Lighttpd (pronounced “lighty”) is purposefully lightweight Web (HTTP) server software that promises to provide fast responses to HTTP requests by making efficient use of existing hardware resources, such as CPU speed. This makes Lighttpd an especially good choice for hosting Web sites that are hosted on relatively underpowered devices, such as a Raspberry Pi.
- 1 Installing
- 2 Configuring
- 3 Hardening
- 3.1 Disable logging
- 3.2 Disable banners in HTTP responses
- 3.3 Disallow access to the source of executable resources
- 3.4 Disallow command execution via server-side includes
- 4 Provisioning
## Installing

On Debian-derived GNU/Linux distributions, install Lighttpd with:

```sh
sudo apt install lighttpd
```
## Configuring

- Configure the `lighttpd` process itself. This is done by writing a configuration file and placing it in a conventional place, which is usually `/etc/lighttpd/lighttpd.conf`.
- TK-TODO: If you did an `apt install lighttpd`, this file probably already exists and has mostly sensible defaults already. Thanks, Debian Lighttpd package maintainers! :)
- When finished, ensure that the new configuration is sound by testing it for syntax errors, loading and initializing the defined modules, and then exiting:

  ```sh
  sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf
  ```
## Hardening

### Disable logging

Lighttpd performs no logging by default. :) Thanks, Lighttpd developers! If you are troubleshooting an issue with your Lighttpd instance, you can enable error logging by placing `server.errorlog` into your server’s configuration file(s):

```
# Uncomment to (re-)enable error logging.
#server.errorlog = "/var/log/lighttpd/error.log"
```
### Disable banners in HTTP responses

By default, Lighttpd will identify itself in the `Server` HTTP response header as the software servicing the client’s request. We have no need for this. You can disable this by applying the following Lighttpd configuration value:

```
server.tag = ""
```
### Disallow access to the source of executable resources

```
# Never respond to requests for files ending in `.php` (PHP), `.pl` (Perl), or `.fcgi` (can be various languages)
# with the source code contained in the file itself. These are programs whose output should be returned to the
# requesting client, not files whose contents should be handed to the client verbatim.
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
# Be sure to include in this list any additional file extensions that you use for executables.
```
### Disallow command execution via server-side includes

If you are using Lighttpd’s `mod_ssi` (the server-side includes, or SSI module), be cautious about enabling arbitrary command execution:

```
# Earlier in the configuration…
server.modules = ( "mod_ssi", )

# …and some time later in the configuration:
ssi.exec = "disable"
```
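The three hardening settings above are easy to lose across edits or package upgrades, so it helps to have a check that reads a `lighttpd.conf` and reports which of them is missing. The script below is an added example written for this page; it is my hypothetical audit helper, not code from Lighttpd, Debian, or the AnarchoTech NYC Ansible role. It assumes POSIX `sh`, `grep` and `awk`, and ignores Lighttpd's conditional blocks (it only looks for the directives as plain assignments). The two sample configurations it writes are constructed for the demonstration, one without the hardening and one with it.

```sh
#!/bin/sh
# Hypothetical hardening audit for a lighttpd.conf. This is an added example,
# not code from Lighttpd or from the AnarchoTech NYC Ansible role. It checks
# the three settings described above (server.tag, static-file.exclude-extensions,
# ssi.exec) and returns the number of findings, so it can gate a deployment.

# Print only active directives: drop blank lines and lines whose first
# non-blank character is '#', so a commented-out "#server.errorlog = ..."
# is not mistaken for an enabled one.
active_lines() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Collect every assignment to directive $2 in file $1 onto one line, including
# list values that span several lines and "+=" appends, e.g.
#   static-file.exclude-extensions = ( ".php",
#                                      ".pl" )
# The directive name is used as a regex, so '.' in it matches any character.
directive_value() {
    active_lines "$1" | awk -v d="$2" '
        $0 ~ ("^[[:space:]]*" d "[[:space:]]*\\+?=") { grab = 1; open = ($0 ~ /\(/) }
        grab { buf = buf $0 " "; if (!open || $0 ~ /\)/) grab = 0 }
        END { print buf }'
}

# Audit one configuration file. Prints each finding and returns their count
# (0 means all hardening settings from this page are present).
audit_lighttpd_conf() {
    conf=$1
    findings=0

    # 1. Banner: server.tag = "" suppresses the Server response header.
    if ! active_lines "$conf" | grep -q '^[[:space:]]*server\.tag[[:space:]]*=[[:space:]]*""'; then
        echo "FINDING: server.tag is not \"\"; the Server header will identify the software"
        findings=$((findings + 1))
    fi

    # 2. Source disclosure: each executable extension must be excluded from
    #    static file serving, or its source is returned to the client verbatim.
    excl=$(directive_value "$conf" 'static-file.exclude-extensions')
    for ext in .php .pl .fcgi; do
        case "$excl" in
            *\"$ext\"*) ;;
            *)
                echo "FINDING: $ext is not listed in static-file.exclude-extensions"
                findings=$((findings + 1))
                ;;
        esac
    done

    # 3. SSI command execution: only relevant when mod_ssi is loaded; then an
    #    explicit ssi.exec = "disable" is required.
    if directive_value "$conf" 'server.modules' | grep -q '"mod_ssi"'; then
        if ! active_lines "$conf" | grep -q '^[[:space:]]*ssi\.exec[[:space:]]*=[[:space:]]*"disable"'; then
            echo "FINDING: mod_ssi is loaded but ssi.exec is not set to \"disable\""
            findings=$((findings + 1))
        fi
    fi

    # Informational only: error logging is a troubleshooting aid, not a finding.
    if active_lines "$conf" | grep -q '^[[:space:]]*server\.errorlog[[:space:]]*='; then
        echo "INFO: server.errorlog is active"
    fi

    echo "$findings finding(s) in $conf"
    return "$findings"
}

# Constructed sample: a server with mod_ssi loaded and none of the hardening applied.
write_weak_conf() {
    cat > "$1" <<'EOF'
server.modules = (
    "mod_access",
    "mod_ssi",
)
server.document-root = "/var/www/html"
server.port = 80
#server.errorlog = "/var/log/lighttpd/error.log"
static-file.exclude-extensions = ( ".php" )
EOF
}

# Constructed sample: the same server with this page's hardening in place.
write_hardened_conf() {
    cat > "$1" <<'EOF'
server.modules = ( "mod_access" )
server.modules += ( "mod_ssi" )
server.document-root = "/var/www/html"
server.port = 80
server.tag = ""
static-file.exclude-extensions = ( ".php",
                                   ".pl",
                                   ".fcgi" )
ssi.exec = "disable"
EOF
}

# Stand-alone use: audit the file named on the command line.
if [ "$#" -gt 0 ]; then
    audit_lighttpd_conf "$1"
fi
```

Run it as `sh lighttpd-audit.sh /etc/lighttpd/lighttpd.conf` after `lighttpd -tt -f` has confirmed the file parses; the audit only looks for the directives, it does not validate syntax. On the constructed weak configuration it reports four findings (no `server.tag`, `.pl` and `.fcgi` not excluded, `mod_ssi` loaded without `ssi.exec = "disable"`); on the hardened one it reports none and exits 0, which makes it usable as a pre-deploy gate.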
## Provisioning

The AnarchoTech NYC collective provides an Ansible role for provisioning a Lighttpd server that runs on a Raspberry Pi. It can be installed in your local `$ANSIBLE_ROLES_PATH` (see Ansible Configuration Settings) for use with an Ansible project with:

```sh
ansible-galaxy install https://github.com/AnarchoTechNYC/ansible-role-lighttpd/archive/master.tar.gz
```