Lighttpd Advanced security - Revision history

Zcrayfish: Condense the HTTPS stuff down even further and remove the ridiculous contradiction with the "redirecting HTTP to HTTPS" section.

2024-01-09T02:07:56Z

Condense the HTTPS stuff down even further and remove the ridiculous contradiction with the "redirecting HTTP to HTTPS" section.

← Older revision		Revision as of 02:07, 9 January 2024
Line 69:		Line 69:
	</pre>		</pre>

	== ~~Mitigation of well-known attacks~~ ==		== Modern HTTPS access ==

	Most well-known attacks have been mitigated in lighttpd 1.4.54 and up found in modern versions of Alpine (3.11 and up), however if your userbase supports it, it is recommended to disable support for older versions of TLS in your server configuration, ensuring protection against regressions that can enable the BEAST or POODLE attacks:		For higher security [[lighttpd]] 1.4.56 and up can be configured to allow HTTPS access with modern TLS versions and ciphersuites.

	~~For lighttpd 1.4.54 and 1.4.55:~~
	~~<pre>~~
	~~ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-SessionTicket")~~
	~~ssl.honor-cipher-order = "disable"~~
	~~</pre>~~

	For lighttpd 1.4.64 and up:
	~~<pre>~~
	~~ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3")~~
	~~ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")~~
	~~</pre>~~

	~~== Https access ==~~

	~~For higher security [[Lighttpd]]~~ can be configured to allow ~~https~~ access.

	The configuration of lighttpd needs to be modified.		The configuration of lighttpd needs to be modified.
Line 93:		Line 77:
	{{Cmd\|nano /etc/lighttpd/lighttpd.conf}}		{{Cmd\|nano /etc/lighttpd/lighttpd.conf}}

	~~Uncomment this section and adjust~~ the ~~path~~ so 'ssl.pemfile' ~~points~~ to where ~~our~~ cert/key ~~pair is~~ stored. ~~Or copy the example below into your configuration file if you saved it to /etc/lighttpd/server.pem.~~		Adjust the paths below so 'ssl.pemfile' and 'ssl.privkey' point to where the cert and private key are stored.

	<pre>		<pre>
	ssl.engine = "enable"		$SERVER["socket"] == "[::]:80" { }
	ssl.pemfile = "/etc/lighttpd/server.pem"		$SERVER["socket"] == ":443" { ssl.engine = "enable" }
			$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
			ssl.privkey = "/etc/lighttpd/server.key"
			ssl.pemfile = "/etc/lighttpd/server.pem"
			ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3")
			ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
	</pre>		</pre>

	~~You'll also want to set the server to listen on port 443. Replace this:~~
	~~<pre>server.port = 80</pre>~~
	~~with this:~~
	~~<pre>server.port = 443</pre>~~

	Restart lighttpd		Restart lighttpd
Line 123:		Line 108:
	With the command below the self-signed certificate and key pair are generated. A 2048 bit key is the minimum recommended at the time of writing, so we use '-newkey rsa:2048' in the command. Change to suit your needs. Answer all questions.		With the command below the self-signed certificate and key pair are generated. A 2048 bit key is the minimum recommended at the time of writing, so we use '-newkey rsa:2048' in the command. Change to suit your needs. Answer all questions.

	{{Cmd\|openssl req -newkey rsa:2048 -x509 -keyout server.~~pem~~ -out server.pem -days 365 -nodes}}		{{Cmd\|openssl req -newkey rsa:2048 -x509 -keyout server.key -out server.pem -days 365 -nodes}}

	Adjust the permissions		Adjust the permissions

Zcrayfish: Removed PFS section entirely; forcing TLSv1.3 pretty much accomplishes that anyway.

2024-01-09T01:50:07Z

Removed PFS section entirely; forcing TLSv1.3 pretty much accomplishes that anyway.

@@ Line 67: / Line 67: @@
   #     url.access-deny = ( "" )
   #  }
 </pre>

Zcrayfish: /* Mitigation of well know-ed attacks */ Greatly simplify this section as between lighttpd, openssl, and Alpine Linux packages, most of these options are no longer needed.

2024-01-09T01:44:44Z

Mitigation of well know-ed attacks: Greatly simplify this section as between lighttpd, openssl, and Alpine Linux packages, most of these options are no longer needed.

@@ Line 80: / Line 80: @@
 </pre>
-== Mitigation of well know-ed attacks ==
+== Mitigation of well-known attacks ==
-=== BEAST attack, CVE-2011-3389 ===
+Most well-known attacks have been mitigated in lighttpd 1.4.54 and up found in modern versions of Alpine (3.11 and up), however if your userbase supports it, it is recommended to disable support for older versions of TLS in your server configuration, ensuring protection against regressions that can enable the BEAST or POODLE attacks:
 <pre>
-:!EXPORT
+ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-SessionTicket")
 </pre>
-Although now might be a good time to review the cipher list in use, and use a stronger, explicit set like the one from the Perfect Forward Secrecy section, or another example:
+For lighttpd 1.4.64 and up:
 <pre>
-ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
+ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3")
 </pre>
 == Https access ==

Sertonix: replace /etc/init.d with rc-service

2023-11-17T10:49:20Z

replace /etc/init.d with rc-service

← Older revision		Revision as of 10:49, 17 November 2023
Line 195:		Line 195:
	mini_http is no longer needed.		mini_http is no longer needed.

	{{Cmd\|~~/etc/init.d/~~mini_httpd stop && rc-update del mini_httpd}}		{{Cmd\|rc-service mini_httpd stop && rc-update del mini_httpd}}

	Removing the mini_http package		Removing the mini_http package

Zcrayfish: /* More details */ Changed a hyperlink to https

2023-07-26T21:44:51Z

More details: Changed a hyperlink to https

← Older revision		Revision as of 21:44, 26 July 2023
Line 220:		Line 220:
	== More details ==		== More details ==

	* [~~http~~://redmine.lighttpd.net/wiki/1/Docs:SSL Lighttpd documentation]		* [https://redmine.lighttpd.net/wiki/1/Docs:SSL Lighttpd documentation]

	[[Category:Web Server]]		[[Category:Web Server]]
	[[Category:Security]]		[[Category:Security]]

Zcrayfish: /* BEAST attack, CVE-2011-3389 */ changed hyperlinks to https

2023-07-26T21:44:02Z

BEAST attack, CVE-2011-3389: changed hyperlinks to https

← Older revision		Revision as of 21:44, 26 July 2023
Line 90:		Line 90:

	# A stricter base cipher suite. For details see:		# A stricter base cipher suite. For details see:
	# ~~http~~://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389		# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
	# or		# or
	# ~~http~~://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389		# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389

	ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"		ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

Arrogance at 06:41, 30 May 2023

2023-05-30T06:41:30Z

← Older revision		Revision as of 06:41, 30 May 2023
Line 222:		Line 222:
	* [http://redmine.lighttpd.net/wiki/1/Docs:SSL Lighttpd documentation]		* [http://redmine.lighttpd.net/wiki/1/Docs:SSL Lighttpd documentation]

	[[Category:Server]]		[[Category:Web Server]]
	[[Category:Security]]		[[Category:Security]]

Mckaygerhard: /* Access Control List */ negative comparison explained

2019-08-28T13:47:46Z

Access Control List: negative comparison explained

← Older revision		Revision as of 13:47, 28 August 2019
Line 12:		Line 12:
	</pre>		</pre>

	* <code>remoteip</code> will be compared again single ip only, in that example again 3 ip's. The <nowiki>!~</nowiki> are only used for ~~one~~ ip ~~event range of~~, ~~for that see next example~~.		* <code>remoteip</code> will be compared again single ip only, in that example again 3 ip's. The <nowiki>!~</nowiki> are only used for those ip's that ar allowed, the rest will be denied (negative comparison).
	* <code>hidden_dir</code> are the name of the relative path under your root htdocs webserver place, or absolute path where are the files that are served.		* <code>hidden_dir</code> are the name of the relative path under your root htdocs webserver place, or absolute path where are the files that are served.

Mckaygerhard: fix Access Control List access rules and improve the example, with citation docs

2019-08-28T13:46:38Z

fix Access Control List access rules and improve the example, with citation docs

← Older revision		Revision as of 13:46, 28 August 2019
Line 1:		Line 1:
	== ~~access control list~~ ==		== Access Control List ==

	This is a way you can define a directory and only allow clients coming from the specified ~~ips~~ to have access. This might be nice to allow internal LAN clients access to the status pages or employee contact information and deny other clients.		This is a way you can define a directory and only allow clients coming from the specified ip's to have access. This might be nice to allow internal LAN clients access to the status pages or employee contact information and deny other clients.

	<pre>		<pre>
	#### access control list for hidden_dir (not for use behind proxies) CAUTION REMOVE "#" to work		#### access control list for hidden_dir (not for use behind proxies) CAUTION REMOVE "#" to work
	# $HTTP["remoteip"] !~ "127.0.0.1\|10.10.10.2\|20.10.20.30" {		$HTTP["remoteip"] !~ "127.0.0.1\|10.10.10.2\|20.10.20.30" {
	# $HTTP["url"] =~ "^/hidden_dir/" {		$HTTP["url"] =~ "^/hidden_dir/" {
	# url.access-deny = ( "" )		url.access-deny = ( "" )
	# }		}
	# }		}
	</pre>		</pre>

			* <code>remoteip</code> will be compared again single ip only, in that example again 3 ip's. The <nowiki>!~</nowiki> are only used for one ip event range of, for that see next example.
			* <code>hidden_dir</code> are the name of the relative path under your root htdocs webserver place, or absolute path where are the files that are served.

			<pre>
			$HTTP["url"] =~ "^/hidden_dir/" {
			$HTTP["remoteip"] == "33.222.0.0/16" {
			}
			else $HTTP["remoteip"] == "75.209.116.4" {
			}
			else $HTTP["remoteip"] == "79.31.34.79" {
			}
			else $HTTP["remoteip"] != "" { # (dummy match everything)
			url.access-deny = ( "" )
			}
			}
			</pre>

			* <nowiki>33.222.0.0/16</nowiki> in this case, we first match the denied entry to, then check the ip that access to that entry and for each network range at the last will be the acces deny rule.

			===== See also =====

			* https://redmine.lighttpd.net/boards/2/topics/1279
			* https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAccess

	== stop image hijacking ==		== stop image hijacking ==

Mckaygerhard: advanced lighttpd security and configurartion .. also merged with https

2019-08-26T17:48:47Z

advanced lighttpd security and configurartion .. also merged with https

Show changes