1 #######################################################################
3 ## /etc/lighttpd/lighttpd.conf
5 ## check /etc/lighttpd/conf.d/*.conf for the configuration of modules.
7 #######################################################################
9 #######################################################################
11 ## Some Variable definition which will make chrooting easier.
13 ## if you add a variable here. Add the corresponding variable in the
14 ## chroot example aswell.
16 var.log_root = "/var/log/lighttpd"
17 var.server_root = "/srv/www"
18 var.state_dir = "/var/run"
19 var.home_dir = "/var/lib/lighttpd"
20 var.conf_dir = "/etc/lighttpd"
23 ## run the server chrooted.
25 ## This requires root permissions during startup.
27 ## If you run Chrooted set the the variables to directories relative to
30 ## example chroot configuration:
32 #var.log_root = "/logs"
33 #var.server_root = "/"
34 #var.state_dir = "/run"
35 #var.home_dir = "/lib/lighttpd"
36 #var.vhosts_dir = "/vhosts"
37 #var.conf_dir = "/etc"
39 #server.chroot = "/srv/www"
42 ## Some additional variables to make the configuration easier
46 ## Base directory for all virtual hosts
50 ## conf.d/simple_vhost.conf
51 ## vhosts.d/vhosts.template
53 var.vhosts_dir = server_root + "/vhosts"
56 ## Cache for mod_compress
59 ## conf.d/compress.conf
61 var.cache_dir = "/var/cache/lighttpd"
64 ## Base directory for sockets.
67 ## conf.d/fastcgi.conf
70 var.socket_dir = home_dir + "/sockets"
73 #######################################################################
75 #######################################################################
78 include "modules.conf"
81 #######################################################################
83 #######################################################################
85 ## Basic Configuration
86 ## ---------------------
93 server.use-ipv6 = "enable"
96 ## bind to a specific IP
98 #server.bind = "localhost"
101 ## Run as a different username/groupname.
102 ## This requires root permissions during startup.
104 server.username = "lighttpd"
105 server.groupname = "lighttpd"
108 ## enable core files.
110 #server.core-files = "disable"
115 server.document-root = server_root + "/htdocs"
118 ## The value for the "Server:" response field.
120 ## It would be nice to keep it at "lighttpd".
122 #server.tag = "lighttpd"
127 server.pid-file = state_dir + "/lighttpd.pid"
130 #######################################################################
132 #######################################################################
135 ## ------------------
137 ## all logging options can be overwritten per vhost.
139 ## Path to the error log file
141 server.errorlog = log_root + "/error.log"
144 ## If you want to log to syslog you have to unset the
145 ## server.errorlog setting and uncomment the next line.
147 #server.errorlog-use-syslog = "enable"
152 include "conf.d/access_log.conf"
155 ## The debug options are moved into their own file.
156 ## see conf.d/debug.conf for various options for request debugging.
158 include "conf.d/debug.conf"
161 #######################################################################
163 #######################################################################
165 ## Tuning/Performance
166 ## --------------------
168 ## corresponding documentation:
169 ## https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_Performance
171 ## set the event-handler (read the performance section in the manual)
173 ## possible options on linux are:
179 ## linux-sysepoll is recommended on kernel 2.6.
181 server.event-handler = "linux-sysepoll"
184 ## The basic network interface for all platforms at the syscalls read()
185 ## and write(). Every modern OS provides its own syscall to help network
186 ## servers transfer files as fast as possible
188 ## sendfile - is recommended for small files.
189 ## writev - is recommended for sending many large files
191 server.network-backend = "sendfile"
194 ## As lighttpd is a single-threaded server, its main resource limit is
195 ## the number of file descriptors, which is set to 1024 by default (on
198 ## If you are running a high-traffic site you might want to increase this
199 ## limit by setting server.max-fds.
201 ## Changing this setting requires root permissions on startup. see
202 ## server.username/server.groupname.
204 ## By default lighttpd would not change the operation system default.
205 ## But setting it to 2048 is a better default for busy servers.
207 server.max-fds = 2048
210 ## listen-backlog is the size of the listen() backlog queue requested when
211 ## the lighttpd server ask the kernel to listen() on the provided network
212 ## address. Clients attempting to connect() to the server enter the listen()
213 ## backlog queue and wait for the lighttpd server to accept() the connection.
215 ## The out-of-box default on many operating systems is 128 and is identified
216 ## as SOMAXCONN. This can be tuned on many operating systems. (On Linux,
217 ## cat /proc/sys/net/core/somaxconn) Requesting a size larger than operating
218 ## system limit will be silently reduced to the limit by the operating system.
220 ## When there are too many connection attempts waiting for the server to
221 ## accept() new connections, the listen backlog queue fills and the kernel
222 ## rejects additional connection attempts. This can be useful as an
223 ## indication to an upstream load balancer that the server is busy, and
224 ## possibly overloaded. In that case, configure a smaller limit for
225 ## server.listen-backlog. On the other hand, configure a larger limit to be
226 ## able to handle bursts of new connections, but only do so up to an amount
227 ## that the server can keep up with responding in a reasonable amount of
228 ## time. Otherwise, clients may abandon the connection attempts and the
229 ## server will waste resources servicing abandoned connections.
231 ## It is best to leave this setting at its default unless you have modelled
232 ## your traffic and tested that changing this benefits your traffic patterns.
236 #server.listen-backlog = 128
239 ## Stat() call caching.
241 ## lighttpd can utilize FAM/Gamin to cache stat call.
243 ## possible values are:
244 ## disable, simple or fam.
246 server.stat-cache-engine = "simple"
249 ## Fine tuning for the request handling
251 ## max-connections == max-fds/2 (maybe /3)
252 ## means the other file handles are used for fastcgi/files
254 server.max-connections = 1024
257 ## How many seconds to keep a keep-alive connection open,
258 ## until we consider it idle.
262 #server.max-keep-alive-idle = 5
265 ## How many keep-alive requests until closing the connection.
269 #server.max-keep-alive-requests = 16
272 ## Maximum size of a request in kilobytes.
273 ## By default it is unlimited (0).
275 ## Uploads to your server cant be larger than this value.
277 #server.max-request-size = 0
280 ## Time to read from a socket before we consider it idle.
284 #server.max-read-idle = 60
287 ## Time to write to a socket before we consider it idle.
291 #server.max-write-idle = 360
297 ## see /usr/share/doc/lighttpd/traffic-shaping.txt
299 ## Values are in kilobyte per second.
301 ## Keep in mind that a limit below 32kB/s might actually limit the
302 ## traffic to 32kB/s. This is caused by the size of the TCP send
307 #server.kbytes-per-second = 128
312 #connection.kbytes-per-second = 32
315 #######################################################################
317 #######################################################################
319 ## Filename/File handling
320 ## ------------------------
323 ## files to check for if .../ is requested
324 ## index-file.names = ( "index.php", "index.rb", "index.html",
325 ## "index.htm", "default.htm" )
327 index-file.names += (
328 "index.xhtml", "index.html", "index.htm", "default.htm", "index.php"
332 ## deny access the file-extensions
334 ## ~ is for backupfiles from vi, emacs, joe, ...
335 ## .inc is often used for code includes which should in general not be part
336 ## of the document-root
337 url.access-deny = ( "~", ".inc" )
340 ## disable range requests for pdf files
341 ## workaround for a bug in the Acrobat Reader plugin.
343 $HTTP["url"] =~ "\.pdf$" {
344 server.range-requests = "disable"
348 ## url handling modules (rewrite, redirect)
350 #url.rewrite = ( "^/$" => "/server-status" )
351 #url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" )
354 ## both rewrite/redirect support back reference to regex conditional using %n
356 #$HTTP["host"] =~ "^www\.(.*)" {
357 # url.redirect = ( "^/(.*)" => "http://%1/$1" )
361 ## which extensions should not be handle via static-file transfer
363 ## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
365 static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" )
368 ## error-handler for all status 400-599
370 #server.error-handler = "/error-handler.html"
371 #server.error-handler = "/error-handler.php"
374 ## error-handler for status 404
376 #server.error-handler-404 = "/error-handler.html"
377 #server.error-handler-404 = "/error-handler.php"
380 ## Format: <errorfile-prefix><status-code>.html
381 ## -> ..../status-404.html for 'File not found'
383 #server.errorfile-prefix = "/srv/www/htdocs/errors/status-"
388 include "conf.d/mime.conf"
391 ## directory listing configuration
393 include "conf.d/dirlisting.conf"
396 ## Should lighttpd follow symlinks?
398 server.follow-symlink = "enable"
401 ## force all filenames to be lowercase?
403 #server.force-lowercase-filenames = "disable"
406 ## defaults to /var/tmp as we assume it is a local harddisk
408 server.upload-dirs = ( "/var/tmp" )
411 #######################################################################
414 #######################################################################
419 ## To enable SSL for the whole server you have to provide a valid
420 ## certificate and have to enable the SSL engine.::
422 ## ssl.engine = "enable"
423 ## ssl.pemfile = "/path/to/server.pem"
425 ## The HTTPS protocol does not allow you to use name-based virtual
426 ## hosting with SSL. If you want to run multiple SSL servers with
427 ## one lighttpd instance you must use IP-based virtual hosting: ::
429 ## Mitigate CVE-2009-3555 by disabling client triggered renegotation
430 ## This is enabled by default.
432 ## IMPORTANT: this setting can only be used in the global scope.
433 ## It does *not* work inside conditionals
435 # ssl.disable-client-renegotiation = "enable"
437 ## $SERVER["socket"] == "10.0.0.1:443" {
438 ## ssl.engine = "enable"
439 ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
441 ## # (Following SSL/TLS Deployment Best Practices 1.3 / 17 September 2013 from:
442 ## # https://www.ssllabs.com/projects/best-practices/index.html)
443 ## # - BEAST is considered mitigaed on client side now, and new weaknesses have been found in RC4,
444 ## # so it is strongly advised to disable RC4 ciphers (HIGH doesn't include RC4)
445 ## # - It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP,
446 ## # so you might want to support 3DES for now - just remove the '!3DES' parts below).
447 ## # - The examples below prefer ciphersuites with "Forward Secrecy" (and ECDHE over DHE (alias EDH)), remove '+kEDH +kRSA'
448 ## # if you don't want that.
449 ## # - SRP and PSK are not supported anyway, excluding those ('!kSRP !kPSK') just keeps the list smaller (easier to review)
450 ## # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes)
452 ## # If you know you have RSA keys (standard), you can use:
453 ## ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"
454 ## # The more generic version (without the restriction to RSA keys) is
455 ## # ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK"
457 ## # Make the server prefer the order of the server side cipher suite instead of the client suite.
458 ## # This option is enabled by default, but only used if ssl.cipher-list is set.
460 ## # ssl.honor-cipher-order = "enable"
462 ## server.name = "www.example.com"
464 ## server.document-root = "/srv/www/vhosts/example.com/www/"
468 ## If you have a .crt and a .key file, cat them together into a
470 ## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \
471 ## > /etc/ssl/private/lighttpd.pem
473 #ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
476 ## optionally pass the CA certificate here.
482 ## and the CRL revocation list here.
485 #ssl.ca-crl-file = ""
488 #######################################################################
490 #######################################################################
492 ## custom includes like vhosts.
494 #include "conf.d/config.conf"
495 #include "/etc/lighttpd/vhosts.d/*.conf"
497 #######################################################################