Lighttpd Secure Configuration

Reference:

In the core lighttpd.conf, specify the following for security:

server.username = "lighttpd"
server.groupname = "lighttpd"

These make lighttpd drop root privileges after startup and run as the unprivileged lighttpd user and group.

server.tag = "lighttpd"

Sets the server name and version string that lighttpd advertises (this is the default). Hiding the real name and version is a security feature; you can set it as follows:

server.tag = "myWebServer v1.0"

index-file.names = ( "index.php", "index.html" )

A list of files to search for if a directory is requested. Include only the files you know you will use.

dir-listing.activate = "disable"

Directory listing is disabled by default, so this line is not strictly needed in the config file; the accepted values are "enable" and "disable". For more information on this feature, see http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModDirlisting

You may need to enable the following modules:

server.modules = (
"mod_access",
"mod_accesslog",
"mod_fastcgi",
"mod_rewrite",
"mod_auth"
)

  • mod_access: denies access to files whose paths end with the given suffixes (see url.access-deny below).
  • mod_accesslog: writes access logs in CLF, configurable much like Apache's.
  • mod_fastcgi: FastCGI support for Perl, PHP, etc.
  • mod_rewrite: URL rewriting, useful for SEO-friendly URLs.
  • mod_auth: authentication (password-protected directories).

To deny certain files:

mod_access must be enabled. Then add the following into lighttpd.conf if you want to deny access to any file ending with '~' or '.inc':

url.access-deny = ( "~", ".inc" )

To protect different directories with different password files:

Lighttpd Protect Different Directories With Different Password Files gives very clear instructions on this.

Allow only certain IPs to have access to a directory:

In lighttpd.conf, add the following to limit access to www.example.org/admin to the listed IP addresses:

$HTTP["host"] == "www.example.org" {
    # !~ is a Perl-style regular-expression non-match
    $HTTP["remoteip"] !~ "^(200\.19\.1\.5|210\.45\.2\.7)$" {
        $HTTP["url"] =~ "^/admin/" {
            url.access-deny = ( "" )
        }
    }
}

Deny access unless the user comes from 10.0.0.0/8:

$HTTP["host"] == "www.example.org" {
    $HTTP["remoteip"] != "10.0.0.0/8" {
        url.access-deny = ( "" )
    }
}

Enable SSL:

Reference:

Enable https and multiple sockets:

# multiple sockets
$SERVER["socket"] == "127.0.0.1:81" {
    server.document-root = "..."
}
$SERVER["socket"] == "127.0.0.1:443" {
    ssl.pemfile = "/var/www/certs/localhost.pem"
    ssl.engine = "enable"
    server.document-root = "/var/www/htdocs/secure.example.org/pages/"
}

Set up Strong Encryption

SSLv2 should be disabled in lighttpd.conf:

ssl.use-sslv2 = "disable"
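As an added example (not code from the original page or from the lighttpd project), the following Python script audits a lighttpd.conf against the hardening items above: it parses the global key = value assignments, skips conditional blocks, and reports each setting that is missing or weak. The embedded sample configuration is constructed for illustration.

```python
import re
# Constructed sample lighttpd.conf (not a real server's config): it drops privileges and
# hides the version, but still allows directory listings and SSLv2 and forgets '~' files.
SAMPLE_CONF = """
server.modules = ( "mod_access", "mod_accesslog" )
server.username  = "lighttpd"
server.groupname = "lighttpd"
server.tag = "myWebServer v1.0"   # hide the real name and version
dir-listing.activate = "enable"
url.access-deny = ( ".inc" )
ssl.use-sslv2 = "enable"
$HTTP["host"] == "www.example.org" {
    url.access-deny = ( "" )
}
"""
ASSIGN = re.compile(r'^\s*([\w.-]+)\s*=\s*(.+?)\s*$')

def parse_conf(text):
    """Global key = value lines -> dict (strings as str, ( "a", "b" ) as tuple).
    Comments are dropped; lines inside $HTTP[...] { } blocks are skipped."""
    settings, depth = {}, 0
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # sample has no '#' inside strings
        depth += line.count('{') - line.count('}')
        m = ASSIGN.match(line)
        if depth != 0 or not m:
            continue
        key, raw = m.groups()
        if raw.startswith('('):
            settings[key] = tuple(re.findall(r'"([^"]*)"', raw))
        else:
            settings[key] = raw.strip('"')
    return settings

def audit(settings):
    """Return one finding per hardening item from the page that is not met."""
    findings = []
    if settings.get('server.username') in (None, 'root') or not settings.get('server.groupname'):
        findings.append('server.username/server.groupname: root privileges are not dropped')
    if settings.get('server.tag', 'lighttpd') == 'lighttpd':
        findings.append('server.tag: left at the default, advertises lighttpd')
    if settings.get('dir-listing.activate', 'disable') != 'disable':
        findings.append('dir-listing.activate: directory listings are enabled')
    deny = set(settings.get('url.access-deny', ()))
    for suffix in ('~', '.inc'):
        if suffix not in deny:
            findings.append(f'url.access-deny: "{suffix}" files are not denied')
    if settings.get('ssl.use-sslv2', 'enable') != 'disable':
        findings.append('ssl.use-sslv2: SSLv2 is not explicitly disabled')
    return findings
```

Run `audit(parse_conf(open('/etc/lighttpd/lighttpd.conf').read()))` to check a real file; an empty list means every item on this page is satisfied at the global level.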