Snippets

Includes for the configuration files, so the same settings do not have to be written out over and over. For easier identification they are stored in /etc/lighttpd/snippets/.

example.com-certs.conf

Include that takes care of loading the Let's Encrypt certificate for each site.

example.com-certs.conf
$SERVER["socket"] == ":443" {
        ssl.engine   = "enable"

        ssl.pemfile = "/etc/dehydrated/certs/example.com/fullcert.pem"
        ssl.ca-file = "/etc/dehydrated/certs/example.com/fullchain.pem"

        #Disabled during compile time
        #ssl.use-compression = "disable"

        # Environment flag for HTTPS enabled
        setenv.add-environment = (
                "HTTPS" => "on"
        )

        # modern configuration, tweak to your needs
        # Generated by: https://mozilla.github.io/server-side-tls/ssl-config-generator/

        ssl.disable-client-renegotiation = "enable"

        # ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`)
        ssl.ec-curve = "secp384r1"

        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
}
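dehydrated writes privkey.pem and cert.pem as separate files, while lighttpd's ssl.pemfile expects the private key and the certificate in a single file. The script below is an added example (not part of the original page) of a dehydrated deploy_cert hook that assembles the fullcert.pem referenced above; it assumes dehydrated's hook calling convention (hook name, domain, key file, cert file, ...) and a systemd-managed lighttpd.

```shell
#!/bin/sh
# Added example: build the combined key+cert file for lighttpd's ssl.pemfile
# from dehydrated's output and verify the pair belongs together before the
# file lighttpd is serving gets replaced.
# Assumption: wired up as dehydrated's hook script, which is invoked as
#   hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP

# build_pemfile KEYFILE CERTFILE OUTFILE
# Returns 0 on success, 1 if an input is missing or not PEM, 2 if the key
# does not match the certificate (checked only when openssl is available).
build_pemfile() {
    key="$1"; cert="$2"; out="$3"
    grep -q 'BEGIN.*PRIVATE KEY' "$key" 2>/dev/null || return 1
    grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null || return 1
    # Compare the public keys when openssl is present: a mismatched pair
    # would make every TLS handshake fail right after the reload.
    if command -v openssl >/dev/null 2>&1; then
        kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
        [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || return 2
    fi
    # Write with owner-only permissions (the file holds the private key) and
    # replace atomically so lighttpd never reads a half-written file.
    tmp="$out.tmp.$$"
    (umask 077; cat "$key" "$cert" > "$tmp") || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# Hook entry point; other dehydrated hook names are ignored on purpose.
if [ "$1" = "deploy_cert" ]; then
    build_pemfile "$3" "$4" "/etc/dehydrated/certs/$2/fullcert.pem" || exit $?
    systemctl reload lighttpd   # assumption: lighttpd runs as a systemd service
fi
```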

http-to-https.conf

Include that redirects HTTP to HTTPS for all sites, except for the Let's Encrypt certificate validation requests.

http-to-https.conf
#Redirect all to HTTPS

#debug.log-request-handling = "enable"
#debug.log-file-not-found = "enable"

# match all unencrypted traffic ...
$HTTP["scheme"] == "http" {
        # but not the letsencrypt webroot ...
        $HTTP["url"] !~ "^/\.well-known" {
                # and redirect as described on https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps
                # capture the vhost name with a regex condition -> %0 in the redirect pattern
                # must be the innermost block around the redirect rule
                $HTTP["host"] =~ ".*" {
                        url.redirect = (
                                ".*" => "https://%0$0"
                        )
                }
        }
}

alias.url += (
        "/.well-known/" => "/var/www/dehydrated/.well-known/"
)