From fb8291e5712a9bf3cccb4a88a7467e9e691ba5cb Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Thu, 25 Feb 2010 14:17:12 +0100
Subject: [PATCH] lighttpd: Enable SSL for mail.stdout.nl.

---
 etc/lighttpd/lighttpd.conf | 13 +++++++++++++
 etc/lighttpd/ssl/README | 26 ++++++++++++++++++++++++++
 etc/lighttpd/vhosts/stdout-nl | 9 +++++++++
 3 files changed, 48 insertions(+)
 create mode 100644 etc/lighttpd/ssl/README

diff --git a/etc/lighttpd/lighttpd.conf b/etc/lighttpd/lighttpd.conf
index 5a0dc8d..c410fb9 100644
--- a/etc/lighttpd/lighttpd.conf
+++ b/etc/lighttpd/lighttpd.conf
@@ -69,6 +69,19 @@ server.groupname = "www-data"
 # Make mysqll frontend available in all domains
 alias.url += ("/mysql" => "/usr/share/phpmyadmin")
 
+$SERVER["socket"] == ":443" {
+ ssl.engine = "enable"
+ # The CA certificates (in particular, this contains the intermediate
+ # certificate used by startcom). It seems that even without this
+ # option, it already works, probably because openssl ships some
+ # certificates. But, let's put it here to be safe anyway.
+ ssl.cafile = "/etc/lighttpd/ssl/ca/startssl-all-ca.pem"
+ # Use the mail.stdout.nl certificate as the default certificate (for
+ # non-SNI browsers and domains without their own certificate), since
+ # it is currently the only one we have anyway.
+ ssl.pemfile = "/etc/lighttpd/ssl/mail.stdout.nl.pem"
+}
+
 #### external configuration files
 ## mimetype mapping
 include_shell var.conf-dir + "/scripts/create-mime.assign.pl"
diff --git a/etc/lighttpd/ssl/README b/etc/lighttpd/ssl/README
new file mode 100644
index 0000000..df25363
--- /dev/null
+++ b/etc/lighttpd/ssl/README
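Review bot: The key spelled `ssl.cafile` in the new `$SERVER["socket"] == ":443"` block does not look like a lighttpd directive; the documented name is `ssl.ca-file`, and as far as I recall lighttpd 1.4 only warns about unknown config keys and ignores them, which would also explain the comment's observation that things "already work" without it — the StartCom intermediate would then never be sent, and a client that does not already have that intermediate cached will reject the chain. Change the line to `ssl.ca-file = "/etc/lighttpd/ssl/ca/startssl-all-ca.pem"` and check from a fresh client (e.g. `openssl s_client -connect mail.stdout.nl:443 -showcerts`) that the intermediate appears in the served chain; the comment should then state that the file supplies the chain rather than speculating about OpenSSL's bundled certificates. While touching this block it is also worth pinning the protocol and cipher policy explicitly (`ssl.use-sslv2 = "disable"` and an `ssl.cipher-list`) instead of inheriting whatever the linked OpenSSL defaults to.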
@@ -0,0 +1,26 @@
+# Generate key 2048 bit rsa key with out passphrase:
+
+DOMAIN=mail.stdout.nl.key
+sudo touch $DOMAIN.key
+sudo chmod 400 $DOMAIN.key
+sudo openssl genrsa -out $DOMAIN.key 2048
+
+# Generate CSR with:
+sudo openssl req -new -key $DOMAIN.key -out $DOMAIN.csr
+
+# After receiving the .crt file from the issuer, make sure you cat the .key
+# and .crt file together into a .pem file, which lighttpd's ssl.pemfile points
+# to.
+
+# Optionally, you can use a config file to set attributes of the CSR (so you
+# can leave out stuff like "Location" and "State"). However, when using
+# StartSSL, al the details from the CSR will be ignored anyway, so don't
+# bother. Anyway, the file to pass to -config should like this:
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt=no
+
+[ req_distinguished_name ]
+C = NL
+CN = mail.stdout.nl
diff --git a/etc/lighttpd/vhosts/stdout-nl b/etc/lighttpd/vhosts/stdout-nl
index 64956e5..5ca8a71 100644
--- a/etc/lighttpd/vhosts/stdout-nl
+++ b/etc/lighttpd/vhosts/stdout-nl
@@ -19,4 +19,13 @@ $HTTP["host"] =~ ".stdout.nl$" {
 alias.url += ( "/hastymail" => var.site-dir + "/applications/hastymail2" )
 }
 }
+
+ $HTTP["host"] == "mail.stdout.nl" {
+ # Specify the certificate for this domain (uses SNI)
+ ssl.pemfile = "/etc/lighttpd/ssl/mail.stdout.nl.pem"
+ # Redirect HTTP to HTTPS for mail.stdout.nl
+ $HTTP["scheme"] == "http" {
+ url.redirect = ( "^(.*)" => "https://mail.stdout.nl$1" )
+ }
+ }
 }
-- 
2.30.2
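Review bot: The key-generation procedure in the README is wrong on its own terms: `DOMAIN=mail.stdout.nl.key` already carries the `.key` suffix, so the following `$DOMAIN.key` and `$DOMAIN.csr` expand to `mail.stdout.nl.key.key` and `mail.stdout.nl.key.csr`; the first line should be `DOMAIN=mail.stdout.nl`. The `chmod 400` protects only the bare key, while the later step tells the reader to concatenate that key into the `.pem` that `ssl.pemfile` points at without any mode instruction, so the combined file — which contains the private key — ends up with whatever the umask yields; add `sudo chmod 400 $DOMAIN.pem` (adjusting owner/mode to whatever lighttpd needs to read it at startup) right after the cat step. The same paragraph should say explicitly whether the issuer's intermediate certificate goes into this `.pem` or into the separate file referenced from lighttpd.conf, since an incomplete chain is the usual cause of "works in my browser, fails for others". Minor wording: "with out" → "without", "al the details" → "all the details", "should like this" → "should look like this".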
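Review bot: The new `$HTTP["scheme"] == "http"` redirect only covers the first request; nothing tells the browser to stay on HTTPS afterwards, so a user who later types the bare hostname still sends one plaintext request, and if the webmail's session cookie is not marked `Secure` that request carries it in the clear. Consider an `https` counterpart that emits `Strict-Transport-Security` (e.g. `$HTTP["scheme"] == "https" { setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=<PLACEHOLDER_SECONDS>" ) }`, which needs mod_setenv loaded), and verify that hastymail sets its cookie with the Secure flag; both belong in a short comment next to the redirect so the next maintainer knows why the block exists. The `ssl.pemfile` comment could also note that this per-host setting only takes effect for SNI-capable clients and that non-SNI clients get the default certificate configured in lighttpd.conf. The enclosing `$HTTP["host"] =~ ".stdout.nl$"` block starts outside the hunk.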