Home Explore Help
Sign In
fr33domlover
/
Rel4tion-Wiki
mirror of git://seek-together.space/wiki.git
Watch 1
Star 0
Fork 0
Files Issues 0 Wiki
Tree: 8b3b2bbab2
Branches Tags
Rel4tion-Wiki
/
maint
/
admin
/
Lighttpd_SSL.mdwn

Lighttpd_SSL.mdwn 4.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105 
  1. If you followed the [[tools/systems/admin-guides/SSL]] guide, you probably want
    2. 

  2. your website to use the certificate you generated. And even if you don't run a
    3. 

  3. website, but some other service, you want to make the revocation list and the
    4. 

  4. CA policy page available.
    5. 

  5. 

  6. You can also make the CA certificate available on your website, but that's not
    7. 

  7. the point of this guide. You could also give it to friends on USB sticks or
    8. 

  8. publish it as a torrent or anything like that. What you really need on the
    9. 

  9. server side is:
    10. 

  10. 

  11. 1. Revocation list
    12. 

  12. 2. Policy page
    13. 

  13. 3. Server key
    14. 

  14. 4. Server certificate
    15. 

  15. 

  16. If some information is missing from this page, you can probably find it in
    17. 

  17. lighttpd's documentation, which is more thorough:
    18. 

  18. [here](https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL)
    19. 

  19. 

  20. In the SSL guide, the examples set the revocation list to be at the address
    21. 

  21. <http://cert.partager.null/partager-ca-crl.pem>. Assuming you didn't use a
    22. 

  22. "cert" subdomain until now, it requires that you update your DNS records (add an
    23. 

  23. A record for the "cert" subdomain). Then, in the lighttpd config file
    24. 

  24. `/etc/lighttpd/lighttpd.conf` add a section like this:
    25. 

  25. 

  26. 	## cert host
    27. 

  27. 	$HTTP["host"] == "cert.partager.null" {
    28. 

  28. 	    server.document-root = "/var/www/cert"
    29. 

  29. 	}
    30. 

  30. 

  31. Then place the revocation list inside the document root folder, e.g.
    32. 

  32. `/var/www/cert/partager-ca-crl.pem`.
    33. 

  33. 

  34. The policy page is just a regular page on your website, at the address you
    35. 

  35. specified when creating the CA. I use ikiwiki and the page is
    36. 

  36. <http://www.partager.null/ssl>, so I have an *ssl.mdwn* file on the top-level of
    37. 

  37. my ikiwiki source repository.
    38. 

  38. 

  39. Some servers take the server key and the server certificate as two separate
    40. 

  40. files. But lighttpd doesn't. It takes a single file which is a concatenation of
    41. 

  41. them. The order doesn't matter. You can use a command like this to create the
    42. 

  42. concatenated file:
    43. 

  43. 

  44. 	cat host.key host.crt > host.pem
    45. 

  45. 

  46. Place the resulting PEM file in the folder `/etc/ssl/private` (it's not critical
    47. 

  47. but having all the keys in one folder makes managing them easier). I usually
    48. 

  48. name these files `<host>.pem`, for example `www.partager.null.pem`. Make the
    49. 

  49. file readable obly, only by root. These commands can do that:
    50. 

  50. 

  51. 	# chown root:root www.partager.null.pem
    52. 

  52. 	# chmod 400 www.partager.null.pem
    53. 

  53. 

  54. If you want your website to use *only* SSL, you can put lines like these in the
    55. 

  55. main configuration file:
    56. 

  56. 

  57. 	ssl.engine = "enable" 
    58. 

  58. 	ssl.pemfile = "/etc/ssl/private/www.partager.null.pem"
    59. 

  59. 

  60. You may also need to set the server port to 443.
    61. 

  61. 

  62. If you want to support both HTTP and HTTPS, you can use `$SERVER["socket"]` to
    63. 

  63. make lighttpd enable SSL conditionally. For example:
    64. 

  64. 

  65. 	$SERVER["socket"] == ":443" {
    66. 

  66. 		ssl.engine  = "enable"
    67. 

  67. 		ssl.pemfile = "/etc/ssl/private/www.partager.null.pem"
    68. 

  68. 		
    69. 

  69. 		$HTTP["host"] == "www.partager.null" {
    70. 

  70. 			ssl.pemfile = "/etc/ssl/private/www.partager.null.pem"
    71. 

  71. 		}
    72. 

  72. 		
    73. 

  73. 		$HTTP["host"] == "git.partager.null" {
    74. 

  74. 			ssl.pemfile = "/etc/ssl/private/git.partager.null.pem"
    75. 

  75. 		}
    76. 

  76. 		
    77. 

  77. 		$HTTP["host"] == "files.partager.null" {
    78. 

  78. 			ssl.pemfile = "/etc/ssl/private/files.partager.null.pem"
    79. 

  79. 		}
    80. 

  80. 	}
    81. 

  81. 

  82. The *ssl.pemfile* at the top is the default one used when the *host* is not
    83. 

  83. matched by the `$HTTP["host"]` clauses. It will probably not be used if you
    84. 

  84. define a pemfile for each host you have, but a default pemfile still must be
    85. 

  85. defined.
    86. 

  86. 

  87. Now restart the server:
    88. 

  88. 

  89. 	# service lighttpd restart
    90. 

  90. 

  91. Try browsing to your website using HTTPS. If you haven't told your computer
    92. 

  92. and/or your browser to trust your CA, some browers will display a warning while
    93. 

  93. others will load the webpage but signify somehow that the certificate is not
    94. 

  94. authenticated, e.g. by displaying an open lock image. Firefox derivatives will
    95. 

  95. display an error, while Epiphany and Midori will load the page.
    96. 

  96. 

  97. After this initial test with the browser, you can go to the
    98. 

  98. [[tools/systems/user-guides]] section and learn how a client is configured to
    99. 

  99. trust your CA. Follow the guidelines, and test HTTPS again. You may need to
    100. 

  100. close and reopen the browser. If you see a closed lock icon and no complaints
    101. 

  101. from the browser, you have successfuly managed to add SSL support to your web
    102. 

  102. server.
    103. 

  103. 

  104. [[!img https.png class="center"]]
    105. 

  105.