]> TLD Linux GIT Repositories - packages/lighttpd.git/blob - ssl.conf
TLD / packages / lighttpd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
- updated to 1.4.73, build with lua54
[packages/lighttpd.git] / ssl.conf
1 # lighttpd support for SSLv2 and SSLv3
2 #
3 # Documentation: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
4 # https://www.ssllabs.com/projects/best-practices/index.html
5 # https://cipherli.st/
6 # https://wiki.mozilla.org/Security/Server_Side_TLS
7 #
8 # generated 2023-05-28, Mozilla Guideline v5.7, lighttpd 1.4.70, OpenSSL 3.1.0, intermediate configuration
9 # https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.70&config=intermediate&openssl=3.1.0&guideline=5.7
10
11 $HTTP["scheme"] == "http" {
12         url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
13 }
14
15 # lighttpd 1.4.56 and later will inherit ssl.* from the global scope if
16 # $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* options
17 # (to avoid having to repeat ssl.* directives in both ":443" and "[::]:443")
18 $SERVER["socket"] ==     ":443" { ssl.engine = "enable" }
19 $SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
20
21 $HTTP["scheme"] == "https" {
22         # HTTP Strict Transport Security (63072000 seconds is around 2 years)
23         setenv.add-response-header = (
24                 "Strict-Transport-Security" => "max-age=63072000"
25         )
26 }
27
28 # ssl.pemfile: path to the PEM file for SSL support
29 # (Should contain both the private key and the certificate)
30 ## If you have a .crt and a .key file, cat them together into a single PEM file:
31 ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
32 ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
33 #       ssl.privkey = "/path/to/private_key"
34 # ssl.ca-file: path to the CA file for support of chained certificates
35 #       ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
36
37 # OCSP stapling (input file must be maintained by external script)
38 # https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
39 #       ssl.stapling-file = "/path/to/cert-staple.der"
40
41 # Compression is by default off at compile-time, but use if needed
42 #       ssl.use-compression = "disable"
43
44 # Environment flag for HTTPS enabled
45 #       setenv.add-environment = (
46 #               "HTTPS" => "on"
47 #       )
48
49 ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
50 ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
51 # TLS modules besides mod_openssl might name ciphers differently
52 # See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
53 ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")
Fast and light HTTP server