Outils pour utilisateurs

Outils du site


config:lighttpd

Lighttpd config example

This is an example of a former pre-production Lighttpd web server running Ubuntu 15.04. This is not best practice and is for education only.

lighttpd.conf
server.modules = (
	"mod_access",
	"mod_accesslog",
	"mod_alias",
	"mod_compress",
 	"mod_redirect",
	"mod_setenv",
	"mod_extforward",
#  "mod_rewrite",    # often unnecessary when using lighty-enable
)
 
server.document-root        = "/var/www"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads/" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "server"
server.groupname            = "server"
server.tag                  = "lighttpd"
server.port                 = 80
server.max-request-size     = 1300000
etag.use-mtime		          = "enable"
etag.use-size		          = "enable"
static-file.etags	          = "enable"
 
 
# logging
accesslog.filename		    = "/var/log/lighttpd/access.log"
 
index-file.names               = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny                = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
 
compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/xml", "text/html", "text/plain", "text/vtt" )
 
fastcgi.server = (
   ".php" => ((
      "bin-path" => "/usr/bin/php-cgi",
      "socket" => "/tmp/php.socket",
      "max-procs" => 1,
      "bin-environment" => ( 
         "PHP_FCGI_CHILDREN" => "3",
         "PHP_FCGI_MAX_REQUESTS" => "100" 
      ),
      "bin-copy-environment" => (
         "PATH", "SHELL", "USER" 
      ),
      "allow-x-send-file" => "enable",
   ))
)
 
# default listening port for IPv6 falls back to the IPv4 port
## Use ipv6 if available
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
 
# restore visitor IP when using CloudFlare
extforward.forwarder    = ( "all" => "trust" ) 
extforward.headers      = ("CF-Connecting-IP")
 
# first, for IPv4
$SERVER["socket"] == ":443" {
	ssl.engine = "enable"
 
   # disable SSLv2 and SSLv3: deprecated and POODLE attack
	ssl.use-sslv2 = "disable"
	ssl.use-sslv3 = "disable"
 
	ssl.honor-cipher-order = "enable"
	setenv.add-environment = ( "HTTPS" => "on" )
 
   # limit to strong cryptography with PFS
	ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA "
 
   # set a dummy self-signed cert as default, and use custom-generated Diffie-Hellman prime even if ECDHE renders Logjam attack inexploitable
	ssl.pemfile = "/home/server/www/ssl/default.pem" 
	ssl.dh-file="/etc/ssl/dhparams.pem"
 
 
   # per-host certificate settings
   $HTTP["host"] =~ ".foo.bar" {
      ssl.cipher-list = "EECDH+ECDSA+AESGCM:AES128+EECDH:AES128+EDH"
      ssl.pemfile = "/home/server/www/ssl/foobar.pem"
      ssl.ca-file = "/home/server/www/ssl/cacert.crt"
   }
 
   $HTTP["host"] =~ "free.bar" {
      ssl.cipher-list = "EECDH+ECDSA+AESGCM:AES128+EECDH:AES128+EDH"
      ssl.pemfile = "/home/server/www/ssl/freebar.pem"
      ssl.ca-file = "/home/server/www/ssl/gandi.pem"
   }
}
 
### once again, for IPv6 config
$SERVER["socket"] == "[::]:443" {
	ssl.engine = "enable"
 
   # disable SSLv2 and SSLv3: deprecated and POODLE attack
	ssl.use-sslv2 = "disable"
	ssl.use-sslv3 = "disable"
 
	ssl.honor-cipher-order = "enable"
	setenv.add-environment = ( "HTTPS" => "on" )
 
   # limit to strong cryptography with PFS
	ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA "
 
   # set a dummy self-signed cert as default, and use custom-generated Diffie-Hellman prime even if ECDHE renders Logjam attack inexploitable
	ssl.pemfile = "/home/server/www/ssl/default.pem" 
	ssl.dh-file="/etc/ssl/dhparams.pem"
 
 
   # per-host certificate settings
   $HTTP["host"] =~ ".foo.bar" {
      ssl.cipher-list = "EECDH+ECDSA+AESGCM:AES128+EECDH:AES128+EDH"
      ssl.pemfile = "/home/server/www/ssl/foobar.pem"
      ssl.ca-file = "/home/server/www/ssl/cacert.crt"
   }
 
   $HTTP["host"] =~ "free.bar" {
      ssl.cipher-list = "EECDH+ECDSA+AESGCM:AES128+EECDH:AES128+EDH"
      ssl.pemfile = "/home/server/www/ssl/freebar.pem"
      ssl.ca-file = "/home/server/www/ssl/gandi.pem"
   }
}
 
 
# and now the virtualhosts !
$HTTP["host"] == "www.free.bar" {
   server.document-root = "/home/server/www/freebar/"
   server.use-ipv6 = "enable"
   setenv.add-response-header = (
      "Cache-Control" => "public, max-age=691200, must-revalidate",
      "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
      "X-Frame-Options" => "DENY",
      "X-Content-Type-Options" => "nosniff"
   )
   # access deny rules
   $HTTP["url"] =~ "^/(owncloud/data|filebin/data|zerobin/data)/" {url.access-deny = ("") }
 
   # forcing HTTPS
   $HTTP["scheme"] == "http" {
      $HTTP["host"] =~ ".*" {
         url.redirect = (".*" => "https://%0$0")
      }
	}
}
 
$HTTP["host"] == "www.foo.bar" {
   server.document-root = "/home/server/www/foobar/"
}
 
# just a dataless redirect
$HTTP["host"] =~ "(^|.)old.domain.name$"  {
   server.document-root = "/dev/null/"
   url.redirect = ( "^/(.*)" => "https://foo.bar/hello.html#$1")
}
config/lighttpd.txt · Dernière modification: 2015/07/10 09:15 par mitsu