Ubuntu Reference Guide

part of the WillPowered Inc. network
© 2011 William Hall

Lighttpd\SSL

You need an SSL certificate for a number of reasons, including processing authentication requests with digest or LDAP, or simply wanting more security for a website.

Note that this may require you to become root with "sudo -i" so that you are allowed to create the files in /etc/lighttpd.

You can buy an SSL certificate; here is how to generate a self-signed one instead. Start by installing openssl and changing to the lighttpd directory.

$ sudo apt-get install openssl
$ cd /etc/lighttpd

Now we have to generate an RSA key.

$ sudo openssl genrsa 2048 > the.key

Next we generate the certificate. First run the command, then answer the questions as shown below. Note that the -days value of 365 means this certificate is valid for a year.

$ sudo openssl req -new -x509 -nodes -sha1 -days 365 -key the.key > the.cert
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Lincolnshire
Locality Name (eg, city) []:Lincoln
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WillPowered Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.example.org
Email Address []:support@example.org

Note that the common name is actually the domain that the certificate protects. Using *. makes this a wildcard certificate that will secure multiple example.org subdomains.

Finally, we combine the key and the certificate into a single pem file. You must delete the separate key file afterwards: it is no longer needed, and leaving it lying around is a security risk. We also restrict the permissions on the remaining file so that only root can read it.

$ sudo cat the.cert the.key > the.pem
$ sudo rm the.key the.cert
$ sudo chown root:root the.pem
$ sudo chmod 400 the.pem
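A scripted version of the key, certificate and pem steps above, followed by checks on the resulting file, as an added example that is not from the original guide. It writes into whatever directory you pass (so it can be run unprivileged and the pem copied to /etc/lighttpd afterwards), uses -sha256 in place of the guide's -sha1 because SHA-1 certificate signatures are rejected by current browsers, and the subject values and the function names make_selfsigned_pem and check_pem are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the guide: scripted version of the key,
# certificate and .pem steps, followed by checks on the result.
# Uses -sha256 rather than the guide's -sha1 (SHA-1 signatures are
# rejected by current browsers) and works in any directory, so it can be
# run unprivileged and the .pem copied to /etc/lighttpd afterwards.
set -e

# make_selfsigned_pem DIR COMMON_NAME DAYS
# Writes DIR/the.pem (certificate followed by key), removes the separate
# key and cert files, and makes the .pem readable by its owner only.
make_selfsigned_pem() {
    dir=$1; cn=$2; days=$3
    # Same answers as the interactive prompts in the guide (constructed values).
    subj="/C=UK/ST=Lincolnshire/L=Lincoln/O=WillPowered Inc./CN=$cn/emailAddress=support@example.org"
    openssl genrsa -out "$dir/the.key" 2048 2>/dev/null
    openssl req -new -x509 -nodes -sha256 -days "$days" \
        -key "$dir/the.key" -subj "$subj" -out "$dir/the.cert" 2>/dev/null
    cat "$dir/the.cert" "$dir/the.key" > "$dir/the.pem"
    rm -f "$dir/the.key" "$dir/the.cert"   # the .pem now holds both
    chmod 400 "$dir/the.pem"
}

# check_pem PEM COMMON_NAME
# Returns 0 only if the .pem holds a certificate with the expected CN
# that is currently valid, a private key matching that certificate, and
# mode 400 permissions; otherwise prints the problem and returns 1.
check_pem() {
    pem=$1; cn=$2
    subject=$(openssl x509 -in "$pem" -noout -subject)
    case "$subject" in
        *"CN = $cn"*|*"CN=$cn"*) ;;                  # new and old OpenSSL formats
        *) echo "unexpected subject: $subject"; return 1 ;;
    esac
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired"; return 1; }
    cert_mod=$(openssl x509 -in "$pem" -noout -modulus)
    key_mod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] \
        || { echo "private key does not match certificate"; return 1; }
    [ "$(ls -ld "$pem" | cut -c2-10)" = "r--------" ] \
        || { echo "$pem should be mode 400"; return 1; }
    echo "$pem OK: $subject"
}
```

Run check_pem against /etc/lighttpd/the.pem after copying it into place to confirm the key and certificate still belong together and that the 400 permissions survived the copy.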

Now we have to make a separate directory to store the SSL website in. You can't use /var/www or a subdirectory of it, because the same files would then also be served over plain HTTP and people could bypass the SSL.

$ sudo mkdir /var/https

Having made the certificate and the directory, we have to combine the two in the configuration file, /etc/lighttpd/lighttpd.conf. Add the following to the end of the file.

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/the.pem"
    $HTTP["host"] == "ssl.example.org" {
        server.document-root = "/var/https"
    }
    $HTTP["host"] != "ssl.example.org" {
        $HTTP["host"] =~ "^(.*)$" {
            url.redirect = ( "^.*" => "http://%1" )
        }
    }
}
$SERVER["socket"] == ":80" {
    $HTTP["host"] == "ssl.example.org" {
        url.redirect = ( "^.*" => "https://ssl.example.org" )
    }
}

If you are going to use multiple SSL certificates then your lighttpd.conf entry could look like this:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    $HTTP["host"] == "ssl.example.org" {
        ssl.pemfile = "/etc/lighttpd/certs/ssl.example.org.pem"
        server.document-root = "/var/https"
    }
    $HTTP["host"] == "ssl2.example.org" {
        ssl.pemfile = "/etc/lighttpd/certs/ssl2.example.org.pem"
        server.document-root = "/var/https2"
    }
    $HTTP["host"] !~ "^(ssl|ssl2)\.example.org" {
        $HTTP["host"] =~ "^(.*)$" {
            url.redirect = ( "^.*" => "http://%1" )
        }
    }
}
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ "^(ssl|ssl2)\.(example.org)" {
        url.redirect = ( "^.*" => "https://%1.%2" )
    }
}

You might also specify an ssl.ca-file for each ssl.pemfile.

If you are just using a single wildcard SSL certificate, simply omit the ssl.pemfile line from each $HTTP["host"] block above and put it directly below the ssl.engine line instead.
