Welcome to mirror list, hosted at ThFree Co, Russian Federation.

lighttpd.hbs « partials « templates « src - github.com/mozilla/ssl-config-generator.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
blob: 227e87f9607565b7f259a3aa96b82be02424e5e5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# {{output.header}}
# {{{output.link}}}
#server.modules += ("mod_redirect")
#server.modules += ("mod_setenv")
#server.modules += ("mod_openssl")
#server.port = 80
$SERVER["socket"] == "[::]:80" { }

{{#if form.hsts}}
$HTTP["scheme"] == "http" {
{{#if (minver "1.4.50" form.serverVersion)}}
    url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
{{else}}
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
{{/if}}
}

$HTTP["scheme"] == "https" {
    # HTTP Strict Transport Security ({{output.hstsMaxAge}} seconds)
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age={{output.hstsMaxAge}}"
    )
}
{{/if}}

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"

  {{#if (minver "1.4.53" form.serverVersion)}}
    ssl.privkey = "/path/to/private_key"
    ssl.pemfile = "/path/to/signed_cert"
    ssl.ca-file = "/path/to/intermediate_certificate"
  {{else}}
    # pemfile is cert+privkey, ca-file is the intermediate chain in one file
    ssl.pemfile = "/path/to/signed_cert_plus_private_key"
    ssl.ca-file = "/path/to/intermediate_certificate"
  {{/if}}
{{#if output.usesDhe}}
    {{#if (minver "1.4.29" form.serverVersion)}}

    # {{output.dhCommand}} > /path/to/dhparam
    ssl.dh-file = "/path/to/dhparam"
    {{/if}}
{{/if}}

    # {{form.config}} configuration
 {{#if (minver "1.4.48" form.serverVersion)}}
  {{#if (minver "1.1.0" form.opensslVersion)}}
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => {{#if (includes "TLSv1" output.protocols)}}"TLSv1"{{else if (includes "TLSv1.1" output.protocols)}}"TLSv1.1"{{else if (includes "TLSv1.2" output.protocols)}}"TLSv1.2"{{else}}"TLSv1.3"{{/if}}, "Options" => "-SessionTicket")
  {{else if (minver "1.0.2" form.opensslVersion)}}
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3{{#unless (includes "TLSv1" output.protocols)}}, -TLSv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}}, -TLSv1.1{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}}, -TLSv1.2{{/unless}}", "Options" => "-SessionTicket")
  {{else}}
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  {{/if}}
 {{else}}
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
 {{/if}}
    ssl.honor-cipher-order = "{{#if output.serverPreferredOrder}}enable{{else}}disable{{/if}}"
    ssl.cipher-list = "{{{join output.ciphers ":"}}}"
}
#$SERVER["socket"] == "[::]:443" { ... } # repeat entire $SERVER["socket"] == ":443" { ... } config above for IPv6