Mercurial > hg > rlgallery-misc

comparison lighttpd/lighttpd.conf @ 57:b1d3a618c254

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Update some lighttpd configuration files.
author John "Elwin" Edwards
date Fri, 26 Dec 2014 16:46:25 -0500
parents 09ef92dc4439
children
comparison
equal deleted inserted replaced
56:5cf88bd4e556 57:b1d3a618c254
402 ## 402 ##
403 ## The HTTPS protocol does not allow you to use name-based virtual 403 ## The HTTPS protocol does not allow you to use name-based virtual
404 ## hosting with SSL. If you want to run multiple SSL servers with 404 ## hosting with SSL. If you want to run multiple SSL servers with
405 ## one lighttpd instance you must use IP-based virtual hosting: :: 405 ## one lighttpd instance you must use IP-based virtual hosting: ::
406 ## 406 ##
407 ## Mitigate CVE-2009-3555 by disabling client triggered renegotation
408 ## This is enabled by default.
409 ##
410 ## IMPORTANT: this setting can only be used in the global scope.
411 ## It does *not* work inside conditionals
412 ##
413 # ssl.disable-client-renegotiation = "enable"
414 ##
407 ## $SERVER["socket"] == "10.0.0.1:443" { 415 ## $SERVER["socket"] == "10.0.0.1:443" {
408 ## ssl.engine = "enable" 416 ## ssl.engine = "enable"
409 ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" 417 ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
410 ## # 418 ## #
411 ## # Mitigate BEAST attack: 419 ## # (Following SSL/TLS Deployment Best Practices 1.3 / 17 September 2013 from:
420 ## # https://www.ssllabs.com/projects/best-practices/index.html)
421 ## # - BEAST is considered mitigaed on client side now, and new weaknesses have been found in RC4,
422 ## # so it is strongly advised to disable RC4 ciphers (HIGH doesn't include RC4)
423 ## # - It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP,
424 ## # so you might want to support 3DES for now - just remove the '!3DES' parts below).
425 ## # - The examples below prefer ciphersuites with "Forward Secrecy" (and ECDHE over DHE (alias EDH)), remove '+kEDH +kRSA'
426 ## # if you don't want that.
427 ## # - SRP and PSK are not supported anyway, excluding those ('!kSRP !kPSK') just keeps the list smaller (easier to review)
428 ## # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes)
412 ## # 429 ## #
413 ## # A stricter base cipher suite. For details see: 430 ## # If you know you have RSA keys (standard), you can use:
414 ## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html 431 ## ssl.cipher-list = "PROFILE=SYSTEM"
415 ## # 432 ## # The more generic version (without the restriction to RSA keys) is
416 ## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" 433 ## # ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK"
417 ## # 434 ## #
418 ## # Make the server prefer the order of the server side cipher suite instead of the client suite. 435 ## # Make the server prefer the order of the server side cipher suite instead of the client suite.
419 ## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
420 ## # This option is enabled by default, but only used if ssl.cipher-list is set. 436 ## # This option is enabled by default, but only used if ssl.cipher-list is set.
421 ## # 437 ## #
422 ## # ssl.honor-cipher-order = "enable" 438 ## # ssl.honor-cipher-order = "enable"
423 ## # 439 ## #
424 ## # Mitigate CVE-2009-3555 by disabling client triggered renegotation
425 ## # This is enabled by default.
426 ## #
427 ## # ssl.disable-client-renegotiation = "enable"
428 ## #
429 ## server.name = "www.example.com" 440 ## server.name = "www.example.com"
430 ## 441 ##
431 ## server.document-root = "/srv/www/vhosts/example.com/www/" 442 ## server.document-root = "/srv/www/vhosts/example.com/www/"
432 ## } 443 ## }
433 ## 444 ##