Install and setup LigHTTPd on Debian
LigHTTPd is an HTTP server with a low memory footprint. It is an interesting alternative to Apache 2 for systems with little available RAM. This post helps you set up LigHTTPd with PHP5.
This howto is tested on:
- Debian 5.0 Lenny
- Debian 6.0 Squeeze
Prerequisites
This howto recommends the use of DFind blocking rules described in the article Block the vulnerability scanner DFind.
Installation
Install the server software:
command apt-get install lighttpd libterm-readline-gnu-perl
The lighty-tools script eases LigHTTPd administration. This site's howtos make extensive use of it. Install the script:
command wget "http://howto.biapy.com/fr/debian-gnu-linux/serveurs/http/installer-et-configurer-lighttpd-sur-debian/lighty-tools/at_download/file" \
--output-document="/usr/bin/lighty-tools"
command chmod +x "/usr/bin/lighty-tools"
Display the script help:
command lighty-tools
Example usage of this tool is available later in this page.
Security enhancement with fail2ban
Install fail2ban:
command apt-get install fail2ban
Add the LigHTTPd rules (based on Apache 2 rules) to fail2ban configuration:
if [ ! -e '/etc/fail2ban/jail.local' ]; then
command touch '/etc/fail2ban/jail.local'
fi
# grep -F: match the literal string "[lighttpd]" (without -F the brackets are a character class)
if [ -z "$(command grep -F '[lighttpd]' '/etc/fail2ban/jail.local')" ]; then
echo "
[lighttpd]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/lighttpd/*error.log
maxretry = 6
[lighttpd-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/lighttpd/*error.log
maxretry = 6
[lighttpd-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/lighttpd/*error.log
maxretry = 2
" >> '/etc/fail2ban/jail.local'
fi
Restart fail2ban:
/etc/init.d/fail2ban restart
PHP5 setup
Install PHP5 CGI version:
command apt-get install php5-cgi
Make sure that the LigHTTPd FastCGI configuration uses PHP5 (on Debian Lenny):
if [ -n "$(command grep '/usr/bin/php4-cgi' /etc/lighttpd/conf-available/10-fastcgi.conf)" ]; then
command cp "/etc/lighttpd/conf-available/10-fastcgi.conf" "/etc/lighttpd/conf-available/10-fastcgi-php5.conf"
command sed -i -e 's/php4/php/g' "/etc/lighttpd/conf-available/10-fastcgi-php5.conf"
fi
Enable FastCGI module:
if [ -e "/etc/lighttpd/conf-available/10-fastcgi-php5.conf" ]; then
command lighty-enable-mod fastcgi-php5
elif [ -e "/etc/lighttpd/conf-available/10-fastcgi-php.conf" ]; then
command lighty-enable-mod fastcgi-php
elif [ -e "/etc/lighttpd/conf-available/15-fastcgi-php.conf" ]; then
command lighty-enable-mod fastcgi
command lighty-enable-mod fastcgi-php
else
command lighty-enable-mod fastcgi
fi
Reload the server configuration:
/etc/init.d/lighttpd force-reload
PHP5 configuration
Harden the PHP5 security:
if [ -d '/etc/php5/conf.d' ]; then
echo '; Harden PHP5 security
; Disable PHP exposure (no "X-Powered-By: PHP" header)
expose_php = Off
; Dangerous: disable system functions. This can break some administration software.
;disable_functions = symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd
' > '/etc/php5/conf.d/security-hardened.ini'
echo '; Set mbstring defaults to UTF-8
mbstring.language=UTF-8
mbstring.internal_encoding=UTF-8
mbstring.http_input=UTF-8
mbstring.http_output=UTF-8
mbstring.detect_order=auto' \
> '/etc/php5/conf.d/mbstring.ini'
fi
Reload the configuration:
/etc/init.d/lighttpd force-reload
Enabling X-SendFile for PHP
The X-Sendfile header allows PHP Web applications to delegate the download of static files to the HTTP server: PHP only sends the headers and LigHTTPd streams the file itself. This offers a great deal of performance optimization.
Detect the FastCGI configuration file path:
PHP_FCGI_FILE="/etc/lighttpd/conf-available/15-fastcgi-php.conf"
if [ ! -e "${PHP_FCGI_FILE}" ]; then
PHP_FCGI_FILE="/etc/lighttpd/conf-available/10-fastcgi-php5.conf"
if [ ! -e "${PHP_FCGI_FILE}" ]; then
PHP_FCGI_FILE="/etc/lighttpd/conf-available/10-fastcgi-php.conf"
fi
fi
Enable X-SendFile functionality:
if [ -z "$(command grep "x-send-file" "${PHP_FCGI_FILE}")" ]; then
command sed -i -e '/bin-path/a\
\t\t"allow-x-send-file" => "enable",' \
"${PHP_FCGI_FILE}"
fi
Reload the configuration:
/etc/init.d/lighttpd force-reload
Here is an example usage of this HTTP header with PHP:
<?php
// As this is an example, the static file is hard-coded. Usually you
// would have something like /download.php?file_id=500 and resolve the
// path server-side.
$file_on_harddisk = "/var/www/archive.tar.gz";
$file_to_download = "download.tar.gz";
// Tell the browser to save the response under the public name...
header( sprintf('Content-Disposition: attachment; filename="%s"', $file_to_download) );
// ...and tell LigHTTPd to send the file itself (requires allow-x-send-file).
header( sprintf("X-LIGHTTPD-send-file: %s", $file_on_harddisk) );
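The snippet above trusts a hard-coded path. When the file is chosen by a request parameter such as file_id, the script itself must map that id to a file and refuse anything outside the download directory. The following is an added example, not code from the original page; the archive directory, the id table and the download.php name are assumptions:

```php
<?php
// Added example: download.php resolves a client-supplied file_id to a file on
// disk and delegates the transfer to LigHTTPd with X-LIGHTTPD-send-file.
// Assumptions: files live in $archive_dir (outside the document root) and the
// id-to-name table below is maintained by the application.
$archive_dir = '/var/www/archives';
$files = array(
    500 => 'archive.tar.gz',
    501 => 'report-2011.pdf',
);

// Returns the absolute path to send, or null when the request must be refused.
function resolve_download(array $files, $archive_dir, $raw_id)
{
    // Only a plain decimal id is accepted; arrays and anything else are rejected.
    if (!is_string($raw_id) || !ctype_digit($raw_id)) {
        return null;
    }
    $id = (int) $raw_id;
    if (!isset($files[$id])) {
        return null;
    }
    // The client never supplies a path: the name comes from the table, and
    // realpath() resolves symlinks and '..' before the containment check.
    $base = realpath($archive_dir);
    $path = realpath($archive_dir . '/' . $files[$id]);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    return $path;
}

$raw_id = isset($_GET['file_id']) ? $_GET['file_id'] : '';
$path = resolve_download($files, $archive_dir, $raw_id);
if ($path === null) {
    header('HTTP/1.0 404 Not Found');
    exit('Not found');
}
// Strip characters that could break the header before quoting the public name.
$name = str_replace(array("\r", "\n", '"'), '', basename($path));
header('Content-Type: application/octet-stream');
header(sprintf('Content-Disposition: attachment; filename="%s"', $name));
// LigHTTPd reads the file itself; PHP sends no body (requires allow-x-send-file).
header('X-LIGHTTPD-send-file: ' . $path);
```

Because LigHTTPd opens the file as the server user, the archive directory must be readable by it but need not be under the document root.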
Disabling folders listing
By default, LigHTTPd lists the folder contents when no index file is available. This behaviour makes it easy to fetch the files available on the server. Disable this functionality with:
command echo '## directory listing configuration
## we disable the directory listing by default
$HTTP["url"] =~ "^/" {
dir-listing.activate = "disable"
}' > '/etc/lighttpd/conf-available/20-disable-listing.conf'
Enable the configuration:
command lighty-enable-mod disable-listing
Reload the configuration:
/etc/init.d/lighttpd force-reload
Simple setup with lighty-tools
Creation of a virtual host
To set up a virtual host serving a folder's contents, use (adjust the domain name and folder path to your needs):
command lighty-tools add-virtual-host "www.mon-domaine-exemple.com" "/opt/folder"
Setting up a redirection
To set up a virtual host redirecting a domain to another URL, use (adjust the source domain and target URL to your needs):
command lighty-tools add-redirect "www.example.com" "http://www.target.com/"
Advanced settings
URL Rewriting
Unlike Apache 2, LigHTTPd cannot do complex URL rewriting. However, there is a simple way to get URL rewriting for some Web applications, including Wordpress and Symfony applications: set the application's "index.php" file as the 404 error handler, so that every request for a non-existent path is passed to it. Add this line to the virtual host configuration file (adjust the path to the application):
server.error-handler-404 = "/index.php"
Setting up content expiration dates
Adding expiration dates to static content is an optimization that maximizes the use of browsers' caches. To set expiration dates for your sites' static content, add these options to your virtual host configurations:
Enable the expire module:
server.modules += ( "mod_expire" )
Set an expiration date for each static content path. For example, a Symfony framework based site will use (adjust the paths and durations to your needs):
expire.url = (
"/images/" => "access plus 1 years",
"/css/" => "access plus 1 years",
"/js/" => "access plus 1 years",
"/favicon.ico" => "access plus 1 years"
)
Check the server configuration:
command lighttpd -t -f /etc/lighttpd/lighttpd.conf
Reload the configuration:
/etc/init.d/lighttpd force-reload
Setting up HTTPS
You need an SSL certificate to follow this section. An SSL certificate creation method is available in the howto Create a SSL / TLS certificate on Debian.
Merge the SSL certificate private and public keys in the file /etc/lighttpd/server.pem (adjust the keys paths to your configuration):
command cp '/etc/ssl/private/www.domain.com.key' '/etc/lighttpd/server.pem'
command cat '/etc/ssl/certificates/www.domain.com.crt' >> '/etc/lighttpd/server.pem'
Protect the access to server.pem (it contains the private key):
command chown root:root /etc/lighttpd/server.pem
command chmod go-rw /etc/lighttpd/server.pem
If your certificate has been signed by a certification authority that provides root and intermediate certificates, merge them in the file ca-certs.pem:
command cp '/etc/ssl/roots/www.domain.com-root.key' '/etc/lighttpd/ca-certs.pem'
command cat '/etc/ssl/chains/www.domain.com.ca' >> '/etc/lighttpd/ca-certs.pem'
Update the LigHTTPd configuration to make use of ca-certs.pem:
command echo '$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"
ssl.ca-file = "/etc/lighttpd/ca-certs.pem"
}' > /etc/lighttpd/conf-available/10-ssl-with-ca.conf
Enable the LigHTTPd SSL module (use the "ssl" module instead if your certificate does not use an intermediate certificate):
command lighty-enable-mod ssl-with-ca
Check the server configuration:
command lighttpd -t -f /etc/lighttpd/lighttpd.conf
Reload the configuration:
/etc/init.d/lighttpd force-reload
Thanks
- Thanks to LigHTTPd developers.
- Thanks to Mayflower Blog for the article "Make the download of large files with PHP (and lighty) very easy".
- Thanks to StartCom for "HOWTO: Certificate installation instructions for Lighttpd".