# https://www.ssllabs.com/projects/best-practices/index.html
# https://cipherli.st/
# https://wiki.mozilla.org/Security/Server_Side_TLS
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/
-
-$SERVER["socket"] == ":443" {
- protocol = "https://"
- ssl.engine = "enable"
- ssl.disable-client-renegotiation = "enable"
-
- # ssl.pemfile: path to the PEM file for SSL support
- # (Should contain both the private key and the certificate)
- ## If you have a .crt and a .key file, cat them together into a single PEM file:
- ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
- ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
- # ssl.ca-file: path to the CA file for support of chained certificates
+#
+# generated 2023-05-28, Mozilla Guideline v5.7, lighttpd 1.4.70, OpenSSL 3.1.0, intermediate configuration
+# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.70&config=intermediate&openssl=3.1.0&guideline=5.7
+
+$HTTP["scheme"] == "http" {
+ url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
+}
+
+# lighttpd 1.4.56 and later will inherit ssl.* from the global scope if
+# $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* options
+# (to avoid having to repeat ssl.* directives in both ":443" and "[::]:443")
+$SERVER["socket"] == ":443" { ssl.engine = "enable" }
+$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
+
+$HTTP["scheme"] == "https" {
+ # HTTP Strict Transport Security (63072000 seconds is around 2 years)
+ setenv.add-response-header = (
+ "Strict-Transport-Security" => "max-age=63072000"
+ )
+}
+
+# ssl.pemfile: path to the PEM file for SSL support
+# (Should contain both the private key and the certificate)
+## If you have a .crt and a .key file, cat them together into a single PEM file:
+## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
+ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
+# ssl.privkey = "/path/to/private_key"
+# ssl.ca-file: path to the CA file for support of chained certificates
# ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
- # for DH/DHE ciphers, dhparam should be >= 2048-bit
- # Generate with:
- # openssl dhparam -out dh2048.pem -outform PEM -2 2048
-# ssl.dh-file = "/etc/lighttpd/ssl/dhparam.pem"
- # ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`)
-# ssl.ec-curve = "secp384r1"
- # Compression is by default off at compile-time, but use if needed
+# OCSP stapling (input file must be maintained by external script)
+# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
+# ssl.stapling-file = "/path/to/cert-staple.der"
+
+# Compression is by default off at compile-time, but use if needed
# ssl.use-compression = "disable"
- # Environment flag for HTTPS enabled
+# Environment flag for HTTPS enabled
# setenv.add-environment = (
# "HTTPS" => "on"
# )
- # https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.54&config=intermediate
- # intermediate configuration, tweak to your needs
- #
- ssl.use-sslv2 = "disable"
- ssl.use-sslv3 = "disable"
- # intermediate configuration, tweak to your needs
- ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
- ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
- ssl.honor-cipher-order = "disable"
-
- # HTTP Strict Transport Security (63072000 seconds
- # setenv.add-response-header = (
- # "Strict-Transport-Security" => "max-age=63072000"
- # )
-
- $HTTP["useragent"] =~ "MSIE" {
- server.max-keep-alive-requests = 0
- }
-}
+ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
+ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
+# TLS modules besides mod_openssl might name ciphers differently
+# See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
+ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")