Introduction
Lighttpd, also known as Lighty, is an open-source web server with a small footprint, and when installed alongside PHP and MySQL or MariaDB it can serve millions of connections reliably. Lighty also has many modules that extend its capabilities.
This document walks you through the installation of lighttpd from the core Ubuntu distribution and then explains how to update it to the latest version. It also covers installing PHP, securing PHP with a FastCGI Process Manager (FPM) pool, installing MariaDB, and securing the web server with an SSL certificate from Let’s Encrypt.
Prerequisites
- A fresh Vultr Ubuntu 20.04 LTS x64 server instance
- SSH, HTTP, and HTTPS connectivity to the instance
- A DNS record that points to the IP address of the instance. This document uses build.example.com.
1. Add PHP Repository
To support PHP’s latest version, add the public repository hosted by one of the Ubuntu and PHP developers.
# add-apt-repository -y ppa:ondrej/php
After adding the repository, update the local apt cache.
# apt update
2. Install Lighttpd
To get the core install of lighttpd, install the apt version:
# apt install -y lighttpd
After this completes, check the version of lighttpd you have installed.
# lighttpd -v
If you are running Ubuntu 20.04, it should return lighttpd/1.4.55 (ssl) - a light and fast webserver. Ensure the installation was successful by visiting your site, such as http://build.example.com. You should get the lighttpd placeholder page.
Add a lighttpd user and group:
# groupadd lighttpd
# useradd -g lighttpd -d /var/www/html -s /sbin/nologin lighttpd
Make the lighttpd user and group the owner of the /var/www/html directory:
# chown -R lighttpd:lighttpd /var/www/html/
3. Install MariaDB and PHP
Alongside lighttpd, install MariaDB and PHP:
# apt install -y php-{cli,gd,fpm,mysql,curl,json,xml} mariadb-server
After the installation of MariaDB, secure the MariaDB installation.
# mysql_secure_installation
- Confirm the blank root password by hitting ENTER
- Agree to change the password by entering Y followed by ENTER
- Enter a new secure password.
- Remove the anonymous user by entering Y followed by ENTER
- Disallow root login by entering Y followed by ENTER
- Remove the test database by entering Y followed by ENTER
- Reload the privilege table by entering Y followed by ENTER
Rename the default PHP FPM Pool to align with the web server name:
# mv /etc/php/8.0/fpm/pool.d/www.conf /etc/php/8.0/fpm/pool.d/lighttpd.conf
Change the user and Unix socket associated with the pool by editing the configuration file:
# nano /etc/php/8.0/fpm/pool.d/lighttpd.conf
Change four lines:
- Change the top line inside the brackets that sets the pool name from [www] to [lighttpd]
- Change the line user = www-data to user = lighttpd
- Change the line group = www-data to group = lighttpd
- Change the line listen = /run/php/php8.0-fpm.sock to listen = /run/php/php8.0-lighttpd-fpm.sock
Save the file and restart the PHP FPM Service:
# service php8.0-fpm restart
4. Upgrade Lighttpd
Add some packages required to build the latest version of lighttpd from source code.
# apt install -y gcc libpcre3 libpcre3-dev zlib1g-dev checkinstall libssl-dev
From the command prompt, download the latest tarball for lighttpd. At the time of writing, the latest version is 1.4.59. You can find the latest download link here.
# wget https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.59.tar.gz
Extract the tarball.
# tar xzf lighttpd-1.4.59.tar.gz
Change to the lighttpd working directory.
# cd lighttpd-1.4.59
Configure the package to include SSL and install in the /usr/sbin directory.
# ./configure --with-openssl --sbindir=/usr/sbin
After configuration, make the package and install it.
# make
# make install
Run lighttpd -v to ensure the successful installation of version 1.4.59. The command should return lighttpd/1.4.59 (ssl) - a light and fast webserver.
5. Configure Lighttpd
The older 1.4.55 version packaged with Ubuntu 20.04 has a deprecated mod_compress module that you must replace with mod_deflate. To alter the module load, edit the default configuration:
# nano /etc/lighttpd/lighttpd.conf
Change the following three lines:
- Change the line containing compress.cache-dir to be deflate.cache-dir
- Remove the line containing compress.filetype
- Change the module configuration from mod_compress to mod_deflate and save the file.
Check the configuration by running:
# /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
6. Configure PHP for Lighttpd
Enable the fastcgi and fastcgi-php modules.
# lighttpd-enable-mod fastcgi
# lighttpd-enable-mod fastcgi-php
Edit the PHP configuration.
# nano /etc/lighttpd/conf-enabled/15-fastcgi-php.conf
Remove the entire file contents and replace them with the following, which configures the php module for the socket setting you made in step 3.
fastcgi.server += ( ".php" =>
    ((
        "socket" => "/run/php/php8.0-lighttpd-fpm.sock",
        "broken-scriptfilename" => "enable"
    ))
)
Restart the server to take the new configuration changes:
# service lighttpd restart
Add a test PHP file to ensure that PHP is running:
# nano /var/www/html/pi.php
In the file add the following contents:
<?php phpinfo();
To check the configuration, visit http://build.example.com/pi.php and find a PHP information page. In the PHP Variables section, ensure the $_SERVER['USER'] is lighttpd.
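The socket path set in step 3 has to match the one in the fastcgi.server block, and a phpinfo() page such as pi.php exposes paths, loaded modules and environment variables for as long as it stays in the web root. The audit script below is an added example, not part of the original guide; the function names and the ROOT path prefix (which lets it run against a copy of the files) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the guide): audit the files edited in steps 3 and 6.
# ROOT is a hypothetical path prefix; pass "" to audit the live system.

# Print the value of "key = value" from a PHP-FPM pool file.
pool_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print the socket path from the lighttpd fastcgi.server block.
fastcgi_socket() {
    sed -n 's/.*"socket"[[:space:]]*=>[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Prints one line per finding; the return status is the number of findings.
audit_lighttpd_php() {
    root=${1:-}
    pool="$root/etc/php/8.0/fpm/pool.d/lighttpd.conf"
    fcgi="$root/etc/lighttpd/conf-enabled/15-fastcgi-php.conf"
    webroot="$root/var/www/html"
    findings=0

    # The pool must run PHP as the dedicated account, not www-data.
    for key in user group; do
        val=$(pool_value "$pool" "$key")
        if [ "$val" != "lighttpd" ]; then
            echo "FAIL pool $key is '$val', expected 'lighttpd'"
            findings=$((findings + 1))
        fi
    done

    # lighttpd must connect to the socket this pool listens on.
    if [ "$(pool_value "$pool" listen)" != "$(fastcgi_socket "$fcgi")" ]; then
        echo "FAIL pool listen socket and fastcgi.server socket differ"
        findings=$((findings + 1))
    fi

    # phpinfo() pages expose paths, modules and environment variables.
    leftovers=$(find "$webroot" -type f -name '*.php' \
        -exec grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null || true)
    if [ -n "$leftovers" ]; then
        echo "FAIL phpinfo() page in web root: $leftovers"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

Source the file and call audit_lighttpd_php "" as root on the server; a return status of 0 means no findings.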
7. Secure Lighttpd
To secure the web server, add a Let’s Encrypt TLS certificate and enable HTTPS.
Install Let’s Encrypt.
# apt install -y certbot
Request a certificate. Make sure to change build.example.com to your server’s domain name.
# certbot certonly --webroot -w /var/www/html/ -d build.example.com
The wizard asks for your email address, asks you to agree to the terms of service, and asks if you want to be part of the Electronic Frontier Foundation.
Enable the Lighttpd ssl module.
# lighttpd-enable-mod ssl
Edit the Lighttpd SSL configuration.
# nano /etc/lighttpd/conf-enabled/10-ssl.conf
Replace the entire $SERVER["socket"] section with the following. Change build.example.com in four places to your server’s domain name.
$HTTP["scheme"] == "http" {
    $HTTP["host"] == "build.example.com" {
        url.redirect = ("/.*" => "https://build.example.com$0")
    }
}
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/build.example.com/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/build.example.com/privkey.pem"
    ssl.cipher-list = "HIGH"
}
Save the file and then restart lighttpd.
# service lighttpd restart
Visit http://build.example.com to ensure it now redirects to https://build.example.com and uses the SSL certificate.
8. Update the Server
After ensuring the configuration is correct, update the Ubuntu server with the latest patches.
# apt update -y && apt dist-upgrade -y && apt autoremove -y
Reboot the server to apply the updates.
# reboot now
9. More Settings
As well as creating a unique PHP FPM pool, it’s also possible to change settings to further optimize for performance and speed. These settings are in the pool configuration file in the /etc/php/8.0/fpm/pool.d directory. The main setting that is often changed is the pm setting, which controls how the processes get created, be it dynamic, static or ondemand. Altering this also affects other settings in the file. As with any application, the proper server settings depend on the intended use, load, and configuration.
Conclusion
Lighttpd is a robust and simple web server that, when integrated with PHP and MariaDB, serves thousands of requests with a minimal footprint. Securing it with Let’s Encrypt is simple and easy and adds another layer of protection for you and your visitors.