lighttpd
Location: /etc/lighttpd/lighttpd.conf on Ubuntu
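server.modules = (
  "mod_access",
  "mod_alias",
  "mod_compress",
  "mod_redirect",
  "mod_accesslog",
#  "mod_rewrite",
)

# Document root is the tpc (Textpresso Central) CGI directory.
server.document-root = "/usr/lib/cgi-bin/tc/"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
# Account lighttpd runs as after start-up.
server.username = "www-data"
server.groupname = "www-data"
#server.port = 80

index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
# Never serve editor backup files ("~") or include fragments (".inc").
url.access-deny = ( "~", ".inc" )
# Script sources must go through a handler, never be delivered as static files.
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
## Use ipv6 if available
#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

server.breakagelog = "/var/log/lighttpd/breakage.log"
accesslog.filename = "/var/log/lighttpd/access.log"

# tpc FastCGI backend: requests under /tpc are handed to the tpc binary.
server.modules += ( "mod_fastcgi" )
fastcgi.server += ( "/tpc" =>
  ( "tpc" =>
    ( "socket" => "/usr/wt/socket",
      "bin-path" => "/usr/lib/cgi-bin/tc/tpc",
      "max-procs" => 100,
      "idle-timeout" => 60,
      "check-local" => "enable",
      # Placeholder environment entry; set the variables tpc actually needs,
      # or drop this key, before deploying.
      "bin-environment" => ("FOO" => "bar")
    )
  )
)

# Redirect the site root to the tpc application.
url.redirect = ("^/$" => "/tpc" )

# Raise the open-file limit; required by Lucene.
server.max-fds = 4096
server.max-keep-alive-idle = 100
server.max-read-idle = 100
server.max-write-idle = 360

# HTTPS listener. combined.pem is the private key followed by the certificate
# (built in the steps below); chain.pem is the intermediate chain.
# NOTE(review): newer lighttpd releases need "mod_openssl" in server.modules for
# ssl.engine — confirm against the installed version.
$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.ca-file = "/etc/letsencrypt/live/textpressocentral.org/chain.pem"
  ssl.pemfile = "/etc/letsencrypt/live/textpressocentral.org/combined.pem"
  # No ssl.cipher-list is set, so the server-side ordering applies to
  # lighttpd's default cipher selection — review whether an explicit list is wanted.
  ssl.honor-cipher-order = "enable"
}

# Plain-HTTP listener: send everything to HTTPS, except the ACME challenge
# path, which has to stay reachable over plain HTTP so the first certificate
# can be issued before an HTTPS endpoint exists.
# This block must be a sibling of the ":443" block, not nested inside it:
# nested conditionals are ANDed, one connection cannot be on both ports, and
# the redirect would never fire. (The ":443" block was also left unclosed.)
$SERVER["socket"] == ":80" {
  $HTTP["url"] !~ "^/\.well-known/" {
    url.redirect = (
      "^/(.*)" => "https://www.textpressocentral.org/$1"
    )
  }
}

# Let's Encrypt HTTP-01 validation: serve the certbot webroot at /.well-known/.
$HTTP["url"] =~ "^/\.well-known/" {
  server.document-root = "/var/certbot/public_html/.well-known/"
  alias.url = ( "/.well-known/" => "/var/certbot/public_html/.well-known/" )
  dir-listing.activate = "enable"
}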
Information taken from this page: https://www.mikeshultz.com/setting-up-lets-encrypt-with-lighttpd-and-certbot.html
To generate the certificate, you need to set the configuration for letsencrypt validation in lighttpd.conf (as described in the sample file above) and restart the server. Then, you need to create a new webroot for letsencrypt and restart lighttpd:
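# Create the certbot webroot used for HTTP-01 validation and hand it to the
# account lighttpd runs as, so the challenge files can be served.
sudo mkdir -p /var/certbot/public_html/.well-known
# The command is "chown" (the page originally read "chwon", which does not exist).
sudo chown www-data /var/certbot/public_html/.well-known
# setgid on the directory: files created inside inherit its group.
sudo chmod g+s /var/certbot/public_html/.well-known
sudo service lighttpd restart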
Then, run certbot:
sudo certbot certonly --webroot -w /var/certbot/public_html -d textpressocentral.org -d www.textpressocentral.org
Concatenate the private key and certificate into the single PEM file that lighttpd's ssl.pemfile expects:
cat /etc/letsencrypt/live/example.com/privkey.pem etc/letsencrypt/live/example.com/cert.pem > /etc/letsencrypt/live/example.com/combined.pem
Give lighttpd's group (www-data) permission to traverse the certificate directories:
# Let the www-data group traverse (execute bit, not read/list) the two
# directories on the path to the certificate files named in lighttpd.conf.
chown :www-data /etc/letsencrypt /etc/letsencrypt/live
chmod g+x /etc/letsencrypt /etc/letsencrypt/live
Finally, restart lighttpd.
Install the following crontab entry for monthly renewal:
0 0 1 * * certbot renew; cat /etc/letsencrypt/live/textpressocentral.org/privkey.pem /etc/letsencrypt/live/textpressocentral.org/cert.pem > /etc/letsencrypt/live/textpressocentral.org/combined.pem