[Solved] hardening lighttpd serving WPAD Raspberry PI Zero 2 W
Added by jonathanlee 4 months ago
Hello fellow Lighttpd community members can you please help?
I am running WPAD over lighttpd on a Raspberry Pi Zero. Is there any security hardening that can be done by changing permissions on the /var/www/html files, and/or adding users or groups? Or should one just leave it as default?
Thanks. It is very basic, as the HTTP server manages WPAD only. However, not many users out there use WPAD (proxy.pac, wpad.dat, wpad.da) files over lighttpd. I have asked in several places, however, no replies.
Thanks for all you do.
Side note I really do not understand why WPAD has never been updated to something like WPAD2.0 protocol because of the associated risks with it. It seems from a security perspective that big tech should update this older protocol.
Replies (9)
RE: WPAD Raspberry PI Zero 2 W - Added by gstrauss 4 months ago
Security hardening of any webserver starts with restricting permissions to only what is needed.
If you do not need the webserver to run as root, then you should run the webserver as a less-privileged user, e.g. I believe Raspberry Pi Zero runs lighttpd as user www-data by default, but you should check. The Debian-based Raspberry Pi sets up various permissions and locations for lighttpd to write access and error logs, jobs to clean up temp files, etc., so changing the user under which the webserver runs requires additional steps to get back the functionality. Prefer to use www-data.
If you do not need the webserver to be public-facing, make sure to configure the webserver and/or firewall so that the webserver can only serve requests from the local networks.
If you do not need the webserver to do anything besides access files read-only, then you might consider making the document root owned by a different user and read-only to the webserver user.
For lighttpd, if you are only serving read-only files, then you should restrict the size of HTTP requests to a low (non-zero) number (0 disables the limit). See server.max-request-size.
For resource-constrained servers like the Raspberry Pi Zero, you might tune the server to reduce the chance that malicious clients can deny service to others. However, if you're serving wpad, that should be on an internal network, not internet-facing, so you should configure lighttpd to listen only on your internal network IP, and not on a public-facing IP. You could also configure lighttpd and/or your firewall to only allow access to port 80 via the local network.
If you do not need access logs, then you might disable access logging in lighttpd to reduce resource usage.
If you are only serving static files, you might reduce connection timeouts since you expect lighttpd to serve files very quickly.
If you are only serving wpad, then you might reduce the number of keep-alive requests allowed per client before lighttpd closes the connection.
Besides running as non-root, and listening and serving clients only from local network (not internet), which are strongly recommended for security hardening, the rest is resource tuning for availability and performance. Still, even without extra tuning on a Raspberry Pi Zero, you should find that lighttpd can serve thousands of requests per second for a small, static wpad file (proxy.pac or wpad.dat)
See WikiStart and links to
Docs_ConfigurationOptions
Docs_ResourceTuning
Docs_Performance
Side note I really do not understand why WPAD has never been updated to something like WPAD2.0 protocol because of the associated risks with it. It seems from a security perspective that big tech should update this older protocol.
Look up "zero trust architecture" in a search engine.
If the clients already have pre-installed an SSL certificate for the proxy you assign, and only use https, then a malicious wpad won't be able to direct the client to send http requests through a rogue server without certificate failures.
Still, on new networks, if you have not already pre-configured (more secure), then many architectures follow TOFU (trust on first use) principles.
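The hardening points in the reply above, collected into one lighttpd.conf fragment. This is an added example and not code from the original post or from the lighttpd project's own default configuration; the interface addresses 192.168.1.6 and 2001:db8:a::1 are assumed placeholders for the Pi's internal-network addresses, and every directive is a standard lighttpd 1.4.x option.

```lighttpd
# Added example: a minimal, hardened lighttpd.conf for a WPAD-only server.
# Addresses below are assumptions; substitute the Pi's own internal-interface addresses.

# 1. Drop privileges: lighttpd binds port 80 as root, then switches to www-data
#    (the Debian default user, whose log directories and cleanup jobs already exist).
server.username  = "www-data"
server.groupname = "www-data"

# 2. Listen only on the internal interface, never on 0.0.0.0 / :: (the default).
server.bind = "192.168.1.6"
server.port = 80
$SERVER["socket"] == "[2001:db8:a::1]:80" { }

# 3. Read-only document root. Make it owned by root, not by www-data:
#      chown -R root:root /var/www/html && chmod -R a=rX /var/www/html
server.document-root = "/var/www/html"
dir-listing.activate = "disable"
index-file.names     = ( "wpad.dat" )

# 4. Serve the PAC files with the conventional MIME type; deny backup/include files.
mimetype.assign = ( ".dat" => "application/x-ns-proxy-autoconfig",
                    ".pac" => "application/x-ns-proxy-autoconfig" )
url.access-deny = ( "~", ".inc" )

# 5. Static files never need a request body: cap it at a small, non-zero size in kB
#    (0 would disable the limit entirely).
server.max-request-size = 4

# 6. Resource tuning for a Pi Zero: short idle timeouts, few keep-alive requests,
#    bounded concurrent connections, so one misbehaving client cannot starve others.
server.max-keep-alive-requests = 4
server.max-keep-alive-idle     = 5
server.max-read-idle           = 10
server.max-write-idle          = 10
server.max-connections         = 64

# 7. Error log only. mod_accesslog is deliberately not loaded, so no access log is
#    written; mod_indexfile, mod_dirlisting and mod_staticfile are loaded implicitly.
server.modules  = ( "mod_access" )
server.errorlog = "/var/log/lighttpd/error.log"
```

Validate the file with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` before restarting, then confirm with `ss -tlnp` that lighttpd appears only on the internal addresses, not on `0.0.0.0:80` or `:::80`. On Debian-based images the access log is normally enabled through a separate file under /etc/lighttpd/conf-enabled, which also needs to be disabled for point 7 to take effect.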
RE: [Solved] hardening lighttpd serving WPAD Raspberry PI Zero 2 W - Added by jonathanlee 4 months ago
Thank you for your reply
RE: [Solved] hardening lighttpd serving WPAD Raspberry PI Zero 2 W - Added by jonathanlee 4 months ago
$HTTP["remoteip"] != "192.168.1.0/27" { url.access-deny = ( "" ) }
Or more granular:
$HTTP["remoteip"] != "192.168.1.0/27" { $HTTP["url"] =~ "^/(?:wpad.dat?|proxy.pac)" { url.access-deny = ( "" ) } }
RE: [Solved] hardening lighttpd serving WPAD Raspberry PI Zero 2 W - Added by jonathanlee 2 months ago
Does anyone know how to adapt this for an IPv6 /64 subnet?
!= "192.168.1.0/27" || "ipv6 here/64"
I tried ( "ipv4/cider" || "ipv6/64" ); it would not start. I wonder if it needs [].
RE: [Solved] hardening lighttpd serving WPAD Raspberry PI Zero 2 W - Added by jonathanlee 2 months ago
I found the issues
bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP["remoteip"]
RE: [Solved] hardening lighttpd serving WPAD Raspberry PI Zero 2 W - Added by jonathanlee 2 months ago
I think this issue is still present. It made it so my server would not boot with the "or" statement for IPv6 addresses. Firefox wants to access the WPAD over IPv6 because the laptop is auto-assigned an address for some reason; turn it off and it works with Firefox for my WPAD. Also, my /var/log/lighttpd/error log reflects that if I add the IPv6 address to lighttpd.conf the server will not start.
RE: [Solved] hardening lighttpd serving WPAD Raspberry PI Zero 2 W - Added by gstrauss 2 months ago
I tried ( "ipv4/cider" || "ipv6/64" ) it would not start, I wonder if it needs []
I wonder if you read the lighttpd documentation.
Configuration: File Syntax
Not reading the documentation and fabricating invalid syntax is an excellent way to get ignored on this site.
RE: [Solved] hardening lighttpd serving WPAD Raspberry PI Zero 2 W - Added by jonathanlee 2 months ago
Thanks for the reply. I am a full computer science student.
I got it to work only this way:
$HTTP["remoteip"] != ["192.168.1.0/27"|"redacted:a::/64"] { url.access-deny = ( "" ) }
$HTTP["url"] =~ "^/wpad.dat" { $HTTP["remoteip"] == ["192.168.1.0/27"|"redacted:a::/64"] { } else { url.access-deny = ( "" ) } }
$HTTP["url"] =~ "^/proxy.pac" { $HTTP["remoteip"] == ["192.168.1.0/27"|"redacted:a::/64"] { } else { url.access-deny = ( "" ) } }
$HTTP["url"] =~ "^/wpad.da" { $HTTP["remoteip"] == ["192.168.1.0/27"|"redacted:a::/64"] { } else { url.access-deny = ( "" ) } }
This is the only way it would start for me
root@Zero:~# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.6:8085        0.0.0.0:*               LISTEN      582/sshd: /usr/sbin
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      10085/lighttpd
tcp6       0      0 :::80                   :::*                    LISTEN      10085/lighttpd
udp6       0      0 fe80::2a60:39f5:d44:546 :::*                                507/NetworkManager
root@Zero:~# systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; preset: enabled)
     Active: active (running) since Wed 2025-02-05 19:40:15 PST; 2min 33s ago
    Process: 10066 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
   Main PID: 10085 (lighttpd)
      Tasks: 1 (limit: 179)
        CPU: 2.267s
     CGroup: /system.slice/lighttpd.service
             └─10085 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Feb 05 19:40:14 Zero systemd[1]: Starting lighttpd.service - Lighttpd Daemon...
Feb 05 19:40:15 Zero systemd[1]: Started lighttpd.service - Lighttpd Daemon.
Thanks for showing me the link to the correct syntax:
<string> : '"' [text] '"'
I really missed reading that.
RE: [Solved] hardening lighttpd serving WPAD Raspberry PI Zero 2 W - Added by gstrauss 2 months ago
I suggest that anyone reading this topic ignore the computer science student who has posted untested and invalid syntax.
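The remote-address allow-list the thread was trying to build, written in the syntax lighttpd actually documents. This is an added example and not code from any post above: a lighttpd condition compares against a single string, so several networks are expressed by chaining `else` conditionals rather than by a list or an `||`/`|` operator. The prefixes 192.168.1.0/27 and 2001:db8:a::/64 are assumed placeholders. IPv6 addresses and CIDR masks in `$HTTP["remoteip"]` are accepted by current lighttpd 1.4.x releases; if lighttpd refuses to start on such a line, check the installed version against the 1.4.40 bug cited above before changing anything else.

```lighttpd
# Added example: serve wpad.dat / wpad.da / proxy.pac only to two internal networks.
# Network prefixes are assumptions; replace them with the site's own.

$HTTP["url"] =~ "^/(wpad\.dat?|proxy\.pac)$" {
    $HTTP["remoteip"] == "192.168.1.0/27" {
        # internal IPv4 clients: allowed, nothing to set
    }
    else $HTTP["remoteip"] == "2001:db8:a::/64" {
        # internal IPv6 clients: allowed, nothing to set
    }
    else {
        # any other source address gets 403 for the PAC files
        url.access-deny = ( "" )
    }
}
else {
    # this server exists only for WPAD: deny every other URL regardless of source
    url.access-deny = ( "" )
}
```

The regular expression escapes the dots and anchors at the end of the path, so `/wpad.dat`, `/wpad.da` and `/proxy.pac` match but `/wpad.dat.bak` or `/proxy.pack` do not. `url.access-deny = ( "" )` is the documented idiom for denying every path within a conditional. The outer `else` can be dropped if the same lighttpd also serves other content, in which case the address checks apply only to the PAC files. Validate with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` before restarting.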