
Web Server Configuration

1.   Lighttpd
1.1   PHP5
1.2   CGI
1.3   Authentication
1.4   Minor Security Tweaks
1.5   Compression
1.6   Virtual Hosts
1.7   SSL
1.8   Log Rotation

Lighttpd

If you are using the Debian Etch Backports, install as follows...

 aptitude -t etch-backports install lighttpd

...or do this.

 aptitude install lighttpd

Now direct your browser to http://www.yourserver.com, and you should see the Lighttpd placeholder page, which includes the following useful information.

PHP5

We can make PHP5 work in Lighttpd through FastCGI. Fortunately, Debian provides a FastCGI-enabled PHP5 package.

 aptitude install php5-cgi php5-mysql

Configuring Lighttpd And PHP5

If you want to use PATH_INFO and PHP_SELF in your PHP scripts, you have to update the PHP configuration as follows...

 echo "cgi.fix_pathinfo = 1" > /etc/php5/cgi/conf.d/cgi.ini

Now we must enable FastCGI and PHP.

 lighty-enable-mod fastcgi

Change all instances of php4 to php5. This may not be required if you are using the lighttpd package from Debian backports or the Ubuntu packages.

 nano /etc/lighttpd/conf-enabled/10-fastcgi.conf

Reload lighttpd.

 /etc/init.d/lighttpd force-reload

lighty is now PHP5 enabled :-) You can test it by creating a simple PHP program...

 echo "<?php phpinfo(); ?>" > /var/www/info.php

...and opening it in your browser: http://www.yourserver.com/info.php. Remove info.php once you have finished testing, as phpinfo() reveals configuration details to anyone who can reach it.

Other PHP5 Modules

To find the other available PHP5 modules, do the following...

 aptitude search php5

You should only install the PHP5 modules your web applications actually need, to keep resource requirements low and reduce vulnerability exposure.

References

CGI

I use CGI; this wiki is a CGI script. Enabling CGI in Lighty is simple enough.

 lighty-enable-mod cgi
 /etc/init.d/lighttpd force-reload

I limit CGI use per virtual host; see the Virtual Hosts section below for more details.

References

Authentication

First, enable the authentication module.

 lighty-enable-mod auth
 /etc/init.d/lighttpd force-reload

Then I simply use the 'lighty-digest.sh' script, taken from the reference URL below, to manage my lighttpd user/password list. See the VirtualHostessSVN.
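The following is an added example of what such a password-file helper does; it is not the lighty-digest.sh script the reference points to. It assumes lighttpd's htdigest backend, a realm named Lighttpd and the file path /etc/lighttpd/htdigest (all placeholders). Each entry is user:realm:MD5("user:realm:password"), which is the format mod_auth reads for that backend, so the realm in the file must match the realm in auth.require.

```shell
#!/bin/sh
# Added example, not the lighty-digest.sh script the page refers to: maintain a
# password file for lighttpd's htdigest backend. Each entry has the form
#     user:realm:MD5("user:realm:password")
# Assumed matching configuration (paths and realm are placeholders):
#     auth.backend                   = "htdigest"
#     auth.backend.htdigest.userfile = "/etc/lighttpd/htdigest"
#     auth.require = ( "/admin/" => ( "method"  => "digest",
#                                     "realm"   => "Lighttpd",
#                                     "require" => "valid-user" ) )

# Print one htdigest entry; fails if user or realm would break the format.
htdigest_line() {
    user="$1" realm="$2" pass="$3"
    if [ -z "$user" ] || [ -z "$realm" ]; then
        echo "user and realm must not be empty" >&2; return 1
    fi
    case "$user$realm" in
        *:*) echo "user and realm must not contain ':'" >&2; return 1 ;;
    esac
    hash="$(printf '%s:%s:%s' "$user" "$realm" "$pass" | md5sum | cut -d' ' -f1)"
    printf '%s:%s:%s\n' "$user" "$realm" "$hash"
}

# Add or replace one user within a realm. The file is rewritten via a temporary
# copy and kept at mode 640: lighttpd runs as www-data and needs group read,
# nobody else should be able to read the hashes.
htdigest_set() {
    file="$1" user="$2" realm="$3" pass="$4"
    line="$(htdigest_line "$user" "$realm" "$pass")" || return 1
    tmp="$file.tmp.$$"
    {
        if [ -f "$file" ]; then
            awk -F: -v u="$user" -v r="$realm" '!($1 == u && $2 == r)' "$file"
        fi
        printf '%s\n' "$line"
    } > "$tmp"
    chmod 640 "$tmp"
    mv "$tmp" "$file"
}

# Remove one user from a realm (no-op if the file does not exist yet).
htdigest_del() {
    file="$1" user="$2" realm="$3"
    [ -f "$file" ] || return 0
    tmp="$file.tmp.$$"
    awk -F: -v u="$user" -v r="$realm" '!($1 == u && $2 == r)' "$file" > "$tmp"
    chmod 640 "$tmp"
    mv "$tmp" "$file"
}

# Usage: lighty-digest-example.sh FILE USER REALM PASSWORD
if [ $# -eq 4 ]; then
    htdigest_set "$1" "$2" "$3" "$4"
fi
```

Because the hash covers the realm, renaming the realm in auth.require invalidates every existing entry. Passing the password as an argument makes it visible in process listings; in interactive use, read it with `read -r` instead.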

References

Minor Security Tweaks

Prevent Directory Listing

 nano /etc/lighttpd/lighttpd.conf

Find...

 server.dir-listing          = "enable"

...and change it to...

 server.dir-listing          = "disable"

Hide lighttpd version

 nano /etc/lighttpd/lighttpd.conf

Add the following...

 server.tag = "lighttpd"
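As an added example, not part of the original page: a small read-only audit script that checks a lighttpd.conf for the two tweaks above (directory listing disabled, version string hidden) and also for the mode 640 that the SSL section below sets on the combined key/certificate file. The option names it reads are the ones used on this page; the script itself and its file layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): audit a lighttpd.conf for the two tweaks
# above (dir-listing off, version hidden) plus the file mode the SSL section
# sets on the pem file (640, not world-readable). Prints one "finding:" line
# per problem and returns 1 if there were any, 0 if the config is clean.

# Effective value of a string option: the last uncommented assignment wins,
# so a later "disable" overrides an earlier "enable", as in lighttpd itself.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

audit_lighttpd_conf() {
    conf="$1"
    findings=0

    if [ "$(conf_value "$conf" 'server\.dir-listing')" = "enable" ]; then
        echo "finding: directory listing is enabled (server.dir-listing)"
        findings=$((findings + 1))
    fi

    # The default tag is "lighttpd/<version>": an unset tag falls back to the
    # default, and any tag containing "/" is treated as still leaking a version.
    tag="$(conf_value "$conf" 'server\.tag')"
    case "$tag" in
        ''|*/*) echo "finding: server.tag unset or reveals version (\"$tag\")"
                findings=$((findings + 1)) ;;
    esac

    # The combined key+certificate file must not be readable by "other".
    pem="$(conf_value "$conf" 'ssl\.pemfile')"
    if [ -n "$pem" ] && [ -f "$pem" ]; then
        # character 8 of "ls -l" output is the other-read bit
        if [ "$(ls -l "$pem" | cut -c8)" = "r" ]; then
            echo "finding: $pem is world-readable, expected mode 640"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Usage: audit-lighttpd.sh /etc/lighttpd/lighttpd.conf
if [ $# -gt 0 ]; then
    audit_lighttpd_conf "$1"
fi
```

Run it after every configuration change, or from cron, so a tweak that is accidentally reverted by a package upgrade shows up as a finding rather than in the server's response headers.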

References

Compression

Output compression reduces the network load and can improve the overall throughput of the webserver. All major HTTP clients support compression by announcing it in the Accept-Encoding header, which is used to negotiate the most suitable compression method. lighty supports deflate, gzip and bzip2; compression is currently limited to static files only.

mod_compress can also store compressed files on disk so that additional requests for the same file are served from the cache instead of being compressed again. As soon as compress.cache-dir is set, the compressed copies are written there.

You will need to create the cache directory if it doesn't already exist. The web server will not do this for you. The directory will also need the proper ownership.

 mkdir -p /var/cache/lighttpd/compress/
 chown www-data:www-data /var/cache/lighttpd/compress/

The names of the cache files are made of the filename, the compression method and the etag associated with the file. Cleaning the cache is left to the user. A cron job deleting files older than 10 days could do it:

 nano /etc/cron.daily/lighttpd-maint

 #!/bin/sh
 find /var/cache/lighttpd/compress/ -type f -mtime +10 | xargs -r rm
 find /home/virtual/*/var/cache/compress/ -type f -mtime +10 | xargs -r rm

Now enable the module in the main lighttpd configuration.

 nano /etc/lighttpd/lighttpd.conf

Uncomment the following line...

 "mod_compress",

...then find these two lines and uncomment them as well.

 compress.cache-dir          = "/var/cache/lighttpd/compress/"
 compress.filetype           = ("text/plain", "text/html", "application/x-javascript", "text/css")

Save, exit and reload lighttpd configuration.

 /etc/init.d/lighttpd force-reload

PHP dynamic content compression

NOTE! Enabling dynamic content compression can cause minor compatibility issues with some web applications.

If you want to compress dynamic content generated by PHP, enable it in PHP itself, since PHP provides its own output compression.

 echo "zlib.output_compression = On" > /etc/php5/cgi/conf.d/zlib.ini

Reload lighttpd configuration.

 /etc/init.d/lighttpd force-reload

Test that the static index.html and info.php (that we created earlier) both report compressed status when using the following testing tool.
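The testing tool itself is not named on this page. As an added example (not the page's tool and not part of the original), here is a small shell check that requests a URL with Accept-Encoding announced, the way a browser does, and reports the Content-Encoding the server answered with. The URLs are assumptions; the header parser is separated from the fetch so it can be exercised on a captured response.

```shell
#!/bin/sh
# Added example (not the page's testing tool): report whether a URL is served
# compressed. fetch_headers does a GET with gzip/deflate announced and prints
# only the response headers; compression_of reads a header block from stdin
# and prints the Content-Encoding value, or "none" when the header is absent.

fetch_headers() {
    # -s silent, -o /dev/null discards the body, -D - dumps headers to stdout
    curl -s -o /dev/null -D - -H 'Accept-Encoding: gzip, deflate' "$1"
}

compression_of() {
    # strip CRs first so the value does not carry a trailing \r;
    # the last Content-Encoding header wins if several are present
    enc="$(tr -d '\r' | sed -n 's/^[Cc]ontent-[Ee]ncoding:[[:space:]]*//p' | tail -n 1)"
    if [ -n "$enc" ]; then
        echo "$enc"
    else
        echo "none"
    fi
}

# Usage: check-compress.sh http://www.yourserver.com/index.html \
#                          http://www.yourserver.com/info.php
if [ $# -gt 0 ]; then
    for url in "$@"; do
        printf '%s: %s\n' "$url" "$(fetch_headers "$url" | compression_of)"
    done
fi
```

index.html should report the encoding chosen by mod_compress, and info.php the one applied by PHP's zlib.output_compression; "none" for either means the corresponding step above did not take effect.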

References

Virtual Hosts

We can make good use of the file inclusion features in lighttpd to ease virtual host (vhost) configuration. I created a simple shell script to simplify adding new vhost configurations.

Adding a Virtual Host Configuration

To add a new vhost configuration, simply run the create-lighty-vhost.sh script. The optional 'cgi' parameter shown below enables cgi-bin for the vhost.

 create-lighty-vhost.sh www.yourserver.com [--cgi]
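The create-lighty-vhost.sh script itself is not reproduced on this page. What follows is an added stand-in, not the author's script, showing the shape such a generator takes and how CGI is confined to a single vhost (the per-vhost limit mentioned in the CGI section). It assumes the /home/virtual/<host>/ layout that the compression and log-rotation sections use, writes the 20-<host>.vhost.conf fragment into conf-available, and relies on mod_alias and mod_accesslog being enabled; the interpreter paths in cgi.assign are assumptions as well.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the create-lighty-vhost.sh script the
# page mentions but does not show. Assumed layout: each vhost lives under
# /home/virtual/<host>/ with htdocs/, cgi-bin/ and var/log/ (the paths used in
# the compression and log-rotation sections). CGI is switched on only for
# vhosts created with --cgi, and only for URLs under /cgi-bin/.

CONF_AVAILABLE="${CONF_AVAILABLE:-/etc/lighttpd/conf-available}"
VHOST_BASE="${VHOST_BASE:-/home/virtual}"

# Print the configuration fragment for one vhost to stdout.
gen_vhost_conf() {
    host="$1"; cgi="${2:-}"
    root="$VHOST_BASE/$host"
    printf '$HTTP["host"] == "%s" {\n' "$host"
    printf '    server.document-root = "%s/htdocs/"\n' "$root"
    printf '    accesslog.filename   = "%s/var/log/access.log"\n' "$root"
    printf '    server.dir-listing   = "disable"\n'
    if [ "$cgi" = "--cgi" ]; then
        # mod_cgi is loaded globally by lighty-enable-mod cgi; this nested
        # block limits what it may execute for this vhost to /cgi-bin/ only.
        printf '    $HTTP["url"] =~ "^/cgi-bin/" {\n'
        printf '        alias.url  = ( "/cgi-bin/" => "%s/cgi-bin/" )\n' "$root"
        printf '        cgi.assign = ( ".cgi" => "", ".pl" => "/usr/bin/perl" )\n'
        printf '    }\n'
    fi
    printf '}\n'
}

# Write the fragment to conf-available and create the vhost directories.
# Returns 1 (and writes nothing) unless the host name is a plain DNS name,
# since it is spliced into both a file name and a config string.
create_vhost() {
    host="$1"; cgi="${2:-}"
    case "$host" in
        ''|*[!A-Za-z0-9.-]*|-*|.*) echo "bad host name: $host" >&2; return 1 ;;
    esac
    root="$VHOST_BASE/$host"
    mkdir -p "$root/htdocs" "$root/var/log"
    if [ "$cgi" = "--cgi" ]; then
        mkdir -p "$root/cgi-bin"
    fi
    gen_vhost_conf "$host" "$cgi" > "$CONF_AVAILABLE/20-$host.vhost.conf"
}

# Usage: create-lighty-vhost.sh www.yourserver.com [--cgi]
if [ $# -gt 0 ]; then
    create_vhost "$@"
fi
```

Keeping cgi.assign inside the vhost's own /cgi-bin/ condition means a script uploaded to htdocs/ of that or any other vhost is served as a static file rather than executed.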

Enabling a Virtual Host Configuration

To enable the vhost configuration you just created...

 ln -s /etc/lighttpd/conf-available/20-www.yourserver.com.vhost.conf /etc/lighttpd/conf-enabled/

...and reload Lighty.

 /etc/init.d/lighttpd force-reload

References

SSL

 aptitude install ssl-cert ca-certificates
 lighty-enable-mod ssl
 cat /etc/ssl/private/example_privatekey.pem /etc/ssl/certs/example_certificate.pem > /etc/ssl/private/example_lighttpd.pem
 chgrp www-data /etc/ssl/private/example_lighttpd.pem
 chmod 640 /etc/ssl/private/example_lighttpd.pem
 /etc/init.d/lighttpd restart

I use CAcert for creating my SSL certificates, and my /etc/lighttpd/conf-available/10-ssl.conf looks something like this.

 ## lighttpd support for SSLv2 and SSLv3
 ##
 ## Documentation: /usr/share/doc/lighttpd-doc/ssl.txt
 ##                http://www.lighttpd.net/documentation/ssl.html

 #### SSL engine
 $SERVER["socket"] == "0.0.0.0:443" {
     ssl.engine  = "enable"
     ssl.ca-file = "/usr/share/ca-certificates/cacert.org/root.crt"
     ssl.pemfile = "/etc/ssl/private/example_lighttpd.pem"
 }

References

Log Rotation

I update the log rotation script for lighttpd so it also rotates the logs in my virtual hosts.

 nano /etc/logrotate.d/lighttpd

Find...

 /var/log/lighttpd/*.log {

...and replace it with...

 /var/log/lighttpd/*.log  /home/virtual/*/var/log/access.log {

$Id: WebServer,v 1.25 2009/02/14 11:16:41 martin Exp $
