How to set up Lighttpd with SSL and proxy

I'm trying to set up Lighttpd with SSL and proxy, but I cannot make it work.
I've installed the certificate and private key and they work; however, when I try to enable SSL, port 443 doesn't respond.
My configuration file is (conf-enabled/10-proxy.conf):
$HTTP["host"] == "host.com.br" {
    proxy.server = ( "" => ((
        "host" => "200.1.1.1",
        "port" => 9004
    )))
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/private_key.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/certificate_file.crt"
}
My lighttpd.conf is:
server.modules = (
    "mod_access",
    "mod_alias",
    "mod_compress",
    "mod_redirect",
#   "mod_rewrite",
)
server.document-root = "/var/www"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
index-file.names = ( "index.php", "index.html",
                     "index.htm", "default.htm",
                     "index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
include_shell "/usr/share/lighttpd/use-ipv6.pl"
dir-listing.encoding = "utf-8"
server.dir-listing = "enable"
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/x-javascript", "text/css", "text/html", "text/plain" )
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

According to the docs, Lighttpd 1.4.52 doesn't support SSL/TLS with mod_proxy.

You need to tell lighttpd to listen on port 443:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/private_key.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/certificate_file.crt"
}

Related

Lighttpd Reverse Proxy with Pi-hole

I'm aware this question has been asked a few times and I've read a lot of the solutions, but I still cannot get my reverse proxy to work.
I have a Raspberry Pi with Pi-hole.
Hostname: pi-hole.local
IP address: 192.168.1.254
Lighttpd port: 8080
I want to visit http://pi-hole.local in my browser without :8080 and view the Pi-hole admin page.
At the moment, I have to type http://pi-hole.local:8080.
I have added mod_proxy to:
server.modules = (
    ...
    "mod_proxy",
    ...
)
I have server.port = 8080 and I have this block:
$HTTP["url"] =~ "pi-hole.local" {
    proxy.server = ( "" => ("" => ( "host" => "192.168.1.254", "port" => 8080 )))
}
pi-hole.local is the URI authority, not the url-path.
$HTTP["host"] =~ "pi-hole.local" {
    proxy.server = ( "" => ("" => ( "host" => "192.168.1.254", "port" => 8080 )))
}
Separately, for http://pi-hole.local to work, lighttpd also needs to be listening on port 80. Is that the case on your system? Is something else listening on port 80? If not, then $SERVER["socket"] == "*:80" {} will have lighttpd additionally listening on port 80, in addition to server.port = 8080. However, I have not looked into how pi-hole uses this, so you should test that pi-hole still works the way you want it to.
Instead of mod_proxy, a better way might be mod_redirect.
server.modules += ("mod_redirect")
$HTTP["host"] =~ "pi-hole.local" {
    url.redirect = ("" => "http://pi-hole.local:8080${url.path}${qsa}")
}

GitLab external HTTPS URL is not working anymore

I am having a problem with the GitLab server external URL.
Here is what I did:
I changed my gitlab.rb conf:
external_url 'https://gitlab.tools.ex.com/'
and here is what I'm using:
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.gmail.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "gitlab"
gitlab_rails['smtp_password'] = "XXXXX"
gitlab_rails['smtp_domain'] = "ex.com"
gitlab_rails['smtp_authentication'] = "gitlab#ex.com"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_openssl_verify_mode'] = 'none' # Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert', see http://api.rubyon$
gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"
gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"
The first problem was a certificate problem:
[screenshot: ssl problem]
After generating a certificate, here is what I'm getting:
[screenshot: after generating]
Thanks in advance!

Activate SSL with lighttpd on a Raspberry Pi

I've been looking for a while, unfortunately without resolution: how do I switch a lighttpd server that works over HTTP to HTTPS on a Raspberry Pi?
Important to know: this website is connected to my router and is accessible through a dynamic DNS under a domain, name.ddns.net (ports 80 and 443 are also open on this router).
Here is my process:
Generate the keys:
openssl req -new -newkey rsa:2048 -nodes -keyout domain.tld.key -out domain.tld.csr
openssl x509 -req -days 365 -in domain.tld.csr -signkey domain.tld.key -out domain.tld.crt
Combine the certificate with the key:
cat domain.tld.key domain.tld.crt > domain.tld.pem
Here is the configuration in lighttpd.conf:
server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_alias",
    "mod_compress",
    "mod_redirect",
    "mod_rewrite",
)
server.document-root = "/var/www/html"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80 #443 with #gstrauss answer
index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )
# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
# Log access
accesslog.filename = "/var/log/lighttpd/access.log"
# SSL Server settings
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/domain.tld.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/domain.tld.crt"
    server.name = "domain.tld"
    server.document-root = "/var/www/html"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression = "disable"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA"
}
And: nothing! (after /etc/init.d/lighttpd restart, of course), my website is still in HTTP.
Do you have a solution or an idea to test?
Thanks in advance!
lighttpd listens on port 80 by default. If you want to stop listening on port 80, then tell lighttpd to listen on port 443 by default:
server.port = 443
Succeeded! For some reason, unfortunately I don't know why, it was enough to transform the SSL part into:
# SSL Server settings
server.port = 443
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/domain.tld.pem"
ssl.ca-file = "/etc/lighttpd/ssl/domain.tld.crt"
server.name = "domain.tld"
server.document-root = "/var/www/html"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
#ssl.use-compression = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA"
So you must:
Remove the condition
(optional) comment out ssl compression because it is useless
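Two offline sanity checks for the lighttpd TLS settings discussed in this thread, added here as an example and not part of any of the posts: lighttpd's ssl.pemfile must contain both the certificate and the private key (which is why the question concatenates domain.tld.key and domain.tld.crt), and the ssl.cipher-list above still admits RC4 and SHA-1 CBC suites. The PEM sample is constructed; the cipher list is the one from the post.

```shell
#!/bin/sh
# Added example, not from the posts above. Constructed inputs only; nothing here
# touches a live lighttpd instance.

# ssl.pemfile must hold BOTH the certificate and the private key.
# Returns 0 if both PEM blocks are present, 1 otherwise.
check_pemfile() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 1
}

# Print every entry of an OpenSSL cipher-list string that still uses RC4 or a
# CBC suite with plain SHA-1 (OpenSSL names ending in "-SHA"), one per line.
weak_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -E 'RC4|-SHA$'
}

# Number of weak entries in the list (prints 0 when the list is clean).
weak_cipher_count() {
    weak_ciphers "$1" | grep -c . || true
}

# ssl.cipher-list copied verbatim from the post above.
POST_CIPHER_LIST="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA"

# Constructed PEM containing only a (dummy) key, i.e. the .key file on its own.
tmp=$(mktemp)
printf -- '-----BEGIN PRIVATE KEY-----\nMIIE(constructed)\n-----END PRIVATE KEY-----\n' > "$tmp"
if check_pemfile "$tmp"; then
    echo "pemfile ok"
else
    echo "pemfile is missing the certificate or the private key; cat key and crt together"
fi
rm -f "$tmp"

echo "weak suites in the post's ssl.cipher-list: $(weak_cipher_count "$POST_CIPHER_LIST")"
weak_ciphers "$POST_CIPHER_LIST"
```

The same checks apply to the $SERVER["socket"] == ":443" form and the server.port = 443 form; the listener change in the answer does not alter what is in the pemfile or the cipher list.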

Cannot redirect Traefik dashboard to https and set up password

I want the Traefik dashboard to only connect via HTTPS but at the same time provide authentication. I also want Traefik to automatically redirect to HTTPS if I access the HTTP address.
I've tried configuring it myself by adding a Traefik dashboard HTTP-to-HTTPS redirection and adding htpasswd authentication. But sadly it doesn't work.
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https", "traefik", "traefik-https"]
[entryPoints]
[entryPoints.traefik]
address = ":8080"
compress = true
[entryPoints.traefik.redirect]
entryPoint = "traefik-https"
[entryPoints.traefik-https.tls]
[entryPoints.traefik-https.auth]
[entryPoints.traefik-https.auth.basic]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
]
sniStrict = true
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
[entryPoints.traefik-https.tls.defaultCertificate]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[[entryPoints.traefik-https.tls.certificates]]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
sniStrict = true
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
[entryPoints.https.tls.defaultCertificate]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[[entryPoints.https.tls.certificates]]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[api]
entryPoint = "traefik"
dashboard = true
debug = true
[file]
[frontends]
[frontends.frontend1]
backend = "backend1"
[frontends.frontend1.routes.test_1]
rule = "Host: example.com,www.example.com"
[frontends.frontend2]
backend = "backend2"
[frontends.frontend2.routes.test_1]
rule = "Host: duplicati.example.com,www.duplicati.example.com"
[frontends.frontend3]
entryPoints = ["traefik"]
backend = "backend3"
[frontends.frontend3.routes.test_1]
rule = "Host: traefik.example.com"
[backends]
[backends.backend1]
[backends.backend1.servers.server1]
url = "http://127.0.0.1:56000"
weight = 1
[backends.backend2]
[backends.backend2.servers.server1]
url = "http://127.0.0.1:57000"
weight = 1
[backends.backend3]
[backends.backend3.servers.server1]
url = "http://127.0.0.1:8080"
weight = 1
I expected it to redirect to https automatically when I access http://example.com:8080, like this: http://example.com:8080 --> https://example.com:8080. But when I access https://example.com:8080 it gives me the error "Client sent an HTTP request to an HTTPS server".
What am I doing wrong?
I successfully fixed the problem. I don't know how I did it, but I started from zero, referred to the Traefik docs, tested my config, tried, tried and tried again until my config worked!
Here is the config, just in case someone needs it as a future reference:
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https", "traefik", "traefik-https"]
[entryPoints]
[entryPoints.foo]
address=":58080"
compress = true
[entryPoints.foo.redirect]
entrypoint="traefik-https"
[entryPoints.traefik-https]
address = ":58443"
compress = true
[entryPoints.traefik-https.tls]
sniStrict = true
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
[entryPoints.traefik-https.tls.defaultCertificate]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[[entryPoints.traefik-https.tls.certificates]]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[entryPoints.traefik-https.auth]
[entryPoints.traefik-https.auth.basic]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
sniStrict = true
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
[entryPoints.https.tls.defaultCertificate]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[[entryPoints.https.tls.certificates]]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[api]
entryPoint = "traefik-https"
dashboard = true
debug = true
[file]
[frontends]
[frontends.frontend1]
backend = "backend1"
[frontends.frontend1.routes.test_1]
rule = "Host: example.com,www.example.com"
[frontends.frontend2]
backend = "backend2"
[frontends.frontend2.routes.test_1]
rule = "Host: duplicati.example.com,www.duplicati.example.com"
# [frontends.frontend3]
# entryPoints = ["traefik"]
# backend = "backend3"
# [frontends.frontend3.routes.test_1]
# rule = "Host: traefik.example.com"
[backends]
[backends.backend1]
[backends.backend1.servers.server1]
url = "http://127.0.0.1:56000"
weight = 1
[backends.backend2]
[backends.backend2.servers.server1]
url = "http://127.0.0.1:57000"
weight = 1
# [backends.backend3]
# [backends.backend3.servers.server1]
# url = "http://127.0.0.1:8080"
# weight = 1
Traefik docs that I've referred to:
https://docs.traefik.io/configuration/backends/web/
https://docs.traefik.io/configuration/entrypoints/

Lighttpd reverse proxy

I have a reverse proxy setting in my Apache's httpd.conf:
ProxyPass "/endpoint" "https://someurl.com/endpoint"
ProxyPassReverse "/endpoint" "https://someurl.com/endpoint"
And I need to replicate this in Lighttpd. I'm running a JS app which calls localhost:8080/endpoint to retrieve some data. I'd like to set up a proxy to always redirect /endpoint to https://someurl.com/endpoint.
In my lighttpd.conf I have the following settings:
server.modules = ("mod_proxy")
$HTTP["url"] =~ "^.*endpoint" {
    proxy.server = ( "" => (( "host" => "https://someurl.com/endpoint" ) ) )
}
based on this SO answer.
I have also tried:
server.modules = ("mod_proxy")
proxy.server = ( "/endpoint" => (( "host" => "https://someurl.com/endpoint" )))
based on the lighttpd docs.
In both cases, I'm still hitting localhost:8080/endpoint which results in a 404 error. How do I set up the proxy correctly?
In lighttpd 1.4.46 and later, you can use proxy.header. See
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModProxy
server.modules = ("mod_proxy")
$HTTP["url"] == "/endpoint" {
    proxy.server = ( "" => (( "host" => "someurl.com" )))
    proxy.header = ( "map-host-request" => ( "-" => "someurl.com"),
                     "map-host-response" => ("-" => "-"))
}