####################################################################### ## ## /etc/lighttpd/lighttpd.conf ## ## check /etc/lighttpd/conf.d/*.conf for the configuration of modules. ## ####################################################################### ####################################################################### ## ## Some Variable definition which will make chrooting easier. ## ## if you add a variable here. Add the corresponding variable in the ## chroot example aswell. ## var.log_root = "/var/log/lighttpd" var.server_root = "/var/www" var.state_dir = "/var/run" var.home_dir = "/var/lib/lighttpd" var.conf_dir = "/etc/lighttpd" ## ## run the server chrooted. ## ## This requires root permissions during startup. ## ## If you run Chrooted set the the variables to directories relative to ## the chroot dir. ## ## example chroot configuration: ## #var.log_root = "/logs" #var.server_root = "/" #var.state_dir = "/run" #var.home_dir = "/lib/lighttpd" #var.vhosts_dir = "/vhosts" #var.conf_dir = "/etc" # #server.chroot = "/srv/www" ## ## Some additional variables to make the configuration easier ## ## ## Base directory for all virtual hosts ## ## used in: ## conf.d/evhost.conf ## conf.d/simple_vhost.conf ## vhosts.d/vhosts.template ## var.vhosts_dir = server_root + "/vhosts" ## ## Cache for mod_compress ## ## used in: ## conf.d/compress.conf ## var.cache_dir = "/var/cache/lighttpd" ## ## Base directory for sockets. ## ## used in: ## conf.d/fastcgi.conf ## conf.d/scgi.conf ## var.socket_dir = home_dir + "/sockets" ## ####################################################################### ####################################################################### ## ## Load the modules. include "modules.conf" ## ####################################################################### ####################################################################### ## ## Basic Configuration ## --------------------- ## server.port = 80 ## ## Use IPv6? ## server.use-ipv6 = "disable" ## ## bind to a specific IP ## #server.bind = "localhost" ## ## Run as a different username/groupname. ## This requires root permissions during startup. ## server.username = "lighttpd" server.groupname = "lighttpd" ## ## enable core files. ## #server.core-files = "disable" ## ## Document root ## #server.document-root = server_root + "/lighttpd" ## ## The value for the "Server:" response field. ## ## It would be nice to keep it at "lighttpd". ## #server.tag = "lighttpd" ## ## store a pid file ## server.pid-file = state_dir + "/lighttpd.pid" ## ####################################################################### ####################################################################### ## ## Logging Options ## ------------------ ## ## all logging options can be overwritten per vhost. ## ## Path to the error log file ## server.errorlog = log_root + "/error.log" ## ## If you want to log to syslog you have to unset the ## server.errorlog setting and uncomment the next line. ## #server.errorlog-use-syslog = "enable" ## ## Access log config ## include "conf.d/access_log.conf" ## ## The debug options are moved into their own file. ## see conf.d/debug.conf for various options for request debugging. ## include "conf.d/debug.conf" ## ####################################################################### ####################################################################### ## ## Tuning/Performance ## -------------------- ## ## corresponding documentation: ## http://www.lighttpd.net/documentation/performance.html ## ## set the event-handler (read the performance section in the manual) ## ## possible options on linux are: ## ## select ## poll ## linux-sysepoll ## ## linux-sysepoll is recommended on kernel 2.6. ## server.event-handler = "linux-sysepoll" ## ## The basic network interface for all platforms at the syscalls read() ## and write(). Every modern OS provides its own syscall to help network ## servers transfer files as fast as possible ## ## linux-sendfile - is recommended for small files. ## writev - is recommended for sending many large files ## server.network-backend = "linux-sendfile" ## ## As lighttpd is a single-threaded server, its main resource limit is ## the number of file descriptors, which is set to 1024 by default (on ## most systems). ## ## If you are running a high-traffic site you might want to increase this ## limit by setting server.max-fds. ## ## Changing this setting requires root permissions on startup. see ## server.username/server.groupname. ## ## By default lighttpd would not change the operation system default. ## But setting it to 2048 is a better default for busy servers. ## ## With SELinux enabled, this is denied by default and needs to be allowed ## by running the following once : setsebool -P httpd_setrlimit on #server.max-fds = 2048 ## ## Stat() call caching. ## ## lighttpd can utilize FAM/Gamin to cache stat call. ## ## possible values are: ## disable, simple or fam. ## server.stat-cache-engine = "simple" ## ## Fine tuning for the request handling ## ## max-connections == max-fds/2 (maybe /3) ## means the other file handles are used for fastcgi/files ## #server.max-connections = 1024 ## ## How many seconds to keep a keep-alive connection open, ## until we consider it idle. ## ## Default: 5 ## #server.max-keep-alive-idle = 5 ## ## How many keep-alive requests until closing the connection. ## ## Default: 16 ## #server.max-keep-alive-requests = 16 ## ## Maximum size of a request in kilobytes. ## By default it is unlimited (0). ## ## Uploads to your server cant be larger than this value. ## #server.max-request-size = 0 ## ## Time to read from a socket before we consider it idle. ## ## Default: 60 ## #server.max-read-idle = 60 ## ## Time to write to a socket before we consider it idle. ## ## Default: 360 ## #server.max-write-idle = 360 ## ## Traffic Shaping ## ----------------- ## ## see /usr/share/doc/lighttpd/traffic-shaping.txt ## ## Values are in kilobyte per second. ## ## Keep in mind that a limit below 32kB/s might actually limit the ## traffic to 32kB/s. This is caused by the size of the TCP send ## buffer. ## ## per server: ## #server.kbytes-per-second = 128 ## ## per connection: ## #connection.kbytes-per-second = 32 ## ####################################################################### ####################################################################### ## ## Filename/File handling ## ------------------------ ## ## files to check for if .../ is requested ## index-file.names = ( "index.php", "index.rb", "index.html", ## "index.htm", "default.htm" ) ## index-file.names += ( "index.xhtml", "index.html", "index.htm", "default.htm", "index.php" ) ## ## deny access the file-extensions ## ## ~ is for backupfiles from vi, emacs, joe, ... ## .inc is often used for code includes which should in general not be part ## of the document-root url.access-deny = ( "~", ".inc" ) ## ## disable range requests for pdf files ## workaround for a bug in the Acrobat Reader plugin. ## $HTTP["url"] =~ "\.pdf$" { server.range-requests = "disable" } ## ## url handling modules (rewrite, redirect) ## #url.rewrite = ( "^/$" => "/server-status" ) #url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" ) ## ## both rewrite/redirect support back reference to regex conditional using %n ## #$HTTP["host"] =~ "^www\.(.*)" { # url.redirect = ( "^/(.*)" => "http://%1/$1" ) #} ## ## which extensions should not be handle via static-file transfer ## ## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi ## static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" ) ## ## error-handler for status 404 ## #server.error-handler-404 = "/error-handler.html" #server.error-handler-404 = "/error-handler.php" ## ## Format: .html ## -> ..../status-404.html for 'File not found' ## #server.errorfile-prefix = "/srv/www/htdocs/errors/status-" ## ## mimetype mapping ## include "conf.d/mime.conf" ## ## directory listing configuration ## include "conf.d/dirlisting.conf" ## ## Should lighttpd follow symlinks? ## server.follow-symlink = "enable" ## ## force all filenames to be lowercase? ## #server.force-lowercase-filenames = "disable" ## ## defaults to /var/tmp as we assume it is a local harddisk ## server.upload-dirs = ( "/var/tmp" ) ## ####################################################################### ####################################################################### ## ## SSL Support ## ------------- ## ## To enable SSL for the whole server you have to provide a valid ## certificate and have to enable the SSL engine.:: ## ## ssl.engine = "enable" ## ssl.pemfile = "/path/to/server.pem" ## ## The HTTPS protocol does not allow you to use name-based virtual ## hosting with SSL. If you want to run multiple SSL servers with ## one lighttpd instance you must use IP-based virtual hosting: :: ## ## $SERVER["socket"] == "10.0.0.1:443" { ## ssl.engine = "enable" ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" ## # ## # Mitigate BEAST attack: ## # ## # A stricter base cipher suite. For details see: ## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html ## # ## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" ## # ## # Make the server prefer the order of the server side cipher suite instead of the client suite. ## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). ## # This option is enabled by default, but only used if ssl.cipher-list is set. ## # ## # ssl.honor-cipher-order = "enable" ## # ## # Mitigate CVE-2009-3555 by disabling client triggered renegotation ## # This is enabled by default. ## # ## # ssl.disable-client-renegotiation = "enable" ## # ## server.name = "www.example.com" ## ## server.document-root = "/srv/www/vhosts/example.com/www/" ## } ## ## If you have a .crt and a .key file, cat them together into a ## single PEM file: ## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \ ## > /etc/ssl/private/lighttpd.pem ## #ssl.pemfile = "/etc/ssl/private/lighttpd.pem" ## ## optionally pass the CA certificate here. ## ## #ssl.ca-file = "" ## ####################################################################### ####################################################################### ## ## custom includes like vhosts. ## #include "conf.d/config.conf" #include_shell "cat /etc/lighttpd/vhosts.d/*.conf" ## ####################################################################### # TI Stuff starts here # The conf.d directory isn't automatically loaded. There are examples above # where a specific script is loaded from that directory. For these three, # the script adds the module, then includes a lot of commented out items, so # the scripts aren't very interesting. server.modules += ( "mod_expire" ) server.modules += ( "mod_proxy" ) server.modules += ( "mod_scgi" ) server.max-fds = 20000 server.max-connections = 10000 server.max-keep-alive-requests = 5000 server.max-keep-alive-idle = 10 server.max-read-idle = 10 server.max-write-idle = 10 # This should never be used. The rules below should send every request to # another server or another directory. I'm making this the default just in # case. If I missed a rule, people will be sent to an empty directory for # security reasons. # # I'm not using the default, /var/www/lighttpd. That's filled with old # files. As part of the transition I'm temporarily leaving the old files # in that directory, where they've always been. I've created new directories # for the new stuff. Some items exist in both places. server.document-root = server_root + "/empty" $HTTP["url"] =~ "\.nocache\." { expire.url = ( "" => "access plus 0 seconds" ) } $HTTP["url"] =~ "\.cache\." { expire.url = ( "" => "access plus 1 years" ) } proxy-core.balancer = "round-robin" $SERVER["socket"] == ":443" { #### SSL engine ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/ssl/secure.pem" ssl.ca-file = "/etc/lighttpd/ssl/intermediate.crt" #causing oauth issue? #ssl.use-sslv2 = "disable" #ssl.use-sslv3 = "disable" $HTTP["url"] =~ "^/Scott(/.*)$" { # I installed myPhpAdmin for scott on Marvin. I'm piping the requests # through our HTTPS address for security. proxy.server = ( "" => ( ( "host" => "69.43.145.252", "port" => "8009" ))) } else $HTTP["url"] =~ "^/Pablo(/.*)$" { # I installed myPhpAdmin for scott on Pablo (test). I'm piping the request # through our HTTPS address for security. proxy.server = ( "" => ( ( "host" => "69.43.145.251", "port" => "8009" ))) } else $HTTP["url"] =~ "^((/static/)|(/mapreduce/))" { # Simple files. Handle these directly. server.document-root = server_root + "/vhost/secure/" } else $HTTP["url"] =~ "^/jsproxy/" { scgi.server = ("" => (( "host" => "192.168.1.205", "port" => 4433, "disable-time" => 2, "check-local" => "disable"), ( "host" => "192.168.1.202", "port" => 4433, "disable-time" => 2, "check-local" => "disable")) ) setenv.add-request-header = ( "X-Proxy-test" => "test #1" ) } else $HTTP["url"] =~ "^/jsproxy-dice/" { # dice scgi.server = ("" => (( "host" => "192.168.1.205", "port" => 4433, "disable-time" => 2, "check-local" => "disable")) ) setenv.add-request-header = ( "X-Proxy-test" => "test #2" ) } else $HTTP["url"] =~ "^/jsproxy-dana/" { # dana scgi.server = ("" => (( "host" => "192.168.1.202", "port" => 4433, "disable-time" => 2, "check-local" => "disable")) ) setenv.add-request-header = ( "X-Proxy-test" => "test #3" ) } #else $HTTP["url"] =~ "^/eSignal/" { # # Temporarily sending this to will for testing. This will get moved to # # bob-saget eventually for deployment. We will need to be on bob-saget, # # or somewhere similar, so we can have read/write access to the database. # proxy.server = ( "" => ( ( "host" => "69.43.145.248", "port" => "80") ) ) #} else $SERVER["socket"] != "else" { # Everything else goes to our normal apache server. This port is reserved # for forwarded https requests. proxy.server = ( "" => ( ( "host" => "192.168.1.227", "port" => "9443" ))) } # $HTTP["url"] =~ "^/Lightspeed(/.*)$" { # # This will go to will for testing. This will eventually be moved to # # Bob saget, with our back office and most of our other PHP scripts. # proxy.server = ( "" => ( ( "host" => "69.43.145.248", "port" => "80") # } } else $SERVER["socket"] != ":443" { # Not HTTPS. $HTTP["url"] =~ "^/jsproxy/" { scgi.server = ("" => (( "host" => "192.168.1.205", "port" => 4433, "disable-time" => 2, "check-local" => "disable"), ( "host" => "192.168.1.202", "port" => 4433, "disable-time" => 2, "check-local" => "disable")) ) setenv.add-request-header = ( "X-Proxy-test" => "test #11" ) } else $HTTP["url"] =~ "^/jsproxy-dice/" { # dice scgi.server = ("" => (( "host" => "192.168.1.205", "port" => 4433, "disable-time" => 2, "check-local" => "disable")) ) setenv.add-request-header = ( "X-Proxy-test" => "test #12" ) } else $HTTP["url"] =~ "^/jsproxy-dana/" { # dana scgi.server = ("" => (( "host" => "192.168.1.202", "port" => 4433, "disable-time" => 2, "check-local" => "disable")) ) setenv.add-request-header = ( "X-Proxy-test" => "test #11" ) } else $HTTP["host"] == "hadoop.trade-ideas.com" { # Simple static files that were made to go with /jsproxy/. Mostly stuff # created by GWT with very simple HTML files to get them started. New # projects can be part of any web site that goes through this proxy. # Originally ony the hadoop domain pointed to the /jsproxy/. server.document-root = server_root + "/vhost/hadoop/" } else $HTTP["host"] == "static.trade-ideas.com" { # Simple static files like icons which don't have to go through Apache. # Serve them directly through lighttpd for effeciency. server.document-root = server_root + "/vhost/static/" } else $HTTP["host"] == "scott-staging.trade-ideas.com" { # The original test set up. This will go away soon. We don't plan # to support this long term. proxy.server = ( "/wp-content" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/wp-includes" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/wp-login" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/wp-admin" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/faqs/" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/home" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/about-us" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/products" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/services" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/support-and-education" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/trade-ideas-university" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/import-tags-page" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "" => ( ( "host" => "69.43.145.252", "port" => 80 ) ) ) $HTTP["url"] =~ "^[/]+$" { proxy.server = ("" => ( ( "host" => "69.43.145.252", "port" => 80 ) ) ) } } else $HTTP["host"] == "www.trade-ideas.com" { # The main web site. The word press / CMS stuff will go to marvin. The # interesting code will go to bob-saget. We use a special port number # on bob-saget to match these requests. proxy.server = ( "/wp-content" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/wp-includes" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/wp-login" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/wp-admin" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/awtotw" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/wp-cron.php" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/buy29awoffer" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/awtipro29" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/cta-tow-screener" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/27-scanner-offer" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/towmar112015" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/ti2015" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/faqs/" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/home/phil/" => ( ( "host" => "192.168.1.227", "port" => 9980 ) ), "/home" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/about-us" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/products" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/glossary" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/services" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/sitemap" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/faq-category/" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/go/" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/testimonial/" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/testimonials/" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/cta/" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/BigTable" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/support-and-education" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/trade-ideas-university" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/import-tags-page" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/alpha/" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/cms_static/" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "/strategy-development/" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "" => ( ( "host" => "192.168.1.227", "port" => 9980 ) ) ) $HTTP["url"] =~ "^[/]+$" { proxy.server = ("" => ( ( "host" => "69.43.145.252", "port" => 80 ) ) ) } $HTTP["url"] =~ "^.*sitemap\.xml$" { proxy.server = ("" => ( ( "host" => "69.43.145.252", "port" => 80 ) ) ) } } else $HTTP["host"] == "lab.trade-ideas.com" { # Test setup mirroring the live setup above. Instead of bob-saget and # marvin, this points to will and pablo. include "lab-bob-saget-test.conf" $HTTP["url"] =~ "^[/]+$" { proxy.server = ("" => ( ( "host" => "69.43.145.251", "port" => 80 ) ) ) } $HTTP["url"] =~ "^.*sitemap\.xml$" { proxy.server = ("" => ( ( "host" => "69.43.145.251", "port" => 80 ) ) ) } } else $HTTP["host"] == "legacy.trade-ideas.com" { # The old but current main web site. Most stuff goes to bob-saget # like normal. The BigTable directory is goes to marvin. This is # part of the migration to the new web setup. BigTable contains files # that are not part of the CMS, but are under direct control of the # marketing department. In particular, the welcome screen for E*TRADE # is here. proxy.server = ( "/BigTable" => ( ( "host" => "69.43.145.252", "port" => 80 ) ), "" => ( ( "host" => "192.168.1.227", "port" => 80 ) ) ) } else $SERVER["socket"] != "else" { # Any other non-HTTPS virtual host goes to bob-saget. This goes to the # the normal port, port 80, to minimize the changes. Only the main # site, which was mostly redone, moves to the new port. proxy.server = ("" => ( ( "host" => "192.168.1.227", "port" => 80 ) ) ) } } # Note: There's a reason why we have two copies of the jsproxy logic. It # seems like maybe a bug in lighttpd. If I have an outer if that looks for # the URL, and an inner if that looks at $SERVER[socket"], and inside of that # I'm doing proxying, it seems to get confused. Doing a redirect instead of # proxy, but keeping the if's the same, seemed to work as expected. My work- # around was to move the $SERVER["socket"] to the outside and move the # $HTTP["url"] =~ "^/jsproxy/" to the inside. That required me to duplicate # some lines. # Note: lighttpd -t -f lighttpd.conf # That's a useful command. It seems that if I'm missing a } and I restart, # lighttpd will fail badly, without an error message. That command will report # any errors to the standard output without putting you in any danger.