lighttpd + ipv6 + tls (dehydrated)

Tue, 26. Apr 2022

Categories: en sysadmin Tags: lighttpd letsencrypt TLS ipv6

Years after having set up Let's Encrypt with dehydrated (a big thank you!), I was forced to revisit the configs due to an OS update (Devuan Chimaera).

And, finally, I wanted an IPv4/IPv6 dual stack if possible. The prospect of having all lighttpd TLS configuration settings duplicated per socket was unpleasant, however.

The final result came with a pleasant surprise in simplicity (lines 18 and 19): enabling ssl.engine is the only setting each socket needs, no other TLS setting has to be repeated, and the configuration still earns an SSL Labs 'A+' rating:

 1# /etc/lighttpd/conf-available/12-tls-dehydrated.conf
 2$HTTP["scheme"] == "http" {
 3  # https://github.com/letsencrypt/letsencrypt/issues/94#issuecomment-156695088
 4  # http://redmine.lighttpd.net/projects/1/wiki/Docs_ModAlias
 5  # https://github.com/lukas2511/dehydrated/blob/master/docs/wellknown.md#lighttpd-example-config
 6  alias.url += (
 7    # must match WELLKNOWN in /var/www/dehydrated/config
 8    "/.well-known/acme-challenge/" => "/var/www/dehydrated/well-known/"
 9  )
10}
11
12# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#Cipher-Selection
13# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.59&config=intermediate&openssl=1.1.1n&guideline=5.6
14server.modules += (
15  "mod_openssl",
16)
17
18$SERVER["socket"] == ":443"     { ssl.engine = "enable" } # ipv4
19$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" } # ipv6
20
21ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
22ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
23# TLS modules besides mod_openssl might name ciphers differently
24# See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
25ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
26
27ssl.pemfile = "/var/www/dehydrated/certs/mro.name/privcert.pem"
28
29include_shell "/etc/lighttpd/conf-available/12-tls-dehydrated.sh"

With the companion dash script, whose output include_shell (line 29) feeds into the configuration as if it had been written there:

#!/bin/sh
# /etc/lighttpd/conf-available/12-tls-dehydrated.sh
# Emit one lighttpd host condition per domain whose certificate is managed
# with https://dehydrated.io/ (pulled in by include_shell in the config).

for pem in /var/www/dehydrated/certs/*/privcert.pem
do
  [ -e "${pem}" ] || continue   # no certs yet: the glob stays literal
  dom="$(basename "$(dirname "${pem}")")"
  # $HTTP["host"] =~ is a regex match: escape the dots so "." does not
  # match any character, and anchor with $ so that e.g. mro.name.example
  # cannot select this certificate
  dom_re="$(printf '%s' "${dom}" | sed 's/\./\\./g')"
  cat <<EOF
\$HTTP["host"] =~ "^(.+\.)?${dom_re}\$" { ssl.pemfile = "${pem}" }
EOF
done

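Because `$HTTP["host"] =~` is a regular-expression match, the domain name has to be escaped and anchored before it is used as the pattern: an unescaped dot matches any character, and a pattern without a trailing `$` also matches longer host names that merely begin with the domain, which would hand out the wrong certificate. The script below is an added example, not part of the original post or of dehydrated. It shows the difference on constructed host names and generates the lighttpd fragment with the escaped, anchored pattern from a temporary directory of empty placeholder files; grep -E stands in for lighttpd's PCRE matcher (the two agree for patterns of this shape), and the function names are mine.

```shell
#!/bin/sh
# Added example: why the host pattern must be escaped and anchored.
# All directory and host names below are made up for the demonstration.

# Turn a literal domain into a regex matching it and its subdomains only,
# e.g. mro.name -> ^(.+\.)?mro\.name$
host_regex() {
  printf '^(.+\\.)?%s$\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Exit 0 if host $2 is matched by ERE pattern $1, 1 otherwise.
host_matches() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Emit one ssl.pemfile condition per <certdir>/<domain>/privcert.pem,
# using the escaped and anchored pattern. $1 = certificate base directory.
gen_pemfile_conf() {
  for pem in "$1"/*/privcert.pem; do
    [ -e "$pem" ] || continue            # unmatched glob stays literal
    dom=$(basename "$(dirname "$pem")")
    printf '$HTTP["host"] =~ "%s" { ssl.pemfile = "%s" }\n' \
      "$(host_regex "$dom")" "$pem"
  done
}

# Demonstration on constructed data (empty files, no real certificates).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/mro.name" "$tmp/example.org"
: > "$tmp/mro.name/privcert.pem"
: > "$tmp/example.org/privcert.pem"
gen_pemfile_conf "$tmp"

# Unescaped, unanchored pattern versus the fixed one, host by host.
for h in mro.name www.mro.name mroXname mro.name.attacker.example; do
  printf '%-28s unanchored:%-5s fixed:%s\n' "$h" \
    "$(host_matches '^(.+\.)?mro.name' "$h" && echo match || echo no)" \
    "$(host_matches "$(host_regex mro.name)" "$h" && echo match || echo no)"
done
```

lighttpd evaluates these conditions against the TLS SNI name to pick ssl.pemfile, and an SNI name never carries a port, so the trailing `$` is safe here; the unanchored pattern lets `mro.name.attacker.example` and even `mroXname` select the mro.name certificate.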
The only setting that has to be duplicated is enabling ssl.engine per socket; everything else suffices once in the global scope. And the TLS settings come ready-made for the precise lighttpd version from ssl-config.mozilla.org.

lighttpd's defaults supply the rest.

Activate that and be good:

$ sudo /usr/sbin/lighty-enable-mod tls-dehydrated
$ sudo service lighttpd restart
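After the restart it is worth confirming that both sockets actually enforce the policy rather than trusting the config. The following script is an added example, not from the original post: it probes each address with openssl s_client, expects TLS 1.0 and 1.1 handshakes to be refused and TLS 1.2 and 1.3 to succeed, and checks that the certificate presented for the SNI name actually covers that name (the per-host ssl.pemfile selection). It assumes OpenSSL 1.1.1 or newer on the client, that the host name given as the first argument is one of the dehydrated domains (mro.name in the post), and defaults to the two loopback addresses; the function names are mine.

```shell
#!/bin/sh
# Added example: probe a lighttpd dual-stack TLS deployment after restart.
# Usage:  sh tls-dualstack-check.sh mro.name [addr ...]
# Assumes openssl 1.1.1+; addresses default to 127.0.0.1 and [::1].

OPENSSL=${OPENSSL:-openssl}   # variable so the logic can be exercised with a stub

# Print "ok" if a handshake to $1:443 with SNI $2 succeeds using version
# flag $3 (-tls1, -tls1_1, -tls1_2 or -tls1_3), "refused" otherwise.
tls_handshake() {
  if "$OPENSSL" s_client -connect "$1:443" -servername "$2" "$3" \
       </dev/null >/dev/null 2>&1; then echo ok; else echo refused; fi
}

# MinProtocol TLSv1.2 in effect: 1.0/1.1 must fail, 1.2/1.3 must succeed.
check_tls_versions() {
  rc=0
  for v in -tls1 -tls1_1; do
    [ "$(tls_handshake "$1" "$2" $v)" = refused ] \
      || { echo "FAIL $1 ($2) accepts $v"; rc=1; }
  done
  for v in -tls1_2 -tls1_3; do
    [ "$(tls_handshake "$1" "$2" $v)" = ok ] \
      || { echo "FAIL $1 ($2) refuses $v"; rc=1; }
  done
  return $rc
}

# Subject and subjectAltName of the leaf certificate presented for SNI $2.
cert_names() {
  "$OPENSSL" s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | "$OPENSSL" x509 -noout -subject -ext subjectAltName
}

# Exit 0 if the presented certificate names $2 (as CN or DNS SAN).
cert_matches_sni() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  cert_names "$1" "$2" | grep -Eq "(DNS:|CN ?= ?)$esc(,|$)"
}

if [ $# -ge 1 ]; then
  sni=$1; shift
  [ $# -ge 1 ] || set -- 127.0.0.1 '[::1]'   # IPv6 literal needs brackets
  status=0
  for addr in "$@"; do
    check_tls_versions "$addr" "$sni" || status=1
    if cert_matches_sni "$addr" "$sni"; then
      echo "OK   $addr presents a certificate for $sni"
    else
      echo "FAIL $addr does not present a certificate for $sni"; status=1
    fi
  done
  exit $status
fi
```

Two caveats: run `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` before the restart so a syntax error in the generated fragment cannot take the server down, and note that an OpenSSL 3 client refuses TLS 1.0/1.1 itself at its default security level, so a "refused" result from such a client proves less about the server than one from an older toolchain.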