Dual stack Lighttpd without repeating the SSL configuration
I'm trying out Lighttpd and I've stumbled across a small but very annoying problem; the IPv6 configuration is a total mess and requires you to duplicate your SSL settings two times; see for yourself:
# listen to ipv4
server.bind = "0.0.0.0"
server.port = "80"
# listen to ipv6
$SERVER["socket"] == "[::]:80" { }
# if you need ssl
$SERVER["socket"] == "0.0.0.0:443" { <here your ssl options> }
$SERVER["socket"] == "[::]:443" { <here your ssl options again> } # sadness
Does anyone know a way to avoid that? I'd say if there was such a way it would be in the documentation, but after seeing how empty conditional blocks can be used to bind to additional sockets I wouldn't be surprised if there was some other "magic" and undocumented method to achieve what I want.
I've tried multiple combinations of setting server.bind to either [::] or 0.0.0.0, setting the conditionals to [::]:443, 0.0.0.0:443 or simply :443, but I always ended up with one of the HTTPS sockets missing, either over IPv4 or IPv6 depending on the combination (can't post the exact results, I didn't keep track of them and redoing the tests is quite annoying).
You can use variables and include configuration from files, see Configuration file syntax for the core module. We can use the latter here:
$SERVER["socket"] == "0.0.0.0:443" { include "ssl.conf" }
$SERVER["socket"] == "[::]:443" { include "ssl.conf" }
and then do the configuration in ssl.conf:
ssl.engine = "enable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.pemfile = "/etc/ssl/private/example.pem"
ssl.ca-file = "/etc/ssl/certs/example.crt"
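A way to confirm that both HTTPS sockets end up with the same ssl.* options, whether the settings are duplicated inline or shared through include (an added example, not part of the original answer). The parser is a simplified sketch that assumes flat socket blocks and plain include "file" lines, and the sample configurations are constructed:

```python
import re
# $SERVER["socket"] == "<addr>" { <body> }; the body may not contain nested braces.
SOCKET_RE = re.compile(r'\$SERVER\["socket"\]\s*==\s*"([^"]+)"\s*\{([^{}]*)\}')
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*$')
OPTION_RE = re.compile(r'^\s*(ssl\.[\w.-]+)\s*=\s*(.+?)\s*$')

# Constructed sample configs (not from a real server).
FILES = {"ssl.conf": 'ssl.engine = "enable"\nssl.use-sslv3 = "disable"\n'
                     'ssl.pemfile = "/etc/ssl/private/example.pem"\n'}
SHARED = '''
$SERVER["socket"] == "[::]:80" { }
$SERVER["socket"] == "0.0.0.0:443" { include "ssl.conf" }
$SERVER["socket"] == "[::]:443" { include "ssl.conf" }
'''
DUPLICATED = '''
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.use-sslv3 = "disable"   # hardening added to this copy only
}
$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
'''

def strip_comment(line):
    return line.split("#", 1)[0]  # simplification: no "#" inside quoted values

def ssl_options(body, files):
    """Collect ssl.* options from a block body, expanding include directives."""
    opts = {}
    for line in map(strip_comment, body.splitlines()):
        inc, opt = INCLUDE_RE.match(line), OPTION_RE.match(line)
        if inc:
            opts.update(ssl_options(files[inc.group(1)], files))
        elif opt:
            opts[opt.group(1)] = opt.group(2)
    return opts

def tls_sockets(conf, files, port="443"):
    """Map each socket listening on `port` to its effective ssl.* options."""
    text = "\n".join(map(strip_comment, conf.splitlines()))
    return {a: ssl_options(b, files) for a, b in SOCKET_RE.findall(text)
            if a.rsplit(":", 1)[-1] == port}

def drift(sockets):
    """Option names whose value differs, or is missing, on some socket."""
    names = set().union(*sockets.values())
    return sorted(n for n in names
                  if len({o.get(n) for o in sockets.values()}) > 1)

if __name__ == "__main__":
    print(drift(tls_sockets(SHARED, FILES)), drift(tls_sockets(DUPLICATED, {})))
```

With the shared include the drift list is empty; in the duplicated layout the IPv6 listener is reported as missing ssl.use-sslv3.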