Difference between revisions of "Lighttpd for SSL and non-SSL"

From ArchWiki
(Step 1: First things first)
(Step 2: Copy things)
Line 87: Line 87:
[[root@computer]]$ cp /usr/sbin/lighttpd /usr/sbin/lighttpd-ssl
[[root@computer]]$ cp /usr/sbin/lighttpd /usr/sbin/lighttpd-ssl
[[root@computer]]$ cp /etc/rc.d/lighttpd /etc/rc.d/lighttpd-ssl
[[root@computer]]$ cp /etc/rc.d/lighttpd /etc/rc.d/lighttpd-ssl
[[root@computer]]$ cp /etc/conf.d/lighttpd /etc/conf.d/lighttpd-ssl
[[root@computer]]$ cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd-ssl.conf
[[root@computer]]$ cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd-ssl.conf

Revision as of 10:56, 15 May 2006

Lighttpd for both ssl and non-ssl

by CacTus

What is Lighttpd?

The lighttpd website gives a good definition.

"lighttpd a secure, fast, compliant and very flexible web-server which has been optimized
for high-performance environments. It has a very low memory footprint compared to other
webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth,
Output-Compression, URL-Rewriting and many more) make lighttpd the perfect
webserver-software for every server that is suffering load problems."
-- http://www.lighttpd.net/


The goal of this how-to is to set up lighttpd to serve both ssl and non-ssl connections. php will be set up via a fastcgi prespawn that services both ssl and non-ssl connections. The php-fcgi instances will run as a different user than the lighttpd daemon. eaccelerator will also be set up to increase the efficiency of our php scripts.

Required packages:

  • lighttpd (compiled for mysql support)
  • php-cgi (compiled for cgi/fcgi support)
  • fast-cgi
  • eaccelerator
  • ssl

If you have trouble finding a package specific to this How-To, try the resources link at the bottom.

Lighttpd Installation

Step 1: Install the lighttpd package

I have lighttpd in my repository, and there is also a version in the AUR, courtesy of klapmuetz. The one in my repository currently contains a few extra things that we will be utilizing for this how to, but they can be obtained individually from my subversion repository if needed. The compiled binaries are the same in the two packages. Just a few different scripts and helper files.

[[root@computer]]$ pacman -Sy lighttpd

Step 2: Add a user

We are going to be running lighttpd as a non-root user. So, we first need to create a user for this purpose, and a home directory. We will create a group too.

[[root@computer]]$ groupadd lighttpd
[[root@computer]]$ useradd -g lighttpd -d /home/lighttpd -s /bin/false lighttpd

Step 3: Ensure permissions are properly set.

[[root@computer]]$ chown -R lighttpd:lighttpd /home/lighttpd

Step 4: Edit the lighttpd.conf file located at /etc/lighttpd/lighttpd.conf

  • Uncomment mod_fastcgi and mod_compress.
  • Uncomment and change server.username to "lighttpd"
  • Uncomment and change server.groupname to "lighttpd"
  • Uncomment compress.cache-dir and compress.filetype

Save your changes

Step 5: Change logfile permissions

Since we are running the daemon as the lighttpd user, we need to change the logfile permissions.

[[root@computer]]$ chown lighttpd /var/log/lighttpd/*.log

Step 6: Start the daemon.

[[root@computer]]$ /etc/rc.d/lighttpd start

Check /var/log/lighttpd/error.log for any errors. Try bringing up a web page on the server. The default index page should come up. Hooray! You got lighttpd running as a user.

It is currently only servicing port 80 (non-ssl), so next we add ssl to the mix.

Lighttpd SSL

Step 1: First things first

Lighttpd can only service either ssl or non-ssl at one time. No problem. We can easily run two daemons. We need to do a little maintenance work in the lighttpd user directory first.

[[root@computer]]$ /etc/rc.d/lighttpd stop
[[root@computer]]$ mkdir -p /home/lighttpd/ssl/html /home/lighttpd/ssl/cache
[[root@computer]]$ mkdir /home/lighttpd/nonssl
[[root@computer]]$ mv /home/lighttpd/html /home/lighttpd/nonssl
[[root@computer]]$ mv /home/lighttpd/cache /home/lighttpd/nonssl
[[root@computer]]$ cp /home/lighttpd/nonssl/html/index.html /home/lighttpd/ssl/html
[[root@computer]]$ chown -R lighttpd:lighttpd /home/lighttpd

Step 2: Copy things

Now we need to set up a separate binary, config file, and init script for the ssl version.

[[root@computer]]$ cp /usr/sbin/lighttpd /usr/sbin/lighttpd-ssl
[[root@computer]]$ cp /etc/rc.d/lighttpd /etc/rc.d/lighttpd-ssl
[[root@computer]]$ cp /etc/conf.d/lighttpd /etc/conf.d/lighttpd-ssl
[[root@computer]]$ cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd-ssl.conf

Step 3: Edit /etc/rc.d/lighttpd-ssl

Change to the following:


Step 4: Create logfiles for the new daemon

[[root@computer]]$ touch /var/log/lighttpd/error-ssl.log
[[root@computer]]$ touch /var/log/lighttpd/access-ssl.log
[[root@computer]]$ chown lighttpd /var/log/lighttpd/*.log

Step 5: Edit /etc/lighttpd/lighttpd-ssl.conf

Change to the following:

server.document-root = "/home/lighttpd/ssl/html"
server.errorlog = "/var/log/lighttpd/error-ssl.log"
accesslog.filename = "/var/log/lighttpd/access-ssl.log"
server.pid-file = "/var/run/lighttpd-ssl.pid"
compress.cache-dir = "/home/lighttpd/ssl/cache"
ssl.engine = "enable"
ssl.pemfile = "/home/lighttpd/ssl/server.pem"

Step 6: Edit /etc/lighttpd/lighttpd.conf

Now that the ssl version is correct, we have to slightly modify the non-ssl version to deal with our new directory structure.

server.document-root        = "/home/lighttpd/nonssl/html"
compress.cache-dir         = "/home/lighttpd/nonssl/cache"

Step 7: Create the self signed certificate

[[root@computer]]$ cd /home/lighttpd/ssl
[[root@computer]]$ openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
[[root@computer]]$ chown lighttpd:lighttpd server.pem
[[root@computer]]$ chmod 600 server.pem

Step 8: Start the daemons

[[root@computer]]$ /etc/rc.d/lighttpd start
[[root@computer]]$ /etc/rc.d/lighttpd-ssl start

Check /var/log/lighttpd/error.log and /var/log/lighttpd/error-ssl.log for errors.

Step 9: Test

Try navigating with a web browser to both the http and https address of your server. Hooray! You just set up ssl and non-ssl serving using lighttpd.
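The copied lighttpd-ssl.conf starts out identical to lighttpd.conf, so any per-daemon path left unchanged in Step 5 ends up shared by both daemons. The following check is an added example, not part of the original how-to; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# conf_get FILE KEY: print the last uncommented quoted value assigned to KEY.
conf_get() {
    key=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# check_split_configs PLAIN_CONF SSL_CONF: report per-daemon settings the two
# files still share; the return status is the number of problems found.
check_split_configs() {
    problems=0
    for k in server.document-root server.errorlog accesslog.filename \
             server.pid-file compress.cache-dir; do
        a=$(conf_get "$1" "$k"); b=$(conf_get "$2" "$k")
        if [ -n "$a" ] && [ "$a" = "$b" ]; then
            echo "SHARED $k = $a"; problems=$((problems + 1))
        fi
    done
    if [ "$(conf_get "$2" ssl.engine)" != "enable" ]; then
        echo "ssl.engine is not enabled in $2"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: an SSL config copied from the plain one in which the
# pid-file and access log were left unchanged.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/lighttpd.conf" <<'EOF'
server.document-root = "/home/lighttpd/nonssl/html"
server.errorlog      = "/var/log/lighttpd/error.log"
accesslog.filename   = "/var/log/lighttpd/access.log"
server.pid-file      = "/var/run/lighttpd.pid"
compress.cache-dir   = "/home/lighttpd/nonssl/cache"
EOF
    cat > "$dir/lighttpd-ssl.conf" <<'EOF'
server.document-root = "/home/lighttpd/ssl/html"
server.errorlog      = "/var/log/lighttpd/error-ssl.log"
accesslog.filename   = "/var/log/lighttpd/access.log"
server.pid-file      = "/var/run/lighttpd.pid"
compress.cache-dir   = "/home/lighttpd/ssl/cache"
ssl.engine           = "enable"
EOF
    echo "$dir"
}

d=$(make_sample)
check_split_configs "$d/lighttpd.conf" "$d/lighttpd-ssl.conf" || echo "$? setting(s) to fix"
rm -r "$d"
```

On a real host, pass /etc/lighttpd/lighttpd.conf and /etc/lighttpd/lighttpd-ssl.conf as the two arguments.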

FastCGI and PHP with eAcceleration

Step 1: Install fastcgi and php compiled for cgi/fcgi

You may first need to uncomment these lines in /etc/pacman.conf.

Include = /etc/pacman.d/community
[[root@computer]]$ pacman -Sy fcgi php-cgi eaccelerator
[[root@computer]]$ /etc/rc.d/lighttpd-ssl start

N.B. eaccelerator currently doesn't work with php 5.1.x

Step 2: Create a php user

[[root@computer]]$ mkdir -p /home/phpuser/eaccelerator/cache
[[root@computer]]$ groupadd phpuser
[[root@computer]]$ useradd -g phpuser -d /home/phpuser -s /bin/false phpuser
[[root@computer]]$ chown -R phpuser:phpuser /home/phpuser

Step 3: Add eaccelerator to php.ini and make additional changes

Note: Make sure you use >> in the following command. A single > overwrites /etc/php.ini instead of appending to it.

[[root@computer]]$ cat /usr/share/eaccelerator/eaccelerator.ini >> /etc/php.ini

Step 4: Edit php.ini

zlib.output_compression = On

I additionally set safe_mode to On in my setup, but this is not required.

Step 5: Setup fcgi-php prespawns

Now we are going to set up a mechanism for spawning php instances to handle requests.

 [[root@computer]]$ chmod 755 /etc/rc.d/spawn-php

Step 6: Modify /etc/conf.d/spawn-php

You need to edit a few parts of the spawn-php init script.

Change the following to reflect the php user you created earlier:


Step 7: Spawn the php instances

 [[root@computer]]$ /etc/rc.d/spawn-php start

You should get some sort of message saying that it has started child processes.

To check whether it indeed has (the spawn script is a bit buggy yet, I haven't worked out the kinks in the wrapper portion):

[[root@computer]]$ ps afx | grep php
 3192 ?        Ss     0:00 /usr/bin/php
 3193 ?        S      0:00  \_ /usr/bin/php
 3194 ?        S      0:00  \_ /usr/bin/php
 3195 ?        S      0:00  \_ /usr/bin/php
 3196 ?        S      0:00  \_ /usr/bin/php
 3197 ?        S      0:00  \_ /usr/bin/php
 3198 ?        S      0:00  \_ /usr/bin/php
 3199 ?        S      0:00  \_ /usr/bin/php
 3200 ?        S      0:00  \_ /usr/bin/php
 3201 ?        S      0:00  \_ /usr/bin/php
 3202 ?        S      0:00  \_ /usr/bin/php
 3203 ?        S      0:00  \_ /usr/bin/php
 3204 ?        S      0:00  \_ /usr/bin/php

Step 8: Setup lighttpd and lighttpd-ssl to use the instances

Uncomment the fastcgi.server block in both /etc/lighttpd/lighttpd.conf and /etc/lighttpd/lighttpd-ssl.conf and change it to the following:

fastcgi.server             = ( ".php" =>
                               ( "localhost" =>
                                 (
                                   "socket" => "/tmp/php-fastcgi.socket",
                                   "bin-path" => "/usr/bin/php-cgi"
                                 )
                               )
                            )

Step 9: Restart both daemons

[[root@computer]]$ /etc/rc.d/lighttpd restart
[[root@computer]]$ /etc/rc.d/lighttpd-ssl restart

Check /var/log/lighttpd/error.log and /var/log/lighttpd/error-ssl.log for errors.

Step 10: Try a php page.

Create the following php page, name it index.php, and place a copy in both /home/lighttpd/ssl/html and /home/lighttpd/nonssl/html:


Try navigating with a web browser to both the http and https address of your server. If you see the phpinfo page, then you are almost done! Hooray!

N.B. eaccelerator currently doesn't work with php 5.1.x

Step 11: Check on eaccelerator caching

 [[root@computer]]$ ls -l /home/phpuser/eaccelerator/cache

If the above command outputs the following:

-rw-------  1 phpuser phpuser 456 2005-05-05 14:53 eaccelerator-277.58081
-rw-------  1 phpuser phpuser 452 2005-05-05 14:53 eaccelerator-277.88081

Then you are done! Eaccelerator is happily caching your php scripts to help speed things up. Good luck with your setup. :D
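The ps listing in Step 7 does not show which account owns the PHP processes, and running them as phpuser rather than as the lighttpd user is the point of Step 2. The following check is an added example, not part of the original how-to; the function names and the ps lines are constructed, and the stray php-cgi worker stands for a backend started by the web server itself, which lighttpd can do when bin-path is set.

```shell
#!/bin/sh
# check_php_owner USER: read `ps -eo user,pid,args` style lines on stdin and
# report php / php-cgi processes that are not owned by USER.
# Exit status: 0 all owned by USER, 1 at least one wrong owner, 2 none found.
check_php_owner() {
    awk -v want="$1" '
        NR == 1 && $1 == "USER" { next }       # skip the ps header line
        $3 ~ /(^|\/)php(-cgi)?$/ {             # executable is php or php-cgi
            total++
            if ($1 != want) {
                bad++
                printf "WRONG OWNER %s pid=%s %s\n", $1, $2, $3
            }
        }
        END {
            if (total == 0) { print "no php processes found"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Constructed sample (not captured from a real host): one worker is owned by
# the web server account instead of phpuser.
sample_ps() {
    cat <<'EOF'
USER       PID COMMAND
lighttpd  3100 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
lighttpd  3101 /usr/sbin/lighttpd-ssl -f /etc/lighttpd/lighttpd-ssl.conf
phpuser   3192 /usr/bin/php
phpuser   3193 /usr/bin/php
lighttpd  3250 /usr/bin/php-cgi
EOF
}

sample_ps | check_php_owner phpuser || echo "privilege separation is not in effect"
```

On a live host, feed it real data with: ps -eo user,pid,args | check_php_owner phpuser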


fastcgi and lighttpd - klapmuetz's how to on using lighttpd for ruby on rails. It also has good information on lighttpd setup.
CacTus Repo Information - Information about my Arch Linux repository. Packages used in this howto can be found there.