You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
lighttpd2/doc/mod_openssl.xml

119 lines
3.9 KiB

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:lighttpd.net:lighttpd2/doc1">
<short>listens on separate sockets for TLS connections (https) using OpenSSL</short>
<setup name="openssl">
<short>setup a TLS socket</short>
<parameter name="options">
<table>
<entry name="listen">
<short>(mandatory) the socket address to listen on (same as "listen":plugin_core.html#plugin_core__setup_listen), can be specified more than once to setup multiple sockets with the same options</short>
</entry>
<entry name="pemfile">
<short>(mandatory) file containing the private key, certificate and (optionally) intermediate certificates (the root certificate is usually not included)</short>
</entry>
<entry name="ca-file">
<short>file containing the intermediate certificates</short>
</entry>
<entry name="ciphers">
<short>OpenSSL ciphers string (default: "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK")</short>
</entry>
<entry name="dh-params">
<short>filename with generated dh-params (default: fixed 4096-bit parameters)</short>
</entry>
<entry name="ecdh-curve">
<short>OpenSSL ecdh-curve name</short>
</entry>
<entry name="options">
<short>list of OpenSSL options (default: NO_SSLv2, NO_SSLv3, CIPHER_SERVER_PREFERENCE, NO_COMPRESSION, SINGLE_DH_USE, SINGLE_ECDH_USE)</short>
</entry>
<entry name="verify">
<short>enable client certificate verification (default: false)</short>
</entry>
<entry name="verify-any">
<short>allow all CAs and self-signed certificates, for manual checking (default: false)</short>
</entry>
<entry name="verify-depth">
<short>sets client verification depth (default: 1)</short>
</entry>
<entry name="verify-require">
<short>abort clients failing verification (default: false)</short>
</entry>
<entry name="client-ca-file">
<short>file containing client CA certificates (to verify client certificates)</short>
</entry>
</table>
</parameter>
<description>
<textile>
For @ciphers@ see OpenSSL "ciphers":https://www.openssl.org/docs/manmaster/man1/ciphers.html string
For @options@ see "options":https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html. Explicitly specify the reverse flag by toggling the "NO_" prefix to override defaults.
</textile>
</description>
<example title="Simple TLS on IPv4 and IPv6">
<config>
setup {
module_load "mod_openssl";
openssl [
"listen" => "0.0.0.0:443",
"listen" => "[::]:443",
"pemfile" => "/etc/certs/lighttpd.pem",
"options" => ["ALL", "NO_TICKET"],
];
}
</config>
</example>
<example title="TLS with client certificate verification">
<config>
setup {
module_load "mod_openssl";
openssl (
"listen" => "0.0.0.0:443",
"listen" => "[::]:443",
"pemfile" => "/etc/certs/lighttpd.pem",
"client-ca-file" => "/etc/certs/myCA.pem",
"verify" => true,
"verify-require" => true
);
}
</config>
</example>
<example title="TLS with any client certificate">
<config>
setup {
module_load "mod_openssl";
openssl (
"listen" => "0.0.0.0:443",
"listen" => "[::]:443",
"pemfile" => "/etc/certs/lighttpd.pem",
"verify" => true,
"verify-any" => true,
"verify-depth" => 9
);
}
openssl.setenv "client-cert";
</config>
</example>
</setup>
<action name="openssl.setenv">
<short>set SSL environment strings</short>
<parameter name="list">
<short>list of subsets to export</short>
</parameter>
<description>
<textile>
Supported subsets:
* "client" - set @SSL_CLIENT_S_DN_@ short-named entries
* "client-cert" - set @SSL_CLIENT_CERT@ to client certificate PEM
* "server" - set @SSL_SERVER_S_DN_@ short-named entries
* "server-cert" - set @SSL_SERVER_CERT@ to server certificate PEM
</textile>
</description>
</action>
</module>