Lighttpd and dualstack IPv6/IPv4 and SSL

Searching the internet, you can find a lot of information about all kinds of related issues. However, nearly no one is, as far as I can see, trying to get both a dualstack connection and an SSL connection working. Because of this, you can try to combine all kinds of possible configuration options, but you will find it is hard to get the correct one.

Getting lighttpd to listen on both IPv6 and IPv4 (so dualstack) is not hard at all. Once you have SSL working together with that, it is not that difficult either; finding the right option, however, is.

After a long try I came up with the following config file, which has a separate $SERVER["socket"] section for both IPv4 and IPv6. Not ideal, but it works: this site is visible via both IPv4 and IPv6, and that's the thing we wanted. For now I am going to use this, and hope there will one day be a better solution. (As a note, I also have a required redirect here, as I require the full site to be over SSL.)

var.confdir  = "/etc/ssl/cert"
$SERVER["socket"] == "91.196.170.37:443" {
    ssl.engine    = "enable"
    ssl.pemfile   = var.confdir + "/www_domain_nl.pem"
    ssl.ca-file   = var.confdir + "/AddTrustExternalCARoot.crt" 
    server.name   = "domain.nl" 
    server.document-root = "/var/www2/"
}
#// 2a02:27f8:1001::2:1
$SERVER["socket"] == "[2a02:27f8:1001::2:1]:443" {
    server.use-ipv6 = "enable"
    ssl.engine    = "enable"
    ssl.pemfile   = var.confdir + "/www_domain_nl.pem"
    ssl.ca-file   = var.confdir + "/AddTrustExternalCARoot.crt"
    server.name   = "domain.nl"
    server.document-root = "/var/www2/"
}
$HTTP["host"] == "www.domain.nl" {
    $HTTP["scheme"] == "http" {
            url.redirect = ("^/(.*)" => "https://www.domain.nl/$1")
    }
}
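
With the SSL settings repeated in two socket blocks, one block can be updated (for example after a certificate renewal) while the other is forgotten, so IPv4 and IPv6 clients see different TLS setups. The script below is an added example, not part of the original post: it compares the ssl.* settings of all listeners on port 443. The sample addresses and file paths are constructed, and it assumes socket blocks contain no nested conditionals.

```python
import re

# Constructed sample (documentation addresses, hypothetical paths): the IPv6
# block still points at an old certificate file after a renewal.
SAMPLE = '''
var.confdir = "/etc/ssl/cert"
$SERVER["socket"] == "192.0.2.10:443" {
    ssl.engine  = "enable"
    ssl.pemfile = var.confdir + "/www_example.pem"
    ssl.ca-file = var.confdir + "/chain.crt"
}
# IPv6 listener
$SERVER["socket"] == "[2001:db8::1]:443" {
    server.use-ipv6 = "enable"
    ssl.engine  = "enable"
    ssl.pemfile = var.confdir + "/www_example_old.pem"
    ssl.ca-file = var.confdir + "/chain.crt"
}
'''

BLOCK = re.compile(r'\$SERVER\["socket"\]\s*==\s*"([^"]*)"\s*\{([^{}]*)\}')
SETTING = re.compile(r'^\s*(ssl\.[\w.-]+)\s*=\s*(.+?)\s*$', re.M)

def tls_sockets(conf):
    """Map each $SERVER["socket"] address to the raw ssl.* settings in its block."""
    conf = re.sub(r'(?m)^\s*#.*$', '', conf)  # drop full-line comments
    return {addr: dict(SETTING.findall(body)) for addr, body in BLOCK.findall(conf)}

def audit(conf, port="443"):
    """Return findings for the listeners on `port`; an empty list means consistent."""
    socks = {a: s for a, s in tls_sockets(conf).items() if a.rsplit(":", 1)[-1] == port}
    findings = []
    for fam, is_v6 in (("IPv4", False), ("IPv6", True)):
        if not any(a.startswith("[") == is_v6 for a in socks):
            findings.append(f"no {fam} listener on port {port}")
    for addr, s in socks.items():
        if s.get("ssl.engine") != '"enable"':
            findings.append(f"{addr}: ssl.engine is not enabled in this block")
    # Compare the raw right-hand side of every ssl.* key across the blocks.
    for key in sorted({k for s in socks.values() for k in s}):
        values = {addr: s.get(key) for addr, s in socks.items()}
        if len(set(values.values())) > 1:
            findings.append(f"{key} differs between listeners: {values}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real file, pass its contents to audit(); settings are compared as written, so two blocks that spell the same path differently are reported as a difference.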

3 thoughts on “Lighttpd and dualstack IPv6/IPv4 and SSL”

  1. Rather than doubling up the config, I found this works, without having to repeat the SSL config details:

    $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "…"
    ssl.ca-file = "…"

    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"
    }

    $SERVER["socket"] == "[::]:443" {
    }

    1. Sorry, the second conditional should be:

      $SERVER["socket"] == "[::]:443" {
      server.use-ipv6 = "enable"
      }
