From ba8f3e6af057e414a8fdc1dad63b020e7d67b741 Mon Sep 17 00:00:00 2001 From: John Berninger Date: Sun, 14 Jun 2020 16:16:55 -0400 Subject: [PATCH 1/3] Add commented-out HTTPS configuration section In recent versions of Firefox and (especially) Chrome, ".dev" domains are force-redirected to a secure connection (HTTPS) instead of HTTP. Not supporting an HTTPS connection makes for a bad user experience, so we want to make enabling SSL support easy. Since we don't issue certificates, this section is commented out by default, and it will require modification. This is done primarily for PiAware, though it is applicable to just the Dump1090 project.
---
 debian/lighttpd/89-dump1090-fa.conf | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/debian/lighttpd/89-dump1090-fa.conf b/debian/lighttpd/89-dump1090-fa.conf
index 287fd4f..7446e3d 100644
--- a/debian/lighttpd/89-dump1090-fa.conf
+++ b/debian/lighttpd/89-dump1090-fa.conf
@@ -25,3 +25,31 @@ server.modules += ( "mod_setenv" )
 $HTTP["url"] =~ "^/dump1090-fa/data/.*\.json$" {
 setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )
 }
+
+# Uncomment this section to enable SSL traffic (HTTPS) - especially useful
+# for .dev domains
+## Listen on 8443 for SSL connections
+#$HTTP["host"] == "piaware.example.com" {
+# $SERVER["socket"] == ":8443" {
+# ssl.engine = "enable"
+# ssl.pemfile = "/root/ssl_certificate/combined.pem"
+# ssl.ca-file = "/root/ssl_certificate/fullchain.cer"
+# ssl.honor-cipher-order = "enable"
+# ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
+# ssl.use-sslv2 = "disable"
+# ssl.use-sslv3 = "disable"
+#
+# alias.url += (
+# "/data/" => "/run/dump1090-fa/",
+# "/" => "/usr/share/dump1090-fa/html/"
+# )
+# }
+#
+# # Redirect HTTP to HTTPS
+# $HTTP["scheme"] == "http" {
+# $HTTP["host"] =~ ".*" {
+# url.redirect = (".*" => "https://%0$0")
+# }
+# }
+#}
+
From d3658b9fe6fd4dad22cc0c5e5484deb0b90341d1 Mon Sep 17 00:00:00 2001
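Review bot: In the PATCH 1/3 hunk, the commented ssl block only switches off SSLv2 and SSLv3, so TLS 1.0 and 1.1 remain negotiable wherever the linked OpenSSL still permits them, and the last two entries of `ssl.cipher-list` (`AES256+EECDH:AES256+EDH`) re-admit CBC suites next to the AES-GCM ones. Because users will uncomment this section as written, I would add a protocol floor, `#    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")` (it needs a lighttpd/OpenSSL build that supports the option, so confirm against the packaged version), and trim the list to `"EECDH+AESGCM:EDH+AESGCM"`. The EDH entries also depend on whatever DH parameters lighttpd falls back to, since no `ssl.dh-file` is set; either add one to the example or drop the EDH entries.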
From: John Berninger Date: Sun, 14 Jun 2020 16:33:11 -0400 Subject: [PATCH 2/3] Add mod_openssl module to avoid warning
---
 debian/lighttpd/89-dump1090-fa.conf | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/debian/lighttpd/89-dump1090-fa.conf b/debian/lighttpd/89-dump1090-fa.conf
index 7446e3d..eac6250 100644
--- a/debian/lighttpd/89-dump1090-fa.conf
+++ b/debian/lighttpd/89-dump1090-fa.conf
@@ -29,6 +29,7 @@ $HTTP["url"] =~ "^/dump1090-fa/data/.*\.json$" {
 # Uncomment this section to enable SSL traffic (HTTPS) - especially useful
 # for .dev domains
 ## Listen on 8443 for SSL connections
+#server.modules += ( "mod_openssl" )
 #$HTTP["host"] == "piaware.example.com" {
 # $SERVER["socket"] == ":8443" {
 # ssl.engine = "enable"
@@ -44,12 +45,12 @@ $HTTP["url"] =~ "^/dump1090-fa/data/.*\.json$" {
 # "/" => "/usr/share/dump1090-fa/html/"
 # )
 # }
+#}
 #
-# # Redirect HTTP to HTTPS
-# $HTTP["scheme"] == "http" {
-# $HTTP["host"] =~ ".*" {
-# url.redirect = (".*" => "https://%0$0")
-# }
+## Redirect HTTP to HTTPS
+#$HTTP["scheme"] == "http" {
+# $HTTP["host"] =~ ".*" {
+# url.redirect = (".*" => "https://%0$0")
 # }
 #}
From ae12414eedf88c19cf8784e14b10c870e4f70ea9 Mon Sep 17 00:00:00 2001 From: John Berninger Date: Tue, 16 Jun 2020 08:17:26 -0400 Subject: [PATCH 3/3] Change SSL certificate and chain location example
---
 debian/lighttpd/89-dump1090-fa.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/lighttpd/89-dump1090-fa.conf b/debian/lighttpd/89-dump1090-fa.conf
index eac6250..e8fad4e 100644
--- a/debian/lighttpd/89-dump1090-fa.conf
+++ b/debian/lighttpd/89-dump1090-fa.conf
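Review bot: The redirect rule that the second hunk of PATCH 2/3 moves out of the host block (it first appears in PATCH 1/3 with the same target) takes its destination from the client-supplied Host header, since `%0` is the `$HTTP["host"] =~ ".*"` match, and it names no port. At top level it now applies to every hostname, the Host value sent by the client decides where the `Location` header points, and an ordinary client is sent to port 443 although the TLS listener in the same section is on `:8443`. Pinning host and port addresses both: `#    url.redirect = ("^/(.*)" => "https://piaware.example.com:8443/$1")`, guarded by `$HTTP["host"] == "piaware.example.com"` in place of the `".*"` match. `url.redirect` also needs `mod_redirect` loaded, which these hunks do not show; a commented `server.modules` line like the `mod_openssl` one would make that explicit.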
@@ -33,8 +33,8 @@ $HTTP["url"] =~ "^/dump1090-fa/data/.*\.json$" {
 #$HTTP["host"] == "piaware.example.com" {
 # $SERVER["socket"] == ":8443" {
 # ssl.engine = "enable"
-# ssl.pemfile = "/root/ssl_certificate/combined.pem"
-# ssl.ca-file = "/root/ssl_certificate/fullchain.cer"
+# ssl.pemfile = "/etc/ssl/certs/combined.pem"
+# ssl.ca-file = "/etc/ssl/certs/fullchain.cer"
 # ssl.honor-cipher-order = "enable"
 # ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
 # ssl.use-sslv2 = "disable"
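Review bot: The new `ssl.pemfile` example in PATCH 3/3 points at `/etc/ssl/certs/`, a directory that on Debian-family systems is world-readable and intended for public certificates, while `combined.pem` presumably carries the private key together with the certificate. Someone copying the example is likely to leave the key readable by every local account. I would point the key material at the private directory instead, `#    ssl.pemfile = "/etc/ssl/private/combined.pem"`, and add a comment line stating that the file should be owned by root with mode 0600; `ssl.ca-file` can stay under `/etc/ssl/certs/`. The enclosing `$SERVER["socket"]` block continues past the end of this hunk.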