Lighttpd

Lighttpd (pronounced “lighty”) is purposefully lightweight Web (HTTP) server software that promises to provide fast responses to HTTP requests by making efficient use of existing hardware resources, such as CPU speed. This makes Lighttpd an especially good choice for hosting Web sites on relatively underpowered devices, such as a Raspberry Pi.

Installing

On Debian-derived GNU/Linux distributions, install lighttpd with:

sudo apt install lighttpd

Configuring

  1. Configure the lighttpd process itself. This is done by writing a configuration file and placing it in a conventional place, which is usually /etc/lighttpd/lighttpd.conf.
  2. TK-TODO: If you installed with apt install lighttpd, this file probably already exists and has mostly sensible defaults. Thanks, Debian Lighttpd package maintainers! :)
  3. When finished, ensure that the new configuration is sound by testing it for syntax errors, loading and initializing the defined modules, and then exiting:
    sudo lighttpd -tt

Hardening

Disable logging

Lighttpd performs no logging by default. :) Thanks, Lighttpd developers! If you are troubleshooting an issue with your Lighttpd instance, you can enable error logging by setting server.errorlog in your server’s configuration file(s):

# Uncomment to (re-)enable error logging.
#server.errorlog = "/var/log/lighttpd/error.log"

Disable banners in HTTP responses

By default, Lighttpd will identify itself in the Server HTTP response header as the software servicing the client’s request. We have no need for this. You can disable this by applying the following Lighttpd configuration value:

server.tag = ""

Disallow access to the source of executable resources

# Never respond to requests for files ending in `.php` (PHP), `.pl` (Perl), or `.fcgi` (can be various languages)
# with the source code contained in the file itself. These are programs whose output should be returned to the
# requesting client, not files whose contents should be handed to the client verbatim.
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
# Be sure to include in this list any additional file extensions that you use for executables.

Disallow command execution via server-side includes

If you are using Lighttpd’s mod_ssi (the server-side includes, or SSI, module), be cautious about enabling arbitrary command execution through SSI directives; leave ssi.exec disabled unless you actually need it:

# Earlier in the configuration…
server.modules = (
        "mod_ssi",
)

# …and some time later in the configuration:
ssi.exec = "disable"
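
To check that a configuration actually carries the settings from the Hardening section above, here is a small POSIX shell audit script. It is an added example, not part of this page or of the Lighttpd project; the two sample configs it writes to temporary files are constructed for demonstration, and it assumes one-line assignments with no “#” inside quoted values.

```shell
#!/bin/sh
# Added example (not from the page or the Lighttpd project): audit a lighttpd.conf
# for the hardening settings described above. Sample configs are constructed.

# Print the value of the last active (uncommented) assignment of key $2 in file $1.
# Assumes one-line assignments and no '#' inside quoted values.
active_value() {
    sed -e 's/#.*$//' "$1" | grep -E "^[[:space:]]*$2[[:space:]]*=" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Print one "FAIL: ..." line per missing hardening setting; return the FAIL count.
audit_lighttpd_conf() {
    conf=$1; fails=0
    # Banner: server.tag must be the empty string so no Server header is sent.
    if [ "$(active_value "$conf" 'server\.tag')" != '""' ]; then
        echo 'FAIL: server.tag is not "" (Server header reveals software)'; fails=$((fails + 1))
    fi
    # Source disclosure: each executable extension must be excluded from static serving.
    excl=$(active_value "$conf" 'static-file\.exclude-extensions')
    for ext in .php .pl .fcgi; do
        case "$excl" in
            *"\"$ext\""*) ;;
            *) echo "FAIL: \"$ext\" missing from static-file.exclude-extensions"; fails=$((fails + 1)) ;;
        esac
    done
    # SSI: only matters when mod_ssi is loaded; then ssi.exec must be "disable".
    if sed -e 's/#.*$//' "$conf" | grep -q '"mod_ssi"' &&
       [ "$(active_value "$conf" 'ssi\.exec')" != '"disable"' ]; then
        echo 'FAIL: mod_ssi is loaded but ssi.exec is not "disable"'; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: mod_ssi loaded, no hardening applied (expect 5 FAIL lines).
WEAK_CONF=$(mktemp)
printf '%s\n' 'server.modules = ( "mod_ssi", )' 'ssi.exec = "enable"' \
    'server.errorlog = "/var/log/lighttpd/error.log"' > "$WEAK_CONF"

# Constructed sample: the same config with this page's settings applied (expect 0).
HARD_CONF=$(mktemp)
printf '%s\n' 'server.modules = ( "mod_ssi", )' 'server.tag = ""' \
    'static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )' \
    '#server.errorlog = "/var/log/lighttpd/error.log"' 'ssi.exec = "disable"' > "$HARD_CONF"

audit_lighttpd_conf "$WEAK_CONF" || echo "weak config: $? failing check(s)"
audit_lighttpd_conf "$HARD_CONF" && echo "hardened config: all checks passed"
```

Run it against the real file with audit_lighttpd_conf /etc/lighttpd/lighttpd.conf after sourcing the script; a nonzero exit status is the number of missing settings.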