Showing posts with the openssl label. Show all posts

Thursday, June 3, 2021

lighttpd.conf setting for https ssl


When compiling lighttpd, add --with-openssl at configure time; only then is openssl actually used.
Like this:
./configure --with-openssl
After that, only the following two lines need to be added to lighttpd.conf:
ssl.engine = "enable"
ssl.pemfile = "server.pem"
As for how server.pem is produced, openssl generates it, as follows:
openssl req -new -nodes -x509 -keyout server.pem -out server.pem -days 365
Of course, the port number is best set to 443.
server.port = 443

However, if port 80 and port 443 are to be served at the same time, change it to the following:
server.port = 80
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "server.pem"
}

lighty's official documentation already describes the SSL configuration in fair detail; understanding the SSL signing workflow is enough.

The SSL signing workflow is as follows.

Download:

apt-get install openssl*

When configuring the source, add ./configure --with-openssl --with-openssl-libs=/usr/lib
Running lighttpd -v then shows (ssl):
lighttpd/1.4.28 (ssl) - a light and fast webserver
Build-Date: Dec 24 2010 17:19:54


Generate a single file containing the private key and the certificate, self-signed (it could instead be validated through a third-party chain):
openssl req -new -x509  -keyout server.pem -out server.pem  -days 365 -nodes

At minimum, configure the following in the conf file; the default SSL port is 443.

$SERVER["socket"] == ":443" {
       ssl.engine   = "enable"
       ssl.pemfile  = "/home/jli/network/lighttpd-1.4.28/conf/server.pem"
}





ssl.engine                     enable/disable the SSL engine
ssl.pemfile                    path to the PEM file for SSL support (contains the private key and the certificate)
ssl.ca-file                    path to the CA file for support of chained certificates
ssl.use-sslv2                  enable/disable use of SSL version 2 (lighttpd < 1.4.21 only; newer versions don't support SSLv2)
ssl.cipher-list                configure the allowed SSL ciphers
ssl.verifyclient.activate      enable/disable client verification
ssl.verifyclient.enforce       enable/disable enforcing client verification
ssl.verifyclient.depth         certificate depth for client verification
ssl.verifyclient.exportcert    enable/disable client certificate export to env:SSL_CLIENT_CERT
ssl.verifyclient.username      client certificate entity to export as env:REMOTE_USER (e.g. SSL_CLIENT_S_DN_emailAddress, SSL_CLIENT_S_DN_UID, etc.)




fastcgi.server             = ( ".php" =>
                               ( "localhost" =>
                                 (
                                   "socket" => "/tmp/php-fastcgi.socket",
                                   "bin-path" => "/usr/bin/php-cgi"
                                 )
                               )
                            )
server.modules = (
    "mod_access", 
    "mod_fastcgi", 
# "mod_alias", 
# "mod_auth", 
# "mod_evasive", 
# "mod_redirect", 
# "mod_rewrite", 
# "mod_setenv", 
# "mod_usertrack", 
) 

Wednesday, February 3, 2021

How to Enable HTTPS on the Raspberry Pi Apache Web Server

Note that this enables only “self-signed” certificates. I followed these directions but invariably encountered problems that were not addressed. Running Wheezy on a Raspberry Pi B v1.

As usual, update first.

$ sudo apt-get update

Then make sure Apache and OpenSSL are installed:

$ sudo apt-get install apache2 openssl

If it is already installed, like it was on mine, then you will see:

Reading package lists... Done
Building dependency tree
Reading state information... Done
apache2 is already the newest version.
openssl is already the newest version.
openssl set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

Your external certs are installed in /etc/ssl/certs. You won’t put these certs there.

Create a new directory for local certificates (-p means no error if existing, make parent directories as needed):

$ sudo mkdir -p /etc/ssl/localcerts

The next line starts the certificate generation. The cert is good for 365 days – you can change that.

$ sudo openssl req -new -x509 -days 365 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key

The result of this command is:

Generating a 2048 bit RSA private key
......., etc.

Next, you will enter the answers to the following questions. This is where I effed up, so don’t you do it too. The FQDN is the name of your Apache web server. For me, since I’m just running it locally, that would be the server name, like “raspberrypi” – if you kept the default. That server name is mapped to an internal IP, like 192.168.1.11 or something.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PaynsName
Organizational Unit Name (eg, section) []:SysOpsProgFest
Common Name (e.g. server FQDN or YOUR name) []:raspberrypi_orwhatever
Email Address []:noNeed@forrealemail.com

When that is done, you will have two new files in this directory: /etc/ssl/localcerts

Then chmod those files:

$ sudo chmod 600 /etc/ssl/localcerts/apache*

Enable SSL:

$ sudo a2ensite ssl

If you get a “not found” error, try:

sudo a2ensite default-ssl

I think my ssl file already existed in /etc/apache2/sites-available.

Now you need to edit the ssl configuration file in the /etc/apache2/sites-available directory.

$ cd /etc/apache2/sites-available 
$ ls -l

See what’s in there. For me, it looked like this:

-rw-r--r-- 1 root root 692 Jul 19 2016 default
-rw-r--r-- 1 root root 7461 Mar 18 14:51 default-ssl

Copy the default-ssl to a new file named the same name as your FQDN name above – for this example:

$ sudo cp default-ssl raspberrypi_orwhatever

Then edit it:

$ sudo nano raspberrypi_orwhatever

Change this line:

 <VirtualHost _default_:443>

to this:

 <VirtualHost raspberrypi_orwhatever:443>

and change these two lines:

SSLCertificateFile    /etc$
SSLCertificateKeyFile /etc$

to this (your new key location; the trailing `$` above is just nano marking a line that runs off the screen):

SSLCertificateFile /etc/ssl/localcerts/apache.pem
SSLCertificateKeyFile /etc/ssl/localcerts/apache.key

Save, close, then do:

$ sudo a2ensite raspberrypi_orwhatever

The directions I followed say to enable port 443 in /etc/apache2/ports.conf, but mine already had it enabled with these lines:

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

So I didn’t modify that file.

Now restart Apache:

$ sudo service apache2 restart

And what you should get is a browser error, telling you that the site is not secure. That means it’s working! Because you didn’t pay a service to generate a validated certificate, you have to take your own word for it that it’s valid.

FireFox

[image: Firefox self-signed SSL warning]

Click on I Understand the Risks, then click on Add Exception….

Next click on Get Certificate, and finally Confirm Security Exception to bypass SSL warning in FireFox.

Chrome

[image: Chrome “Your connection is not private” warning]

Click on Advanced, then Proceed to example.com (unsafe) to bypass SSL warning in Chrome.

Internet Explorer

[image: Internet Explorer self-signed SSL warning]

Click on Continue to this website (not recommended) to bypass SSL warning in Internet Explorer. 
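Both posts on this page generate a self-signed key and certificate with openssl req and then point the server at the files (lighttpd reads one combined ssl.pemfile, the Apache post uses a separate apache.pem and apache.key), but neither checks what came out. The script below is an added example, not code from either post and not part of lighttpd, Apache or OpenSSL: it generates the files the same way, then confirms that a combined pemfile holds exactly one private key and a certificate and is not group/world readable (the chmod 600 step of the Apache post), that the key really belongs to the certificate, and that the certificate has validity left, since a 365-day self-signed cert quietly expires a year later. The paths, the Common Name raspberrypi.local and the function names are assumptions of the example; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from either post, nor from lighttpd, Apache or OpenSSL):
# build the self-signed key and certificate the posts describe, then verify the
# result before the web server is pointed at it. Needs the openssl CLI; every
# path, the Common Name and the function names are assumptions of this example.

# Number of PEM blocks in file $1 whose label contains $2
# (e.g. "CERTIFICATE" or "PRIVATE KEY"). Pure text check, no openssl needed.
pem_block_count() {
    n=$(grep -c "^-----BEGIN .*$2-----" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# 0 if $1 is usable as lighttpd's combined ssl.pemfile: exactly one private
# key, at least one certificate, and not readable by group or others.
check_pemfile() {
    keys=$(pem_block_count "$1" "PRIVATE KEY")
    certs=$(pem_block_count "$1" "CERTIFICATE")
    [ "$keys" -eq 1 ]  || { echo "$1: want 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "$1: no certificate block" >&2; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode is too permissive, chmod 600 it" >&2; return 1 ;;
    esac
}

# Generate a self-signed cert: $1 = certificate file, $2 = Common Name (the
# server's FQDN), $3 = validity in days, $4 = key file (defaults to $1, giving
# the posts' "-keyout X -out X" form; openssl appends the cert to the key).
# umask 077 in a subshell keeps the new files 0600 without touching the caller.
make_selfsigned() {
    ( umask 077 && openssl req -new -x509 -nodes -newkey rsa:2048 \
          -subj "/CN=$2" -days "$3" -keyout "${4:-$1}" -out "$1" 2>/dev/null )
}

# 0 if the private key in $1 belongs to the certificate in $2 (both may be the
# same combined file). Compares the encoded public keys, so RSA and EC both work.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Demo with placeholder paths in a temp dir: the lighttpd one-file layout and
# the Apache two-file layout, each checked before it would be deployed.
demo() {
    dir=$(mktemp -d) || return 1
    rc=0
    # lighttpd: ssl.pemfile = "server.pem"
    make_selfsigned "$dir/server.pem" "raspberrypi.local" 365 &&
        check_pemfile "$dir/server.pem" &&
        key_matches_cert "$dir/server.pem" "$dir/server.pem" &&
        cert_valid_for_days "$dir/server.pem" 30 &&
        echo "server.pem: ok for ssl.pemfile" || rc=1
    # Apache: SSLCertificateFile apache.pem / SSLCertificateKeyFile apache.key
    make_selfsigned "$dir/apache.pem" "raspberrypi.local" 365 "$dir/apache.key" &&
        key_matches_cert "$dir/apache.key" "$dir/apache.pem" &&
        cert_valid_for_days "$dir/apache.pem" 30 &&
        echo "apache.pem + apache.key: ok for SSLCertificateFile/KeyFile" || rc=1
    rm -rf "$dir"
    return $rc
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not installed; only the text checks are usable" >&2
fi
```

Run it with sh; in real use, call make_selfsigned with the path the server config names (server.pem for lighttpd, apache.pem plus apache.key for Apache), then run check_pemfile or key_matches_cert on those files before restarting the server. Put cert_valid_for_days in a cron job with a margin of a few weeks and you get the expiry warning that a self-signed setup otherwise never gives.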

Source: https://variax.wordpress.com/2017/03/18/adding-https-to-the-raspberry-pi-apache-web-server/comment-page-1/