lighttpd-1.4.55 with py37-certbot-1.5.0,1 on FreeBSD 12.1
With time, older ciphers have become weak but are still available in default configurations. We will set up Lighttpd to use only EECDH and EDH ciphers to allow Forward Secrecy.
EDH needs Diffie-Hellman parameters, so we generate a dhparam file:
$ cd /usr/local/etc/lighttpd/
# openssl dhparam -out dhparam.pem 4096
Then we modify the SSL parameters in lighttpd.conf:
in lighttpd.conf
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM"
    ssl.dh-file = "/usr/local/etc/lighttpd/dhparam.pem"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.ec-curve = "secp384r1"
}
Do not forget to set up ssl.pemfile and ssl.ca-file as seen in Episode01 or Episode02.
HSTS stands for HTTP Strict Transport Security. It tells browsers to interact with the server strictly over HTTPS.
HSTS is delivered as an HTTP response header, so we need to enable the mod_setenv module in the Lighttpd configuration. Make sure the following line is not commented out in /usr/local/etc/lighttpd/modules.conf:
"mod_setenv",
Then we add the following lines at the end of lighttpd.conf:
in lighttpd.conf
###SET_ENV module configuration to add HSTS support
$HTTP["scheme"] == "https" {
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
}
As you can see, we have set up HSTS here, but also added X-Frame-Options and X-Content-Type-Options.
As a last step, we make the web server redirect any HTTP request to HTTPS.
For that, the following lines can be added at the end of lighttpd.conf:
in lighttpd.conf
###AND ADD HTTP TO HTTPS REDIRECTION
$HTTP["scheme"] == "http" {
    # capture the vhost name with a regex condition -> %0 in the redirect pattern
    # this must be the innermost block enclosing the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
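To verify that the HSTS/header block and the HTTP-to-HTTPS redirect above are actually served, here is an added Python checker that is not part of the original post: it parses raw responses as captured with `curl -si` and reports what deviates from the configuration; the sample responses and the host example.org are constructed, and the one-year threshold is the minimum max-age the HSTS preload list accepts.

```python
ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts

def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, {lowercase name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def check_https_headers(raw: str) -> list:
    """Findings for an HTTPS response; empty means it matches the configuration."""
    _, h = parse_response(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = {}
        for d in hsts.split(";"):
            name, _, value = d.strip().lower().partition("=")
            directives[name] = value
        max_age = directives.get("max-age", "")
        if not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age!r} is below one year")
        for token in ("includesubdomains", "preload"):
            if token not in directives:
                findings.append(f"HSTS lacks {token}")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings

def check_http_redirect(raw: str, host: str, path: str) -> list:
    """Check that a plain-HTTP response redirects to the same host and path over HTTPS."""
    status, h = parse_response(raw)
    findings = []
    if status not in (301, 302, 307, 308):
        findings.append(f"expected a redirect, got {status}")
    if h.get("location") != f"https://{host}{path}":
        findings.append(f"unexpected Location: {h.get('location')}")
    return findings

# Constructed samples (what `curl -si` would capture): compliant, weak, and the redirect.
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
              "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n\r\n<html></html>")
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.org/index.html\r\n\r\n"
```

Run check_https_headers on the HTTPS response and check_http_redirect on the plain-HTTP one; any non-empty list means the Lighttpd block is not doing what this page expects.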
This is a bonus step, since it is not required to obtain an A+ SSL grade. CAA records tell which certificate authorities are allowed to issue certificates for your domain. For example, if you use Let's Encrypt, add the following to your DNS records:
in DNS records
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild "letsencrypt.org"
Should you have any comments on this page, get in touch!