Lighttpd for SSL and non-SSL

From ArchWiki
Revision as of 13:31, 9 January 2012 by Kynikos (talk | contribs) (<pre> -> bc, <code> -> ic)

The factual accuracy of this article or section is disputed. (Discuss in Talk:Lighttpd for SSL and non-SSL)

This article or section is a candidate for merging with Lighttpd.

Notes: Talk:Lighttpd#Merging (Discuss in Talk:Lighttpd for SSL and non-SSL)

What is Lighttpd?

The lighttpd website gives a good definition.

"lighttpd a secure, fast, compliant and very flexible web-server which has been optimized
for high-performance environments. It has a very low memory footprint compared to other
webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth,
Output-Compression, URL-Rewriting and many more) make lighttpd the perfect
webserver-software for every server that is suffering load problems."


The goal of this how-to is to set up lighttpd to serve both SSL and non-SSL connections. PHP will be set up via a FastCGI prespawn that serves both SSL and non-SSL connections. The php-fcgi instances will run as a different user than the lighttpd daemon. eAccelerator will also be set up to increase the efficiency of our PHP scripts.

Pacman packages

AUR packages

Lighttpd Installation

Step 1: Install the lighttpd package

I have lighttpd in my repository, and there is also a version in the AUR, courtesy of klapmuetz. The one in my repository currently contains a few extra things that we will be utilizing for this how to, but they can be obtained individually from my subversion repository if needed. The compiled binaries are the same in the two packages. Just a few different scripts and helper files.

# pacman -S lighttpd

Step 2: Add a user

lighttpd uses http as default user and group. Create them if necessary. We will use /srv/http as webserver root.

# groupadd http
# useradd -g http -s /bin/false http

Step 3: Ensure permissions are properly set

# chown -R http:http /srv/http /var/log/lighttpd

Step 4: Add own config file

We will use a separate config file for our changes to make upgrading easier.

server.modules = (

index-file.names += ( "index.htm", "index.php")

# Prevent direct access to some files
url.access-deny = ( ".inc", ".htaccess", ".htpasswd" )

# corrects some issues with displaying CSS, adds .htm/.xhtml
mimetype.assign	+= (
	".htm" => "text/html",
	".xhtml" => "text/html",
	".css" => "text/css"
)

Include additions.conf:

include "additions.conf"

Step 5: Test your setup

To test the install

# rc.d start lighttpd

Check /var/log/lighttpd/*.log for any errors.

# touch /srv/http/index.html
# chmod 755 /srv/http/index.html
# echo 'TestMe!' >> /srv/http/index.html

Then point your browser to localhost, and you should see the test page.

You may want to add lighttpd to the daemons list in /etc/rc.conf to start the server on boot.

Example configuration files are available in /usr/share/doc/lighttpd/.

Lighttpd SSL

Make the SSL directories:

# mkdir -p /srv/http-ssl/html /srv/http-ssl/cache

Create the SSL certificate:

# cd /srv/http-ssl
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# chown http:http server.pem
# chmod 600 server.pem

Add the following to the config file:

$SERVER["socket"] == ":443" {
  server.document-root = "/srv/http-ssl/html" # use your ssl directory here
  ssl.engine           = "enable"
  ssl.pemfile          = "/srv/http-ssl/server.pem" # use the path where you created your pem file
}

Then restart lighttpd:

# /etc/rc.d/lighttpd restart
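
A post-install check for the certificate steps above, as an added example that is not part of the original page: it confirms that server.pem is closed to group and others, belongs to the expected user, and holds both the key and the certificate (-keyout and -out name the same file, and ssl.pemfile points at it). The helper name check_pem and the sample file are constructed for illustration; GNU stat is assumed.

```shell
#!/bin/sh
# check_pem FILE OWNER (hypothetical helper, not part of lighttpd)
# Prints one finding per line; returns 0 only when there are no findings.
check_pem() {
    pem=$1; want_owner=$2; rc=0
    [ -f "$pem" ] || { echo "missing: $pem"; return 1; }
    mode=$(stat -c '%a' "$pem")    # octal mode, e.g. 600 (GNU stat)
    owner=$(stat -c '%U' "$pem")   # owner name, e.g. http
    # -nodes left the key unencrypted, so group and others must have no access.
    case $mode in
        ?00) ;;
        *) echo "mode $mode lets group/others in, expected 600"; rc=1 ;;
    esac
    [ "$owner" = "$want_owner" ] || { echo "owner $owner, expected $want_owner"; rc=1; }
    # -keyout and -out named the same file, so it must hold both blocks.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || { echo "no private key block"; rc=1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || { echo "no certificate block"; rc=1; }
    return $rc
}

# Constructed sample: PEM markers only, no real key material.
demo_dir=$(mktemp -d)
demo_pem=$demo_dir/server.pem
printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(placeholder)' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' '(placeholder)' '-----END CERTIFICATE-----' > "$demo_pem"
demo_owner=$(stat -c '%U' "$demo_pem")

chmod 644 "$demo_pem"
check_pem "$demo_pem" "$demo_owner" || echo "=> fix with: chmod 600 $demo_pem"
chmod 600 "$demo_pem"
check_pem "$demo_pem" "$demo_owner" && echo "=> $demo_pem passes"
rm -rf "$demo_dir"
```

On the server itself the call would be check_pem /srv/http-ssl/server.pem http.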


The following steps will redirect only certain pages or directories to ssl. For the example, we will use a squirrelmail directory. Edit the config file and add the following:

$SERVER["socket"] == ":80" {
  $HTTP["url"] =~ "^/squirrelmail/*" {
    $HTTP["host"] =~ "(.*)" {
      url.redirect = ( "^/(.*)" => "https://%1/$1" )
    }
  }
}

This will redirect any plain HTTP request for squirrelmail to https://host/squirrelmail.
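
How the nested conditionals above decide a redirect, emulated in shell as an added example (not code from the original page). It also compares the page's pattern ^/squirrelmail/* with a tighter alternative, ^/squirrelmail(/|$), which is an assumption of this example; redirect_for, compare_patterns, the host name and the sample paths are constructed.

```shell
#!/bin/sh
# redirect_for PATTERN HOST PATH (hypothetical helper emulating the config above)
# Prints the Location lighttpd would send; returns 1 when the request is not redirected.
redirect_for() {
    pattern=$1; host=$2; path=$3
    # $HTTP["url"] =~ PATTERN: lighttpd uses PCRE, but these two patterns
    # mean the same thing in grep -E.
    printf '%s\n' "$path" | grep -Eq -- "$pattern" || return 1
    # $HTTP["host"] =~ "(.*)" always matches, so %1 is the whole Host header.
    # url.redirect "^/(.*)": $1 is everything after the leading slash.
    printf 'https://%s/%s\n' "$host" "${path#/}"
}

PAGE_PATTERN='^/squirrelmail/*'        # from the page: "/*" means zero or more slashes
TIGHT_PATTERN='^/squirrelmail(/|$)'    # assumption: stop at the directory boundary

# compare_patterns HOST: one line per constructed path, showing both outcomes.
compare_patterns() {
    for p in /squirrelmail /squirrelmail/src/login.php /squirrelmail-old/config.php /index.html; do
        a=$(redirect_for "$PAGE_PATTERN" "$1" "$p") || a='(served over http)'
        b=$(redirect_for "$TIGHT_PATTERN" "$1" "$p") || b='(served over http)'
        printf '%-30s page: %-45s tight: %s\n' "$p" "$a" "$b"
    done
}

compare_patterns mail.example.org
```

The page's pattern also matches /squirrelmail-old/config.php because "/*" accepts zero slashes, and every path outside the match stays on plain HTTP.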

FastCGI and PHP with eAccelerator

Step 1: Install packages

# pacman -S fcgi php

Install eaccelerator from the AUR.

Step 2: Create a php user

# mkdir -p /home/phpuser/eaccelerator/cache
# groupadd phpuser
# useradd -g phpuser -d /home/phpuser -s /bin/false phpuser
# chown -R phpuser:phpuser /home/phpuser

Step 3: Add own config file for eaccelerator

zlib.output_compression = On
Tip: I additionally set safe_mode to On in my setup, but this is not required.

Step 4: Setup fcgi-php prespawns

Now we are going to set up a mechanism for spawning PHP instances to handle requests.

# chmod 755 /etc/rc.d/spawn-php

Step 5: Modify /etc/conf.d/spawn-php

You need to edit a few parts of the spawn-php init script. Change the following to reflect the php user you created earlier:


Step 6: Spawn the php instances

# /etc/rc.d/spawn-php start

You should get some sort of message saying that it has started child processes. To check whether it indeed has (the spawn script is a bit buggy yet, I haven't worked out the kinks in the wrapper portion):

$ ps afx | grep php
3192 ?        Ss     0:00 /usr/bin/php
3193 ?        S      0:00  \_ /usr/bin/php
3194 ?        S      0:00  \_ /usr/bin/php
3195 ?        S      0:00  \_ /usr/bin/php
3196 ?        S      0:00  \_ /usr/bin/php
3197 ?        S      0:00  \_ /usr/bin/php
3198 ?        S      0:00  \_ /usr/bin/php
3199 ?        S      0:00  \_ /usr/bin/php
3200 ?        S      0:00  \_ /usr/bin/php
3201 ?        S      0:00  \_ /usr/bin/php
3202 ?        S      0:00  \_ /usr/bin/php
3203 ?        S      0:00  \_ /usr/bin/php
3204 ?        S      0:00  \_ /usr/bin/php

Step 7: Setup lighttpd to use the instances

Change the config file.

fastcgi.server             = ( ".php" =>
                               ( "localhost" =>
                                 (
                                   "socket" => "/tmp/php-fastcgi.socket",
                                   "bin-path" => "/usr/bin/php-cgi"
                                 )
                               )
                             )

Step 8: Restart the daemon

# /etc/rc.d/lighttpd restart

Check /var/log/lighttpd/error.log for errors.

Step 9: Try a php page

Create the following php page, name it index.php, and place a copy in both /srv/http/ and /srv/http-ssl/html/


Try navigating with a web browser to both the http and https address of your server. If you see the phpinfo page, then you are almost done! Hooray!

Step 10: Check on eaccelerator caching

# ls -l /home/phpuser/eaccelerator/cache

If the above command outputs the following:

-rw-------  1 phpuser phpuser 456 2005-05-05 14:53 eaccelerator-277.58081
-rw-------  1 phpuser phpuser 452 2005-05-05 14:53 eaccelerator-277.88081

Then you are done! Eaccelerator is happily caching your php scripts to help speed things up.