Configurer HTTPS avec Letsencrypt pour Lighttp

N4T0R4 · Message par **N4T0R4** » lun. déc. 21, 2020 12:45 pm

Installation de Letsencrypt

apt update && apt install letsencrypt

Générer un certificat

Code : Tout sélectionner

certbot certonly --webroot -w /var/www/domain.tld -d domain.tld -d www.domain.tld

Générer une clé combinée

Code : Tout sélectionner

cd /etc/letsencrypt/live/domain.tld/
cat privkey.pem cert.pem > combined.pem

Configurer Lighttpd :

Code : Tout sélectionner

mkdir /etc/lighttpd/conf-hosts

Code : Tout sélectionner

nano /etc/lighttpd/conf-hosts/hosts-ssl.conf

Code : Tout sélectionner

$SERVER["socket"] == ":443" {
    protocol = "https://"

    ssl.engine = "enable"
    server.name = "domain.tld"
    server.document-root = "/var/www/"

    # Environment flag for HTTPS enabled
    #setenv.add-environment = "HTTPS" => "on"

    # pemfile is cert + privkey,
    # ca-file is the intermediate
    # chain in one file
    ssl.dh-file = "/etc/lighttpd/ssl/dh2048.pem"
    ssl.ca-file = "/etc/letsencrypt/live/domain.tld/fullchain.pem"
    ssl.pemfile = "/etc/letsencrypt/live/domain.tld/combined.pem"

    $HTTP["host"] == "domain.tld" {
        server.document-root = "/var/www/domain.tld/"
        ssl.ca-file = "/etc/letsencrypt/live/domain.tld/fullchain.pem"
        ssl.pemfile = "/etc/letsencrypt/live/domain.tld/combined.pem"
    }
    # ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`)
    ssl.ec-curve = "secp384r1"

    # Make the server prefer the order of the server side cipher suite instead of the client suite.
    # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
    # This option is enabled by default, but only used if ssl.cipher-list is set.
    #
    ssl.honor-cipher-order  = "enable"

    # Mitigate BEAST attack:
    #
    # A stricter base cipher suite. For details see:
    # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
    #
    #ssl.cipher-list = "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-CHACHA20-POLY1305 AES128+EECDH:AES128+EDH:!aNULL:!eNULL"
    ssl.cipher-list = "HIGH"

    # Mitigate CVE-2009-3555 by disabling client triggered renegotation
    # This is enabled by default.
    #
    ssl.disable-client-renegotiation = "enable"

    # HSTS (15768000 seconds = 6 months)
    setenv.set-response-header = (
            "Strict-Transport-Security" => "max-age=15768000; includeSubdomains; preload",
            "X-Frame-Options" => "DENY",
            "X-Content-Type-Options" => "nosniff"
    )

    # Disable SSLv2 because is insecure
    ssl.use-sslv2 = "disable"

    # Disable SSLv3 (can break compatibility with some old browser) /cares
    ssl.use-sslv3 = "disable"
   
    # Disable TLS v1.0 and TLS v1.1
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "-TLSv1.1, -TLSv1, -SSLv3")
}

Créer un lien symbolique pour activer la configuration

Code : Tout sélectionner

cd /etc/lighttpd/conf-enabled
ln -s ../conf_hosts/hosts-ssl.conf .

Recharger la configuration du serveur

Code : Tout sélectionner

sudo service lighttpd force-reload

ou

Code : Tout sélectionner

sudo service lighttpd restart

Serveur de test SSL

https://www.ssllabs.com/ssltest/