Setting up https on lighttpd
Dan Bikle -- http://bikle.com -- 2009-07-29

I just finished setting up https on lighttpd. I wrote some notes and captured some screenshots along the way. I started with a google of "lighttpd https" and found this page: http://redmine.lighttpd.net/wiki/lighttpd/Docs:SSL

I read the page and then took the next obvious step to see if my copy of lighttpd had ssl linked in:
[bikle@ion ~]$ /l/sbin/lighttpd -v
lighttpd-1.4.20 - a light and fast webserver
Build-Date: Dec 20 2008 00:26:02
Darn. I see that ssl is not linked in: the version banner would say "(ssl)" after the version number if it were.
I looked to see if I had ssl on my Linux box:
[bikle@ion ~]$ yum list installed openssl
Loading "fastestmirror" plugin
Loading mirror speeds from cached hostfile
* base: mirrors.cmich.edu
* updates: mirror.fdcservers.net
* addons: mirrors.cmich.edu
* extras: mirror.fdcservers.net
Excluding Packages in global exclude list
Finished
Installed Packages
openssl.i686 0.9.8b-10.el5 installed
[bikle@ion w]$ ll /usr/lib/*ssl*
lrwxrwxrwx 1 root root 27 Nov 4 2008 /usr/lib/libgnutls-openssl.so.13 -> libgnutls-openssl.so.13.0.6*
-rwxr-xr-x 1 root root 99068 May 21 2008 /usr/lib/libgnutls-openssl.so.13.0.6*
-rwxr-xr-x 1 root root 205084 Sep 24 2008 /usr/lib/libssl3.so*
-rw-r--r-- 1 root root 441236 May 25 2008 /usr/lib/libssl.a
lrwxrwxrwx 1 root root 26 Nov 7 2008 /usr/lib/libssl.so -> ../../lib/libssl.so.0.9.8b*
/usr/lib/openssl:
total 44
drwxr-xr-x 3 root root 4096 Jun 14 2008 ./
drwxr-xr-x 64 root root 24576 Jun 23 15:48 ../
drwxr-xr-x 2 root root 4096 Nov 7 2008 engines/
That looked good.
Then I decided to install my ssl-enabled lighttpd in an easy-to-find place:
[root@ion w]# mkdir /home/lssl/
[root@ion w]# chown bikle /home/lssl/
[root@ion w]# cd /
[root@ion /]# ln -s /home/lssl .
Next, I found my lighttpd source code and linked it with ssl:
[bikle@ion software]$ mkdir lighttpd-1.4.20-ssl
[bikle@ion software]$ cd lighttpd-1.4.20-ssl/
[bikle@ion lighttpd-1.4.20-ssl]$ tar jxf ../lighttpd-1.4.20.tar.bz2
[bikle@ion lighttpd-1.4.20-ssl]$ ls -la
total 12
drwxr-xr-x 3 bikle dba 4096 Jul 29 05:28 ./
drwxr-xr-x 10 bikle dba 4096 Jul 29 05:28 ../
drwxr-xr-x 7 bikle dba 4096 Sep 29 2008 lighttpd-1.4.20/
[bikle@ion lighttpd-1.4.20-ssl]$ cd lighttpd-1.4.20/
[bikle@ion lighttpd-1.4.20]$ ./configure --prefix=/lssl --with-openssl --with-openssl-libs=/usr/lib
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
snip...
checking for bzip2 support... yes
checking for BZ2_bzCompress in -lbz2... no
configure: error: bzip2-headers and/or libs where not found, install them or build with --without-bzip2
The configure step failed because the bzip2 headers were not installed, so I went back up a directory, started again from a fresh copy of the source, and passed --without-bzip2:
[bikle@ion lighttpd-1.4.20-ssl]$ rm -rf lighttpd-1.4.20/
[bikle@ion lighttpd-1.4.20-ssl]$ tar jxf ../lighttpd-1.4.20.tar.bz2
[bikle@ion lighttpd-1.4.20-ssl]$ cd lighttpd-1.4.20/
[bikle@ion lighttpd-1.4.20]$ ./configure --prefix=/lssl --with-openssl --with-openssl-libs=/usr/lib --without-bzip2
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
snip...
config.status: creating openwrt/control
config.status: creating openwrt/lighttpd.mk
config.status: creating config.h
config.status: executing depfiles commands
Plugins:
enabled:
mod_access
mod_accesslog
mod_alias
mod_auth
mod_cgi
mod_compress
mod_dirlisting
mod_evhost
mod_expire
mod_extforward
mod_fastcgi
mod_flv_streaming
mod_indexfiles
mod_proxy
mod_redirect
mod_rewrite
mod_rrdtool
mod_scgi
mod_secdownload
mod_setenv
mod_simple_vhost
mod_ssi
mod_staticfile
mod_status
mod_trigger_b4_dl
mod_userdir
mod_usertrack
mod_webdav
disabled:
mod_cml
mod_magnet
mod_mysql_vhost
Features:
enabled:
auth-crypt
compress-deflate
compress-gzip
large-files
network-ipv6
network-openssl
regex-conditionals
disabled:
auth-ldap
compress-bzip2
stat-cache-fam
storage-gdbm
storage-memcache
webdav-locks
webdav-properties
[bikle@ion lighttpd-1.4.20]$ make
make all-recursive
make[1]: Entering directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20'
Making all in src
make[2]: Entering directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20/src'
gcc -DHAVE_CONFIG_H -DLIBRARY_DIR="\"/lssl/lib\"" -DSBIN_DIR="\"/lssl/sbin\"" -I. -I.. -D_REENTRANT -D__EXTENSIONS__ -DOPENSSL_NO_KRB5 -I/usr/local/in\
clude -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGE_FILES -g -O2 -Wall -W -Wshadow -pedantic -std=gnu99 -MT lemon.o -MD -MP -MF .deps/lemon.Tpo -\
c -o lemon.o lemon.c
snip....
make[2]: Entering directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20'
make[2]: Nothing to be done for `all-am'.
make[2]: Leaving directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20'
make[1]: Leaving directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20'
[bikle@ion lighttpd-1.4.20]$ make install
Making install in src
make[1]: Entering directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20/src'
make install-am
make[2]: Entering directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20/src'
make[3]: Entering directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20/src'
test -z "/lssl/lib" || /bin/mkdir -p "/lssl/lib"
/bin/sh ../libtool --mode=install /usr/bin/install -c 'mod_flv_streaming.la' '/lssl/lib/mod_flv_streaming.la'
/usr/bin/install -c .libs/mod_flv_streaming.so /lssl/lib/mod_flv_streaming.so
/usr/bin/install -c .libs/mod_flv_streaming.lai /lssl/lib/mod_flv_streaming.la
PATH="$PATH:/sbin" ldconfig -n /lssl/lib
----------------------------------------------------------------------
Libraries have been installed in:
/lssl/lib
snip...
make[1]: Leaving directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20/openwrt'
make[1]: Entering directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20'
make[2]: Entering directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20'
make[1]: Leaving directory `/home/bikle/software/lighttpd-1.4.20-ssl/lighttpd-1.4.20'
[bikle@ion lighttpd-1.4.20]$ /lssl/sbin/lighttpd -v
lighttpd-1.4.20 (ssl) - a light and fast webserver
Build-Date: Jul 29 2009 05:38:24
That looks good!
Next, I created a "pem" file. Because -keyout and -out name the same file, it holds both the private key and the self-signed certificate, which is what lighttpd expects to read from the single file named by ssl.pemfile:
[bikle@ion lighttpd-1.4.20-ssl]$ which openssl
/usr/bin/openssl
[bikle@ion lighttpd-1.4.20-ssl]$ openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
Generating a 1024 bit RSA private key
........++++++
.........................................++++++
writing new private key to 'server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:NV
Locality Name (eg, city) [Newbury]:LASVEGAS
Organization Name (eg, company) [My Company Ltd]:BIKLE.COM
Organizational Unit Name (eg, section) []:DanBikle
Common Name (eg, your name or your server's hostname) []:forumgrouper.com
Email Address []:support@forumgrouper.com
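The same certificate produced without the interactive prompts and then checked before it is handed to lighttpd, as an added example that is not part of the original post. It assumes the openssl command line tool is on PATH; the DN values are the ones typed above, while the output path and the 2048-bit key size are choices made here.

```shell
#!/bin/sh
# Added example (not from the post): build the single key+certificate file
# that lighttpd's ssl.pemfile expects, then check it before using it.
# Assumes the openssl CLI is on PATH. DN values are the ones typed in the
# post; the output path and the 2048-bit key size are choices made here.
set -e
PEM="${PEM:-${TMPDIR:-/tmp}/server.pem}"
SUBJ="/C=US/ST=NV/L=LASVEGAS/O=BIKLE.COM/OU=DanBikle/CN=forumgrouper.com/emailAddress=support@forumgrouper.com"

# Same shape as the post's command: key and certificate in ONE file, valid
# 365 days, -nodes so the key is unencrypted and lighttpd starts unattended.
# -subj replaces the interactive prompts; the umask creates the file 0600
# because it holds the private key.
make_pem() {
    rm -f "$PEM"
    ( umask 077 && openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "$SUBJ" -keyout "$PEM" -out "$PEM" )
}

# lighttpd needs BOTH blocks in ssl.pemfile; true only if both are present.
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$PEM" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$PEM"
}

# Subject CN: what the browser compares with the hostname in the URL.
pem_cn() {
    openssl x509 -in "$PEM" -noout -subject | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# RSA modulus size in bits (the post's default was 1024).
pem_key_bits() {
    openssl x509 -in "$PEM" -noout -text | sed -n 's/.*Public.Key: (\([0-9]*\) bit).*/\1/p'
}

# True if the certificate stays valid for at least $1 more days.
pem_valid_for_days() {
    openssl x509 -in "$PEM" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Octal mode of the file; should be 600 so only the owner can read the key.
pem_mode() {
    stat -c '%a' "$PEM" 2>/dev/null || stat -f '%Lp' "$PEM"
}

make_pem
pem_has_key_and_cert
echo "$PEM: CN=$(pem_cn), $(pem_key_bits)-bit key, mode $(pem_mode)"
```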
Next, I created a lighttpd.conf file:
[bikle@ion w]$ cat lighttpd_ion_fg12_ssl.conf
#
######## ######## ######## ######## ######## ########
# lighttpd_ion_fg12_ssl.conf
ssl.engine = "enable"
ssl.pemfile = "/lssl/server.pem"
server.name = "forumgrouper.com"
## change uid to (default: don't care)
# uncomment line below if we are on server.port = 443
server.username = "bikle"
server.port = 443
# server.port = 3443
## change uid to (default: don't care)
server.groupname = "dba"
server.bind = "204.13.55.55"
server.modules = ( "mod_rewrite", "mod_accesslog", "mod_fastcgi", "mod_compress", "mod_expire" )
server.error-handler-404 = "/dispatch.fcgi"
fg = "/pt/w/fg/fg12"
server.pid-file = fg + "/tmp/pids/lighttpd_ssl.pid"
server.document-root = fg + "/public/"
server.errorlog = fg + "/log/lighttpd_ssl.error.log"
accesslog.filename = fg + "/log/lighttpd_ssl.access.log"
url.rewrite = ( "^/$" => "index.html", "^([^.]+)$" => "$1.html" )
compress.filetype = ( "text/plain", "text/html", "text/css", "text/javascript" )
compress.cache-dir = fg + "/tmp/cache"
expire.url = ( "/favicon.ico" => "access 3 days",
               "/images/" => "access 3 days",
               "/stylesheets/" => "access 3 days",
               "/javascripts/" => "access 3 days" )
# Change *-procs to 2 if you need to use Upload Progress or other tasks that
# *need* to execute a second request while the first is still pending.
fastcgi.server = ( ".fcgi" => ( "localhost" => (
    "min-procs" => 1,
    "max-procs" => 1,
    "socket" => fg + "/tmp/sockets/fcgi.socket",
    "bin-path" => fg + "/public/dispatch.fcgi",
    "bin-environment" => ( "RAILS_ENV" => "production" )
) ) )
mimetype.assign = (
    ".css" => "text/css",
    ".gif" => "image/gif",
    ".htm" => "text/html",
    ".html" => "text/html",
    ".jpeg" => "image/jpeg",
    ".jpg" => "image/jpeg",
    ".js" => "text/javascript",
    ".png" => "image/png",
    ".swf" => "application/x-shockwave-flash",
    ".txt" => "text/plain"
)
######## ######## ######## ######## ######## ########
Then, I started lighttpd:
[root@ion /]# /lssl/sbin/lighttpd -f /pt/w/lighttpd_ion_fg12_ssl.conf
[root@ion /]# Starting Lighttpd
I have openssl installed on my Mac, so I tried a shell command there:
Wed Jul 29 12:47 ~/pt/webprops maco$ openssl s_client -connect forumgrouper.com:443
CONNECTED(00000006)
depth=0 /C=US/ST=NV/L=LASVEGAS/O=BIKLE.COM/OU=DanBikle/CN=forumgrouper.com/emailAddress=support@forumgrouper.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NV/L=LASVEGAS/O=BIKLE.COM/OU=DanBikle/CN=forumgrouper.com/emailAddress=support@forumgrouper.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=NV/L=LASVEGAS/O=BIKLE.COM/OU=DanBikle/CN=forumgrouper.com/emailAddress=support@forumgrouper.com
i:/C=US/ST=NV/L=LASVEGAS/O=BIKLE.COM/OU=DanBikle/CN=forumgrouper.com/emailAddress=support@forumgrouper.com
---
Server certificate
-----BEGIN CERTIFICATE-----
snip...
-----END CERTIFICATE-----
subject=/C=US/ST=NV/L=LASVEGAS/O=BIKLE.COM/OU=DanBikle/CN=forumgrouper.com/emailAddress=support@forumgrouper.com
issuer=/C=US/ST=NV/L=LASVEGAS/O=BIKLE.COM/OU=DanBikle/CN=forumgrouper.com/emailAddress=support@forumgrouper.com
---
No client certificate CA names sent
---
SSL handshake has read 1112 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 39803AFEC9FE7B168ED428E843F1E22997CFECFF77A7F880FF641C2B6AD29E32
Session-ID-ctx:
Master-Key: 276889D5C9F5E4991A7F9CF37D23F46AE75A8C558D91B5B5CCFCEBFB3070C7614B388F8B7CB36BB35B7B7FF91A2C3952
Key-Arg : None
Start Time: 1248896831
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
That looked good.
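Scripting the check the author did by eye on the s_client output, as an added example that is not part of the original post. The sample text is constructed from the transcript above with the certificate body left out; in use, pipe in the real output of `openssl s_client -connect forumgrouper.com:443 </dev/null 2>&1` instead.

```shell
#!/bin/sh
# Added example (not from the post): pull the facts the post checks by eye
# out of `openssl s_client` output. SAMPLE is constructed from the post's
# transcript (certificate body omitted); real output is read from stdin.
set -e

SAMPLE='CONNECTED(00000006)
depth=0 /C=US/ST=NV/L=LASVEGAS/O=BIKLE.COM/OU=DanBikle/CN=forumgrouper.com/emailAddress=support@forumgrouper.com
verify error:num=18:self signed certificate
verify return:1
---
subject=/C=US/ST=NV/L=LASVEGAS/O=BIKLE.COM/OU=DanBikle/CN=forumgrouper.com/emailAddress=support@forumgrouper.com
issuer=/C=US/ST=NV/L=LASVEGAS/O=BIKLE.COM/OU=DanBikle/CN=forumgrouper.com/emailAddress=support@forumgrouper.com
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
    Verify return code: 18 (self signed certificate)'

# Each filter reads s_client output on stdin and prints one value.
verify_code() { sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p'; }
cipher_name() { sed -n 's/^New, .*Cipher is \(.*\)$/\1/p'; }
key_bits()    { sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p'; }
subject_dn()  { sed -n 's/^subject=//p'; }
issuer_dn()   { sed -n 's/^issuer=//p'; }
dn_cn()       { sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'; }

# True when the certificate is self-signed: s_client reports verify code 18,
# and subject == issuer is the independent confirmation (a CA-issued
# certificate names the CA as issuer).
is_self_signed() {
    buf=$(cat)
    [ "$(printf '%s\n' "$buf" | verify_code)" = "18" ] ||
    [ "$(printf '%s\n' "$buf" | subject_dn)" = "$(printf '%s\n' "$buf" | issuer_dn)" ]
}

# True when the subject CN equals the host connected to ($1); the browser
# warnings in the post are about trust, not a name mismatch.
cn_matches() { [ "$(subject_dn | dn_cn)" = "$1" ]; }

# One-line summary of a capture for host $1.
report() {
    buf=$(cat)
    cn=no; printf '%s\n' "$buf" | cn_matches "$1" && cn=yes
    ss=no; printf '%s\n' "$buf" | is_self_signed && ss=yes
    echo "cipher=$(printf '%s\n' "$buf" | cipher_name)" \
         "key=$(printf '%s\n' "$buf" | key_bits)bit cn_ok=$cn self_signed=$ss"
}

printf '%s\n' "$SAMPLE" | report forumgrouper.com
```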
Next, I tried this URL via Firefox:
https://forumgrouper.com
Firefox complained about the self-signed certificate but did allow me to connect after I signalled that I trusted https://forumgrouper.com.
Here are some screenshots of how Opera reacted to the site:
After I press the approve button, Opera allows me to connect: