Production Web server: Lighttpd
Mckaygerhard (talk | contribs): start production good made documents..for lighttpd into the professional wiki pages series
Mckaygerhard (talk | contribs): start production good made documents.. finished well made lighttpd professional deploy
Revision as of 21:28, 1 March 2020
lighttpd is a simple, standards-compliant, secure, and flexible web server.
Lighttpd Installation
A production environment should carry only the packages it needs, so no documentation or management packages are installed:
- run apk for the needed packages
- create the htdocs public web root directories
- change the default port to the production one (HTTP uses port 80)
- use the FAM-style (gamin) file alteration monitor, which increases performance
- use the Linux event handler, which increases performance since Alpine is Linux only
- add the service to the default runlevel, not to boot, because it needs networking activated
- start the web server service
apk add lighttpd gamin
mkdir -p /var/www/localhost/htdocs /var/log/lighttpd /var/lib/lighttpd
sed -i -r 's#\#.*server.port.*=.*#server.port = 80#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*server.stat-cache-engine.*=.*# server.stat-cache-engine = "fam"#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#\#.*server.event-handler = "linux-sysepoll".*#server.event-handler = "linux-sysepoll"#g' /etc/lighttpd/lighttpd.conf
mkdir -p /var/lib/lighttpd
chown -R lighttpd:lighttpd /var/www/localhost/
chown -R lighttpd:lighttpd /var/lib/lighttpd
chown -R lighttpd:lighttpd /var/log/lighttpd
rc-update add lighttpd default
rc-service lighttpd restart
echo "it works" > /var/www/localhost/htdocs/index.html
- For testing, open a browser and go to http://<webserveripaddres> and you will see "it works". Here "webserveripaddres" is the IP address of your setup/server machine.
- There is a problem in Alpine Linux: FAM (gamin) is activated as a lighttpd-only service. That makes sense in Docker, but on servers it could be a problem if FAM (gamin) is also needed by other services at the same time.
Controlling Lighttpd
Start lighttpd: After the installation lighttpd is not running. In the first section it was already started, but if you want to start lighttpd manually use:
rc-service lighttpd start
You will get feedback about the status:
 * Caching service dependencies [ ok ]
 * Starting lighttpd... [ ok ]
Stop lighttpd: If you want to stop the web server, use stop in the same way as the previous command:
rc-service lighttpd stop
Restart lighttpd: After changing the configuration file, lighttpd needs to be restarted:
rc-service lighttpd restart
Proper Runlevel: By default no services are added to the start process; the sysadmin must know what is wanted and what the services will do. Another main reason is that in Docker there are no runlevels per se, and Alpine Linux is mostly used in Docker containers. You must add the service only to the default runlevel, not to boot, because it needs networking activated:
rc-update add lighttpd default
Lighttpd Configuration
If you just want to serve simple HTML pages lighttpd can be used out-of-box. No further configuration needed.
Due to the minimalism of Alpine Linux, the lighttpd packaging is unfortunately the worst ever seen: its configuration file makes it impossible to configure with single-line commands, so the quick-configuration commands below take special care about overwriting.
Status special page
Taking care of the status web server: these special pages give just minimal information about the running web server. They need to be viewable from outside in case of emergency, so do not take the wrong approach of hiding them behind a filtered IP or a filtered network; you must have access at all times, from anywhere on the web, to see problems. The directory is created under the htdocs main web root just to remind you, so that you can avoid hiring staff who become indispensable, thus saving the costs of knowledge theft by technical staff.
- enable mod_status in the config file
- change the path in the config file (the page relies on security by obscurity here)
- restart the service to see the changes in the browser
mkdir -p /var/www/localhost/htdocs/stats
sed -i -r 's#\#.*mod_status.*,.*# "mod_status",#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*status.status-url.*=.*#status.status-url = "/stats/server-status"#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*status.config-url.*=.*#status.config-url = "/stats/server-config"#g' /etc/lighttpd/lighttpd.conf
rc-service lighttpd restart
CGI bin directory support
By default the package assigns a directory under the localhost main domain; other Linux distributions use a global cgi directory with aliasing, which is the most professional way, but think about it: this per-domain configuration allows isolation:
- enable mod_alias in the config file, since for security the cgi files need a specific path
- create the directory, since the packager makes no reference to it, not even in lighttpd-doc
- enable the cgi config file
- restart the service to see the changes in the browser
mkdir -p /var/www/localhost/cgi-bin
sed -i -r 's#\#.*mod_alias.*,.*# "mod_alias",#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*include "mod_cgi.conf".*# include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf
rc-service lighttpd restart
After that, all files under the /var/www/localhost/cgi-bin directory will be served under the http://localhost/cgi-bin/ path.
In addition, this config file makes every .cgi file be processed by Perl, which is wrong; but at the moment that is very specific, and each development must document how to deploy properly and enable CGI only in a specific way.
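The installation, status and CGI sections above all edit lighttpd.conf with sed one-liners that silently do nothing when the expected commented line is absent, and that can leave duplicate or clobbered settings when run twice. As an added example (POSIX shell written for this page, not the wiki's own commands), the helpers below make the same edits idempotent on a constructed sample config; the key and module names are the real lighttpd ones used on the page, while the sample file layout is an assumption.

```shell
# Added example, not from the Alpine wiki page: the page's quick configuration
# rewrites lighttpd.conf with sed one-liners that assume a "#key = ..." line
# exists. These helpers make the same edits (port, FAM stat cache, epoll
# handler, mod_status URLs, module enabling) idempotent, so re-running them
# never duplicates a key or module. The sample config is constructed (assumed).

key_re() { printf '%s' "$1" | sed 's/[.]/\\./g'; }   # escape dots for ERE

# Set "key = value": uncomment/overwrite an existing line, else append it.
set_conf_key() {
    f="$1"; key="$2"; value="$3"; re=$(key_re "$key")
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${re}[[:space:]]*=" "$f"; then
        sed -i -r "s|^[[:space:]]*#?[[:space:]]*${re}[[:space:]]*=.*|${key} = ${value}|" "$f"
    else
        printf '%s = %s\n' "$key" "$value" >> "$f"
    fi
}

# Effective value of a key (empty if absent or still commented out).
get_conf_key() {
    sed -n -r "s/^[[:space:]]*$(key_re "$2")[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# True if the module is uncommented in server.modules or was appended with
# the server.modules += ("...") form the page uses for mod_openssl.
module_enabled() {
    grep -Eq "^[[:space:]]*\"$2\",|server\.modules \+= \(\"$2\"\)" "$1"
}

# Enable a module: uncomment its list entry if present, otherwise append.
enable_module() {
    f="$1"; mod="$2"
    if module_enabled "$f" "$mod"; then
        return 0
    elif grep -Eq "^[[:space:]]*#[[:space:]]*\"$mod\"," "$f"; then
        sed -i -r "s|^[[:space:]]*#[[:space:]]*\"$mod\",|    \"$mod\",|" "$f"
    else
        printf 'server.modules += ("%s")\n' "$mod" >> "$f"
    fi
}

# Demo: apply the page's settings twice to a constructed config; return its path.
demo_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
server.modules = (
    "mod_rewrite",
#   "mod_status",
#   "mod_alias",
    "mod_accesslog"
)
#server.port = 8080
server.stat-cache-engine = "simple"
#status.status-url = "/server-status"
EOF
    for pass in 1 2; do
        set_conf_key "$f" server.port 80
        set_conf_key "$f" server.stat-cache-engine '"fam"'
        set_conf_key "$f" server.event-handler '"linux-sysepoll"'
        set_conf_key "$f" status.status-url '"/stats/server-status"'
        enable_module "$f" mod_status
        enable_module "$f" mod_alias
        enable_module "$f" mod_redirect
    done
    printf '%s\n' "$f"
}
```

On a real host, validate the edited file with `lighttpd -t -f /etc/lighttpd/lighttpd.conf` before `rc-service lighttpd restart`, so a bad edit never takes the server down.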
Make special error (404 or 500) pages for clients and visitors
These pages are shown to visitors when a page or path does not exist on the server, or when an internal error happens, so that visitors do not see a horrible development message but just a nice message or an "away from here" message:
- create the directory for the HTML files that are shown when those errors happen
- create a simple file for each message in the directory
- set the proper prefix in the configuration file
- restart the service to see the changes in the browser (just request a non-existing page and you will see it)
mkdir -p /var/www/localhost/errors
cat > /var/www/localhost/errors/status-404.html << EOF
<h1>The page that you requested are not yet here anymore, sorry was moved or updated, search or visit another one</h1>
EOF
cat > /var/www/localhost/errors/status-500.html << EOF
<h1>Please wait a moment, there's something happens and we are give support maintenance right now to resolve</h1>
EOF
cp /var/www/localhost/errors/status-404.html /var/www/localhost/errors/status-403.html
cp /var/www/localhost/errors/status-500.html /var/www/localhost/errors/status-501.html
cp /var/www/localhost/errors/status-500.html /var/www/localhost/errors/status-503.html
sed -i -r 's#.*server.errorfile-prefix.*#server.errorfile-prefix = var.basedir + "/errors/status-"#g' /etc/lighttpd/lighttpd.conf
rc-service lighttpd restart
Userdir public_html support
Lighttpd SSL support
As we said, the package is made in a limited way and only has vague references: the configuration file contains only two lines for SSL, and if you try to uncomment those lines the service will not start, since there is no line for the openssl module and it must be added manually.
The best way to do that is with external include files; the Debian counterpart has a good mechanism that enables configuration files, and we will do SSL support the same way: everything SSL-related goes in a specific file, but that file must be included before the rest of the configuration, just after the module loading, to take effect in the https case.
SSL: making a self-signed certificate
We need to create a self-signed certificate, so openssl is needed in any case, even if a remotely made certificate is used:
- install openssl
- create the self-signed certificate
- set proper permissions
- create an SSL module configuration file for lighttpd
- activate the openssl module missing from the config file
- activate mod_redirect for a global http-to-https redirection
- restart the service to see the changes
apk add openssl
mkdir -p /etc/ssl/certs/
openssl req -x509 -days 1460 -nodes -newkey rsa:4096 \
   -subj "/C=VE/ST=Bolivar/L=Upata/O=VenenuX/OU=Systemas:hozYmartillo/CN=$(hostname -d)" \
   -keyout /etc/ssl/certs/$(hostname -d).pem -out /etc/ssl/certs/$(hostname -d).pem
chmod 640 /etc/ssl/certs/$(hostname -d).pem
cat > /etc/lighttpd/mod_ssl.conf << EOF
server.modules += ("mod_openssl")
\$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/certs/$(hostname -d).pem"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"
}
\$HTTP["scheme"] == "http" {
    \$HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0\$0")
    }
}
EOF
sed -i -r 's#\#.*mod_redirect.*,.*# "mod_redirect",#g' /etc/lighttpd/lighttpd.conf
checkssl="";checkssl=$(grep 'include "mod_ssl.conf' /etc/lighttpd/lighttpd.conf);[[ "$checkssl" != "" ]] && echo listo || sed -i -r 's#.*include "mime-types.conf".*#include "mime-types.conf"\ninclude "mod_ssl.conf"#g' /etc/lighttpd/lighttpd.conf
rc-service lighttpd restart
For deploying Let's Encrypt without chain tools (just add water) read Production Lets Encrypt: dehydrated.
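As an added example for the SSL include described above (POSIX shell written for this page, not the wiki's own commands), the following builds mod_ssl.conf with the page's structure and inserts the include after mime-types.conf exactly once, replacing the grep/[[ ]] one-liner with a function; it also guards the certificate file name against an empty `hostname -d`, and places a cipher list without RC4 and without the "!AESGCM" exclusion beside the page's own list, since RC4 is broken and AES-GCM is the AEAD suite a server should prefer. The paths, the domain value, the hardened cipher list and the sample lighttpd.conf are constructed assumptions.

```shell
# Added example, not from the Alpine wiki page: builds the mod_ssl.conf include
# from the SSL section and wires it into lighttpd.conf. Compared with the page's
# one-liner it inserts the include only once, guards the certificate name
# against an empty `hostname -d` (which yields "/etc/ssl/certs/.pem"), and
# offers a cipher list without RC4 and without the "!AESGCM" exclusion, since
# RC4 is broken and AES-GCM is the AEAD suite you want. Paths, the domain
# value and the sample lighttpd.conf are constructed for the demo.

PAGE_CIPHERS='ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM'
HARDENED_CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5:!RC4'

# <certdir>/<domain>.pem, falling back to localhost when the domain is empty.
cert_path() {
    domain="$1"; [ -n "$domain" ] || domain=localhost
    printf '%s/%s.pem\n' "$2" "$domain"
}

# Write the include with the page's structure: module load, :443 socket
# block, and the global http -> https redirect (the \$ escapes keep
# lighttpd's $SERVER/$HTTP/$0 literal, as in the page's heredoc).
write_mod_ssl() {
    cat > "$1" <<EOF
server.modules += ("mod_openssl")
\$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.pemfile = "$2"
    ssl.cipher-list = "$3"
    ssl.honor-cipher-order = "enable"
}
\$HTTP["scheme"] == "http" {
    \$HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0\$0")
    }
}
EOF
}

# Add `include "<file>"` right after the mime-types include, exactly once;
# fails loudly if that anchor line is missing instead of appending blindly.
ensure_include() {
    f="$1"; inc="$2"
    if grep -q "^include \"$inc\"" "$f"; then return 0; fi
    if ! grep -q '^include "mime-types.conf"' "$f"; then
        echo "ensure_include: no mime-types.conf include in $f" >&2; return 1
    fi
    sed -i "/^include \"mime-types.conf\"/a\\
include \"$inc\"" "$f"
}

# How many times the include line appears (should be exactly 1).
include_count() { grep -c "^include \"$2\"" "$1"; }

# Demo on a constructed config: run the wiring twice, return the work dir.
demo_ssl() {
    dir=$(mktemp -d)
    printf 'server.modules = ("mod_rewrite", "mod_redirect")\ninclude "mime-types.conf"\nserver.port = 80\n' > "$dir/lighttpd.conf"
    pem=$(cert_path "" "$dir")            # empty domain -> localhost.pem
    write_mod_ssl "$dir/mod_ssl.conf" "$pem" "$HARDENED_CIPHERS"
    ensure_include "$dir/lighttpd.conf" mod_ssl.conf
    ensure_include "$dir/lighttpd.conf" mod_ssl.conf   # second run is a no-op
    printf '%s\n' "$dir"
}
```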
Lighttpd advanced
Lighttpd_Advanced_security
See the Lighttpd_Advanced_security wiki page.
Lighttpd and PHP with fpm
In production web, LAMP means Linux + Apache + MySQL + PHP installed and integrated, but today the "A" of Apache is more often Nginx or Lighttpd, and the "M" of MySQL is more often MariaDB. The LAMP-focused documents are:
- LAMP deployment of the web server with PHP, user html_dir and MariaDB: Production LAMP system: Lighttpd + PHP + MySQL