Lighttpd with SSL
Posted by Guy Naor Mon, 01 May 2006 03:51:00 GMT
I need SSL (https) support for famundo - it is our expectation that almost everything on famundo will be accessed through https, as the information our customers will put on it might be sensitive, and in any case, there are always privacy issues that need to be taken care of.
My web server of choice is lighttpd, and while implementing the SSL (https) part, I had two problems and finding the solution took some digging. So here's what I did to get it to work.
Listening to both http and https on the same server process - once SSL is activated in lighty using ssl.engine = "enable", the server starts listening on port 443 only. It's the SSL port, and now I can connect with https. But no more http connections are accepted. To solve this, the server needs to be instructed to bind to the SSL port as well as the regular port. In the config:
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
}
Using a chained certificate will not work correctly with this setting. You will get https communications, but the browser will complain that the certificate does not authenticate correctly. To fix that, add the following line to the config file:
ssl.ca-file = "/etc/lighttpd/YourCACert.crt"
The cert file you point to is that of the certification authority that signed your certificate. The client will then authenticate fully.
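Why the browser complained about the chained certificate, as an added example that is not part of the original post: the script builds a constructed root CA, signing CA and server certificate with the openssl CLI, then verifies the server certificate with and without the signing CA's certificate, which is the file ssl.ca-file points to. All file names and subjects are made up for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> signing (intermediate) CA -> server cert.
# Every file name and subject below is made up for this example.

make_demo_chain() {  # $1 = empty working directory
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext" &&
    # Root CA: self-signed, stands in for what the browser already trusts.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null &&
    # Signing CA: the authority that issued the server certificate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Signing CA" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/inter.crt" 2>/dev/null &&
    # Server certificate, issued by the signing CA (not by the root).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.crt" \
        -CAkey "$dir/inter.key" -CAcreateserial -days 2 \
        -out "$dir/server.crt" 2>/dev/null
}

# chain_verifies TRUST_ANCHOR LEAF [CA_CERT_SENT_BY_SERVER]
# Returns 0 only if openssl can build a path from LEAF to TRUST_ANCHOR.
# The optional third file is passed as -untrusted, modelling a server
# that also sends its signing CA's certificate during the handshake.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
    fi
}

d=$(mktemp -d)
make_demo_chain "$d"
chain_verifies "$d/root.crt" "$d/server.crt" ||
    echo "server cert alone: not trusted (the browser complaint)"
chain_verifies "$d/root.crt" "$d/server.crt" "$d/inter.crt" &&
    echo "server cert + signing CA cert: trusted"
rm -rf "$d"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates actually sent, so you can confirm the signing CA's certificate appears after the server's own.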

















