author | mischa <mischa@rx.high5.nl> | 2019-03-17 11:13:41 +0100 |
---|---|---|
committer | mischa <mischa@rx.high5.nl> | 2019-03-17 11:13:41 +0100 |
commit | 16d4ddb8b1d6bac9c5e78c5f89ba2a348200397e (patch) | |
tree | 8449c60c2126a99c40a512beec06e6824f8401e5 /lighttpd.conf | |
parent | 9be3fe10a74019d8b8474f2829fea7c06f681e32 (diff) |
ssl update and url.access-deny
Diffstat (limited to 'lighttpd.conf')
-rw-r--r-- | lighttpd.conf | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/lighttpd.conf b/lighttpd.conf index 62c70b5..2cd5425 100644 --- a/lighttpd.conf +++ b/lighttpd.conf @@ -22,9 +22,13 @@ server.bind = "0.0.0.0" $SERVER["socket"] == "[::]:80" { } $SERVER["socket"] == "[::]:443" { } $SERVER["socket"] == ":443" { - ssl.engine = "enable" - ssl.pemfile = "/usr/local/etc/acme/certs/example.com/combined.pem" - ssl.ca-file = "/usr/local/etc/acme/certs/example.com/chain.pem" + ssl.engine = "enable" + ssl.pemfile = "/usr/local/etc/acme/certs/example.com/combined.pem" + ssl.ca-file = "/usr/local/etc/acme/certs/example.com/chain.pem" + ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH" + ssl.dh-file = "/usr/local/etc/ssl/certs/dhparam.pem" + ssl.ec-curve = "secp384r1" + setenv.add-response-header = ("Strict-Transport-Security" => "max-age=31536000; includeSubdomains") } server.username = "www" @@ -54,8 +58,8 @@ alias.url += ("/.well-known/acme-challenge/" => "/usr/local/www/acme/") compress.cache-dir = "/tmp/lighttpdcompress/" compress.filetype = ("text/plain","text/css", "text/xml", "text/javascript") -#auth.backend = "htpasswd" -#auth.backend.htpasswd.userfile = "/usr/local/etc/lighttpd/htpasswd" +auth.backend = "htpasswd" +auth.backend.htpasswd.userfile = "/usr/local/etc/lighttpd/htpasswd" # pdf fix $HTTP["url"] =~ "\.pdf$" { @@ -70,6 +74,16 @@ $HTTP["url"] =~ ".(js|css|png|jpg|jpeg|gif|ico)" { expire.url = ( "" => "access plus 1 months" ) } +$HTTP["request-method"] =~ "^(PUT|PATCH|DELETE)$" { + url.access-deny = ("") +} +$HTTP["url"] =~ "/(?:uploads|files|wp-content|wp-includes).*.(php|phps|txt|md|exe)$" { + url.access-deny = ("") +} +$HTTP["url"] =~ "/(wp-config|xmlrpc).php" { + url.access-deny = ("") +} + $HTTP["host"] =~ "www1.example.com" { auth.require = ( "/admin/" => ( "method" => "basic", |
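Review bot: The new cipher, DH, curve and HSTS lines are added only inside `$SERVER["socket"] == ":443"`, while the `$SERVER["socket"] == "[::]:443" { }` block in the context lines just above it is still empty, so as far as this hunk shows the IPv6 listener gets neither `ssl.engine` nor any of the hardening. If nothing elsewhere in the file configures that socket, the same settings should be repeated in the `[::]:443` block. The last two entries of the cipher string, `AES128+EECDH:AES128+EDH`, still admit CBC-mode suites, and no minimum protocol version is set in the visible lines. A comment above `setenv.add-response-header` noting that it needs mod_setenv loaded, and that `includeSubdomains` with `max-age=31536000` commits every subdomain to HTTPS for a year, would help the next editor.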
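Review bot: Uncommenting `auth.backend = "htpasswd"` appears to be what activates the Basic-auth rule visible at the end of this diff (`"method" => "basic"` under `$HTTP["host"] =~ "www1.example.com"`), and that rule is keyed on the host only, not on the scheme or socket, so a request arriving on the port-80 listeners would carry the password without TLS. Nothing in the visible hunks redirects HTTP to HTTPS; the `auth.require` block continues outside the diff, so this may be handled elsewhere. If it is not, wrap the rule in `$HTTP["scheme"] == "https" { … }` or add a redirect on the port-80 sockets. A comment next to `auth.backend.htpasswd.userfile` stating the expected hash format and that the file should be readable only by the `www` user would also be worth adding.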
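Review bot: In both new URL patterns the dot before the extension is unescaped, so `.(php|phps|txt|md|exe)$` and `(wp-config|xmlrpc).php` match any character in that position, and the `$` anchor on the first pattern means a path that continues after the extension is not covered by the deny rule. The pdf rule earlier in the file already escapes the dot (`"\.pdf$"`); the same form here would be `"/(?:uploads|files|wp-content|wp-includes).*\.(php|phps|txt|md|exe)(?:/|$)"` and `"/(wp-config|xmlrpc)\.php"`. Matching is case-sensitive as written, which matters if the document root sits on a case-insensitive filesystem. For the method rule, an allow-list such as `$HTTP["request-method"] !~ "^(GET|HEAD|POST)$"` would fail closed for methods the deny-list does not name, provided the sites need no others.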