Lighttpd

Historically, mod_openssl was the only TLS option in lighttpd. Since lighttpd 1.4.56, multiple TLS options are available, including mod_gnutls. The warning message you posted above is telling you that you did not specify a TLS module in server.modules in your lighttpd.conf, but that your lighttpd.conf (or includes) contains ssl.* directives.

Many people will receiving that message will understand "add mod_openssl" better than "add a TLS module".

Also, the message is telling you that lighttpd loaded mod_openssl, but that a future version of lighttpd might not automatically load mod_openssl.

I hit ctrl+enter by accident and it submitted my text. I can't figure out how to go back and edit that post. I wasn't finshed typing... sorry

Anyways. I received the warning about using ssl.* directives in my config file even though I have not included mod_openssl. I DID however include mod_gnutls. It is my understanding from reading the documentation that mod_gnutls implements the same ssl directives as mod_openssl. It would seem that all the ssl modules are interchangeable apart from having limited support for the ssl-conf-cmd directive. Is that not the case?

This looks like a false warning to me but I just wanted to ask in case it wasn't. If necessary, I can switch to using mod_openssl instead of gnutls. The only reason I picked gnutls in the first place was because I thought the documentation was a bit better.

I will paste my config file in the next message. Thank you.

# lighttpd.conf

# {{{ variables
var.basedir  = "/var/www/empty" 
var.statedir = "/var/lib/lighttpd" 
# }}}

# {{{ modules
# At the very least, mod_access and mod_accesslog should be enabled.
# All other modules should only be loaded if necessary.
# NOTE: the order of modules is important.
server.modules = (
#    "mod_rewrite",
    "mod_redirect",
    "mod_alias",
    "mod_access",
#    "mod_magnet",
    "mod_auth",
#    "mod_status",
#    "mod_setenv",
    "mod_proxy",
#    "mod_simple_vhost",
#    "mod_evhost",
#    "mod_userdir",
#    "mod_deflate",
#    "mod_ssi",
#    "mod_usertrack",
#    "mod_expire",
#    "mod_secdownload",
#    "mod_rrdtool",
#    "mod_webdav",
    "mod_accesslog" 
    "mod_gnutls" 
)
# }}}

# {{{ includes
include "include/mime-types.conf" 
# fcgi and cgi are included below
# }}}

# {{{ server settings
server.username      = "lighttpd" 
server.groupname     = "lighttpd" 

server.pid-file      = "/run/lighttpd/lighttpd.pid" 

server.document-root = var.basedir

# use syslog
accesslog.use-syslog = "enable" 
server.errorlog-use-syslog = "enable" 

# Enable debug logging
debug.log-request-handling = "enable" 

# event handler (defaults to "poll")
# see performance.txt
# for >= linux-2.6
server.event-handler = "linux-sysepoll" 

# Enable IPv6 because why not
server.use-ipv6 = "enable" 

# redirect all http requests to https
$HTTP["scheme"] == "http" {
    url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
    url.redirect-code = 308
}

# Enable gnutls 
$SERVER["socket"] == ":443" {
    ssl.engine = "enable" 
    ssl.pemfile = ".pem" 
    ssl.privkey = ".pem" 

}

Anyways. I received the warning about using ssl.* directives in my config file even though I have not included mod_openssl. I DID however include mod_gnutls. It is my understanding from reading the documentation that mod_gnutls implements the same ssl directives as mod_openssl. It would seem that all the ssl modules are interchangeable apart from having limited support for the ssl-conf-cmd directive. Is that not the case?

Your understanding is correct.

It looks like you are missing a comma after "mod_accesslog". Did you not get a warning from lighttpd when you tested the config?

#    "mod_webdav",
    "mod_accesslog" 
    "mod_gnutls" 
)

Test your config: lighttpd -f /etc/lighttpd/lighttpd.conf -tt

You ought to use full, absolute paths to those files.

    ssl.pemfile = ".pem" 
    ssl.privkey = ".pem" 

Also, best practices are to omit config directives that are identical to lighttpd defaults.

# event handler (defaults to "poll")
# see performance.txt
# for >= linux-2.6
server.event-handler = "linux-sysepoll" 

# Enable IPv6 because why not
server.use-ipv6 = "enable" 

I'll see if I can get the config parser to warn about the missing ',' in your server.modules list, as that is your issue. The warning about mod_openssl is not issued when the list is properly formated and includes mod_gnutls.

Thank you for the rapid feedback!

I did not realize the comma was missing. The only warning I received was about mod_openssl and the pem files which I had not yet installed. I just installed my certificates and added the comma. My config file is now validating successfully.

Also I will see if the default config file distributed with the Gentoo package ought to be updated.

Ugh! Looks like there is a bug in the upstream LEMON parser which showed up in lighttpd 1.4.69 when I updated the ancient version in lighttpd to the maintained version from SQLite. (lighttpd source code commit f9d60e3e)

I've added a patch for the next version of lighttpd which will detect this and error. Strings may be concatenated with '+', or should be separated by ',' or '=>' in lists in the lighttpd config.