802
edits
Changes
Lighttpd 1.4.35 - OpenSSL 1.1.1 (view source)
Revision as of 11:30, 12 September 2019
, 11:30, 12 September 2019Created page with "Below is an SSL Configuration for an Apache webserver (version 2.2.15) and OpenSSL (version 1.1.0). This configuration was made with the Mozilla SSL Configuration Generator. <..."
Below is an SSL Configuration for an Apache webserver (version 2.2.15) and OpenSSL (version 1.1.0). This configuration was made with the Mozilla SSL Configuration Generator.
<pre>
# generated 2019-09-09, https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.35&config=intermediate&openssl-version=1.1.1
$SERVER["socket"] == ":80" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
$SERVER["socket"] == ":443" {
protocol = "https://"
ssl.engine = "enable"
ssl.disable-client-renegotiation = "enable"
# pemfile is cert+privkey, ca-file is the intermediate chain in one file
ssl.pemfile = "/path/to/signed_cert_plus_private_key.pem"
ssl.ca-file = "/path/to/intermediate_certificate.pem"
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
ssl.dh-file = "/path/to/dhparam.pem"
# Environment flag for HTTPS enabled
setenv.add-environment = (
"HTTPS" => "on"
)
# intermediate configuration, tweak to your needs
# Please upgrade to 1.4.48 or else you cannot fully disable deprecated protocols
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ssl.honor-cipher-order = "disable"
# HTTP Strict Transport Security (63072000 seconds
setenv.add-response-header = (
"Strict-Transport-Security" => "max-age=63072000"
)
}
</pre>
<pre>
# generated 2019-09-09, https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.35&config=intermediate&openssl-version=1.1.1
$SERVER["socket"] == ":80" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
$SERVER["socket"] == ":443" {
protocol = "https://"
ssl.engine = "enable"
ssl.disable-client-renegotiation = "enable"
# pemfile is cert+privkey, ca-file is the intermediate chain in one file
ssl.pemfile = "/path/to/signed_cert_plus_private_key.pem"
ssl.ca-file = "/path/to/intermediate_certificate.pem"
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
ssl.dh-file = "/path/to/dhparam.pem"
# Environment flag for HTTPS enabled
setenv.add-environment = (
"HTTPS" => "on"
)
# intermediate configuration, tweak to your needs
# Please upgrade to 1.4.48 or else you cannot fully disable deprecated protocols
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ssl.honor-cipher-order = "disable"
# HTTP Strict Transport Security (63072000 seconds
setenv.add-response-header = (
"Strict-Transport-Security" => "max-age=63072000"
)
}
</pre>