Deprecated TLS options have been removed.

[packages/lighttpd.git] / ssl.conf

# lighttpd support for SSLv2 and SSLv3
#
# Documentation: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
# https://www.ssllabs.com/projects/best-practices/index.html
# https://cipherli.st/
# https://wiki.mozilla.org/Security/Server_Side_TLS
# https://mozilla.github.io/server-side-tls/ssl-config-generator/

$SERVER["socket"] == ":443" {
        protocol = "https://"
        ssl.engine = "enable"

        # ssl.pemfile: path to the PEM file for SSL support
        # (Should contain both the private key and the certificate)
        ## If you have a .crt and a .key file, cat them together into a single PEM file:
        ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
        ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
        # ssl.ca-file: path to the CA file for support of chained certificates
#       ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"

        # Compression is by default off at compile-time, but use if needed
#       ssl.use-compression = "disable"

        # Environment flag for HTTPS enabled
#       setenv.add-environment = (
#               "HTTPS" => "on"
#       )

        # https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.54&config=intermediate
        # intermediate configuration, tweak to your needs
        #
        ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
        ssl.cipher-list           = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

        # HTTP Strict Transport Security (63072000 seconds
        # setenv.add-response-header  = (
        #       "Strict-Transport-Security" => "max-age=63072000"
        # )

        $HTTP["useragent"] =~ "MSIE" {
                server.max-keep-alive-requests = 0
        }
}