RogerBW's Blog

Happiness is a warm SSLLabs test 11 August 2018

I've recently set up HTTPS on the servers at work, running in parallel with HTTP. For reasons which were good at the time and are still not entirely wrong, we're using lighttpd as a front-end, and the process was less trivial than I'd have preferred.

Because of the system architecture, I wanted DNS validation, which in practice meant certbot in manual mode. OK, we can do that. But what to do with the various files it produces? It turns out that the answer is, and I put this here for anyone else who has to fight the documentation:

  • concatenate cert.pem and privkey.pem to server.pem on the server
  • copy chain.pem to the server under that name
  • put both those files in the right place, owned and readable only by root
  • then include them in the server configuration, as well as a modern cipher set (note different syntax from Apache, replacing + with - and space with colon; note also cargo-culted list with obvious inconsistency)
  • and finally, enable HSTS

The server configuration ends up looking like this:

server.modules += ( "mod_setenv" )
setenv.add-response-header = \
  ( "Strict-Transport-Security" => "max-age=15768000"  )

$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "/etc/lighttpd/server.pem"
  ssl.ca-file = "/etc/lighttpd/chain.pem"
  ssl.cipher-list = "EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:\
    EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:EECDH-aRSA-SHA384:\
    EECDH-aRSA-SHA256:EECDH-aRSA-RC4:EECDH:EDH-aRSA:RC4:\
    !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
  ssl.honor-cipher-order = "enable"
}

(Note that I don't know whether \ continuations actually work in lighttpd config - I've just put them in to make it more readable by splitting up long lines.)

and I have an A+ SSLLabs test result.


  1. Posted by Ashley R Pollard at 09:10pm on 11 August 2018

    I had to reduce the page to 67% to see all the text and side-bar.

Comments on this post are now closed. If you have particular grounds for adding a late comment, comment on a more recent post quoting the URL of this one.

Search
Archive
Tags 1920s 1930s 1940s 1950s 1960s 1970s 1980s 1990s 2000s 2010s 3d printing action advent of code aeronautics aikakirja anecdote animation anime army astronomy audio audio tech aviation base commerce battletech beer boardgaming book of the week bookmonth chain of command children chris chronicle church of no redeeming virtues cold war comedy computing contemporary cornish smuggler cosmic encounter coup covid-19 crime cthulhu eternal cycling dead of winter doctor who documentary drama driving drone ecchi economics en garde espionage essen 2015 essen 2016 essen 2017 essen 2018 essen 2019 essen 2022 essen 2023 existential risk falklands war fandom fanfic fantasy feminism film firefly first world war flash point flight simulation food garmin drive gazebo genesys geocaching geodata gin gkp gurps gurps 101 gus harpoon historical history horror hugo 2014 hugo 2015 hugo 2016 hugo 2017 hugo 2018 hugo 2019 hugo 2020 hugo 2022 hugo-nebula reread in brief avoid instrumented life javascript julian simpson julie enfield kickstarter kotlin learn to play leaving earth linux liquor lovecraftiana lua mecha men with beards mpd museum music mystery naval noir non-fiction one for the brow opera parody paul temple perl perl weekly challenge photography podcast politics postscript powers prediction privacy project woolsack pyracantha python quantum rail raku ranting raspberry pi reading reading boardgames social real life restaurant reviews romance rpg a day rpgs ruby rust scala science fiction scythe second world war security shipwreck simutrans smartphone south atlantic war squaddies stationery steampunk stuarts suburbia superheroes suspense television the resistance the weekly challenge thirsty meeples thriller tin soldier torg toys trailers travel type 26 type 31 type 45 vietnam war war wargaming weather wives and sweethearts writing about writing x-wing young adult
Special All book reviews, All film reviews
Produced by aikakirja v0.1