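# lighttpd configuration: PHP via FastCGI, TLS on IPv4 + IPv6, behind CloudFlare,
# plus three virtual hosts. Directives before the first conditional block are global.

server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_alias",
    "mod_compress",
    "mod_redirect",
    "mod_setenv",
    "mod_extforward",
#   "mod_rewrite",  # often unnecessary when using lighty-enable
)

server.document-root = "/var/www"
server.upload-dirs = ( "/var/cache/lighttpd/uploads/" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "server"
server.groupname = "server"
# Short Server: header value; does not reveal the lighttpd version.
server.tag = "lighttpd"
server.port = 80
# Upper bound on request bodies, in kilobytes (~1.3 GB) — sized for large uploads
# to the file-hosting apps served below; lower it if those are retired.
server.max-request-size = 1300000

etag.use-mtime = "enable"
etag.use-size = "enable"
static-file.etags = "enable"

# logging
accesslog.filename = "/var/log/lighttpd/access.log"

index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
# Never serve editor backups ("~") or PHP include fragments (".inc") as files.
url.access-deny = ( "~", ".inc" )
# Script sources are handed to the FastCGI backend, never served verbatim.
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = (
    "application/javascript",
    "text/css",
    "text/xml",
    "text/html",
    "text/plain",
    "text/vtt",
)

fastcgi.server = (
    ".php" => ((
        "bin-path" => "/usr/bin/php-cgi",
        # NOTE(review): a socket under /tmp lives in a world-writable directory;
        # a path under /var/run/lighttpd/ would be the usual choice — verify before moving it.
        "socket" => "/tmp/php.socket",
        "max-procs" => 1,
        "bin-environment" => (
            "PHP_FCGI_CHILDREN" => "3",
            "PHP_FCGI_MAX_REQUESTS" => "100",
        ),
        "bin-copy-environment" => ( "PATH", "SHELL", "USER" ),
        # Lets PHP answer with X-Sendfile so lighttpd streams the file itself.
        # Any path readable by the server user can be sent this way, so the
        # PHP application is trusted to validate what it names.
        "allow-x-send-file" => "enable",
    ))
)

# default listening port for IPv6 falls back to the IPv4 port
## Use ipv6 if available
# The trailing space inside the string is deliberate: server.port is appended
# as the script's command-line argument.
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

# restore visitor IP when using CloudFlare
# NOTE(review): "all" => "trust" accepts CF-Connecting-IP from ANY peer, so a
# client reaching the server directly (not through CloudFlare) can choose the
# IP that ends up in access logs and in mod_access decisions. Restrict the
# trusted forwarders to CloudFlare's published address ranges, e.g.
#   extforward.forwarder = ( "<CLOUDFLARE_CIDR_PLACEHOLDER>" => "trust", ... )
# and keep that list in step with CloudFlare's publication of it.
extforward.forwarder = ( "all" => "trust" )
extforward.headers = ( "CF-Connecting-IP" )

# first, for IPv4
# The IPv4 and IPv6 socket blocks below are intentionally identical; keep them in sync.
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    # disable SSLv2 and SSLv3: deprecated and POODLE attack
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    # NOTE(review): nothing here disables TLS 1.0/1.1. On lighttpd >= 1.4.48 with
    # OpenSSL >= 1.1.0 the following raises the floor (verify the version first):
    #   ssl.openssl.ssl-conf-cmd = ( "MinProtocol" => "TLSv1.2" )
    ssl.honor-cipher-order = "enable"
    setenv.add-environment = ( "HTTPS" => "on" )
    # limit to strong cryptography with PFS
    # Only ECDHE/DHE key exchange is offered. The previous list also allowed
    # static-RSA suites (no forward secrecy), the broad "AES"/"CAMELLIA" aliases
    # (which pull in non-PFS CBC suites) and DES-CBC3-SHA (3DES, SWEET32);
    # those contradicted the intent stated above and were dropped.
    ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
    # set a dummy self-signed cert as default, and use custom-generated Diffie-Hellman prime
    # even if ECDHE renders Logjam attack inexploitable
    ssl.pemfile = "/home/server/www/ssl/default.pem"
    ssl.dh-file = "/etc/ssl/dhparams.pem"

    # per-host certificate settings (SNI). Dots are escaped so the patterns
    # match only the literal domain labels, not any single character.
    $HTTP["host"] =~ "\.foo\.bar" {
        ssl.cipher-list = "EECDH+ECDSA+AESGCM:AES128+EECDH:AES128+EDH"
        ssl.pemfile = "/home/server/www/ssl/foobar.pem"
        ssl.ca-file = "/home/server/www/ssl/cacert.crt"
    }
    $HTTP["host"] =~ "free\.bar" {
        ssl.cipher-list = "EECDH+ECDSA+AESGCM:AES128+EECDH:AES128+EDH"
        ssl.pemfile = "/home/server/www/ssl/freebar.pem"
        ssl.ca-file = "/home/server/www/ssl/gandi.pem"
    }
}

### once again, for IPv6 config
$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable"
    # disable SSLv2 and SSLv3: deprecated and POODLE attack
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    # NOTE(review): see the IPv4 block — same TLS 1.0/1.1 remark applies here.
    ssl.honor-cipher-order = "enable"
    setenv.add-environment = ( "HTTPS" => "on" )
    # limit to strong cryptography with PFS (same list as the IPv4 socket)
    ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
    # set a dummy self-signed cert as default, and use custom-generated Diffie-Hellman prime
    # even if ECDHE renders Logjam attack inexploitable
    ssl.pemfile = "/home/server/www/ssl/default.pem"
    ssl.dh-file = "/etc/ssl/dhparams.pem"

    # per-host certificate settings (SNI)
    $HTTP["host"] =~ "\.foo\.bar" {
        ssl.cipher-list = "EECDH+ECDSA+AESGCM:AES128+EECDH:AES128+EDH"
        ssl.pemfile = "/home/server/www/ssl/foobar.pem"
        ssl.ca-file = "/home/server/www/ssl/cacert.crt"
    }
    $HTTP["host"] =~ "free\.bar" {
        ssl.cipher-list = "EECDH+ECDSA+AESGCM:AES128+EECDH:AES128+EDH"
        ssl.pemfile = "/home/server/www/ssl/freebar.pem"
        ssl.ca-file = "/home/server/www/ssl/gandi.pem"
    }
}

# and now the virtualhosts !
$HTTP["host"] == "www.free.bar" {
    server.document-root = "/home/server/www/freebar/"
    # NOTE(review): server.use-ipv6 is a listener-level setting; whether it has
    # any effect inside a host conditional is doubtful — confirm or move it global.
    server.use-ipv6 = "enable"
    # NOTE(review): these headers are added to every response of this host,
    # including PHP output. "Cache-Control: public" on authenticated/dynamic
    # pages lets shared caches (CloudFlare included) store them — confirm the
    # backends override it, or scope this to static paths.
    setenv.add-response-header = (
        "Cache-Control" => "public, max-age=691200, must-revalidate",
        "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff",
    )
    # access deny rules: the application data directories must never be served directly.
    $HTTP["url"] =~ "^/(owncloud/data|filebin/data|zerobin/data)/" {
        url.access-deny = ( "" )
    }
    # forcing HTTPS; %0 is the matched host, $0 the matched request path.
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = ( ".*" => "https://%0$0" )
        }
    }
}

$HTTP["host"] == "www.foo.bar" {
    server.document-root = "/home/server/www/foobar/"
}

# just a dataless redirect
# Matches the bare domain and any subdomain of it; dots are escaped so that
# e.g. "oldxdomain.name" no longer matches.
$HTTP["host"] =~ "(^|\.)old\.domain\.name$" {
    server.document-root = "/dev/null/"
    url.redirect = ( "^/(.*)" => "https://foo.bar/hello.html#$1" )
}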