authormischa <mischa@rx.high5.nl>2019-03-23 13:21:03 +0100
committermischa <mischa@rx.high5.nl>2019-03-23 13:21:03 +0100
commite69e1be0e4a10e94737293a7acf7c60a941a8826 (patch)
tree88aa183df8ac9de8465ffc3c6618ac2e9f6f0a8f /lighttpd.conf
parent71b43a372bbe2cc39ce02bea4adc47ff246016d4 (diff)
IPv6 config needs to be specifiedHEADmaster
Diffstat (limited to 'lighttpd.conf')
-rw-r--r--lighttpd.conf40
1 files changed, 34 insertions, 6 deletions
diff --git a/lighttpd.conf b/lighttpd.conf
index da4ab07..dd07cd5 100644
--- a/lighttpd.conf
+++ b/lighttpd.conf
@@ -19,14 +19,38 @@ server.modules = (
server.port = "80"
server.bind = "0.0.0.0"
-$SERVER["socket"] == "[::]:80" { }
-$SERVER["socket"] == "[::]:443" { }
+$SERVER["socket"] == ":80" {
+ $HTTP["host"] =~ "(.*)" {
+ url.redirect = ("^/(.*)" => "https://%1/$1")
+ }
+}
+$SERVER["socket"] == "[::]:80" {
+ $HTTP["host"] =~ "(.*)" {
+ url.redirect = ("^/(.*)" => "https://%1/$1")
+ }
+}
$SERVER["socket"] == ":443" {
- ssl.engine = "enable"
- ssl.pemfile = "/usr/local/etc/acme/certs/example.com/combined.pem"
- ssl.ca-file = "/usr/local/etc/acme/certs/example.com/chain.pem"
+ ssl.engine = "enable"
+ ssl.pemfile = "/usr/local/etc/dehydrated/certs/www2.high5.nl/combined.pem"
+ ssl.ca-file = "/usr/local/etc/dehydrated/certs/www2.high5.nl/chain.pem"
+ ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"
+ ssl.dh-file = "/usr/local/etc/ssl/dhparam.pem"
+ ssl.ec-curve = "secp384r1"
+ setenv.add-response-header = (
+ "Strict-Transport-Security" => "max-age=31536000; includeSubdomains",
+ "X-Frame-Options" => "SAMEORIGIN",
+ "X-XSS-Protection" => "1; mode=block",
+ "X-Content-Type-Options" => "nosniff",
+ "Referrer-Policy" => "no-referrer",
+ "Feature-Policy" => "geolocation none; midi none; notifications none; push none; sync-xhr none; microphone none; camera none; magnetometer none; gyroscope none; speaker none; vibrate none; fullscreen self; payment none; usb none;"
+ )
+}
+$SERVER["socket"] == "[::]:443" {
+ ssl.engine = "enable"
+ ssl.pemfile = "/usr/local/etc/dehydrated/certs/www2.high5.nl/combined.pem"
+ ssl.ca-file = "/usr/local/etc/dehydrated/certs/www2.high5.nl/chain.pem"
ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"
- ssl.dh-file = "/usr/local/etc/ssl/certs/dhparam.pem"
+ ssl.dh-file = "/usr/local/etc/ssl/dhparam.pem"
ssl.ec-curve = "secp384r1"
setenv.add-response-header = (
"Strict-Transport-Security" => "max-age=31536000; includeSubdomains",
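Review bot: Both port-80 blocks (`$SERVER["socket"] == ":80"` and `"[::]:80"`) copy the client-supplied Host header straight into the redirect target, because `$HTTP["host"] =~ "(.*)"` matches anything and `%1` becomes the authority part of `Location`. A Host value carrying a port suffix would produce `https://name:80/...`, and a name this server does not host is redirected as if it were valid. I would restrict the match to the names actually served and keep the port out of the capture, for example `$HTTP["host"] =~ "^((www\.)?example\.com)(:[0-9]+)?$" {` adapted to the real vhost list. Separately, the `:443` and `[::]:443` blocks now carry two full copies of the TLS and header settings; this commit already corrects a drifted `ssl.dh-file` path, so it is worth confirming the tail of the `[::]:443` block outside the hunk matches the new `:443` block.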
@@ -103,6 +127,10 @@ $HTTP["host"] =~ "(www\.)?example.com" {
url.redirect = ("^/(.*)" => "https://www.example.com/$1")
}
+$HTTP["host"] =~ "(www\.)?example.com" {
+ server.document-root = "/var/www/htdocs/example.com"
+}
+
$HTTP["host"] =~ "^(www.)?[^.]+\.[^.]+$" {
evhost.path-pattern = "/usr/local/www/www.%2.%1/"
}
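Review bot: The host pattern on the added block, `"(www\.)?example.com"`, is unanchored and leaves the final dot unescaped, so any Host header that merely contains a string of that shape is served from `/var/www/htdocs/example.com`. Anchoring it as `$HTTP["host"] =~ "^(www\.)?example\.com$" {` limits the document root to the two intended names. The same condition appears to open the redirect block directly above, which starts outside the hunk, so it is worth checking whether `server.document-root` can live there instead of in a second copy of the regex. The following evhost pattern also matches two-label hosts; which setting wins for example.com depends on configuration outside this hunk.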