#
# lighttpd configuration file
#
# Modules loaded at startup. mod_auth backs the auth.* settings, mod_access
# backs url.access-deny, mod_setenv adds the response headers on the TLS
# socket, and mod_openssl provides the ssl.* options.
# NOTE(review): newer lighttpd releases replace mod_compress with mod_deflate;
# confirm this list against the installed version.
server.modules = (
  "mod_auth",
  "mod_expire",
  "mod_compress",
  "mod_rewrite",
  "mod_redirect",
  "mod_alias",
  "mod_access",
  "mod_setenv",
  "mod_evhost",
  "mod_fastcgi",
  "mod_accesslog",
  "mod_status",
  "mod_openssl"
)

# Plain-HTTP listener on all IPv4 addresses.
server.port = "80"
server.bind = "0.0.0.0"
# Empty socket blocks: they add IPv6 listeners on ports 80 and 443 but set no
# options of their own.
# NOTE(review): nothing in the "[::]:443" block enables TLS. Verify that IPv6
# clients on port 443 really get TLS and the response headers set below;
# depending on the lighttpd version, ssl.engine may have to be set in that
# block as well.
$SERVER["socket"] == "[::]:80" { }
$SERVER["socket"] == "[::]:443" { }
# TLS listener on port 443.
$SERVER["socket"] == ":443" {
  ssl.engine = "enable" 
  # Certificate plus key, and the issuing chain, as written by the ACME client.
  ssl.pemfile = "/usr/local/etc/acme/certs/example.com/combined.pem"
  ssl.ca-file = "/usr/local/etc/acme/certs/example.com/chain.pem"
  # NOTE(review): no minimum protocol version is pinned in this block, and the
  # AES128+EECDH / AES128+EDH entries also admit CBC suites. Check the
  # effective protocol and cipher set against current policy.
  ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
  ssl.dh-file = "/usr/local/etc/ssl/certs/dhparam.pem"
  ssl.ec-curve = "secp384r1"
  # These headers are set inside the socket block, so they are sent only on
  # this listener: HSTS for one year including subdomains, no framing, and no
  # MIME sniffing.
  setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=31536000; includeSubdomains",
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
  )
}

# User and group the server runs as, so request handling does not happen as
# root.
server.username = "www"
server.groupname = "www"
server.pid-file = "/var/run/lighttpd.pid"
# FreeBSD kqueue event backend; the stat cache is switched off.
server.event-handler = "freebsd-kqueue"
server.stat-cache-engine = "disable"
# Seconds a stalled write may stay idle before the connection is dropped.
server.max-write-idle = 720

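# Report only the product name in the Server header (no version string).
server.tag = "lighttpd"

# The mod_status pages show live connection data and the loaded
# configuration, so they are served to the local host only. Widen the match
# to a trusted admin address or network if remote access is needed.
$HTTP["remoteip"] == "127.0.0.1" {
  status.status-url = "/server-status"
  status.config-url = "/server-config"
  status.statistics-url = "/server-stats"
}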

# Default document root, custom 404 page, and log locations.
server.document-root = "/usr/local/www/default/"                                    
server.error-handler-404 = "/404.html"
accesslog.filename = "/usr/local/www/logs/lighttpd.access.log"
server.errorlog = "/usr/local/www/logs/lighttpd.error.log"

index-file.names = ("index.php", "index.html", "index.htm")
# Deny requests whose path ends in one of these strings (editor backups,
# include files, shell scripts, SQL dumps, .htaccess).
# NOTE(review): "sql" has no leading dot, so it matches any path ending in
# "sql", not only the ".sql" extension. Confirm that is intended.
url.access-deny = ("~", ".inc", ".sh", "sql", ".htaccess")
# Never hand these out as static files; their source must not be downloadable.
static-file.exclude-extensions = (".php", ".pl", ".fcgi")
# No auto-generated directory indexes.
server.dir-listing = "disable"

# Serve ACME HTTP-01 challenge files from a dedicated directory.
alias.url += ("/.well-known/acme-challenge/" => "/usr/local/www/acme/")

# NOTE(review): the compression cache sits at a fixed path under /tmp. Prefer
# a directory owned by the server user that other local accounts cannot
# create or write to.
compress.cache-dir = "/tmp/lighttpdcompress/"
compress.filetype = ("text/plain", "text/css", "text/xml", "text/javascript")

# Accounts for HTTP authentication are read from an htpasswd-format file.
# NOTE(review): keep this file outside every document root and readable only
# by the server user.
auth.backend = "htpasswd" 
auth.backend.htpasswd.userfile = "/usr/local/etc/lighttpd/htpasswd"

# pdf fix: turn off Range (partial-content) requests for PDF files.
$HTTP["url"] =~ "\.pdf$" {
  server.range-requests = "disable"
}
# msie fix: disable keep-alive for matching user agents.
# NOTE(review): the pattern also matches every AppleWebKit-based browser, so
# keep-alive is off for a large share of current clients. Confirm this legacy
# workaround is still wanted.
$HTTP["useragent"] =~ "^(.*MSIE.*)|(.*AppleWebKit.*)$" {
  server.max-keep-alive-requests = 0
}

# Static assets: set cache expiry to one month after access.
$HTTP["url"] =~ "\.(js|css|png|jpg|jpeg|gif|ico)$" {
  expire.url = ( "" => "access plus 1 months" )
}

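# Reject PUT, PATCH and DELETE outright; the empty suffix in url.access-deny
# matches every path.
$HTTP["request-method"] =~ "^(PUT|PATCH|DELETE)$" {
  url.access-deny = ("")
}
# Block scripts and stray text or executable files under upload and WordPress
# content directories. The trailing (?:/|$) keeps the rule in force when extra
# path segments (PATH_INFO) follow the file name, which a bare "$" anchor
# would let through to the PHP handler.
$HTTP["url"] =~ "/(?:uploads|files|wp-content|wp-includes).*\.(php|phps|txt|md|exe)(?:/|$)" {
  url.access-deny = ("")
}
# Block direct access to wp-config.php and xmlrpc.php, with or without
# trailing path segments.
$HTTP["url"] =~ "/(wp-config|xmlrpc)\.php(?:/|$)" {
  url.access-deny = ("")
}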

# Require HTTP Basic authentication for /admin/ when the Host header matches.
# NOTE(review): the rule is keyed on the client-supplied Host header. Confirm
# /admin/ cannot be reached under any other host name (or a bare IP address)
# that maps to the same document root, because those requests skip this block.
# NOTE(review): the pattern is unanchored and its dots are unescaped, so it
# matches more names than "www1.example.com" alone.
# NOTE(review): Basic credentials are protected in transit only by TLS;
# confirm this path is never served over the port-80 listener.
$HTTP["host"] =~ "www1.example.com" {
  auth.require = ( "/admin/" => (
    "method" => "basic",
    "realm" => "Restricted",
    "require" => "valid-user" )
  )
}

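# Send plain-HTTP requests for the site to the canonical HTTPS host. Without
# the scheme guard the rule also fires on HTTPS requests for www.example.com
# and redirects them to themselves in a loop.
# NOTE(review): the host pattern is unanchored, so it also matches names such
# as www1.example.com. Confirm that is intended.
$HTTP["scheme"] == "http" {
  $HTTP["host"] =~ "(www\.)?example.com" {
    url.redirect = ("^/(.*)" => "https://www.example.com/$1")
  }
}
# Over HTTPS only the bare domain still needs canonicalising.
$HTTP["scheme"] == "https" {
  $HTTP["host"] == "example.com" {
    url.redirect = ("^/(.*)" => "https://www.example.com/$1")
  }
}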

# Name-based virtual hosts: for two-label host names, optionally prefixed
# with "www.", derive the document root from the Host header. In the pattern
# %1 is the TLD and %2 the domain name without it.
# NOTE(review): the directory name is built from a client-supplied header.
# Make sure /usr/local/www/ holds only "www.<domain>.<tld>" directories that
# are meant to be public, and note that the dot in "(www.)" is unescaped.
$HTTP["host"] =~ "^(www.)?[^.]+\.[^.]+$" {
  evhost.path-pattern = "/usr/local/www/www.%2.%1/"
}

# Front-controller routing. A request whose URL contains a dot is passed
# through unchanged ("$0" is the whole match); anything else is handed to
# /index.php with the original path appended as path info.
# NOTE(review): presumably the pattern is matched against the request URI
# including the query string, so a dot in a query parameter would also select
# the pass-through rule. Verify against the installed version.
url.rewrite = (
  "^/(.*)\.(.+)$" => "$0",
  "^/(.+)/?$" => "/index.php/$1"
)

# Hand requests for .php to a FastCGI backend over TCP on the loopback
# address, port 9000.
# NOTE(review): a TCP backend has no file permissions guarding it. Confirm
# the backend listens on loopback only and that untrusted local accounts
# cannot connect to port 9000.
fastcgi.server = ( ".php" =>
  ( "localhost" =>
    (
      "host" => "127.0.0.1",
      "port" => 9000
    )
  )
)

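# Content-Type by file extension. The TLS listener sends
# "X-Content-Type-Options: nosniff", so browsers trust these values as given
# and a wrong entry breaks the file instead of being corrected by sniffing.
# The final "" entry is the fallback for unknown extensions: a download, not
# an inline render.
mimetype.assign = (
  ".php"     => "application/x-mapp-php5",
  ".pdf"     => "application/pdf",
  ".sig"     => "application/pgp-signature",
  ".spl"     => "application/futuresplash",
  ".class"   => "application/octet-stream",
  ".ps"      => "application/postscript",
  ".torrent" => "application/x-bittorrent",
  ".dvi"     => "application/x-dvi",
  ".gz"      => "application/x-gzip",
  ".pac"     => "application/x-ns-proxy-autoconfig",
  ".swf"     => "application/x-shockwave-flash",
  ".tar.gz"  => "application/x-tgz",
  ".tgz"     => "application/x-tgz",
  ".tar"     => "application/x-tar",
  ".zip"     => "application/zip",
  ".mp3"     => "audio/mpeg",
  ".m3u"     => "audio/x-mpegurl",
  ".wma"     => "audio/x-ms-wma",
  ".wax"     => "audio/x-ms-wax",
  # Ogg is not WAV; the previous "audio/x-wav" value mislabelled these files.
  ".ogg"     => "audio/ogg",
  ".wav"     => "audio/x-wav",
  ".gif"     => "image/gif",
  ".jpg"     => "image/jpeg",
  ".jpeg"    => "image/jpeg",
  ".png"     => "image/png",
  ".xbm"     => "image/x-xbitmap",
  ".xpm"     => "image/x-xpixmap",
  ".xwd"     => "image/x-xwindowdump",
  ".css"     => "text/css",
  ".html"    => "text/html",
  ".htm"     => "text/html",
  ".js"      => "text/javascript",
  ".asc"     => "text/plain",
  ".c"       => "text/plain",
  ".conf"    => "text/plain",
  ".text"    => "text/plain",
  ".txt"     => "text/plain",
  ".dtd"     => "text/xml",
  ".xml"     => "text/xml",
  ".mpeg"    => "video/mpeg",
  ".mpg"     => "video/mpeg",
  ".mov"     => "video/quicktime",
  ".qt"      => "video/quicktime",
  ".avi"     => "video/x-msvideo",
  ".asf"     => "video/x-ms-asf",
  ".asx"     => "video/x-ms-asf",
  ".wmv"     => "video/x-ms-wmv",
  ".bz2"     => "application/x-bzip",
  ".tbz"     => "application/x-bzip-compressed-tar",
  ".tar.bz2" => "application/x-bzip-compressed-tar",
  ""         => "application/octet-stream"
)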