If you are testing a web application, or just want a secure login page for it, you can create a self-signed SSL certificate instead of buying one. I have already explained the procedure for installing a real, third-party signed SSL certificate.
The procedure is as follows:
Step # 1: Create self signed SSL Certificates
Create a directory to store SSL certificate:
# mkdir /etc/lighttpd/ssl/domain.com -p
# cd /etc/lighttpd/ssl/domain.com
# openssl req -new -x509 -newkey rsa:2048 -keyout server.pem -out server.pem -days 365 -nodes
# chown lighttpd:lighttpd /etc/lighttpd/ssl -R
# chmod 0700 /etc/lighttpd/ssl/domain.com
# chmod 0600 /etc/lighttpd/ssl/domain.com/server.pem
The directory needs the execute bit (0700) to be traversable; 0600 belongs on the PEM file, which contains the private key. Use the account lighttpd actually runs as (server.username in lighttpd.conf): on Debian and Ubuntu that is www-data, and chown fails with "invalid user" if no lighttpd user exists.
You will be prompted for the country name, organisation and so on. At the "Common Name (eg, YOUR name)" prompt enter the exact hostname clients will use, such as www.domain.com, not your own name, otherwise browsers report a name mismatch on top of the self-signed warning. Note that this interactive form adds no subjectAltName extension, which current browsers also require for hostname matching.
Step # 2: Configure Lighttpd
Open lighttpd configuration file:
# vi /etc/lighttpd/lighttpd.conf
Add the following directives; the $SERVER["socket"] block binds an extra HTTPS listener alongside the existing plain HTTP one:
$SERVER["socket"] == "192.168.1.100:443" {
    server.document-root = "/home/lighttpd/domain.com"
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/domain.com/server.pem"
}
Make sure you replace the IP address 192.168.1.100 with your server's actual IP address. ssl.pemfile must point at the file holding both the private key and the certificate, not at the directory. On lighttpd 1.4.46 and later TLS support lives in a separate module, so server.modules must also include "mod_openssl" (older versions have it built in).
Step # 3: Restart Lighttpd
Test config file for errors:
# lighttpd -t -f /etc/lighttpd/lighttpd.conf
Now Restart lighttpd:
# /etc/init.d/lighttpd restart
Verify that lighttpd is now listening on port 443:
# netstat -tulpn | grep :443
Configure your firewall/iptables to allow port 443. The following are sample iptables rules; append them to your iptables shell script:
SERVER_IP="192.168.1.100"
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Redirect plain text login page to secure login page
Let us assume you would like to redirect all incoming WordPress login requests for http://domain.com/blog/wp-login.php to https://domain.com/blog/wp-login.php.
Add the following snippet to the part of lighttpd.conf that handles plain HTTP (port 80) requests. It needs mod_redirect in server.modules, and the dot in the pattern must be escaped or it matches any character:
$HTTP["url"] =~ "^/blog/wp-login\.php" {
    url.redirect = ( "^/(.*)" => "https://www.domain.com/$1" )
}
The redirect only covers requests that arrive over plain HTTP, and a redirected POST loses its body. Make sure the login form itself submits to an https:// URL, otherwise the credentials are still sent in clear text.
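Putting the steps above together, here is an added shell script (not code from the original tutorial or from the lighttpd project) that creates the key and certificate with the hostname in both the Common Name and a subjectAltName, locks down the file permissions, checks that the private key really matches the certificate (the check behind lighttpd's "Private key does not match the certificate public key" error) and prints the matching lighttpd.conf fragment, including the HTTPS redirect for the login page. The hostname www.example.com, the directory /tmp/lighttpd-ssl, the document root /srv/www and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: carry out the steps
# above in one script. Assumed values: host www.example.com, directory
# /tmp/lighttpd-ssl and document root /srv/www.
set -eu

# make_selfsigned_pem DIR HOST [DAYS]: write DIR/server.pem (key + cert).
make_selfsigned_pem() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    chmod 0700 "$dir"   # a directory needs the x bit; 0600 makes it untraversable
    cfg="$dir/openssl.cnf"
    # Browsers match the name against subjectAltName, not only the CN, so put
    # the hostname in both. A config file works on every OpenSSL release;
    # the -addext shortcut needs OpenSSL 1.1.1 or later.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[ dn ]
CN = $host
[ v3_server ]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask in a subshell so the key is never world-readable, even briefly
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -nodes -days "$days" \
          -config "$cfg" -keyout "$dir/server.key" -out "$dir/server.crt"
      # ssl.pemfile expects the private key and the certificate in one file
      cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem" )
    chmod 0600 "$dir/server.pem"
    rm -f "$dir/server.key" "$cfg"   # server.crt is kept for importing into browsers
}

# pem_key_matches_cert PEM: succeed only if the key and certificate in PEM
# belong together, i.e. the public key in the cert equals the key's public half.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pem_san PEM: print the certificate's subjectAltName entries.
pem_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# lighttpd_tls_config IP PEM DOCROOT HOST: print the lighttpd.conf fragment,
# HTTPS socket plus the plain-HTTP login-page redirect.
lighttpd_tls_config() {
    ip=$1 pem=$2 docroot=$3 host=$4
    cat <<EOF
# lighttpd 1.4.46 and later ship TLS as mod_openssl; older builds have it
# compiled in and do not need (or accept) this module.
server.modules += ( "mod_openssl", "mod_redirect" )

\$SERVER["socket"] == "$ip:443" {
    server.document-root = "$docroot"
    ssl.engine  = "enable"
    ssl.pemfile = "$pem"
}

# applies to whatever plain HTTP listener already exists
\$HTTP["scheme"] == "http" {
    # a redirected POST loses its body, so the form must post to https://
    \$HTTP["url"] =~ "^/blog/wp-login\\.php" {
        url.redirect = ( "^/(.*)" => "https://$host/\$1" )
    }
}
EOF
}

# Usage: sh mk-lighttpd-tls.sh run
if [ "${1:-}" = "run" ]; then
    d=/tmp/lighttpd-ssl/www.example.com
    make_selfsigned_pem "$d" www.example.com
    pem_key_matches_cert "$d/server.pem" && echo "key and certificate match"
    echo "SAN: $(pem_san "$d/server.pem")"
    lighttpd_tls_config 192.168.1.100 "$d/server.pem" /srv/www www.example.com
fi
```

Run it as `sh mk-lighttpd-tls.sh run`, then move server.pem under /etc/lighttpd/ssl/<host>/ (owned by the user in server.username) and paste the printed fragment into lighttpd.conf. The redirect is keyed on $HTTP["scheme"] rather than on a second socket block, so it attaches to the plain HTTP listener you already have without binding port 80 twice.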
Worked great for me first time. Not one issue. Great instructions.
Really helpful guides for lighttpd. I got up and running in no time. Thanks a lot!
Thanks for the tutorial, but lighttpd with openssl produces an error:
(network.c.601) SSL: failed to initialize TLS servername callback, openssl library does not support TLS servername extension
freebsd 7.3
openssl-0.9.8m
lighttpd-1.4.26
Hi,
Thanks for the tutorial!
I discovered that the key generation command asked for information but gave fairly misleading guidance which led to some confusion.
The important one was this prompt:
-> Common Name (eg, YOUR name) []:
This actually needs to be the exact hostname ie “www.domain.com” of the server you’re generating the key for. You’d be forgiven for thinking otherwise!
Info from http://sial.org/howto/openssl/self-signed/
I wonder if you could update the HOWTO to clarify this point?
Thanks,
Paul
Please help
I’m still getting the following error in FF,
The connection was interrupted….
and I couldn't run the following line,
chown lighttpd:lighttpd /etc/lighttpd/ssl -R
it says "invalid user".
I’m trying to implement ssl over my ruby app.
please help and thank you for the great post
— sameera
What a wonderful post! It's been a little tough finding a good, simple, but effective site to help me get https connections working on my lighttpd setup!
Many thanks! This post helped a lot!
The certificate pops up as if it is owned by . How do you fix that?
Matt,
Thanks for heads up!
To avoid confusion, example has been modified.
Correction:
ssl.pemfile = "/etc/lighttpd/ssl/domain.com/domain.com"
Otherwise lighttpd will try to open the directory as the key file and will fail with
SSL: Private key does not match the certificate public key, reason: error:0906D06C:PEM routines:PEM_read_bio:no start line