Nově: po upgradu z 12.3.2017 je nutno reinstalovat pluginy do lighttpd, jinak nebude funkční.
Dále lighttpd nově hází error "unknown config-key: setenv.set-environment (ignored)".
Vloženo: jos.sk @ 9:23:39 PM, 2017/03/12
web s lighttpd s ssl a php
instalace (postup pro funkční foris i luci s původním lighttpd)
# Install PHP 5 as CGI together with its extension modules, the two lighttpd
# modules this guide relies on, and the timezone data. Package names are
# exactly those of the original list; each one is installed separately.
opkg update
for pkg in \
    php5-cgi \
    php5-mod-calendar \
    php5-mod-ctype \
    php5-mod-curl \
    php5-mod-dom \
    php5-mod-exif \
    php5-mod-fileinfo \
    php5-mod-ftp \
    php5-mod-gd \
    php5-mod-gettext \
    php5-mod-gmp \
    php5-mod-hash \
    php5-mod-iconv \
    php5-mod-intl \
    php5-mod-json \
    php5-mod-ldap \
    php5-mod-mbstring \
    php5-mod-mcrypt \
    php5-mod-mysql \
    php5-mod-opcache \
    php5-mod-openssl \
    php5-mod-pcntl \
    php5-mod-pdo \
    php5-mod-pdo-mysql \
    php5-mod-session \
    php5-mod-shmop \
    php5-mod-simplexml \
    php5-mod-soap \
    php5-mod-sockets \
    php5-mod-sysvmsg \
    php5-mod-sysvsem \
    php5-mod-sysvshm \
    php5-mod-tokenizer \
    php5-mod-xml \
    php5-mod-xmlreader \
    php5-mod-xmlwriter \
    php5-mod-zip \
    lighttpd-mod-redirect \
    lighttpd-mod-rewrite \
    zoneinfo-core \
    zoneinfo-europe
do
    opkg install "$pkg"
done
Vytvořte na rootu např. adresář mujweb
do tohoto adresáře zkopírujte adresář /etc/lighttpd i s jeho obsahem
následně přepsat v /etc/lighttpd/lighttpd.conf
server.port = 80
na
server.port = 81
a zakomentujte podporu ipv6
viz:
# listen on IPv6
#$SERVER["socket"] == "[::]:81" { }
přepsat /etc/lighttpd soubor ssl-enable.conf tímto
# ssl-enable.conf for the router's own administration web (Foris/LuCI).
# The guide moves that web from :443 to :444 so :443 stays free for the
# site in /mujweb. The certificate is the self-signed one generated by
# the https-cert package.
$SERVER["socket"] == ":444" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd-self-signed.pem"
}
# IPv6 listener, kept disabled like the rest of the IPv6 setup in this guide.
#$SERVER["socket"] == "[::]:444" {
#    ssl.engine = "enable"
#    ssl.pemfile = "/etc/lighttpd-self-signed.pem"
#}
# HSTS for the admin web; the header line is left commented out as in the
# original, so the block currently sets nothing.
$HTTP["scheme"] == "https" {
    # setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}
dále
v /mujweb/lighttpd upravte mime.conf
do položky " mimetype.assign = ( "
přidejte ".php" => "application/x-php",
v /mujweb/lighttpd v souboru lighttpd.conf přepište jeho obsah tímto:
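# /mujweb/lighttpd/lighttpd.conf - the PHP site on ports 80 and 443.
#
# Fixes against the posted version:
#  * the forum rendering turned every ":D" inside the cipher strings into a
#    smiley and dropped it ("AESGCMH+AESGCM" was "AESGCM:DH+AESGCM"), so the
#    lists were unusable; they are restored below;
#  * "SSLProtocol" is an Apache directive, not a lighttpd one, and is reported
#    as an unknown config-key and ignored - protocol choice is done with
#    ssl.use-sslv2 / ssl.use-sslv3, so the lines were removed;
#  * the nested `$HTTP["scheme"] == "https" { setenv... }` fragments had an
#    unclosed "(" and the "[::]:443" block had no closing "}", which is a
#    parse error - they are removed/closed;
#  * static-file.exclude-extensions is enabled so script sources are never
#    served as plain files.
#
# Modules are not listed here; they come from modules.d/*.load (include_shell
# below). cgi.assign needs mod_cgi and setenv.add-response-header needs
# mod_setenv to be among them, otherwise those lines are silently unused.
server.modules = (
)
server.document-root = "/mujweb/www"
server.upload-dirs = ( "/tmp" )
#server.errorlog = "/mujweb/log/lighttpd/errors.log"
server.pid-file = "/var/run/lighttpds.pid"
# Left commented out as in the original. With an existing unprivileged
# user/group these make lighttpd (and the php-cgi it spawns) drop root after
# binding the sockets.
#server.username = "http"
#server.groupname = "www-data"
index-file.names = ( "index.php", "index.html",
                     "index.htm", "default.htm",
                     "index.lighttpd.html" )
# Refuse to serve script sources as static files. Without this, a missing
# mod_cgi makes lighttpd send the PHP source text (including any database
# credentials in it) to the client instead of executing it.
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
server.port = 80
server.error-handler-404 = "/ppl.php"
$SERVER["socket"] == "[::]:80" { }
# mime.conf is not included here; the ".php" entry the guide adds to it only
# takes effect if this include is enabled.
##include "/mujweb/lighttpd/mime.conf"
include_shell "cat /mujweb/lighttpd/modules.d/*.load"
cgi.assign = ( ".php" => "/usr/bin/php-cgi" )

# TLS defaults, inherited by the :443 sockets below.
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.honor-cipher-order = "enable"
#ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
#ssl.cipher-list = "HIGH:MEDIUM:!MD5:!RC4"
#ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
#ssl.use-compression = "disable"
# Headers for the plain-HTTP listener. Strict-Transport-Security is only
# meaningful on HTTPS (browsers ignore it over HTTP), so it is set in the
# :443 blocks instead of here.
setenv.add-response-header = (
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
)

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.honor-cipher-order = "enable"
    # server.pem contains the private key: keep it owned by root, mode 0600.
    ssl.pemfile = "/mujweb/lighttpd/server.pem"
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    ssl.ca-file = "/mujweb/lighttpd/gd_bundle-g2-g1.crt"
    #ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !MD5 !eNULL !3DES @STRENGTH"
    #okok ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
    # Restored list. "!DES" alone does not cover the DES-CBC3 (3DES) suites
    # the original listed explicitly, so they are dropped and "!3DES" added,
    # matching the commented-out variant above.
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4"
    #ssl.use-compression = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
}

$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/mujweb/lighttpd/server.pem"
    ssl.ca-file = "/mujweb/lighttpd/gd_bundle-g2-g1.crt"
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    ### okokok ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
    # Same restored list as the IPv4 socket.
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4"
    #ssl.use-compression = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
}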
dále si vytvořte dhparam.pem
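# Generate the DH parameters referenced by ssl.dh-file in lighttpd.conf.
# "&&" stops here if the directory does not exist, instead of silently
# writing dhparam.pem into whatever the current directory is. 4096-bit
# generation takes days on the router CPU; the file can equally be
# generated on a faster machine and copied to /etc/ssl/certs.
cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 4096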
tohle bude trvat u routeru tak 3 dny
Dále je třeba získat server.key a server.crt (pokud nedisponujete rovnou souborem server.pem).
certifikát server.pem je složenina server.key a server.crt a lze ji lehce vytvořit sloučením.
server.pem následně zkopírujete do /mujweb/lighttpd
Také je potřeba získat certifikát
gd_bundle-g2-g1.crt
tento certifikát je složenina dvou certifikátů
a to Secure Certificate Authority certifikát certifikační agentury a Class 2 Certification Authority.
nadále je nutné upravit php.ini v /etc
obsah vložím později...
pokud dobře upravíte php.ini tak vše poběží.
konfigurační web routeru bude na http://192.168.1.1:81 nebo na https://192.168.1.1:444
vytvořte v /mujweb adresář www a do něj nakopírujte případné php scripty/web
dále povolte otevření portu 80 a 443 na routeru
Vloženo: jos.sk @ 2:12:20 AM, 2016/12/27
# Install PHP 5 as CGI together with its extension modules, the two lighttpd
# modules this guide relies on, and the timezone data. Package names are
# exactly those of the original list; each one is installed separately.
opkg update
for pkg in \
    php5-cgi \
    php5-mod-calendar \
    php5-mod-ctype \
    php5-mod-curl \
    php5-mod-dom \
    php5-mod-exif \
    php5-mod-fileinfo \
    php5-mod-ftp \
    php5-mod-gd \
    php5-mod-gettext \
    php5-mod-gmp \
    php5-mod-hash \
    php5-mod-iconv \
    php5-mod-intl \
    php5-mod-json \
    php5-mod-ldap \
    php5-mod-mbstring \
    php5-mod-mcrypt \
    php5-mod-mysql \
    php5-mod-opcache \
    php5-mod-openssl \
    php5-mod-pcntl \
    php5-mod-pdo \
    php5-mod-pdo-mysql \
    php5-mod-session \
    php5-mod-shmop \
    php5-mod-simplexml \
    php5-mod-soap \
    php5-mod-sockets \
    php5-mod-sysvmsg \
    php5-mod-sysvsem \
    php5-mod-sysvshm \
    php5-mod-tokenizer \
    php5-mod-xml \
    php5-mod-xmlreader \
    php5-mod-xmlwriter \
    php5-mod-zip \
    lighttpd-mod-redirect \
    lighttpd-mod-rewrite \
    zoneinfo-core \
    zoneinfo-europe
do
    opkg install "$pkg"
done
Vytvořte na rootu např. adresář mujweb
do tohoto adresáře zkopírujte adresář /etc/lighttpd i s jeho obsahem
následně přepsat v /etc/lighttpd/lighttpd.conf
server.port = 80
na
server.port = 81
a zakomentujte podporu ipv6
viz:
# listen on IPv6
#$SERVER["socket"] == "[::]:81" { }
přepsat /etc/lighttpd soubor ssl-enable.conf tímto
# ssl-enable.conf for the router's own administration web (Foris/LuCI).
# The guide moves that web from :443 to :444 so :443 stays free for the
# site in /mujweb. The certificate is the self-signed one generated by
# the https-cert package.
$SERVER["socket"] == ":444" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd-self-signed.pem"
}
# IPv6 listener, kept disabled like the rest of the IPv6 setup in this guide.
#$SERVER["socket"] == "[::]:444" {
#    ssl.engine = "enable"
#    ssl.pemfile = "/etc/lighttpd-self-signed.pem"
#}
# HSTS for the admin web; the header line is left commented out as in the
# original, so the block currently sets nothing.
$HTTP["scheme"] == "https" {
    # setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}
dále
v /mujweb/lighttpd upravte mime.conf
do položky " mimetype.assign = ( "
přidejte ".php" => "application/x-php",
v /mujweb/lighttpd v souboru lighttpd.conf přepište jeho obsah tímto:
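# /mujweb/lighttpd/lighttpd.conf - the PHP site on ports 80 and 443.
#
# Fixes against the posted version:
#  * the forum rendering turned every ":D" inside the cipher strings into a
#    smiley and dropped it ("AESGCMH+AESGCM" was "AESGCM:DH+AESGCM"), so the
#    lists were unusable; they are restored below;
#  * "SSLProtocol" is an Apache directive, not a lighttpd one, and is reported
#    as an unknown config-key and ignored - protocol choice is done with
#    ssl.use-sslv2 / ssl.use-sslv3, so the lines were removed;
#  * the nested `$HTTP["scheme"] == "https" { setenv... }` fragments had an
#    unclosed "(" and the "[::]:443" block had no closing "}", which is a
#    parse error - they are removed/closed;
#  * static-file.exclude-extensions is enabled so script sources are never
#    served as plain files.
#
# Modules are not listed here; they come from modules.d/*.load (include_shell
# below). cgi.assign needs mod_cgi and setenv.add-response-header needs
# mod_setenv to be among them, otherwise those lines are silently unused.
server.modules = (
)
server.document-root = "/mujweb/www"
server.upload-dirs = ( "/tmp" )
#server.errorlog = "/mujweb/log/lighttpd/errors.log"
server.pid-file = "/var/run/lighttpds.pid"
# Left commented out as in the original. With an existing unprivileged
# user/group these make lighttpd (and the php-cgi it spawns) drop root after
# binding the sockets.
#server.username = "http"
#server.groupname = "www-data"
index-file.names = ( "index.php", "index.html",
                     "index.htm", "default.htm",
                     "index.lighttpd.html" )
# Refuse to serve script sources as static files. Without this, a missing
# mod_cgi makes lighttpd send the PHP source text (including any database
# credentials in it) to the client instead of executing it.
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
server.port = 80
server.error-handler-404 = "/ppl.php"
$SERVER["socket"] == "[::]:80" { }
# mime.conf is not included here; the ".php" entry the guide adds to it only
# takes effect if this include is enabled.
##include "/mujweb/lighttpd/mime.conf"
include_shell "cat /mujweb/lighttpd/modules.d/*.load"
cgi.assign = ( ".php" => "/usr/bin/php-cgi" )

# TLS defaults, inherited by the :443 sockets below.
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.honor-cipher-order = "enable"
#ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
#ssl.cipher-list = "HIGH:MEDIUM:!MD5:!RC4"
#ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
#ssl.use-compression = "disable"
# Headers for the plain-HTTP listener. Strict-Transport-Security is only
# meaningful on HTTPS (browsers ignore it over HTTP), so it is set in the
# :443 blocks instead of here.
setenv.add-response-header = (
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
)

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.honor-cipher-order = "enable"
    # server.pem contains the private key: keep it owned by root, mode 0600.
    ssl.pemfile = "/mujweb/lighttpd/server.pem"
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    ssl.ca-file = "/mujweb/lighttpd/gd_bundle-g2-g1.crt"
    #ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !MD5 !eNULL !3DES @STRENGTH"
    #okok ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
    # Restored list. "!DES" alone does not cover the DES-CBC3 (3DES) suites
    # the original listed explicitly, so they are dropped and "!3DES" added,
    # matching the commented-out variant above.
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4"
    #ssl.use-compression = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
}

$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/mujweb/lighttpd/server.pem"
    ssl.ca-file = "/mujweb/lighttpd/gd_bundle-g2-g1.crt"
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    ### okokok ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
    # Same restored list as the IPv4 socket.
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4"
    #ssl.use-compression = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
}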
dále si vytvořte dhparam.pem
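# Generate the DH parameters referenced by ssl.dh-file in lighttpd.conf.
# "&&" stops here if the directory does not exist, instead of silently
# writing dhparam.pem into whatever the current directory is. 4096-bit
# generation takes days on the router CPU; the file can equally be
# generated on a faster machine and copied to /etc/ssl/certs.
cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 4096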
tohle bude trvat u routeru tak 3 dny
Dále je třeba získat server.key a server.crt (pokud nedisponujete rovnou souborem server.pem).
certifikát server.pem je složenina server.key a server.crt a lze ji lehce vytvořit sloučením.
server.pem následně zkopírujete do /mujweb/lighttpd
Také je potřeba získat certifikát
gd_bundle-g2-g1.crt
tento certifikát je složenina dvou certifikátů
a to Secure Certificate Authority certifikát certifikační agentury a Class 2 Certification Authority.
nadále je nutné upravit php.ini v /etc
obsah vložím později...
pokud dobře upravíte php.ini tak vše poběží.
konfigurační web routeru bude na http://192.168.1.1:81 nebo na https://192.168.1.1:444
vytvořte v /mujweb adresář www a do něj nakopírujte případné php scripty/web
dále povolte otevření portu 80 a 443 na routeru
Vloženo: jos.sk @ 2:12:20 AM, 2016/12/27