Production Web server: Lighttpd: Difference between revisions

From Alpine Linux
m (→‎See Also: Removed wikilinks to non-existent articles.)
(simplify TLS config; prefer modern lighttpd TLS defaults)
 
(7 intermediate revisions by 5 users not shown)
Line 1: Line 1:


[http://www.lighttpd.net/ lighttpd] is a simple, standards-compliant, secure, and flexible web server.  
[https://www.lighttpd.net/ lighttpd] is a simple, standards-compliant, secure, and flexible web server.  


== Lighttpd Installation ==
== Lighttpd Installation ==


Production environment only will handle need packages.. so no doc or manages allowed, Since kernel version 2.6, Linux has sys_epoll, a so-called edge-triggered polling mechanism which scales linearly with the number of connections. Due lighttpd runs over Alpine Linux only the mechanish we will use are only the "linux-sysepoll".
This production environment will handle only the necessary packages... so no doc or manpages allowed.


Lighttpd attempts to improve performance further by caching the output of the UNIX stat() command. It includes a basic (“simple”) cache which keeps the result of file system calls in memory for one second. But many Linux distributions include more advanced accelerators: FAM was the original, and a lighter-weight workalike called Gamin is now included by default in Ubuntu’s lighttpd install.
# make the htdocs public web root directories  
 
# added the service to the default runlevel, not to boot, because need networking activated
# run apk for need pacakges
# start the web server service
# make the htdos public web root directories  
# change default port to production one, http are used with 80
# use FAM stule (gamin) file alteration monitor, increases performance (OPTIONAL currentluy there's no FAM/GAMIN package)
# use linux event handler, increases performance due Alpine are linux only
# added the servide to the default runlevel, not to boot, because need networking activated
# started the web server service


<pre>
<pre>
<nowiki>
<nowiki>
apk add lighttpd gamin
mkdir -p /var/www/localhost/htdocs /var/log/lighttpd /var/lib/lighttpd
mkdir -p /var/www/localhost/htdocs /var/log/lighttpd /var/lib/lighttpd


sed -i -r 's#\#.*server.port.*=.*#server.port          = 80#g' /etc/lighttpd/lighttpd.conf
chown -R lighttpd:lighttpd /var/www/localhost/ /var/log/lighttpd /var/lib/lighttpd  
 
sed -i -r 's#\#.*server.event-handler = "linux-sysepoll".*#server.event-handler = "linux-sysepoll"#g' /etc/lighttpd/lighttpd.conf
 
mkdir -p /var/lib/lighttpd
 
chown -R lighttpd:lighttpd /var/www/localhost/
 
chown -R lighttpd:lighttpd /var/lib/lighttpd
 
chown -R lighttpd:lighttpd /var/log/lighttpd


rc-update add lighttpd default
rc-update add lighttpd default
Line 42: Line 24:
</pre>
</pre>


'''For testing open a broser and go to <code><nowiki>http://<webserveripaddres></nowiki></code> and you will see "it works"'''. The "webserveripaddres" are the ip address of your setup/server machine.
'''For testing, open a browser and go to <code><nowiki>http://<webserveripaddres></nowiki></code> and you will see "it works"'''. The "webserveripaddres" is the ip address of your setup/server machine.
 
'''There's a problem in Alpine linux, FAM (gamin) are activated as a lighttpd only service''', that's make sense in dockers but in servers could be a problem if FAM (gamin) are also need for others services at the same time.
 
'''OPTIONAL:''' '''alpine packagers are a mess, removed fam on recents''', so older releases of alpine can use compiled fam packages with <code>sed -i -r 's#.*server.stat-cache-engine.*=.*# server.stat-cache-engine = "fam"#g' /etc/lighttpd/lighttpd.conf</code>


=== Controlling Lighttpd ===
=== Controlling Lighttpd ===


'''''Start lighttpd''''': After the installation lighttpd is not running. As we made in first section was started already but if you want to start lightttpd manually use:
'''''Start lighttpd''''':


{{Cmd|rc-service lighttpd start}}
{{Cmd|rc-service lighttpd start}}


You will get a feedback about the status.
You will get feedback about the status.


<pre>
<pre>
Line 61: Line 39:
</pre>
</pre>


'''''Stop lighttpd''''': If you want to stop the web server use ''stop'' in the same way of previous command:
'''''Stop lighttpd''''':


{{Cmd|rc-service lighttpd stop}}
{{Cmd|rc-service lighttpd stop}}


'''''Restart lighttpd''''': After changing the configuration file lighttpd needs to be restarted.
'''''Restart lighttpd''''': After changing the configuration file, lighttpd needs to be restarted.


{{Cmd|rc-service lighttpd restart}}
{{Cmd|rc-service lighttpd restart}}


'''''Proper Runlevel''''': By default no services are added to start process, sysadmin must know what we want and what will services do, also other main reason are due in dockers there's no runlevels per se and Alpine linux are mostly used in dockers containers. You must added the servide only to the default runlevel, not to boot, because need networking activated
'''''Proper Runlevel''''': By default no services are added to start process, sysadmin must know what we want and what will services do, also other main reason are due in dockers there's no runlevels per se and Alpine linux are mostly used in dockers containers. You must added the service only to the default runlevel, not to boot, because need networking activated


{{Cmd|rc-update add lighttpd default}}
{{Cmd|rc-update add lighttpd default}}
Line 75: Line 53:
== Lighttpd Configuration ==
== Lighttpd Configuration ==


'''If you just want to serve simple HTML pages, lighttpd can be used out-of-box. No further configuration needed.'''


'''If you just want to serve simple HTML pages lighttpd can be used out-of-box. No further configuration needed.'''
[https://wiki.lighttpd.net/Docs_ConfigurationOptions lighttpd configuration options]


Due to the minimalism of alpine linux, unfortunately the lighttpd packaging is the worst ever seen, '''its configuration file makes it impossible to configure with only single line commands''' so the commands for quick configuration with cares of overwriting are very dedicated.
=== Status page ===


=== Status special page ===
'''Taking care of the status web server:''' those special pages are just minimal info of the running web server, are need to view from outside in a case of emergency, do not take the wrong approach of hide behind a filtered ip or filtered network, you must have access in all time in all the web to see problems.


'''Taking care of the status web server:''' those special pages are just minimal info of the running web server, are need to view from outside in a case of emergency, do not take the wrong approach of hide behind a filtered ip or filtered network, you must have access in all time in all the web to see problems. The creation of the directory in the htdocs main root web files are just to remember you so then can avoid hiring a staff that becomes indispensable, thus allowing to save costs in knowledge theft by technical staff.
[https://wiki.lighttpd.net/mod_status mod_status]


# Enable the mod_status at the config files
# Enable the mod_status at the config files
# change path in the config file, we are using security by obfuscation
# change path in the config file (optional), we are using security by obfuscation
# restart the service to see changes at the browser
# restart the service to see changes at the browser


<pre>
<pre>
<nowiki>
<nowiki>
mkdir -p /var/www/localhost/htdocs/stats
sed -i -r 's#\#.*mod_status.*,.*#    "mod_status",#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#\#.*mod_status.*,.*#    "mod_status",#g' /etc/lighttpd/lighttpd.conf


Line 104: Line 81:
=== CGI bin directory support ===
=== CGI bin directory support ===


By default packages assign a directory under localhost main domain, other linux uses a global cgi directory and aliasing.. the most profesional way, but think about it, this per domain configuration allows isolation:
By default packages assign a directory under localhost main domain, other linux uses a global cgi directory and aliasing.. the most professional way, but think about it, this per domain configuration allows isolation:
 
[https://wiki.lighttpd.net/mod_cgi mod_cgi]


# enable the mod_alias at the config file, due need of a specific path for cgi files into security
# enable the mod_alias at the config file, due need of a specific path for cgi files into security
# create the directory due packager dont make any reference to that neither in the lighttpd-doc
# create the directory
# enable the config cgi file
# enable the config cgi file
# restart the service to see changes at the browser
# restart the service to see changes at the browser
Line 123: Line 102:
</pre>
</pre>


After that, all the files under the <code>/var/www/localhost/cgi-bin</code> directory will be showed as <nowiki>http://localhost/cgi-bin/</nowiki> path
After that, all the files under the <code>/var/www/localhost/cgi-bin</code> directory will be accessed under <nowiki>http://localhost/cgi-bin/</nowiki> path


Plus this config file enables that all .cgi files are perl procesed.. that's wrong,
.cgi and .pl scripts are run using /usr/bin/perl. Review and modify mod_cgi.conf others are needed.  Then restart lighttpd to pick up the changes.
but at the moment that are very specific, each development must document how to deploy property and only enables cgi in specific way.


=== Make special errors (404 or 500) pages for clients and visitors ===
=== Make special errors (404 or 500) pages for clients and visitors ===


This pages will be show to visitors when a page or path are not in the server, or when a internal error happened,  
These pages will be shown to visitors when a page or path is not present on the server, or when an internal error happens.
this are to do not show a horrible message of development to visitors.. and just a nice message or "away from here" message:
These replace the default, minimal error pages and can be a nice message or "away from here" message:


# create the directory for put the html files to show when that errors happened in the way
[https://wiki.lighttpd.net/Server_errorfile-prefixDetails server.errorfile-prefix]
 
# create the directory for put the html files to show when those errors occur
# create the simple files for each message in the directory
# create the simple files for each message in the directory
# set the proper in the configuration file
# set the proper in the configuration file
Line 163: Line 143:


=== Userdir public_html support ===
=== Userdir public_html support ===
[https://wiki.lighttpd.net/mod_userdir mod_userdir]


== Lighttpd SSL support ==
== Lighttpd SSL support ==


The package as we said is made in a limited way, and only have vague references, in the configuration file for the SSL, only put two lines of configuration, and if you try to uncomment that lines, the service will not start, since there is no line for the openssl module and must be put manually.
[https://wiki.lighttpd.net/Docs_SSL lighttpd TLS doc]


Best way to do that are by external include files, Debian counterpart has a good mechanism that enables configuration files, we will made for SSL support in the same way.. all SSL related will be in a specific file.. but that file must be includen first thatn the rest of the configurations, but just after the modules loading, to make effect in https cases.
Create TLS configuration for lighttpd.  Best way to do that is by external include files. Debian counterpart has a good mechanism that enables configuration files.  We will add SSL support in a similar way.


=== SSL : making self signed certificate ===
=== SSL : making self signed certificate ===


We need to created a sefl-signed certificate, so openssl are need in any case either if used a remote made certificate:
We need to created a self-signed certificate if we do not already have one:


# install openssl
# install openssl
Line 197: Line 179:
server.modules += ("mod_openssl")
server.modules += ("mod_openssl")
\$SERVER["socket"] == "0.0.0.0:443" {
\$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine  = "enable"
    ssl.engine  = "enable"
ssl.pemfile = "/etc/ssl/certs/$(hostname -d).pem"
    ssl.pemfile = "/etc/ssl/certs/$(hostname -d).pem"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = "enable"
}
}
\$HTTP["scheme"] == "http" {
\$HTTP["scheme"] == "http" {
     \$HTTP["host"] =~ ".*" {
     url.redirect = ("" => "https://\${url.authority}\${url.path}\${qsa}")
        url.redirect = (".*" => "https://%0\$0")
     url.redirect-code = 308
     }
}
}
EOF
EOF
Line 217: Line 196:
</pre>
</pre>


For deploy usage of Lets Encrypt without chain-tools (just add water) read [[Production Lets Encrypt: dehydrated]].
For deploy usage of Lets Encrypt without chain-tools (just add water) read [https://wiki.lighttpd.net/HowToSimpleSSL HowToSimpleSSL].


== Lighttpd advanced ==
== Lighttpd advanced ==


Lighttpd has pretty good default settings, but a few might be tweaked if we need to respond to higher server loads. The more important area of tuning is simply enabling the advanced features of the recents Alpine Linux kernel we are using: Enable sys_epoll, sendfile and disable atime updates.
Lighttpd has pretty good default settings, but a few might be tweaked if we need to respond to higher server loads.


=== Lighttpd tunning for agressive load ===
[https://wiki.lighttpd.net/Docs_ResourceTuning lighttpd resource tuning]


'''Use noatime and dont care of cache ONLY FOR MANY STATIC FILES''': although it’s not included in the official lighttpd performance document, is not updating the "atime" parameter on served pages. This is a bit of a religious issue among some UNIX administrators becose the monitoring cases, BUT we almost always mounting the entire filesystem with “noatime”, but more granular approach offered by lighttpd:
=== Lighttpd tunning for aggressive load ===


<pre>
[https://wiki.lighttpd.net/Docs_Performance lighttpd performance tuning]
<nowiki>
checkset="";checkset=$(grep 'noatime' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings"\nserver.use-noatime = "enable"\n#g' /etc/lighttpd/lighttpd.conf
 
rc-service lighttpd restart
</nowiki>
</pre>
 
'''Mechanics: Polling and Sending''': By default in this document we set the triggered polling mechanism <code>server.event-handler</code> to <code>linux-sysepoll</code>. But how to actually read and write data from the disk to the network in Linux includes a more advanced call, sendfile, which can move data around without copying it into memory. We can enable this by setting "server.network-backend" to "linux-sendfile", which ought to improve performance for larger (multi-megabyte) files without impacting smaller ones.
 
<pre>
<nowiki>
checkset="";checkset=$(grep 'network-backend' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings"\nserver.network-backend = "linux-sendfile"\n#g' /etc/lighttpd/lighttpd.conf
 
rc-service lighttpd restart
</nowiki>
</pre>


=== More connections, More File Descriptors ===
=== More connections, More File Descriptors ===


This must be used with caution, everything is a file to a UNIX operating system. Well, every time a visitor accesses a page, lighttpd uses three file descriptors: An IP socket to the client, a fastCGI process socket, and a filehandle for the document accessed. Lighttpd stops accepting new connections when 90% of the available sockets are in use, restarting again when usage has fallen to 80%. With the default setting of 1024 file descriptors, lighttpd can handle a maximum of 307 connections. If this number are exceded file descriptor must be increrased then. This are a delicate tune due must be check your default with <code>cat /proc/sys/fs/file-max</code> and make sure it’s over 10,000:
This must be used with caution.  Everything is a file to a UNIX operating system. Well, every time a visitor accesses a page, lighttpd uses three file descriptors: An IP socket to the client, a FastCGI process socket, and a filehandle for the document accessed. Lighttpd stops accepting new connections when 90% of the available sockets are in use, restarting again when usage has fallen to 80%. With the default setting of 1024 file descriptors, lighttpd can handle a maximum of 307 connections. If this number are exceded file descriptor must be increrased then. This are a delicate tune due must be check your default with <code>cat /proc/sys/fs/file-max</code> and make sure it’s over 10,000:


<pre>
<pre>
Line 260: Line 223:
=== HTTP Keep-Alive for aggressive load ===
=== HTTP Keep-Alive for aggressive load ===


One reason that file descriptors get used up so quickly is HTTP keep-alive. To improve performance, modern web servers keep client connections alive to handle multiple requests instead of building up and tearing down connections for each item in a page. Keep-alive is tremendously beneficial to performance, but tends to keep unnecessary connections alive, too. By default, lighttpd allows 16 keep-alive requests per connection, allows idle sessions to remain alive for 5 seconds, and gives reads and writes 1 minute and 6 minutes to complete, respectively.
One reason that file descriptors get used up so quickly is HTTP keep-alive. To improve performance, modern web servers keep client connections alive to handle multiple requests instead of building up and tearing down connections for each item in a page. Keep-alive is tremendously beneficial to performance, but tends to keep unnecessary connections alive, too. lighttpd allows 1000 keep-alive requests per connection, allows idle sessions to remain alive for 5 seconds, and gives reads and writes 1 minute and 6 minutes to complete, respectively.


# Maximum number of request within a keep-alive session before the server terminates the connection, default = 16 (<code>server.max-keep-alive-requests</code>)
# Maximum number of request within a keep-alive session before the server terminates the connection, default = 1000 (<code>server.max-keep-alive-requests</code>)
# Maximum number of seconds until an idling keep-alive connection is dropped, default = 5 (<code>server.max-keep-alive-idle</code>)
# Maximum number of seconds until an idling keep-alive connection is dropped, default = 5 (<code>server.max-keep-alive-idle</code>)
# Maximum number of seconds until a waiting, non keep-alive read times out and closes the connection, default = 60 (<code>server.max-read-idle</code>)
# Maximum number of seconds until a waiting, non keep-alive read times out and closes the connection, default = 60 (<code>server.max-read-idle</code>)
# Maximum number of seconds until a waiting write call times out and closes the connection, default = 360 (<code>server.max-write-idle</code>)
# Maximum number of seconds until a waiting write call times out and closes the connection, default = 360 (<code>server.max-write-idle</code>)


Although lighttpd has pretty aggressive defaults (especially compared to Apache), a period of heavy traffic and a few slow clients could see many unused connections sticking around. The server.max-keep-alive-idle setting default of 5 seconds can be reduced to as low as 2, if you assume your clients are reasonably quick about requesting data, but a value of 3 or 4 is probably realistic. You may want to increase the server.max-keep-alive-requests value from the default of 16, but you probably don’t need to. The server.max-read-idle and server.max-write-idle settings are tempting targets, but these situations are usually fairly rare so let’s not monkey with them.
Although lighttpd has pretty aggressive defaults (especially compared to Apache), a period of heavy traffic and a few slow clients could see many unused connections sticking around. The server.max-keep-alive-idle setting default of 5 seconds can be reduced to as low as 2, if you assume your clients are reasonably quick about requesting data, but a value of 3 or 4 is probably realistic. You may want to increase the server.max-keep-alive-requests value from the default of 1000, but you probably don’t need to. The server.max-read-idle and server.max-write-idle settings are tempting targets, but these situations are usually fairly rare so let’s not monkey with them.


=== Lighttpd_Advanced_security ===
=== Lighttpd_Advanced_security ===
Line 278: Line 241:


* LAMP deploy of the Web Server with PHP, user html_dir and MariaDB: [[Production LAMP system: Lighttpd + PHP + MySQL]]
* LAMP deploy of the Web Server with PHP, user html_dir and MariaDB: [[Production LAMP system: Lighttpd + PHP + MySQL]]
* LAMP deploy of the Web Server with PHP 5.6 and MariaDB: [[Production LAMP system: Lighttpd + PHP5 + MySQL]]


= See Also =
= See Also =


* [[Production LAMP system: Lighttpd + PHP + MySQL]]
* [[Production LAMP system: Lighttpd + PHP + MySQL]]
* [[Alpine newbie developer]]


[[Category:Newbie]]
[[Category:Newbie]]

Latest revision as of 03:22, 2 November 2023

lighttpd is a simple, standards-compliant, secure, and flexible web server.

Lighttpd Installation

This production environment will handle only the necessary packages... so no doc or manpages allowed.

  1. make the htdocs public web root directories
  2. added the service to the default runlevel, not to boot, because need networking activated
  3. start the web server service

mkdir -p /var/www/localhost/htdocs /var/log/lighttpd /var/lib/lighttpd

chown -R lighttpd:lighttpd /var/www/localhost/ /var/log/lighttpd /var/lib/lighttpd 

rc-update add lighttpd default

rc-service lighttpd restart

echo "it works" > /var/www/localhost/htdocs/index.html

For testing, open a browser and go to http://<webserveripaddres> and you will see "it works". The "webserveripaddres" is the ip address of your setup/server machine.

Controlling Lighttpd

Start lighttpd:

rc-service lighttpd start

You will get feedback about the status.

 * Caching service dependencies                                 [ ok ]
 * Starting lighttpd...                                         [ ok ]

Stop lighttpd:

rc-service lighttpd stop

Restart lighttpd: After changing the configuration file, lighttpd needs to be restarted.

rc-service lighttpd restart

Proper Runlevel: By default no services are added to start process, sysadmin must know what we want and what will services do, also other main reason are due in dockers there's no runlevels per se and Alpine linux are mostly used in dockers containers. You must added the service only to the default runlevel, not to boot, because need networking activated

rc-update add lighttpd default

Lighttpd Configuration

If you just want to serve simple HTML pages, lighttpd can be used out-of-box. No further configuration needed.

lighttpd configuration options

Status page

Taking care of the status web server: those special pages are just minimal info of the running web server, are need to view from outside in a case of emergency, do not take the wrong approach of hide behind a filtered ip or filtered network, you must have access in all time in all the web to see problems.

mod_status

  1. Enable the mod_status at the config files
  2. change path in the config file (optional), we are using security by obfuscation
  3. restart the service to see changes at the browser

sed -i -r 's#\#.*mod_status.*,.*#    "mod_status",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*status.status-url.*=.*#status.status-url  = "/stats/server-status"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*status.config-url.*=.*#status.config-url  = "/stats/server-config"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart

CGI bin directory support

By default packages assign a directory under localhost main domain, other linux uses a global cgi directory and aliasing.. the most professional way, but think about it, this per domain configuration allows isolation:

mod_cgi

  1. enable the mod_alias at the config file, due need of a specific path for cgi files into security
  2. create the directory
  3. enable the config cgi file
  4. restart the service to see changes at the browser

mkdir -p /var/www/localhost/cgi-bin

sed -i -r 's#\#.*mod_alias.*,.*#    "mod_alias",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_cgi.conf".*#   include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart

After that, all the files under the /var/www/localhost/cgi-bin directory will be accessed under http://localhost/cgi-bin/ path

.cgi and .pl scripts are run using /usr/bin/perl. Review and modify mod_cgi.conf others are needed. Then restart lighttpd to pick up the changes.

Make special errors (404 or 500) pages for clients and visitors

These pages will be shown to visitors when a page or path is not present on the server, or when an internal error happens. These replace the default, minimal error pages and can be a nice message or "away from here" message:

server.errorfile-prefix

  1. create the directory for put the html files to show when those errors occur
  2. create the simple files for each message in the directory
  3. set the proper in the configuration file
  4. restart the service to see the changes at the browser (just request a non existing page and you will see it)

mkdir -p /var/www/localhost/errors

cat > /var/www/localhost/errors/status-404.html << EOF
<h1>The page that you requested are not yet here anymore, sorry was moved or updated, search or visit another one</h1>
EOF

cat > /var/www/localhost/errors/status-500.html << EOF
<h1>Please wait a moment, there's something happens and we are give support maintenance right now to resolve</h1>
EOF

cp /var/www/localhost/errors/status-404.html /var/www/localhost/errors/status-403.html

cp /var/www/localhost/errors/status-500.html /var/www/localhost/errors/status-501.html

cp /var/www/localhost/errors/status-500.html /var/www/localhost/errors/status-503.html

sed -i -r 's#.*server.errorfile-prefix.*#server.errorfile-prefix    = var.basedir + "/errors/status-"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart

Userdir public_html support

mod_userdir

Lighttpd SSL support

lighttpd TLS doc

Create TLS configuration for lighttpd. Best way to do that is by external include files. Debian counterpart has a good mechanism that enables configuration files. We will add SSL support in a similar way.

SSL : making self signed certificate

We need to created a self-signed certificate if we do not already have one:

  1. install openssl
  2. create the self signed certificate
  3. set proper permissions
  4. create a SSL module configuration file for lighttpd
  5. activate the openssl module missing from config file
  6. activate the mod_redirect in case of global http to https redirections
  7. restart the service to see changes

apk add openssl

mkdir -p /etc/ssl/certs/

openssl req -x509 -days 1460 -nodes -newkey rsa:4096 \
   -subj "/C=VE/ST=Bolivar/L=Upata/O=VenenuX/OU=Systemas:hozYmartillo/CN=$(hostname -d)" \
   -keyout /etc/ssl/certs/$(hostname -d).pem -out /etc/ssl/certs/$(hostname -d).pem

chmod 640 /etc/ssl/certs/$(hostname -d).pem

cat > /etc/lighttpd/mod_ssl.conf << EOF
server.modules += ("mod_openssl")
\$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/ssl/certs/$(hostname -d).pem"
}
\$HTTP["scheme"] == "http" {
    url.redirect = ("" => "https://\${url.authority}\${url.path}\${qsa}")
    url.redirect-code = 308
}
EOF

sed -i -r 's#\#.*mod_redirect.*,.*#    "mod_redirect",#g' /etc/lighttpd/lighttpd.conf

checkssl="";checkssl=$(grep 'include "mod_ssl.conf' /etc/lighttpd/lighttpd.conf);[[ "$checkssl" != "" ]] && echo listo || sed -i -r 's#.*include "mime-types.conf".*#include "mime-types.conf"\ninclude "mod_ssl.conf"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart

For deploy usage of Lets Encrypt without chain-tools (just add water) read HowToSimpleSSL.

Lighttpd advanced

Lighttpd has pretty good default settings, but a few might be tweaked if we need to respond to higher server loads.

lighttpd resource tuning

Lighttpd tunning for aggressive load

lighttpd performance tuning

More connections, More File Descriptors

This must be used with caution. Everything is a file to a UNIX operating system. Well, every time a visitor accesses a page, lighttpd uses three file descriptors: An IP socket to the client, a FastCGI process socket, and a filehandle for the document accessed. Lighttpd stops accepting new connections when 90% of the available sockets are in use, restarting again when usage has fallen to 80%. With the default setting of 1024 file descriptors, lighttpd can handle a maximum of 307 connections. If this number are exceded file descriptor must be increrased then. This are a delicate tune due must be check your default with cat /proc/sys/fs/file-max and make sure it’s over 10,000:


checkset="";checkset=$(grep 'max-fds' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings\nserver.max-fds = 2048\n#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart


HTTP Keep-Alive for aggressive load

One reason that file descriptors get used up so quickly is HTTP keep-alive. To improve performance, modern web servers keep client connections alive to handle multiple requests instead of building up and tearing down connections for each item in a page. Keep-alive is tremendously beneficial to performance, but tends to keep unnecessary connections alive, too. lighttpd allows 1000 keep-alive requests per connection, allows idle sessions to remain alive for 5 seconds, and gives reads and writes 1 minute and 6 minutes to complete, respectively.

  1. Maximum number of request within a keep-alive session before the server terminates the connection, default = 1000 (server.max-keep-alive-requests)
  2. Maximum number of seconds until an idling keep-alive connection is dropped, default = 5 (server.max-keep-alive-idle)
  3. Maximum number of seconds until a waiting, non keep-alive read times out and closes the connection, default = 60 (server.max-read-idle)
  4. Maximum number of seconds until a waiting write call times out and closes the connection, default = 360 (server.max-write-idle)

Although lighttpd has pretty aggressive defaults (especially compared to Apache), a period of heavy traffic and a few slow clients could see many unused connections sticking around. The server.max-keep-alive-idle setting default of 5 seconds can be reduced to as low as 2, if you assume your clients are reasonably quick about requesting data, but a value of 3 or 4 is probably realistic. You may want to increase the server.max-keep-alive-requests value from the default of 1000, but you probably don’t need to. The server.max-read-idle and server.max-write-idle settings are tempting targets, but these situations are usually fairly rare so let’s not monkey with them.

Lighttpd_Advanced_security

See at Lighttpd_Advanced_security wiki page.

Lighttpd and PHP with fpm

In production web, LAMP means Linux + Apache + Mysql + Php installed and integrated, but today the "A" of apache are more used as Nginx or Lighttpd, and the "M" of MySQL are more used as Mariadb, the LAMP focused documents are:

See Also