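# /etc/lighttpd/lighttpd.conf
#
# Copyright: ©2011–2015, Güralp Systems Ltd.
# Author: Laurence Withers
# License: GPLv3
#
# Configuration file for the web server.
#

# Bind to both IPv4 and IPv6 sockets. Works regardless of the setting of
# net.ipv6.bindv6only .
server.bind = "[::]"
# NOTE(review): port 80 is served in clear text. Digest authentication keeps
# the password itself off the wire, but pages, CGI parameters and responses
# can still be read or altered in transit. Prefer the 443 sockets for
# anything behind auth.require.
$SERVER["socket"] == "0.0.0.0:80" { }

$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable",
    # The PEM file holds the private key; keep it readable only by root and
    # the account lighttpd starts as.
    ssl.pemfile = "/etc/lighttpd/lighttpd.pem.local",
    # Originally generated via `openssl ciphers HIGH | sed -e 's/:/ /g'`.
    # HIGH also expands to the anonymous ADH-* suites, which do not
    # authenticate the server and so give no protection against an active
    # man-in-the-middle; those entries have been removed below. When
    # regenerating, use `openssl ciphers 'HIGH:!aNULL' | sed -e 's/:/ /g'`.
    # NOTE(review): the 3DES entries (including the SSLv2-era DES-CBC3-MD5)
    # and the SRP/PSK entries are kept as in the original list; review
    # whether any client still needs them.
    # Keep this list identical to the one in the "0.0.0.0:443" block.
    ssl.cipher-list = "SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA SRP-AES-256-CBC-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA PSK-AES256-CBC-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA SRP-3DES-EDE-CBC-SHA DES-CBC3-SHA DES-CBC3-MD5 PSK-3DES-EDE-CBC-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA SRP-AES-128-CBC-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA CAMELLIA128-SHA PSK-AES128-CBC-SHA"
}

$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable",
    ssl.pemfile = "/etc/lighttpd/lighttpd.pem.local",
    # Same list as the "[::]:443" block (anonymous ADH-* suites removed);
    # change both together so IPv4 and IPv6 clients get the same policy.
    ssl.cipher-list = "SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA SRP-AES-256-CBC-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA PSK-AES256-CBC-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA SRP-3DES-EDE-CBC-SHA DES-CBC3-SHA DES-CBC3-MD5 PSK-3DES-EDE-CBC-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA SRP-AES-128-CBC-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA CAMELLIA128-SHA PSK-AES128-CBC-SHA"
}

server.modules = (
    "mod_auth",     # HTTP digest authentication (user login)
    "mod_cgi",      # plain old CGI support
    "mod_fastcgi",
)

server.errorlog-use-syslog = "enable"

# Tell server where to find its files
server.document-root = "/srv/http"
server.indexfiles = ( "index.cgi", "index.html", "index.xhtml" )
# An empty interpreter means each .cgi file is executed directly.
cgi.assign = ( ".cgi" => "" )

# Some CGI scripts (e.g. formatting) can take a really long time to run
# NOTE(review): this timeout is global, so a stalled client can also hold a
# connection open for up to an hour.
server.max-write-idle = 3600

# Set up authentication
auth.backend = "htdigest"
# The htdigest file holds per-user digest hashes; restrict its permissions
# the same way as the PEM file.
auth.backend.htdigest.userfile = "/etc/lighttpd/htdigest.local"

# This is a workaround for CURL queries etc.
server.reject-expect-100-with-417 = "disable"

auth.require = (
    # special exception: has to be in /cgi-bin/ as it's part of the API, but
    # we must authenticate users of it
    # NOTE(review): every other path under /cgi-bin/ is served without
    # authentication, so only scripts meant to be public belong there.
    "/cgi-bin/xmlrpc-control.cgi" => (
        "method" => "digest",
        "realm" => "Platinum web authentication",
        "require" => "valid-user"
    ),

    # the majority of our CGI scripts live here, and require us to be an
    # authorised user
    "/cgi-bin.auth/" => (
        "method" => "digest",
        "realm" => "Platinum web authentication",
        "require" => "valid-user"
    ),

    # the Pt-web app requires auth for now, since it doesn't have its own
    # auth framework yet
    "/app" => (
        "method" => "digest",
        "realm" => "Platinum web authentication",
        "require" => "valid-user"
    ),

    # anything else doesn't require auth (mainly CSS/static content etc.).
)

# Pt-web FastCGI integration
# NOTE(review): bin-path points inside the document root and cgi.assign only
# covers ".cgi", so the Pt-web.wt binary itself looks downloadable by any
# authenticated user via /cgi-bin.auth/ -- confirm that this is acceptable.
fastcgi.server = (
    "/app" => ((
        "socket" => "/var/run/Pt-web.wt.fcgi",
        "check-local" => "disable",
        "bin-path" => "/srv/http/cgi-bin.auth/Pt-web.wt",
        "max-procs" => 1,
        # Only PATH is passed through from lighttpd's own environment.
        "bin-copy-environment" => ( "PATH" ),
        "bin-environment" => (
            "WT_CONFIG_XML" => "/etc/Pt-web.xml",
            "WT_APP_ROOT" => "/usr/share/Pt-web",
        ),
    )),
)

# MIME types
mimetype.use-xattr = "disable"
mimetype.assign = (
    ".pdf" => "application/pdf",
    ".sig" => "application/pgp-signature",
    ".class" => "application/octet-stream",
    ".ps" => "application/postscript",
    ".xhtml" => "application/xhtml+xml",
    ".torrent" => "application/x-bittorrent",
    ".dvi" => "application/x-dvi",
    ".gz" => "application/x-gzip",
    ".tar.gz" => "application/x-tgz",
    ".tgz" => "application/x-tgz",
    ".tar" => "application/x-tar",
    ".zip" => "application/zip",
    ".mp3" => "audio/mpeg",
    ".ogg" => "application/ogg",
    ".wav" => "audio/x-wav",
    ".gif" => "image/gif",
    ".jpg" => "image/jpeg",
    ".jpeg" => "image/jpeg",
    ".png" => "image/png",
    ".xpm" => "image/x-xpixmap",
    ".css" => "text/css",
    ".html" => "text/html",
    ".htm" => "text/html",
    ".js" => "text/javascript",
    ".asc" => "text/plain",
    ".c" => "text/plain",
    ".cpp" => "text/plain",
    ".log" => "text/plain",
    ".conf" => "text/plain",
    ".text" => "text/plain",
    ".txt" => "text/plain",
    ".spec" => "text/plain",
    ".dtd" => "text/xml",
    ".xml" => "text/xml",
    ".mpeg" => "video/mpeg",
    ".mpg" => "video/mpeg",
    ".bz2" => "application/x-bzip",
    ".tbz" => "application/x-bzip-compressed-tar",
    ".tar.bz2" => "application/x-bzip-compressed-tar",
    ".rpm" => "application/x-rpm",
    # make the default mime type application/octet-stream.
    "" => "application/octet-stream",
)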