-
Notifications
You must be signed in to change notification settings - Fork 7
/
lighttpd-external.conf
63 lines (55 loc) · 3.4 KB
/
lighttpd-external.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# OsbornePro LLC. Lighttpd Config Template
#
# This configuration file is at /etc/lighttpd/external.conf
# This is configuration I added to harden my Pi-Hole web server
# mod_evasive
evasive.max-conns-per-ip = 2
evasive.silent = "disable"
#evasive.location = "https://hostname.domain.com/302.html"
# Uncomment the below line to also load my rejections.conf template with whatever modifications you like
#include "/etc/lighttpd/rejections.conf"
$HTTP["host"] == "hostname.domain.com" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
#================================================================================================================================================================
# When setenv.add-response-header is defined in external.conf you need to delete the matching values in lighttpd.conf as they can only be defined in one location
#================================================================================================================================================================
$HTTP["url"] =~ "^/admin/" {
# Create a response header for debugging using curl -I
setenv.add-response-header = (
"Strict-Transport-Security" => "max-age=15768000; includeSubdomains; preload",
"X-XSS-Protection" => "1; mode=block",
"X-Pi-hole" => "The Pi-hole Web interface is working!",
"X-Frame-Options" => "DENY"
)
$HTTP["url"] =~ "\.(eot|otf|tt[cf]|woff2?)$" {
# Allow Block Page access to local fonts
setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )
}
}
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/cert.pem" # Where your SSL cert is
ssl.ca-file = "/etc/lighttpd/ca.pem" # Where your SSL cert's CA file is
# ssl.use-compression = "disable" # Lighttpd v1.4.28-2 and above disables SSL compression at compile time to protect against CVE-2012-4929
ssl.openssl.ssl-conf-cmd = ("Protocol" => "-TLSv1.1, -TLSv1") # Add -SSLv3 or -SSLv2 to this value later on if needed
ssl.use-sslv2 = "disable" # Option will be retired with version 1.4.29 and above
ssl.use-sslv3 = "disable" # Option will be retired with version 1.4.29 and above
ssl.dh-file = "/etc/lighttpd/dhparam4096.pem" # Generate using ```openssl dhparam -out /etc/lighttpd/dhparam4096.pem 4096```
ssl.ec-curve = "secp521r1" # View list of options using ```openssl ecparam -list_curves```
ssl.disable-client-renegotiation = "enable"
#########################################
# Stapling requires Lighttpdv1.4.56
#########################################
# Correct format of stapling file can be produced using the below command
# openssl ocsp -issuer /etc/lighttpd/ca.pem -cert /etc/lighttpd/cert.pem -respout /etc/lighttpd/ocsp-resp -noverify -no_nonce -url http://r3.o.lencr.org/ocsp
# ssl.stapling-file = "/etc/lighttpd/ocsp-resp"
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0") # Redirect all hosts to their secure equivilants
}
}
}