You are here: Home / Debian GNU/Linux / Servers / HTTP / Install and setup LigHTTPd on Debian

Install and setup LigHTTPd on Debian

by Pierre-Yves Landuré last modified Mar 02, 2018 08:35

LigHTTPd is HTTP server with a low memory print. It is a interesting Apache 2 alternative for systems with little available RAM. This post help you to setup LigHTTPd with PHP5.

This howto is tested on:

  • Debian 5.0 Lenny
  • Debian 6.0 Squeeze


This howto recommends the use of DFind blocking rules described in the article Block the vulnerability scanner DFind.


Install the server software:

command apt-get install lighttpd libterm-readline-gnu-perl

The lighty-tools script ease the LigHTTPd administration. This site's howtos make a extensive ute of it. Install the script:

command wget "" \
command chmod +x "/usr/bin/lighty-tools"

Display the script help:

command lighty-tools

Example usage of this tool is available later in this page.

Security enhancement with fail2ban

Install fail2ban :

command apt-get install fail2ban

Add the LigHTTPd rules (based on Apache 2 rules) to fail2ban configuration:

if [ ! -e '/etc/fail2ban/jail.local' ]; then
  command touch '/etc/fail2ban/jail.local'
if [ -z "$(command grep "[lighttpd]" '/etc/fail2ban/jail.local')" ]; then
echo "
enabled = true
port  = http,https
filter  = apache-auth
logpath = /var/log/lihttpd/*error.log
maxretry = 6

enabled = true
port    = http,https
filter  = apache-noscript
logpath = /var/log/lighttpd/*error.log
maxretry = 6

enabled = true
port    = http,https
filter  = apache-overflows
logpath = /var/log/lighttpd/*error.log
maxretry = 2
" >> '/etc/fail2ban/jail.local'

Restart fail2ban:

/etc/init.d/fail2ban restart

PHP5 setup

Install PHP5 CGI version:

command apt-get install php5-cgi

Make sure that LigHTTPd FastCGI configuration use PHP5 (on Debian Lenny):

if [ -n "$(command grep '/usr/bin/php4-cgi' /etc/lighttpd/conf-available/10-fastcgi.conf)" ]; then
command cp "/etc/lighttpd/conf-available/10-fastcgi.conf" "/etc/lighttpd/conf-available/10-fastcgi-php5.conf"
command sed -i -e 's/php4/php/g' "/etc/lighttpd/conf-available/10-fastcgi-php5.conf"

Enable FastCGI module:

if [ -e "/etc/lighttpd/conf-available/10-fastcgi-php5.conf" ]; then
command lighty-enable-mod fastcgi-php5
elif [ -e "/etc/lighttpd/conf-available/10-fastcgi-php.conf" ]; then
command lighty-enable-mod fastcgi-php
elif [ -e "/etc/lighttpd/conf-available/15-fastcgi-php.conf" ]; then
command lighty-enable-mod fastcgi
command lighty-enable-mod fastcgi-php
command lighty-enable-mod fastcgi

Reload the server configuration:

/etc/init.d/lighttpd force-reload

PHP5 configuration

Harden the PHP5 security:

if [ -d '/etc/php5/conf.d' ]; then
echo '; Harden PHP5 security

; Disable PHP exposure
expose_php = Off

;Dangerous : disable system functions. This can break some administration softwares.
;disable_functions = symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd
' > '/etc/php5/conf.d/security-hardened.ini'

echo '; Set mbstring defaults to UTF-8
mbstring.detect_order=auto' \
> '/etc/php5/conf.d/mbstring.ini'

Reload the configuration:

/etc/init.d/lighttpd force-reload

Enabling X-SendFile for PHP

The X-Sendfile header allow PHP Web applications to delegate download of static files to the HTTP server. This offer a great deal of performance optimization.

Detect the FastCGI configuration file path:

if [ ! -e "${PHP_FCGI_FILE}" ]; then

if [ ! -e "${PHP_FCGI_FILE}" ]; then

Enable X-SendFile functionality:

if [ -z "$(command grep "x-send-file" "${PHP_FCGI_FILE}")" ]; then
command sed -i -e '/bin-path/a\
\t\t"allow-x-send-file" => "enable",' \

Reload the configuration:

/etc/init.d/lighttpd force-reload

Here is an example usage of this HTTP header with PHP:

// as this is an example, here's the static file. Usually, you may
// have something like /download.php?file_id=500 etc.
$file_on_harddisk = "/var/www/archive.tar.gz";
$file_to_download = "download.tar.gz";

header( sprintf('Content-Disposition: attachment; filename="%s"', $file_to_download) );
Header( sprintf("X-LIGHTTPD-send-file: %s", $file_on_harddisk) );

Disabling folders listing

By default, LigHTTPd list the folder contents when no index file is available. This behaviour ease the fetch of the files available on the server. Disable this functionnality with:

command echo '## directory listing configuration
## we disable the directory listing by default

$HTTP["url"] =~ "^/" {
  dir-listing.activate = "disable"
}' > '/etc/lighttpd/conf-available/20-disable-listing.conf'

Enable the configuration:

command lighty-enable-mod disable-listing

Reload the configuration:

/etc/init.d/lighttpd force-reload

Simple setup with lighty-tools

Creation of a virtual host

To setup a virtual host displaying a folder contents, use (adjust bolded values to your needs):

command lighty-tools add-virtual-host "" "/opt/folder"

Setting up a redirection

To setup a virtual host redirecting a domain to another URL, use (adjust bolded values to your needs):

command lighty-tools add-redirect "" ""

Advanced settings

URL Rewriting

Unlike Apache 2, LigHTTPd can not do complex URL rewriting. However, there is a simple way to implement URL rewriting to some Web applications, including Wordpress and Symfony applications. Set up the "index.php" file of these Web applications as the 404 errors manager by adding this line to the virtual host configuration file (adjust the bold value to the application):

server.error-handler-404 = "/index.php"

Setting up content expiration dates

Adding content expiration dates to static content is an optimization that maximize the use of browsers' cache. To set expiration dates for your sites' static content, add these options to your virtual hosts configurations:

Enable the expire module:

server.modules += ( "mod_expire" )

Set a expiration date for each static content path. For example, a Symfony framework based site will use (adjust the bold values to your needs):

expire.url = (
"/images/" => "access plus 1 years",
"/css/" => "access plus 1 years",
"/js/" => "access plus 1 years",
"/favicon.ico" => "access plus 1 years"

Check the server configuration:

command lighttpd -t -f /etc/lighttpd/lighttpd.conf

Reload the configuration:

/etc/init.d/lighttpd force-reload

Setting up HTTPS

You need a SSL certificate to follow this section. A SSL certificate creation method is available in the howto  Create a SSL / TLS certificate on Debian.

Merge the SSL certificate private and public keys in the file /etc/lighttpd/server.pem (adjust the keys paths to your configuration):

command cp '/etc/ssl/private/' '/etc/lighttpd/server.pem'
command cat '/etc/ssl/certificates/' >> '/etc/lighttpd/server.pem'

Protect the access to server.pem:

command chown root:root /etc/lighttpd/server.pem
command chmod go-rw /etc/lighttpd/server.pem

If your certificate has been signed by a certification authority that provides root and intermediate certificates, merge them in the file ca-certs.pem:

command cp '/etc/ssl/roots/' '/etc/lighttpd/ca-certs.pem'
command cat '/etc/ssl/chains/' >> '/etc/lighttpd/ca-certs.pem'

Update the LigHTTPd configuration to make use of ca-certs.pem:

command echo '$SERVER["socket"] == "" {
ssl.engine  = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem" = "/etc/lighttpd/ca-certs.pem"
}' > /etc/lighttpd/conf-available/10-ssl-with-ca.conf

Enable the Lighttpd SSL module (use the "ssl" module if your certificate does not use a intermediate certificate):

command lighty-enable-mod ssl-with-ca

Check the server configuration:

command lighttpd -t -f /etc/lighttpd/lighttpd.conf

Reload the configuration:

/etc/init.d/lighttpd force-reload


This book can help you: