Lets encrypt with lighttpd and wordpress

Question

I am trying to implement let's encrypt with certbot and I am using lighttpd on CentOS 6

So this is my full conf file for my host

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/etc/letsencrypt/live/mysite.com/web.pem"
  ssl.ca-file = "/etc/letsencrypt/live/mysite.com/chain.pem"
  server.name = "mysite.com"
  server.document-root = "/home/mysite/public_html"
  server.errorlog = "/var/log/lighttpd/mysite.com_error.log"
  accesslog.filename = "/var/log/lighttpd/mysite.com_access.log"
  ssl.cipher-list = "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-CHACHA20-POLY1305 AES128+EECDH:AES128+EDH:!aNULL:!eNULL"
  ssl.honor-cipher-order = "enable"
  ssl.disable-client-renegotiation = "enable"
  ssl.use-sslv2= "disable"
  ssl.use-sslv3 = "disable"
}

$HTTP["scheme"] == "http" {
  $HTTP["host"] =~ "^(www.)?mysite.com$" {
    server_name = "mysite.com"

    server.document-root = "/home/mysite/public_html"
    accesslog.filename = "/home/mysite/logs/access.log"

    fastcgi.server = ( ".php" =>
      ( "localhost" =>
        (
            "socket" => "/var/run/lighttpd/php-fpm.socket.mysite"
        )
      )
    )

    url.rewrite-once = (

      # Exclude some directories from rewriting
      "^/(\.well-known|wp-admin|wp-includes|wp-content|phpmyadmin)/(.*)" => "$0",

      # Exclude .php files at root from rewriting
      "^/(.*.php)" => "$0",

      # Handle search correctly
      "^/(.*)?(?s=)(.*)$" => "/search/$3",

      # Handle permalinks and feeds
      "^/(.*)$" => "/index.php/$1",

      "^/?$" => "/index.php",

    )


    alias.url = ("/phpmyadmin" => "/usr/share/phpmyadmin/")

  }
}

So first problem I am having is that when i try to go to https:// mysite.com i get content without images and style so that is a url-rewrite problem but i don't see that https is enabled. Is still get warning from browser that my site is not secure.

Second issue is when i add url.redirect = (".*" => "https://%0$0") i get too many redirect ERROR.

So I am puzzled. I think problem might be with rewrites, but it's odd that i don't even have https enabled.

P.S. And yes I got success message from certbot before all this.

THE SOLUTION was just to install WP plugin that would turn all my http links to images and styles to https and now it's working. @mrkoopie answer helped me think about the solution in that way so I am accepting it.

Answer 1

The good news is that your server is configured correct if you don't have a certificate error upon accessing the website via HTTPS. The bad news is that your website is configured incorrectly.

What is happening is that the HTML content is loaded over HTTPS. So far, so good and secure. But what goes wrong is that the objects that your HTML content is referring to, such as images, css and js, are referred with HTTP instead of HTTPS. This is bad, as browser won't download any non-encrypted file when the HTML code is loaded over HTTPS.

To resolve this make sure that your website refers to every file with HTTPS. In WordPress this can be done easily, however you did not provide what system you are using and for each system this is different.

So why is loading objects over HTTP bad when the HTML code is loaded over HTTPS? Well, the fact that you use HTTPS means that you want to load your content securely. The main objective is that nobody can alter or view the content. If you load any object over HTTP, it is vulnerable for malicious injections and anyone can see what content is being loaded (assuming that they can get your traffic). As this reduces the security by a lot, browsers simply ignore any object that is referred by HTTP when the HTML content is loaded via HTTPS. Configuring your server to redirect http traffic to https won't work as the browser will not attempt to load the objects anyways.

Hope this helps.

Answer 2

Notes:

1. lighttpd for CentOS 7 and 8 uses different lighttpd configuration file structure (conf.d directory and modules.conf).

2. CentOS 6 has the old OpenSSL version which will not work well due to OpenSSL security bug. You may need to upgrade your server to CentOS7/8 with latest OpenSSL to support TLS 1.3 version.

3. Make sure you already installed lighttpd and certbot on your CentOS 7/8 Linux server with latest versions as listed here (as of Jan 2021).

   lighttpd/1.4.55 (ssl) 
   OpenSSL 1.1.1g FIPS  21 Apr 2020
   certbot 1.11.0
   

Here's the updated details that will work well with lighttpd, Wordpress and certbot:

1. in your Linux, run:

   openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
   

2. Enable/add mod_openssl and mod_setenv in server.modules in /etc/lighttpd/modules.conf

3. Run

   certbot certonly --webroot -w /home/website -d domain.com
   

   (Replace domain.com with your domain name)

   Output:

   IMPORTANT NOTES:
   - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   
   Your cert will expire on 2021-01-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   certbot renew
   

4. Add

   certbot renew 
   

   to cronjob and run it every month.

5. Directive in lighttpd.conf for ssl

   $HTTP["host"] =~ "domain\.com$" {
   
      server.document-root = "/home/website"
   
      url.rewrite = (
          "^/(.*)\.(.+)$" => "$0",
          "^/(phpMyAdmin)/?(.*)" => "$0",
          "^/(.+)/?$" => "/index.php/$1"
      )
   
      url.access-deny = ( "~", "xmlrpc.php")
      server.error-handler-404 = "/index.php"
      dir-listing.activate       = "disable"
   }
   
   $SERVER["socket"] == ":80" {
           $HTTP["host"] =~ "(.*)" {
                   url.redirect = ( "^/(.*)" => "https://%1/$1" )
           }
   }
   
   
   $SERVER["socket"] == "0.0.0.0:443" {
           ssl.engine   = "enable"
           ssl.disable-client-renegotiation = "enable"
   
           ssl.privkey = "/etc/letsencrypt/live/domain.com/privkey.pem"
           ssl.pemfile = "/etc/letsencrypt/live/domain.com/fullchain.pem"
   
     $HTTP["host"] =~ "domain\.com$" {
           ssl.privkey = "/etc/letsencrypt/live/domain.com/privkey.pem"
           ssl.pemfile = "/etc/letsencrypt/live/domain.com/fullchain.pem"
     }
   
           ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
   
     # ECDH/ECDHE ciphers curve strength
           ssl.ec-curve            = "secp384r1"
           ssl.use-compression     = "disable"
   
     # Environment flag for HTTPS enabled
     setenv.add-environment = (
              "HTTPS" => "on"
     )
   
   
     ssl.use-sslv2 = "disable"
     ssl.use-sslv3 = "disable"
     ssl.openssl.ssl-conf-cmd = ("Protocol" => "-TLSv1.1, -TLSv1, -SSLv3")
     ssl.honor-cipher-order    = "disable"
     ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
   :ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
   
     # HSTS(15768000 seconds = 6 months)
   
     $HTTP["scheme"] == "https" {
           setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; ")
     }
   
   
     $HTTP["host"] =~ "domain\.com$" {
   
        url.rewrite = (
           "^/(.*)\.(.+)$" => "$0",
           "^/(phpMyAdmin)/?(.*)" => "$0",
           "^/(.+)/?$" => "/index.php/$1"
        )
   
        url.access-deny = ( "~", "xmlrpc.php")
        server.error-handler-404 = "/index.php"
        dir-listing.activate       = "disable"
   
     }
   
   }
   ## end zone - $SERVER["socket"] == "0.0.0.0:443"
   

   Then restart your lighttpd server.

SSL Server TEST https://www.ssllabs.com/ssltest/index.html and enter your domain name. This SSL directive above should your site with A+ score on SSL test.