Lighty / Lighttpd Config Options

Giving Lighty another try. Was wondering a bit how specific I should be in the SSL settings.

Currently running using:

ssl.engine = "enable"
ssl.pemfile = "/full/path/to/combined.pem"
ssl.ca-file = "/full/path/to/chain.pem"
ssl.cipher-list = "HIGH"

Or should I add more specific stuff like in this article (about FreeBSD lighttpd setup)?

Put differently, should I bother setting stuff like ssl.cipher-list, ssl.dh-file or ssl.ec-curve?

Setting setenv.add-response-header returned an error IIRC.

What OS are you running?

https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL

On Debian 10. Saw that Simple SSL article, yes (just after I managed to get dehydrated to create the combined PEM file and restart lighttpd). :laughing:

:slight_smile:

# cp ssl.crt /etc/lighttpd/ssl/yourdomain.com
# cat yourdomain.key ssl.crt > yourdomain.pem
# chmod 0600 yourdomain.pem
# chown lighttpd:lighttpd /etc/lighttpd/ssl/yourdomain.com -R

lighttpd.conf should be something like

$SERVER["socket"] == "yourdomain.com:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/yourdomain.com/yourdomain.pem"
    ssl.ca-file = "/etc/lighttpd/yourdomain.com/intermediate.crt"
    server.name = "yourdomain.com"
    server.document-root = "/home/lighttpd/yourdomain.com/https"
    server.errorlog = "/var/log/lighttpd/yourdomain.com/serror.log"
    accesslog.filename = "/var/log/lighttpd/yourdomain.com/saccess.log"
}
where
ssl.engine = "enable" : Enable lighttpd SSL support
ssl.pemfile = "/etc/lighttpd/yourdomain.com/yourdomain.pem"
ssl.ca-file = "/etc/lighttpd/yourdomain.com/intermediate.crt"

These will not work (at least not on newer versions). Need separate instances if you want separate error logs, and I believe I got a syntax error on accesslog.filename.

Owner of log dir? Lighty running as which user?

DEPRECATED: don't set server options in conditionals, variable: server.errorlog

According to devs never was supported.
Logging works fine, just not per virtualhost, as one might think from googling (or duckduckgo’ing).

For access log load module (lighty-enable-mod in Debian).

ah, yes…

the mods :slight_smile:

As soon as it runs, it keeps running, no exceptions ever, kind of like a Swiss clockwork.

You asked about Hiawatha a while ago, well, that’s the opposite, it just frequently hangs.

Lighty and PHP work wonderfully together, nginx may have higher throughput, but also more exceptions under high load. Lighty has lower latency than nginx and way less than Apache.

This is why Wikipedia and YouTube use Lighty (with a forged Apache header, security by obscurity). Wikipedia runs heavily on PHP and shaves off some loading time with lighty’s lower latency, and YouTube just needs lower latency to keep people from zapping too soon / often.

Piratebay, from the very beginning till this day runs on Lighty too.

Ouch, that (hangs) are no good. So far (3 days) Lighty’s been running very smoothly, and it uses fewer resources than OpenLiteSpeed, and it feels more responsive (haven’t benchmarked, though).
Documentation might not be too impressive (dead/outdated links etc.), but it’s not that complicated either. :slight_smile:

In my testing, it seems I have to specify port 443 sockets separately for IPv4 and IPv6(?). (And duplicate the SSL config line.) :thinking:

Correct.

I used to reference this often, wonder if it’s still good info: https://cipherli.st

3 Likes

Very useful, thank you.

Since I don’t like repeating, I could just make a file that I include twice … Like the advanced SSL stuff … :innocent:

Looks like it says to disable SSLv3? And I thought version 3 was good … :laughing: (I don’t really know too much about this) :innocent:

TLS 1.2 / 1.3 are good these days.

SSL 3 is not secure, to say the least.

https://disablessl3.com

Nice exploit name, POODLE … :poop:

2 Likes
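
The points from the posts above (separate IPv4 and IPv6 sockets, one shared include, no SSLv3, TLS 1.2 or newer), put together as an added example that is not from any poster in this thread or from the lighttpd project. It assumes lighttpd 1.4.48 or later on OpenSSL 1.1.0 or later (Debian 10 qualifies); the file name tls-common.conf is hypothetical, and the certificate paths are the placeholders from the first post.

```lighttpd
# --- /etc/lighttpd/tls-common.conf (hypothetical file name) ---
# Shared TLS settings, included once per listening socket.
ssl.engine  = "enable"
ssl.pemfile = "/full/path/to/combined.pem"   # private key + certificate, mode 0600
ssl.ca-file = "/full/path/to/chain.pem"      # intermediate chain

# Refuse SSLv2/SSLv3 (SSLv3 is the protocol POODLE attacks), then set the
# protocol floor to TLS 1.2. MinProtocol is passed through to OpenSSL and
# needs lighttpd >= 1.4.48 with OpenSSL >= 1.1.0 (assumption stated above).
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")

# "HIGH" is a broad OpenSSL class that also matches suites without forward
# secrecy (static RSA key exchange) and CBC-mode suites. This list keeps only
# ECDHE key exchange with AEAD ciphers for TLS 1.2. TLS 1.3 suites are
# configured separately by OpenSSL and are not affected by this string.
ssl.cipher-list        = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"
ssl.honor-cipher-order = "enable"

# --- /etc/lighttpd/lighttpd.conf ---
# IPv4 and IPv6 listeners are separate sockets, so each one needs its own
# block; the include keeps the TLS policy in a single place.
$SERVER["socket"] == "0.0.0.0:443" {
    include "/etc/lighttpd/tls-common.conf"
}
$SERVER["socket"] == "[::]:443" {
    include "/etc/lighttpd/tls-common.conf"
}

# Keep server.errorlog at the top level, outside any conditional: setting it
# inside a $SERVER[...] block is what triggers the DEPRECATED warning quoted
# earlier in the thread.
server.errorlog = "/var/log/lighttpd/error.log"
```

Running `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` checks the syntax before a restart.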

Dive into this subject and you’ll be amazed how much performance you can tweak out of mighty Lighty.

Simply put, if you specify PHP_FCGI_CHILDREN=0 in your config (add FCGI mod)

You use even less memory and are able to run Lighty in a 64 Mb VPS.

Serving async PHP without a hitch, not kidding you.

Ah, yes, thanks! I read something on the same subject on the Lighty wiki, indicated I should gain some stats first, so I configured/added the rrd module. Not sure how often I should run the script generating the PNGs though. Currently on
*/5 * * * *