diff options
Diffstat (limited to 'network/lighttpd/conf/lighttpd.conf')
| -rw-r--r-- | network/lighttpd/conf/lighttpd.conf | 171 |
1 files changed, 68 insertions, 103 deletions
diff --git a/network/lighttpd/conf/lighttpd.conf b/network/lighttpd/conf/lighttpd.conf index bc88c5bd85..e54b720aa8 100644 --- a/network/lighttpd/conf/lighttpd.conf +++ b/network/lighttpd/conf/lighttpd.conf @@ -11,11 +11,11 @@ ## Some Variable definition which will make chrooting easier. ## ## if you add a variable here. Add the corresponding variable in the -## chroot example aswell. +## chroot example as well. ## var.log_root = "/var/log/lighttpd" var.server_root = "/srv/www" -var.state_dir = "/var/run/lighttpd" +var.state_dir = "/run/lighttpd" var.home_dir = "/var/lib/lighttpd" var.conf_dir = "/etc/lighttpd" @@ -24,7 +24,7 @@ var.conf_dir = "/etc/lighttpd" ## ## This requires root permissions during startup. ## -## If you run Chrooted set the the variables to directories relative to +## If you run chroot'ed, set the variables to directories relative to ## the chroot dir. ## ## example chroot configuration: @@ -53,10 +53,10 @@ var.conf_dir = "/etc/lighttpd" var.vhosts_dir = server_root + "/vhosts" ## -## Cache for mod_compress +## Cache for mod_deflate ## ## used in: -## conf.d/compress.conf +## conf.d/deflate.conf ## var.cache_dir = "/var/cache/lighttpd" @@ -75,7 +75,7 @@ var.socket_dir = home_dir + "/sockets" ####################################################################### ## ## Load the modules. -include "modules.conf" +include conf_dir + "/modules.conf" ## ####################################################################### @@ -88,15 +88,9 @@ include "modules.conf" server.port = 80 ## -## Use IPv6? -## -# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_use-ipv6Details -server.use-ipv6 = "disable" - -## ## bind to a specific IP +## (default: "*" for all local IPv4 interfaces) ## -# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_bindDetails #server.bind = "localhost" ## @@ -106,6 +100,12 @@ server.use-ipv6 = "disable" server.username = "@USER@" server.groupname = "@GROUP@" +## +## Enable lighttpd to serve requests on sockets received from systemd +## https://www.freedesktop.org/software/systemd/man/systemd.socket.html +## +#server.systemd-socket-activation = "enable" + ## ## enable core files. ## @@ -114,7 +114,7 @@ server.groupname = "@GROUP@" ## ## Document root ## -server.document-root = server_root + "/htdocs-lighttpd" +server.document-root = server_root + "/htdocs" ## ## The value for the "Server:" response field. @@ -151,13 +151,13 @@ server.errorlog = log_root + "/error.log" ## ## Access log config ## -include "conf.d/access_log.conf" +include conf_dir + "/conf.d/access_log.conf" ## ## The debug options are moved into their own file. ## see conf.d/debug.conf for various options for request debugging. ## -include "conf.d/debug.conf" +include conf_dir + "/conf.d/debug.conf" ## ####################################################################### @@ -168,29 +168,26 @@ include "conf.d/debug.conf" ## -------------------- ## ## corresponding documentation: -## http://www.lighttpd.net/documentation/performance.html +## https://wiki.lighttpd.net/Docs_Performance ## ## set the event-handler (read the performance section in the manual) ## -## possible options on linux are: +## The recommended server.event-handler is chosen by default for each OS. ## -## select -## poll -## linux-sysepoll +## epoll (recommended on Linux) +## kqueue (recommended on *BSD and MacOS X) +## solaris-eventports (recommended on Solaris) +## poll (recommended if none of above are available) +## select (*not* recommended) ## -## linux-sysepoll is recommended on kernel 2.6. -## -server.event-handler = "linux-sysepoll" +#server.event-handler = "linux-sysepoll" ## ## The basic network interface for all platforms at the syscalls read() ## and write(). Every modern OS provides its own syscall to help network ## servers transfer files as fast as possible ## -## sendfile - is recommended for small files. -## writev - is recommended for sending many large files -## -server.network-backend = "sendfile" +#server.network-backend = "sendfile" ## ## As lighttpd is a single-threaded server, its main resource limit is @@ -204,9 +201,12 @@ server.network-backend = "sendfile" ## server.username/server.groupname. ## ## By default lighttpd would not change the operation system default. -## But setting it to 2048 is a better default for busy servers. +## But setting it to 16384 is a better default for busy servers. +## +## With SELinux enabled, this is denied by default and needs to be allowed +## by running the following once: setsebool -P httpd_setrlimit on ## -server.max-fds = 2048 +server.max-fds = 16384 ## ## listen-backlog is the size of the listen() backlog queue requested when @@ -243,17 +243,17 @@ server.max-fds = 2048 ## lighttpd can utilize FAM/Gamin to cache stat call. ## ## possible values are: -## disable, simple or fam. +## disable, simple, inotify, kqueue, or fam. ## -server.stat-cache-engine = "simple" +#server.stat-cache-engine = "simple" ## ## Fine tuning for the request handling ## -## max-connections == max-fds/2 (maybe /3) -## means the other file handles are used for fastcgi/files +## max-connections == max-fds/3) +## (other file handles are used for fastcgi/files) ## -server.max-connections = 1024 +#server.max-connections = 1024 ## ## How many seconds to keep a keep-alive connection open, @@ -341,10 +341,11 @@ url.access-deny = ( "~", ".inc" ) ## ## disable range requests for pdf files ## workaround for a bug in the Acrobat Reader plugin. +## (ancient; should no longer be needed) ## -$HTTP["url"] =~ "\.pdf$" { - server.range-requests = "disable" -} +#$HTTP["url"] =~ "\.pdf$" { +# server.range-requests = "disable" +#} ## ## url handling modules (rewrite, redirect) @@ -382,22 +383,22 @@ static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" ) ## Format: <errorfile-prefix><status-code>.html ## -> ..../status-404.html for 'File not found' ## -#server.errorfile-prefix = "/srv/www/htdocs/errors/status-" +#server.errorfile-prefix = server_root + "/htdocs/errors/status-" ## ## mimetype mapping ## -include "conf.d/mime.conf" +include conf_dir + "/conf.d/mime.conf" ## ## directory listing configuration ## -include "conf.d/dirlisting.conf" +include conf_dir + "/conf.d/dirlisting.conf" ## ## Should lighttpd follow symlinks? -## -server.follow-symlink = "enable" +## default: "enable" +#server.follow-symlink = "enable" ## ## force all filenames to be lowercase? @@ -406,80 +407,44 @@ server.follow-symlink = "enable" ## ## defaults to /var/tmp as we assume it is a local harddisk -## -server.upload-dirs = ( "/var/tmp" ) +## default: "/var/tmp" +#server.upload-dirs = ( "/var/tmp" ) ## ####################################################################### - ####################################################################### ## ## SSL Support ## ------------- ## +## https://wiki.lighttpd.net/Docs_SSL +# ## To enable SSL for the whole server you have to provide a valid ## certificate and have to enable the SSL engine.:: ## -## ssl.engine = "enable" -## ssl.pemfile = "/path/to/server.pem" -## -## The HTTPS protocol does not allow you to use name-based virtual -## hosting with SSL. If you want to run multiple SSL servers with -## one lighttpd instance you must use IP-based virtual hosting: :: -## -## Mitigate CVE-2009-3555 by disabling client triggered renegotation -## This is enabled by default. -## -## IMPORTANT: this setting can only be used in the global scope. -## It does *not* work inside conditionals -## -# ssl.disable-client-renegotiation = "enable" -## -## $SERVER["socket"] == "10.0.0.1:443" { -## ssl.engine = "enable" -## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" -## # -## # (Following SSL/TLS Deployment Best Practices 1.3 / 17 September 2013 from: -## # https://www.ssllabs.com/projects/best-practices/index.html) -## # - BEAST is considered mitigaed on client side now, and new weaknesses have been found in RC4, -## # so it is strongly advised to disable RC4 ciphers (HIGH doesn't include RC4) -## # - It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP, -## # so you might want to support 3DES for now - just remove the '!3DES' parts below). -## # - The examples below prefer ciphersuites with "Forward Secrecy" (and ECDHE over DHE (alias EDH)), remove '+kEDH +kRSA' -## # if you don't want that. -## # - SRP and PSK are not supported anyway, excluding those ('!kSRP !kPSK') just keeps the list smaller (easier to review) -## # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes) -## # -## # If you know you have RSA keys (standard), you can use: -## ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK" -## # The more generic version (without the restriction to RSA keys) is -## # ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK" -## # -## # Make the server prefer the order of the server side cipher suite instead of the client suite. -## # This option is enabled by default, but only used if ssl.cipher-list is set. -## # -## # ssl.honor-cipher-order = "enable" -## # -## server.name = "www.example.com" -## -## server.document-root = "/srv/www/vhosts/example.com/www/" -## } -## - -## If you have a .crt and a .key file, cat them together into a -## single PEM file: -## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \ -## > /etc/ssl/private/lighttpd.pem +## server.modules += ( "mod_openssl" ) ## -#ssl.pemfile = "/etc/ssl/private/lighttpd.pem" - +## ssl.privkey = "/path/to/privkey.pem" +## ssl.pemfile = "/path/to/fullchain.pem" +## # ssl.pemfile should contain the sorted certificate chain, including +## # intermediate certificates, as provided by the certificate issuer. +## # If both privkey and cert are in same file, specify only ssl.pemfile. ## -## optionally pass the CA certificate here. +## # Check your cipher list with: openssl ciphers -v '...' +## # (use single quotes with: openssl ciphers -v '...' +## # as your shell won't like ! in double quotes) +## #ssl.cipher-list = "HIGH" # default ## +## # (recommended to accept only TLSv1.2 and TLSv1.3) +## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # default ## -#ssl.ca-file = "" - +## $SERVER["socket"] == "*:443" { +## ssl.engine = "enable" +## } +## $SERVER["socket"] == "[::]:443" { +## ssl.engine = "enable" +## } ## ####################################################################### @@ -487,7 +452,7 @@ server.upload-dirs = ( "/var/tmp" ) ## ## custom includes like vhosts. ## -#include "conf.d/config.conf" -#include_shell "cat /etc/lighttpd/vhosts.d/*.conf" +#include conf_dir + "/conf.d/config.conf" +#include conf_dir + "/vhosts.d/*.conf" ## ####################################################################### |