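# Install certbot. "letsencrypt" is only the old transitional package name and
# merely depends on certbot, whose binary is what the next step invokes.
# These package and /etc steps need root (the service commands at the end of
# this guide use sudo; the earlier ones silently assume a root shell).
apt update && apt install certbot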
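# Issue one certificate for both names using the webroot challenge
# (-w must be the directory lighttpd serves for these hosts).
# lighttpd reads a single key+cert file (combined.pem) that certbot does not
# maintain, so it would go stale at the first automatic renewal. The deploy
# hook runs after every successful issue/renewal and is stored in the renewal
# config; $RENEWED_LINEAGE is set by certbot to the live/<name> directory.
# umask 077 keeps the file containing the private key readable by root only.
certbot certonly --webroot -w /var/www/domain.tld -d domain.tld -d www.domain.tld \
  --deploy-hook 'umask 077; cat "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/cert.pem" > "$RENEWED_LINEAGE/combined.pem" && service lighttpd force-reload'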
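# Build the single PEM that lighttpd's ssl.pemfile expects: private key first,
# then the leaf certificate. The cd must not fail silently, otherwise cat
# would write combined.pem into whatever the current directory happens to be.
cd /etc/letsencrypt/live/domain.tld/ || exit 1
# combined.pem contains the private key: create it with mode 0600 (umask in a
# subshell so the interactive shell's umask is untouched) and tighten the mode
# in case an earlier, wider-permission copy already existed.
( umask 077 && cat privkey.pem cert.pem > combined.pem ) && chmod 600 combined.pem
# NOTE: certbot renews privkey.pem/cert.pem but never rewrites combined.pem;
# rebuild it after each renewal (e.g. from a certbot --deploy-hook) or
# lighttpd keeps serving the expired certificate.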
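# Directory holding per-host configuration files (enabled later by symlinking
# them into conf-enabled). -p makes the step safe to repeat.
mkdir -p -- /etc/lighttpd/conf-hosts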
# Create the HTTPS vhost file with the listing that follows; the file name
# must match the symlink target used when enabling it below.
nano /etc/lighttpd/conf-hosts/hosts-ssl.conf
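# HTTPS listener for domain.tld / www.domain.tld.
# Key and certificate paths point at certbot's live/ directory, whose *.pem
# entries are symlinks that certbot updates on renewal; combined.pem is the
# one file there certbot does not maintain and must be rebuilt after renewal.
$SERVER["socket"] == ":443" {
  protocol = "https://"
  ssl.engine = "enable"
  server.name = "domain.tld"
  # Document root for requests whose Host header matches no vhost below.
  # NOTE(review): /var/www/ is the parent of every vhost root, so a request
  # with an unexpected Host name is served the directory tree of all sites;
  # point this at a dedicated, empty directory once one exists.
  server.document-root = "/var/www/"
  # Environment flag for HTTPS enabled
  #setenv.add-environment = "HTTPS" => "on"
  # pemfile is cert + privkey (combined.pem built above);
  # ca-file is the intermediate chain only. certbot's chain.pem holds exactly
  # that, whereas fullchain.pem also repeats the leaf certificate, which is
  # not what a chain file is meant to contain.
  # dh2048.pem is NOT created by the steps in this guide; generate it first,
  # e.g. `openssl dhparam -out /etc/lighttpd/ssl/dh2048.pem 2048`, since
  # lighttpd expects the file to exist when it loads this socket.
  ssl.dh-file = "/etc/lighttpd/ssl/dh2048.pem"
  ssl.ca-file = "/etc/letsencrypt/live/domain.tld/chain.pem"
  ssl.pemfile = "/etc/letsencrypt/live/domain.tld/combined.pem"
  # The certificate was issued for both domain.tld and www.domain.tld, so
  # match both names here; with a plain == "domain.tld" the www name fell
  # through to the default document root above. (=~ requires lighttpd built
  # with PCRE support, as distribution packages normally are.)
  $HTTP["host"] =~ "^(www\.)?domain\.tld$" {
    server.document-root = "/var/www/domain.tld/"
    ssl.ca-file = "/etc/letsencrypt/live/domain.tld/chain.pem"
    ssl.pemfile = "/etc/letsencrypt/live/domain.tld/combined.pem"
  }
  # ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`)
  ssl.ec-curve = "secp384r1"
  # Make the server prefer the order of the server side cipher suite instead of the client suite.
  # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
  # This option is enabled by default, but only used if ssl.cipher-list is set.
  #
  ssl.honor-cipher-order = "enable"
  # Mitigate BEAST attack:
  #
  # A stricter base cipher suite. For details see:
  # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
  #
  #ssl.cipher-list = "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-CHACHA20-POLY1305 AES128+EECDH:AES128+EDH:!aNULL:!eNULL"
  # NOTE(review): "HIGH" is a broad OpenSSL alias that still admits suites
  # without forward secrecy (plain RSA key exchange) and CBC modes; the
  # commented list above restricts to ECDHE/DHE + AEAD and is the stricter
  # choice if legacy client support is not required. Confirm against the
  # installed OpenSSL with `openssl ciphers -v 'HIGH'`.
  ssl.cipher-list = "HIGH"
  # Mitigate CVE-2009-3555 by disabling client triggered renegotation
  # This is enabled by default.
  #
  ssl.disable-client-renegotiation = "enable"
  # HSTS (15768000 seconds = 6 months)
  # NOTE(review): "includeSubdomains; preload" commits every subdomain of
  # domain.tld to HTTPS and, once submitted to the browser preload list, is
  # hard to undo; drop "preload" until all subdomains are confirmed to serve
  # valid HTTPS.
  setenv.set-response-header = (
    "Strict-Transport-Security" => "max-age=15768000; includeSubdomains; preload",
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
  )
  # Disable SSLv2 because is insecure
  # (Newer lighttpd releases report these two ssl.use-* directives as
  # deprecated; the Protocol line below is the current way to pin versions.)
  ssl.use-sslv2 = "disable"
  # Disable SSLv3 (can break compatibility with some old browser) /cares
  ssl.use-sslv3 = "disable"
  # Disable TLS v1.0 and TLS v1.1 (leaves TLS 1.2, and TLS 1.3 where the
  # OpenSSL build supports it). Requires a lighttpd release that understands
  # ssl.openssl.ssl-conf-cmd; older releases reject the directive.
  ssl.openssl.ssl-conf-cmd = ("Protocol" => "-TLSv1.1, -TLSv1, -SSLv3")
}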
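# Enable the vhost file by symlinking it into conf-enabled. The directory
# created above is conf-hosts (hyphen); the original conf_hosts (underscore)
# produced a dangling link, so the HTTPS config was never loaded.
cd /etc/lighttpd/conf-enabled || exit 1
ln -s -- ../conf-hosts/hosts-ssl.conf .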
# Re-read the configuration without dropping in-flight connections.
# This and the restart below are the only steps in the guide prefixed with
# sudo; the apt, mkdir and ln steps earlier need root just the same.
sudo service lighttpd force-reload
# Full stop + start of the daemon. Heavier than the force-reload above and
# interrupts active connections; the guide lists both, use whichever applies.
sudo service lighttpd restart
https://www.ssllabs.com/ssltest/