1 # lighttpd support for SSLv2 and SSLv3
3 # Documentation: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
4 # https://www.ssllabs.com/projects/best-practices/index.html
6 # https://wiki.mozilla.org/Security/Server_Side_TLS
7 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
9 $SERVER["socket"] == ":443" {
13 # ssl.pemfile: path to the PEM file for SSL support
14 # (Should contain both the private key and the certificate)
15 ## If you have a .crt and a .key file, cat them together into a single PEM file:
16 ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
17 ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
18 # ssl.ca-file: path to the CA file for support of chained certificates
19 # ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
21 # Compression is by default off at compile-time, but use if needed
22 # ssl.use-compression = "disable"
24 # Environment flag for HTTPS enabled
25 # setenv.add-environment = (
29 # https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.54&config=intermediate
30 # intermediate configuration, tweak to your needs
32 ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
33 ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
35 # HTTP Strict Transport Security (63072000 seconds
36 # setenv.add-response-header = (
37 # "Strict-Transport-Security" => "max-age=63072000"
40 $HTTP["useragent"] =~ "MSIE" {
41 server.max-keep-alive-requests = 0