
[UE] Help me complete this lighttpd.conf file generated by moz://a SSL Configuration Generator

Added by walterbyrd over 3 years ago

I am finding it difficult to add an SSL cert to lighttpd. I found a site where mozilla would generate a lighttpd.conf file to be used with my SSL cert. Here is the site:

https://ssl-config.mozilla.org/#server=lighttpd

I have the entire file below. It seems unusually short, to me.

This line is giving me the most trouble:

$SERVER["socket"] == ":80" {
    url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}

I suppose I'm supposed to substitute values here. I guess I understand ${url.path} part. But shouldn't the redirect looks something like: https://www.mydomain.com ? I guess I could find the ${url.authority} but what is ${qsa} ?

Also, I was able to generate this ssl.dh-file. But I don't know what it is.

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path to/dhparam
ssl.dh-file               = "/etc/lighttpd/ssl/mydomain.com/dhparam" 

Here is the entire lighttpd.conf that mozilla generated:


# generated 2020-12-23, Mozilla Guideline v5.6, lighttpd 1.4.55, OpenSSL 1.1.1d, intermediate configuration
# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.55&config=intermediate&openssl=1.1.1d&guideline=5.6
# https://redmine.lighttpd.net/projects/lighttpd/boards/2

$SERVER["socket"] == ":80" {
    url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}

$SERVER["socket"] == ":443" {
    ssl.engine   = "enable" 

    # pemfile is cert+privkey, ca-file is the intermediate chain in one file
    ssl.pemfile               = "/etc/lighttpd/ssl/cyctera.com/mydomain_com.pem" 
    ssl.ca-file               = "/etc/lighttpd/ssl/mydomain.com/intermediate.crt" 

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path to/dhparam
    ssl.dh-file               = "/etc/lighttpd/ssl/mydomain.com/dhparam" 

    # intermediate configuration
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
    ssl.cipher-list           = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" 
    ssl.honor-cipher-order    = "disable" 

    # HTTP Strict Transport Security (63072000 seconds)
    setenv.add-response-header  = (
        "Strict-Transport-Security" => "max-age=63072000" )
}

Replies (7)

RE: Help me complete this lighttpd.conf file generated by moz://a SSL Configuration Generator - Added by maxentry over 3 years ago

Assuming you have set your port as:

server.port = 80

Then this should work if you have all the files where you have pointed them to be (including the dhparam file that you generated).
PS: You do not need to touch the port 80 / non-HTTPS redirect to

$HTTP["scheme"] == "http" {
   url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}

$SERVER["socket"] == ":443" {
    ssl.engine   = "enable" 

    ssl.pemfile               = "/etc/lighttpd/ssl/cyctera.com/mydomain_com.pem" 
    ssl.ca-file               = "/etc/lighttpd/ssl/mydomain.com/intermediate.crt" 

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path to/dhparam
    ssl.dh-file               = "/etc/lighttpd/ssl/mydomain.com/dhparam" 

    # intermediate configuration
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
    ssl.cipher-list           = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" 
    ssl.honor-cipher-order    = "disable" 

    # HTTP Strict Transport Security (63072000 seconds)
    setenv.add-response-header  = (
        "Strict-Transport-Security" => "max-age=63072000" )
}

I'd personally suggest you start off with a minimal set of settings like:

$HTTP["scheme"] == "http" {
   url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}

$SERVER["socket"] == ":443" {
    ssl.engine   = "enable" 
    ssl.pemfile               = "/etc/lighttpd/ssl/cyctera.com/mydomain_com.pem" 
    ssl.ca-file               = "/etc/lighttpd/ssl/mydomain.com/intermediate.crt" 
    setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=63072000" )
}

Also check the error log to see if there are any errors logged if lighty fails to start (or fails to serve pages)

RE: Help me complete this lighttpd.conf file generated by moz://a SSL Configuration Generator - Added by walterbyrd over 3 years ago

I have checked the error logs and they tell me nothing useful, i.e. "system exited with an error code."

Aside from the lighttpd.conf file, are there other files that need to be edited?

For example, in one set of instructions that I have found
the /etc/lighttpd/conf-available/10-ssl.conf file was supposed to be modified like:

# /usr/share/doc/lighttpd/ssl.txt

server.modules += ( "mod_openssl" )

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable" 
        ssl.pemfile = "/etc/lighttpd/ssl/mydomain.com/mydomain_com.pem" 
        ssl.ca-file = "/etc/lighttpd/ssl/mydomain.com/intermediate.crt" 
        ssl.dh-file = "/etc/lighttpd/ssl/mydomain.com/dhparam.pem" 
        ssl.use-sslv2 = "disable" 
        ssl.use-sslv3 = "disable" 
        ssl.honor-cipher-order = "enable" 
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" 
}

RE: Help me complete this lighttpd.conf file generated by moz://a SSL Configuration Generator - Added by maxentry over 3 years ago

Right, for now, it is best you include your FULL lighttpd.conf file.
Also what version of lighty are you running (see board sticky) and on what OS?

RE: Help me complete this lighttpd.conf file generated by moz://a SSL Configuration Generator - Added by walterbyrd over 3 years ago

I tried the short file you recommended. I just got the usual: Job for lighttpd.service failed because the control process exited with error code. The error messages, and log files, don't tell me anything useful.

# journalctl -xe
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit lighttpd.service has finished with a failure.
-- 
-- The job identifier is 1756 and the job result is failed.
# systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2020-12-28 15:01:46 MST; 11s ago
    Process: 1245 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, statu>

Dec 28 15:01:46 www systemd[1]: lighttpd.service: Control process exited, code=exited, status=255/EXCEPT>
Dec 28 15:01:46 www systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Dec 28 15:01:46 www systemd[1]: Failed to start Lighttpd Daemon.
Dec 28 15:01:46 www systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
Dec 28 15:01:46 www systemd[1]: Stopped Lighttpd Daemon.
Dec 28 15:01:46 www systemd[1]: lighttpd.service: Start request repeated too quickly.
Dec 28 15:01:46 www systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Dec 28 15:01:46 www systemd[1]: Failed to start Lighttpd Daemon.

RE: Help me complete this lighttpd.conf file generated by moz://a SSL Configuration Generator - Added by maxentry over 3 years ago

Post output of:
1. #/usr/sbin/lighttpd -v
2. #cat /etc/lighttpd/lighttpd.conf

PS: the snippet conf I provided was just that, a snippet!

RE: Help me complete this lighttpd.conf file generated by moz://a SSL Configuration Generator - Added by walterbyrd over 3 years ago

Thank you for the reply. I am getting the same thing.

# lighttpd -v
lighttpd/1.4.55 (ssl) - a light and fast webserver

# cat /etc/lighttpd/lighttpd.conf

$HTTP["scheme"] == "http" {
   url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}

$SERVER["socket"] == ":443" {
    ssl.engine   = "enable" 
    ssl.pemfile               = "/etc/lighttpd/ssl/mydomain.com/mydomain_com.pem" 
    ssl.ca-file               = "/etc/lighttpd/ssl/mydomain.com/intermediate.crt" 

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path to/dhparam
    ssl.dh-file               = "/etc/lighttpd/ssl/mydomain.com/dhparam.pem" 

    # intermediate configuration
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
    ssl.cipher-list           = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" 
    ssl.honor-cipher-order    = "disable" 

    # HTTP Strict Transport Security (63072000 seconds)
    setenv.add-response-header  = (
        "Strict-Transport-Security" => "max-age=630c72000" )
}
# cat /etc/lighttpd/conf-available/10-ssl.conf

# /usr/share/doc/lighttpd/ssl.txt

server.modules += ( "mod_openssl" )

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable" 
        ssl.pemfile = "/etc/lighttpd/ssl/mydomain.com/mydomain_com.pem" 
        ssl.ca-file = "/etc/lighttpd/ssl/mydomain.com/intermediate.crt" 
        ssl.dh-file = "/etc/lighttpd/ssl/mydomain.com/dhparam.pem" 
#       ssl.use-sslv2 = "disable" 
#       ssl.use-sslv3 = "disable" 
#       ssl.honor-cipher-order = "enable" 
#       ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" 
        ssl.cipher-list = "HIGH" 
}
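A static check for the two defects visible in the lighttpd.conf posted above (ssl.* settings with no mod_openssl loaded anywhere in that file, and a non-numeric HSTS max-age), as an added example that is not lighttpd's own tooling and not part of the thread. The real syntax check is `lighttpd -tt -f /etc/lighttpd/lighttpd.conf`; this only parses the subset of the config syntax used on this page (key = value, key += (...), multi-line (...) values, # comments, and $SERVER[...]/$HTTP[...] == "..." { } blocks). The sample configs are constructed from the posts in this thread.

```python
"""Lint a lighttpd.conf for pitfalls seen in this thread.  Added example,
not lighttpd tooling; understands only the config subset used on the page.
Sample configs are constructed from the posted files."""
import re

COND_RE = re.compile(
    r'^\$(SERVER|HTTP)\["([^"]+)"\]\s*(==|!=|=~|!~)\s*"([^"]*)"\s*\{$')
ASSIGN_RE = re.compile(r'^([A-Za-z0-9_.\-]+)\s*(\+?=)\s*(.*)$')


def strip_comment(line):
    """Drop a trailing # comment, ignoring # inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == '#' and not quoted:
            break
        out.append(ch)
    return ''.join(out).strip()


def parse(text):
    """Return [(scope, key, op, value)]; scope is the tuple of enclosing
    conditions, e.g. ('$SERVER["socket"] == ":443"',)."""
    entries, stack, pending = [], [], None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        if pending is not None:                  # continuation of a (...) value
            pending[2] += ' ' + line
            if pending[2].count('(') <= pending[2].count(')'):
                entries.append((tuple(stack), pending[0], pending[1], pending[2]))
                pending = None
            continue
        m = COND_RE.match(line)
        if m:
            stack.append('$%s["%s"] %s "%s"' % m.groups())
            continue
        if line == '}':
            if stack:
                stack.pop()
            continue
        m = ASSIGN_RE.match(line)
        if m:
            key, op, value = m.groups()
            if value.count('(') > value.count(')'):
                pending = [key, op, value]
            else:
                entries.append((tuple(stack), key, op, value))
    return entries


def lint(text):
    """Return a list of findings (empty when the config passes these checks)."""
    findings = []
    entries = parse(text)
    modules = ' '.join(v for _, k, _, v in entries if k == 'server.modules')
    tls_scopes = {s for s, k, _, v in entries
                  if k == 'ssl.engine' and v == '"enable"'}
    # Since lighttpd 1.4.46 TLS lives in mod_openssl; without loading it the
    # ssl.* settings in this file have nothing to act on.
    if tls_scopes and '"mod_openssl"' not in modules:
        findings.append('ssl.engine is enabled but server.modules in this file '
                        'does not load "mod_openssl"')
    for scope, key, _, value in entries:
        if key != 'setenv.add-response-header' or \
                'Strict-Transport-Security' not in value:
            continue
        m = re.search(r'max-age=([^";\s]*)', value)
        age = m.group(1) if m else ''
        # RFC 6797: max-age is delta-seconds, i.e. decimal digits only.
        if not age.isdigit():
            findings.append('Strict-Transport-Security max-age %r is not an '
                            'integer number of seconds' % age)
        # RFC 6797 section 8.1: a UA ignores HSTS received over plain HTTP,
        # so the header belongs inside the block where ssl.engine is enabled.
        if scope not in tls_scopes:
            findings.append('Strict-Transport-Security set in scope %r, outside '
                            'any block where ssl.engine is enabled' % (scope,))
    return findings


# Constructed from the lighttpd.conf posted above (comments trimmed).
POSTED_CONF = '''\
$HTTP["scheme"] == "http" {
   url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}

$SERVER["socket"] == ":443" {
    ssl.engine   = "enable"
    ssl.pemfile               = "/etc/lighttpd/ssl/mydomain.com/mydomain_com.pem"
    ssl.ca-file               = "/etc/lighttpd/ssl/mydomain.com/intermediate.crt"
    ssl.dh-file               = "/etc/lighttpd/ssl/mydomain.com/dhparam.pem"
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
    ssl.honor-cipher-order    = "disable"
    setenv.add-response-header  = (
        "Strict-Transport-Security" => "max-age=630c72000" )
}
'''
# Same file with the module loaded and the max-age typo corrected.
FIXED_CONF = 'server.modules += ( "mod_openssl" )\n' + \
    POSTED_CONF.replace('630c72000', '63072000')
# HSTS in the global scope, so it would also be sent over port 80.
GLOBAL_HSTS_CONF = FIXED_CONF.replace(
    '    setenv.add-response-header  = (\n'
    '        "Strict-Transport-Security" => "max-age=63072000" )\n', '') + \
    'setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000" )\n'

if __name__ == '__main__':
    for name, conf in (('posted', POSTED_CONF), ('fixed', FIXED_CONF),
                       ('global-hsts', GLOBAL_HSTS_CONF)):
        print(name, lint(conf) or 'OK')
```

Run it against a copy of the real file, or paste the output of `cat /etc/lighttpd/lighttpd.conf` into POSTED_CONF; a clean result here says nothing about the certificate files themselves, which `lighttpd -tt` and the error log still have to confirm.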

RE: Help me complete this lighttpd.conf file generated by moz://a SSL Configuration Generator - Added by gstrauss about 3 years ago

@walterbyrd

Similar to https://redmine.lighttpd.net/boards/2/topics/9558, you are posting on this site, so you should read the documentation on this site, which has the authoritative documentation for lighttpd.
lighttpd TLS docs
mod_redirect
