author | mischa <mischa@rx.high5.nl> | 2019-03-23 13:21:03 +0100 |
---|---|---|
committer | mischa <mischa@rx.high5.nl> | 2019-03-23 13:21:03 +0100 |
commit | e69e1be0e4a10e94737293a7acf7c60a941a8826 (patch) | |
tree | 88aa183df8ac9de8465ffc3c6618ac2e9f6f0a8f | |
parent | 71b43a372bbe2cc39ce02bea4adc47ff246016d4 (diff) |
-rw-r--r-- | lighttpd.conf | 40 |
1 files changed, 34 insertions, 6 deletions
diff --git a/lighttpd.conf b/lighttpd.conf
index da4ab07..dd07cd5 100644
--- a/lighttpd.conf
+++ b/lighttpd.conf
@@ -19,14 +19,38 @@ server.modules = (
 server.port = "80"
 server.bind = "0.0.0.0"
-$SERVER["socket"] == "[::]:80" { }
-$SERVER["socket"] == "[::]:443" { }
+$SERVER["socket"] == ":80" {
+ $HTTP["host"] =~ "(.*)" {
+ url.redirect = ("^/(.*)" => "https://%1/$1")
+ }
+}
+$SERVER["socket"] == "[::]:80" {
+ $HTTP["host"] =~ "(.*)" {
+ url.redirect = ("^/(.*)" => "https://%1/$1")
+ }
+}
 $SERVER["socket"] == ":443" {
- ssl.engine = "enable"
- ssl.pemfile = "/usr/local/etc/acme/certs/example.com/combined.pem"
- ssl.ca-file = "/usr/local/etc/acme/certs/example.com/chain.pem"
+ ssl.engine = "enable"
+ ssl.pemfile = "/usr/local/etc/dehydrated/certs/www2.high5.nl/combined.pem"
+ ssl.ca-file = "/usr/local/etc/dehydrated/certs/www2.high5.nl/chain.pem"
+ ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"
+ ssl.dh-file = "/usr/local/etc/ssl/dhparam.pem"
+ ssl.ec-curve = "secp384r1"
+ setenv.add-response-header = (
+ "Strict-Transport-Security" => "max-age=31536000; includeSubdomains",
+ "X-Frame-Options" => "SAMEORIGIN",
+ "X-XSS-Protection" => "1; mode=block",
+ "X-Content-Type-Options" => "nosniff",
+ "Referrer-Policy" => "no-referrer",
+ "Feature-Policy" => "geolocation none; midi none; notifications none; push none; sync-xhr none; microphone none; camera none; magnetometer none; gyroscope none; speaker none; vibrate none; fullscreen self; payment none; usb none;"
+ )
+}
+$SERVER["socket"] == "[::]:443" {
+ ssl.engine = "enable"
+ ssl.pemfile = "/usr/local/etc/dehydrated/certs/www2.high5.nl/combined.pem"
+ ssl.ca-file = "/usr/local/etc/dehydrated/certs/www2.high5.nl/chain.pem"
 ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"
- ssl.dh-file = "/usr/local/etc/ssl/certs/dhparam.pem"
+ ssl.dh-file = "/usr/local/etc/ssl/dhparam.pem"
 ssl.ec-curve = "secp384r1"
 setenv.add-response-header = (
 "Strict-Transport-Security" => "max-age=31536000; includeSubdomains",
@@ -103,6 +127,10 @@ $HTTP["host"] =~ "(www\.)?example.com" {
 url.redirect = ("^/(.*)" => "https://www.example.com/$1")
 }
+$HTTP["host"] =~ "(www\.)?example.com" {
+ server.document-root = "/var/www/htdocs/example.com"
+}
+
 $HTTP["host"] =~ "^(www.)?[^.]+\.[^.]+$" {
 evhost.path-pattern = "/usr/local/www/www.%2.%1/"
 } |
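Review bot: The new port-80 redirects in both the `:80` and `[::]:80` blocks copy the client-supplied Host header unvalidated into the Location target (`$HTTP["host"] =~ "(.*)"` followed by `"https://%1/$1"`), so a request carrying a forged Host is bounced to an attacker-chosen origin and, presumably, to `https:///…` when no Host is sent at all — the Host-header reflection primitive behind cache and password-reset poisoning when a proxy or cache sits in front. Restrict the capture to the host shapes this server actually serves, e.g. `$HTTP["host"] =~ "^((www\.)?[^.]+\.[^.]+)(:[0-9]+)?$" { url.redirect = ("^/(.*)" => "https://%1/$1") }`, and give the `else` branch a redirect to the canonical name so any other Host cannot steer the target. Separately, `ssl.cipher-list`, `ssl.dh-file`, `ssl.ec-curve` and the whole response-header list are now duplicated verbatim between the `:443` and `[::]:443` blocks; lighttpd accepts `ssl.*` and `setenv.*` at global scope for every socket with `ssl.engine = "enable"`, so hoisting the shared settings out of the per-socket blocks would keep the IPv4 and IPv6 listeners from drifting apart in a later edit. The `[::]:443` block's remaining lines continue past the end of this hunk.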
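Review bot: The added `$HTTP["host"] =~ "(www\.)?example.com"` condition is unanchored and leaves the second dot unescaped, so it also matches any Host that merely contains that substring — `example.com.evil.tld`, `notexample.com`, `examplexcom` — and hands those requests `/var/www/htdocs/example.com` as document root; anchor it and escape the dot, `$HTTP["host"] =~ "^(www\.)?example\.com$"` (add `(:[0-9]+)?` before the `$` if a Host with an explicit port must still match). The redirect block above it (context here) reuses the same unanchored pattern and would benefit from the same tightening. Note that the following `^(www.)?[^.]+\.[^.]+$` block also matches `www.example.com`, so whether `server.document-root` or `evhost.path-pattern` wins for that host depends on lighttpd's evaluation order — worth confirming with one request per host before relying on the new block.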