Difference between revisions of "Lighttpd 1.4.35 - OpenSSL 1.1.1"

From wiki
Jump to navigation Jump to search
(Created new page with Lighttpd config.)
(No difference)

Revision as of 12:35, 16 September 2019

Below is an SSL Configuration for an Lighttpd webserver (version 1.4.35) and OpenSSL (version 1.1.1). This configuration was made with the Mozilla SSL Configuration Generator.

# generated 2019-09-09, https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.35&config=intermediate&openssl-version=1.1.1
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

$SERVER["socket"] == ":443" {
    protocol     = "https://"
    ssl.engine   = "enable"
    ssl.disable-client-renegotiation = "enable"

    # pemfile is cert+privkey, ca-file is the intermediate chain in one file
    ssl.pemfile               = "/path/to/signed_cert_plus_private_key.pem"
    ssl.ca-file               = "/path/to/intermediate_certificate.pem"

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl.dh-file               = "/path/to/dhparam.pem"

    # Environment flag for HTTPS enabled
    setenv.add-environment = (
        "HTTPS" => "on"
    )

    # intermediate configuration, tweak to your needs
    # Please upgrade to 1.4.48 or else you cannot fully disable deprecated protocols
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.cipher-list           = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    ssl.honor-cipher-order    = "disable"

    # HTTP Strict Transport Security (63072000 seconds
    setenv.add-response-header  = (
        "Strict-Transport-Security" => "max-age=63072000"
    )
}