Difference between revisions of "Lighttpd for SSL and non-SSL"

From ArchWiki
m (<pre> -> bc, <code> -> ic)
(Merge to Lighttpd)
{{i18n|Lighttpd for SSL and non-SSL}}
#REDIRECT [[Lighttpd]]
[[Category:Web Server (English)]]

{{accuracy}}
{{Merge|Lighttpd|Talk:Lighttpd#Merging}}
==What is Lighttpd?==
The lighttpd website gives a good definition.

{{bc|
"lighttpd is a secure, fast, compliant and very flexible web-server which has been optimized
for high-performance environments. It has a very low memory footprint compared to other
webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth,
Output-Compression, URL-Rewriting and many more) make lighttpd the perfect
webserver-software for every server that is suffering load problems."
-- http://www.lighttpd.net/
}}
==Goals==
The goal of this how-to is to set up lighttpd to serve both SSL and non-SSL connections. PHP will be set up via a FastCGI prespawn that serves both SSL and non-SSL connections. The php-fcgi instances will run as a different user than the lighttpd daemon, so the two sides do not share file permissions. eAccelerator will also be set up to increase the efficiency of our PHP scripts.

===Pacman packages===
* {{Pkg|lighttpd}}
* {{Pkg|php}} and {{Pkg|php-cgi}}
* {{Pkg|fcgi}}
* {{Pkg|openssl}}

===AUR packages===
* {{AUR|eaccelerator}}
==Lighttpd Installation==
===Step 1: Install the lighttpd package===
I have lighttpd in my repository, and there is also a version in the AUR, courtesy of klapmuetz. The one in my repository currently contains a few extra things that we will be utilizing for this how-to, but they can be obtained individually from my subversion repository if needed. The compiled binaries are the same in the two packages; only a few scripts and helper files differ.
 # pacman -S lighttpd
===Step 2: Add a user===
lighttpd uses http as its default user and group. Create them if necessary. We will use /srv/http as the web server root.
 # groupadd http
 # useradd -g http -s /bin/false http

===Step 3: Ensure permissions are properly set===
 # chown -R http.http /srv/http /var/log/lighttpd
===Step 4: Add own config file===
We will use a separate config file for our changes to make upgrading easier.
{{hc|/etc/lighttpd/additions.conf|
<nowiki>server.modules = (
            "mod_expire",
            "mod_access",
            "mod_alias",
            "mod_accesslog",
            "mod_compress",
            "mod_fastcgi",
            "mod_auth",
            "mod_rewrite",
)

index-file.names += ( "index.htm", "index.php")

# Prevent direct access to some files
url.access-deny = ( ".inc", ".htaccess", ".htpasswd" )

# corrects some issues with displaying CSS, adds .htm/.xhtml
mimetype.assign += (
".htm" => "text/html",
".xhtml" => "text/html",
".css" => "text/css"
)</nowiki>}}

Include additions.conf:
{{hc|/etc/lighttpd/lighttpd.conf|
[...]
include "additions.conf"
}}
===Step 5: Test your setup===
To test the install:

 # rc.d start lighttpd

Check /var/log/lighttpd/*.log for any errors.

 # touch /srv/http/index.html
 # chmod 755 /srv/http/index.html
 # echo 'TestMe!' >> /srv/http/index.html

Then point your browser to localhost, and you should see the test page.

You may want to add lighttpd to the daemons list in {{ic|/etc/rc.conf}} to start the server on boot.

Example configuration files are available in {{ic|/usr/share/doc/lighttpd/}}.
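The ownership set up in Steps 2 and 3 tends to drift after package upgrades or manual copying, so it is worth having a check that can be re-run. The following POSIX shell helper is an added example and is not part of the original page or of the lighttpd package; the paths, the owner name and the directory mode 755 are assumptions passed in as arguments (run it as root against /srv/http and /var/log/lighttpd on a real install).

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): re-check the ownership and
# mode of the paths the how-to hands to the http user. Paths, owner and
# the expected directory mode (755 is assumed) are given as arguments.

# check_owner_mode PATH OWNER MODE
# Returns 0 when PATH exists, is owned by OWNER and has octal mode MODE;
# prints the reason and returns 1 otherwise.
check_owner_mode() {
    path=$1; want_owner=$2; want_mode=$3
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    have_owner=$(stat -c %U "$path")
    have_mode=$(stat -c %a "$path")
    if [ "$have_owner" != "$want_owner" ]; then
        echo "$path: owner is $have_owner, expected $want_owner"
        return 1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "$path: mode is $have_mode, expected $want_mode"
        return 1
    fi
    return 0
}

# verify_layout DOCROOT LOGDIR OWNER
# Applies the check to the document root and the log directory, i.e. the
# two paths from Step 3. Returns the number of failed checks (0 = all good).
verify_layout() {
    docroot=$1; logdir=$2; owner=$3
    failures=0
    check_owner_mode "$docroot" "$owner" 755 || failures=$((failures + 1))
    check_owner_mode "$logdir" "$owner" 755 || failures=$((failures + 1))
    return "$failures"
}

# Typical use on the server described in this how-to:
#   verify_layout /srv/http /var/log/lighttpd http && echo "layout ok"
```

The function reports every problem it finds rather than stopping at the first one, so a single run after an upgrade tells you everything that needs a chown or chmod.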
==Lighttpd SSL==
Make the SSL directories:
 # mkdir -p /srv/http-ssl/html /srv/http-ssl/cache
Create the SSL certificate. The command below writes the private key and the self-signed certificate into the same file, which is why the file is then made readable only by the http user:
 # cd /srv/http-ssl
 # openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
 # chown http.http server.pem
 # chmod 600 server.pem

Add the following to the config file:

{{hc|/etc/lighttpd/additions.conf|
<nowiki>$SERVER["socket"] == ":443" {
server.document-root = "/srv/http-ssl/html" # use your ssl directory here
ssl.engine                = "enable"
ssl.pemfile                = "/srv/http-ssl/server.pem"  # use the path where you created your pem file
}</nowiki>}}

Then restart lighttpd:
 # /etc/rc.d/lighttpd restart
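Because ssl.pemfile points at a single file that holds both the private key and the certificate, two things are worth confirming before restarting: that the file really contains both blocks (a certificate-only file makes lighttpd fail to start) and that its mode still keeps the key private. The checker below is an added example, not code from the page or from lighttpd; it only inspects the PEM envelope and the file mode, and the sample file it writes contains placeholder markers rather than real key material.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): sanity-check the combined
# key+certificate file produced by
#   openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# before handing it to ssl.pemfile. Only the PEM envelope and the file
# mode are inspected; nothing is parsed cryptographically.

# check_pemfile FILE
# Returns 0 when FILE is a regular file holding exactly one private key
# block and at least one certificate block, with mode 600 or 400.
# Prints the reason for any failure and returns 1 otherwise.
check_pemfile() {
    pem=$1
    if [ ! -f "$pem" ]; then
        echo "$pem: not a regular file"
        return 1
    fi
    # "|| true" keeps "grep -c" (exit 1 on zero matches) from tripping "set -e"
    keys=$(grep -cE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$pem" || true)
    certs=$(grep -cE '^-----BEGIN CERTIFICATE-----$' "$pem" || true)
    mode=$(stat -c %a "$pem")
    if [ "$keys" -ne 1 ]; then
        echo "$pem: expected exactly one private key block, found $keys"
        return 1
    fi
    if [ "$certs" -lt 1 ]; then
        echo "$pem: no certificate block found"
        return 1
    fi
    case "$mode" in
        600|400) ;;
        *)
            echo "$pem: mode is $mode; the private key must not be group/world readable"
            return 1
            ;;
    esac
    return 0
}

# write_sample_pem FILE KIND
# Writes a constructed placeholder PEM (markers only, no real key material)
# so the checker can be exercised offline. KIND is "both" or "certonly".
write_sample_pem() {
    out=$1; kind=$2
    : > "$out"
    if [ "$kind" = both ]; then
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
            'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
            '-----END PRIVATE KEY-----' >> "$out"
    fi
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE' \
        '-----END CERTIFICATE-----' >> "$out"
    chmod 600 "$out"
}

# On the server from this how-to:
#   check_pemfile /srv/http-ssl/server.pem && /etc/rc.d/lighttpd restart
```

Chaining the check in front of the restart means a stray `chmod` or a truncated file is caught while the old lighttpd instance is still serving.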
===Redirection===
The following steps will redirect only certain pages or directories to SSL. For the example, we will use a squirrelmail directory.
Edit the config file and add the following:

{{hc|/etc/lighttpd/additions.conf|
<nowiki>$SERVER["socket"] == ":80" {
  $HTTP["url"] =~ "^/squirrelmail/*" {
    $HTTP["host"] =~ "(.*)" {
      url.redirect = ( "^/(.*)" => "https://%1/$1" )
    }
  }
}</nowiki>}}

This will redirect any plain http request for squirrelmail to https://host/squirrelmail, where host is the value captured from the request's Host header (%1) and the rest of the target is the request path without its leading slash ($1).
==FastCGI and PHP with eAccelerator==
===Step 1: Install packages===
 # pacman -S fcgi php
Install {{AUR|eaccelerator}} from the AUR.

===Step 2: Create a php user===
 # mkdir -p /home/phpuser/eaccelerator/cache
 # groupadd phpuser
 # useradd -g phpuser -d /home/phpuser -s /bin/false phpuser
 # chown -R phpuser.phpuser /home/phpuser

===Step 3: Add own config file for eaccelerator===

{{hc|/etc/php/conf.d/eaccelerator-own.ini|2=
zlib.output_compression = On
cgi.fix_pathinfo=1
eaccelerator.cache_dir="/home/phpuser/eaccelerator/cache"
}}

{{Tip|I additionally set {{ic|safe_mode}} to {{ic|On}} in my setup, but this is not required.}}
===Step 4: Setup fcgi-php prespawns===
Now we are going to set up a mechanism for spawning php instances to handle requests.
 # chmod 755 /etc/rc.d/spawn-php

===Step 5: Modify /etc/conf.d/spawn-php===
You need to edit a few parts of the spawn-php init script. Change the following to reflect the php user you created earlier:
 USERID=phpuser
 GROUPID=phpuser
 FCGISOCKET="/tmp/php-fastcgi.socket"

===Step 6: Spawn the php instances===
 # /etc/rc.d/spawn-php start
You should get some sort of message saying that it has started child processes. To check whether it indeed has (the spawn script is a bit buggy yet; I haven't worked out the kinks in the wrapper portion):
 $ ps afx | grep php
 3192 ?        Ss    0:00 /usr/bin/php
 3193 ?        S      0:00  \_ /usr/bin/php
 3194 ?        S      0:00  \_ /usr/bin/php
 3195 ?        S      0:00  \_ /usr/bin/php
 3196 ?        S      0:00  \_ /usr/bin/php
 3197 ?        S      0:00  \_ /usr/bin/php
 3198 ?        S      0:00  \_ /usr/bin/php
 3199 ?        S      0:00  \_ /usr/bin/php
 3200 ?        S      0:00  \_ /usr/bin/php
 3201 ?        S      0:00  \_ /usr/bin/php
 3202 ?        S      0:00  \_ /usr/bin/php
 3203 ?        S      0:00  \_ /usr/bin/php
 3204 ?        S      0:00  \_ /usr/bin/php
===Step 7: Setup lighttpd to use the instances===
Change the config file.
{{hc|/etc/lighttpd/additions.conf|
<nowiki>fastcgi.server            = ( ".php" =>
                              ( "localhost" =>
                                (
                                  "socket" => "/tmp/php-fastcgi.socket",
                                  "bin-path" => "/usr/bin/php-cgi"
                                )
                              )
                            )</nowiki>}}

===Step 8: Restart the daemon===
 # /etc/rc.d/lighttpd restart
Check /var/log/lighttpd/error.log for errors.
===Step 9: Try a php page===
Create the following php page, name it index.php, and place a copy in both /srv/http/ and /srv/http-ssl/html/:
{{hc|index.php|<nowiki>
<?php
phpinfo();
?>
</nowiki>}}
Try navigating with a web browser to both the http and https addresses of your server. If you see the phpinfo page, then you are almost done! Hooray!

===Step 10: Check on eaccelerator caching===
 # ls -l /home/phpuser/eaccelerator/cache
If the above command outputs something like the following:
 -rw-------  1 phpuser phpuser 456 2005-05-05 14:53 eaccelerator-277.58081
 -rw-------  1 phpuser phpuser 452 2005-05-05 14:53 eaccelerator-277.88081
then you are done! eAccelerator is happily caching your php scripts to help speed things up.

Latest revision as of 07:57, 11 January 2012