-
Notifications
You must be signed in to change notification settings - Fork 2
/
lighttpd4haproxymin.conf
81 lines (66 loc) · 2.74 KB
/
lighttpd4haproxymin.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
# debug.log-request-handling = "enable"
# debug.log-condition-handling = "enable"
# LIGHTYTOP is set by the test script
var.rootroot = env.LIGHTYTOP
server.document-root = rootroot + "/lighttpd/dir-foo.example.com"
var.log_root = rootroot + "/lighttpd/logs"
server.errorlog = log_root + "/error.log"
server.pid-file = rootroot + "/lighttpd/logs/lighttpd.pid"
# this is HTTPS only basically
server.port = 3481
# logging is handy to see how we're doing
server.modules += ( "mod_accesslog" )
accesslog.filename = log_root + "/access.log"
# add the port number after the host to access log lines
accesslog.format = "%h:%p %V %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# not sure if this is needed, but no harm being nice to browsers
mimetype.assign = (
".html" => "text/html",
".txt" => "text/plain",
".jpg" => "image/jpeg",
".png" => "image/png"
)
server.modules += ( "mod_openssl" )
var.cadir= rootroot + "/cadir"
ssl.engine = "enable"
ssl.pemfile = cadir + "/example.com.pem"
ssl.ca-file = cadir + "/oe.csr"
# turn off p-384 so we can easily trigger HRR
ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256")+("Protocol" => "-ALL, TLSv1.3")+("Curves" => "x25519")
ssl.ech-opts = (
"keydir" => rootroot + "/echkeydir",
"refresh" => 3600, # reload hourly
# "refresh" => 60, # reload every minute (testing)
# "refresh" => 0, # never reload
# (minimum check interval is actually 64 seconds (2^6))
# trial decryption allows clients to hide better by not sending real digests
# that is turned on by default (as we're likely a small server so no harm and
# better privacy), but you can disable it...
#"trial-decrypt" => "disable",
)
$HTTP["host"] == "foo.example.com" {
ssl.pemfile = cadir + "/foo.example.com.pem"
server.name = "foo.example.com"
}
$SERVER["socket"] == ":3480" {
ssl.engine = "disable"
server.name = "foo.example.com"
}
$SERVER["socket"] == ":3482" {
ssl.engine = "enable"
ssl.pemfile = cadir + "/foo.example.com.pem"
server.name = "foo.example.com"
}
$SERVER["socket"] == ":3484" {
ssl.engine = "enable"
server.name = "foo.example.com"
ssl.pemfile = cadir + "/foo.example.com.pem"
ssl.ca-file = cadir + "/oe.csr"
}
$SERVER["socket"] == ":3485" {
server.document-root = rootroot + "/lighttpd/dir-example.com"
ssl.engine = "enable"
server.name = "example.com"
ssl.pemfile = cadir + "/example.com.pem"
ssl.ca-file = cadir + "/oe.csr"
}