$SERVER["socket"] == ":443" {
protocol = "https://"
ssl.engine = "enable"
- ssl.disable-client-renegotiation = "enable"
# ssl.pemfile: path to the PEM file for SSL support
# (Should contain both the private key and the certificate)
# ssl.ca-file: path to the CA file for support of chained certificates
# ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
- # for DH/DHE ciphers, dhparam should be >= 2048-bit
- # Generate with:
- # openssl dhparam -out dh2048.pem -outform PEM -2 2048
-# ssl.dh-file = "/etc/lighttpd/ssl/dhparam.pem"
- # ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`)
-# ssl.ec-curve = "secp384r1"
# Compression is by default off at compile-time, but use if needed
# ssl.use-compression = "disable"
# https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.54&config=intermediate
# intermediate configuration, tweak to your needs
#
- ssl.use-sslv2 = "disable"
- ssl.use-sslv3 = "disable"
- # intermediate configuration, tweak to your needs
ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
- ssl.honor-cipher-order = "disable"
# HTTP Strict Transport Security (63072000 seconds
# setenv.add-response-header = (