3

I'm trying out Lighttpd and I've stumbled across a small but very annoying problem; the IPv6 configuration is a total mess and requires you to duplicate your SSL settings two times; see for yourself:

# listen to ipv4
server.bind = "0.0.0.0" 
server.port = "80" 

# listen to ipv6
$SERVER["socket"] == "[::]:80" {  }

# if you need ssl
$SERVER["socket"] == "0.0.0.0:443" { <here your ssl options> }
$SERVER["socket"] == "[::]:443" { <here your ssl options again> } # sadness

Does anyone know a way to avoid that? I'd say if there was such a way it would be in the documentation, but after seeing how empty conditional blocks can be used to bind to additional sockets I wouldn't be surprised if there was some other "magic" and undocumented method to achieve what I want.

I've tried multiple combinations of setting server.bind to either [::] or 0.0.0.0, setting the conditionals to [::]:443, 0.0.0.0:443 or simply :443, but I always ended up with one of the HTTPS sockets missing, either over IPv4 or IPv6 depending on the combination (can't post the exact results, I didn't keep track of them and redoing the tests is quite annoying).

Michael Hampton
  • With the right socket options `[::]:443` can be used to accept both IPv4 and IPv6 connections. However, I don't know if that is something you can specify in the Lighttpd configuration. – kasperd Feb 24 '15 at 19:31
  • @kasperd I thought that too but couldn't get it to work, one socket was always missing. –  Feb 24 '15 at 19:32
  • Anyway I've gone back to Nginx as I just couldn't replicate my configuration with Lighttpd (no support for something like "proxy unless local file is found"). –  Feb 24 '15 at 19:33
  • You don't need two sockets. One socket is enough to listen for both IPv4 and IPv6. – kasperd Feb 24 '15 at 19:35
  • @kasperd what I meant is I always ended up with one of `curl -4 localhost`, `curl -6 localhost`, `curl -4 https://localhost`, `curl -6 https://localhost` returning "connection refused", so one of the sockets wasn't listening on either IPv6 or v4 depending on the configuration. –  Feb 24 '15 at 19:36

1 Answer

7

You can use variables and include configuration from files, see Configuration file syntax for the core module. We can use the latter here:

$SERVER["socket"] == "0.0.0.0:443" { include "ssl.conf" }
$SERVER["socket"] == "[::]:443" { include "ssl.conf" }

and then do the configuration in ssl.conf:

ssl.engine  = "enable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.pemfile = "/etc/ssl/private/example.pem" 
ssl.ca-file = "/etc/ssl/certs/example.crt" 
sebix
  • Better, but still not optimal as there is not only SSL stuff that I need to put in there but the entire "virtual host" definition (which means I then need to put my config in yet another file and include that from ssl.conf)... –  Feb 24 '15 at 19:31
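
Duplicated per-socket SSL settings, as in the question, can drift apart so that the IPv6 listener ends up configured differently from the IPv4 one. The following is an added example, not part of the original post or answers: a small Python check that compares the options of `$SERVER["socket"]` blocks sharing a port. It assumes flat blocks (no nested conditionals) and does not follow `include` files; the function names and the sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches $SERVER["socket"] == "ADDR:PORT" { BODY } for blocks without nested braces.
SOCKET_BLOCK = re.compile(r'\$SERVER\["socket"\]\s*==\s*"([^"]*):(\d+)"\s*\{([^{}]*)\}')
OPTION = re.compile(r'^\s*([\w.\-]+)\s*=\s*"([^"]*)"\s*$')
INCLUDE = re.compile(r'^\s*include\s+"([^"]+)"\s*$')

def socket_settings(config_text):
    """Map port -> {bind address: {option: value}} for every socket block."""
    by_port = defaultdict(dict)
    for addr, port, body in SOCKET_BLOCK.findall(config_text):
        settings = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]  # drop trailing comments
            if m := OPTION.match(line):
                settings[m.group(1)] = m.group(2)
            elif m := INCLUDE.match(line):
                settings["include:" + m.group(1)] = ""  # record, do not follow
        by_port[int(port)][addr] = settings
    return dict(by_port)

def drift(config_text):
    """Return (port, option, {addr: value}) for options that differ between
    sockets bound to the same port; a value of None means the option is missing."""
    findings = []
    for port, blocks in sorted(socket_settings(config_text).items()):
        for key in sorted(set().union(*blocks.values())):
            values = {addr: opts.get(key) for addr, opts in blocks.items()}
            if len(set(values.values())) > 1:
                findings.append((port, key, values))
    return findings

# Constructed sample: the IPv6 copy of the block lost its SSLv3 setting.
SAMPLE = '''
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.use-sslv3 = "disable"
    ssl.pemfile = "/etc/ssl/private/example.pem"
}
$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/private/example.pem"  # use-sslv3 line is missing
}
'''

if __name__ == "__main__":
    for port, key, values in drift(SAMPLE):
        print(f"port {port}: {key} differs between sockets: {values}")
```

With the `include "ssl.conf"` form from the answer, both blocks carry the same single entry and the check reports nothing.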