Difference between revisions of "Lighttpd for SSL and non-SSL"

(Updated. Changed many things, feel free to edit.)
m (<pre> -> bc, <code> -> ic)
Line 7: Line 7:
 
The lighttpd website gives a good definition.
 
The lighttpd website gives a good definition.
  
<pre>
+
{{bc|
 
"lighttpd a secure, fast, compliant and very flexible web-server which has been optimized
 
"lighttpd a secure, fast, compliant and very flexible web-server which has been optimized
 
for high-performance environments. It has a very low memory footprint compared to other
 
for high-performance environments. It has a very low memory footprint compared to other
Line 14: Line 14:
 
webserver-software for every server that is suffering load problems."
 
webserver-software for every server that is suffering load problems."
 
-- http://www.lighttpd.net/
 
-- http://www.lighttpd.net/
</pre>
+
}}
  
 
==Goals==
 
==Goals==
Line 145: Line 145:
 
}}
 
}}
  
{{Tip|I additionally set <code>safe_mod</code> to <code>On</code> in my setup, but this is not required.}}
+
{{Tip|I additionally set {{ic|safe_mod}} to {{ic|On}} in my setup, but this is not required.}}
  
 
===Step 4: Setup fcgi-php prespawns===
 
===Step 4: Setup fcgi-php prespawns===
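Review bot: The Tip line that this hunk rewraps still reads safe_mod, while PHP's directive is spelled safe_mode, so the {{ic|...}} markup now presents a misspelled setting name as literal text to copy. Suggest correcting it to {{ic|safe_mode}} in the same edit, since the change already touches that line.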

Revision as of 13:31, 9 January 2012

The factual accuracy of this article or section is disputed.

Reason: please use the first argument of the template to provide a brief explanation. (Discuss in Talk:Lighttpd for SSL and non-SSL#)

This article or section is a candidate for merging with Lighttpd.

Notes: Talk:Lighttpd#Merging (Discuss in Talk:Lighttpd for SSL and non-SSL#)

What is Lighttpd?

The lighttpd website gives a good definition.

"lighttpd a secure, fast, compliant and very flexible web-server which has been optimized
for high-performance environments. It has a very low memory footprint compared to other
webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth,
Output-Compression, URL-Rewriting and many more) make lighttpd the perfect
webserver-software for every server that is suffering load problems."
-- http://www.lighttpd.net/

Goals

The goal of this how-to is to set up lighttpd to serve both SSL and non-SSL connections. PHP will be set up via a FastCGI prespawn that services both SSL and non-SSL connections. The php-fcgi instances will run as a different user than the lighttpd daemon. eAccelerator will also be set up to increase the efficiency of our PHP scripts.

Pacman packages

AUR packages

Lighttpd Installation

Step 1: Install the lighttpd package

I have lighttpd in my repository, and there is also a version in the AUR, courtesy of klapmuetz. The one in my repository currently contains a few extra things that we will be utilizing for this how-to, but they can be obtained individually from my subversion repository if needed. The compiled binaries are the same in the two packages; only a few scripts and helper files differ.

# pacman -S lighttpd

Step 2: Add a user

lighttpd uses http as default user and group. Create them if necessary. We will use /srv/http as webserver root.

# groupadd http
# useradd -g http -s /bin/false http

Step 3: Ensure permissions are properly set

# chown -R http:http /srv/http /var/log/lighttpd

Step 4: Add own config file

We will use a separate config file for our changes to make upgrading easier.

/etc/lighttpd/additions.conf
server.modules = (
            "mod_expire",
            "mod_access",
            "mod_alias",
            "mod_accesslog",
            "mod_compress",
            "mod_fastcgi",
            "mod_auth",
            "mod_rewrite",
)

index-file.names += ( "index.htm", "index.php")

# Prevent direct access to some files
url.access-deny = ( ".inc", ".htaccess", ".htpasswd" )

# corrects some issues with displaying CSS, adds .htm/.xhtml
mimetype.assign	+= (
	".htm" => "text/html",
	".xhtml" => "text/html",
	".css" => "text/css"
)

Include additions.conf:

/etc/lighttpd/lighttpd.conf
[...]
include "additions.conf"

Step 5: Test your setup

To test the install, start the daemon:

# rc.d start lighttpd

Check /var/log/lighttpd/*.log for any errors.

# touch /srv/http/index.html
# chmod 755 /srv/http/index.html
# echo 'TestMe!' >> /srv/http/index.html

Then point your browser to localhost, and you should see the test page.

You may want to add lighttpd to the daemons list in /etc/rc.conf to start the server on boot.

Example configuration files are available in /usr/share/doc/lighttpd/.

Lighttpd SSL

Make the SSL directories:

# mkdir -p /srv/http-ssl/html /srv/http-ssl/cache

Create the SSL certificate:

# cd /srv/http-ssl
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# chown http:http server.pem
# chmod 600 server.pem

Add the following to the config file:

/etc/lighttpd/additions.conf
$SERVER["socket"] == ":443" {
server.document-root = "/srv/http-ssl/html" # use your ssl directory here
ssl.engine                 = "enable"
ssl.pemfile                = "/srv/http-ssl/server.pem"  # use the path where you created your pem file
}

Then restart lighttpd:

# /etc/rc.d/lighttpd restart
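
A quick audit of the file named in ssl.pemfile, as an added example that is not part of the original article. The function name audit_pem is hypothetical, and GNU stat and readlink are assumed; the paths and user in the final comment are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original page). audit_pem is a hypothetical helper.
# Usage: audit_pem PEMFILE DOCROOT OWNER
# Prints one line per finding; the exit status is the number of findings.
audit_pem() {
    pem=$1 docroot=$2 owner=$3 findings=0

    if [ ! -f "$pem" ]; then
        echo "FAIL: $pem does not exist"
        return 1
    fi

    # The key was written with -nodes (unencrypted), so the file mode is its
    # only protection at rest.
    mode=$(stat -c '%a' "$pem")
    case $mode in
        600|400) ;;
        *) echo "FAIL: mode is $mode, expected 600"; findings=$((findings + 1)) ;;
    esac

    actual_owner=$(stat -c '%U' "$pem")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: owned by $actual_owner, expected $owner"
        findings=$((findings + 1))
    fi

    # -keyout and -out named the same file, so both blocks must be present.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: no private key block"; findings=$((findings + 1)); }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate block"; findings=$((findings + 1)); }

    # A key stored below the document root can be fetched as a static file.
    real_pem=$(readlink -f "$pem")
    real_root=$(readlink -f "$docroot")
    case $real_pem in
        "$real_root"/*)
            echo "FAIL: $pem is inside document root $docroot"
            findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ] && echo "OK: $pem"
    return "$findings"
}

# With the paths and user from this page:
# audit_pem /srv/http-ssl/server.pem /srv/http-ssl/html http
```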

Redirection

The following steps will redirect only certain pages or directories to ssl. For the example, we will use a squirrelmail directory. Edit the config file and add the following:

/etc/lighttpd/additions.conf
$SERVER["socket"] == ":80" {
  $HTTP["url"] =~ "^/squirrelmail/*" {
   $HTTP["host"] =~ "(.*)" {
    url.redirect = ( "^/(.*)" => "https://%1/$1" )
   }
  } 
 }

This will redirect any normal HTTP request for squirrelmail to https://host/squirrelmail.

FastCGI and PHP with eAccelerator

Step 1: Install packages

# pacman -S fcgi php

Install eaccelerator from the AUR.

Step 2: Create a php user

# mkdir -p /home/phpuser/eaccelerator/cache
# groupadd phpuser
# useradd -g phpuser -d /home/phpuser -s /bin/false phpuser
# chown -R phpuser:phpuser /home/phpuser

Step 3: Add own config file for eaccelerator

/etc/php/conf.d/eaccelerator-own.ini
zlib.output_compression = On
cgi.fix_pathinfo=1
eaccelerator.cache_dir="/home/phpuser/eaccelerator/cache"

Tip: I additionally set safe_mode to On in my setup, but this is not required.

Step 4: Setup fcgi-php prespawns

Now we are going to set up a mechanism for spawning PHP instances to handle requests.

# chmod 755 /etc/rc.d/spawn-php

Step 5: Modify /etc/conf.d/spawn-php

You need to edit a few parts of the spawn-php init script. Change the following to reflect the php user you created earlier:

USERID=phpuser
GROUPID=phpuser
FCGISOCKET="/tmp/php-fastcgi.socket"

Step 6: Spawn the php instances

# /etc/rc.d/spawn-php start

You should get some sort of message saying that it has started child processes. To check whether it indeed has (the spawn script is a bit buggy yet, I haven't worked out the kinks in the wrapper portion):

$ ps afx | grep php
3192 ?        Ss     0:00 /usr/bin/php
3193 ?        S      0:00  \_ /usr/bin/php
3194 ?        S      0:00  \_ /usr/bin/php
3195 ?        S      0:00  \_ /usr/bin/php
3196 ?        S      0:00  \_ /usr/bin/php
3197 ?        S      0:00  \_ /usr/bin/php
3198 ?        S      0:00  \_ /usr/bin/php
3199 ?        S      0:00  \_ /usr/bin/php
3200 ?        S      0:00  \_ /usr/bin/php
3201 ?        S      0:00  \_ /usr/bin/php
3202 ?        S      0:00  \_ /usr/bin/php
3203 ?        S      0:00  \_ /usr/bin/php
3204 ?        S      0:00  \_ /usr/bin/php
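
The listing above shows that the instances exist, but not which account they run under, which is the reason phpuser was created. The following added example (not part of the original article; php_owner_report is a hypothetical name) reads "USER COMMAND" lines on stdin and reports any PHP process not running as the expected user.

```shell
#!/bin/sh
# Added example (not from the original page). php_owner_report is a
# hypothetical helper.
# Usage: ps -e -o user= -o comm= | php_owner_report phpuser
# Exit status: 0 = all php processes run as the expected user,
#              1 = at least one runs as another user,
#              2 = no php process was found at all.
php_owner_report() {
    awk -v want="$1" '
        # Only the interpreter processes matter; lighttpd itself runs as http.
        $2 == "php" || $2 == "php-cgi" {
            total++
            if ($1 != want) {
                bad++
                printf "FAIL: %s runs as %s, expected %s\n", $2, $1, want
            }
        }
        END {
            if (total == 0) { print "FAIL: no php processes found"; exit 2 }
            if (bad > 0) exit 1
            printf "OK: %d php processes, all running as %s\n", total, want
        }'
}
```

Run it again after lighttpd has been restarted in Step 8, so that any PHP process started under the web server's own account shows up.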

Step 7: Setup lighttpd to use the instances

Change the config file.

/etc/lighttpd/additions.conf
fastcgi.server             = ( ".php" =>
                               ( "localhost" =>
                                 (
                                   "socket" => "/tmp/php-fastcgi.socket",
                                   "bin-path" => "/usr/bin/php-cgi"
                                 )
                               )
                            )

Step 8: Restart the daemon

# /etc/rc.d/lighttpd restart

Check /var/log/lighttpd/error.log for errors.

Step 9: Try a php page

Create the following PHP page, name it index.php, and place a copy in both /srv/http/ and /srv/http-ssl/html/:

<?php
phpinfo();
?>

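Try navigating with a web browser to both the http and https address of your server. If you see the phpinfo page, then you are almost done! Hooray! Delete the test page from both directories once you have confirmed it works, since phpinfo() output discloses the server's configuration to anyone who requests it.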

Step 10: Check on eaccelerator caching

# ls -l /home/phpuser/eaccelerator/cache

If the above command outputs the following:

-rw-------  1 phpuser phpuser 456 2005-05-05 14:53 eaccelerator-277.58081
-rw-------  1 phpuser phpuser 452 2005-05-05 14:53 eaccelerator-277.88081

Then you are done! Eaccelerator is happily caching your php scripts to help speed things up.