Download the Apache-format certificate and run the commands below. Replace the domain name with your own:
cat urdomain.xxx.key <(echo) urdomain.xxx.crt > urdomain.xxx.pem
sudo cp urdomain.xxx.pem root_bundle.crt /etc/lighttpd/ssl/
Make the following changes to /etc/lighttpd/lighttpd.conf:
Add mod_openssl to the server.modules += () section:
server.modules += (
    "mod_openssl",
    "mod_setenv",
    "mod_compress",
    "mod_dirlisting",
    "mod_staticfile",
    "mod_accesslog",
)
Configure the SSL files and redirect HTTP on port 80 to HTTPS on port 443 by default:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable" # enable SSL
    ssl.pemfile = "/etc/lighttpd/ssl/urdomain.xxx.pem" # combined private key and certificate (public key)
    ssl.ca-file = "/etc/lighttpd/ssl/root_bundle.crt" # path to the certificate trust chain file
    server.document-root = "/var/www/html/" # website document root
    ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE" # cipher configuration
}
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ ".*" {
        url.redirect = ( ".*" => "https://%0$0" )
    }
}
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000; includeSubdomains; preload" )
}
Done. Reload lighttpd to load the SSL configuration:
sudo /etc/init.d/lighttpd reload
Software versions used: lighttpd/1.4.55 (ssl), Ubuntu 20.04.5 LTS
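A pre-reload check for the combined PEM file built in the first step, added here as an example and not part of the original post. It catches the fused END/BEGIN boundary that the `<(echo)` separator guards against and a bundle that is readable by group or others; the function name `check_pem_bundle` is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a lighttpd ssl.pemfile bundle before reloading.
# check_pem_bundle is a hypothetical helper name, not a lighttpd tool.
# Return codes: 0 ok, 1 bad PEM structure, 2 unreadable, 3 permissions too open.
check_pem_bundle() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

    # Every PEM boundary must sit alone on its line. If the key file has no
    # trailing newline and is concatenated without a separator, the END and
    # BEGIN markers fuse into a single line, which this test rejects.
    if grep -e '-----' "$f" |
        grep -Evq '^-----(BEGIN|END) [A-Z0-9 ]+-----[[:space:]]*$'; then
        echo "$f: malformed PEM boundary (missing newline between blocks?)" >&2
        return 1
    fi

    # Exactly one private key and at least one certificate are expected.
    keys=$(grep -Ec '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "$f: no certificate block found" >&2; return 1; }

    # The bundle contains the private key, so group and other must have
    # no permission bits at all (characters 5-10 of the ls mode string).
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: mode too open, use chmod 600" >&2; return 3; }
    return 0
}
```

Run it as `check_pem_bundle /etc/lighttpd/ssl/urdomain.xxx.pem` before the reload step. A file copied with plain `sudo cp` typically ends up mode 644, so expect return code 3 until it is tightened with `chmod 600`.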