect",
    "mod_rewrite",
    "mod_setenv",    # required for setenv.add-response-header below; without it the headers are never sent
    "mod_fastcgi"
    # lighttpd 1.4.46 and later also need "mod_openssl" here; earlier releases have TLS built in
)

mimetype.assign = (
    ".png"  => "image/png",
    ".jpg"  => "image/jpeg",
    ".jpeg" => "image/jpeg",
    ".html" => "text/html",
    ".htm"  => "text/html",
    ".txt"  => "text/plain"
)

# CHANGE Subdomain1 to YOUR DUCKDNS SUBDOMAIN. The regex is anchored so that a Host header that merely
# contains the name (e.g. Subdomain1.duckdns.org.example.net) does not select this vhost.
$HTTP["host"] =~ "^Subdomain1\.duckdns\.org$" {
    server.document-root = "/var/www/hal8000"
    server.errorlog = "/var/log/lighttpd/Subdomain1/error.log"
    index-file.names = ( "index.php", "index.py", "index.html", "index.htm" )
    accesslog.filename = "/var/log/lighttpd/Subdomain1/access.log"
    server.error-handler-404 = "/e404.php"
    compress.filetype = ( "text/plain", "text/html", "text/css", "text/xml", "text/x-js",
                          "text/javascript", "application/x-javascript", "application/javascript" )
}

$HTTP["host"] =~ "^Subdomain2\.duckdns\.org$" {
    server.document-root = "/var/www/smilez"
    server.errorlog = "/var/log/lighttpd/Subdomain2/error.log"
    index-file.names = ( "index.php", "index.py", "index.html", "index.htm" )
    accesslog.filename = "/var/log/lighttpd/Subdomain2/access.log"
    server.error-handler-404 = "/e404.php"
    compress.filetype = ( "text/plain", "text/html", "text/css", "text/xml", "text/x-js",
                          "text/javascript", "application/x-javascript", "application/javascript" )
}

# The tutorial wraps the TLS settings in a $SERVER["socket"] conditional so that only that socket
# speaks TLS. Here the conditional is left commented out because we want TLS all the time: there is
# only one listening port (585) and it must be TLS-only.
#$SERVER["socket"] == ":585" {
ssl.engine = "enable"
# ssl.pem is privkey.pem + cert.pem concatenated (see the Let's Encrypt steps below). This single
# certificate is served for both vhosts, so it must cover both names, or set ssl.pemfile
# per host inside each $HTTP["host"] block and let SNI pick the right one.
ssl.pemfile = "/etc/letsencrypt/live/Subdomain1.duckdns.org/ssl.pem"
ssl.ca-file = "/etc/letsencrypt/live/Subdomain1.duckdns.org/fullchain.pem"
ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
ssl.ec-curve = "secp384r1"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-compression = "disable"
setenv.add-response-header = (
    # "preload" asks browsers' preload lists to force HTTPS for the domain and every subdomain;
    # that is hard to undo, so leave it out until nothing under the domain still needs plain HTTP
    "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
)
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
#}   # end of the conditional we are not using

server.document-root = "/var/www/html"
index-file.names = ( "index.php", "index.py", "index.html", "index.htm" )
accesslog.filename = "/var/log/lighttpd/access.log"
server.errorlog = "/var/log/lighttpd/error.log"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.username = "lighttpd"
server.groupname = "lighttpd"
server.pid-file = "/var/run/lighttpd.pid"

## Deny access to the source code of these files:
static-file.exclude-extensions = ( ".php", ".pl", ".py", ".fcgi" )

## Deny access to these file extensions
url.access-deny = ( "~", ".inc" )

## Enable/Disable Directory Listings
dir-listing.encoding = "utf-8"
dir-listing.activate = "disable"
dir-listing.hide-dotfiles = "enable"

## eTags
etag.use-inode = "enable"
etag.use-mtime = "enable"
etag.use-size = "enable"
static-file.etags = "enable"

## Compress module
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "text/plain", "text/html", "text/css", "text/xml", "text/x-js",
                      "text/javascript", "application/x-javascript", "application/javascript" )

## Expire module
# anchored on the dot so only real static-asset extensions match, not any URL that happens to end in "js"
$HTTP["url"] =~ "\.(css|js|png|jpg|ico|gif)$" {
    expire.url = ( "" => "access 7 days" )
}
#expire.url = (
#    "/images/"  => "access plus 7 days",
#    "/jquery/"  => "access plus 2 weeks",
#    "/js/"      => "access plus 2 months",
#    "/misc"     => "access plus 1 days",
#    "/themes/"  => "access plus 7 days",
#    "/modules/" => "access plus 24 hours"
#)

## Enable PHP
fastcgi.server = ( ".php" => ((
    "bin-path" => "/usr/bin/php5-cgi",
    "socket"   => "/tmp/php.socket"   # a path under /var/run/lighttpd/ is preferable to world-writable /tmp
)))

## Load enabled configuration files
#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
#include_shell "/usr/local/share/lighttpd/include-sites-enabled.pl"
```
I also followed this tutorial from the Nwgat blog to set up Let’s Encrypt SSL certificates (the only one I could find that worked for me). I’m copying the steps below in case that link goes dead:
https://nwgat.ninja/setting-up-letsencrypt-with-lighttpd/
- Stop lighttpd

```shell
sudo service lighttpd stop
```

- then run the letsencrypt client

```shell
git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server \
    https://acme-v01.api.letsencrypt.org/directory auth
```

- combine files into ssl.pem

```shell
sudo su    # (login as root)
cd /etc/letsencrypt/live/yourdomain
cat privkey.pem cert.pem > ssl.pem
```

- Forward Secrecy & Diffie Hellman Ephemeral Parameters

```shell
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
```

- Copy and paste the following into /etc/lighttpd/lighttpd.conf (don't forget to change yourdomain to your domain), or you can put it into /etc/lighttpd/conf-enabled as letsencrypt.yourdomain.conf

```
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/yourdomain/ssl.pem"
    ssl.ca-file = "/etc/letsencrypt/live/yourdomain/fullchain.pem"
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
}
```

- now open the port and start lighttpd

```shell
sudo ufw allow 443
sudo service lighttpd start
```
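The `cat privkey.pem cert.pem > ssl.pem` step above is a one-off snapshot. Let's Encrypt certificates expire after 90 days, and a renewal rewrites privkey.pem and cert.pem but not the concatenated ssl.pem, so lighttpd keeps serving the old certificate until someone repeats that step by hand. The script below is an added example, not part of the original post or the Nwgat tutorial: a certbot deploy hook that rebuilds ssl.pem with the key first and the file mode locked to 0600, checks that the key and certificate actually belong together, refuses to restart on a broken config, and then restarts lighttpd. It assumes certbot (which replaced the `letsencrypt-auto` wrapper; the acme-v01 endpoint used above has since been retired) and its `RENEWED_LINEAGE` environment variable, a Debian-style `service lighttpd` command, the config at /etc/lighttpd/lighttpd.conf, and the hook path named in the comments; those paths are assumptions, not something the tutorial specifies.

```shell
#!/bin/sh
# Added example (not from the original post or the Nwgat tutorial): a certbot
# deploy hook that rebuilds lighttpd's concatenated ssl.pem after every renewal.
# Install as /etc/letsencrypt/renewal-hooks/deploy/lighttpd-ssl-pem.sh (mode 0755).
# certbot runs deploy hooks with RENEWED_LINEAGE=/etc/letsencrypt/live/<domain>.
# Assumed: Debian-style "service lighttpd" and config at /etc/lighttpd/lighttpd.conf.
set -eu

LIGHTTPD_CONF="/etc/lighttpd/lighttpd.conf"   # assumed location

# Rebuild $1/ssl.pem from privkey.pem + cert.pem (key first, as lighttpd expects).
# The file is written under umask 077 and moved into place atomically, so the
# private key is never readable by other local users and lighttpd never opens
# a half-written file. Returns 1 if either input is missing.
build_ssl_pem() {
    lineage="$1"
    [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/cert.pem" ] || return 1
    tmp="$lineage/.ssl.pem.tmp"
    (umask 077 && cat "$lineage/privkey.pem" "$lineage/cert.pem" > "$tmp")
    chmod 0600 "$tmp"
    mv -f "$tmp" "$lineage/ssl.pem"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Confirm the private key and the certificate in a combined PEM belong together;
# a mismatch means every TLS handshake fails after the restart.
# Skipped (returns 0) when openssl is not installed.
pem_key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Entry point when invoked by certbot; does nothing when merely sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_ssl_pem "$RENEWED_LINEAGE"
    pem_key_matches_cert "$RENEWED_LINEAGE/ssl.pem"
    lighttpd -t -f "$LIGHTTPD_CONF"    # syntax check: refuse to restart on a broken config
    # lighttpd 1.4 re-reads ssl.pemfile only on a restart (SIGHUP just reopens the logs)
    service lighttpd restart
fi
```

Because `set -e` is in force, any failing step (missing input file, key/certificate mismatch, config syntax error) makes the hook exit non-zero, and certbot reports the failed hook instead of leaving lighttpd silently serving a stale certificate.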