X-Git-Url: https://git.tld-linux.org/?p=packages%2Flighttpd.git;a=blobdiff_plain;f=ssl.conf;h=15bfb6aeec0daebc1109be5909cda6ee9a7b6ab5;hp=e9c1a2108ed7accfda7d42304a6e812035df4ac3;hb=HEAD;hpb=8239b3691d1ae536833b6d53a2efd289956ccbcd diff --git a/ssl.conf b/ssl.conf index e9c1a21..6e45428 100644 --- a/ssl.conf +++ b/ssl.conf @@ -4,52 +4,50 @@ # https://www.ssllabs.com/projects/best-practices/index.html # https://cipherli.st/ # https://wiki.mozilla.org/Security/Server_Side_TLS -# https://mozilla.github.io/server-side-tls/ssl-config-generator/ - -$SERVER["socket"] == ":443" { - protocol = "https://" - ssl.engine = "enable" - ssl.disable-client-renegotiation = "enable" - - # ssl.pemfile: path to the PEM file for SSL support - # (Should contain both the private key and the certificate) - ## If you have a .crt and a .key file, cat them together into a single PEM file: - ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem - ssl.pemfile = "/etc/lighttpd/ssl/server.pem" - # ssl.ca-file: path to the CA file for support of chained certificates +# +# generated 2023-05-28, Mozilla Guideline v5.7, lighttpd 1.4.70, OpenSSL 3.1.0, intermediate configuration +# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.70&config=intermediate&openssl=3.1.0&guideline=5.7 + +$HTTP["scheme"] == "http" { + url.redirect = ("" => "https://${url.authority}${url.path}${qsa}") +} + +# lighttpd 1.4.56 and later will inherit ssl.* from the global scope if +# $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* options +# (to avoid having to repeat ssl.* directives in both ":443" and "[::]:443") +$SERVER["socket"] == ":443" { ssl.engine = "enable" } +$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" } + +$HTTP["scheme"] == "https" { + # HTTP Strict Transport Security (63072000 seconds is around 2 years) + setenv.add-response-header = ( + "Strict-Transport-Security" => "max-age=63072000" + ) +} + +# ssl.pemfile: path to the PEM file for SSL support +# (Should contain both the private key and the certificate) +## If you have a .crt and a .key file, cat them together into a single PEM file: +## $ cat lighttpd.key lighttpd.crt > lighttpd.pem +ssl.pemfile = "/etc/lighttpd/ssl/server.pem" +# ssl.privkey = "/path/to/private_key" +# ssl.ca-file: path to the CA file for support of chained certificates # ssl.ca-file = "/etc/lighttpd/ssl/chain.pem" - # for DH/DHE ciphers, dhparam should be >= 2048-bit - # Generate with: - # openssl dhparam -out dh2048.pem -outform PEM -2 2048 -# ssl.dh-file = "/etc/lighttpd/ssl/dhparam.pem" - # ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`) -# ssl.ec-curve = "secp384r1" - # Compression is by default off at compile-time, but use if needed +# OCSP stapling (input file must be maintained by external script) +# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling +# ssl.stapling-file = "/path/to/cert-staple.der" + +# Compression is by default off at compile-time, but use if needed # ssl.use-compression = "disable" - # Environment flag for HTTPS enabled +# Environment flag for HTTPS enabled # setenv.add-environment = ( # "HTTPS" => "on" # ) - # intermediate configuration, tweak to your needs - ssl.use-sslv2 = "disable" - ssl.use-sslv3 = "disable" - ssl.honor-cipher-order = "enable" - # If you know you have RSA keys (standard), you can use: - #ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK" - # The more generic version (without the restriction to RSA keys) is - #ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK" - # List from https://mozilla.github.io/server-side-tls/ssl-config-generator/ - ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" - - # HSTS(15768000 seconds = 6 months) -# setenv.add-response-header = ( -# "Strict-Transport-Security" => "max-age=15768000;" -# ) - - $HTTP["useragent"] =~ "MSIE" { - server.max-keep-alive-requests = 0 - } -} +ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") +ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference") +# TLS modules besides mod_openssl might name ciphers differently +# See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL +ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")