[packages/lighttpd.git] / ssl.conf

# lighttpd support for SSLv2 and SSLv3
#
# Documentation: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
# https://www.ssllabs.com/projects/best-practices/index.html
# https://cipherli.st/
# https://wiki.mozilla.org/Security/Server_Side_TLS
#
# generated 2023-05-28, Mozilla Guideline v5.7, lighttpd 1.4.70, OpenSSL 3.1.0, intermediate configuration
# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.70&config=intermediate&openssl=3.1.0&guideline=5.7

$HTTP["scheme"] == "http" {
	url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}

# lighttpd 1.4.56 and later will inherit ssl.* from the global scope if
# $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* options
# (to avoid having to repeat ssl.* directives in both ":443" and "[::]:443")
$SERVER["socket"] ==     ":443" { ssl.engine = "enable" }
$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }

$HTTP["scheme"] == "https" {
	protocol = "https://"
	# ssl.pemfile: path to the PEM file for SSL support
	# (Should contain both the private key and the certificate)
	## If you have a .crt and a .key file, cat them together into a single PEM file:
	## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
	ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
#	ssl.privkey = "/path/to/private_key"
	# ssl.ca-file: path to the CA file for support of chained certificates
#	ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"

	# OCSP stapling (input file must be maintained by external script)
	# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
#	ssl.stapling-file = "/path/to/cert-staple.der"

	# Compression is by default off at compile-time, but use if needed
#	ssl.use-compression = "disable"

	# Environment flag for HTTPS enabled
#	setenv.add-environment = (
#		"HTTPS" => "on"
#	)

	ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
	ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
	# TLS modules besides mod_openssl might name ciphers differently
	# See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
	ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")

	# HTTP Strict Transport Security (63072000 seconds is around 2 years)
	setenv.add-response-header = (
		"Strict-Transport-Security" => "max-age=63072000"
	)

	$HTTP["useragent"] =~ "MSIE" {
		server.max-keep-alive-requests = 0
	}
}
Commit	Line	Data
e026bd5c ER	1	# lighttpd support for SSLv2 and SSLv3
e026bd5c ER	2	#
2910375f ER	3	# Documentation: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
	4	# https://www.ssllabs.com/projects/best-practices/index.html
	5	# https://cipherli.st/
	6	# https://wiki.mozilla.org/Security/Server_Side_TLS
3abef207 ER	7	#
	8	# generated 2023-05-28, Mozilla Guideline v5.7, lighttpd 1.4.70, OpenSSL 3.1.0, intermediate configuration
	9	# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.70&config=intermediate&openssl=3.1.0&guideline=5.7
bd6c17df	10
3abef207 ER	11	$HTTP["scheme"] == "http" {
	12	url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
	13	}
b0de199c	14
3abef207 ER	15	# lighttpd 1.4.56 and later will inherit ssl.* from the global scope if
	16	# $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* options
	17	# (to avoid having to repeat ssl.* directives in both ":443" and "[::]:443")
	18	$SERVER["socket"] == ":443" { ssl.engine = "enable" }
	19	$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
	20
	21	$HTTP["scheme"] == "https" {
	22	protocol = "https://"
2910375f ER	23	# ssl.pemfile: path to the PEM file for SSL support
	24	# (Should contain both the private key and the certificate)
	25	## If you have a .crt and a .key file, cat them together into a single PEM file:
b0de199c	26	## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
4cfd6496	27	ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
3abef207	28	# ssl.privkey = "/path/to/private_key"
9ff27247	29	# ssl.ca-file: path to the CA file for support of chained certificates
4cfd6496	30	# ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
34b8d937	31
3abef207 ER	32	# OCSP stapling (input file must be maintained by external script)
	33	# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
	34	# ssl.stapling-file = "/path/to/cert-staple.der"
	35
2910375f ER	36	# Compression is by default off at compile-time, but use if needed
	37	# ssl.use-compression = "disable"
	38
	39	# Environment flag for HTTPS enabled
	40	# setenv.add-environment = (
	41	# "HTTPS" => "on"
	42	# )
	43
3abef207 ER	44	ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
	45	ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
	46	# TLS modules besides mod_openssl might name ciphers differently
	47	# See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
	48	ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")
2910375f	49
8f3808f4	50	# HTTP Strict Transport Security (63072000 seconds is around 2 years)
3abef207 ER	51	setenv.add-response-header = (
	52	"Strict-Transport-Security" => "max-age=63072000"
	53	)
2910375f	54
e026bd5c	55	$HTTP["useragent"] =~ "MSIE" {
cf9b1bc9	56	server.max-keep-alive-requests = 0
e026bd5c ER	57	}
e026bd5c ER	58	}