Lighttpd Server with SSL

Lighttpd is one of the fastest web servers around, and it delivers that speed on modest hardware. In this article I will explain how to create an SSL certificate and use it in a lighttpd vhost, so that each site is served with its own certificate.

Suppose your site's document root is /var/www/site1.com. You can set up multiple sites by repeating the steps in this article.

If you used /var/www/site1.com as the document root, you will already have two folders in it: web, which holds the site's files, and logs, which holds the error logs. For the SSL certificate you need one more folder, named ssl.

mkdir /var/www/site1.com/ssl/

Now create the certificate and key.

sudo openssl req -x509 -nodes -days 1460 -newkey rsa:2048 -keyout /var/www/site1.com/ssl/site1.key -out /var/www/site1.com/ssl/site1.crt

You will be asked for some information. In the Common Name field, enter the domain name you want to serve over https (SSL), for example site1.com.

That command creates a working certificate, but if you want your self-signed certificate to stay valid for a long time you have to change the number after -days. 1460 days means 4 years. For a validity of around 20 years, put 7300 there, which is 365×20.

Now we need to combine the key and the crt file into a single .pem file, which is the format lighttpd expects.

cat /var/www/site1.com/ssl/site1.key /var/www/site1.com/ssl/site1.crt > /var/www/site1.com/ssl/site1.pem

Alternatively, you can create the combined .pem file (key followed by certificate) with a single command:

openssl req -new -x509 -keyout /var/www/site1.com/ssl/site1.pem -out /var/www/site1.com/ssl/site1.pem -days 1460 -nodes
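The two steps above (generate the key and certificate, then concatenate them into the .pem that ssl.pemfile expects) can be done in one script. The following is an added example, not a command from the original article: it answers the openssl prompts non-interactively with -subj, adds a subjectAltName (modern browsers check the SAN rather than the Common Name), keeps the private key and the combined .pem readable only by their owner, and checks that the .pem really contains the key followed by the certificate. It assumes OpenSSL 1.1.1 or newer (for -addext); the function names and the optional YEARS argument are my own.

```shell
#!/bin/sh
# Added example (not from the original article): create a self-signed
# key+certificate pair for one vhost and combine it into the single .pem
# that lighttpd's ssl.pemfile expects. Assumes OpenSSL 1.1.1+ (-addext)
# and the /var/www/<site>/ssl layout used in the article.

# days_for_years YEARS -> prints the value for -days (365 * YEARS, as in the text)
days_for_years() {
    echo $(( $1 * 365 ))
}

# pem_has_key_and_cert FILE -> exit 0 if FILE holds a private key followed
# by a certificate, 1 otherwise. Purely textual, so it works without openssl.
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    # the key must come before the certificate, matching the cat order above
    key_line=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$1" | head -n1 | cut -d: -f1)
    crt_line=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$1" | head -n1 | cut -d: -f1)
    [ "$key_line" -lt "$crt_line" ]
}

# make_site_pem DOMAIN SSLDIR [YEARS] -> writes DOMAIN.key, DOMAIN.crt and
# DOMAIN.pem into SSLDIR; YEARS defaults to 4 (1460 days, as in the article)
make_site_pem() {
    domain=$1
    ssldir=$2
    years=${3:-4}
    days=$(days_for_years "$years")
    mkdir -p "$ssldir"
    umask 077   # private key material must never be group/world readable
    # -subj answers the interactive prompt; -addext adds the SAN that
    # browsers actually validate
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" \
        -keyout "$ssldir/$domain.key" -out "$ssldir/$domain.crt"
    cat "$ssldir/$domain.key" "$ssldir/$domain.crt" > "$ssldir/$domain.pem"
    chmod 600 "$ssldir/$domain.key" "$ssldir/$domain.pem"
    pem_has_key_and_cert "$ssldir/$domain.pem"
}

# Usage: sh make_pem.sh site1.com /var/www/site1.com/ssl 20
if [ "$#" -ge 2 ]; then
    make_site_pem "$@"
fi
```

Run it as `sh make_pem.sh site1.com /var/www/site1.com/ssl 20` for a 7300-day certificate. lighttpd reads the .pem at startup, before it drops privileges, so the file can stay owned by root with mode 600; the web user never needs to read the private key.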

Now let us use that certificate in the site's vhost.

Edit /etc/lighttpd/site1.com.conf :

nano /etc/lighttpd/site1.com.conf

Make sure it looks like below (note the escaped dots in the host pattern, so that only site1.com and its subdomains match and not some other host name that merely ends in "site1.com"):

$HTTP["host"] =~ "(^|\.)site1\.com$" {
    server.document-root = "/var/www/site1.com/web/"
    server.errorlog = "/var/www/site1.com/logs/error.log"
    ssl.engine = "enable"
    ssl.pemfile = "/var/www/site1.com/ssl/site1.pem"
}

Now save the file and restart lighttpd:

service lighttpd restart

Now you can access your site over https, using the SSL certificate.

If you want to redirect all http requests to https, add the lines below to the configuration and restart lighttpd.

$HTTP["scheme"] == "http" {
    $HTTP["host"] == "site1.com" {
        url.redirect = (".*" => "https://site1.com$0")
    }
}

Now restart and check the website.

service lighttpd restart

The configuration above only works once port 443 is set up as an SSL socket in the main lighttpd configuration, as described next.

Suppose your server's hostname (FQDN) is server1.domain.tld. Create the folder /etc/lighttpd/ssl:

mkdir /etc/lighttpd/ssl

Now create an SSL key + crt pair (or directly a pem file) there, using the FQDN server1.domain.tld as the Common Name:

sudo openssl req -x509 -nodes -days 1460 -newkey rsa:2048 -keyout /etc/lighttpd/ssl/server.key -out /etc/lighttpd/ssl/server.crt

Now combine the key and crt into a pem file:

cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pem

Now open lighttpd config file.

nano /etc/lighttpd/lighttpd.conf

and put the lines below before the include lines of the other domains you have added:

include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
}

include "site1.com.conf"
include "site2.com.conf"

You can also do this a different way. Here is a complete http-to-https configuration for a Ghost blog, with everything in a single host block.

$HTTP["host"] =~ "(^|\.)DOMAIN\.TLD$" {

    server.document-root = "/var/www/DOMAIN.TLD/web/"
    cache.enable = "enable"

    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.ca-file = "/var/www/DOMAIN.TLD/ssl/DOMAIN.TLD.crt"
        ssl.pemfile = "/var/www/DOMAIN.TLD/ssl/DOMAIN.TLD.pem"
        server.name = "DOMAIN.TLD"
    }

    $SERVER["socket"] == ":80" {
        $HTTP["host"] =~ "(.*)" {
            # %0 is the matched host and $0 the requested path, so the
            # redirect keeps the full original URL instead of dropping the path
            url.redirect = ( ".*" => "https://%0$0" )
        }
    }

    # You can skip the lines below for normal websites (WordPress, Drupal,
    # Joomla, plain HTML/PHP, etc.); they are only needed for a Ghost blog.
    proxy.server = ( "" => (
        ( "host" => "111.222.333.444", "port" => "XXXX" )
    ))
    ###---^PROXY^---###
}
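With several vhosts, each pointing ssl.pemfile at its own file, it is easy to lose track of which certificates are about to expire or which .pem was copied somewhere group- or world-readable. The following is an added example, not part of the original article: a small POSIX shell audit that pulls every ssl.pemfile and ssl.ca-file path out of the *.conf files in a directory, checks that each file exists and is not readable by group or others, and, when openssl is installed, reports whether the certificate inside is expired or within 30 days of expiring. The directory layout (/etc/lighttpd with per-site *.conf files) is the one used in this article; the function names and the 30-day threshold are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): audit every ssl.pemfile /
# ssl.ca-file referenced by lighttpd's configuration. Assumes the layout
# from the article (lighttpd.conf plus per-site *.conf in one directory)
# and paths without whitespace.

# list_pem_paths CONFDIR -> prints each path assigned to ssl.pemfile or
# ssl.ca-file in CONFDIR/*.conf, one per line, duplicates removed
list_pem_paths() {
    grep -h -E '^[[:space:]]*ssl\.(pemfile|ca-file)[[:space:]]*=' "$1"/*.conf \
        | sed -E 's/.*=[[:space:]]*"([^"]*)".*/\1/' \
        | sort -u
}

# file_is_private FILE -> 0 when FILE has no group/other permission bits
# (portable: reads the "rwxrwx" group+other part of ls -l instead of stat)
file_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# cert_status FILE -> prints ok, expiring (within 30 days), expired,
# unparsable, or unknown (openssl not installed). openssl x509 reads the
# first CERTIFICATE block and skips the private key in a combined .pem.
cert_status() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || { echo unparsable; return 0; }
    if ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend $(( 30 * 24 * 3600 )) -in "$1" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# audit_ssl_files CONFDIR -> one report line per referenced file; returns 1
# if any file is missing or readable by group/other, 0 otherwise
audit_ssl_files() {
    rc=0
    for f in $(list_pem_paths "$1"); do
        if [ ! -f "$f" ]; then
            echo "MISSING     -        $f"
            rc=1
            continue
        fi
        if file_is_private "$f"; then priv=private; else priv=EXPOSED; rc=1; fi
        echo "$(cert_status "$f")  $priv  $f"
    done
    return $rc
}

# Usage: sh audit_ssl.sh /etc/lighttpd
if [ "$#" -eq 1 ]; then
    audit_ssl_files "$1"
fi
```

A non-zero exit status makes the script usable from cron or a configuration-management check: anything other than "ok  private" on every line is worth a look before the next lighttpd restart.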

Now you can add multiple domains, each with its own certificate.

Thank You.
