In this tutorial we’ll walk through the steps of enabling SSL (HTTPS) for the WordPress admin panel when using Lighttpd as the web server. The tutorial has two stages: the first enables SSL at the Lighttpd level and the second at the WordPress level.
Lighttpd Setup
The first thing to do is to check that your lighttpd build supports SSL. This should be the case for most distros. Look for the (ssl) after the version string.
$ lighttpd -v
lighttpd/1.4.26 (ssl) - a light and fast webserver
Build-Date: Jul 17 2010 15:02:18
We’ll generate a self-signed SSL certificate using openssl.
/etc/lighttpd$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout server.pem -out server.pem -days 365 -nodes
It will ask you to provide some details. You should specify your domain name in the Common Name field. If you would like to use the certificate for multiple subdomains (like guyrutenberg.com and www.guyrutenberg.com), you can use a wildcard, e.g. *.guyrutenberg.com.
Now change the permissions of the certificate file so that it is read-only and accessible only by the root user:
/etc/lighttpd$ sudo chmod 0400 server.pem
Now you’re ready to enable SSL in Lighttpd’s configuration. Edit /etc/lighttpd/lighttpd.conf and insert the following section:
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"
}
Now make sure you didn’t make any typing or copying mistakes (the first command below only checks the configuration syntax) and restart the lighttpd service.
$ lighttpd -tf /etc/lighttpd/lighttpd.conf
$ sudo /etc/init.d/lighttpd restart
Now everything should be set correctly. However, if you experience the following error (happened on my Ubuntu box)
* Starting web server lighttpd
2010-12-03 08:30:05: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
...fail!
you should add the following lines to the socket section you’ve added to lighttpd.conf:
ssl.use-sslv2 = "enable"
ssl.cipher-list = "TLSv1+HIGH RC4+MEDIUM !SSLv2 !3DES !aNULL @STRENGTH"
The workaround was taken from here.
Last, but not least, don’t forget to let HTTPS (port 443) through your firewall.
$ sudo ufw allow https
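Before restarting lighttpd it is worth verifying the things the steps above rely on. The following pre-flight script is an added example, not part of the original post and not a lighttpd tool. It checks the (ssl) marker in the version line, that the PEM file holds both the private key and the certificate (the openssl command above writes both into server.pem because ssl.pemfile expects a single file), that the file mode is 0400, and that lighttpd.conf has a :443 socket block with ssl.engine enabled and an ssl.pemfile line. The sample PEM and configuration it builds are constructed placeholders with no real key material, and all function names are my own.

```shell
#!/bin/sh
# Pre-flight checks for the lighttpd side of the setup (added example).
# Every check returns 0 on success and 1 on failure.

# 1. Does the build support SSL?  Pass the first line of `lighttpd -v`.
lighttpd_has_ssl() {
  case "$1" in
    *"(ssl)"*) return 0 ;;
    *)         return 1 ;;
  esac
}

# 2. Does the PEM file hold both a private key and a certificate?
#    Matches "BEGIN RSA PRIVATE KEY" as well as the PKCS#8 "BEGIN PRIVATE KEY".
pem_complete() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 3. Is the PEM file readable only by its owner (the chmod 0400 from above)?
#    GNU stat first, BSD stat as a fallback.
pem_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "400" ]
}

# 4. Does the config contain a ":443" socket block with ssl.engine = "enable"
#    and an ssl.pemfile line?  awk tracks whether we are inside that block so
#    that SSL settings elsewhere in the file are not counted.
config_ssl_socket_ok() {
  awk '
    /\$SERVER\["socket"\][ \t]*==[ \t]*":443"/ { inblk = 1 }
    inblk && /ssl\.engine[ \t]*=[ \t]*"enable"/   { engine = 1 }
    inblk && /ssl\.pemfile[ \t]*=/                { pem = 1 }
    inblk && /^[ \t]*}/                           { inblk = 0 }
    END { exit (engine && pem) ? 0 : 1 }
  ' "$1"
}

# Run all checks: $1 = PEM path, $2 = config path, $3 = `lighttpd -v` line.
preflight() {
  lighttpd_has_ssl "$3"     || { echo "lighttpd built without SSL"; return 1; }
  pem_complete "$1"         || { echo "$1: missing key or certificate"; return 1; }
  pem_mode_ok "$1"          || { echo "$1: mode is not 0400"; return 1; }
  config_ssl_socket_ok "$2" || { echo "$2: no SSL socket block for :443"; return 1; }
  echo "preflight ok"
}

# Constructed sample files (placeholders only, no real key material) so the
# script can be run without touching a live /etc/lighttpd.
make_samples() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
    '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
    'placeholder' '-----END CERTIFICATE-----' > "$dir/server.pem"
  chmod 0400 "$dir/server.pem"
  printf '%s\n' 'server.port = 80' '$SERVER["socket"] == ":443" {' \
    '    ssl.engine = "enable"' "    ssl.pemfile = \"$dir/server.pem\"" '}' \
    > "$dir/lighttpd.conf"
  echo "$dir"
}

SAMPLES=$(make_samples)
preflight "$SAMPLES/server.pem" "$SAMPLES/lighttpd.conf" \
  "lighttpd/1.4.26 (ssl) - a light and fast webserver"
```

On a real box, replace the sample paths with /etc/lighttpd/server.pem and /etc/lighttpd/lighttpd.conf and pass the output of lighttpd -v; a failing check names the file and the reason so it can be fixed before the restart.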
WordPress Setup
This part is pretty short. Basically you have two options:
- Enabling SSL for the whole admin session.
- Enabling SSL only for login.
The former is more secure, while the latter is lighter on the server performance-wise. I would recommend the former, unless you find it very slow. Enabling SSL for the whole session can be done by adding the following line
define('FORCE_SSL_ADMIN', true);
to your wp-config.php. Enabling SSL only for login is done by adding
define('FORCE_SSL_LOGIN', true);
instead.
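Since the two constants are easy to leave commented out or set in the wrong case, here is a small checker that reads a wp-config.php and reports which of the two modes is in effect. It is an added example, not part of the original post or of WordPress. It assumes each define is on its own line in the usual define('NAME', true); form with single or double quotes, skips lines commented out with // or #, and follows PHP in taking the first definition of a constant; the sample config files it creates are constructed, and the function names are my own.

```shell
#!/bin/sh
# Report which WordPress SSL constant is in effect in a wp-config.php
# (added example). Prints "admin", "login" or "none".

# Print the value of a boolean define ("true"/"false") or "unset".
# Comment lines are dropped first; PHP keeps the first definition of a
# constant, so the first match wins.  Case is normalised (TRUE -> true).
wp_define_value() {
  grep -Ev '^[[:space:]]*(//|#)' "$1" \
    | sed -n "s/.*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\([A-Za-z]*\)[[:space:]]*).*/\1/p" \
    | head -n 1 | tr 'A-Z' 'a-z' | grep . || echo unset
}

# "admin" when the whole admin session is forced over SSL, "login" when only
# the login is, "none" otherwise.  FORCE_SSL_ADMIN is checked first because
# it is the stronger of the two settings.
wp_ssl_mode() {
  if   [ "$(wp_define_value "$1" FORCE_SSL_ADMIN)" = true ]; then echo admin
  elif [ "$(wp_define_value "$1" FORCE_SSL_LOGIN)" = true ]; then echo login
  else echo none
  fi
}

# Constructed sample configs (not real site files) covering each case,
# including a commented-out define and an upper-case TRUE.
make_wp_samples() {
  dir=$(mktemp -d)
  printf '%s\n' '<?php' "define('DB_NAME', 'wordpress');" \
    "define('FORCE_SSL_ADMIN', true);" > "$dir/admin.php"
  printf '%s\n' '<?php' "// define('FORCE_SSL_ADMIN', true);" \
    'define("FORCE_SSL_LOGIN", TRUE);' > "$dir/login.php"
  printf '%s\n' '<?php' "define('FORCE_SSL_ADMIN', false);" > "$dir/none.php"
  echo "$dir"
}

WP_SAMPLES=$(make_wp_samples)
for f in admin login none; do
  echo "$f.php: $(wp_ssl_mode "$WP_SAMPLES/$f.php")"
done
```

Point wp_ssl_mode at the real wp-config.php to confirm the setting you intended actually survived editing.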
If you’ve followed along so far, you should be done and able to access your WordPress admin panel securely.
Further resources:
http://redmine.lighttpd.net/wiki/1/Docs:SSL
http://codex.wordpress.org/Administration_Over_SSL