
github.com/mozilla/ssl-config-generator.git - Unnamed repository; edit this file 'description' to name the repository.
authorGlenn Strauss <gstrauss@gluelogic.com>2020-10-13 23:56:58 +0300
committerGlenn Strauss <gstrauss@gluelogic.com>2021-04-03 03:25:19 +0300
commit4ab91583948212a38fc1f15f4618670b55963653 (patch)
tree779fdc07c27d5d44f6f72b075e26174e8ebeed26
parentd1232aeaf92463c694f351a402fc626911be3716 (diff)
lighttpd updates for lighttpd 1.4.56
-rwxr-xr-xsrc/js/configs.js2
-rw-r--r--src/templates/partials/lighttpd.hbs32
2 files changed, 33 insertions, 1 deletions
diff --git a/src/js/configs.js b/src/js/configs.js
index 253db83..619de41 100755
--- a/src/js/configs.js
+++ b/src/js/configs.js
@@ -88,7 +88,7 @@ module.exports = {
},
lighttpd: {
highlighter: 'nginx',
- latestVersion: '1.4.55',
+ latestVersion: '1.4.56',
name: 'lighttpd',
tls13: '1.4.48'
},
diff --git a/src/templates/partials/lighttpd.hbs b/src/templates/partials/lighttpd.hbs
index 227e87f..37de26a 100644
--- a/src/templates/partials/lighttpd.hbs
+++ b/src/templates/partials/lighttpd.hbs
@@ -25,6 +25,37 @@ $HTTP["scheme"] == "https" {
}
{{/if}}
+{{#if (minver "1.4.56" form.serverVersion)}}
+# select one TLS module: "mod_openssl" "mod_mbedtls" "mod_gnutls" "mod_wolfssl" "mod_nss"
+#server.modules += ("mod_openssl")
+
+# lighttpd 1.4.56 and later will inherit ssl.* from the global scope if
+# $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* options
+# (to avoid having to repeat ssl.* directives in both ":443" and "[::]:443")
+$SERVER["socket"] == ":443" { ssl.engine = "enable" }
+$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
+ssl.privkey = "/path/to/private_key"
+ssl.pemfile = "/path/to/signed_cert_plus_intermediates"
+ {{#if (minver "1.0.2" form.opensslVersion)}}
+ {{#if (minver "1.1.0" form.opensslVersion)}}
+ssl.openssl.ssl-conf-cmd = ("MinProtocol" => {{#if (includes "TLSv1" output.protocols)}}"TLSv1"{{else if (includes "TLSv1.1" output.protocols)}}"TLSv1.1"{{else if (includes "TLSv1.2" output.protocols)}}"TLSv1.2"{{else}}"TLSv1.3"{{/if}})
+ {{else}}
+ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3{{#unless (includes "TLSv1" output.protocols)}}, -TLSv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}}, -TLSv1.1{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}}, -TLSv1.2{{/unless}}")
+ {{/if}}
+ssl.openssl.ssl-conf-cmd += ("Options" => "{{#if output.serverPreferredOrder}}+{{else}}-{{/if}}ServerPreference")
+# TLS modules besides mod_openssl might name ciphers differently
+# See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
+ssl.openssl.ssl-conf-cmd += ("CipherString" => "{{{join output.ciphers ":"}}}")
+# OCSP stapling (input file must be maintained by external script)
+# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
+#ssl.stapling-file = "/path/to/cert-staple.der"
+ {{else}}
+ssl.use-sslv2 = "disable"
+ssl.use-sslv3 = "disable"
+ssl.honor-cipher-order = "{{#if output.serverPreferredOrder}}enable{{else}}disable{{/if}}"
+ssl.cipher-list = "{{{join output.ciphers ":"}}}"
+ {{/if}}
+{{else}}
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
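Review bot: The fallback for OpenSSL older than 1.0.2 (`ssl.use-sslv2` through `ssl.cipher-list`) never consults `output.protocols`, so TLSv1 and TLSv1.1 appear to stay negotiable there even when the selected profile excludes them. The `MinProtocol` and `Protocol` branches above it do honour the profile. If the directives available with that OpenSSL cannot restrict those protocols, the generated config should say so rather than look complete, for example `# NOTE: with OpenSSL < 1.0.2 this config cannot disable TLSv1/TLSv1.1; upgrade OpenSSL to enforce the selected protocol set`. Whether the form allows this version and profile combination is not visible in the hunk, so confirm against the generator's validation.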
@@ -63,3 +94,4 @@ $SERVER["socket"] == ":443" {
ssl.cipher-list = "{{{join output.ciphers ":"}}}"
}
#$SERVER["socket"] == "[::]:443" { ... } # repeat entire $SERVER["socket"] == ":443" { ... } config above for IPv6
+{{/if}}