
Monday, January 23, 2017

Let's Encrypt - Lighttpd - Free HTTPS

1. Prepare the SSL certificate

$ su

Generate the SSL certificate (see the companion post):
http://jasonmun.blogspot.my/2017/01/lets-encrypt-nginx-https.html

Then,

$ cd /etc/letsencrypt/live/member.dlinkddns.com
$ cat privkey.pem cert.pem > ssl.pem

$ cd /etc/ssl/certs
$ openssl dhparam -out dhparam.pem 4096

2. Configuration

Ubuntu (if the installed Lighttpd is the Ubuntu package)
$ gedit /etc/lighttpd/conf-available/10-ssl.conf
Other Linux
$ gedit /etc/lighttpd/lighttpd.conf

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"

    ssl.pemfile = "/etc/letsencrypt/live/member.dlinkddns.com/ssl.pem"
    ssl.ca-file = "/etc/letsencrypt/live/member.dlinkddns.com/fullchain.pem"

    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"

    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    # ssl.use-compression = "disable"

    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )

    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
}


Force HTTPS
$ gedit /etc/lighttpd/lighttpd.conf

$HTTP["scheme"] == "http" {
    # capture the vhost name with a regex conditional -> %0 in the redirect pattern
    # must be the innermost block enclosing the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

3. Enable HSTS

$ gedit /etc/lighttpd/lighttpd.conf

server.modules += ( "mod_setenv" )

$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload" )
}
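
To confirm that a Lighttpd configuration actually carries the hardening settings from steps 2 and 3 before the server is restarted, here is an added Python audit script (it is not part of the original post). The configuration it parses is a constructed sample with the placeholder hostname example.invalid, and the one-year lower bound on the HSTS max-age is the preload list's current requirement.

```python
import re
# Constructed sample config: the socket block from this post, with a placeholder hostname
SAMPLE_CONF = """
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/example.invalid/ssl.pem"
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.honor-cipher-order = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload"
    )
}
"""
# Settings the post expects, with the value each must have
REQUIRED = {
    "ssl.engine": "enable",
    "ssl.honor-cipher-order": "enable",
    "ssl.use-sslv2": "disable",
    "ssl.use-sslv3": "disable",
}

def parse_settings(conf: str) -> dict:
    """Map key -> value for simple `key = "value"` lines; '#' comments are ignored."""
    settings = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^([\w.\-]+)\s*=\s*"([^"]*)"$', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def hsts_max_age(conf: str):
    """Return the max-age from a Strict-Transport-Security response header, or None."""
    m = re.search(r'"Strict-Transport-Security"\s*=>\s*"[^"]*max-age=(\d+)', conf)
    return int(m.group(1)) if m else None

def audit(conf: str) -> list:
    """Return findings for settings missing or weaker than the post's; empty list = pass."""
    settings = parse_settings(conf)
    findings = []
    for key, expected in REQUIRED.items():
        if settings.get(key) != expected:
            findings.append(f'{key} should be "{expected}", found {settings.get(key)!r}')
    findings += [f"{k} is not set" for k in ("ssl.pemfile", "ssl.dh-file") if k not in settings]
    age = hsts_max_age(conf)
    if age is None or age < 31536000:  # preload list requires max-age of at least one year
        findings.append(f"HSTS max-age missing or below one year: {age}")
    return findings
```

Run `audit(open("/etc/lighttpd/lighttpd.conf").read())` (or the Ubuntu 10-ssl.conf) and an empty list means every setting the post relies on is present.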

4. Enable the module

Ubuntu (if the installed Lighttpd is the Ubuntu package)
$ lighty-enable-mod ssl

5. Test the configuration and restart

$ lighttpd -t -f /etc/lighttpd/lighttpd.conf

$ systemctl restart lighttpd
