lighttpd-external.conf

# OsbornePro LLC. Lighttpd Config Template
#
# This configuration file is at /etc/lighttpd/external.conf
# This is configuration I added to harden my Pi-Hole web server

# mod_evasive
evasive.max-conns-per-ip = 2
evasive.silent = "disable"
#evasive.location = "https://hostname.domain.com/302.html"

# Uncomment the below line to also load my rejections.conf template with whatever modifications you like
#include "/etc/lighttpd/rejections.conf"

$HTTP["host"] == "hostname.domain.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")



#================================================================================================================================================================
# When setenv.add-response-header is defined in external.conf you need to delete the matching values in lighttpd.conf as they can only be defined in one location
#================================================================================================================================================================
$HTTP["url"] =~ "^/admin/" {
    # Create a response header for debugging using curl -I
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=15768000; includeSubdomains; preload",
        "X-XSS-Protection" => "1; mode=block",
        "X-Pi-hole" => "The Pi-hole Web interface is working!",
        "X-Frame-Options" => "DENY"
    )
    $HTTP["url"] =~ "\.(eot|otf|tt[cf]|woff2?)$" {
        # Allow Block Page access to local fonts
        setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )
    }
}

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/cert.pem"                            # Where your SSL cert is
    ssl.ca-file =  "/etc/lighttpd/ca.pem"                             # Where your SSL cert's CA file is
    # ssl.use-compression = "disable"                                 # Lighttpd v1.4.28-2 and above disables SSL compression at compile time to protect against CVE-2012-4929
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "-TLSv1.1, -TLSv1")     # Add -SSLv3 or -SSLv2 to this value later on if needed
    ssl.use-sslv2 = "disable"                                         # Option will be retired with version 1.4.29 and above
    ssl.use-sslv3 = "disable"                                         # Option will be retired with version 1.4.29 and above
    ssl.dh-file = "/etc/lighttpd/dhparam4096.pem"                     # Generate using ```openssl dhparam -out /etc/lighttpd/dhparam4096.pem 4096```
    ssl.ec-curve = "secp521r1"                                        # View list of options using ```openssl ecparam -list_curves```
    ssl.disable-client-renegotiation = "enable"
    #########################################
    # Stapling requires Lighttpdv1.4.56
    #########################################
    # Correct format of stapling file can be produced using the below command
    # openssl ocsp -issuer /etc/lighttpd/ca.pem -cert /etc/lighttpd/cert.pem -respout /etc/lighttpd/ocsp-resp -noverify -no_nonce -url http://r3.o.lencr.org/ocsp
    # ssl.stapling-file = "/etc/lighttpd/ocsp-resp"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0") # Redirect all hosts to their secure equivilants
    }
  }
}