Alpine Linux - User contributions [en]

Production Web server: Lighttpd

2023-11-02T03:22:27Z

Gstrauss: simplify TLS config; prefer modern lighttpd TLS defaults

[https://www.lighttpd.net/ lighttpd] is a simple, standards-compliant, secure, and flexible web server.

== Lighttpd Installation ==

This production environment will handle only the necessary packages... so no doc or manpages allowed.

# make the htdocs public web root directories
# added the service to the default runlevel, not to boot, because need networking activated
# start the web server service

<pre>
<nowiki>
mkdir -p /var/www/localhost/htdocs /var/log/lighttpd /var/lib/lighttpd

chown -R lighttpd:lighttpd /var/www/localhost/ /var/log/lighttpd /var/lib/lighttpd

rc-update add lighttpd default

rc-service lighttpd restart

echo "it works" > /var/www/localhost/htdocs/index.html
</nowiki>
</pre>

'''For testing, open a browser and go to <code><nowiki>http://<webserveripaddres></nowiki></code> and you will see "it works"'''. The "webserveripaddres" is the ip address of your setup/server machine.

=== Controlling Lighttpd ===

'''''Start lighttpd''''':

{{Cmd|rc-service lighttpd start}}

You will get feedback about the status.

<pre>
* Caching service dependencies [ ok ]
* Starting lighttpd... [ ok ]
</pre>

'''''Stop lighttpd''''':

{{Cmd|rc-service lighttpd stop}}

'''''Restart lighttpd''''': After changing the configuration file, lighttpd needs to be restarted.

{{Cmd|rc-service lighttpd restart}}

'''''Proper Runlevel''''': By default no services are added to start process, sysadmin must know what we want and what will services do, also other main reason are due in dockers there's no runlevels per se and Alpine linux are mostly used in dockers containers. You must added the service only to the default runlevel, not to boot, because need networking activated

{{Cmd|rc-update add lighttpd default}}

== Lighttpd Configuration ==

'''If you just want to serve simple HTML pages, lighttpd can be used out-of-box. No further configuration needed.'''

[https://wiki.lighttpd.net/Docs_ConfigurationOptions lighttpd configuration options]

=== Status page ===

'''Taking care of the status web server:''' those special pages are just minimal info of the running web server, are need to view from outside in a case of emergency, do not take the wrong approach of hide behind a filtered ip or filtered network, you must have access in all time in all the web to see problems.

[https://wiki.lighttpd.net/mod_status mod_status]

# Enable the mod_status at the config files
# change path in the config file (optional), we are using security by obfuscation
# restart the service to see changes at the browser

<pre>
<nowiki>
sed -i -r 's#\#.*mod_status.*,.*# "mod_status",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*status.status-url.*=.*#status.status-url = "/stats/server-status"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*status.config-url.*=.*#status.config-url = "/stats/server-config"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

=== CGI bin directory support ===

By default packages assign a directory under localhost main domain, other linux uses a global cgi directory and aliasing.. the most professional way, but think about it, this per domain configuration allows isolation:

[https://wiki.lighttpd.net/mod_cgi mod_cgi]

# enable the mod_alias at the config file, due need of a specific path for cgi files into security
# create the directory
# enable the config cgi file
# restart the service to see changes at the browser

<pre>
<nowiki>
mkdir -p /var/www/localhost/cgi-bin

sed -i -r 's#\#.*mod_alias.*,.*# "mod_alias",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_cgi.conf".*# include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

After that, all the files under the <code>/var/www/localhost/cgi-bin</code> directory will be accessed under <nowiki>http://localhost/cgi-bin/</nowiki> path

.cgi and .pl scripts are run using /usr/bin/perl. Review and modify mod_cgi.conf others are needed. Then restart lighttpd to pick up the changes.

=== Make special errors (404 or 500) pages for clients and visitors ===

These pages will be shown to visitors when a page or path is not present on the server, or when an internal error happens.
These replace the default, minimal error pages and can be a nice message or "away from here" message:

[https://wiki.lighttpd.net/Server_errorfile-prefixDetails server.errorfile-prefix]

# create the directory for put the html files to show when those errors occur
# create the simple files for each message in the directory
# set the proper in the configuration file
# restart the service to see the changes at the browser (just request a non existing page and you will see it)

<pre>
<nowiki>
mkdir -p /var/www/localhost/errors

cat > /var/www/localhost/errors/status-404.html << EOF
<h1>The page that you requested are not yet here anymore, sorry was moved or updated, search or visit another one</h1>
EOF

cat > /var/www/localhost/errors/status-500.html << EOF
<h1>Please wait a moment, there's something happens and we are give support maintenance right now to resolve</h1>
EOF

cp /var/www/localhost/errors/status-404.html /var/www/localhost/errors/status-403.html

cp /var/www/localhost/errors/status-500.html /var/www/localhost/errors/status-501.html

cp /var/www/localhost/errors/status-500.html /var/www/localhost/errors/status-503.html

sed -i -r 's#.*server.errorfile-prefix.*#server.errorfile-prefix = var.basedir + "/errors/status-"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

=== Userdir public_html support ===

[https://wiki.lighttpd.net/mod_userdir mod_userdir]

== Lighttpd SSL support ==

[https://wiki.lighttpd.net/Docs_SSL lighttpd TLS doc]

Create TLS configuration for lighttpd. Best way to do that is by external include files. Debian counterpart has a good mechanism that enables configuration files. We will add SSL support in a similar way.

=== SSL : making self signed certificate ===

We need to created a self-signed certificate if we do not already have one:

# install openssl
# create the self signed certificate
# set proper permissions
# create a SSL module configuration file for lighttpd
# activate the openssl module missing from config file
# activate the mod_redirect in case of global http to https redirections
# restart the service to see changes

<pre>
<nowiki>
apk add openssl

mkdir -p /etc/ssl/certs/

openssl req -x509 -days 1460 -nodes -newkey rsa:4096 \
-subj "/C=VE/ST=Bolivar/L=Upata/O=VenenuX/OU=Systemas:hozYmartillo/CN=$(hostname -d)" \
-keyout /etc/ssl/certs/$(hostname -d).pem -out /etc/ssl/certs/$(hostname -d).pem

chmod 640 /etc/ssl/certs/$(hostname -d).pem

cat > /etc/lighttpd/mod_ssl.conf << EOF
server.modules += ("mod_openssl")
\$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/ssl/certs/$(hostname -d).pem"
}
\$HTTP["scheme"] == "http" {
url.redirect = ("" => "https://\${url.authority}\${url.path}\${qsa}")
url.redirect-code = 308
}
EOF

sed -i -r 's#\#.*mod_redirect.*,.*# "mod_redirect",#g' /etc/lighttpd/lighttpd.conf

checkssl="";checkssl=$(grep 'include "mod_ssl.conf' /etc/lighttpd/lighttpd.conf);[[ "$checkssl" != "" ]] && echo listo || sed -i -r 's#.*include "mime-types.conf".*#include "mime-types.conf"\ninclude "mod_ssl.conf"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

For deploy usage of Lets Encrypt without chain-tools (just add water) read [https://wiki.lighttpd.net/HowToSimpleSSL HowToSimpleSSL].

== Lighttpd advanced ==

Lighttpd has pretty good default settings, but a few might be tweaked if we need to respond to higher server loads.

[https://wiki.lighttpd.net/Docs_ResourceTuning lighttpd resource tuning]

=== Lighttpd tunning for aggressive load ===

[https://wiki.lighttpd.net/Docs_Performance lighttpd performance tuning]

=== More connections, More File Descriptors ===

This must be used with caution. Everything is a file to a UNIX operating system. Well, every time a visitor accesses a page, lighttpd uses three file descriptors: An IP socket to the client, a FastCGI process socket, and a filehandle for the document accessed. Lighttpd stops accepting new connections when 90% of the available sockets are in use, restarting again when usage has fallen to 80%. With the default setting of 1024 file descriptors, lighttpd can handle a maximum of 307 connections. If this number are exceded file descriptor must be increrased then. This are a delicate tune due must be check your default with <code>cat /proc/sys/fs/file-max</code> and make sure it’s over 10,000:

<pre>
<nowiki>
checkset="";checkset=$(grep 'max-fds' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings\nserver.max-fds = 2048\n#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

=== HTTP Keep-Alive for aggressive load ===

One reason that file descriptors get used up so quickly is HTTP keep-alive. To improve performance, modern web servers keep client connections alive to handle multiple requests instead of building up and tearing down connections for each item in a page. Keep-alive is tremendously beneficial to performance, but tends to keep unnecessary connections alive, too. lighttpd allows 1000 keep-alive requests per connection, allows idle sessions to remain alive for 5 seconds, and gives reads and writes 1 minute and 6 minutes to complete, respectively.

# Maximum number of request within a keep-alive session before the server terminates the connection, default = 1000 (<code>server.max-keep-alive-requests</code>)
# Maximum number of seconds until an idling keep-alive connection is dropped, default = 5 (<code>server.max-keep-alive-idle</code>)
# Maximum number of seconds until a waiting, non keep-alive read times out and closes the connection, default = 60 (<code>server.max-read-idle</code>)
# Maximum number of seconds until a waiting write call times out and closes the connection, default = 360 (<code>server.max-write-idle</code>)

Although lighttpd has pretty aggressive defaults (especially compared to Apache), a period of heavy traffic and a few slow clients could see many unused connections sticking around. The server.max-keep-alive-idle setting default of 5 seconds can be reduced to as low as 2, if you assume your clients are reasonably quick about requesting data, but a value of 3 or 4 is probably realistic. You may want to increase the server.max-keep-alive-requests value from the default of 1000, but you probably don’t need to. The server.max-read-idle and server.max-write-idle settings are tempting targets, but these situations are usually fairly rare so let’s not monkey with them.

=== Lighttpd_Advanced_security ===

See at [[Lighttpd_Advanced_security]] wiki page.

=== Lighttpd and PHP with fpm ===

In production web, LAMP means '''L'''inux + '''A'''pache + '''M'''ysql + '''P'''hp installed and integrated, but today the "A" of apache are more used as Nginx or Lighttpd, and the "M" of MySQL are more used as Mariadb, the LAMP focused documents are:

* LAMP deploy of the Web Server with PHP, user html_dir and MariaDB: [[Production LAMP system: Lighttpd + PHP + MySQL]]

= See Also =

* [[Production LAMP system: Lighttpd + PHP + MySQL]]

[[Category:Newbie]]
[[Category:Server]]
[[Category:Web_Server]]
[[Category:Monitoring]]
[[Category:Development]]
[[Category:Security]]
[[Category:Production]]

Production Web server: Lighttpd

2022-12-22T17:55:57Z

Gstrauss: Undo revision 22799 by Gstrauss (talk) backslases needed in shell command

[http://www.lighttpd.net/ lighttpd] is a simple, standards-compliant, secure, and flexible web server.

== Lighttpd Installation ==

This production environment will handle only the necessary packages... so no doc or manpages allowed.

# make the htdocs public web root directories
# added the service to the default runlevel, not to boot, because need networking activated
# start the web server service

<pre>
<nowiki>
mkdir -p /var/www/localhost/htdocs /var/log/lighttpd /var/lib/lighttpd

chown -R lighttpd:lighttpd /var/www/localhost/ /var/log/lighttpd /var/lib/lighttpd

rc-update add lighttpd default

rc-service lighttpd restart

echo "it works" > /var/www/localhost/htdocs/index.html
</nowiki>
</pre>

'''For testing, open a browser and go to <code><nowiki>http://<webserveripaddres></nowiki></code> and you will see "it works"'''. The "webserveripaddres" is the ip address of your setup/server machine.

=== Controlling Lighttpd ===

'''''Start lighttpd''''':

{{Cmd|rc-service lighttpd start}}

You will get feedback about the status.

<pre>
* Caching service dependencies [ ok ]
* Starting lighttpd... [ ok ]
</pre>

'''''Stop lighttpd''''':

{{Cmd|rc-service lighttpd stop}}

'''''Restart lighttpd''''': After changing the configuration file, lighttpd needs to be restarted.

{{Cmd|rc-service lighttpd restart}}

'''''Proper Runlevel''''': By default no services are added to start process, sysadmin must know what we want and what will services do, also other main reason are due in dockers there's no runlevels per se and Alpine linux are mostly used in dockers containers. You must added the service only to the default runlevel, not to boot, because need networking activated

{{Cmd|rc-update add lighttpd default}}

== Lighttpd Configuration ==

'''If you just want to serve simple HTML pages, lighttpd can be used out-of-box. No further configuration needed.'''

[https://wiki.lighttpd.net/Docs_ConfigurationOptions lighttpd configuration options]

=== Status page ===

'''Taking care of the status web server:''' those special pages are just minimal info of the running web server, are need to view from outside in a case of emergency, do not take the wrong approach of hide behind a filtered ip or filtered network, you must have access in all time in all the web to see problems.

[https://wiki.lighttpd.net/mod_status mod_status]

# Enable the mod_status at the config files
# change path in the config file (optional), we are using security by obfuscation
# restart the service to see changes at the browser

<pre>
<nowiki>
sed -i -r 's#\#.*mod_status.*,.*# "mod_status",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*status.status-url.*=.*#status.status-url = "/stats/server-status"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*status.config-url.*=.*#status.config-url = "/stats/server-config"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

=== CGI bin directory support ===

By default packages assign a directory under localhost main domain, other linux uses a global cgi directory and aliasing.. the most professional way, but think about it, this per domain configuration allows isolation:

[https://wiki.lighttpd.net/mod_cgi mod_cgi]

# enable the mod_alias at the config file, due need of a specific path for cgi files into security
# create the directory
# enable the config cgi file
# restart the service to see changes at the browser

<pre>
<nowiki>
mkdir -p /var/www/localhost/cgi-bin

sed -i -r 's#\#.*mod_alias.*,.*# "mod_alias",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_cgi.conf".*# include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

After that, all the files under the <code>/var/www/localhost/cgi-bin</code> directory will be accessed under <nowiki>http://localhost/cgi-bin/</nowiki> path

.cgi and .pl scripts are run using /usr/bin/perl. Review and modify mod_cgi.conf others are needed. Then restart lighttpd to pick up the changes.

=== Make special errors (404 or 500) pages for clients and visitors ===

These pages will be shown to visitors when a page or path is not present on the server, or when an internal error happens.
These replace the default, minimal error pages and can be a nice message or "away from here" message:

[https://wiki.lighttpd.net/Server_errorfile-prefixDetails server.errorfile-prefix]

# create the directory for put the html files to show when those errors occur
# create the simple files for each message in the directory
# set the proper in the configuration file
# restart the service to see the changes at the browser (just request a non existing page and you will see it)

<pre>
<nowiki>
mkdir -p /var/www/localhost/errors

cat > /var/www/localhost/errors/status-404.html << EOF
<h1>The page that you requested are not yet here anymore, sorry was moved or updated, search or visit another one</h1>
EOF

cat > /var/www/localhost/errors/status-500.html << EOF
<h1>Please wait a moment, there's something happens and we are give support maintenance right now to resolve</h1>
EOF

cp /var/www/localhost/errors/status-404.html /var/www/localhost/errors/status-403.html

cp /var/www/localhost/errors/status-500.html /var/www/localhost/errors/status-501.html

cp /var/www/localhost/errors/status-500.html /var/www/localhost/errors/status-503.html

sed -i -r 's#.*server.errorfile-prefix.*#server.errorfile-prefix = var.basedir + "/errors/status-"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

=== Userdir public_html support ===

[https://wiki.lighttpd.net/mod_userdir mod_userdir]

== Lighttpd SSL support ==

[https://wiki.lighttpd.net/Docs_SSL lighttpd TLS doc]

Create TLS configuration for lighttpd. Best way to do that is by external include files. Debian counterpart has a good mechanism that enables configuration files. We will add SSL support in a similar way.

=== SSL : making self signed certificate ===

We need to created a self-signed certificate if we do not already have one:

# install openssl
# create the self signed certificate
# set proper permissions
# create a SSL module configuration file for lighttpd
# activate the openssl module missing from config file
# activate the mod_redirect in case of global http to https redirections
# restart the service to see changes

<pre>
<nowiki>
apk add openssl

mkdir -p /etc/ssl/certs/

openssl req -x509 -days 1460 -nodes -newkey rsa:4096 \
-subj "/C=VE/ST=Bolivar/L=Upata/O=VenenuX/OU=Systemas:hozYmartillo/CN=$(hostname -d)" \
-keyout /etc/ssl/certs/$(hostname -d).pem -out /etc/ssl/certs/$(hostname -d).pem

chmod 640 /etc/ssl/certs/$(hostname -d).pem

cat > /etc/lighttpd/mod_ssl.conf << EOF
server.modules += ("mod_openssl")
\$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/ssl/certs/$(hostname -d).pem"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = "enable"
}
\$HTTP["scheme"] == "http" {
url.redirect = ("" => "https://\${url.authority}\${url.path}\${qsa}")
url.redirect-code = 308
}
EOF

sed -i -r 's#\#.*mod_redirect.*,.*# "mod_redirect",#g' /etc/lighttpd/lighttpd.conf

checkssl="";checkssl=$(grep 'include "mod_ssl.conf' /etc/lighttpd/lighttpd.conf);[[ "$checkssl" != "" ]] && echo listo || sed -i -r 's#.*include "mime-types.conf".*#include "mime-types.conf"\ninclude "mod_ssl.conf"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

For deploy usage of Lets Encrypt without chain-tools (just add water) read [https://wiki.lighttpd.net/HowToSimpleSSL HowToSimpleSSL].

== Lighttpd advanced ==

Lighttpd has pretty good default settings, but a few might be tweaked if we need to respond to higher server loads.

[https://wiki.lighttpd.net/Docs_ResourceTuning lighttpd resource tuning]

=== Lighttpd tunning for aggressive load ===

[https://wiki.lighttpd.net/Docs_Performance lighttpd performance tuning]

=== More connections, More File Descriptors ===

This must be used with caution. Everything is a file to a UNIX operating system. Well, every time a visitor accesses a page, lighttpd uses three file descriptors: An IP socket to the client, a FastCGI process socket, and a filehandle for the document accessed. Lighttpd stops accepting new connections when 90% of the available sockets are in use, restarting again when usage has fallen to 80%. With the default setting of 1024 file descriptors, lighttpd can handle a maximum of 307 connections. If this number are exceded file descriptor must be increrased then. This are a delicate tune due must be check your default with <code>cat /proc/sys/fs/file-max</code> and make sure it’s over 10,000:

<pre>
<nowiki>
checkset="";checkset=$(grep 'max-fds' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings\nserver.max-fds = 2048\n#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

=== HTTP Keep-Alive for aggressive load ===

One reason that file descriptors get used up so quickly is HTTP keep-alive. To improve performance, modern web servers keep client connections alive to handle multiple requests instead of building up and tearing down connections for each item in a page. Keep-alive is tremendously beneficial to performance, but tends to keep unnecessary connections alive, too. lighttpd allows 1000 keep-alive requests per connection, allows idle sessions to remain alive for 5 seconds, and gives reads and writes 1 minute and 6 minutes to complete, respectively.

# Maximum number of request within a keep-alive session before the server terminates the connection, default = 1000 (<code>server.max-keep-alive-requests</code>)
# Maximum number of seconds until an idling keep-alive connection is dropped, default = 5 (<code>server.max-keep-alive-idle</code>)
# Maximum number of seconds until a waiting, non keep-alive read times out and closes the connection, default = 60 (<code>server.max-read-idle</code>)
# Maximum number of seconds until a waiting write call times out and closes the connection, default = 360 (<code>server.max-write-idle</code>)

Although lighttpd has pretty aggressive defaults (especially compared to Apache), a period of heavy traffic and a few slow clients could see many unused connections sticking around. The server.max-keep-alive-idle setting default of 5 seconds can be reduced to as low as 2, if you assume your clients are reasonably quick about requesting data, but a value of 3 or 4 is probably realistic. You may want to increase the server.max-keep-alive-requests value from the default of 1000, but you probably don’t need to. The server.max-read-idle and server.max-write-idle settings are tempting targets, but these situations are usually fairly rare so let’s not monkey with them.

=== Lighttpd_Advanced_security ===

See at [[Lighttpd_Advanced_security]] wiki page.

=== Lighttpd and PHP with fpm ===

In production web, LAMP means '''L'''inux + '''A'''pache + '''M'''ysql + '''P'''hp installed and integrated, but today the "A" of apache are more used as Nginx or Lighttpd, and the "M" of MySQL are more used as Mariadb, the LAMP focused documents are:

* LAMP deploy of the Web Server with PHP, user html_dir and MariaDB: [[Production LAMP system: Lighttpd + PHP + MySQL]]
* LAMP deploy of the Web Server with PHP 5.6 and MariaDB: [[Production LAMP system: Lighttpd + PHP5 + MySQL]]

= See Also =

* [[Production LAMP system: Lighttpd + PHP + MySQL]]
* [[Alpine newbie developer]]

[[Category:Newbie]]
[[Category:Server]]
[[Category:Web_Server]]
[[Category:Monitoring]]
[[Category:Development]]
[[Category:Security]]
[[Category:Production]]

Production Web server: Lighttpd

2022-12-22T17:54:41Z

Gstrauss: /* SSL : making self signed certificate */ remove excess backslashes

[http://www.lighttpd.net/ lighttpd] is a simple, standards-compliant, secure, and flexible web server.

== Lighttpd Installation ==

This production environment will handle only the necessary packages... so no doc or manpages allowed.

# make the htdocs public web root directories
# added the service to the default runlevel, not to boot, because need networking activated
# start the web server service

<pre>
<nowiki>
mkdir -p /var/www/localhost/htdocs /var/log/lighttpd /var/lib/lighttpd

chown -R lighttpd:lighttpd /var/www/localhost/ /var/log/lighttpd /var/lib/lighttpd

rc-update add lighttpd default

rc-service lighttpd restart

echo "it works" > /var/www/localhost/htdocs/index.html
</nowiki>
</pre>

'''For testing, open a browser and go to <code><nowiki>http://<webserveripaddres></nowiki></code> and you will see "it works"'''. The "webserveripaddres" is the ip address of your setup/server machine.

=== Controlling Lighttpd ===

'''''Start lighttpd''''':

{{Cmd|rc-service lighttpd start}}

You will get feedback about the status.

<pre>
* Caching service dependencies [ ok ]
* Starting lighttpd... [ ok ]
</pre>

'''''Stop lighttpd''''':

{{Cmd|rc-service lighttpd stop}}

'''''Restart lighttpd''''': After changing the configuration file, lighttpd needs to be restarted.

{{Cmd|rc-service lighttpd restart}}

'''''Proper Runlevel''''': By default no services are added to start process, sysadmin must know what we want and what will services do, also other main reason are due in dockers there's no runlevels per se and Alpine linux are mostly used in dockers containers. You must added the service only to the default runlevel, not to boot, because need networking activated

{{Cmd|rc-update add lighttpd default}}

== Lighttpd Configuration ==

'''If you just want to serve simple HTML pages, lighttpd can be used out-of-box. No further configuration needed.'''

[https://wiki.lighttpd.net/Docs_ConfigurationOptions lighttpd configuration options]

=== Status page ===

'''Taking care of the status web server:''' those special pages are just minimal info of the running web server, are need to view from outside in a case of emergency, do not take the wrong approach of hide behind a filtered ip or filtered network, you must have access in all time in all the web to see problems.

[https://wiki.lighttpd.net/mod_status mod_status]

# Enable the mod_status at the config files
# change path in the config file (optional), we are using security by obfuscation
# restart the service to see changes at the browser

<pre>
<nowiki>
sed -i -r 's#\#.*mod_status.*,.*# "mod_status",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*status.status-url.*=.*#status.status-url = "/stats/server-status"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*status.config-url.*=.*#status.config-url = "/stats/server-config"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

=== CGI bin directory support ===

By default packages assign a directory under localhost main domain, other linux uses a global cgi directory and aliasing.. the most professional way, but think about it, this per domain configuration allows isolation:

[https://wiki.lighttpd.net/mod_cgi mod_cgi]

# enable the mod_alias at the config file, due need of a specific path for cgi files into security
# create the directory
# enable the config cgi file
# restart the service to see changes at the browser

<pre>
<nowiki>
mkdir -p /var/www/localhost/cgi-bin

sed -i -r 's#\#.*mod_alias.*,.*# "mod_alias",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_cgi.conf".*# include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

After that, all the files under the <code>/var/www/localhost/cgi-bin</code> directory will be accessed under <nowiki>http://localhost/cgi-bin/</nowiki> path

.cgi and .pl scripts are run using /usr/bin/perl. Review and modify mod_cgi.conf others are needed. Then restart lighttpd to pick up the changes.

=== Make special errors (404 or 500) pages for clients and visitors ===

These pages will be shown to visitors when a page or path is not present on the server, or when an internal error happens.
These replace the default, minimal error pages and can be a nice message or "away from here" message:

[https://wiki.lighttpd.net/Server_errorfile-prefixDetails server.errorfile-prefix]

# create the directory for put the html files to show when those errors occur
# create the simple files for each message in the directory
# set the proper in the configuration file
# restart the service to see the changes at the browser (just request a non existing page and you will see it)

<pre>
<nowiki>
mkdir -p /var/www/localhost/errors

cat > /var/www/localhost/errors/status-404.html << EOF
<h1>The page that you requested are not yet here anymore, sorry was moved or updated, search or visit another one</h1>
EOF

cat > /var/www/localhost/errors/status-500.html << EOF
<h1>Please wait a moment, there's something happens and we are give support maintenance right now to resolve</h1>
EOF

cp /var/www/localhost/errors/status-404.html /var/www/localhost/errors/status-403.html

cp /var/www/localhost/errors/status-500.html /var/www/localhost/errors/status-501.html

cp /var/www/localhost/errors/status-500.html /var/www/localhost/errors/status-503.html

sed -i -r 's#.*server.errorfile-prefix.*#server.errorfile-prefix = var.basedir + "/errors/status-"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

=== Userdir public_html support ===

[https://wiki.lighttpd.net/mod_userdir mod_userdir]

== Lighttpd SSL support ==

[https://wiki.lighttpd.net/Docs_SSL lighttpd TLS doc]

Create TLS configuration for lighttpd. Best way to do that is by external include files. Debian counterpart has a good mechanism that enables configuration files. We will add SSL support in a similar way.

=== SSL : making self signed certificate ===

We need to created a self-signed certificate if we do not already have one:

# install openssl
# create the self signed certificate
# set proper permissions
# create a SSL module configuration file for lighttpd
# activate the openssl module missing from config file
# activate the mod_redirect in case of global http to https redirections
# restart the service to see changes

<pre>
<nowiki>
apk add openssl

mkdir -p /etc/ssl/certs/

openssl req -x509 -days 1460 -nodes -newkey rsa:4096 \
-subj "/C=VE/ST=Bolivar/L=Upata/O=VenenuX/OU=Systemas:hozYmartillo/CN=$(hostname -d)" \
-keyout /etc/ssl/certs/$(hostname -d).pem -out /etc/ssl/certs/$(hostname -d).pem

chmod 640 /etc/ssl/certs/$(hostname -d).pem

cat > /etc/lighttpd/mod_ssl.conf << EOF
server.modules += ("mod_openssl")
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/ssl/certs/$(hostname -d).pem"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = "enable"
}
$HTTP["scheme"] == "http" {
url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
url.redirect-code = 308
}
EOF

sed -i -r 's#\#.*mod_redirect.*,.*# "mod_redirect",#g' /etc/lighttpd/lighttpd.conf

checkssl="";checkssl=$(grep 'include "mod_ssl.conf' /etc/lighttpd/lighttpd.conf);[[ "$checkssl" != "" ]] && echo listo || sed -i -r 's#.*include "mime-types.conf".*#include "mime-types.conf"\ninclude "mod_ssl.conf"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

For deploy usage of Lets Encrypt without chain-tools (just add water) read [https://wiki.lighttpd.net/HowToSimpleSSL HowToSimpleSSL].

== Lighttpd advanced ==

Lighttpd has pretty good default settings, but a few might be tweaked if we need to respond to higher server loads.

[https://wiki.lighttpd.net/Docs_ResourceTuning lighttpd resource tuning]

=== Lighttpd tunning for aggressive load ===

[https://wiki.lighttpd.net/Docs_Performance lighttpd performance tuning]

=== More connections, More File Descriptors ===

This must be used with caution. Everything is a file to a UNIX operating system. Well, every time a visitor accesses a page, lighttpd uses three file descriptors: An IP socket to the client, a FastCGI process socket, and a filehandle for the document accessed. Lighttpd stops accepting new connections when 90% of the available sockets are in use, restarting again when usage has fallen to 80%. With the default setting of 1024 file descriptors, lighttpd can handle a maximum of 307 connections. If this number are exceded file descriptor must be increrased then. This are a delicate tune due must be check your default with <code>cat /proc/sys/fs/file-max</code> and make sure it’s over 10,000:

<pre>
<nowiki>
checkset="";checkset=$(grep 'max-fds' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings\nserver.max-fds = 2048\n#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart
</nowiki>
</pre>

=== HTTP Keep-Alive for aggressive load ===

One reason that file descriptors get used up so quickly is HTTP keep-alive. To improve performance, modern web servers keep client connections alive to handle multiple requests instead of building up and tearing down connections for each item in a page. Keep-alive is tremendously beneficial to performance, but tends to keep unnecessary connections alive, too. lighttpd allows 1000 keep-alive requests per connection, allows idle sessions to remain alive for 5 seconds, and gives reads and writes 1 minute and 6 minutes to complete, respectively.

# Maximum number of request within a keep-alive session before the server terminates the connection, default = 1000 (<code>server.max-keep-alive-requests</code>)
# Maximum number of seconds until an idling keep-alive connection is dropped, default = 5 (<code>server.max-keep-alive-idle</code>)
# Maximum number of seconds until a waiting, non keep-alive read times out and closes the connection, default = 60 (<code>server.max-read-idle</code>)
# Maximum number of seconds until a waiting write call times out and closes the connection, default = 360 (<code>server.max-write-idle</code>)

Although lighttpd has pretty aggressive defaults (especially compared to Apache), a period of heavy traffic and a few slow clients could see many unused connections sticking around. The server.max-keep-alive-idle setting default of 5 seconds can be reduced to as low as 2, if you assume your clients are reasonably quick about requesting data, but a value of 3 or 4 is probably realistic. You may want to increase the server.max-keep-alive-requests value from the default of 1000, but you probably don’t need to. The server.max-read-idle and server.max-write-idle settings are tempting targets, but these situations are usually fairly rare so let’s not monkey with them.

=== Lighttpd_Advanced_security ===

See at [[Lighttpd_Advanced_security]] wiki page.

=== Lighttpd and PHP with fpm ===

In production web, LAMP means '''L'''inux + '''A'''pache + '''M'''ysql + '''P'''hp installed and integrated, but today the "A" of apache are more used as Nginx or Lighttpd, and the "M" of MySQL are more used as Mariadb, the LAMP focused documents are:

* LAMP deploy of the Web Server with PHP, user html_dir and MariaDB: [[Production LAMP system: Lighttpd + PHP + MySQL]]
* LAMP deploy of the Web Server with PHP 5.6 and MariaDB: [[Production LAMP system: Lighttpd + PHP5 + MySQL]]

= See Also =

* [[Production LAMP system: Lighttpd + PHP + MySQL]]
* [[Alpine newbie developer]]

[[Category:Newbie]]
[[Category:Server]]
[[Category:Web_Server]]
[[Category:Monitoring]]
[[Category:Development]]
[[Category:Security]]
[[Category:Production]]

Production Web server: Lighttpd

2022-12-22T17:53:25Z

Gstrauss: modernize

Lighttpd

2020-12-22T03:33:28Z

Gstrauss: lighttpd 1.4.56 and later support HTTP/2; improve English language phrasing

Its name is a portmanteau of "light" and "httpd": [http://www.lighttpd.net/ lighttpd] is a simple, standards-compliant, secure, and flexible web server.

'''lighttpd is a powerful server, made long ago to handle upwards of 10,000 connections in parallel on one server'''. It was used in wikipedia server a log time ago and also some google services.

{{Note|As for minimal sites and quick-start purposes, it is recommended due to its easy configuration process and excellent performance without much configuration. Check https://w3techs.com/technologies/details/ws-lighttpd and note that it is used in high traffic and important sites like postgresql.org}}

== General information ==

{| class="wikitable"
|-
! Feature/Artifact !! Value/Name !! Observations
|-
| Main package name || lighttpd || <code><nowiki>apk add lighttpd</nowiki></code>
|-
| Manpages and DOCs packages || lighttpd-doc || <code><nowiki>apk add lighttpd-doc</nowiki></code>
|-
| Configuration file || {{Path|/etc/lighttpd/lighttpd.conf}} || A vanilla default configuration
|-
| Html place for system pages || {{Path|/var/www/localhost/htdocs/}} || Each web server in alpine has own path for that
|-
| Dynamic files (cache, extra) || {{Path|/var/lib/lighttpd/}} || Created dynamically, each server in alpine has own path for that
|-
| Log files (error, access, etc) || {{Path|/var/log/lighttpd/}} || Each web server in alpine has own path for that
|-
| User running the webserver || lighttpd || Others Linux used "www-data" alpine has as a group
|-
| Group to common to webserver || www-data || Used to share things amont others daemons or services, like redis or apache files
|-
| Programed on || C and lua || Main engine code in C, modules and config in Lua variants
|}

==== Important Limitations ====

Some common hosting panels do not handle {{Pkg|lighttpd}} configuration management.

No HTTP/3 support.

As we read previously.. main purpose was handle several request on one server, so are focused on high load.

As main front end web server are perfect and it's '''recommended as reverse proxy server for {{Pkg|apache2}} or {{Pkg|nginx}}'''.

== Install Lighttpd ==

The installation works just out of the box for only static pages, just with install you can see webserver in action by put any file inside the {{Path|/var/www/localhost/htdocs/}} directory.

Per user web files are supported by default in {{Path|/home/<user>/public_html}} directory by default if we enable it (process are described below in further section "Lighttpd configuration".

{{Pkg|lighttpd}} is available in the Alpine Linux repositories. To install, simple launch the commands below:

<pre>
<nowiki>
apk add lighttpd

rc-update add lighttpd default

rc-service lighttpd restart
</nowiki>
</pre>

== Testing Lighttpd ==

This section is assuming that lighttpd is running. If you now launch a web browser from a remote system and point it to your web server, you will see a page that says "404 - Not Found". Well, at the moment there is no content available but the server is up and running.

Let's add a simple test page to get rid of the "404 - Not Found page".

{{Cmd|echo "Lighttpd is running..." > /var/www/localhost/htdocs/index.html}}

'''For testing open a browser and go to <code><nowiki>http://127.0.0.1/</nowiki></code> and you will see "Lighttpd is running..."'''. Note that we used "127.0.0.1" if you are using alpine as the only machine for all as your main desktop/pc/machine.

If you are using alpine remotelly as web server and just install it the package, '''open a browser in your desktop machine, and go to <code><nowiki>http://<webserveripaddres>/</nowiki></code>. The "webserveripaddres" are the ip address of your setup/server machine.

== Lighttpd Configuration ==

'''If you just want to serve simple HTML pages lighttpd can be used out-of-box. No further configuration needed.'''

For production purposes the [[Production LAMP system: Lighttpd + PHP + MySQL]] wiki page will explain in details all the needs, there's the [[Production Lets Encrypt: dehydrated]] wiki page with futher information to use HTTPS and lets encrypt certificates.

Due to the minimalism of alpine linux, '''unfortunately the lighttpd packaging only provided vanilla configurations not close to alpine or easy admin maintenance''', see the [[Production LAMP system: Lighttpd + PHP + MySQL]] wiki page to goin in deep about configuring lighttpd web server.

==== Controlling Lighttpd ====

'''''Start lighttpd''''': After the installation {{Pkg|lighttpd}} is not running. As we made in first section was started already but if you want to start {{Pkg|lighttpd}} manually use:

{{Cmd|rc-service lighttpd start}}

You will get a feedback about the status.

<pre>
* Caching service dependencies [ ok ]
* Starting lighttpd... [ ok ]
</pre>

'''''Stop lighttpd''''': If you want to stop the web server use ''stop'' in the same way of previous command:

{{Cmd|rc-service lighttpd stop}}

'''''Restart lighttpd''''': After changing the configuration file lighttpd needs to be restarted.

{{Cmd|rc-service lighttpd restart}}

'''''Proper Runlevel''''': By default no services are added to start process, sysadmin must know what we want and what will services do, also other main reason are due in dockers there's no runlevels per se and Alpine linux are mostly used in dockers containers. You must added the servide only to the default runlevel, not to boot, because need networking activated

{{Cmd|rc-update add lighttpd default}}

= See Also =

In production web, LAMP means '''L'''inux + '''A'''pache + '''M'''ysql + '''P'''hp installed and integrated, but today the "A" of apache are more used as Nginx or Lighttpd, and the "M" of MySQL are more used as Mariadb, the LAMP focused documents are:

* [[Setting_Up_Lighttpd_with_PHP|Setting Up Lighttpd with PHP]]
* [[Lighttpd Advanced security]]
* [[Production Lets Encrypt: dehydrated]]
* LAMP deploy of the Web Server with PHP, user html_dir and MariaDB: [[Production LAMP system: Lighttpd + PHP + MySQL]]
* LAMP deploy of the Web Server with PHP 5.6 and MariaDB: [[Production LAMP system: Lighttpd + PHP5 + MySQL]]
* [[Alpine newbie developer]]
* [[Alpine newbie lammers]]

[[Category:Newbie]]
[[Category:Server]]
[[Category:Web_Server]]
[[Category:Development]]