Configuring multiple shared folders with Lighttpd on GNU/Linux

In a previous article, I explained how to install Lighttpd and share files over HTTP. You can read that guide here. Recently, I needed to share two separate directories, each protected by its own authentication credentials. In this article, I will walk you through the configuration step by step; as you will see, it requires a few subtle adjustments.

Installing Lighttpd

Start by installing Lighttpd and preparing the directories you want to share.

  • Install Lighttpd:
root@host:~# apt-get install lighttpd
  • Create the shared directories:
root@host:~# mkdir /var/www/upload1
root@host:~# mkdir /var/www/upload2
  • Set the correct ownership:
root@host:~# chown -R www-data:www-data /var/www/upload1
root@host:~# chown -R www-data:www-data /var/www/upload2
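  • Create the authentication files (the "plain" backend reads passwords stored in clear text, so keep these files unreadable by other local users):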
root@host:~# echo "user1:PASSWORD1" > /etc/lighttpd/upload1-plain.user
root@host:~# echo "user2:PASSWORD2" > /etc/lighttpd/upload2-plain.user

Edit the Lighttpd configuration file

Next, open the Lighttpd configuration file to define the access rules and enable directory-specific authentication. Basic authentication over plain HTTP (port 80, as configured here) sends the credentials unencrypted.

  • Edit the file /etc/lighttpd/lighttpd.conf
server.modules = (
        "mod_indexfile",
        "mod_access",
        "mod_alias",
        "mod_redirect",
        "mod_auth",
        "mod_authn_file"
)

auth.backend = "plain"

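#UPLOAD1 (http://X.X.X.X/)
# Match every path outside /upload2: a "^/$" pattern would only cover the
# listing at "/" and leave the files below it reachable without credentials.
$HTTP["url"] !~ "^/upload2($|/)" {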
        auth.backend.plain.userfile = "/etc/lighttpd/upload1-plain.user"
        auth.require = ( "" =>
                (
                "method" => "basic",
                "realm" => "Auth",
                "require" => "valid-user"
                )
        )
}
#UPLOAD2 (http://X.X.X.X/upload2)
$HTTP["url"] =~ "^/upload2($|/)" {
        auth.backend.plain.userfile = "/etc/lighttpd/upload2-plain.user"
        server.dir-listing          = "enable"
        alias.url = ( "/upload2" => "/var/www/upload2/" )
        auth.require = ( "" =>
                (
                "method" => "basic",
                "realm" => "Auth",
                "require" => "valid-user"
                )
        )
}

#UPLOAD1 (DEFAULT)
server.document-root        = "/var/www/upload1/"
server.dir-listing          = "enable"
dir-listing.encoding = "utf-8"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80

# features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
server.feature-flags       += ("server.h2proto" => "enable")
server.feature-flags       += ("server.h2c"     => "enable")
server.feature-flags       += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags       += ("server.graceful-restart-bg" => "enable")

# strict parsing and normalization of URL for consistency and security
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
#  if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
  "header-strict"           => "enable",# default
  "host-strict"             => "enable",# default
  "host-normalize"          => "enable",# default
  "url-normalize-unreserved"=> "enable",# recommended highly
  "url-normalize-required"  => "enable",# recommended
  "url-ctrls-reject"        => "enable",# recommended
  "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "enable",
  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "enable",
 #"url-query-20-plus"       => "enable",# consistency in query string
)

index-file.names            = ( "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"

#server.compat-module-load   = "disable"
server.modules += (
        "mod_dirlisting",
        "mod_staticfile",
)
  • Restart the Lighttpd service to apply the changes:
root@host:~# systemctl restart lighttpd.service
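
The following is an added example, not part of the original article: a POSIX shell script that models the URL conditionals with grep -E to show which credentials file guards a given request path. It compares an UPLOAD1 condition written as =~ "^/$" with one written as !~ "^/upload2($|/)"; the function names, mode names and sample paths are constructed for illustration, and grep -E is assumed to behave like Lighttpd's regex engine for these simple patterns.

```shell
#!/bin/sh
# Added example: which auth block covers which request path?
# Names and sample paths below are constructed for illustration.

UPLOAD2_RE='^/upload2($|/)'

# matches PATH REGEX -> exit status 0 when PATH matches REGEX
matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# guard_for MODE PATH -> prints upload1, upload2 or none
#   root-only : UPLOAD1 block written as  $HTTP["url"] =~ "^/$"
#   negated   : UPLOAD1 block written as  $HTTP["url"] !~ "^/upload2($|/)"
guard_for() {
    mode=$1 path=$2
    if matches "$path" "$UPLOAD2_RE"; then
        echo upload2
        return 0
    fi
    case $mode in
        root-only) if matches "$path" '^/$'; then echo upload1; else echo none; fi ;;
        negated)   echo upload1 ;;
        *)         echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# unguarded MODE PATH... -> prints every path that no auth block covers
unguarded() {
    mode=$1; shift
    for p in "$@"; do
        if [ "$(guard_for "$mode" "$p")" = none ]; then echo "$p"; fi
    done
    return 0
}

# Constructed sample request paths, including a look-alike prefix (/upload2x)
SAMPLES='/ /report.pdf /docs/ /upload2 /upload2/ /upload2/a.txt /upload2x/a.txt'

for mode in root-only negated; do
    echo "== UPLOAD1 condition: $mode"
    for p in $SAMPLES; do
        printf '%-18s %s\n' "$p" "$(guard_for "$mode" "$p")"
    done
done
```

Paths reported as "none" are served from the document root without any credential prompt; on a running server the same paths can be confirmed by checking that an unauthenticated request returns 401.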