How to modify the lighttpd chroot, to service both SSL and cleartext connections

Version [1.4.0], 17 July 2004


 

This procedure is part of a modular series which allows building of various components using as a base the chroot Slackware environment described in Howto create a Slackware environment using chroot. This module follows on from How to create a lighttpd web server chroot using daemontools, adding cleartext serving capability to the previously SSL-configured lighttpd server.

Other modules you will need to cover before attempting this procedure are Howto create a Slackware build environment using chroot, Howto create a daemontools chroot for running of services and How to generate your own SSL certificates.


Why?

At the time of writing, lighttpd can serve either SSL connections or cleartext connections, but not both from a single process: ssl.engine is a global setting. To service both types of request it is therefore necessary to run two instances of lighttpd, one serving cleartext, the other SSL. (Later lighttpd releases can enable SSL per listening socket inside a $SERVER["socket"] conditional, so one process suffices there; the two-instance layout described here still works and keeps the two configurations independent of each other.)
 


How?

Both instances of lighttpd can be run from the same binary, within the same chroot. All that is needed is a different configuration file for each. Logging goes to separate files for convenience; logging both instances to the same file is untested.

After creating the new config file, we copy and modify the daemontools run script so that both servers are started automatically, and can be stopped and restarted independently of each other.

CGI interactions are not covered in this document. Buggy CGI may be problematic, but any sanely written CGI software should work without problems under either instance. Caveat emptor.
 


The procedure

Conventions used

Throughout this procedure, red text denotes a literal command, or input or output, when that command, input or output is mentioned in the midst of a non-literal context.

Text in orange boxes is input to be typed at the Linux terminal command line. Wrapped input lines end in a backslash character \ at the wrap point, which the shell recognises as a line continuation. You should be able to copy and paste the input text, omitting the prompt, straight into a terminal window using the mouse.

Note that no spaces follow the backslash; if you add any, the shell will take the backslash as escaping the space rather than the newline, and the command will appear to misbehave.

If an input line looks like it is wrapped, but has no terminating \, then it is not wrapped, and the subsequent lines are output shown for your information.

Commands which are to be entered while logged in as a regular user are shown prefixed with a common user prompt character, the dollar sign $.

Commands which are to be entered while logged in as root (after using su to become root) are denoted with a common root user prompt, the hash sign #.

Prompts are shown as markers and should be omitted when copying and pasting the input into the terminal.

Text in blue boxes is informational, or may contain text to be entered into script or configuration files, again copy-and-paste is the best way to do this.


Duplicate and edit existing config file

First up, copy the lighttpd config file created previously.

# cp /chroot/dtools01/daemons/light01/etc/lighttpd_ssl.conf \
/chroot/dtools01/daemons/light01/etc/lighttpd_clear.conf

Now edit the new file using your favourite text editor. Alter the following definitions, shown out of context, to their new values. The third option is the one which switches off SSL; you also need to comment out any ssl.pemfile definition, as shown. Note that commenting out ssl.pemfile only stops the cleartext instance from loading the key; since both instances run in the same chroot, the key file is still readable by the cleartext process, so keep its permissions tight regardless.

The first two options send the log output of the two servers to separate files. This is purely for your own benefit; there should be no problem if both log to a single file, but I haven't tested it.

Check also that the two files name different listening ports (server.port), for example 80 here and 443 in the SSL file, since two instances cannot bind the same port and the second one to start will simply fail.

## where to send error-messages to
server.errorlog = "/logs/errors_clear.log"

#### accesslog module
accesslog.filename = "/logs/access_clear.log"

#### SSL engine
ssl.engine = "disable"
# ssl.pemfile = "/etc/hacktavista.pem"
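
As an added example, not part of this howto or of lighttpd itself, the following POSIX shell script applies the edits above with sed and checks the resulting pair of config files before the second service is installed. It assumes the cleartext instance listens on port 80 and the SSL one on 443 (the howto does not show server.port), and the sample SSL config it writes is constructed for the demonstration, not copied from the earlier module.

```shell
#!/bin/sh
# Added example, not from the original howto: derive the cleartext lighttpd
# config from the SSL one with sed, then sanity-check the pair. Paths follow
# the howto; the sample SSL config below is constructed for this demo, and the
# choice of port 80 for the cleartext instance is an assumption.
set -eu

# Print the value of KEY from lighttpd config FILE (last definition wins,
# surrounding quotes stripped). Usage: conf_value FILE KEY
conf_value() {
    key=$(printf '%s\n' "$2" | sed 's/\./\\./g')
    sed -n "s/^${key}[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Write CLEAR_CONF from SSL_CONF: separate logs, SSL engine off, ssl.pemfile
# commented out and (assumption) server.port set to 80.
# Usage: derive_clear_conf SSL_CONF CLEAR_CONF
derive_clear_conf() {
    sed -e 's|^\(server\.errorlog[[:space:]]*=\).*|\1 "/logs/errors_clear.log"|' \
        -e 's|^\(accesslog\.filename[[:space:]]*=\).*|\1 "/logs/access_clear.log"|' \
        -e 's|^\(ssl\.engine[[:space:]]*=\).*|\1 "disable"|' \
        -e 's|^\(ssl\.pemfile\)|# \1|' \
        -e 's|^\(server\.port[[:space:]]*=\).*|\1 80|' \
        "$1" > "$2"
}

# Check that an SSL/cleartext pair can coexist. Returns 0 if so, 1 (with the
# reason on stderr) otherwise. Usage: check_pair SSL_CONF CLEAR_CONF
check_pair() {
    ssl_port=$(conf_value "$1" server.port)
    clear_port=$(conf_value "$2" server.port)
    if [ -z "$ssl_port" ] || [ -z "$clear_port" ] || [ "$ssl_port" = "$clear_port" ]; then
        echo "check_pair: server.port must be set and differ ('$ssl_port' vs '$clear_port')" >&2
        return 1
    fi
    if [ "$(conf_value "$1" ssl.engine)" != "enable" ]; then
        echo "check_pair: SSL config does not enable ssl.engine" >&2
        return 1
    fi
    if [ "$(conf_value "$2" ssl.engine)" != "disable" ]; then
        echo "check_pair: cleartext config does not disable ssl.engine" >&2
        return 1
    fi
    if grep -q '^[[:space:]]*ssl\.pemfile' "$2"; then
        echo "check_pair: cleartext config still sets ssl.pemfile" >&2
        return 1
    fi
    if [ "$(conf_value "$1" server.errorlog)" = "$(conf_value "$2" server.errorlog)" ]; then
        echo "check_pair: both instances would share server.errorlog (untested)" >&2
        return 1
    fi
    return 0
}

# Constructed stand-in for the SSL config from the earlier module; only the
# directives this example touches are included. Usage: make_sample_ssl_conf FILE
make_sample_ssl_conf() {
    cat > "$1" <<'EOF'
server.document-root = "/www"
server.port = 443
## where to send error-messages to
server.errorlog = "/logs/errors_ssl.log"
#### accesslog module
accesslog.filename = "/logs/access_ssl.log"
#### SSL engine
ssl.engine = "enable"
ssl.pemfile = "/etc/hacktavista.pem"
EOF
}

# Stand-alone demonstration in a scratch directory: derive, check, show the
# lines that changed, and return check_pair's verdict.
demo() {
    dir=$(mktemp -d)
    make_sample_ssl_conf "$dir/lighttpd_ssl.conf"
    derive_clear_conf "$dir/lighttpd_ssl.conf" "$dir/lighttpd_clear.conf"
    if check_pair "$dir/lighttpd_ssl.conf" "$dir/lighttpd_clear.conf"; then
        rc=0; echo "pair OK; differences:"
    else
        rc=1; echo "pair REJECTED; differences:"
    fi
    diff "$dir/lighttpd_ssl.conf" "$dir/lighttpd_clear.conf" || true
    rm -rf "$dir"
    return $rc
}

demo
```

Run it against the real files by calling derive_clear_conf and check_pair with the /chroot/dtools01/daemons/light01/etc/ paths instead of the scratch directory; check_pair is deliberately strict about shared log files because, as noted above, that arrangement is untested.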


Create a new run script

As when we set up the original server, we create the run script and its directory in /tmp and, when complete, move it into the daemontools service directory so that svscan sees a finished directory rather than a half-written one. Note that mv is a single atomic rename only when /tmp and /chroot are on the same filesystem; if they are not, build the directory somewhere under /chroot/dtools01 instead and move it from there.

As before, the script contents are typed into the terminal after the cat command is given, and ended with ctrl-d.

# mkdir /tmp/lighttpd_clear
# cat > /tmp/lighttpd_clear/run

#!/bin/sh
# exec so that supervise tracks lighttpd itself rather than this shell
# (svc -t then terminates lighttpd, not an intermediate sh);
# -D keeps lighttpd in the foreground, as daemontools requires.
cd /daemons/light01 && \
exec chroot /daemons/light01 /sbin/lighttpd \
-D -f /etc/lighttpd_clear.conf


Make the script executable and move it into the daemontools service directory; svscan will notice the new directory within a few seconds and start supervising it.

# chmod a+x /tmp/lighttpd_clear/run
# mv /tmp/lighttpd_clear /chroot/dtools01/service/


End of procedure

Now we have two lighttpd servers running.

You can verify this with ps -A | grep lighttpd, which should show two lighttpd processes.

You could alternatively use ps axf to see a tree of processes, which helps you identify which process belongs to which service if you want to stop only one of the two.

You should now be able to connect using either http:// or https:// prefixed to your domain name (or IP address).

Stopping and restarting either or both servers is left as an exercise for the reader; it follows directly from the commands given previously in How to create a lighttpd web server chroot using daemontools. In short, svc -d stops a service, svc -u starts it, svc -t sends it SIGTERM so that supervise restarts it, and svstat reports its state, each taking the service directory as argument.


Changelog

2004 July 17, 1.4.0 - match up to current chroot_lighttpd.html by changing paths of logs etc in config

2004 July 6, 1.1.3 - Adopt changelog, various fixups re separate dirs or files for the two servers.


To do

  • Fix up blue box formatting throughout series so it uses the same HTML markup as other boxes.

Simeon Scott 2004 <email shevek at bur dot st>
Please copy, modify and distribute this file, acknowledging me as author and link to original source.