From dc6b02477d9fff2f6d0bf5cfec549cad62bce5d5 Mon Sep 17 00:00:00 2001
From: Rik Veenboer
Date: Wed, 27 Nov 2024 09:01:59 +0100
Subject: [PATCH] snapshot lighttpd config
---
 lighttpd/etc/.lighttpdpassword | 1 +
 lighttpd/etc/lighttpd/blog.conf | 26 ++++++++++++++
 lighttpd/etc/lighttpd/global.conf | 57 +++++++++++++++++++++++++++++++
 3 files changed, 84 insertions(+)
 create mode 100644 lighttpd/etc/.lighttpdpassword
 create mode 100644 lighttpd/etc/lighttpd/blog.conf
 create mode 100644 lighttpd/etc/lighttpd/global.conf
diff --git a/lighttpd/etc/.lighttpdpassword b/lighttpd/etc/.lighttpdpassword
new file mode 100644
index 0000000..7553633
--- /dev/null
+++ b/lighttpd/etc/.lighttpdpassword
@@ -0,0 +1 @@
+user:dummy
diff --git a/lighttpd/etc/lighttpd/blog.conf b/lighttpd/etc/lighttpd/blog.conf
new file mode 100644
index 0000000..a4e7afa
--- /dev/null
+++ b/lighttpd/etc/lighttpd/blog.conf
@@ -0,0 +1,26 @@
+server.modules += ("mod_accesslog", "mod_alias")
+
+$SERVER["socket"] == ":1992" {
+ accesslog.filename = "/host/var/log/lighttpd/blog-lara.log"
+ server.document-root = "/host/var/www/blog/lara/site"
+ alias.url = ("/asset" => "/host/var/www/blog/lara/asset")
+ server.errorfile-prefix = "/host/var/www/blog/lara/site/error/http-"
+
+ # Authentication
+ auth.backend = "plain"
+ auth.backend.plain.userfile = "/host/etc/.lighttpdpassword"
+ auth.require = (
+ "/" => (
+ "method" => "basic",
+ "realm" => "Password protected area",
+ "require" => "valid-user"
+ )
+ )
+}
+
+$SERVER["socket"] == ":3838" {
+ accesslog.filename = "/host/var/log/lighttpd/blog-scotland.log"
+ server.document-root = "/host/var/www/blog/scotland/site"
+ alias.url = ("/asset" => "/host/var/www/blog/scotland/asset")
+ server.errorfile-prefix = "/host/var/www/blog/scotland/site/error/http-"
+}
diff --git a/lighttpd/etc/lighttpd/global.conf b/lighttpd/etc/lighttpd/global.conf
new file mode 100644
index 0000000..cbfeb0a
--- /dev/null
+++ b/lighttpd/etc/lighttpd/global.conf
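Review bot: A credential file for the `plain` auth backend is committed at lighttpd/etc/.lighttpdpassword, and that backend keeps `user:password` pairs in cleartext, so anyone with read access to the repository or to the file on the host holds the live password. If `user:dummy` is only a placeholder, say so in the commit or a neighbouring README and keep the real file out of version control (supplied at deploy time); if it was ever a real entry, treat it as disclosed and rotate it. The three `auth.backend = "plain"` blocks in blog.conf and global.conf could instead use `auth.backend = "htpasswd"` with `auth.backend.htpasswd.userfile`, so the file holds password hashes rather than cleartext. Git records only the executable bit, so the deployed copy (created here as mode 100644) still needs its permissions restricted to the lighttpd user on the host.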
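Review bot: The `:1992` vhost enforces HTTP Basic authentication on a plain-HTTP socket, so the credentials from `.lighttpdpassword` cross the network merely base64-encoded, i.e. effectively in cleartext; the `:81` block in global.conf in this same patch has the same issue. Either terminate TLS on those sockets (as `:443` already does with `ssl.engine = "enable"`) or bind them to a trusted interface only, e.g. `$SERVER["socket"] == "127.0.0.1:1992" {`. This file uses `auth.*` directives while loading only `mod_accesslog` and `mod_alias`, so it depends on global.conf contributing `mod_auth` to the merged `server.modules` list via the main lighttpd.conf include order, which is not in this patch; a comment above `server.modules` such as `# mod_auth is loaded by global.conf; both files must be included together` would make that dependency visible. The `:3838` block carries no `auth.require` at all; if that site is intended to be public, a one-line comment saying so would mark the asymmetry as deliberate rather than an omission.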
@@ -0,0 +1,57 @@
+server.modules += ("mod_auth", "mod_setenv")
+
+$SERVER["socket"] == ":81" {
+ server.document-root = "/host/var/www/global"
+ auth.backend = "plain"
+ auth.backend.plain.userfile = "/host/etc/.lighttpdpassword"
+
+ $HTTP["url"] !~ "^(/public/.*|/.well-known/.*)" {
+ auth.require = (
+ "/" => (
+ "method" => "basic",
+ "realm" => "Password protected area",
+ "require" => "valid-user"
+ )
+ )
+ }
+}
+
+$SERVER["socket"] == ":443" {
+ server.document-root = "/host/var/www/global"
+
+ # Enable SSL
+ ssl.engine = "enable"
+ ssl.pemfile = "/host/etc/certs/key+certificate.pem"
+ ssl.ca-file = "/host/etc/certs/intermediate.pem"
+ ssl.dh-file = "/host/etc/certs/dh.pem"
+
+ # Increased security, from https://cipherli.st/
+ ssl.honor-cipher-order = "enable"
+ ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
+ setenv.add-response-header = (
+ "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
+ "X-Frame-Options" => "DENY",
+ "X-Content-Type-Options" => "nosniff"
+ )
+ ssl.use-sslv2 = "disable"
+ ssl.use-sslv3 = "disable"
+
+ # Increased security, from https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
+ $HTTP["scheme"] == "https" {
+ setenv.add-response-header = (
+ # "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
+ "X-Frame-Options" => "DENY"
+ )
+ }
+
+ # Authentication
+ auth.backend = "plain"
+ auth.backend.plain.userfile = "/host/etc/.lighttpdpassword"
+ auth.require = (
+ "/" => (
+ "method" => "basic",
+ "realm" => "Password protected area",
+ "require" => "valid-user"
+ )
+ )
+}
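Review bot: Inside the `:443` block the nested `$HTTP["scheme"] == "https"` conditional re-assigns `setenv.add-response-header` with only `X-Frame-Options`; every request on a TLS socket matches that condition and `=` inside a lighttpd conditional replaces the enclosing value rather than merging with it, so the `Strict-Transport-Security` and `X-Content-Type-Options` headers set a few lines earlier are most likely never emitted. Remove the nested block (it is redundant on a socket with `ssl.engine = "enable"`) or change the inner assignment to `setenv.add-response-header += ( ... )`, and confirm the headers in a captured response after deploy. In the `:81` block the exemption regex `"^(/public/.*|/.well-known/.*)"` leaves the dot in `.well-known` unescaped so it matches any character there; `"^(/public/|/\.well-known/)"` expresses the intent, and it is worth checking that the installed lighttpd version matches `$HTTP["url"]` against the normalized path so dot-segments inside an exempt prefix cannot reach content that should be protected. The cipher list from cipherli.st predates TLS 1.3; if the deployed version supports it, `ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")` states the protocol floor explicitly instead of only disabling SSLv2 and SSLv3.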