lighttpd: Enable SSL for mail.stdout.nl.

diff --git a/etc/lighttpd/lighttpd.conf b/etc/lighttpd/lighttpd.conf
index 5a0dc8d8d7046fe7ffc7c438de5185ee882a8d35..c410fb93533153c079da630b45bb97d97c51b3d7 100644 (file)
--- a/etc/lighttpd/lighttpd.conf
+++ b/etc/lighttpd/lighttpd.conf
@@ -69,6 +69,19 @@ server.groupname           = "www-data"
 # Make mysqll frontend available in all domains
 alias.url                  += ("/mysql" => "/usr/share/phpmyadmin")
 
+$SERVER["socket"] == ":443" {
+       ssl.engine = "enable" 
+       # The CA certificates (in particular, this contains the intermediate
+       # certificate used by startcom). It seems that even without this
+       # option, it already works, probably because openssl ships some
+       # certificates. But, let's put it here to be safe anyway.
+       ssl.cafile = "/etc/lighttpd/ssl/ca/startssl-all-ca.pem"
+       # Use the mail.stdout.nl certificate as the default certificate (for
+       # non-SNI browsers and domains without their own certificate), since
+       # it is currently the only one we have anyway.
+       ssl.pemfile = "/etc/lighttpd/ssl/mail.stdout.nl.pem" 
+}
+
 #### external configuration files
 ## mimetype mapping
 include_shell var.conf-dir + "/scripts/create-mime.assign.pl"

diff --git a/etc/lighttpd/ssl/README b/etc/lighttpd/ssl/README
new file mode 100644 (file)
index 0000000..df25363
--- /dev/null
+++ b/etc/lighttpd/ssl/README
@@ -0,0 +1,26 @@
+# Generate key 2048 bit rsa key with out passphrase:
+
+DOMAIN=mail.stdout.nl.key
+sudo touch $DOMAIN.key
+sudo chmod 400 $DOMAIN.key
+sudo openssl genrsa  -out $DOMAIN.key 2048
+
+# Generate CSR with:
+sudo openssl req -new -key $DOMAIN.key -out $DOMAIN.csr
+
+# After receiving the .crt file from the issuer, make sure you cat the .key
+# and .crt file together into a .pem file, which lighttpd's ssl.pemfile points
+# to.
+
+# Optionally, you can use a config file to set attributes of the CSR (so you
+# can leave out stuff like "Location" and "State"). However, when using
+# StartSSL, al the details from the CSR will be ignored anyway, so don't
+# bother. Anyway, the file to pass to -config should like this:
+
+[ req ]
+distinguished_name     = req_distinguished_name
+prompt=no
+
+[ req_distinguished_name ]
+C                      = NL
+CN                     = mail.stdout.nl

diff --git a/etc/lighttpd/vhosts/stdout-nl b/etc/lighttpd/vhosts/stdout-nl
index 64956e5cea833007afa6b9dc37b14357aa1b4f39..5ca8a714acf1c0f0fabe205145870dbcd407d99f 100644 (file)
--- a/etc/lighttpd/vhosts/stdout-nl
+++ b/etc/lighttpd/vhosts/stdout-nl
@@ -19,4 +19,13 @@ $HTTP["host"] =~ ".stdout.nl$" {
                        alias.url += ( "/hastymail" => var.site-dir + "/applications/hastymail2" )
                }
        }
+
+       $HTTP["host"] == "mail.stdout.nl" {
+               # Specify the certificate for this domain (uses SNI)
+               ssl.pemfile = "/etc/lighttpd/ssl/mail.stdout.nl.pem" 
+               # Redirect HTTP to HTTPS for mail.stdout.nl
+               $HTTP["scheme"] == "http" {
+                   url.redirect = ( "^(.*)" => "https://mail.stdout.nl$1" )
+               }
+       }
 }