Categories: Web Development

Raspberry Pi and Lighttpd

I’m familiar with Apache but not lighttpd, and I could find very little on how to set up lighttpd with SSL. I don’t have time to do a full blog post, but here is my example lighttpd.conf for anyone it might help. It serves two virtual hosts, both over SSL, and does not listen on port 80 (plain HTTP) at all. Because it listens on a non-standard port, clients have to include that port in the URL (https://Subdomain1.duckdns.org:585/). Note also that the combined ssl.pem referenced below contains the private key, so keep it owned by root with mode 600.

#server.bind = ""
# Listen only on port 585 (SSL is enabled for it below); nothing listens on port 80.
server.port = 585 # THIS IS THE PORT THE SERVER IS LISTENING ON; you can change it to any available port
server.tag = "lighttpd"
fastcgi.debug = 1
server.modules = (
        "mod_access",
        "mod_alias",
        "mod_accesslog",
        "mod_compress",
        "mod_expire",
        "mod_redirect",
        "mod_rewrite",
        "mod_setenv",   # needed for setenv.add-response-header below; without it the security headers are never sent
        "mod_fastcgi"
)

mimetype.assign   = ( ".png"  => "image/png",
                      ".jpg"  => "image/jpeg",
                      ".jpeg" => "image/jpeg",
                      ".html" => "text/html",
                      ".htm"  => "text/html",
                      ".txt"  => "text/plain" )

$HTTP["host"] =~ "Subdomain1\.duckdns\.org" { # CHANGE Subdomain1 to YOUR DUCKDNS SUBDOMAIN

server.document-root = "/var/www/hal8000"
server.errorlog = "/var/log/lighttpd/Subdomain1/error.log"
index-file.names = ( "index.php", "index.py", "index.html", "index.htm" )
accesslog.filename = "/var/log/lighttpd/Subdomain1/access.log"
server.error-handler-404 = "/e404.php"

compress.filetype = ( "text/plain", "text/html", "text/css", "text/xml", "text/x-js", "text/javascript", "application/x-javascript", "application/javascript" )
}

$HTTP["host"] =~ "Subdomain2\.duckdns\.org" {

server.document-root = "/var/www/smilez"
server.errorlog = "/var/log/lighttpd/Subdomain2/error.log"
index-file.names = ( "index.php", "index.py", "index.html", "index.htm" )
accesslog.filename = "/var/log/lighttpd/Subdomain2/access.log"
server.error-handler-404 = "/e404.php"

compress.filetype = ( "text/plain", "text/html", "text/css", "text/xml", "text/x-js", "text/javascript", "application/x-javascript", "application/javascript" )
}
# You would uncomment this conditional (and its closing brace below) if you only wanted SSL
# on the :585 socket. We want SSL all the time, so the ssl.* settings apply globally.
#$SERVER["socket"] == ":585" {

     # ssl.pem is privkey.pem + cert.pem combined (see the Let's Encrypt steps below);
     # it contains the private key, so keep it root-owned with mode 600.
     ssl.engine                 = "enable"
     ssl.pemfile                = "/etc/letsencrypt/live/Subdomain1.duckdns.org/ssl.pem"
     ssl.ca-file                = "/etc/letsencrypt/live/Subdomain1.duckdns.org/fullchain.pem"
     ssl.dh-file                = "/etc/ssl/certs/dhparam.pem"
     ssl.ec-curve               = "secp384r1"
     ssl.honor-cipher-order     = "enable"
     ssl.cipher-list            = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
     ssl.use-compression        = "disable"
     setenv.add-response-header = (
         "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
         "X-Frame-Options"           => "DENY",
         "X-Content-Type-Options"    => "nosniff"
     )
     ssl.use-sslv2              = "disable"
     ssl.use-sslv3              = "disable"
#} # end of the conditional we are not using



server.document-root = "/var/www/html"
index-file.names = ( "index.php", "index.py", "index.html", "index.htm" )

accesslog.filename = "/var/log/lighttpd/access.log"
server.errorlog = "/var/log/lighttpd/error.log"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )

server.username = "lighttpd"
server.groupname = "lighttpd"
server.pid-file = "/var/run/lighttpd.pid"

## Deny access to the source code of these files:
static-file.exclude-extensions = ( ".php", ".pl", ".py", ".fcgi" )

## Deny access the file-extensions
url.access-deny = ( "~", ".inc" )

## Enable/Disable Directory Listings
dir-listing.encoding = "utf-8"
dir-listing.activate = "disable"
dir-listing.hide-dotfiles = "enable"

## eTags
etag.use-inode = "enable"
etag.use-mtime = "enable"
etag.use-size = "enable"
static-file.etags = "enable"

## Compress module
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "text/plain", "text/html", "text/css", "text/xml", "text/x-js", "text/javascript", "application/x-javascript", "application/javascript" )

## Expire Models
$HTTP["url"] =~ "(css|js|png|jpg|ico|gif)$" {
        expire.url = ( "" => "access 7 days" )
}
#expire.url = (
#       "/images/" => "access plus 7 days",
#       "/jquery/" => "access plus 2 weeks",
#       "/js/" => "access plus 2 months",
#       "/misc" => "access plus 1 days",
#       "/themes/" => "access plus 7 days",
#       "/modules/" => "access plus 24 hours"
#)

## Enable PHP
fastcgi.server = ( ".php" => ((
        "bin-path" => "/usr/bin/php5-cgi",
        "socket" => "/tmp/php.socket"
)))

## Load enabled configuration files
#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
#include_shell "/usr/local/share/lighttpd/include-sites-enabled.pl"
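One thing that bites with a hand-written lighttpd.conf like the one above is a directive whose module is not listed in server.modules: setenv.add-response-header without mod_setenv, for instance, means the HSTS, X-Frame-Options and X-Content-Type-Options headers are silently never sent. The following shell lint is an added example written for this post, not code from the original or from the lighttpd project; the function name, the prefix-to-module table and the embedded sample config are my own, and the sample is constructed to reproduce that exact mistake.

```shell
#!/bin/sh
# lint_lighttpd_modules CONF
# For each directive family used in CONF, check that the module providing it
# is listed in server.modules. Prints the missing module names, one per line,
# and returns 1 if any are missing, 0 otherwise.
lint_lighttpd_modules() {
    conf="$1"
    # Drop comments first so commented-out directives and modules do not count
    # (simplification: a "#" inside a quoted value would also be stripped).
    stripped=$(sed 's/#.*$//' "$conf")
    rc=0
    # directive-prefix:module pairs (assumed table; mod_indexfile, mod_dirlisting
    # and mod_staticfile are loaded automatically and are not checked).
    for pair in \
        setenv.:mod_setenv expire.:mod_expire compress.:mod_compress \
        fastcgi.:mod_fastcgi accesslog.:mod_accesslog alias.:mod_alias \
        url.access-deny:mod_access url.redirect:mod_redirect url.rewrite:mod_rewrite
    do
        prefix=${pair%%:*}
        mod=${pair#*:}
        # Escape the dots so grep matches them literally.
        pat=$(printf '%s' "$prefix" | sed 's/\./\\./g')
        if printf '%s\n' "$stripped" | grep -q "^[[:space:]]*$pat"; then
            if ! printf '%s\n' "$stripped" | grep -q "\"$mod\""; then
                echo "$mod"
                rc=1
            fi
        fi
    done
    return $rc
}

# write_sample_conf FILE
# Constructed sample resembling the post's config: it uses setenv.* and
# expire.* directives but loads only mod_expire (plus unrelated modules).
write_sample_conf() {
    cat > "$1" <<'EOF'
server.port = 585
server.modules = (
        "mod_access",
        "mod_expire",
        "mod_fastcgi"
)
$HTTP["url"] =~ "(css|js)$" {
        expire.url = ( "" => "access 7 days" )
}
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload"
)
fastcgi.server = ( ".php" => (( "bin-path" => "/usr/bin/php5-cgi", "socket" => "/tmp/php.socket" )))
# accesslog.filename = "/var/log/lighttpd/access.log"   (commented out, so it must not count)
EOF
}

# Usage: lint_lighttpd_modules /etc/lighttpd/lighttpd.conf
# On the constructed sample this prints "mod_setenv" and exits 1.
```

Run it against your real file before `lighttpd -t -f /etc/lighttpd/lighttpd.conf`, which only tells you the syntax parses. On lighttpd 1.4.46 and newer the ssl.* directives additionally need "mod_openssl" in server.modules, which this table does not cover because the post's build predates that split.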

I also followed this tutorial from the Nwgat blog to set up Let's Encrypt SSL certificates (the only one I could find that worked for me). I’m copying the steps below in case that link goes dead:

https://nwgat.ninja/setting-up-letsencrypt-with-lighttpd/

  1. Stop lighttpd:

         sudo service lighttpd stop

  2. Then run the letsencrypt client:

         git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
         ./letsencrypt-auto --agree-dev-preview --server \
           https://acme-v01.api.letsencrypt.org/directory auth

  3. Combine the files into ssl.pem:

         sudo su (login as root)
         cd /etc/letsencrypt/live/yourdomain
         cat privkey.pem cert.pem > ssl.pem

  4. Forward secrecy and Diffie-Hellman ephemeral parameters:

         cd /etc/ssl/certs
         openssl dhparam -out dhparam.pem 4096

  5. Copy and paste the following into /etc/lighttpd/lighttpd.conf (don't forget to change yourdomain to your domain),
     or put it into /etc/lighttpd/conf-enabled as letsencrypt.yourdomain.conf:

         $SERVER["socket"] == ":443" {
              ssl.engine                 = "enable"
              ssl.pemfile                = "/etc/letsencrypt/live/yourdomain/ssl.pem"
              ssl.ca-file                = "/etc/letsencrypt/live/yourdomain/fullchain.pem"
              ssl.dh-file                = "/etc/ssl/certs/dhparam.pem"
              ssl.ec-curve               = "secp384r1"
              ssl.honor-cipher-order     = "enable"
              ssl.cipher-list            = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
              ssl.use-compression        = "disable"
              setenv.add-response-header = (
                  "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
                  "X-Frame-Options"           => "DENY",
                  "X-Content-Type-Options"    => "nosniff"
              )
              ssl.use-sslv2              = "disable"
              ssl.use-sslv3              = "disable"
         }

  6. Now open the port and start lighttpd:

         sudo ufw allow 443
         sudo service lighttpd start
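Two things the steps above leave to the reader: the `cat privkey.pem cert.pem > ssl.pem` step has to be repeated every time the 90-day certificate renews, and a `cat` run without a restrictive umask leaves the private key world-readable. The script below is an added example written for this post, not from the original tutorial, the Nwgat blog or the lighttpd project. It rebuilds ssl.pem atomically with mode 600, checks that the key and certificate actually belong together, and only restarts lighttpd if the config still parses. The function names, the path arguments and the fake PEM contents used in testing are my own assumptions; the `acme-v01` endpoint and `letsencrypt-auto` client used in the steps have since been retired, and with the current client (certbot) this script works as a `--deploy-hook`.

```shell
#!/bin/sh
# Rebuild lighttpd's combined ssl.pem from a Let's Encrypt live directory,
# keep it readable by root only, and restart lighttpd only if the config
# still parses. Example code; paths and function names are assumptions.

# build_ssl_pem LIVE_DIR OUT
# Writes privkey.pem followed by cert.pem to OUT. The temp file is created
# under umask 077 so the key is never world-readable, then moved into place
# atomically so lighttpd never sees a half-written file.
build_ssl_pem() {
    live="$1"; out="$2"
    [ -r "$live/privkey.pem" ] && [ -r "$live/cert.pem" ] || return 1
    (
        umask 077
        cat "$live/privkey.pem" "$live/cert.pem" > "$out.tmp"
    ) || return 1
    chmod 600 "$out.tmp" && mv "$out.tmp" "$out"
}

# pem_is_private PEM
# True only if the file's mode is exactly 600 (owner read/write, nothing else).
pem_is_private() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# key_matches_cert PEM
# Confirms the private key and the certificate in PEM belong together by
# comparing the public key derived from each. Returns 2 if openssl is absent,
# 1 on mismatch or unparsable input, 0 on success.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# deploy LIVE_DIR OUT
# Entry point, run as root (e.g. from a certbot --deploy-hook).
deploy() {
    build_ssl_pem "$1" "$2" || { echo "could not build $2" >&2; return 1; }
    pem_is_private "$2" || { echo "$2 is not mode 600" >&2; return 1; }
    key_matches_cert "$2"
    case $? in
        1) echo "private key and certificate in $2 do not match" >&2; return 1 ;;
        2) echo "openssl not found, skipping key/cert check" >&2 ;;
    esac
    if command -v lighttpd >/dev/null 2>&1; then
        # -t parses the config and exits; a broken config must not take the server down.
        lighttpd -t -f /etc/lighttpd/lighttpd.conf || return 1
        service lighttpd restart
    fi
}

# Usage (as root):
#   sh deploy-ssl-pem.sh --run /etc/letsencrypt/live/yourdomain /etc/letsencrypt/live/yourdomain/ssl.pem
if [ "${1:-}" = "--run" ]; then
    deploy "$2" "$3"
fi
```

With certbot, `certbot certonly --standalone -d yourdomain --deploy-hook "/path/to/deploy-ssl-pem.sh --run /etc/letsencrypt/live/yourdomain /etc/letsencrypt/live/yourdomain/ssl.pem"` runs this after every successful renewal; the standalone authenticator still needs the listener port free, which is why the tutorial stops lighttpd first. Newer lighttpd releases also accept the key separately via `ssl.privkey`, which removes the need for the combined file altogether.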

Charlie
