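# lighttpd configuration: static/PHP front end with TLS on :443, a blanket
# redirect from :80 to https, and a fixed set of security response headers.
server.modules = (
    "mod_access",
    "mod_alias",
    "mod_compress",
    "mod_redirect",
    "mod_setenv",
    "mod_accesslog"
)

accesslog.use-syslog = "enable"

server.document-root = "/var/www/html"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
# Worker process drops to this unprivileged account after binding the sockets.
server.username = "www-data"
server.groupname = "www-data"
server.port = 80

index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
# Editor backup files ("~") and PHP include fragments (".inc") are never served.
url.access-deny = ( "~", ".inc" )
# Script sources must go through their handler, never be delivered as plain files.
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    # chain.pem holds the issuer chain; combined.pem must contain the private
    # key and leaf certificate and should be readable only by root/www-data.
    ssl.ca-file = "/etc/letsencrypt/live/your-site-name-here.com/chain.pem"
    ssl.pemfile = "/etc/letsencrypt/live/your-site-name-here.com/combined.pem"
    # Server preference wins over the client's ordering, so the list below is
    # read top-down as most-preferred first.
    ssl.honor-cipher-order = "enable"
    # The following is OPTIONAL
    # Fix: the previous list mixed in names that do not exist in OpenSSL
    # (e.g. "*-SHA128", "AES128-GCM-SHA384"), repeated entries, and kept the
    # 3DES suite DES-CBC3-SHA. This is the Mozilla "intermediate" AEAD set;
    # every entry is a real OpenSSL cipher name. GCM/CHACHA20 suites exist
    # only in TLS 1.2+, so TLS 1.0/1.1 clients will no longer negotiate.
    ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
    # These two only cover SSLv2/SSLv3. On lighttpd >= 1.4.48 the protocol floor
    # can be pinned explicitly instead:
    #   ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
}

$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ "(.*)" {
        # %1 echoes whatever Host header the client sent. If this server has a
        # single canonical name, prefer writing it literally here so a forged
        # Host cannot steer the redirect target.
        url.redirect = ( "^/(.*)" => "https://%1/$1" )
        # 308 preserves the request method (a 301 would turn POST into GET).
        url.redirect-code = 308
    }
}

# Set HSTS for six months including all subdomains
# 15768000 s = 182.5 days. Once clients have cached this, every subdomain must
# also be reachable over TLS or it becomes unreachable for those clients.
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "X-Frame-Options" => "DENY")
    setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=15768000; includeSubdomains" )
    # Legacy header; current browsers ignore it. Kept for older clients.
    setenv.add-response-header += ("X-XSS-Protection" => "1; mode=block")
    setenv.add-response-header += ("X-Content-Type-Options" => "nosniff")
    # Note: no default-src / base-uri / frame-ancestors here, so only script and
    # plugin sources are restricted; other resource types are unconstrained.
    setenv.add-response-header += ("Content-Security-Policy" => "script-src 'self'; object-src 'self'")
    setenv.add-response-header += ("X-Permitted-Cross-Domain-Policies" => "none")
}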