Difference between revisions of "Lighttpd 1.4.35 - OpenSSL 1.1.1"
(Created page with "Below is an SSL Configuration for an Apache webserver (version 2.2.15) and OpenSSL (version 1.1.0). This configuration was made with the Mozilla SSL Configuration Generator. <...") |
m (Greggory.elton moved page GC HTTPS Everywhere/Implementation Guidance/Lighttpd1.4.35-OSSL1.1.1 to Lighttpd 1.4.35 - OpenSSL 1.1.1: Updated Title) |
(2 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | Below is an SSL Configuration for an | + | Below is an SSL Configuration for an Lighttpd webserver (version 1.4.35) and OpenSSL (version 1.1.1). This configuration was made with the [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator.] |
<pre> | <pre> | ||
# generated 2019-09-09, https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.35&config=intermediate&openssl-version=1.1.1 | # generated 2019-09-09, https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.35&config=intermediate&openssl-version=1.1.1 |
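Review bot: In the added intro sentence at Line 1, "an Lighttpd webserver" should read "a Lighttpd web server". The link markup also pulls the sentence's closing period into the link text ("Generator.]"); move the period outside the closing bracket so only the tool name is linked.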
Latest revision as of 09:45, 24 September 2019
Below is an SSL configuration for a Lighttpd web server (version 1.4.35) and OpenSSL (version 1.1.1). This configuration was made with the Mozilla SSL Configuration Generator.
<pre>
# generated 2019-09-09, https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.35&config=intermediate&openssl-version=1.1.1
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

$SERVER["socket"] == ":443" {
    protocol   = "https://"
    ssl.engine = "enable"
    ssl.disable-client-renegotiation = "enable"

    # pemfile is cert+privkey, ca-file is the intermediate chain in one file
    ssl.pemfile = "/path/to/signed_cert_plus_private_key.pem"
    ssl.ca-file = "/path/to/intermediate_certificate.pem"

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl.dh-file = "/path/to/dhparam.pem"

    # Environment flag for HTTPS enabled
    setenv.add-environment = (
        "HTTPS" => "on"
    )

    # intermediate configuration, tweak to your needs
    # Please upgrade to 1.4.48 or else you cannot fully disable deprecated protocols
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    ssl.honor-cipher-order = "disable"

    # HTTP Strict Transport Security (63072000 seconds)
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000"
    )
}
</pre>
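A deployed lighttpd config can drift from the one above, so the following added example (not part of the wiki page or the Mozilla generator) audits config text against the values this page sets. The names `audit`, `PAGE_CIPHERS`, `EXPECTED`, `HSTS_MIN` and `WEAK` are hypothetical, and treating the page's `max-age` as a minimum is an assumption.

```python
import re

# Cipher suites copied from the page's intermediate ssl.cipher-list.
PAGE_CIPHERS = set((
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384").split(":"))
# Directive values the page sets; anything else is reported.
EXPECTED = {"ssl.engine": "enable", "ssl.use-sslv2": "disable",
            "ssl.use-sslv3": "disable",
            "ssl.disable-client-renegotiation": "enable"}
HSTS_MIN = 63072000  # assumption: the page's max-age is treated as the floor

def audit(conf):
    """Return findings for lighttpd config text; comment lines are ignored."""
    live = "\n".join(l for l in conf.splitlines()
                     if not l.lstrip().startswith("#"))
    opts = dict(re.findall(r'^\s*([\w.-]+)\s*=\s*"([^"]*)"', live, re.M))
    findings = [f"{k} is {opts.get(k, 'unset')!r}, expected {v!r}"
                for k, v in EXPECTED.items() if opts.get(k) != v]
    ciphers = [c for c in opts.get("ssl.cipher-list", "").split(":") if c]
    if not ciphers:
        findings.append("ssl.cipher-list is unset")
    extra = [c for c in ciphers if c not in PAGE_CIPHERS]
    if extra:
        findings.append("ciphers outside the page's list: " + ", ".join(extra))
    # The page pairs its DHE suites with an explicit ssl.dh-file.
    if any(c.startswith("DHE-") for c in ciphers) and "ssl.dh-file" not in opts:
        findings.append("DHE ciphers listed but ssl.dh-file is unset")
    m = re.search(r'"Strict-Transport-Security"\s*=>\s*"[^"]*max-age=(\d+)', live)
    if not m:
        findings.append("no Strict-Transport-Security response header")
    elif int(m.group(1)) < HSTS_MIN:
        findings.append(f"HSTS max-age {m.group(1)} is below {HSTS_MIN}")
    return findings

# Constructed sample: a weakened variant of the page's :443 block.
WEAK = '''
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    # ssl.use-sslv3 = "disable"
    ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-SHA"
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=300" )
}
'''

if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

This checks only what the config file declares; the comment in the page's config about upgrading to 1.4.48 concerns protocol versions that 1.4.35 has no directive to disable, so it cannot be checked this way.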