Last updated: 2026-02-11
Lighttpd TLS/SSL Configuration Guide
This guide provides recommended TLS settings for Lighttpd, a lightweight web server built for high-performance environments. The directives below target mod_openssl, Lighttpd's OpenSSL-based TLS module; the ssl.openssl.ssl-conf-cmd directive used throughout passes commands to OpenSSL's SSL_CONF interface, so its keywords (MinProtocol, CipherString, Ciphersuites, Options) are OpenSSL's, not Lighttpd's.
Prerequisites
- Lighttpd 1.4.56 or later (for mod_openssl and ssl-conf-cmd support)
- OpenSSL 1.1.1 or later (for TLS 1.3 support)
- A valid SSL/TLS certificate
Lighttpd reads the server certificate and its intermediate chain from ssl.pemfile. The private key can either be appended to that same PEM file or, from Lighttpd 1.4.53, kept in a separate file named by ssl.privkey. Separate files make it easier to restrict permissions: the key file must not be readable by other users, while the certificate chain is public and can stay readable.
Enable mod_openssl
Load the TLS module in your Lighttpd configuration (/etc/lighttpd/lighttpd.conf):
server.modules += ("mod_openssl")
Protocol Versions
Set the minimum TLS version to 1.2 using ssl.openssl.ssl-conf-cmd. TLS 1.0 and 1.1 are deprecated (RFC 8996); the cipher list below contains only TLS 1.2 suites anyway, but stating MinProtocol makes the policy explicit and keeps it in force if the cipher list is later changed:
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
Cipher Suites
Configure strong cipher suites for TLS 1.2 and TLS 1.3:
ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305")
ssl.openssl.ssl-conf-cmd += ("Ciphersuites" => "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
- CipherString controls TLS 1.2 cipher suites (OpenSSL format).
- Ciphersuites controls TLS 1.3 cipher suites.
Every suite in the list provides forward secrecy (ephemeral ECDH key exchange) and uses an AEAD cipher, so there is no weak option for a client to pick. Letting the client choose has a concrete benefit: devices without AES hardware acceleration can select ChaCha20-Poly1305, which is faster for them. Disable server cipher preference:
ssl.honor-cipher-order = "disable"
Certificate Configuration
Using a combined PEM file (certificate + private key):
ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
Using separate files (Lighttpd 1.4.53+):
ssl.privkey = "/etc/lighttpd/ssl/privkey.pem"
ssl.pemfile = "/etc/lighttpd/ssl/fullchain.pem"
OCSP Stapling
Lighttpd does not contact the CA's OCSP responder itself. Since 1.4.56 it can staple a response that you supply as a DER file through ssl.stapling-file; the file must be refreshed by an external job before the response's nextUpdate time passes (responses are typically valid for a few days). ssl.ca-file does not enable stapling on its own. If the stapling file is missing or stale, Lighttpd simply sends no staple, and unless the certificate carries the must-staple extension clients fall back to their own revocation checks rather than failing, so an expired staple is easy to miss and should be checked after every refresh.
ssl.stapling-file = "/etc/lighttpd/ssl/ocsp-response.der"
To fetch a response, first read the responder URL from the certificate's Authority Information Access extension and substitute it for http://ocsp.example.com; -no_nonce is used because many responders serve pre-signed responses and do not echo a nonce:
openssl x509 -in cert.pem -noout -ocsp_uri
openssl ocsp -issuer chain.pem -cert cert.pem -no_nonce -url http://ocsp.example.com -respout /etc/lighttpd/ssl/ocsp-response.der
Here cert.pem is the leaf certificate only and chain.pem must begin with its issuer (the intermediate CA). Run this from cron or from your ACME client's renewal hook, write to a temporary file and rename it into place so Lighttpd never reads a half-written response, and confirm afterwards that a staple is actually served.
HSTS
Add the HSTS header with mod_setenv. Send it only from the HTTPS listener (browsers ignore HSTS received over plain HTTP), and treat preload as a commitment: once the domain is on the browser preload lists, every subdomain must serve valid HTTPS and removal takes months. Start with a shorter max-age and without preload until you have verified that nothing under the domain still depends on plain HTTP:
server.modules += ("mod_setenv")
setenv.add-response-header = ("Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload")
HTTPS Redirect
Redirect HTTP to HTTPS using conditional configuration. url.redirect is provided by mod_redirect, which must be loaded; the redirect is a 301 by default:
server.modules += ("mod_redirect")
$SERVER["socket"] == ":80" {
$HTTP["host"] =~ "(.*)" {
url.redirect = ("^/(.*)" => "https://%1/$1")
}
}
%1 is the Host header captured by the enclosing condition and $1 is the request path, so the client lands on the same path over HTTPS.
Disable Session Tickets
Stateless session tickets are encrypted with a server-side ticket key, so any session resumed from a ticket is only as forward-secret as that key's lifetime. Unless you know your build rotates the ticket key frequently, it is safer to turn tickets off. The -ServerPreference flag expresses through the OpenSSL interface the same choice as ssl.honor-cipher-order = "disable"; keeping both makes the intent explicit:
ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference,-SessionTicket")
Disabling tickets costs some resumption performance for returning clients; measure on busy servers before and after.
Complete Configuration Example
server.modules += (
"mod_openssl",
"mod_setenv",
"mod_redirect"
)
# HTTPS listener
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
# Certificate files
ssl.privkey = "/etc/lighttpd/ssl/privkey.pem"
ssl.pemfile = "/etc/lighttpd/ssl/fullchain.pem"
ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
# Protocol and cipher settings
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305")
ssl.openssl.ssl-conf-cmd += ("Ciphersuites" => "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference,-SessionTicket")
ssl.honor-cipher-order = "disable"
# HSTS
setenv.add-response-header = ("Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload")
}
# HTTP to HTTPS redirect
$SERVER["socket"] == ":80" {
$HTTP["host"] =~ "(.*)" {
url.redirect = ("^/(.*)" => "https://%1/$1")
}
}
Verification
Check the configuration for syntax errors, then restart Lighttpd:
lighttpd -t -f /etc/lighttpd/lighttpd.conf
systemctl restart lighttpd
Confirm that both permitted versions negotiate (each command should print the negotiated cipher and complete the handshake) and that a deprecated version is refused (the third command should fail with a handshake error or "no protocols available"):
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
openssl s_client -connect example.com:443 -tls1_1
Test your configuration externally using Qualys SSL Labs at https://www.ssllabs.com/ssltest/.
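The following script is an added example for this guide, not part of Lighttpd or of the original page. It automates the checks above together with the ones the OCSP, HSTS and redirect sections call for: it confirms that TLS 1.0 and 1.1 are refused while 1.2 and 1.3 negotiate, that an OCSP response is stapled, that the HSTS header meets the policy configured earlier, and that the port-80 listener redirects to https. It assumes openssl (1.1.1 or later) and curl are installed; the host and port are placeholders you pass on the command line. The parsing is kept in small functions that read command output on stdin, so they can be exercised against canned output without a network.

```shell
#!/bin/sh
# tls_check.sh: probe a Lighttpd HTTPS host for the settings in this guide.
# Added example for this guide, not part of lighttpd. Assumes openssl 1.1.1+ and
# curl on PATH; the host and port are placeholders passed on the command line:
#   sh tls_check.sh example.com          # port 443
#   sh tls_check.sh example.com 8443

# Versions the guide permits (MinProtocol = TLSv1.2).
allowed_protocol() {
    case "$1" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Stdin: "openssl s_client" output. Prints "<version> <cipher>" for a completed
# handshake and nothing for a refused one, which s_client reports as
# "New, (NONE), Cipher is (NONE)". The later "Protocol :" line in the
# SSL-Session block is ignored on purpose: s_client prints it even on failure.
parse_negotiated() {
    sed -n 's/^New, \(TLSv1[.0-9]*\), Cipher is \([^ ]*\).*/\1 \2/p' | head -n1
}

# Stdin: raw HTTP response headers. Succeeds only if a Strict-Transport-Security
# header is present with max-age >= $1 seconds and includeSubDomains.
hsts_ok() {
    min=$1
    line=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n1)
    [ -n "$line" ] || return 1
    age=$(printf '%s\n' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] || return 1
    [ "$age" -ge "$min" ] || return 1
    printf '%s\n' "$line" | grep -qi 'includesubdomains'
}

# Stdin: raw HTTP response headers from the port-80 listener. Succeeds if the
# status is a redirect and Location points at an https:// URL.
redirect_ok() {
    hdrs=$(tr -d '\r')
    printf '%s\n' "$hdrs" | head -n1 | grep -Eq '^HTTP/[0-9.]+ (301|302|307|308)( |$)' || return 1
    printf '%s\n' "$hdrs" | grep -Eiq '^location: *https://'
}

# Stdin: "openssl s_client -status" output. Succeeds if an OCSP response was stapled.
stapled_ok() {
    grep -q 'OCSP Response Status: successful'
}

probe() {
    host=$1; port=${2:-443}; rc=0
    # Each deprecated version must be refused, each permitted one must negotiate.
    for opt in tls1 tls1_1 tls1_2 tls1_3; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" "-$opt" </dev/null 2>/dev/null)
        got=$(printf '%s\n' "$out" | parse_negotiated)
        if [ -n "$got" ]; then
            if allowed_protocol "${got%% *}"; then
                echo "ok    -$opt negotiated $got"
            else
                echo "FAIL  -$opt negotiated $got (MinProtocol should refuse it)"; rc=1
            fi
        else
            case $opt in
                tls1_2|tls1_3) echo "FAIL  -$opt was refused"; rc=1 ;;
                *)             echo "ok    -$opt was refused" ;;
            esac
        fi
    done
    if openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null | stapled_ok; then
        echo "ok    OCSP response stapled"
    else
        echo "WARN  no OCSP response stapled (missing or expired ssl.stapling-file?)"
    fi
    if curl -sSI --max-time 10 "https://$host:$port/" | hsts_ok 31536000; then
        echo "ok    HSTS header with max-age >= 1 year and includeSubDomains"
    else
        echo "FAIL  HSTS header missing or weaker than the policy"; rc=1
    fi
    if curl -sSI --max-time 10 "http://$host/" | redirect_ok; then
        echo "ok    http:// redirects to https://"
    else
        echo "FAIL  port 80 does not redirect to https://"; rc=1
    fi
    return $rc
}

# Only probe when a host was given, so the functions can also be sourced.
if [ $# -ge 1 ]; then
    probe "$@"
fi
```

The exit status is nonzero whenever a FAIL line is printed, so the script can run from a monitoring job after each certificate or OCSP refresh. The missing staple is reported as a warning rather than a failure because, without the must-staple extension, clients still connect; raise it to a failure if you rely on stapling.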