Lighttpd Advanced security

From Alpine Linux
Revision as of 12:43, 4 November 2013 by Ginjachris (talk | contribs) (Generate the certificates with openssl)
Jump to: navigation, search

For higher security Lighttpd can be configured to allow https access.

Generate the certificates with openssl

To generate certificates, openssl is needed.

apk add openssl

Change to the lighttpd configuration directory

cd /etc/lighttpd

With the command below the certificates are generated. Answer all questions.

openssl req -newkey rsa:2048 -x509 -keyout server.pem -out server.pem -days 365 -nodes

Adjust the permissions

chmod 400 /etc/lighttpd/server.pem

Generate the certificates with acf

Install the ACF


Copy the generated certificate to the lighttpd configuration directory.

mv /etc/ssl/mini_httpd/server.pem /etc/lighttpd/server.pem

Adjust the permissions

chown root:root /etc/lighttpd/server.pem

chmod 400 /etc/lighttpd/server.pem

mini_http is no longer needed.

/etc/init.d/mini_httpd stop && rc-update del mini_httpd

Removing the mini_http package

apk del mini_httpd

Configure Lighttpd

The configuration of lighttpd needs to be modified.

nano /etc/lighttpd/lighttpd.conf

Uncomment this section and adjust the path. Or copy the example below into your configuration file.

ssl.engine    = "enable"
ssl.pemfile   = "/etc/lighttpd/server.pem"

You'll also want to set the server to listen on port 443. Replace this:

server.port		= 80

with this:

server.port		= 443

Restart lighttpd

/etc/init.d/lighttpd restart


To help mitigate the BEAST attack add the following to your configuration:

#### Mitigate BEAST attack:

# A stricter base cipher suite. For details see:
# or

ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
# Make the server prefer the order of the server side cipher suite instead of the client suite.
# This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
# This option is enabled by default, but only used if ssl.cipher-list is set.
ssl.honor-cipher-order = "enable"

# Mitigate CVE-2009-3555 by disabling client triggered renegotiation
# This option is enabled by default.
ssl.disable-client-renegotiation = "enable"

More details