Lighttpd Advanced security: Difference between revisions
Ginjachris (talk | contribs) |
Ginjachris (talk | contribs) |
||
Line 60: | Line 60: | ||
{{Cmd|/etc/init.d/lighttpd restart}} | {{Cmd|/etc/init.d/lighttpd restart}} | ||
== Security == | |||
To help mitigate the BEAST attack add the following to your configuration: | |||
#### Mitigate BEAST attack: | |||
# A stricter base cipher suite. For details see: | |||
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389 | |||
# or | |||
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 | |||
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" | |||
# Make the server prefer the order of the server side cipher suite instead of the client suite. | |||
# This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). | |||
# This option is enabled by default, but only used if ssl.cipher-list is set. | |||
# | |||
ssl.honor-cipher-order = "enable" | |||
# Mitigate CVE-2009-3555 by disabling client triggered renegotiation | |||
# This option is enabled by default. | |||
# | |||
ssl.disable-client-renegotiation = "enable" | |||
# | |||
== More details == | == More details == |
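Review bot: the ssl.cipher-list line in this hunk offers RC4 (RC4-SHA:RC4) and explicitly excludes the AES-GCM suites (!AESGCM), so the BEAST mitigation here rests on a cipher that RFC 7465 has since prohibited for TLS, and the comment block above the directive does not say that !AESGCM removes the only AEAD suites in the list. Suggest documenting that trade-off next to the directive and noting that the RC4 entries should be dropped once clients with TLS 1.1+ support are the norm; the ssl.honor-cipher-order and ssl.disable-client-renegotiation comments are clear as written.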
Revision as of 19:38, 3 November 2013
For higher security, Lighttpd can be configured to allow HTTPS access.
Generate the certificates with openssl
To generate certificates, openssl is needed.
apk add openssl
Change to the lighttpd configuration directory
cd /etc/lighttpd
The command below generates a self-signed certificate together with its private key, both written to server.pem. Answer all questions.
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
Adjust the permissions
chmod 400 /etc/lighttpd/server.pem
Generate the certificates with acf
Install the ACF
setup-acf
Move the generated certificate to the lighttpd configuration directory.
mv /etc/ssl/mini_httpd/server.pem /etc/lighttpd/server.pem
Adjust the permissions
chown root:root /etc/lighttpd/server.pem
chmod 400 /etc/lighttpd/server.pem
mini_httpd is no longer needed.
/etc/init.d/mini_httpd stop && rc-update del mini_httpd
Remove the mini_httpd package
apk del mini_httpd
Configure Lighttpd
The configuration of lighttpd needs to be modified.
nano /etc/lighttpd/lighttpd.conf
Uncomment the ssl section and adjust the path, or copy the example below into your configuration file.
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"
You'll also want to set the server to listen on port 443. Replace this:
server.port = 80
with this:
server.port = 443
Restart lighttpd
/etc/init.d/lighttpd restart
Security
To help mitigate the BEAST attack add the following to your configuration:
#### Mitigate BEAST attack:
# A stricter base cipher suite. For details see:
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
# or
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
# Make the server prefer the order of the server side cipher suite instead of the client suite.
# This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
# This option is enabled by default, but only used if ssl.cipher-list is set.
#
ssl.honor-cipher-order = "enable"
# Mitigate CVE-2009-3555 by disabling client triggered renegotiation
# This option is enabled by default.
#
ssl.disable-client-renegotiation = "enable"
#
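As an added example (not code from the Alpine wiki page or from the lighttpd project), the script below audits the result of the certificate steps and of the "Configure Lighttpd" and "Security" sections above: it checks that server.pem holds both a private key and a certificate and is mode 400, and that lighttpd.conf enables ssl.engine, sets ssl.pemfile, listens on 443, does not disable the cipher-order and renegotiation options, and does not offer RC4 in ssl.cipher-list. The directive names are lighttpd's own; the sample config, the placeholder PEM markers and the "modern" cipher string are constructed for the demo and are not from the page.

```shell
#!/bin/sh
# Added example, not from the wiki page: post-install audit of server.pem
# and of the TLS directives in lighttpd.conf. Sample files are constructed.

# Print the quoted value of DIRECTIVE from FILE (first uncommented match).
# Usage: conf_value FILE DIRECTIVE
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed 's/^[^"]*"\([^"]*\)".*$/\1/'
}

# True when an OpenSSL cipher string offers RC4 through a token that is not
# negated with '!'. Only explicit tokens are inspected; aliases such as HIGH
# are not expanded here.
offers_rc4() {
    echo "$1" | tr ':' '\n' | grep -q '^[^!]*RC4'
}

# Check server.pem as the page leaves it: one file holding both the private
# key and the certificate, mode 400. Returns the number of problems found.
check_pem() {
    pem="$1"; problems=0
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" \
        || { echo "FAIL $pem: no private key"; problems=$((problems+1)); }
    grep -q 'BEGIN CERTIFICATE' "$pem" \
        || { echo "FAIL $pem: no certificate"; problems=$((problems+1)); }
    mode="$(ls -ld "$pem" | cut -c1-10)"
    [ "$mode" = "-r--------" ] \
        || { echo "FAIL $pem: mode is $mode, expected -r-------- (chmod 400)"; problems=$((problems+1)); }
    return "$problems"
}

# Check the directives from the page's configuration sections.
# Returns the number of problems found (0 = clean).
audit_tls_conf() {
    conf="$1"; problems=0
    [ "$(conf_value "$conf" ssl.engine)" = "enable" ] \
        || { echo "FAIL ssl.engine is not enabled"; problems=$((problems+1)); }
    [ -n "$(conf_value "$conf" ssl.pemfile)" ] \
        || { echo "FAIL ssl.pemfile is not set"; problems=$((problems+1)); }
    grep -Eq '^[[:space:]]*server\.port[[:space:]]*=[[:space:]]*443' "$conf" \
        || { echo "WARN server.port is not 443"; problems=$((problems+1)); }
    # Both options default to enable per the page, so only an explicit
    # "disable" is a finding; an unset value is reported for visibility.
    for directive in ssl.honor-cipher-order ssl.disable-client-renegotiation; do
        v="$(conf_value "$conf" "$directive")"
        if [ "$v" = "disable" ]; then
            echo "FAIL $directive is explicitly disabled"; problems=$((problems+1))
        elif [ -z "$v" ]; then
            echo "INFO $directive not set, relying on the default"
        fi
    done
    ciphers="$(conf_value "$conf" ssl.cipher-list)"
    if offers_rc4 "$ciphers"; then
        echo "WARN ssl.cipher-list offers RC4 (prohibited for TLS by RFC 7465): $ciphers"
        problems=$((problems+1))
    fi
    return "$problems"
}

# Write a constructed lighttpd.conf fragment to $1 using cipher list $2.
make_sample_conf() {
    cat > "$1" <<EOF
server.port = 443
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"
ssl.cipher-list = "$2"
ssl.honor-cipher-order = "enable"
ssl.disable-client-renegotiation = "enable"
EOF
}

# Write a placeholder PEM (marker lines only, no real key material) to $1
# with the permissions the page sets.
make_sample_pem() {
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT' '-----END CERTIFICATE-----' > "$1"
    chmod 400 "$1"
}

# The page's cipher list (offers RC4, excludes AESGCM) and a constructed
# alternative that drops RC4 and prefers the AES-GCM suites.
PAGE_CIPHERS='ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM'
MODERN_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4'

main() {
    dir="${TMPDIR:-/tmp}/lighttpd_audit.$$"; mkdir -p "$dir"
    make_sample_pem "$dir/server.pem"
    check_pem "$dir/server.pem" && echo "server.pem OK"
    make_sample_conf "$dir/lighttpd.conf" "$PAGE_CIPHERS"
    audit_tls_conf "$dir/lighttpd.conf"; echo "page config: $? finding(s)"
    make_sample_conf "$dir/lighttpd.conf" "$MODERN_CIPHERS"
    audit_tls_conf "$dir/lighttpd.conf"; echo "modern config: $? finding(s)"
    rm -rf "$dir"
}
main
```

Run it against the real files with `check_pem /etc/lighttpd/server.pem` and `audit_tls_conf /etc/lighttpd/lighttpd.conf` after sourcing the script; the page's own cipher list yields one warning (RC4 offered), while the constructed list is reported clean.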