Lighttpd

This howto will help you set up lighttpd (pronounced "lighty"), a web server designed to be secure, fast, standards-compliant, and flexible while being optimized for speed-critical environments. If you are not interested in these features, you may be interested in Apache.

Installation
The fun part of any server: the installation. In this section, we will set USE flags and emerge the required package(s).

USE flags
Before emerging Lighttpd, you should set some USE Flags.

The possible USE flags for lighttpd are:
 * - Use the bzlib compression library
 * - Adds extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
 * - Enable FAM (File Alteration Monitor) support
 * - Adds support for sys-libs/gdbm (GNU database libraries)
 * - Adds support for IP version 6
 * - Adds Kerberos support
 * - Adds LDAP support (Lightweight Directory Access Protocol)
 * - Enable fdevent handler
 * - Enable Lua scripting support
 * - Enable memcache support for mod_cml and mod_trigger_b4_dl
 * - Install a very minimal build (disables, for example, plugins, fonts, most drivers, non-critical features)
 * - Adds MySQL Database support
 * - Adds support for Perl Compatible Regular Expressions
 * - Include support for the PHP language
 * - Enable rrdtool support via mod_rrdtool
 * - Adds support for Secure Socket Layer connections
 * - Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore
 * - Apply experimental patch for upload progress module
 * - Enable webdav properties
 * - Adds support for extended attributes (filesystem-stored metadata)
 * - Adds support for zlib (de)compression

For information about setting USE flags, see USE Flags

Example:

Emerging Lighttpd
OK, now for the fun and easy part. Let's emerge lighttpd:

Check your USE flags, make sure they look good, then press Enter to start emerging.

Configuring Lighttpd
Now, we have to configure Lighttpd.

Fire up your editor and let's get started editing. We won't cover more advanced things such as FastCGI, mod_simple_vhost, mod_cml, etc. Go through the configuration file and edit anything that you feel you need to edit. (TODO: Expand on this more)

Starting Lighttpd
Let's get Lighttpd started. To start it, you can use the init scripts provided:

* Starting lighttpd ... [ ok ]

Point your web browser to http://127.0.0.1, and, if you are successful, you should get a 404 Not Found. Time to fill your folder with some HTML files, etc. But what if you want to do more?...

Setting up PHP with Lighttpd
If your USE flags included php (and cgi or fastcgi), then you are already set.

Emerging PHP
Set your USE Flags for PHP, you should enable, and probably as well

Now emerge PHP:

Check for FastCGI support
To check for FastCGI support, run

If you don't see this, try emerging PHP again with the correct USE flags.

Configure Lighttpd for FastCGI/PHP
Open up your file with your favorite editor, and uncomment the following line:

Then, open up your file, and uncomment the following large block of code. You may also need to modify the bin-path to the PHP installation:

If you have projects that use file extensions other than ".php", you can map them to your FastCGI backend with the line below.

Those who want to use an opcode cacher like XCache must set max_procs for mod_fastcgi to 1. To handle more requests, you have to increase PHP_FCGI_CHILDREN and PHP_FCGI_MAX_REQUESTS.

Here is an example configuration:

Configure Lighttpd for vhosts
If you want to run several websites or domains on one lighttpd server, you will need vhosts. Add mod_simple_vhost to the list of modules to load. Then, add to your config:

Configure Lighttpd for user directories
Add mod_userdir to the list of modules to load.

Restarting Lighttpd
Run the magical restart command, and enjoy your Lighttpd/PHP setup:

* Stopping lighttpd ... [ ok ]
 * Starting lighttpd ...                 [ ok ]

Preparation
Set your USE Flags for www-servers/lighttpd to include the flag. Don't forget, if you just added this line to you will need to rebuild lighttpd prior to putting your new, SSL-enabled configuration in place and restarting the daemon.

Key Creation
In this step, you will use OpenSSL to generate an RSA key, save an insecure copy of the key, and generate a certificate signing request (CSR) which will be sent to a certificate authority (CA) to be signed.

1) Create a folder to contain your certificate files

2) Create the 2048-bit RSA key and secure it with PBE (password-based encryption) using AES-256

3) Enter a password to encrypt the RSA private key
 Generating RSA private key, 2048 bit long modulus
 ...............................+++
 ..................................+++
 unable to write 'random state'
 e is 65537 (0x10001)
 Enter pass phrase for www.example.com.key:
 Verifying - Enter pass phrase for www.example.com.key:

4) Save an insecure version of the key. Lighttpd will need a clear-text version of the key later in the process.

5) Enter the password you used in step #3, and openssl will write an insecure version of the key
 Enter pass phrase for www.example.com.key:
 writing RSA key

6) Change the permissions on this file to ensure no one else can read it!

7) Create the CSR for submission to the CA. A CA is a company like Verisign or Thawte whose services one purchases to have a certificate signed. This signing allows a trustworthy SSL connection between the server and its clients. One can also self-sign a key by signing it with a CA of one's own creation. This method can be secure in certain environments but is not a recommended solution for truly sensitive data, as it doesn't assure the same level of security. At this time, this topic is beyond the scope of this section.

8) OpenSSL is then going to query you for the metadata to be embedded in the certificate describing the purchasing organization/individual and also the domain name(s) that the certificate will be valid for. For this example, the defaults in  are accurate so no alterations are needed.
 You are about to be asked to enter information that will be incorporated into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -
 Country Name (2 letter code) [US]:
 State or Province Name (full name) [Florida]:
 Locality Name (eg, city) [Armstrong]:
 Organization Name (eg, company) [My Example Company, L.L.C.]:
 Organizational Unit Name (eg, section) [Secure Intranet]:
 Common Name (eg, YOUR name) [www.example.com]:
 Email Address [admin@example.com]:

 Please enter the following 'extra' attributes to be sent with your certificate request
 A challenge password []:
 An optional company name [My Example Company, L.L.C.]:

9) The CA will issue a certificate to be stored on the server.

10) The CA's certificate is also required. The acquisition of such is also beyond the scope of this document.

11) Lighttpd requires the insecure key and certificate to be in the same file. We already saved the insecure key to  so we'll output the certificate and pipe it.
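
The eleven steps above as one non-interactive script, followed by a check of the combined file before lighttpd is pointed at it. This is an added example, not part of the original howto: the function names, the KEY_PASS variable and its value, the .key.insecure/.csr/.crt/.pem file names and the self-signed certificate standing in for the CA-issued one are all assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: check_pem, make_demo_pem, KEY_PASS, *.key.insecure.

# check_pem FILE: 0 if FILE is owner-only, holds a clear-text key, and the
# certificate in it was issued for that key; 1-4 name the failed check.
check_pem() {
    pem=$1
    mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
    case $mode in
        [0-7]00) ;;                       # 400, 600: nobody but the owner
        *) echo "$pem: mode $mode exposes the key" >&2; return 1 ;;
    esac
    # Both PEM encodings of an encrypted key contain the word ENCRYPTED.
    if grep -q ENCRYPTED "$pem"; then
        echo "$pem: key is still pass-phrase protected" >&2; return 2
    fi
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) &&
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || {
        echo "$pem: missing key or certificate" >&2; return 3; }
    [ "$key_pub" = "$crt_pub" ] || { echo "$pem: key/cert mismatch" >&2; return 4; }
}

# make_demo_pem DIR: steps 1-11 with throwaway material. A self-signed
# certificate stands in for the CA-issued one (steps 9-10).
make_demo_pem() {
    n=$1/www.example.com
    mkdir -p "$1" && chmod 700 "$1"                                  # step 1
    KEY_PASS='constructed-demo-passphrase'; export KEY_PASS          # constructed value
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$n.key" 2048 2>/dev/null  # steps 2-3
    ( umask 077   # the clear-text copy is never group/world readable, even briefly
      openssl rsa -in "$n.key" -passin env:KEY_PASS \
          -out "$n.key.insecure" 2>/dev/null )                       # steps 4-5
    chmod 400 "$n.key.insecure"                                      # step 6
    openssl req -new -key "$n.key.insecure" \
        -subj "/CN=www.example.com" -out "$n.csr"                    # steps 7-8
    openssl x509 -req -days 1 -in "$n.csr" -signkey "$n.key.insecure" \
        -out "$n.crt" 2>/dev/null                                    # stand-in for step 9
    ( umask 077; cat "$n.key.insecure" "$n.crt" > "$n.pem" )         # step 11
    chmod 400 "$n.pem"
}
```

Try it with `make_demo_pem /tmp/ssl-demo && check_pem /tmp/ssl-demo/www.example.com.pem`; on a real server only `check_pem` is needed, run against the file that holds the CA-issued certificate.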

Configuring Lighttpd
Globally: every socket that Lighttpd accepts connections on is treated as an SSL connection.

Individually: rules define which explicitly matched socket/host/port connections are treated as SSL.

Tips
For dynamic compression (php)

For static compression (html) using mod_compress

The compress directory mentioned in the cache-dir line should be owned by the user who runs the lighttpd daemon.
