snapshot lighttpd config

lighttpd/etc/.lighttpdpassword

@@ -0,0 +1 @@
+user:dummy

lighttpd/etc/lighttpd/blog.conf

@@ -0,0 +1,26 @@
+server.modules += ("mod_accesslog", "mod_alias")
+
+$SERVER["socket"] == ":1992" {
+    accesslog.filename = "/host/var/log/lighttpd/blog-lara.log"
+    server.document-root = "/host/var/www/blog/lara/site"
+    alias.url = ("/asset" => "/host/var/www/blog/lara/asset")
+    server.errorfile-prefix = "/host/var/www/blog/lara/site/error/http-"
+
+    # Authentication
+    auth.backend = "plain"
+    auth.backend.plain.userfile = "/host/etc/.lighttpdpassword"
+    auth.require = (
+       "/" => (
+           "method" => "basic",
+           "realm" => "Password protected area",
+           "require" => "valid-user"
+       )
+    )
+}
+
+$SERVER["socket"] == ":3838" {
+    accesslog.filename = "/host/var/log/lighttpd/blog-scotland.log"
+    server.document-root = "/host/var/www/blog/scotland/site"
+    alias.url = ("/asset" => "/host/var/www/blog/scotland/asset")
+    server.errorfile-prefix = "/host/var/www/blog/scotland/site/error/http-"
+}

lighttpd/etc/lighttpd/global.conf

@@ -0,0 +1,57 @@
+server.modules += ("mod_auth", "mod_setenv")
+
+$SERVER["socket"] == ":81" {
+    server.document-root = "/host/var/www/global"
+    auth.backend = "plain"
+    auth.backend.plain.userfile = "/host/etc/.lighttpdpassword"
+
+    $HTTP["url"] !~ "^(/public/.*|/.well-known/.*)" {
+        auth.require = (
+            "/" => (
+                "method" => "basic",
+                "realm" => "Password protected area",
+                "require" => "valid-user"
+            )
+        )
+    }
+}
+
+$SERVER["socket"] == ":443" {
+    server.document-root = "/host/var/www/global"
+
+    # Enable SSL
+    ssl.engine = "enable"
+    ssl.pemfile = "/host/etc/certs/key+certificate.pem"
+    ssl.ca-file = "/host/etc/certs/intermediate.pem"
+    ssl.dh-file = "/host/etc/certs/dh.pem"
+
+    # Increased security, from https://cipherli.st/
+    ssl.honor-cipher-order = "enable"
+    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
+    setenv.add-response-header = (
+        "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
+        "X-Frame-Options" => "DENY",
+        "X-Content-Type-Options" => "nosniff"
+    )
+    ssl.use-sslv2 = "disable"
+    ssl.use-sslv3 = "disable"
+
+    # Increased security, from https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
+    $HTTP["scheme"] == "https" {
+        setenv.add-response-header = (
+            # "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
+            "X-Frame-Options" => "DENY"
+        )
+    }
+
+    # Authentication
+    auth.backend = "plain"
+    auth.backend.plain.userfile = "/host/etc/.lighttpdpassword"
+    auth.require = (
+        "/" => (
+            "method" => "basic",
+            "realm" => "Password protected area",
+            "require" => "valid-user"
+        )
+    )
+}