Difference between revisions of "Lighttpd 1.4.35 - OpenSSL 1.1.1"

From wiki
Jump to navigation Jump to search
(Created page with "Below is an SSL Configuration for an Apache webserver (version 2.2.15) and OpenSSL (version 1.1.0). This configuration was made with the Mozilla SSL Configuration Generator. <...")
 
(Created new page with Lighttpd config.)
Line 1: Line 1:
Below is an SSL Configuration for an Apache webserver (version 2.2.15) and OpenSSL (version 1.1.0). This configuration was made with the Mozilla SSL Configuration Generator.
+
Below is an SSL Configuration for an Lighttpd webserver (version 1.4.35) and OpenSSL (version 1.1.1). This configuration was made with the [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator.]
 
<pre>
 
<pre>
 
# generated 2019-09-09, https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.35&config=intermediate&openssl-version=1.1.1
 
# generated 2019-09-09, https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.35&config=intermediate&openssl-version=1.1.1

Revision as of 10:32, 12 September 2019

Below is an SSL Configuration for an Lighttpd webserver (version 1.4.35) and OpenSSL (version 1.1.1). This configuration was made with the Mozilla SSL Configuration Generator.

# generated 2019-09-09, https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.35&config=intermediate&openssl-version=1.1.1
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

$SERVER["socket"] == ":443" {
    protocol     = "https://"
    ssl.engine   = "enable"
    ssl.disable-client-renegotiation = "enable"

    # pemfile is cert+privkey, ca-file is the intermediate chain in one file
    ssl.pemfile               = "/path/to/signed_cert_plus_private_key.pem"
    ssl.ca-file               = "/path/to/intermediate_certificate.pem"

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl.dh-file               = "/path/to/dhparam.pem"

    # Environment flag for HTTPS enabled
    setenv.add-environment = (
        "HTTPS" => "on"
    )

    # intermediate configuration, tweak to your needs
    # Please upgrade to 1.4.48 or else you cannot fully disable deprecated protocols
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.cipher-list           = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    ssl.honor-cipher-order    = "disable"

    # HTTP Strict Transport Security (63072000 seconds
    setenv.add-response-header  = (
        "Strict-Transport-Security" => "max-age=63072000"
    )
}