lighttpd

Install lighttpd

:~$ sudo apt-get install lighttpd
:~$ sudo lighty-enable-mod fastcgi-php
:~$ sudo systemctl restart lighttpd

Raspberry Pi

:~$ sudo apt-get install lighttpd

Configuration

server.modules = (
    "mod_access",
    "mod_alias",
    "mod_compress",
#   "mod_redirect",
#   "mod_fastcgi",
    "mod_rewrite",
)

server.document-root = "/var/www/"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data" # run as this user
server.groupname = "www-data" # run as this group
server.port = 80

index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

#fastcgi.server = ( ".php" => ((
# "bin-path" => "/usr/bin/php5-cgi",
# "socket" => "/tmp/php.socket"
#)))
# disable directory listing
dir-listing.activate = "disable"
$HTTP["host"] == "pi.net" {
    ssl.engine = "disable" # HTTPS is off here; "enable" would turn on HTTPS globally and stop serving plain HTTP
    ssl.pemfile = "/etc/lighttpd/server.pem"
    dir-listing.activate = "disable" # set to "enable" to allow directory listing
    server.document-root = "/var/www/"
}

# enable HTTPS for pi.net on port 50003
$SERVER["socket"] == ":50003" {
    $HTTP["host"] =~ "pi.net" {
        server.name = "pi.net"
        server.document-root = "/home/www/yaaw"
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
        ssl.disable-client-renegotiation = "enable"
        url.redirect = ( "^/(.*)" => "https://pi.net:50003/$1" )
    }
    $HTTP["host"] == "blog.net" {
        server.name = "blog.net"
        server.document-root = "/home/www/blog/public"
        ssl.engine = "disable"
    }
}

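Configuring HTTPS

Enable SSL by editing the configuration file /etc/lighttpd/lighttpd.conf; there are several ways to do it. After changing the configuration, restart the lighttpd service for it to take effect.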

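# Check the conf file
:~$ lighttpd -tt -f /etc/lighttpd/lighttpd.conf
:~$ sudo systemctl restart lighttpd.service
# PEM file
# ssl.ca-file holds CA certificates only; the CA private key (ca.key) is not needed on the web server
:~$ cat ca.crt > ca.pem
# ssl.pemfile holds the site certificate followed by its private key
:~$ cat pi.net.crt pi.net.key > pi.net.pem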

1. Serve HTTPS only: add the SSL settings to the global configuration and change the server port to 443

ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/pi.net.pem"
ssl.ca-file = "/etc/lighttpd/ca.pem"
server.port = 443 # change the original port to 443

2. Keep the existing configuration and add access on port 443

# "sudo echo ... > file" performs the redirection as the unprivileged user, so write the file through sudo tee
:~$ echo '
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/pi.net.pem"
    ssl.ca-file = "/etc/lighttpd/ca.pem"
}
' | sudo tee /etc/lighttpd/conf-available/99-https.conf > /dev/null
:~$ sudo ln -s /etc/lighttpd/conf-available/99-https.conf /etc/lighttpd/conf-enabled/99-https.conf

3. Set up port 443 as a new virtual host

:~$ echo '
$SERVER["socket"] == ":443" {
    server.document-root = "/srv/ssl" # use your ssl directory here
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/pi.net.pem"
    ssl.ca-file = "/etc/lighttpd/ca.pem"
}
' | sudo tee /etc/lighttpd/conf-available/99-https.conf > /dev/null
:~$ sudo ln -s /etc/lighttpd/conf-available/99-https.conf /etc/lighttpd/conf-enabled/99-https.conf

4. Configure a different certificate file for each virtual host

:~$ echo '
$HTTP["host"] == "www.example.org" {
    ssl.pemfile = "/etc/lighttpd/certs/www.example.org.pem"
    ssl.ca-file = "/etc/lighttpd/ca.pem"
}
$HTTP["host"] == "mail.example.org" {
    ssl.pemfile = "/etc/lighttpd/certs/mail.example.org.pem"
    ssl.ca-file = "/etc/lighttpd/ca.pem"
}
' | sudo tee /etc/lighttpd/conf-available/99-https.conf > /dev/null
:~$ sudo ln -s /etc/lighttpd/conf-available/99-https.conf /etc/lighttpd/conf-enabled/99-https.conf
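
An added example (not part of the original notes) that checks the two kinds of file built with cat in this section before lighttpd is pointed at them: the ssl.pemfile must hold a certificate and exactly one private key and must not be readable by group or others, and the ssl.ca-file must hold certificates only. The function names and the throwaway files built in demo() are assumptions of this example; the PEM bodies are constructed placeholders, not real keys.

```python
import os
import re
import stat
import tempfile

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_labels(path):
    """Return the label of every PEM block in the file, in order."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return PEM_BEGIN.findall(fh.read())

def audit_pem(path, role):
    """role is 'pemfile' (certificate + key) or 'ca-file' (certificates only)."""
    labels = pem_labels(path)
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    certs = [label for label in labels if label == "CERTIFICATE"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if not certs:
        findings.append("no certificate block")
    if role == "pemfile":
        if len(keys) != 1:
            findings.append(f"expected exactly one private key, found {len(keys)}")
        if mode & 0o077:
            findings.append(f"mode {mode:o} lets group/others read the private key")
    elif keys:
        findings.append("private key present in ssl.ca-file")
    return findings

def demo():
    """Build constructed sample files and audit them (placeholder PEM bodies)."""
    def fake(label):
        return f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "pi.net.pem")
        ca = os.path.join(tmp, "ca.pem")
        with open(site, "w") as fh:
            fh.write(fake("CERTIFICATE") + fake("PRIVATE KEY"))
        with open(ca, "w") as fh:  # a CA bundle that wrongly includes the CA key
            fh.write(fake("CERTIFICATE") + fake("RSA PRIVATE KEY"))
        os.chmod(site, 0o644)
        before = audit_pem(site, "pemfile")
        os.chmod(site, 0o600)
        return before, audit_pem(site, "pemfile"), audit_pem(ca, "ca-file")

if __name__ == "__main__":
    print(demo())
```
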

php in lighttpd

# install php
:~$ sudo apt-get install php php-cgi php-fpm
# enable lighttpd-fastcgi
:~$ sudo lighty-enable-mod fastcgi-php
# or
:~$ sudo vim /etc/lighttpd/lighttpd.conf
server.modules = ( "mod_rewrite",
    ...
    "mod_fastcgi",
    ...
)
# restart lighttpd
:~$ sudo systemctl restart lighttpd

Original article

webdav

WebDAV stands for Web-based Distributed Authoring and Versioning and is a set of extensions to the HTTP protocol that allow users to directly edit files on the lighttpd server so that they do not need to be downloaded/uploaded via FTP. Of course, WebDAV can also be used to upload and download files.

Installing WebDAV

You can install lighttpd (if it’s not already installed), the lighttpd WebDAV module and the apache2-utils package (which contains the tool htpasswd which we will need later on to generate a password file for the WebDAV share) as follows:

sudo apt-get install lighttpd lighttpd-mod-webdav apache2-utils

Afterwards, we must make sure that the directory /var/run/lighttpd is owned by the www-data user and group. This directory will contain an SQLite database needed by WebDAV:

sudo chown www-data:www-data /var/run/lighttpd/

Next, we enable the modules mod_auth and mod_webdav:

sudo lighty-enable-mod auth
sudo lighty-enable-mod webdav

Reload lighttpd afterwards:

sudo systemctl restart lighttpd

Creating A Virtual Host

I will now create a lighttpd vhost (www.example.com) in the directory /var/www/web1/web. If you already have a vhost for which you’d like to enable WebDAV, you must adjust this tutorial to your situation.

First, we create the directory /var/www/web1/web and make the lighttpd user (www-data) the owner of that directory:

sudo mkdir -p /var/www/web1/web
sudo chown www-data:www-data /var/www/web1/web

Then we open /etc/lighttpd/lighttpd.conf and add the following vhost to the end of the file:

vi /etc/lighttpd/lighttpd.conf
[...]
$HTTP["host"] == "www.example.com" {
    server.document-root = "/var/www/web1/web"
}

Afterwards we restart lighttpd:

sudo systemctl restart lighttpd

Configure The Virtual Host For WebDAV

Now we create the WebDAV password file /var/www/web1/passwd.dav with the user test (the -c switch creates the new password file):

htpasswd -c /var/www/web1/passwd.dav test

You will be asked to type in a password for the user test.

(Please don’t use the -c switch if /var/www/web1/passwd.dav already exists, because this will recreate the file from scratch, meaning you lose all users in that file!)

Now we change the permissions of the /var/www/web1/passwd.dav file so that only root and the members of the www-data group can access it:

chown root:www-data /var/www/web1/passwd.dav
chmod 640 /var/www/web1/passwd.dav

Now we modify our vhost in /etc/lighttpd/lighttpd.conf so that it looks as follows:

vim /etc/lighttpd/lighttpd.conf

$HTTP["host"] == "www.example.com" {
    server.document-root = "/var/www/web1/web"
    alias.url = ( "/webdav" => "/var/www/web1/web" )
    $HTTP["url"] =~ "^/webdav($|/)" {
        dir-listing.activate = "enable"
        dir-listing.encoding = "utf-8"
        webdav.activate = "enable"
        webdav.is-readonly = "disable"
        webdav.sqlite-db-name = "/var/run/lighttpd/lighttpd.webdav_lock.db"
        auth.backend = "htpasswd"
        auth.backend.htpasswd.userfile = "/var/www/web1/passwd.dav"
        auth.require = ( "" =>
            (
                "method" => "basic",
                "realm" => "webdav",
                "require" => "valid-user"
            )
        )
    }
}

Together with the $HTTP["url"] =~ "^/webdav($|/)" condition, the alias.url directive means that a request to /webdav invokes WebDAV while still giving access to the whole document root of the vhost. All other URLs of that vhost are still “normal” HTTP.

Restart lighttpd afterwards:

sudo systemctl restart lighttpd

Test WebDAV

Browser

firefox http://www.example.com/webdav

WebDAV client–cadaver

We will now install cadaver, a command-line WebDAV client:

apt-get install cadaver

To test if WebDAV works, type:

cadaver http://www.example.com/webdav/

You should be prompted for a user name. Type in test and then the password for the user test. If all goes well, you should be granted access which means WebDAV is working ok. Type quit to leave the WebDAV shell:

root@server1:~# cadaver http://www.example.com/webdav/
Authentication required for webdav on server `www.example.com':
Username: test
Password:
dav:/webdav/> quit
Connection to `www.example.com' closed.
root@server1:~#

Modules

lighttpd docs

mod_auth

wiki

Supported Methods

lighttpd supports both authentication methods described by RFC 2617:

basic

The Basic method transfers the username and the password in cleartext over the network (base64 encoded) and might result in security problems if not used in conjunction with an encrypted channel between client and server.

digest

The Digest method transfers only a hashed value over the network, which does a lot to harden the authentication process on insecure networks.

Backends

Depending on the method, lighttpd provides various ways to store the credentials used for the authentication.

  • For basic auth:
      • plain
      • htpasswd
      • htdigest
      • ldap
      • gssapi
      • mysql
      • pam
      • sasl
  • For digest auth:
      • plain
      • htdigest

mod_compress

  1. Static file compression
    # /etc/lighttpd/lighttpd.conf
    compress.cache-dir = "/var/tmp/lighttpd/cache/"
    compress.filetype = ("text/plain", "text/html", "text/css", "text/javascript")
  2. PHP files
    # /etc/php/7.0/fpm/php.ini
    zlib.output_compression = On