
How to implement SSL on Lighttpd 1.4.26

Eyal Estrin
Author of Cloud Security Handbook & Security for Cloud Native Applications. Cloud Adoption & Cybersecurity expert.

Pre-installation notes

The guide below is based on the previous guide, Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition).

SSL implementation phase

  1. Login to the server using the Root account.
  2. Create a folder for the SSL certificate files:
       mkdir -p /etc/lighttpd/ssl
       chmod 600 /etc/lighttpd/ssl
  3. Run the command below to generate a key pair:
       /usr/bin/openssl genrsa -des3 -out /etc/lighttpd/ssl/server.key 1024
     Note: Specify a complex pass phrase for the private key (and document it).
  4. Run the command below to generate the CSR:
       /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
     Note: The command above should be written as one line.
  5. Send the file /tmp/lighttpd.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (including those two lines) into notepad, and save the file as “server.crt”.
  7. Copy the file “server.crt” using SCP into /etc/lighttpd/ssl/
  8. Combine the content of both the private key (server.key) and the public key (server.crt) into one file:
       cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pem
     Note: The command above should be written as one line.
  9. Remove the original server.crt file:
       rm -f /etc/lighttpd/ssl/server.crt
  10. Follow the link in the email from the CA server to create the Root CA chain, and save it as “ca-bundle.crt” (Note: the file must be PEM (base64) encoded).
  11. Copy the file “ca-bundle.crt” using SCP into /etc/lighttpd/ssl
  12. Edit the file /etc/lighttpd/lighttpd.conf using VI and add the following block:
       $SERVER["socket"] == "Server_FQDN:443" {
           ssl.engine = "enable"
           ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
           ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
           server.name = "Server_FQDN"
           server.document-root = "/www"
           server.errorlog = "/var/log/lighttpd/serror.log"
           accesslog.filename = "/var/log/lighttpd/saccess.log"
           ssl.use-sslv2 = "disable"
           ssl.cipher-list = "HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
       }
  13. Restart the Lighttpd service.
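As an added post-installation check (example code, not part of the original guide): a POSIX shell script that verifies what steps 2, 8 and 10 should have produced before the service is restarted. It confirms that server.pem holds one unencrypted private key and a certificate whose public key belongs to it, that ca-bundle.crt is PEM and validates the server certificate, and that nothing in the SSL folder is group- or world-readable. The default paths are the guide's; the SSL_DIR variable and every function name are this example's own.

```shell
#!/bin/sh
# Post-install check for the layout this guide produces (example code, not
# part of the guide). Paths default to the guide's; SSL_DIR overrides them.
SSL_DIR="${SSL_DIR:-/etc/lighttpd/ssl}"

# Count the PEM blocks in $1 whose "BEGIN" header ends with type $2.
pem_count() {
    n=$(grep -c "^-----BEGIN .*$2-----" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}
# Step 8: exactly one private key plus at least one certificate, and the key
# must be unencrypted (step 4's -nodes), since lighttpd starts unattended.
check_pem_layout() {
    [ "$(pem_count "$1" 'PRIVATE KEY')" -eq 1 ] || return 1
    [ "$(pem_count "$1" CERTIFICATE)" -ge 1 ] || return 1
    ! grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED' "$1"
}
# Step 10: the CA chain must be PEM encoded, i.e. contain certificate blocks.
check_ca_bundle() { [ "$(pem_count "$1" CERTIFICATE)" -ge 1 ]; }

# The certificate's public key must belong to the private key next to it.
check_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}
# The server certificate in $1 must validate against the CA bundle $2.
check_chain() {
    leaf=$(mktemp) || return 1
    openssl x509 -in "$1" -out "$leaf" 2>/dev/null &&
        openssl verify -CAfile "$2" "$leaf" >/dev/null 2>&1; rc=$?
    rm -f "$leaf"; return "$rc"
}
# Step 2: key material must carry no group or world permission bits.
check_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Run every check against a directory; returns 1 if any check fails.
run_checks() {
    fail=0
    for c in "check_private $1" "check_private $1/server.pem" \
             "check_pem_layout $1/server.pem" "check_ca_bundle $1/ca-bundle.crt" \
             "check_key_matches_cert $1/server.pem" \
             "check_chain $1/server.pem $1/ca-bundle.crt"; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fail=1; fi
    done
    return "$fail"
}

if [ "${1:-}" = "run" ]; then run_checks "$SSL_DIR"; fi
```

Run it as `sh check_lighttpd_ssl.sh run` on the server; a FAIL line on check_key_matches_cert usually means the key in server.pem is not the one the CSR was made from.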