In this tutorial, we’ll walk through the steps of enabling SSL (https) for the WordPress admin panel when using Lighttpd as a web server. The tutorial consists of two stages: the first is enabling SSL at the Lighttpd level, and the second is at the WordPress level.
Lighttpd Setup
The first thing to do is check that your lighttpd build supports SSL; most distro packages do. Look for the (ssl) after the version string in the output below. If it is missing, the binary was built without OpenSSL and you will need a different package before continuing.
$ lighttpd -v
lighttpd/1.4.26 (ssl) - a light and fast webserver
Build-Date: Jul 17 2010 15:02:18
We’ll generate a self-signed SSL certificate using openssl. The command below writes the private key and the certificate into a single file, which is the layout lighttpd’s ssl.pemfile expects, and -nodes leaves the key unencrypted so lighttpd can start without a passphrase prompt.
/etc/lighttpd$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout server.pem -out server.pem -days 365 -nodes
It will ask you to provide some details. Specify your domain name in the Common Name field. A wildcard such as *.guyrutenberg.com matches www.guyrutenberg.com and any other single-label subdomain, but it does not match the bare guyrutenberg.com; to cover both names in one certificate you need a subjectAltName extension listing each of them. Browsers will warn about a self-signed certificate until you import it or replace it with one issued by a CA; that is expected.
Because server.pem now contains the private key, restrict it so that only root can read it. lighttpd reads the file while it is still running as root, before dropping privileges to its service user, so mode 0400 with root ownership (which sudo already gave the file) is sufficient:
/etc/lighttpd$ sudo chmod 0400 server.pem
Now you’re ready to enable SSL in the Lighttpd configuration. Edit /etc/lighttpd/lighttpd.conf and insert the following section, which adds a second listener on port 443 with SSL enabled:
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"
}
Now check the configuration for typing/copying mistakes (-t tests the file given with -f for syntax errors without starting the server), then restart the lighttpd service.
$ lighttpd -tf /etc/lighttpd/lighttpd.conf
$ sudo /etc/init.d/lighttpd restart
Now everything should be set correctly. However, if you experience the following error (this happened on my Ubuntu box):
* Starting web server lighttpd
2010-12-03 08:30:05: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
...fail!
you can add the following lines to the socket section you added to lighttpd.conf:
ssl.use-sslv2 = "enable"
ssl.cipher-list = "TLSv1+HIGH RC4+MEDIUM !SSLv2 !3DES !aNULL @STRENGTH"
The workaround was taken from here. Treat it as a compatibility fix for that particular build rather than a recommended setting: ssl.use-sslv2 = "enable" allows SSLv2 handshakes, a protocol with known weaknesses, and RC4 has since been prohibited for use in TLS (RFC 7465). If your build starts without the error, leave SSLv2 disabled and drop RC4 from ssl.cipher-list.
Last, but not least, don’t forget to let HTTPS (port 443) through your firewall.
$ sudo ufw allow https
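The steps above, plus the subjectAltName caveat from the certificate section, as one script. This is an added example and not part of the original post: it assumes the domain example.com, the configuration directory /etc/lighttpd, a lighttpd 1.4.30 or later with ssl.honor-cipher-order, and an OpenSSL build that offers AES-GCM suites. Unlike the one-liner above it writes key and certificate to separate temporary files and concatenates them, so it does not rely on openssl appending to an existing output file. Run it without arguments for a dry run that only prints the socket block; run `sudo sh wp-ssl.sh install` on the server to generate the certificate, append the block to lighttpd.conf and test the configuration.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a self-signed
# certificate whose SANs cover both the bare domain and www, installs it
# root-only for lighttpd, and emits a :443 socket block without the
# SSLv2/RC4-era settings. Assumed names: example.com, /etc/lighttpd.
set -eu

DOMAIN="${DOMAIN:-example.com}"           # assumption: override with DOMAIN=...
CONF_DIR="${CONF_DIR:-/etc/lighttpd}"     # assumption: override with CONF_DIR=...
PEM="$CONF_DIR/server.pem"

# openssl request config. A wildcard *.example.com does not match the bare
# example.com, so both names are listed explicitly as subjectAltNames.
san_config() {
    domain="$1"
    cat <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $domain
[ext]
subjectAltName = DNS:$domain, DNS:www.$domain
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Generate key + certificate into one PEM (the layout ssl.pemfile expects).
# -nodes leaves the key unencrypted so lighttpd starts unattended, hence the
# umask and the final chmod 0400: the key is never world-readable, even briefly.
gen_cert() {
    pem="$1"; domain="$2"
    work=$(mktemp -d)
    san_config "$domain" > "$work/req.cnf"
    (
        umask 077
        openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
            -config "$work/req.cnf" -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
        cat "$work/key.pem" "$work/cert.pem" > "$pem"
    )
    rm -rf "$work"
    chmod 0400 "$pem"
}

# Print the SAN line of the certificate so the caller can confirm both names.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# The :443 listener. Cipher list assumed to be available on the OpenSSL build;
# it excludes RC4, 3DES, MD5 and anonymous suites.
socket_block() {
    pem="$1"
    cat <<EOF
\$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "$pem"
    ssl.cipher-list = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"
    ssl.honor-cipher-order = "enable"
}
EOF
}

case "${1:-}" in
    install)   # run as root on the server
        gen_cert "$PEM" "$DOMAIN"
        echo "certificate SANs: $(cert_sans "$PEM")"
        socket_block "$PEM" >> "$CONF_DIR/lighttpd.conf"
        lighttpd -tf "$CONF_DIR/lighttpd.conf"   # syntax check before restarting
        ;;
    *)         # no argument: dry run, only print the socket block
        socket_block "$PEM"
        ;;
esac
```

Writing the key with umask 077 inside a subshell keeps the restrictive mask local to the generation step; the rest of the script, and the shell you sourced it from, keep their normal umask.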
WordPress Setup
This part is pretty short. Basically, you have two options:
- Enabling SSL for the whole admin session.
- Enabling SSL only for login.
The former is more secure: with SSL only for login your password is protected, but the authentication cookies WordPress sets afterwards travel over plain HTTP for the rest of the admin session, where anyone on the network path can capture and replay them. The latter is easier on server performance. I would recommend the former unless you find it very slow. Enabling SSL for the whole session can be done by adding the following line
define('FORCE_SSL_ADMIN', true);
to your wp-config.php, above the "That's all, stop editing!" comment so that it is defined before wp-settings.php is loaded. Enabling SSL only for login is done by adding
define('FORCE_SSL_LOGIN', true);
instead. Note that FORCE_SSL_LOGIN was deprecated in WordPress 4.0; current versions treat it as FORCE_SSL_ADMIN, so on them only the first option remains.
If you’ve followed along so far, you should be done and able to access your WordPress admin panel in a secure manner.
Further resources:
http://redmine.lighttpd.net/wiki/1/Docs:SSL
http://codex.wordpress.org/Administration_Over_SSL