RogerBW's Blog

Happiness is a warm SSLLabs test
11 August 2018

I've recently set up HTTPS on the servers at work, running in parallel with HTTP. For reasons which were good at the time and are still not entirely wrong, we're using lighttpd as a front-end, and the process was less trivial than I'd have preferred.

Because of the system architecture, I wanted DNS validation, which in practice meant certbot in manual mode. OK, we can do that. But what to do with the various files it produces? It turns out that the answer is, and I put this here for anyone else who has to fight the documentation:

  • concatenate cert.pem and privkey.pem into a single server.pem on the server
  • copy chain.pem to the server under that name
  • put both files in the right place, owned by root and readable only by root (lighttpd opens them at startup, before it drops privileges to server.username, so nothing else needs to read them)
  • then include them in the server configuration, along with a modern cipher set. Note that lighttpd hands ssl.cipher-list to OpenSSL unchanged, so it takes the same cipher-string syntax as Apache's SSLCipherSuite: the parts of a multi-part alias are joined with +, and hyphenated forms such as EECDH-ECDSA-AESGCM match no OpenSSL alias and are silently skipped. The list below is cargo-culted and visibly inconsistent (it adds RC4 and then strikes it again with !RC4); what actually survives is EECDH minus the ! exclusions, which is still an acceptable set.
  • and finally, enable HSTS

The server configuration ends up looking like this:

server.modules += ( "mod_setenv" )
setenv.add-response-header = \
  ( "Strict-Transport-Security" => "max-age=15768000"  )

$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "/etc/lighttpd/server.pem"
  ssl.ca-file = "/etc/lighttpd/chain.pem"
  ssl.cipher-list = "EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:\
    EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:EECDH-aRSA-SHA384:\
    EECDH-aRSA-SHA256:EECDH-aRSA-RC4:EECDH:EDH-aRSA:RC4:\
    !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
  ssl.honor-cipher-order = "enable"
}

(Note that I don't know whether \ continuations actually work in lighttpd config - I've just put them in to make it more readable by splitting up long lines.)

and I have an A+ SSLLabs test result.
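The whole procedure above, from certbot's output to the lighttpd block, as one runnable script. This is an added example and not the post author's own tooling: the certbot live directory, the /etc/lighttpd and conf-enabled/10-tls.conf paths, the sample PEM content and the function names are assumptions. Because lighttpd passes ssl.cipher-list to OpenSSL unchanged, the cipher string is written in OpenSSL's own + syntax with the RC4 and hyphenated entries from the list above dropped, the HSTS header is confined to the TLS listener, and a certificate-matches-key check runs before anything is deployed.

```shell
#!/bin/sh
# Added example, not the post author's script. Turns certbot's output into the two
# files lighttpd wants, checks that the key really belongs to the certificate, and
# writes a matching TLS fragment. All paths (the certbot live directory, /etc/lighttpd,
# conf-enabled/10-tls.conf) are assumptions; adjust them to your layout.

# Build server.pem (certificate followed by private key) and chain.pem in $dest
# from certbot's live directory $live. Files are created root-only from the start.
install_certbot_files() {
    live="$1"
    dest="$2"
    (
        umask 077
        cat "$live/cert.pem" "$live/privkey.pem" > "$dest/server.pem"
        cp "$live/chain.pem" "$dest/chain.pem"
    )
    # chain.pem may have existed with looser permissions; normalise both files.
    chmod 0600 "$dest/server.pem" "$dest/chain.pem"
    # lighttpd opens these at startup before dropping privileges, so root-only is fine.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dest/server.pem" "$dest/chain.pem"
    fi
}

# Refuse to ship a server.pem whose certificate and key do not belong together,
# the classic failure when a renewal copies only one of the two. Compares the
# public key embedded in the certificate with the one derived from the private key.
key_matches_cert() {
    pem="$1"
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Write the lighttpd TLS fragment for the files in $dest to $out. Every directive is
# kept on one line so nothing depends on how lighttpd treats line continuations.
write_tls_conf() {
    dest="$1"
    out="$2"
    cat > "$out" <<EOF
server.modules += ( "mod_setenv" )

\$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "$dest/server.pem"
  ssl.ca-file = "$dest/chain.pem"
  # Plain OpenSSL cipher-string syntax: + joins alias parts, ! removes for good.
  ssl.cipher-list = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
  ssl.honor-cipher-order = "enable"
  # HSTS belongs on the TLS listener only; six months is at or above the SSL Labs A+ minimum.
  setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000" )
}
EOF
}

# Usage: sh deploy-lighttpd-tls.sh /etc/letsencrypt/live/www.example.com /etc/lighttpd
if [ "$#" -eq 2 ]; then
    install_certbot_files "$1" "$2"
    key_matches_cert "$2/server.pem" || { echo "server.pem: certificate and key do not match" >&2; exit 1; }
    write_tls_conf "$2" "$2/conf-enabled/10-tls.conf"
    echo "deployed; run 'lighttpd -t -f /etc/lighttpd/lighttpd.conf' and then reload"
fi
```

Run it as root with the live directory and the lighttpd directory as arguments, then test the configuration with lighttpd -t before reloading. Two caveats a practitioner will hit later: certbot's manual DNS mode does not renew itself, so the 90-day expiry needs either a calendar entry or a --manual-auth-hook script that updates the DNS record; and lighttpd 1.4.56 and later also accept ssl.privkey, in which case fullchain.pem and privkey.pem can be referenced directly and the concatenation step disappears.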


  1. Posted by Ashley R Pollard at 09:10pm on 11 August 2018

    I had to reduce the page to 67% to see all the text and side-bar.

