@BlueT BlueT/10-ssl.conf
Last active Jan 8, 2019

lighttpd + letsencrypt + my config = A+ score on ssllabs
# Replace [YOUR_DOMAIN_NAME] by your real domain
server.modules += ( "mod_setenv" ) # For HSTS

$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/combined.pem"
    ssl.ca-file = "/etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/fullchain.pem"
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    # Note: "!DES" removes only single DES. The *-DES-CBC3-SHA suites (3DES, a 64-bit block
    # cipher affected by SWEET32) stay in this list and are rated weak by SSL Labs; drop them
    # unless you must serve clients that offer nothing better.
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
    ssl.honor-cipher-order = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options" => "SAMEORIGIN",
        "X-Content-Type-Options" => "nosniff"
    )
    setenv.add-environment = (
        "HTTPS" => "on"
    )
}

$SERVER["socket"] == "[::]:443" { # For IPv6
    # ...Same setting as above...
}

alias.url += (
    "/.well-known/acme-challenge/" => "/var/www/.well-known/acme-challenge/"
)

# If you want to specify cert for dedicated domain
# Replace [YOUR_DOMAIN_NAME] by your real domain, and [YOUR_SITE_CONTENT_FOLDER] by your web content
$HTTP["host"] == "[YOUR_DOMAIN_NAME]" {
    server.document-root = "[YOUR_SITE_CONTENT_FOLDER]"
    # ...Same setting as above...
}

# Replace [YOUR_DOMAIN_NAME] by your real domain
YOUR_DOMAIN_NAME="www.example.com"
sudo apt install letsencrypt openssl
sudo letsencrypt certonly --webroot -w /var/www/ -d "$YOUR_DOMAIN_NAME"
# lighttpd reads key and certificate from one file; letsencrypt does not write combined.pem itself
sudo sh -c "cat /etc/letsencrypt/live/$YOUR_DOMAIN_NAME/privkey.pem /etc/letsencrypt/live/$YOUR_DOMAIN_NAME/cert.pem > /etc/letsencrypt/live/$YOUR_DOMAIN_NAME/combined.pem"
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

#!/bin/bash
# Replace [YOUR_DOMAIN_NAME] by your real domain
YOUR_DOMAIN_NAME="www.example.com"
letsencrypt renew \
&& cat "/etc/letsencrypt/live/$YOUR_DOMAIN_NAME/privkey.pem" "/etc/letsencrypt/live/$YOUR_DOMAIN_NAME/cert.pem" > "/etc/letsencrypt/live/$YOUR_DOMAIN_NAME/combined.pem" \
&& service lighttpd reload
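A safer version of the combine-and-reload step above, added here as an example and not the gist author's script: it refuses to deploy a privkey.pem/cert.pem pair whose public keys differ, writes combined.pem with mode 0600 through an atomic rename, and reloads lighttpd only after the configuration still parses. It assumes the standard certbot layout /etc/letsencrypt/live/<domain>/{privkey,cert}.pem, lighttpd 1.4.42 or newer for `-tt`, and, for the hook mode, a certbot release that supports `--deploy-hook` and exports `RENEWED_LINEAGE`.

```shell
#!/bin/bash
# Added example, not the gist author's script: a safer combine-and-reload step.
# Assumes the certbot layout /etc/letsencrypt/live/<domain>/{privkey,cert}.pem;
# the directory is a parameter so the functions can be exercised against a scratch copy.
set -eu

# Return 0 when the private key and the certificate carry the same public key
# (both printed as PEM SubjectPublicKeyInfo and compared as text).
# Deploying a mismatched pair makes lighttpd refuse to start on reload.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Write privkey.pem + cert.pem to combined.pem with mode 0600 via a temp file and an
# atomic rename, so nobody can ever read a half-written or world-readable copy.
build_combined_pem() {
    live_dir="$1"
    if ! key_matches_cert "$live_dir/privkey.pem" "$live_dir/cert.pem"; then
        echo "privkey.pem does not match cert.pem in $live_dir" >&2
        return 1
    fi
    tmp=$(mktemp "$live_dir/.combined.XXXXXX")
    chmod 0600 "$tmp"
    cat "$live_dir/privkey.pem" "$live_dir/cert.pem" > "$tmp"
    mv -f "$tmp" "$live_dir/combined.pem"
}

# Reload only if the configuration still parses (lighttpd -tt, 1.4.42 or newer);
# a failed reload would otherwise leave the old process serving the expiring cert.
reload_lighttpd() {
    lighttpd -tt -f /etc/lighttpd/lighttpd.conf && service lighttpd reload
}

# Hook mode: certbot renew --deploy-hook "/path/to/this-script --deploy"
# certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<domain> of the renewed cert.
if [ "${1:-}" = "--deploy" ]; then
    build_combined_pem "$RENEWED_LINEAGE" && reload_lighttpd
fi
```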
keith24 commented Nov 13, 2018

I have $SERVER["socket"] == ":443" in my config. Won't that work for both IPv4 and IPv6?

bparker06 commented Jan 8, 2019

Can you also post your DH parameters please?
