]>
Commit | Line | Data |
---|---|---|
e026bd5c ER |
1 | # lighttpd support for SSLv2 and SSLv3 |
2 | # | |
2910375f ER |
3 | # Documentation: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL |
4 | # https://www.ssllabs.com/projects/best-practices/index.html | |
5 | # https://cipherli.st/ | |
6 | # https://wiki.mozilla.org/Security/Server_Side_TLS | |
3abef207 ER |
7 | # |
8 | # generated 2023-05-28, Mozilla Guideline v5.7, lighttpd 1.4.70, OpenSSL 3.1.0, intermediate configuration | |
9 | # https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.70&config=intermediate&openssl=3.1.0&guideline=5.7 | |
bd6c17df | 10 | |
3abef207 ER |
11 | $HTTP["scheme"] == "http" { |
12 | url.redirect = ("" => "https://${url.authority}${url.path}${qsa}") | |
13 | } | |
b0de199c | 14 | |
3abef207 ER |
15 | # lighttpd 1.4.56 and later will inherit ssl.* from the global scope if |
16 | # $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* options | |
17 | # (to avoid having to repeat ssl.* directives in both ":443" and "[::]:443") | |
18 | $SERVER["socket"] == ":443" { ssl.engine = "enable" } | |
19 | $SERVER["socket"] == "[::]:443" { ssl.engine = "enable" } | |
20 | ||
21 | $HTTP["scheme"] == "https" { | |
331a1d28 ER |
22 | # HTTP Strict Transport Security (63072000 seconds is around 2 years) |
23 | setenv.add-response-header = ( | |
24 | "Strict-Transport-Security" => "max-age=63072000" | |
25 | ) | |
26 | } | |
27 | ||
28 | # ssl.pemfile: path to the PEM file for SSL support | |
29 | # (Should contain both the private key and the certificate) | |
30 | ## If you have a .crt and a .key file, cat them together into a single PEM file: | |
31 | ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem | |
32 | ssl.pemfile = "/etc/lighttpd/ssl/server.pem" | |
3abef207 | 33 | # ssl.privkey = "/path/to/private_key" |
331a1d28 | 34 | # ssl.ca-file: path to the CA file for support of chained certificates |
4cfd6496 | 35 | # ssl.ca-file = "/etc/lighttpd/ssl/chain.pem" |
34b8d937 | 36 | |
331a1d28 ER |
37 | # OCSP stapling (input file must be maintained by external script) |
38 | # https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling | |
3abef207 ER |
39 | # ssl.stapling-file = "/path/to/cert-staple.der" |
40 | ||
331a1d28 | 41 | # Compression is by default off at compile-time, but use if needed |
2910375f ER |
42 | # ssl.use-compression = "disable" |
43 | ||
331a1d28 | 44 | # Environment flag for HTTPS enabled |
2910375f ER |
45 | # setenv.add-environment = ( |
46 | # "HTTPS" => "on" | |
47 | # ) | |
48 | ||
331a1d28 ER |
49 | ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") |
50 | ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference") | |
51 | # TLS modules besides mod_openssl might name ciphers differently | |
52 | # See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL | |
53 | ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305") |