Sunday, March 16, 2014

hosting http and https domains with lighttpd

I have two domains, one with an SSL certificate and one without. I wanted to host these on the same lighttpd server which only has one IP address.

There are several forum threads and lighty wiki articles about this, but none gives a concise example of how to do it. Many parts of the documentation are confusing and non-obvious, and the situation is not helped by the fact that you cannot do name-based SSL hosting the way you do plain virtual hosts: the TLS handshake happens before lighttpd has seen a Host header, so ssl.engine has to be switched on per socket ($SERVER["socket"]) rather than inside a $HTTP["host"] condition, and what you'd expect to be the logical configuration doesn't work.

After staring at those for a few hours and a lot of trial and error, here's the config I ended up using:
$HTTP["scheme"] == "http" {

  # The two domain names below are placeholders: plain.example is the domain
  # without a certificate, ssl.example the one with; substitute your own.
  $HTTP["host"] =~ "(^|\.)plain\.example$" {
    server.name = "plain.example"
    server.document-root = "/var/www/plain.example/"
  }
  # the SSL domain is never served over plain http, only redirected
  else $HTTP["host"] =~ "(^|\.)ssl\.example$" {
    url.redirect = (".*" => "https://ssl.example$0")
  }
}

$HTTP["scheme"] == "https" {

  # SSL is enabled per socket, not per host (see above)
  $SERVER["socket"] == "X.X.X.X:443" {
    server.name = "ssl.example"
    ssl.engine  = "enable"
    # intermediate CA chain, separate from the unified key+cert file
    ssl.ca-file = "/etc/lighttpd/certs/ca-cert-class1.crt"
    ssl.pemfile = "/etc/lighttpd/certs/ssl.example.pem"

    server.document-root = "/var/www/ssl.example/"

    # mitigate BEAST attack
    # (this 2014 list still allows RC4, which RFC 7465 has since prohibited
    # for TLS; drop the RC4 entries on a current server)
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    # mitigate CVE-2009-3555
    ssl.disable-client-renegotiation = "enable"
  }
}

The "X.X.X.X" needs to be your server's IP address, the same IP which the domain in your SSL cert resolves to. Note that the 443 socket has no host condition, so any request arriving there, including one for the non-SSL domain, is answered with the SSL domain's certificate and document root; a browser visiting the non-SSL domain over https will get a certificate warning.

I haven't tested, but you could probably scale this up to host multiple non-SSL domains on the same host as the SSL domain. Hosting multiple SSL domains is well-covered in the lighty documentation.

For the SSL cert and setup I followed Switch to HTTPS Now, For Free over at Eric Mill's blog.

When using lighttpd, you'll also need these instructions to make a unified certificate.
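To go with the config, here is an added shell example (not from the original post, and not lighttpd's own tooling) that builds the unified PEM file ssl.pemfile expects (private key first, then the certificate), checks that the result is laid out and permissioned sanely, and then tests the finished http/https split with curl. The file names and the plain.example / ssl.example hostnames are assumptions standing in for your own.

```shell
#!/bin/sh
# Added example: unified PEM for lighttpd's ssl.pemfile plus a smoke test of
# the http/https split. plain.example / ssl.example are placeholder hostnames.

# make_unified_pem KEY CERT OUT
# Concatenates key + cert into OUT, created with mode 0600 so the private key
# is never world-readable, even briefly. Returns 1 if either input is not PEM.
make_unified_pem() {
  key=$1; crt=$2; out=$3
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || {
    echo "make_unified_pem: $key does not contain a PEM private key" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" || {
    echo "make_unified_pem: $crt does not contain a PEM certificate" >&2; return 1; }
  # umask in a subshell: the file is born 0600, before any key bytes land in it
  ( umask 077; rm -f "$out"; cat "$key" "$crt" > "$out" ) || return 1
  check_unified_pem "$out"
}

# check_unified_pem FILE
# Returns 0 only if FILE holds exactly one private key, the key comes before
# the first certificate, at least one certificate is present, and the file is
# not readable by group or other.
check_unified_pem() {
  f=$1
  nkey=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
  ncrt=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  [ "$nkey" -eq 1 ] || { echo "check_unified_pem: expected 1 key in $f, found $nkey" >&2; return 1; }
  [ "$ncrt" -ge 1 ] || { echo "check_unified_pem: no certificate in $f" >&2; return 1; }
  keyline=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$f" | head -n1 | cut -d: -f1)
  crtline=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | head -n1 | cut -d: -f1)
  [ "$keyline" -lt "$crtline" ] || { echo "check_unified_pem: key must precede cert in $f" >&2; return 1; }
  # group/other permission bits via ls, since stat(1) flags differ between GNU and BSD
  mode=$(ls -l "$f" | cut -c5-10)
  [ "$mode" = "------" ] || { echo "check_unified_pem: $f is readable by group/other ($mode)" >&2; return 1; }
  return 0
}

# check_split PLAIN_HOST SSL_HOST
# Verifies what the config is meant to produce (needs network access to the
# server, so it is not part of the offline checks):
#   http://PLAIN_HOST/  answers 200 over plain http
#   http://SSL_HOST/    redirects to https://SSL_HOST/
#   https://SSL_HOST/   presents a certificate that validates for SSL_HOST
check_split() {
  plain=$1; ssl=$2
  code=$(curl -s -o /dev/null -w '%{http_code}' "http://$plain/" || true)
  [ "$code" = "200" ] || { echo "http://$plain/ returned '$code'" >&2; return 1; }
  loc=$(curl -s -o /dev/null -w '%{redirect_url}' "http://$ssl/" || true)
  case $loc in
    https://"$ssl"/*) ;;
    *) echo "http://$ssl/ redirected to '$loc', expected https://$ssl/" >&2; return 1 ;;
  esac
  # curl exits non-zero if the chain does not validate; --fail also catches HTTP errors
  curl -s --fail -o /dev/null "https://$ssl/" || { echo "https://$ssl/ failed TLS or HTTP" >&2; return 1; }
  echo "split OK: $plain plain, $ssl redirected and served over TLS"
}

# Usage: sh unified-pem.sh KEY CERT OUT   (then run check_split by hand)
if [ $# -eq 3 ]; then
  make_unified_pem "$1" "$2" "$3" && echo "wrote $3"
fi
```

The order check matters because lighttpd reads the key and certificate from the one file; the mode check matters because the file holds the private key and is read by the server before it drops privileges, so nothing else on the box should be able to read it.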

