]>
Commit | Line | Data |
---|---|---|
e026bd5c ER |
1 | # lighttpd support for SSLv2 and SSLv3 |
2 | # | |
2910375f ER |
3 | # Documentation: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL |
4 | # https://www.ssllabs.com/projects/best-practices/index.html | |
5 | # https://cipherli.st/ | |
6 | # https://wiki.mozilla.org/Security/Server_Side_TLS | |
7 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/ | |
bd6c17df | 8 | |
e026bd5c | 9 | $SERVER["socket"] == ":443" { |
2910375f | 10 | protocol = "https://" |
e026bd5c | 11 | ssl.engine = "enable" |
2910375f | 12 | ssl.disable-client-renegotiation = "enable" |
b0de199c | 13 | |
2910375f ER |
14 | # ssl.pemfile: path to the PEM file for SSL support |
15 | # (Should contain both the private key and the certificate) | |
16 | ## If you have a .crt and a .key file, cat them together into a single PEM file: | |
b0de199c | 17 | ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem |
4cfd6496 | 18 | ssl.pemfile = "/etc/lighttpd/ssl/server.pem" |
9ff27247 | 19 | # ssl.ca-file: path to the CA file for support of chained certificates |
4cfd6496 | 20 | # ssl.ca-file = "/etc/lighttpd/ssl/chain.pem" |
34b8d937 | 21 | |
2910375f | 22 | # for DH/DHE ciphers, dhparam should be >= 2048-bit |
85a9ac30 ER |
23 | # Generate with: |
24 | # openssl dhparam -out dh2048.pem -outform PEM -2 2048 | |
4cfd6496 | 25 | # ssl.dh-file = "/etc/lighttpd/ssl/dhparam.pem" |
2910375f ER |
26 | # ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`) |
27 | # ssl.ec-curve = "secp384r1" | |
28 | # Compression is by default off at compile-time, but use if needed | |
29 | # ssl.use-compression = "disable" | |
30 | ||
31 | # Environment flag for HTTPS enabled | |
32 | # setenv.add-environment = ( | |
33 | # "HTTPS" => "on" | |
34 | # ) | |
35 | ||
36 | # intermediate configuration, tweak to your needs | |
37 | ssl.use-sslv2 = "disable" | |
38 | ssl.use-sslv3 = "disable" | |
39 | ssl.honor-cipher-order = "enable" | |
40 | # If you know you have RSA keys (standard), you can use: | |
41 | #ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK" | |
42 | # The more generic version (without the restriction to RSA keys) is | |
43 | #ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK" | |
44 | # List from https://mozilla.github.io/server-side-tls/ssl-config-generator/ | |
45 | ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" | |
46 | ||
47 | # HSTS(15768000 seconds = 6 months) | |
48 | # setenv.add-response-header = ( | |
49 | # "Strict-Transport-Security" => "max-age=15768000;" | |
50 | # ) | |
51 | ||
e026bd5c | 52 | $HTTP["useragent"] =~ "MSIE" { |
cf9b1bc9 | 53 | server.max-keep-alive-requests = 0 |
e026bd5c ER |
54 | } |
55 | } |