blob: 9365a33c6789ca38e451e02475c7513c5fd9f722 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
#!/bin/bash
declare -rg CERT="/etc/lighttpd/server.pem"
declare -rg CHAIN="/etc/lighttpd/chain.pem"
declare -rg DHPARAM="/etc/lighttpd/dhparam.pem"
declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag"
if ! [ -s "$DHPARAM" ] && ! ps aux | grep 'openssl dhparam' | grep -q -v grep; then
openssl dhparam -out "$DHPARAM" 2048 >/dev/null 2>&1
fi
[ -s "$CERT" ] || exit 0
cat <<HEREDOC
\$SERVER["socket"] == ":443" {
protocol = "https://"
ssl.engine = "enable"
ssl.disable-client-renegotiation = "enable"
# pemfile is cert+privkey, ca-file is the intermediate chain in one file
ssl.pemfile = "$CERT"
# ECDH/ECDHE ciphers curve strength (see "openssl ecparam -list_curves")
ssl.ec-curve = "secp384r1"
# Compression is by default off at compile-time, but use if needed
# ssl.use-compression = "disable"
# Environment flag for HTTPS enabled
setenv.add-environment = (
"HTTPS" => "on"
)
# intermediate configuration, tweak to your needs
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
HEREDOC
[ -s "$CHAIN" ] && echo " ssl.ca-file = \"$CHAIN\""
[ -s "$DHPARAM" ] && echo " ssl.dh-file = \"$DHPARAM\""
echo "}"
[ -f "$REDIR_FLAG" ] && cat <<"HEREDOC"
$HTTP["scheme"] == "http" {
# capture vhost name with regex condition -> %0 in redirect pattern
# must be the most inner block to the redirect rule
$HTTP["host"] =~ ".*" {
url.redirect = ( "^/slx-admin/($|\?|index.php).*" => "https://%0$0" )
url.redirect-code = 302
}
}
HEREDOC
exit 0
|
