There are several forum threads and lighty wiki articles about this, but none really cover a concise example of how to do it. Many parts of the documentation are confusing and non-obvious, and the situation is not helped by the fact that you cannot do name-based SSL hosting, so what you would expect to be the logical configuration doesn't work.
After staring at these for a few hours:
- Documentation: Module: mod_redirect
- How to redirect www
- How to redirect http to https
- Simple SSL configuration
- Documentation: Secure HTTP
$HTTP["scheme"] == "http" {
    # plain-HTTP site, served directly from port 80
    $HTTP["host"] =~ "(^|\.)without\.com" {
        server.name = "without.com"
        server.document-root = "/var/www/without.com"
    }
    # the SSL site: anything arriving over plain HTTP is sent to https, keeping the path ($0)
    else $HTTP["host"] =~ "(^|\.)withssl\.com" {
        url.redirect = (".*" => "https://www.withssl.com$0")
    }
}
$HTTP["scheme"] == "https" {
    # SSL is bound to the IP:port, not to the host name
    $SERVER["socket"] == "X.X.X.X:443" {
        server.name = "withssl.com"
        ssl.engine = "enable"
        ssl.ca-file = "/etc/lighttpd/certs/ca-cert-class1.crt"
        # the pemfile must hold the certificate and the private key in one file
        ssl.pemfile = "/etc/lighttpd/certs/withssl.com.crt"
        server.document-root = "/var/www/withssl.com"
        # mitigate BEAST attack (this list dates from the BEAST era; RC4 is now considered weak,
        # and a current TLS stack should prefer AES-GCM suites instead)
        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        # mitigate CVE-2009-3555
        ssl.disable-client-renegotiation = "enable"
    }
}
The "X.X.X.X" needs to be your server's IP address, the same IP that the domain in your SSL cert resolves to.
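As an added check (not part of the original post, and not a lighttpd tool), here is a small Python script that flattens a config of the shape above and verifies the properties that matter: ssl.engine and ssl.pemfile live in the https block, client renegotiation is disabled there, and the SSL host's plain-HTTP block carries a catch-all redirect to https. The parser only understands the `$HTTP[...]`/`$SERVER[...]` conditional and `key = value` syntax used on this page, and the embedded SAMPLE is a constructed cut-down of the config above.

```python
import re

# Matches '$HTTP["host"] =~ "..." {' (optionally prefixed by 'else') and 'key = value' lines.
COND_RE = re.compile(r'^(?:else\s+)?\$(HTTP|SERVER)\["(\w+)"\]\s*(==|!=|=~|!~)\s*"([^"]*)"\s*\{$')
ASSIGN_RE = re.compile(r'^([\w.-]+)\s*=\s*(.+)$')
# Constructed sample: the relevant lines of the config above, not a full lighttpd.conf.
SAMPLE = r'''
$HTTP["scheme"] == "http" {
  $HTTP["host"] =~ "(^|\.)without\.com" {
    server.document-root = "/var/www/without.com"
  }
  else $HTTP["host"] =~ "(^|\.)withssl\.com" {
    url.redirect = (".*" => "https://www.withssl.com$0")
  }
}
$HTTP["scheme"] == "https" {
  $SERVER["socket"] == "X.X.X.X:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/withssl.com.crt"
    ssl.disable-client-renegotiation = "enable"
  }
}
'''
def parse_lighttpd(text):
    """Flatten the config into (enclosing_conditions, key, value); a condition is
    (var, field, op, pattern), e.g. ('HTTP', 'scheme', '==', 'https')."""
    stack, settings = [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments; blank lines match nothing
        cond, assign = COND_RE.match(line), ASSIGN_RE.match(line)
        if cond:
            stack.append(cond.groups())
        elif line == '}':
            stack.pop()
        elif assign:
            settings.append((tuple(stack), assign.group(1), assign.group(2).strip()))
    return settings

def check_config(text, ssl_host):
    """Return a list of problems; an empty list means the http/https split looks right."""
    settings = parse_lighttpd(text)
    in_scheme = lambda c, s: any(f == 'scheme' and p == s for _, f, _, p in c)
    https = {k: v for c, k, v in settings if in_scheme(c, 'https')}
    redirects = [v for c, k, v in settings if k == 'url.redirect' and in_scheme(c, 'http')
                 and any(f == 'host' and re.search(p, ssl_host) for _, f, _, p in c)]
    checks = [
        (https.get('ssl.engine') == '"enable"', 'https block does not enable ssl.engine'),
        ('ssl.pemfile' in https, 'https block has no ssl.pemfile'),
        (https.get('ssl.disable-client-renegotiation') == '"enable"',
         'client renegotiation not disabled (CVE-2009-3555)'),
        (any('".*"' in r and 'https://' in r and '$0' in r for r in redirects),
         'no catch-all https redirect for ' + ssl_host)]
    return [msg for ok, msg in checks if not ok]
```

Run `check_config(open('/etc/lighttpd/lighttpd.conf').read(), 'withssl.com')` against your own file; an empty list means the four checks passed.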
I haven't tested, but you could probably scale this up to host multiple non-SSL domains on the same host as the SSL domain. Hosting multiple SSL domains is well-covered in the lighty documentation.
I got the SSL cert and did the setup by following Switch to HTTPS Now, For Free over at Eric Mill's blog.
When using lighttpd, you'll also need these instructions to make a unified certificate.