Categories: Web Development

Raspberry Pi and Lighttpd

I’m familiar with Apache but not lighttpd. There is very little I could find on how to set up lighttpd with SSL. I don’t have time to do a full blog post, but here’s my example lighttpd.conf file for those of you it might help. It defines two name-based virtual hosts, both served over TLS on a single port (585); nothing listens on port 80 (plain HTTP) at all.

#server.bind = ""                 # bind to all addresses (commented out = the default)
# Nothing listens on port 80 (plain HTTP): the only listener is the TLS port below.
server.port = 585                 # THE PORT THE SERVER LISTENS ON; change it to any free port.
                                  # (Only a host reachable on 443 can ever be HSTS-preloaded, see below.)
server.tag = "lighttpd"           # bare Server: header, no version string
fastcgi.debug = 1                 # verbose FastCGI logging; set to 0 once PHP works
server.modules = (
        "mod_access",
        "mod_alias",
        "mod_accesslog",
        "mod_compress",
        "mod_expire",
        "mod_redirect",
        "mod_rewrite",
        "mod_setenv",             # REQUIRED for setenv.add-response-header below: without it
                                  # lighttpd logs "unknown config-key ... (ignored)" and the
                                  # security headers are silently never sent
#       "mod_openssl",            # lighttpd 1.4.46 and later ship TLS as a module; uncomment there
        "mod_fastcgi"
)

# .css and .js must be mapped explicitly: with X-Content-Type-Options: nosniff (set below)
# browsers refuse to apply a stylesheet or run a script that is not served as text/css or
# a JavaScript type, so with only the original five entries every page would render unstyled.
mimetype.assign   = ( ".png"  => "image/png",
                      ".jpg"  => "image/jpeg",
                      ".jpeg" => "image/jpeg",
                      ".html" => "text/html",
                      ".htm"  => "text/html",
                      ".css"  => "text/css",
                      ".js"   => "application/javascript",
                      ".txt"  => "text/plain" )

# Regex match (=~) rather than ==: on a non-default port the Host header carries the ":585"
# suffix, so an exact comparison against the bare name would never match.
# The per-host log directories must exist and be writable by server.username.
$HTTP["host"] =~ "Subdomain1\.duckdns\.org" { # CHANGE Subdomain1 TO YOUR DUCKDNS SUBDOMAIN

server.document-root = "/var/www/hal8000"
server.errorlog = "/var/log/lighttpd/Subdomain1/error.log"
index-file.names = ( "index.php", "index.py", "index.html", "index.htm" )
accesslog.filename = "/var/log/lighttpd/Subdomain1/access.log"
server.error-handler-404 = "/e404.php"

compress.filetype = ( "text/plain", "text/html", "text/css", "text/xml", "text/x-js", "text/javascript", "application/x-javascript", "application/javascript" )
}

$HTTP["host"] =~ "Subdomain2\.duckdns\.org" { # CHANGE Subdomain2 TO YOUR SECOND DUCKDNS SUBDOMAIN

server.document-root = "/var/www/smilez"
server.errorlog = "/var/log/lighttpd/Subdomain2/error.log"
index-file.names = ( "index.php", "index.py", "index.html", "index.htm" )
accesslog.filename = "/var/log/lighttpd/Subdomain2/access.log"
server.error-handler-404 = "/e404.php"

compress.filetype = ( "text/plain", "text/html", "text/css", "text/xml", "text/x-js", "text/javascript", "application/x-javascript", "application/javascript" )
}
# TLS is enabled globally. Because server.port (585) is the only listener, every connection is
# TLS; wrap these lines in a $SERVER["socket"] == ":585" { ... } conditional only if you also
# add a plain-text listener on another port.
#$SERVER["socket"] == ":585" {

ssl.engine                  = "enable"
# ssl.pem is privkey.pem + cert.pem concatenated (see the Let's Encrypt steps below). Keep it
# root-owned and mode 0600: lighttpd reads it at startup, before dropping to server.username.
ssl.pemfile                 = "/etc/letsencrypt/live/Subdomain1.duckdns.org/ssl.pem"
# On lighttpd before 1.4.56, ssl.ca-file is how the intermediate chain is sent to clients.
# On 1.4.56 and later, point ssl.pemfile at fullchain.pem (and ssl.privkey at privkey.pem) instead.
ssl.ca-file                 = "/etc/letsencrypt/live/Subdomain1.duckdns.org/fullchain.pem"
# Only one certificate is configured, so it must cover both virtual hosts (a SAN certificate
# for both names). Otherwise set ssl.pemfile per host inside each $HTTP["host"] block (SNI).
ssl.dh-file                 = "/etc/ssl/certs/dhparam.pem"
ssl.ec-curve                = "secp384r1"
ssl.honor-cipher-order      = "enable"
# ECDHE/DHE with AES-GCM first, AES-256-CBC as fallback, no static RSA key exchange:
# every suite here offers forward secrecy.
ssl.cipher-list             = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-compression         = "disable"   # TLS compression enables the CRIME attack
# Needs mod_setenv in server.modules. HSTS max-age is two years; "preload" only makes sense if
# the host is also reachable on 443, which the preload list requires and this config does not do.
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
)
# Disabling SSLv2/SSLv3 still leaves TLS 1.0 and 1.1 enabled. lighttpd 1.4.48 and later can
# raise the floor instead:
#ssl.openssl.ssl-conf-cmd = ( "MinProtocol" => "TLSv1.2" )
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
#} # end of the conditional we are not using



server.document-root = "/var/www/html"
index-file.names = ( "index.php", "index.py", "index.html", "index.htm" )

accesslog.filename = "/var/log/lighttpd/access.log"
server.errorlog = "/var/log/lighttpd/error.log"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )

server.username = "lighttpd"
server.groupname = "lighttpd"
server.pid-file = "/var/run/lighttpd.pid"

## Deny access to the source code of these files:
static-file.exclude-extensions = ( ".php", ".pl", ".py", ".fcgi" )

## Deny access the file-extensions
url.access-deny = ( "~", ".inc" )

## Enable/Disable Directory Listings
dir-listing.encoding = "utf-8"
dir-listing.activate = "disable"
dir-listing.hide-dotfiles = "enable"

## eTags
etag.use-inode = "enable"
etag.use-mtime = "enable"
etag.use-size = "enable"
static-file.etags = "enable"

## Compress module
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "text/plain", "text/html", "text/css", "text/xml", "text/x-js", "text/javascript", "application/x-javascript", "application/javascript" )

## Expire headers for static assets
# Anchored on the dot so only file extensions match, not any URL that happens to end in these letters.
$HTTP["url"] =~ "\.(css|js|png|jpg|ico|gif)$" {
        expire.url = ( "" => "access 7 days" )
}
#expire.url = (
#       "/images/" => "access plus 7 days",
#       "/jquery/" => "access plus 2 weeks",
#       "/js/" => "access plus 2 months",
#       "/misc" => "access plus 1 days",
#       "/themes/" => "access plus 7 days",
#       "/modules/" => "access plus 24 hours"
#)

## Enable PHP
# php5-cgi is the Raspbian jessie-era binary; on newer releases it is /usr/bin/php-cgi (or use php-fpm).
# The socket lives in /tmp here; Debian's packaged config uses /var/run/lighttpd/php.socket,
# a directory not shared with every local user.
fastcgi.server = ( ".php" => ((
        "bin-path" => "/usr/bin/php5-cgi",
        "socket" => "/tmp/php.socket"
)))

## Load enabled configuration files
#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
#include_shell "/usr/local/share/lighttpd/include-sites-enabled.pl"
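The config above makes several claims about the running server (no plain-HTTP listener, SSLv3 off, a complete certificate chain, three security headers added by mod_setenv) that are easy to get silently wrong. The following script is an added example, not part of the original post: it checks each of those against a live host. HOST and PORT are passed on the command line (the post's layout is a duckdns name on 585, which is assumed as the default port); the header checks also work on a saved response piped in on stdin, and they need no network at all.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a lighttpd host built
# from the config above really behaves as the config intends.
# Needs curl and openssl for the live probes in probe(); the header functions
# read response headers on stdin and can be used offline.
set -eu

# has_header NAME: succeed if the response headers on stdin contain NAME
# (case-insensitive, as HTTP header names are).
has_header() {
    tr -d '\r' | grep -qi "^$1:"
}

# hsts_max_age: print the max-age from Strict-Transport-Security, or nothing.
hsts_max_age() {
    tr -d '\r' | grep -i '^Strict-Transport-Security:' | sed -n 's/.*max-age=\([0-9]*\).*/\1/p'
}

# check_security_headers: reads response headers on stdin and reports each of
# the three headers the config adds via mod_setenv. Returns non-zero if any is
# missing, which is exactly what happens when mod_setenv is not loaded.
check_security_headers() {
    input=$(cat)
    missing=0
    for h in Strict-Transport-Security X-Frame-Options X-Content-Type-Options; do
        if printf '%s\n' "$input" | has_header "$h"; then
            echo "ok       $h"
        else
            echo "MISSING  $h"
            missing=1
        fi
    done
    return "$missing"
}

# probe HOST PORT: live checks against the running server.
probe() {
    host=$1; port=$2
    # 1. Plain HTTP must not answer at all (server.port is the only listener).
    if curl -s -m 5 -o /dev/null "http://$host/"; then
        echo "FAIL     port 80 answered; only $port should be open"
    else
        echo "ok       port 80 closed"
    fi
    # 2. The chain the server sends must verify against the system CA store.
    #    A missing intermediate (wrong ssl.ca-file) fails here but can look
    #    fine in a browser that has already cached the intermediate.
    if openssl s_client -connect "$host:$port" -servername "$host" \
            -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "ok       certificate chain verifies"
    else
        echo "FAIL     certificate chain does not verify"
    fi
    # 3. Protocol a default client negotiates. ssl.use-sslv3 = "disable" still
    #    allows TLS 1.0/1.1; anything below TLSv1.2 here deserves attention.
    proto=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
            | sed -n 's/^ *Protocol *: *//p')
    echo "info     negotiated ${proto:-unknown}"
    # 4. The headers mod_setenv is supposed to add.
    curl -sI -m 5 "https://$host:$port/" | check_security_headers
}

if [ "$#" -ge 1 ]; then probe "$1" "${2:-585}"; fi
```

Run it as `sh check-lighttpd.sh Subdomain1.duckdns.org 585` after starting the server; a non-zero exit means at least one of the headers is missing, and the other findings are printed as FAIL lines.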

I also followed this tutorial from the Nwgat blog to set up Let's Encrypt SSL certificates (the only one I could find that worked for me). I’m copying the steps below in case that link goes dead:

https://nwgat.ninja/setting-up-letsencrypt-with-lighttpd/

  1. Stop lighttpd:

        sudo service lighttpd stop

  2. Then run the letsencrypt client:

        git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
        ./letsencrypt-auto --agree-dev-preview --server \
          https://acme-v01.api.letsencrypt.org/directory auth

  3. Combine the files into ssl.pem:

        sudo su    # login as root
        cd /etc/letsencrypt/live/yourdomain
        cat privkey.pem cert.pem > ssl.pem

  4. Forward Secrecy & Diffie Hellman Ephemeral Parameters:

        cd /etc/ssl/certs
        openssl dhparam -out dhparam.pem 4096

  5. Copy and paste the following into /etc/lighttpd/lighttpd.conf (don't forget to change yourdomain to your domain), or put it into /etc/lighttpd/conf-enabled as letsencrypt.yourdomain.conf:

        $SERVER["socket"] == ":443" {
            ssl.engine                  = "enable"
            ssl.pemfile                 = "/etc/letsencrypt/live/yourdomain/ssl.pem"
            ssl.ca-file                 = "/etc/letsencrypt/live/yourdomain/fullchain.pem"
            ssl.dh-file                 = "/etc/ssl/certs/dhparam.pem"
            ssl.ec-curve                = "secp384r1"
            ssl.honor-cipher-order      = "enable"
            ssl.cipher-list             = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
            ssl.use-compression         = "disable"
            setenv.add-response-header = (
                "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
                "X-Frame-Options" => "DENY",
                "X-Content-Type-Options" => "nosniff"
            )
            ssl.use-sslv2 = "disable"
            ssl.use-sslv3 = "disable"
        }

  6. Now open the port and start lighttpd:

        sudo ufw allow 443
        sudo service lighttpd start
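The steps above leave out two things a practitioner will want. First, `cat privkey.pem cert.pem > ssl.pem` run as root under the default umask 022 creates a world-readable file that contains the private key. Second, nothing checks the config before the server is brought back up. The script below is an added example, not from the original post or the Nwgat tutorial it copies: it runs the same sequence with those gaps closed. The letsencrypt-auto client and the acme-v01 endpoint used in the tutorial have since been retired, so the script assumes certbot is installed; the domain and the e-mail address for the ACME account are passed on the command line, and the paths (/etc/letsencrypt/live/<domain>/, /etc/ssl/certs/dhparam.pem, /etc/lighttpd/lighttpd.conf) follow the post.

```shell
#!/bin/sh
# Added example, not from the original post or the Nwgat tutorial: the
# Let's Encrypt deployment steps with a 0600 key+cert bundle, a sanity check
# on the bundle, one-time DH parameter generation and a config syntax check
# before lighttpd is started again. Assumed paths follow the post.
set -eu

# make_ssl_pem LIVE_DIR OUT: privkey.pem followed by cert.pem, created under
# umask 077 so the file is never world-readable, not even briefly.
make_ssl_pem() {
    live_dir=$1; out=$2
    if [ ! -r "$live_dir/privkey.pem" ] || [ ! -r "$live_dir/cert.pem" ]; then
        echo "make_ssl_pem: privkey.pem or cert.pem missing in $live_dir" >&2
        return 1
    fi
    ( umask 077; cat "$live_dir/privkey.pem" "$live_dir/cert.pem" > "$out" )
    chmod 0600 "$out"
}

# pem_has_key_and_cert FILE: the bundle must contain both a private key and
# at least one certificate, otherwise lighttpd fails to start.
pem_has_key_and_cert() {
    grep -q 'BEGIN .*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# file_mode FILE: octal permission bits (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# make_dhparam OUT [BITS]: generate once. 4096 bits as in the tutorial takes
# a very long time on a Pi; 2048 is the usual choice.
make_dhparam() {
    out=$1; bits=${2:-2048}
    [ -s "$out" ] || openssl dhparam -out "$out" "$bits"
}

# obtain_cert DOMAIN EMAIL: certbot replaces letsencrypt-auto (ACME v1 is gone).
# The standalone http-01 challenge needs port 80 reachable from the Internet
# while this runs, even though lighttpd itself never listens there.
obtain_cert() {
    certbot certonly --standalone -n --agree-tos -m "$2" -d "$1"
}

# deploy DOMAIN EMAIL: the tutorial's sequence with the checks inserted.
deploy() {
    domain=$1; email=$2
    live="/etc/letsencrypt/live/$domain"
    service lighttpd stop
    obtain_cert "$domain" "$email"
    make_ssl_pem "$live" "$live/ssl.pem"
    pem_has_key_and_cert "$live/ssl.pem"
    make_dhparam /etc/ssl/certs/dhparam.pem 2048
    lighttpd -t -f /etc/lighttpd/lighttpd.conf   # syntax check; aborts before start on a broken config
    service lighttpd start
}

if [ "$#" -eq 2 ]; then deploy "$1" "$2"; fi
```

Run it as `sudo sh deploy-cert.sh Subdomain1.duckdns.org you@example.com`. Certificate renewal (`certbot renew`) replaces cert.pem and privkey.pem but not the concatenated ssl.pem lighttpd reads, so rerun `make_ssl_pem` from a certbot `--deploy-hook` and restart lighttpd there.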

Charlie
