commit 331a1d2828d14f0d46c776b13bcb513308a24533 Author: Elan Ruusamäe <g...@pld-linux.org> Date: Sun May 28 14:39:33 2023 +0300
Fix ssl global init
(configfile-glue.c.338) WARNING: ssl.openssl.ssl-conf-cmd must be in global scope or $SERVER["socket"] with '==', or else is ignored (mod_openssl.c.2674) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl .engine is set, inheriting ssl.* from global scope
 ssl.conf | 47 +++++++++++++++++++++--------------------------
 1 file changed, 21 insertions(+), 26 deletions(-)
---
diff --git a/ssl.conf b/ssl.conf
index 341de48..6e45428 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -19,40 +19,35 @@ $SERVER["socket"] == ":443" { ssl.engine = "enable" }
 $SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
 $HTTP["scheme"] == "https" {
- protocol = "https://"
- # ssl.pemfile: path to the PEM file for SSL support
- # (Should contain both the private key and the certificate)
- ## If you have a .crt and a .key file, cat them together into a single PEM file:
- ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
- ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
+ # HTTP Strict Transport Security (63072000 seconds is around 2 years)
+ setenv.add-response-header = (
+ "Strict-Transport-Security" => "max-age=63072000"
+ )
+}
+
+# ssl.pemfile: path to the PEM file for SSL support
+# (Should contain both the private key and the certificate)
+## If you have a .crt and a .key file, cat them together into a single PEM file:
+## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
+ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
 # ssl.privkey = "/path/to/private_key"
- # ssl.ca-file: path to the CA file for support of chained certificates
+# ssl.ca-file: path to the CA file for support of chained certificates
 # ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
- # OCSP stapling (input file must be maintained by external script)
- # https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
+# OCSP stapling (input file must be maintained by external script)
+# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
 # ssl.stapling-file = "/path/to/cert-staple.der"
- # Compression is by default off at compile-time, but use if needed
+# Compression is by default off at compile-time, but use if needed
 # ssl.use-compression = "disable"
- # Environment flag for HTTPS enabled
+# Environment flag for HTTPS enabled
 # setenv.add-environment = (
 # "HTTPS" => "on"
 # )
- ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
- ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
- # TLS modules besides mod_openssl might name ciphers differently
- # See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
- ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")
-
- # HTTP Strict Transport Security (63072000 seconds is around 2 years)
- setenv.add-response-header = (
- "Strict-Transport-Security" => "max-age=63072000"
- )
-
- $HTTP["useragent"] =~ "MSIE" {
- server.max-keep-alive-requests = 0
- }
-}
+ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
+ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
+# TLS modules besides mod_openssl might name ciphers differently
+# See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
+ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/lighttpd.git/commitdiff/331a1d2828d14f0d46c776b13bcb513308a24533
_______________________________________________
pld-cvs-commit mailing list
pld-cvs-commit@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
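Review bot: The `$HTTP["useragent"] =~ "MSIE" { server.max-keep-alive-requests = 0 }` block is dropped from the tail of the old `$HTTP["scheme"] == "https"` body with no replacement, and neither the commit message nor a comment records that this keep-alive workaround was removed on purpose. If the removal is intended, one line in the message saying so would do; otherwise the block belongs inside the surviving `$HTTP["scheme"] == "https" { ... }` next to the HSTS header. Keeping the `setenv.add-response-header` for Strict-Transport-Security scoped to that block rather than hoisting it to global scope with the ssl.* directives is right, since at global scope it would presumably be added to plain-HTTP responses as well. Because the now-global `ssl.pemfile` is documented as holding the private key together with the certificate, a comment above it such as `# server.pem holds the private key: keep it readable by the server only` would make the sensitivity of that path explicit in the config.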