FreeBSD Lighttpd Installation and Configuration Plus Mod OpenSSL

This web server, distributed under the BSD license, is among the lightest, safest and fastest web servers. Lighttpd is very reliable in high-performance environments where little memory is available compared to other web servers, and it keeps CPU load manageable while offering an extended set of features such as SCGI, output compression, auth, FastCGI, URL rewriting and many others.

For users whose web server is struggling under load, Lighttpd is the ideal solution. Lighttpd is a great alternative to the widely used Nginx and Apache web servers, because it is a lightweight open source web server optimized for high-speed environments and low resource usage, which reduces the load on the CPU.

You probably know that some sites serve thousands of files in parallel, so a large amount of memory is required and the maximum number of threads or processes is also high.

Dan Kegel described the problem of handling thousands of concurrent requests in detail on his C10K problem page. In 2003, a German MySQL developer named Jan Kneschke became interested in this problem and decided that he could write a web server faster than Apache by focusing on the right techniques.

Jan Kneschke therefore designed lighttpd as a single process with one thread and non-blocking I/O. It uses the fastest event handler available on the target system: epoll, kqueue or /dev/poll. It also prefers efficient system calls such as sendfile over plain reads and writes. The fruit of his labor was that, within a few months, lighttpd was serving static files faster than Apache.

In this article, you will learn how to install and configure Lighttpd on a FreeBSD server. To improve the security of the Lighttpd web server, we have also covered the OpenSSL module (mod_openssl) in this article.


1. System specifications

OS: FreeBSD 13.2 Stable
Hostname: ns5
IP Address: 192.168.5.2
Domain: datainchi.com
Lighttpd version: lighttpd/1.4.67 (ssl) - a light and fast webserver


2. Installing Lighttpd

As you know, on a FreeBSD server there are two ways to install an application: the ports system and pkg binary packages. For the Lighttpd installation we prefer the ports system, because it can build in all the libraries that Lighttpd needs with the options we choose.

Before we start installing Lighttpd, first install its dependencies, namely the "Build dependencies" and the "Library dependencies". Here's how to install them.

root@ns5:~ # pkg install cmake-core ninja pkgconf

The command above installs the "Build dependencies". Now we install the "Library dependencies" that Lighttpd will use.

root@ns5:~ # pkg install pcre2 nettle lua54

With all the dependencies installed, we continue by installing Lighttpd itself.

root@ns5:~ # cd /usr/ports/www/lighttpd
root@ns5:/usr/ports/www/lighttpd # make config

In the "make config" dialog you have to enable several options; because we will use the OpenSSL module, enable the "OPENSSL" option.

Use the command "make install clean" to start the build and installation process.

root@ns5:/usr/ports/www/lighttpd # make install clean


3. Start Up rc.d

You certainly don't want to start every application by hand; starting Lighttpd manually after each reboot would be very troublesome. The following is how to make Lighttpd start automatically on your FreeBSD server.

Linux has systemd to start applications automatically, while FreeBSD has rc.d. To have Lighttpd start automatically, open the "/etc/rc.conf" file and add the lines below to it.

lighttpd_enable="YES"
lighttpd_conf="/usr/local/etc/lighttpd/lighttpd.conf"
lighttpd_pidfile="/var/run/lighttpd.pid"
lighttpd_instances=""

In the settings above, the Lighttpd configuration file lives in the "/usr/local/etc/lighttpd" directory, with the file name "lighttpd.conf".

You can start Lighttpd with the following command.

root@ns5:~ # service lighttpd restart


4. Configuring Lighttpd

Lighttpd's main configuration file is "/usr/local/etc/lighttpd/lighttpd.conf"; open the file and edit only the directives you need. To bind Lighttpd to the port and IP address of your choice, and to run it as the unprivileged "www" user and group, set the directives below.

server.port = 80
server.use-ipv6 = "disable"
server.bind = "192.168.5.2"
server.username  = "www"
server.groupname = "www"
server.document-root = "/usr/local/www" + "/data"
server.pid-file = state_dir + "/lighttpd.pid"

For those who are new to Lighttpd, the "log" configuration is important, because often things fail or Lighttpd does not start because of a wrong "log" configuration. Use the directives below to configure logging.

server.errorlog-use-syslog = "enable"
include conf_dir + "/conf.d/debug.conf"

With the configuration above, Lighttpd writes its error log through syslog instead of a log file it has to own and keep writable, and it includes the debug options from "conf.d/debug.conf".

Often when running Lighttpd an error message like the following appears.

2024-01-15 10:31:51: (configfile.c.1287) WARNING: unknown config-key: dir-listing.encoding (ignored)
2024-01-15 10:31:51: (configfile.c.1287) WARNING: unknown config-key: dir-listing.exclude (ignored)

To overcome this, you can activate the "dir-listing.activate" option in the "/usr/local/etc/lighttpd/lighttpd.conf" file.

include conf_dir + "/conf.d/dirlisting.conf"
dir-listing.activate = "enable"

Now start Lighttpd.

root@ns5:~ # service lighttpd restart
Performing sanity check on lighttpd configuration:
Stopping lighttpd.
Waiting for PIDS: 12730.
Starting lighttpd.

You can see the complete "/usr/local/etc/lighttpd/lighttpd.conf" file on the unixwinbsd GitHub.

All Lighttpd data is stored in the "/usr/local/www/data" directory. Create an index.html file there, paste in the page you downloaded from the unixwinbsd GitHub, and make the directory owned by the "www" user and group that Lighttpd runs as.

root@ns5:~ # cd /usr/local/www
root@ns5:/usr/local/www # mkdir -p data
root@ns5:/usr/local/www # cd data
root@ns5:/usr/local/www/data # touch index.html
root@ns5:/usr/local/www/data # chown -R www:www /usr/local/www/data/


5. Mod OpenSSL

The main function of encryption is to convert plain-text communication into cipher text that cannot be read by unauthorized parties. All sensitive user data, such as login credentials and personal information, is encrypted before being sent over the network, so only a recipient holding the correct decryption key can read it.

Web servers generally use two encryption protocols for websites:

SSL: Secure Sockets Layer
TLS: Transport Layer Security (the replacement for SSL)

Lighttpd also has very capable encryption support. There are several ways to enable encryption on a web server; in this article we only discuss how to do it with OpenSSL.

As a first step we will generate the private key and the CSR. We will store the private key and the CSR in the /etc/ssl directory on FreeBSD. Change into that directory and run the command below.

root@ns5:~ # cd /etc/ssl
root@ns5:/etc/ssl # openssl genrsa -out /etc/ssl/unixwinbsd.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
....................................................................................................................................................++++
.........................++++
e is 65537 (0x010001)

For better security, restrict the file permissions of the key to 400 or 600.

root@ns5:/etc/ssl # chmod 400 /etc/ssl/unixwinbsd.key

The next step is to create a .csr file that carries the domain and organization details of your website.

root@ns5:/etc/ssl # openssl req -new -sha256 -key /etc/ssl/unixwinbsd.key -out /etc/ssl/unixwinbsd.csr

Self-sign the CSR to produce a certificate valid for 365 days.

root@ns5:/etc/ssl # openssl x509 -req -days 365 -in unixwinbsd.csr -signkey unixwinbsd.key -out unixwinbsd.crt
Signature ok

Combine the certificate (plus any intermediate certificates, if a CA issued it) and the private key into one PEM file.

root@ns5:/etc/ssl # cat unixwinbsd.crt unixwinbsd.key > unixwinbsd-ssl.pem
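The key, CSR, self-signing and concatenation steps above, collected into one script that runs without prompts and then verifies its own output (key and certificate match, subject as requested, certificate not expired, key files not readable by anyone but the owner). This is an added example, not from the article or the lighttpd project. It assumes openssl(1) is installed, that the file names follow the article (unixwinbsd.key, .csr, .crt and -ssl.pem under /etc/ssl) and that datainchi.com is the common name you want in the certificate.

```shell
#!/bin/sh
# make_selfsigned_pem: the key -> CSR -> self-signed certificate -> combined PEM
# steps from this article, run non-interactively and checked afterwards.
# Added example, not part of lighttpd or the FreeBSD port. It assumes the
# openssl(1) command; BITS defaults to 4096 as in the article.
#
#   make_selfsigned_pem DIR NAME COMMON_NAME
#
# creates DIR/NAME.key, DIR/NAME.csr, DIR/NAME.crt and DIR/NAME-ssl.pem, with
# the key and the PEM at mode 400, and returns non-zero if any step or check fails.
make_selfsigned_pem() {
    dir="$1"; name="$2"; cn="$3"; bits="${BITS:-4096}"
    key="$dir/$name.key"; csr="$dir/$name.csr"
    crt="$dir/$name.crt"; pem="$dir/$name-ssl.pem"

    # 1. Private key. umask 077 means the file is never world-readable,
    #    not even between creation and the chmod that follows.
    (umask 077 && openssl genrsa -out "$key" "$bits" 2>/dev/null) || return 1
    chmod 400 "$key" || return 1

    # 2. CSR; -subj supplies the subject so the command does not prompt.
    openssl req -new -sha256 -key "$key" -out "$csr" -subj "/CN=$cn" || return 1

    # 3. Self-sign the CSR for 365 days (a CA-issued certificate replaces this step).
    openssl x509 -req -days 365 -in "$csr" -signkey "$key" -out "$crt" 2>/dev/null || return 1

    # 4. Combined file for ssl.pemfile: certificate first, then the private key.
    (umask 077 && cat "$crt" "$key" > "$pem") || return 1
    chmod 400 "$pem" || return 1

    # 5. Checks: the certificate's public key matches the private key, the
    #    subject is what we asked for, the certificate is not expired, and
    #    neither file holding the key is readable by group or others.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
    openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$cn" || return 1
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 1
    [ -z "$(find "$key" "$pem" \( -perm -004 -o -perm -040 \))" ] || return 1
}

# Reproduce the article's files when run directly with "run".
if [ "${1:-}" = "run" ]; then
    make_selfsigned_pem /etc/ssl unixwinbsd datainchi.com \
        && echo "created /etc/ssl/unixwinbsd-ssl.pem"
fi
```

Run it as root with `sh make-pem.sh run`; a non-zero exit means one of the steps or checks failed, so do not point ssl.pemfile at the result until it passes. The combined PEM contains the private key, which is why the script keeps it at mode 400; lighttpd reads it once at start-up before switching to the "www" user, so the restrictive mode does not interfere with serving.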
After you have successfully created an SSL certificate, edit the Lighttpd configuration file, namely "/usr/local/etc/lighttpd/lighttpd.conf".

Type the script below to activate OpenSSL on Lighttpd.

server.modules += ( "mod_openssl" )
ssl.pemfile = "/etc/ssl/unixwinbsd-ssl.pem"

$SERVER["socket"] == "*:443" {
    ssl.engine = "enable"
}
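Before restarting, it is worth checking the directives from sections 4 and 5 for the mistakes that most often cause a failed start or an exposed key: running as root, a TLS socket without mod_openssl loaded, a missing or world-readable PEM file, and directory listings switched on. The script below is an added example, not part of lighttpd or the FreeBSD port. It only greps for the directives shown in this article (it does not follow "include" lines or parse the full lighttpd config grammar) and assumes ssl.pemfile points at the combined certificate-plus-key file created above.

```shell
#!/bin/sh
# lighttpd_lint: read-only sanity checks on a lighttpd.conf before you run
# "service lighttpd restart". Added example, not part of lighttpd or the
# FreeBSD port; it greps for the directives used in this article and does
# not follow "include" lines or parse the full lighttpd config grammar.

# conf_value FILE KEY: print the quoted string assigned to KEY (last match wins)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# warn MESSAGE: print a warning and count it
warn() {
    echo "WARN: $*"
    warnings=$((warnings + 1))
}

# lighttpd_lint FILE: return 0 when no warning was raised, 1 otherwise
lighttpd_lint() {
    conf="$1"
    warnings=0

    # Lighttpd must drop to an unprivileged account after binding port 80/443.
    user=$(conf_value "$conf" server.username)
    group=$(conf_value "$conf" server.groupname)
    [ -n "$user" ] && [ "$user" != root ] \
        || warn "server.username must be an unprivileged user (found '${user:-unset}')"
    [ -n "$group" ] && [ "$group" != wheel ] \
        || warn "server.groupname must be an unprivileged group (found '${group:-unset}')"

    # Directory listings reveal every file name under the document root.
    if [ "$(conf_value "$conf" dir-listing.activate)" = enable ]; then
        warn "dir-listing.activate is enabled: directories without an index file will list their contents"
    fi

    # TLS: the module must be loaded, and the PEM (which holds the private
    # key) must exist and must not be readable by group or others.
    if [ "$(conf_value "$conf" ssl.engine)" = enable ]; then
        grep -Eq '^[[:space:]]*server\.modules[[:space:]]*\+?=.*"mod_openssl"' "$conf" \
            || warn "ssl.engine is enabled but mod_openssl is not in server.modules"
        pem=$(conf_value "$conf" ssl.pemfile)
        if [ -z "$pem" ]; then
            warn "ssl.engine is enabled but ssl.pemfile is not set"
        elif [ ! -f "$pem" ]; then
            warn "ssl.pemfile $pem does not exist"
        elif [ -n "$(find "$pem" \( -perm -004 -o -perm -040 \))" ]; then
            warn "ssl.pemfile $pem is readable by group or others (use chmod 400)"
        fi
    fi

    echo "$warnings warning(s) for $conf"
    [ "$warnings" -eq 0 ]
}

# Check the live configuration when run directly with "check".
if [ "${1:-}" = "check" ]; then
    lighttpd_lint /usr/local/etc/lighttpd/lighttpd.conf
fi
```

Run `sh lighttpd-lint.sh check` and fix every WARN line before `service lighttpd restart`; the syntax itself is still checked by `lighttpd -t -f /usr/local/etc/lighttpd/lighttpd.conf`, which the rc.d script runs as its "sanity check". The dir-listing warning is deliberate: the article turns the option on to get rid of the unknown-config-key messages, but a directory listing shows every file name under the document root to anyone who asks, so keep it enabled only for directories that are meant to be browsed.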

6. Test Lighttpd

As the final step, we test the configuration above. First restart the Lighttpd web server with the following command.

root@ns5:/etc/ssl # service lighttpd restart

If the command above reports an error with the SSL file (Lighttpd sometimes fails to pick up the certificate file you have just created), you can regenerate the certificate and the combined PEM file with the two commands below and restart again.

root@ns5:/etc/ssl # openssl x509 -req -days 365 -in unixwinbsd.csr -signkey unixwinbsd.key -out unixwinbsd.crt
root@ns5:/etc/ssl # cat unixwinbsd.crt unixwinbsd.key > unixwinbsd-ssl.pem

Now open the Google Chrome web browser and type "http://192.168.5.2" or "https://192.168.5.2" in the address bar. The result will look like the image below.

In conclusion, Lighttpd is a lightweight, efficient, powerful and versatile web server that stands out among many other web server software such as NGINX and Apache. Its event-driven architecture, advanced features, and focus on security make it an excellent choice for serving web content in a variety of environments.
Iwan Setiawan