--- elwix/config/etc/default/lighttpd/lighttpd.conf.sample 2013/10/14 15:08:12 1.1.2.1 +++ elwix/config/etc/default/lighttpd/lighttpd.conf.sample 2013/10/14 15:19:37 1.1.2.2 @@ -1,326 +1,451 @@ -# lighttpd configuration file +####################################################################### +## +## /usr/local/etc/lighttpd/lighttpd.conf +## +## check /usr/local/etc/lighttpd/conf.d/*.conf for the configuration of modules. +## +####################################################################### + +####################################################################### +## +## Some Variable definition which will make chrooting easier. +## +## if you add a variable here. Add the corresponding variable in the +## chroot example aswell. +## +var.log_root = "/var/log/lighttpd" +var.server_root = "/usr/local/www/data" +var.state_dir = "/var/run" +var.home_dir = "/var/spool/lighttpd" +var.conf_dir = "/usr/local/etc/lighttpd" + +## +## run the server chrooted. +## +## This requires root permissions during startup. +## +## If you run Chrooted set the the variables to directories relative to +## the chroot dir. +## +## example chroot configuration: +## +#var.log_root = "/logs" +#var.server_root = "/" +#var.state_dir = "/run" +#var.home_dir = "/lib/lighttpd" +#var.vhosts_dir = "/vhosts" +#var.conf_dir = "/etc" # -# use it as a base for lighttpd 1.0.0 and above -# -# $Id: lighttpd.conf.sample,v 1.1.2.1 2013/10/14 15:08:12 misho Exp $ +#server.chroot = "/srv/www" -############ Options you really have to take care of #################### +## +## Some additional variables to make the configuration easier +## -## modules to load -# at least mod_access and mod_accesslog should be loaded -# all other module should only be loaded if really neccesary -# - saves some time -# - saves memory -server.modules = ( -# "mod_rewrite", -# "mod_redirect", -# "mod_alias", - "mod_access", -# "mod_trigger_b4_dl", -# "mod_auth", -# "mod_status", -# "mod_setenv", -# "mod_fastcgi", -# "mod_proxy", -# "mod_simple_vhost", -# "mod_evhost", -# "mod_userdir", -# "mod_cgi", -# "mod_compress", -# "mod_ssi", -# "mod_usertrack", -# "mod_expire", -# "mod_secdownload", -# "mod_rrdtool", - "mod_accesslog" ) +## +## Base directory for all virtual hosts +## +## used in: +## conf.d/evhost.conf +## conf.d/simple_vhost.conf +## vhosts.d/vhosts.template +## +var.vhosts_dir = server_root + "/vhosts" -## A static document-root. For virtual hosting take a look at the -## mod_simple_vhost module. -server.document-root = "/usr/local/www/data/" +## +## Cache for mod_compress +## +## used in: +## conf.d/compress.conf +## +var.cache_dir = "/var/cache/lighttpd" -## where to send error-messages to -server.errorlog = "/var/log/lighttpd.error.log" +## +## Base directory for sockets. +## +## used in: +## conf.d/fastcgi.conf +## conf.d/scgi.conf +## +var.socket_dir = home_dir + "/sockets" -# files to check for if .../ is requested -index-file.names = ( "index.php", "index.html", - "index.htm", "default.htm" ) +## +####################################################################### -## set the event-handler (read the performance section in the manual) -server.event-handler = "freebsd-kqueue" # needed on OS X +####################################################################### +## +## Load the modules. +include "modules.conf" -# mimetype mapping -mimetype.assign = ( - ".pdf" => "application/pdf", - ".sig" => "application/pgp-signature", - ".spl" => "application/futuresplash", - ".class" => "application/octet-stream", - ".ps" => "application/postscript", - ".torrent" => "application/x-bittorrent", - ".dvi" => "application/x-dvi", - ".gz" => "application/x-gzip", - ".pac" => "application/x-ns-proxy-autoconfig", - ".swf" => "application/x-shockwave-flash", - ".tar.gz" => "application/x-tgz", - ".tgz" => "application/x-tgz", - ".tar" => "application/x-tar", - ".zip" => "application/zip", - ".mp3" => "audio/mpeg", - ".m3u" => "audio/x-mpegurl", - ".wma" => "audio/x-ms-wma", - ".wax" => "audio/x-ms-wax", - ".ogg" => "application/ogg", - ".wav" => "audio/x-wav", - ".gif" => "image/gif", - ".jar" => "application/x-java-archive", - ".jpg" => "image/jpeg", - ".jpeg" => "image/jpeg", - ".png" => "image/png", - ".xbm" => "image/x-xbitmap", - ".xpm" => "image/x-xpixmap", - ".xwd" => "image/x-xwindowdump", - ".css" => "text/css", - ".html" => "text/html", - ".htm" => "text/html", - ".js" => "text/javascript", - ".asc" => "text/plain", - ".c" => "text/plain", - ".cpp" => "text/plain", - ".log" => "text/plain", - ".conf" => "text/plain", - ".text" => "text/plain", - ".txt" => "text/plain", - ".dtd" => "text/xml", - ".xml" => "text/xml", - ".mpeg" => "video/mpeg", - ".mpg" => "video/mpeg", - ".mov" => "video/quicktime", - ".qt" => "video/quicktime", - ".avi" => "video/x-msvideo", - ".asf" => "video/x-ms-asf", - ".asx" => "video/x-ms-asf", - ".wmv" => "video/x-ms-wmv", - ".bz2" => "application/x-bzip", - ".tbz" => "application/x-bzip-compressed-tar", - ".tar.bz2" => "application/x-bzip-compressed-tar", - # default mime type - "" => "application/octet-stream", - ) +## +####################################################################### -# Use the "Content-Type" extended attribute to obtain mime type if possible -#mimetype.use-xattr = "enable" +####################################################################### +## +## Basic Configuration +## --------------------- +## +server.port = 80 +## +## Use IPv6? +## +server.use-ipv6 = "enable" -## send a different Server: header -## be nice and keep it at lighttpd -# server.tag = "lighttpd" +## +## bind to a specific IP +## +#server.bind = "localhost" -#### accesslog module -accesslog.filename = "/var/log/lighttpd.access.log" +## +## Run as a different username/groupname. +## This requires root permissions during startup. +## +server.username = "www" +server.groupname = "www" -## deny access the file-extensions -# -# ~ is for backupfiles from vi, emacs, joe, ... -# .inc is often used for code includes which should in general not be part -# of the document-root -url.access-deny = ( "~", ".inc" ) +## +## enable core files. +## +#server.core-files = "disable" -$HTTP["url"] =~ "\.pdf$" { - server.range-requests = "disable" -} +## +## Document root +## +server.document-root = "/usr/local/www/data/" ## -# which extensions should not be handle via static-file transfer -# -# .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi -static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) +## The value for the "Server:" response field. +## +## It would be nice to keep it at "lighttpd". +## +#server.tag = "lighttpd" -######### Options that are good to be but not neccesary to be changed ####### +## +## store a pid file +## +server.pid-file = state_dir + "/lighttpd.pid" -## bind to port (default: 80) -#server.port = 81 +## +####################################################################### -## bind to localhost (default: all interfaces) -#server.bind = "127.0.0.1" +####################################################################### +## +## Logging Options +## ------------------ +## +## all logging options can be overwritten per vhost. +## +## Path to the error log file +## +server.errorlog = log_root + "/error.log" -## error-handler for status 404 -#server.error-handler-404 = "/error-handler.html" -#server.error-handler-404 = "/error-handler.php" +## +## If you want to log to syslog you have to unset the +## server.errorlog setting and uncomment the next line. +## +#server.errorlog-use-syslog = "enable" -## to help the rc.scripts -server.pid-file = "/var/run/lighttpd.pid" +## +## Access log config +## +include "conf.d/access_log.conf" +## +## The debug options are moved into their own file. +## see conf.d/debug.conf for various options for request debugging. +## +include "conf.d/debug.conf" -###### virtual hosts ## -## If you want name-based virtual hosting add the next three settings and load -## mod_simple_vhost +####################################################################### + +####################################################################### ## -## document-root = -## virtual-server-root + virtual-server-default-host + virtual-server-docroot -## or -## virtual-server-root + http-host + virtual-server-docroot +## Tuning/Performance +## -------------------- ## -#simple-vhost.server-root = "/srv/www/vhosts/" -#simple-vhost.default-host = "www.example.org" -#simple-vhost.document-root = "/htdocs/" +## corresponding documentation: +## http://www.lighttpd.net/documentation/performance.html +## +## set the event-handler (read the performance section in the manual) +## +## possible options on linux are: +## +## select +## poll +## linux-sysepoll +## +## linux-sysepoll is recommended on kernel 2.6. +## +server.event-handler = "freebsd-kqueue" +## +## The basic network interface for all platforms at the syscalls read() +## and write(). Every modern OS provides its own syscall to help network +## servers transfer files as fast as possible +## +## linux-sendfile - is recommended for small files. +## writev - is recommended for sending many large files +## +server.network-backend = "writev" ## -## Format: .html -## -> ..../status-404.html for 'File not found' -#server.errorfile-prefix = "/usr/share/lighttpd/errors/status-" -#server.errorfile-prefix = "/srv/www/errors/status-" +## As lighttpd is a single-threaded server, its main resource limit is +## the number of file descriptors, which is set to 1024 by default (on +## most systems). +## +## If you are running a high-traffic site you might want to increase this +## limit by setting server.max-fds. +## +## Changing this setting requires root permissions on startup. see +## server.username/server.groupname. +## +## By default lighttpd would not change the operation system default. +## But setting it to 2048 is a better default for busy servers. +## +server.max-fds = 2048 -## virtual directory listings -#dir-listing.activate = "enable" -## select encoding for directory listings -#dir-listing.encoding = "utf-8" +## +## Stat() call caching. +## +## lighttpd can utilize FAM/Gamin to cache stat call. +## +## possible values are: +## disable, simple or fam. +## +server.stat-cache-engine = "simple" -## enable debugging -#debug.log-request-header = "enable" -#debug.log-response-header = "enable" -#debug.log-request-handling = "enable" -#debug.log-file-not-found = "enable" +## +## Fine tuning for the request handling +## +## max-connections == max-fds/2 (maybe /3) +## means the other file handles are used for fastcgi/files +## +server.max-connections = 1024 -### only root can use these options -# -# chroot() to directory (default: no chroot() ) -#server.chroot = "/" +## +## How many seconds to keep a keep-alive connection open, +## until we consider it idle. +## +## Default: 5 +## +#server.max-keep-alive-idle = 5 -## change uid to (default: don't care) -server.username = "www" +## +## How many keep-alive requests until closing the connection. +## +## Default: 16 +## +#server.max-keep-alive-requests = 16 -## change uid to (default: don't care) -server.groupname = "www" +## +## Maximum size of a request in kilobytes. +## By default it is unlimited (0). +## +## Uploads to your server cant be larger than this value. +## +#server.max-request-size = 0 -#### compress module -#compress.cache-dir = "/var/cache/lighttpd/compress/" -#compress.filetype = ("text/plain", "text/html") +## +## Time to read from a socket before we consider it idle. +## +## Default: 60 +## +#server.max-read-idle = 60 -#### proxy module -## read proxy.txt for more info -#proxy.server = ( ".php" => -# ( "localhost" => -# ( -# "host" => "192.168.0.101", -# "port" => 80 -# ) -# ) -# ) +## +## Time to write to a socket before we consider it idle. +## +## Default: 360 +## +#server.max-write-idle = 360 -#### fastcgi module -## read fastcgi.txt for more info -## for PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini -#fastcgi.server = ( ".php" => -# ( "localhost" => -# ( -# "socket" => "/var/run/lighttpd/php-fastcgi.socket", -# "bin-path" => "/usr/local/bin/php-cgi-cgi" -# ) -# ) -# ) +## +## Traffic Shaping +## ----------------- +## +## see /usr/share/doc/lighttpd/traffic-shaping.txt +## +## Values are in kilobyte per second. +## +## Keep in mind that a limit below 32kB/s might actually limit the +## traffic to 32kB/s. This is caused by the size of the TCP send +## buffer. +## +## per server: +## +#server.kbytes-per-second = 128 -#### CGI module -#cgi.assign = ( ".pl" => "/usr/bin/perl", -# ".cgi" => "/usr/bin/perl" ) -# +## +## per connection: +## +#connection.kbytes-per-second = 32 -#### SSL engine -#ssl.engine = "enable" -#ssl.pemfile = "/etc/ssl/private/lighttpd.pem" +## +####################################################################### -#### status module -#status.status-url = "/server-status" -#status.config-url = "/server-config" +####################################################################### +## +## Filename/File handling +## ------------------------ -#### auth module -## read authentication.txt for more info -#auth.backend = "plain" -#auth.backend.plain.userfile = "lighttpd.user" -#auth.backend.plain.groupfile = "lighttpd.group" +## +## files to check for if .../ is requested +## index-file.names = ( "index.php", "index.rb", "index.html", +## "index.htm", "default.htm" ) +## +index-file.names += ( + "index.xhtml", "index.html", "index.htm", "default.htm", "index.php" +) -#auth.backend.ldap.hostname = "localhost" -#auth.backend.ldap.base-dn = "dc=my-domain,dc=com" -#auth.backend.ldap.filter = "(uid=$)" +## +## deny access the file-extensions +## +## ~ is for backupfiles from vi, emacs, joe, ... +## .inc is often used for code includes which should in general not be part +## of the document-root +url.access-deny = ( "~", ".inc" ) -#auth.require = ( "/server-status" => -# ( -# "method" => "digest", -# "realm" => "download archiv", -# "require" => "user=jan" -# ), -# "/server-config" => -# ( -# "method" => "digest", -# "realm" => "download archiv", -# "require" => "valid-user" -# ) -# ) +## +## disable range requests for pdf files +## workaround for a bug in the Acrobat Reader plugin. +## +$HTTP["url"] =~ "\.pdf$" { + server.range-requests = "disable" +} -#### url handling modules (rewrite, redirect, access) +## +## url handling modules (rewrite, redirect) +## #url.rewrite = ( "^/$" => "/server-status" ) -#url.redirect = ( "^/wishlist/(.+)" => "http://www.123.org/$1" ) -#### both rewrite/redirect support back reference to regex conditional using %n +#url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" ) + +## +## both rewrite/redirect support back reference to regex conditional using %n +## #$HTTP["host"] =~ "^www\.(.*)" { # url.redirect = ( "^/(.*)" => "http://%1/$1" ) #} -# -# define a pattern for the host url finding -# %% => % sign -# %0 => domain name + tld -# %1 => tld -# %2 => domain name without tld -# %3 => subdomain 1 name -# %4 => subdomain 2 name -# -#evhost.path-pattern = "/srv/www/vhosts/%3/htdocs/" +## +## which extensions should not be handle via static-file transfer +## +## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi +## +static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" ) -#### expire module -#expire.url = ( "/buggy/" => "access 2 hours", "/asdhas/" => "access plus 1 seconds 2 minutes") +## +## error-handler for status 404 +## +#server.error-handler-404 = "/error-handler.html" +#server.error-handler-404 = "/error-handler.php" -#### ssi -#ssi.extension = ( ".shtml" ) +## +## Format: .html +## -> ..../status-404.html for 'File not found' +## +#server.errorfile-prefix = "/srv/www/htdocs/errors/status-" -#### rrdtool -#rrdtool.binary = "/usr/bin/rrdtool" -#rrdtool.db-name = "/var/lib/lighttpd/lighttpd.rrd" +## +## mimetype mapping +## +include "conf.d/mime.conf" -#### setenv -#setenv.add-request-header = ( "TRAV_ENV" => "mysql://user@host/db" ) -#setenv.add-response-header = ( "X-Secret-Message" => "42" ) +## +## directory listing configuration +## +include "conf.d/dirlisting.conf" -## for mod_trigger_b4_dl -# trigger-before-download.gdbm-filename = "/var/lib/lighttpd/trigger.db" -# trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" ) -# trigger-before-download.trigger-url = "^/trigger/" -# trigger-before-download.download-url = "^/download/" -# trigger-before-download.deny-url = "http://127.0.0.1/index.html" -# trigger-before-download.trigger-timeout = 10 +## +## Should lighttpd follow symlinks? +## +server.follow-symlink = "enable" -#### variable usage: -## variable name without "." is auto prefixed by "var." and becomes "var.bar" -#bar = 1 -#var.mystring = "foo" +## +## force all filenames to be lowercase? +## +#server.force-lowercase-filenames = "disable" -## integer add -#bar += 1 -## string concat, with integer cast as string, result: "www.foo1.com" -#server.name = "www." + mystring + var.bar + ".com" -## array merge -#index-file.names = (foo + ".php") + index-file.names -#index-file.names += (foo + ".php") +## +## defaults to /var/tmp as we assume it is a local harddisk +## +server.upload-dirs = ( "/var/tmp" ) -#### include -#include /etc/lighttpd/lighttpd-inc.conf -## same as above if you run: "lighttpd -f /etc/lighttpd/lighttpd.conf" -#include "lighttpd-inc.conf" +## +####################################################################### -#### include_shell -#include_shell "echo var.a=1" -## the above is same as: -#var.a=1 -# Enable IPV6 and IPV4 together -server.use-ipv6 = "enable" +####################################################################### +## +## SSL Support +## ------------- +## +## To enable SSL for the whole server you have to provide a valid +## certificate and have to enable the SSL engine.:: +## +## ssl.engine = "enable" +## ssl.pemfile = "/path/to/server.pem" +## +## The HTTPS protocol does not allow you to use name-based virtual +## hosting with SSL. If you want to run multiple SSL servers with +## one lighttpd instance you must use IP-based virtual hosting: :: +## +## Mitigate CVE-2009-3555 by disabling client triggered renegotation +## This is enabled by default. +## +## IMPORTANT: this setting can only be used in the global scope. +## It does *not* work inside conditionals +## +# ssl.disable-client-renegotiation = "enable" +## +## $SERVER["socket"] == "10.0.0.1:443" { +## ssl.engine = "enable" +## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" +## # +## # Mitigate BEAST attack: +## # +## # A stricter base cipher suite. For details see: +## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html +## # +## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" +## # +## # Make the server prefer the order of the server side cipher suite instead of the client suite. +## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). +## # This option is enabled by default, but only used if ssl.cipher-list is set. +## # +## # ssl.honor-cipher-order = "enable" +## # +## server.name = "www.example.com" +## +## server.document-root = "/srv/www/vhosts/example.com/www/" +## } +## + +## If you have a .crt and a .key file, cat them together into a +## single PEM file: +## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \ +## > /etc/ssl/private/lighttpd.pem +## +#ssl.pemfile = "/etc/ssl/private/lighttpd.pem" + +## +## optionally pass the CA certificate here. +## +## +#ssl.ca-file = "" + +## +####################################################################### + +####################################################################### +## +## custom includes like vhosts. +## +#include "conf.d/config.conf" +#include_shell "cat /usr/local/etc/lighttpd/vhosts.d/*.conf" +## +####################################################################### + +# IPv4 listening socket $SERVER["socket"] == "0.0.0.0:80" { }