ssl.conf

   1 # lighttpd support for SSLv2 and SSLv3
   2 #
   3 # Documentation: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
   4 # https://www.ssllabs.com/projects/best-practices/index.html
   5 # https://cipherli.st/
   6 # https://wiki.mozilla.org/Security/Server_Side_TLS
   7 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
   8
   9 $SERVER["socket"] == ":443" {
  10         protocol = "https://"
  11         ssl.engine = "enable"
  12         ssl.disable-client-renegotiation = "enable"
  13
  14         # ssl.pemfile: path to the PEM file for SSL support
  15         # (Should contain both the private key and the certificate)
  16         ## If you have a .crt and a .key file, cat them together into a single PEM file:
  17         ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
  18         ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
  19         # ssl.ca-file: path to the CA file for support of chained certificates
  20 #       ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
  21
  22         # for DH/DHE ciphers, dhparam should be >= 2048-bit
  23         # Generate with:
  24         # openssl dhparam -out dh2048.pem -outform PEM -2 2048
  25 #       ssl.dh-file = "/etc/lighttpd/ssl/dhparam.pem"
  26         # ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`)
  27 #       ssl.ec-curve = "secp384r1"
  28         # Compression is by default off at compile-time, but use if needed
  29 #       ssl.use-compression = "disable"
  30
  31         # Environment flag for HTTPS enabled
  32 #       setenv.add-environment = (
  33 #               "HTTPS" => "on"
  34 #       )
  35
  36         # https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.54&config=intermediate
  37         # intermediate configuration, tweak to your needs
  38         #
  39         ssl.use-sslv2 = "disable"
  40         ssl.use-sslv3 = "disable"
  41         # intermediate configuration, tweak to your needs
  42         ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
  43         ssl.cipher-list           = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
  44         ssl.honor-cipher-order    = "disable"
  45
  46         # HTTP Strict Transport Security (63072000 seconds
  47         # setenv.add-response-header  = (
  48         #       "Strict-Transport-Security" => "max-age=63072000"
  49         # )
  50
  51         $HTTP["useragent"] =~ "MSIE" {
  52                 server.max-keep-alive-requests = 0
  53         }
  54 }