commit 331a1d2828d14f0d46c776b13bcb513308a24533
Author: Elan Ruusamäe <g...@pld-linux.org>
Date: Sun May 28 14:39:33 2023 +0300
Fix ssl global init
(configfile-glue.c.338) WARNING: ssl.openssl.ssl-conf-cmd must be in
global scope or $SERVER["socket"] with '==', or else is ignored
(mod_openssl.c.2674) ssl.pemfile has to be set in same $SERVER["socket"]
scope as other ssl.* directives, unless only ssl .engine is set,
inheriting ssl.* from global scope
ssl.conf | 47 +++++++++++++++++++++--------------------------
1 file changed, 21 insertions(+), 26 deletions(-)
---
diff --git a/ssl.conf b/ssl.conf
index 341de48..6e45428 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -19,40 +19,35 @@ $SERVER["socket"] == ":443" { ssl.engine = "enable" }
$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
$HTTP["scheme"] == "https" {
- protocol = "https://";
- # ssl.pemfile: path to the PEM file for SSL support
- # (Should contain both the private key and the certificate)
- ## If you have a .crt and a .key file, cat them together into a single
PEM file:
- ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
- ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
+ # HTTP Strict Transport Security (63072000 seconds is around 2 years)
+ setenv.add-response-header = (
+ "Strict-Transport-Security" => "max-age=63072000"
+ )
+}
+
+# ssl.pemfile: path to the PEM file for SSL support
+# (Should contain both the private key and the certificate)
+## If you have a .crt and a .key file, cat them together into a single PEM
file:
+## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
+ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
# ssl.privkey = "/path/to/private_key"
- # ssl.ca-file: path to the CA file for support of chained certificates
+# ssl.ca-file: path to the CA file for support of chained certificates
# ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
- # OCSP stapling (input file must be maintained by external script)
- #
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
+# OCSP stapling (input file must be maintained by external script)
+# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
# ssl.stapling-file = "/path/to/cert-staple.der"
- # Compression is by default off at compile-time, but use if needed
+# Compression is by default off at compile-time, but use if needed
# ssl.use-compression = "disable"
- # Environment flag for HTTPS enabled
+# Environment flag for HTTPS enabled
# setenv.add-environment = (
# "HTTPS" => "on"
# )
- ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
- ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
- # TLS modules besides mod_openssl might name ciphers differently
- # See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
- ssl.openssl.ssl-conf-cmd += ("CipherString" =>
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")
-
- # HTTP Strict Transport Security (63072000 seconds is around 2 years)
- setenv.add-response-header = (
- "Strict-Transport-Security" => "max-age=63072000"
- )
-
- $HTTP["useragent"] =~ "MSIE" {
- server.max-keep-alive-requests = 0
- }
-}
+ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
+ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
+# TLS modules besides mod_openssl might name ciphers differently
+# See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
+ssl.openssl.ssl-conf-cmd += ("CipherString" =>
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/lighttpd.git/commitdiff/331a1d2828d14f0d46c776b13bcb513308a24533
_______________________________________________
pld-cvs-commit mailing list
pld-cvs-commit@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
