Lighttpd

From Segfault

Installation

lighttpd

sudo apt-get install libtool automake zlib1g-dev libev-dev pkg-config \
                     libpcre2-dev libssl-dev libgnutls28-dev

Checkout the source:

git clone https://git.lighttpd.net/lighttpd/lighttpd1.4.git lighttpd1.4-git
cd lighttpd1.4-git

./autogen.sh
./configure --prefix=/opt/lighttpd --with-openssl --with-gnutls --with-zlib --with-libev
make
sudo make install

Note: It's really important to install pkg-config, otherwise autoconf will fail.[1]

spawn-fcgi

spawn-fcgi runs our FastCGI scripts:

git clone https://git.lighttpd.net/lighttpd/spawn-fcgi.git spawn-fcgi-git
cd spawn-fcgi-git

./autogen.sh && ./configure --prefix=/opt/spawn-fcgi && make
sudo make install

Configuration

A very basic configuration, split into lighttpd.conf, local.conf, tls.conf and vhosts.conf:

lighttpd.conf

A very basic lighttpd.conf:

server.modules = (
       "mod_access",
       "mod_accesslog",
       "mod_alias",
       "mod_redirect",
       "mod_rewrite",
#      "mod_status",
       "mod_fastcgi",          # required by the fastcgi.server block below
       "mod_setenv",
)

server.errorlog         = "/var/log/lighttpd/error.log"
accesslog.filename      = "/var/log/lighttpd/access.log"

# server.bind           = "0.0.0.0"                            # Not needed just yet
server.port             = 80
server.pid-file         = "/var/run/lighttpd.pid"
server.username         = "lighttpd"
server.groupname        = "lighttpd"

dir-listing.activate           = "enable"
index-file.names               = ( "index.php", "index.html" )
url.access-deny                = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

# PHP-FPM
fastcgi.server = (
    ".php" => (
      "localhost" => ( 
        "socket" => "/var/run/php5-fpm.sock",
        "broken-scriptfilename" => "enable"
      ))
)

# CGI scripts
# cgi.assign = (
#   ".pl"  => "/usr/bin/perl",
#   ".cgi" => "/usr/bin/perl"
# )

include_shell      "/usr/share/lighttpd/create-mime.conf.pl"
include            "/etc/lighttpd/local.conf"

local.conf

# HTTP
$SERVER["socket"] == ":80" { }
$SERVER["socket"] == "[::]:80" { }

# HTTPS
$SERVER["socket"] == ":443" {
        include         "tls.conf"
        include         "vhosts.conf"
}

$SERVER["socket"] == "[::]:443" {
        include         "tls.conf"
        include         "vhosts.conf"
}

# HTTP redirect
$HTTP["scheme"] == "http" {
        url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
        url.redirect-code = 308
}

# HSTS
$HTTP["scheme"] == "https" {
        setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}
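To confirm that the redirect and HSTS rules in local.conf behave as intended, here is an added check (not part of the wiki page): it inspects response heads in the shape that curl -sI prints, expecting a 308 to the same authority, path and query string on https and a one-year includeSubDomains HSTS header. The two response heads below are constructed samples; example.net is the placeholder host used on this page.

```python
import re
from urllib.parse import urlsplit

HSTS_MIN_AGE = 31536000  # one year, the max-age set in local.conf

def parse_head(raw):
    """Split a raw response head (what `curl -sI` prints) into (status, headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_http(raw, requested_url):
    """The plain-HTTP side must answer 308 and point at the same authority,
    path and query string on https (the ${url.authority}${url.path}${qsa} rule)."""
    status, headers = parse_head(raw)
    findings = []
    if status != 308:
        findings.append(f"expected 308, got {status}")
    want = urlsplit(requested_url)._replace(scheme="https").geturl()
    if headers.get("location") != want:
        findings.append(f"Location {headers.get('location')!r} != {want!r}")
    return findings

def check_https(raw):
    """The HTTPS side must send HSTS with a one-year max-age and includeSubDomains."""
    _, headers = parse_head(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    findings = []
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"max-age below {HSTS_MIN_AGE}: {hsts!r}")
    if "includesubdomains" not in hsts.lower():
        findings.append("includeSubDomains missing")
    return findings

# Constructed sample response heads, shaped like the output of `curl -sI`.
HTTP_HEAD = "HTTP/1.1 308 Permanent Redirect\r\nLocation: https://example.net/bits/?a=1\r\nContent-Length: 0\r\n"
HTTPS_HEAD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nContent-Type: text/html\r\n"
BAD_HTTP_HEAD = "HTTP/1.1 302 Found\r\nLocation: https://example.net/bits/\r\n"  # temporary redirect, query string dropped

if __name__ == "__main__":
    print(check_http(HTTP_HEAD, "http://example.net/bits/?a=1"))     # []
    print(check_https(HTTPS_HEAD))                                    # []
    print(check_http(BAD_HTTP_HEAD, "http://example.net/bits/?a=1"))  # two findings
```

Against a live server, feed it the output of curl -sI for the http:// and https:// URL of a page with a query string, since a redirect that drops ${qsa} or uses a temporary code is what this check is designed to catch.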

tls.conf

A basic TLS configuration;[2] many of the older SSL options are no longer necessary:

ssl.engine      = "enable"
ssl.pemfile     = "/etc/ssl/private/example.net.pem"            # ??
ssl.openssl.ssl-conf-cmd  = ("MinProtocol" => "TLSv1.3")
ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")

vhosts.conf

Multiple virtual hosts with TLS certificates:[3]

$HTTP["host"] =~ "^example\.net$" {    # anchored: an unanchored "example.net" would also match sub.example.net below
        server.name             = "example.net"
        server.document-root    = "/var/www/example.net/"
        ssl.pemfile             = "/etc/ssl/private/example.net.pem"
        accesslog.filename      = "/var/www/logs/access_example.net.log"
        alias.url               = ( "/bits" => "/var/www/example.net/foo" )
        $HTTP["url"] =~ "^/foo/" {
                dir-listing.activate = "enable"
        }
}

$HTTP["host"] == "sub.example.net" {
        server.name             = "sub.example.net"
        server.document-root    = "/var/www/sub.example.net/"
        ssl.pemfile             = "/etc/ssl/private/sub.example.net.pem"
        accesslog.filename      = "/var/www/logs/access_sub.example.net.log"
}

With all that, lighttpd should listen on all necessary interfaces:

$ ss -lnt4p | grep -e :80 -e :443 && ss -lnt6p | grep -e :80 -e :443
LISTEN 0      0            0.0.0.0:80        0.0.0.0:*    users:(("lighttpd",pid=2811,fd=4))
LISTEN 0      0            0.0.0.0:443       0.0.0.0:*    users:(("lighttpd",pid=2811,fd=6))

LISTEN 0      0                  *:80              *:*    users:(("lighttpd",pid=2811,fd=5))
LISTEN 0      0                  *:443             *:*    users:(("lighttpd",pid=2811,fd=7))

Tuning

Some advanced configuration directives:

  • server.max-fds is set to 1024 by default on most platforms. Increasing this value might help on busy servers. If SELinux is enabled, use "setsebool -P httpd_setrlimit on" to allow increasing ulimits.

Example:

server.max-fds          = 1024
server.max-connections  =  512
server.event-handler    = "linux-sysepoll"
server.network-backend  = "linux-sendfile"

References