As the name implies, the main advantage of lighttpd over Apache2 and Nginx is the lower resource usage, making it suitable for handling high traffic with less memory and CPU usage.

Because of its weight, it is the recommended web server t run on a Raspberry Pi Zero, even though any of them would work but the performance might vary.


INSTALLING WEB SERVER PLUS PHP

sudo apt update && sudo apt upgrade -y
sudo apt install lighttpd -y
sudo apt install php7.4 php7.4-fpm php7.4-mysql php7.4-cli php7.4-curl php7.4-xml curl -y
sudo nano /etc/php/7.4/fpm/pool.d/www.conf
;listen = /run/php/php7.4-fpm.sock
listen = 127.0.0.1:9000
                #"bin-path" => "/usr/bin/php-cgi",
                #"socket" => "/var/run/lighttpd/php.socket",
                "host" => "127.0.0.1",
                "port" => "9000",
sudo lighty-enable-mod fastcgi
sudo lighty-enable-mod fastcgi-php
sudo systemctl restart lighttpd php7.4-fpm
rm /var/www/html/index.lighttpd.html
echo '<?php echo "HTTP_HOST: " . $_SERVER["HTTP_HOST"] . " SERVER_NAME: " . $_SERVER["SERVER_NAME"] ?>' | sudo tee /var/www/html/index.php
sudo chown -R www-data: /var/www/html/ && sudo chmod -R 755 /var/www/html/

At this point, any HTTP request to this server will be server with the same page. Consider using Virtual Hosts to server multiple sites based on its Host header.


SETTING A VIRTUAL HOST

sudo nano /etc/lighttpd/lighttpd.conf
...
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include_shell "cat /etc/lighttpd/vhosts.d/*.conf"
include "/etc/lighttpd/conf-enabled/*.conf"
...
sudo mkdir -p /etc/lighttpd/vhosts.d/
sudo nano /etc/lighttpd/vhosts.d/localhost.conf
$HTTP["host"] =~ "(^|.)localhost$" {
    server.document-root = "/var/www/html/localhost"
}
sudo mkdir -p /var/www/html/localhost
echo 'VHOST: localhost' | sudo tee /var/www/html/localhost/index.html
sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf && sudo systemctl restart lighttpd.service
curl http://127.0.0.1
curl http://localhost

While the first request is served with the default site, the second request will be server with a different content.


DEPLOYING A SELF-SIGNED CERTIFICATE

Replace the fake domain example.com accordingly.

sudo mkdir -p /etc/lighttpd/ssl/example.com
cd /etc/lighttpd/ssl/example.com
sudo apt install lighttpd-mod-openssl -y
sudo lighttpd-enable-mod ssl
sudo openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
sudo nano /etc/lighttpd/conf-enabled/10-ssl.conf
# /usr/share/doc/lighttpd/ssl.txt
server.modules += ( "mod_openssl" )
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/ssl/domain.com/server.pem"
        ssl.cipher-list = "HIGH"
}
sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf && sudo systemctl restart lighttpd.service

ISSUING A FREE PUBLIC CERTIFICATE

Replace the fake domain example.com with a real public domain that has a record that points to the webs server.

add-apt-repository ppa:certbot/certbot && sudo apt install certbot -y
sudo lighttpd-enable-mod ssl
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
ls -l /etc/letsencrypt/live/example.com
sudo nano /etc/lighttpd/lighttpd.conf
# /usr/share/doc/lighttpd/ssl.txt
server.modules += ( "mod_openssl" )
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/example.com/fullchain.pem"
        ssl.privkey = "/etc/letsencrypt/live/example.com/privkey.pem"
        ssl.cipher-list = "HIGH"
}
sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf && sudo systemctl restart lighttpd.service

RENEWING THE PUBLIC CERTIFICATE

Certbot (that used Let’s Encrypt) does not automatically renew he free 90 days public certificates.

Follows the manual renewal command that can be easily scheduled to periodically happens as a cronjob:

sudo certbot renew --force-renewal -d example.com -d www.example.com

BONUS

Reverse proxy for a VHOST:

$HTTP["host"] =~ "(^|.)example.com$" {
    proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 8080 ) ) )
}

Reverse proxy for a PATH rewriting the HEADER:

$HTTP["url"] =~ "(^/path)" {
    proxy.header = ( "map-urlpath" => ( "/path" => "/") )
    proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 8080 ) ) )
}

Another way of creating a self-signed certificate would be:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

Note: the different file output format.


REFLECTIONS

Lighttpd is a powerful lightweight web server very suitable to run with minimal resources. If that is the case, I would recommend to keep it behind a reverse proxy that terminates the SSL/TLS certificate to offload the server. A CDN provider, such as Cloud Flare, would not only serve as a shield for many types threats but would also terminate the encrypted connections.

Do not forget to enable and minimise the firewall rules to the bare minimum necessary. If for instance a CDN is used, whitelist connections to restricts connections only from the CDN vendor’s network.

For web sites that contains sensitive information or requires end-to-end encryption because it uses passwords, for example, it is recommended to at least offer a self-signed certificate.