Lighttpd for SSL and non-SSL

From ArchWiki
Revision as of 21:47, 23 July 2005 by Maxsipos (Talk | contribs) (Import from phpwiki and fix)



Lighttpd for both ssl and non-ssl

by CacTus


What is Lighttpd?

The lighttpd website gives a good definition.

"lighttpd a secure, fast, compliant and very flexible web-server which has been optimized
for high-performance environments. It has a very low memory footprint compared to other
webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth,
Output-Compression, URL-Rewriting and many more) make lighttpd the perfect
webserver-software for every server that is suffering load problems."
-- http://www.lighttpd.net/

Goals

The goal of this how-to is to set up lighttpd to serve both ssl and non-ssl connections. PHP will be run through a pre-spawned FastCGI pool that serves both the ssl and the non-ssl daemon. The php-fcgi instances will run as a different user than the lighttpd daemon, so a hole in a PHP script does not hand out the web server's privileges, and vice versa. eAccelerator will also be set up to speed up our PHP scripts.

Required packages:

  • lighttpd (compiled for mysql support)
  • php-cgi (compiled for cgi/fcgi support)
  • fast-cgi
  • eaccelerator
  • ssl

If you have trouble finding a package specific to this How-To, try the resources link at the bottom.

Lighttpd Installation

Step 1: Install the lighttpd package

I have lighttpd in my repository, and there is also a version in the AUR, courtesy of klapmuetz. The one in my repository currently contains a few extra things that we will be utilizing for this how to, but they can be obtained individually from my subversion repository if needed. The compiled binaries are the same in the two packages. Just a few different scripts and helper files.

[root@computer]$ pacman -Sy lighttpd

Step 2: Add a user

We are going to be running lighttpd as a non-root user. So, we first need to create a user for this purpose, and a home directory. We will create a group too.

[root@computer]$ mkdir /home/lighttpd
[root@computer]$ groupadd lighttpd
[root@computer]$ useradd -g lighttpd -d /home/lighttpd -s /bin/false lighttpd

Step 3: Ensure permissions are properly set.

[root@computer]$ chown -R lighttpd:lighttpd /home/lighttpd

Step 4: Edit the lighttpd.conf file located at /etc/lighttpd/lighttpd.conf

  • Uncomment "mod_fastcgi" and "mod_compress" in server.modules.
  • Uncomment server.username and set it to "lighttpd"
  • Uncomment server.groupname and set it to "lighttpd"
  • Uncomment compress.cache-dir and compress.filetype

Save your changes

Step 5: Create logfile/edit permissions

Since the daemon no longer runs as root, it cannot create its logfiles under /var/log/lighttpd on its own. We can give it a little help.

[root@computer]$ touch /var/log/lighttpd/error.log
[root@computer]$ touch /var/log/lighttpd/access.log
[root@computer]$ chown lighttpd /var/log/lighttpd/*.log

Step 6: Start the daemon.

[root@computer]$ /etc/rc.d/lighttpd start

Check /var/log/lighttpd/error.log for any errors. Try bringing up a web page on the server. The default index page should come up. Hooray! You got lighttpd running as a user.

It is currently only servicing port 80 (non-ssl), so next we add ssl to the mix.

Lighttpd SSL

Step 1: First things first

Lighttpd of this vintage can only serve either ssl or non-ssl from one process, because ssl.engine is a global setting. No problem. We can easily run two daemons. (Later lighttpd releases can serve both from a single process by enabling ssl.engine inside a $SERVER["socket"] == ":443" conditional; the two-daemon setup below still works.) We need to do a little maintenance work in the lighttpd user directory first.

[root@computer]$ /etc/rc.d/lighttpd stop
[root@computer]$ mkdir -p /home/lighttpd/ssl/html /home/lighttpd/ssl/cache
[root@computer]$ mkdir /home/lighttpd/nonssl
[root@computer]$ mv /home/lighttpd/html /home/lighttpd/nonssl
[root@computer]$ mv /home/lighttpd/cache /home/lighttpd/nonssl
[root@computer]$ cp /home/lighttpd/nonssl/html/index.html /home/lighttpd/ssl/html
[root@computer]$ chown -R lighttpd:lighttpd /home/lighttpd

Step 2: Copy things

Now we need to set up a separate config file and init script for the ssl version. The binary is copied only so that the init scripts can tell the two daemons apart by name; it is the same lighttpd.

[root@computer]$ cp /usr/sbin/lighttpd /usr/sbin/lighttpd-ssl
[root@computer]$ cp /etc/rc.d/lighttpd /etc/rc.d/lighttpd-ssl
[root@computer]$ cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd-ssl.conf

Step 3: Edit /etc/rc.d/lighttpd-ssl

Change to the following:

DAEMON_NAME="lighttpd-ssl"
DAEMON_CONF="/etc/lighttpd/lighttpd-ssl.conf"
DAEMON_PATH="/usr/sbin/lighttpd-ssl"
DAEMON_ERRLOG="/var/log/lighttpd/error-ssl.log"

Step 4: Create logfiles for the new daemon

[root@computer]$ touch /var/log/lighttpd/error-ssl.log
[root@computer]$ touch /var/log/lighttpd/access-ssl.log
[root@computer]$ chown lighttpd /var/log/lighttpd/*.log

Step 5: Edit /etc/lighttpd/lighttpd-ssl.conf

Change the following. Also make sure server.port is either left unset or set to 443: with ssl.engine enabled, lighttpd falls back to 443 only when no port is configured, and an explicit 80 would collide with the non-ssl daemon.

server.document-root = "/home/lighttpd/ssl/html"
server.errorlog = "/var/log/lighttpd/error-ssl.log"
accesslog.filename = "/var/log/lighttpd/access-ssl.log"
server.pid-file = "/var/run/lighttpd-ssl.pid"
compress.cache-dir = "/home/lighttpd/ssl/cache"
ssl.engine = "enable"
ssl.pemfile = "/home/lighttpd/ssl/server.pem"

Step 6: Edit /etc/lighttpd/lighttpd.conf

Now that the ssl version is correct, we have to slightly modify the non-ssl version to deal with our new directory structure.

server.document-root        = "/home/lighttpd/nonssl/html"
compress.cache-dir         = "/home/lighttpd/nonssl/cache"

Step 7: Create the self signed certificate

[root@computer]$ cd /home/lighttpd/ssl
[root@computer]$ openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
[root@computer]$ chown lighttpd:lighttpd server.pem
[root@computer]$ chmod 600 server.pem

Writing -keyout and -out to the same file puts the private key and the certificate together, which is what ssl.pemfile expects. -nodes leaves the key unencrypted (the daemon cannot type a passphrase at boot), so nobody but the lighttpd user may read the file; running the openssl command with umask 077 avoids the brief window in which the key is world-readable before the chmod. A self-signed certificate produces a browser warning; for a public site, replace it with one issued by a CA.
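As an added example (not the how-to's own commands), the following POSIX shell function does Step 7 with the umask set before the key exists and with an explicit 2048-bit key rather than whatever default_bits the local openssl.cnf supplies, then adds two checks on the result. The directory, CN and function names are placeholders of mine; it needs only the openssl command line tool.

```shell
#!/bin/sh
# Added example, not part of the original how-to: create server.pem for
# lighttpd-ssl with the key never world-readable and an explicit key size.
# Needs only the openssl command line tool; DIR and CN are placeholders.

# make_selfsigned DIR CN [DAYS]: writes DIR/server.pem (certificate + key), mode 600.
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    (
        umask 077   # every file below is created 0600, so there is no chmod race
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$cn" \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
        cat "$dir/cert.pem" "$dir/key.pem" > "$dir/server.pem" &&
        rm -f "$dir/key.pem" "$dir/cert.pem"
    )
}

# pem_has_key_and_cert FILE: ssl.pemfile must contain both objects.
pem_has_key_and_cert() {
    grep -q 'BEGIN .*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# pem_is_private FILE: true only when the mode is exactly 600.
pem_is_private() {
    find "$1" -maxdepth 0 -perm 600 | grep -q .
}

# cert_summary FILE: subject, validity and SHA-256 fingerprint, to compare
# against what the browser shows when it warns about the self-signed cert.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
}

# Usage, as root on the server:
#   make_selfsigned /home/lighttpd/ssl www.example.org 365 &&
#   chown lighttpd:lighttpd /home/lighttpd/ssl/server.pem &&
#   cert_summary /home/lighttpd/ssl/server.pem
```

The chown is still needed because the file is created by root; the mode, however, is already right the moment the key is written.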

Step 8: Start the daemons

[root@computer]$ /etc/rc.d/lighttpd start
[root@computer]$ /etc/rc.d/lighttpd-ssl start

Check /var/log/lighttpd/error.log and /var/log/lighttpd/error-ssl.log for errors.

Step 9: Test

Try navigating with a web browser to both the http and https address of your server. Hooray! You just set up ssl and nonssl serving using lighttpd.
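As an added example (not part of the original how-to), here is a small POSIX shell audit for the two config files edited in Installation Step 4 and SSL Step 5. It checks that server.username and server.groupname are set to a non-root account, that mod_fastcgi and mod_compress are uncommented, and, when ssl.engine is enabled, that server.port does not collide with the plain daemon and that ssl.pemfile is mode 600. The sample configs it writes are constructed for the demonstration and are not the Arch package defaults; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original how-to: audit a lighttpd.conf or
# lighttpd-ssl.conf for the edits this guide asks for. Assumes the
# `key = "value"` syntax shown on the page; function names are mine.

# conf_value FILE KEY: value of the last uncommented `KEY = "value"` (or `KEY = 80`)
# line. KEY is used as a regex, so "." also matches itself.
conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?([^\"[:space:]]+)\"?.*/\1/p" "$1" | tail -n 1
}

# module_enabled FILE mod_name: true if "mod_name" appears on a line that is not commented out.
module_enabled() {
    grep -E "^[^#]*\"$2\"" "$1" >/dev/null
}

# audit_lighttpd_conf FILE: print one line per finding; return the number of findings (0 = clean).
audit_lighttpd_conf() {
    f=$1; n=0
    user=$(conf_value "$f" server.username)
    group=$(conf_value "$f" server.groupname)
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "$f: server.username unset or root"; n=$((n + 1))
    fi
    if [ -z "$group" ] || [ "$group" = root ]; then
        echo "$f: server.groupname unset or root"; n=$((n + 1))
    fi
    for m in mod_fastcgi mod_compress; do
        module_enabled "$f" "$m" || { echo "$f: $m is still commented out"; n=$((n + 1)); }
    done
    if [ "$(conf_value "$f" ssl.engine)" = enable ]; then
        # lighttpd only falls back to 443 when server.port is unset; an explicit 80
        # would collide with the non-ssl daemon.
        port=$(conf_value "$f" server.port)
        if [ -n "$port" ] && [ "$port" != 443 ]; then
            echo "$f: ssl.engine enabled but server.port = $port"; n=$((n + 1))
        fi
        pem=$(conf_value "$f" ssl.pemfile)
        if [ -z "$pem" ]; then
            echo "$f: ssl.pemfile unset"; n=$((n + 1))
        elif [ -e "$pem" ] && ! find "$pem" -maxdepth 0 -perm 600 | grep -q .; then
            echo "$f: $pem holds an unencrypted key but is not mode 600"; n=$((n + 1))
        fi
    fi
    return $n
}

# write_sample_confs DIR: constructed samples for trying the audit offline.
# bad.conf looks like an unedited default; good.conf has the edits applied.
write_sample_confs() {
    d=$1
    cat > "$d/bad.conf" <<'EOF'
server.modules = (
#  "mod_fastcgi",
#  "mod_compress",
   "mod_accesslog" )
#server.username = "lighttpd"
#server.groupname = "lighttpd"
server.port = 80
ssl.engine = "enable"
ssl.pemfile = "/nonexistent/server.pem"
EOF
    : > "$d/server.pem" && chmod 600 "$d/server.pem"   # stand-in for the real key+cert
    cat > "$d/good.conf" <<EOF
server.modules = (
   "mod_fastcgi",
   "mod_compress",
   "mod_accesslog" )
server.username = "lighttpd"
server.groupname = "lighttpd"
ssl.engine = "enable"
ssl.pemfile = "$d/server.pem"
EOF
}
```

Run it as audit_lighttpd_conf /etc/lighttpd/lighttpd.conf and again for lighttpd-ssl.conf before starting the daemons; the exit status is the number of findings, so it drops into a start script easily. Ownership of the pemfile (lighttpd:lighttpd) is deliberately not checked here, since that depends on the account existing on the box.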

FastCGI and PHP with eAcceleration

Step 1: Install fastcgi and php compiled for cgi/fcgi

[root@computer]$ pacman -S fcgi cactus/php-cgi eaccelerator
[root@computer]$ /etc/rc.d/lighttpd-ssl start

Step 2: Create a php user

[root@computer]$ mkdir -p /home/phpuser/eaccelerator/cache
[root@computer]$ groupadd phpuser
[root@computer]$ useradd -g phpuser -d /home/phpuser -s /bin/false phpuser
[root@computer]$ chown -R phpuser:phpuser /home/phpuser

Step 3: Add eaccelerator to php.ini and make additional changes

Note: make sure you use >> in the following command. A single > would overwrite php.ini instead of appending to it. Not good.

[root@computer]$ cat /usr/share/eaccelerator/eaccelerator.ini >> /etc/php.ini

Step 4: Edit php.ini

zlib.output_compression = On
cgi.fix_pathinfo=1
eaccelerator.cache_dir="/home/phpuser/eaccelerator/cache"

cgi.fix_pathinfo=1 makes PHP split PATH_INFO off the script path (so /index.php/foo runs index.php). Keep lighttpd's default check-local = "enable" in fastcgi.server, so that only .php files that actually exist on disk are handed to the backend.

I additionally set safe_mode to On in my setup, but this is not required.

Step 5: Setup fcgi-php prespawns

Now we are going to setup a mechanism for spawning php instances to handle requests.

[root@computer]$ cp /usr/share/lighttpd/spawn-php /etc/rc.d/
[root@computer]$ chmod 755 /etc/rc.d/spawn-php

Step 6: Modify /etc/rc.d/spawn-php

You need to edit a few parts of the spawn-php init script. The following should be set to appropriate values for your setup.

## bind to tcp-port on localhost
FCGIPORT="1066"
## number of PHP children to spawn
PHP_FCGI_CHILDREN=12
## number of requests served by a single php process before it is restarted
PHP_FCGI_MAX_REQUESTS=1000

Also, change the following to reflect the php user you created earlier:

USERID=phpuser
GROUPID=phpuser

Step 7: Spawn the php instances

[root@computer]$ /etc/rc.d/spawn-php start

You should get some sort of message saying that it has started child processes.

To check whether it indeed has (the spawn script is still a bit buggy; I haven't worked out the kinks in the wrapper portion):

[root@computer]$ ps afx | grep php
 3192 ?        Ss     0:00 /usr/bin/php
 3193 ?        S      0:00  \_ /usr/bin/php
 3194 ?        S      0:00  \_ /usr/bin/php
 3195 ?        S      0:00  \_ /usr/bin/php
 3196 ?        S      0:00  \_ /usr/bin/php
 3197 ?        S      0:00  \_ /usr/bin/php
 3198 ?        S      0:00  \_ /usr/bin/php
 3199 ?        S      0:00  \_ /usr/bin/php
 3200 ?        S      0:00  \_ /usr/bin/php
 3201 ?        S      0:00  \_ /usr/bin/php
 3202 ?        S      0:00  \_ /usr/bin/php
 3203 ?        S      0:00  \_ /usr/bin/php
 3204 ?        S      0:00  \_ /usr/bin/php

Step 8: Setup lighttpd and lighttpd-ssl to use the instances

Edit both /etc/lighttpd/lighttpd.conf and /etc/lighttpd/lighttpd-ssl.conf to contain the following:

fastcgi.server = ( ".php" =>
                   ( "localhost" =>
                     (
                       "host" => "127.0.0.1",
                       "port" => 1066
                     )
                   )
                 )

Both daemons now hand .php requests to the same pool of phpuser processes. Because the pool listens on a TCP port, any local user on the machine can connect to 127.0.0.1:1066 and have the workers run PHP as phpuser; if the box has untrusted local users, a Unix socket with restrictive permissions ("socket" => "/path/to/php.sock" in fastcgi.server, with the spawner bound to the same path) is the tighter choice.

Step 9: Restart both daemons

[root@computer]$ /etc/rc.d/lighttpd restart
[root@computer]$ /etc/rc.d/lighttpd-ssl restart

Check /var/log/lighttpd/error.log and /var/log/lighttpd/error-ssl.log for errors.
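As an added example (not part of the original how-to), the following POSIX shell functions turn the ps check from Step 7 and the port numbers from Steps 6 and 8 into something you can run before restarting the daemons: every php process must belong to phpuser, FCGIPORT in spawn-php must equal the "port" in fastcgi.server, and the backend host must be loopback. The ps column layout, file names and sample data are my assumptions, constructed so the checks run without a live server.

```shell
#!/bin/sh
# Added example, not part of the original how-to: sanity checks for the
# FastCGI wiring. The ps column layout, file names and sample data below
# are my assumptions, constructed so the checks run without a live server.

# php_workers_ok PSFILE USER MIN: PSFILE holds `ps -eo user=,pid=,comm=` output.
# True if at least MIN php/php-cgi processes exist and every one of them runs
# as USER (catches spawn-php started before USERID/GROUPID were changed).
php_workers_ok() {
    n=$(awk -v u="$2" '
        $3 ~ /^php(-cgi)?$/ { c++; if ($1 != u) bad = 1 }
        END { if (bad) exit 1; print c + 0 }' "$1") || return 1
    [ "$n" -ge "$3" ]
}

# fcgi_port_matches SPAWN_SCRIPT CONF: FCGIPORT in spawn-php must equal the
# "port" in fastcgi.server, or lighttpd cannot reach the pool and .php requests fail.
fcgi_port_matches() {
    spawn_port=$(sed -n -E 's/^FCGIPORT="?([0-9]+)"?.*/\1/p' "$1" | tail -n 1)
    conf_port=$(sed -n -E 's/^[^#]*"port"[[:space:]]*=>[[:space:]]*([0-9]+).*/\1/p' "$2" | tail -n 1)
    [ -n "$spawn_port" ] && [ "$spawn_port" = "$conf_port" ]
}

# fcgi_host_is_loopback CONF: the pool should only be reachable via 127.0.0.1.
fcgi_host_is_loopback() {
    grep -E '^[^#]*"host"[[:space:]]*=>[[:space:]]*"127\.0\.0\.1"' "$1" >/dev/null
}

# write_fcgi_samples DIR: constructed spawn-php, lighttpd.conf and ps output.
write_fcgi_samples() {
    d=$1
    printf '%s\n' 'FCGIPORT="1066"' 'PHP_FCGI_CHILDREN=12' 'USERID=phpuser' 'GROUPID=phpuser' > "$d/spawn-php"
    cat > "$d/lighttpd.conf" <<'EOF'
fastcgi.server = ( ".php" =>
                   ( "localhost" =>
                     (
                       "host" => "127.0.0.1",
                       "port" => 1066
                     )
                   )
                 )
EOF
    # parent plus three children running as phpuser ...
    printf '%s\n' 'root 1 init' 'lighttpd 3100 lighttpd' 'phpuser 3192 php' \
        'phpuser 3193 php' 'phpuser 3194 php' 'phpuser 3195 php' > "$d/ps.good"
    # ... and the mistake of spawning before USERID was set
    printf '%s\n' 'root 1 init' 'root 3192 php' 'root 3193 php' > "$d/ps.bad"
}
```

On the live system, feed ps -eo user=,pid=,comm= into a file and call php_workers_ok on it with phpuser and the PHP_FCGI_CHILDREN count; the other two take /etc/rc.d/spawn-php and the two lighttpd config files directly.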

Step 10: Try a php page.

Create the following php page, name it index.php, and place a copy in both /home/lighttpd/ssl/html and /home/lighttpd/nonssl/html

<?php
phpinfo();
?>

Try navigating with a web browser to both the http and https address of your server. If you see the phpinfo page, then you are almost done! Hooray!

Step 11: Check on eaccelerator caching..

[root@computer]$ ls -l /home/phpuser/eaccelerator/cache

If the above command outputs the following:

-rw-------  1 phpuser phpuser 456 2005-05-05 14:53 eaccelerator-277.58081
-rw-------  1 phpuser phpuser 452 2005-05-05 14:53 eaccelerator-277.88081

Then you are done! eAccelerator is happily caching your php scripts to help speed things up. Good luck with your setup. :D

Resources:

  • fastcgi and lighttpd - klapmuetz's how-to on using lighttpd for Ruby on Rails. It also has good information on lighttpd setup.
  • Cactus Repo Information (http://e.solarblue.net/index.php/arch-repo/) - Information about my Arch Linux repository. Packages used in this how-to can be found there.