Lighttpd, also known as Lighty, is an open-source web server with a small footprint, and when installed alongside PHP and MySQL or MariaDB it can serve millions of connections reliably. Lighty also has many modules that extend its capabilities.
This document walks you through the installation of lighttpd from the core Ubuntu distribution and then explains how to update it to the latest version. It also covers installing PHP, securing PHP with an FastCGI Process Manager (FPM) pool, installing MariaDB, and securing the web server with an SSL certificate from Let's Encrypt.
A fresh Vultr Ubuntu 20.04 LTS x64 server instance
SSH, HTTP, and HTTPS connectivity to the instance
A DNS record that points to the IP address of the instance. This document uses build.example.com.
To support PHP's latest version, add the public repository hosted by one of the Ubuntu and PHP developers.
# add-apt-repository -y ppa:ondrej/php
After adding the repository, update the local apt cache.
# apt update
To get the core install of lighttpd, install the apt version:
# apt install -y lighttpd
After this completes, check the version of lighttpd you have installed.
# lighttpd -v
If you are running Ubuntu 20.04 it should return lighttpd/1.4.55 (ssl) - a light and fast webserver. Ensure the installation was successful by visiting your site, such as http://build.example.com. You should get the lighttpd placeholder page.
Add a lighttpd user and group:
# groupadd lighttpd
# useradd -g lighttpd -d /var/www/html -s /sbin/nologin lighttpd
Make the lighttpd user and group the owner of the /var/www/html directory:
# chown -R lighttpd:lighttpd /var/www/html/
Alongside lighttp, install MariaDB & PHP:
# apt install -y php-{cli,gd,fpm,mysql,curl,json,xml} mariadb-server
After the installation of MariaDB, secure the MariaDB installation.
# mysql_secure_installation
Confirm the blank root password by hitting ENTER
Agree to change the password by entering Y followed by ENTER
Enter a new secure password.
Remove the anonymous user by entering Y followed by ENTER
Disallow root login by entering Y followed by ENTER
Remove the test database by entering Y followed by ENTER
Reload the privilege table by entering Y followed by ENTER
Rename the default PHP FPM Pool to align with the web server name:
# mv /etc/php/8.0/fpm/pool.d/www.conf /etc/php/8.0/fpm/pool.d/lighttpd.conf
Change the associated user and Unix socket associated with the pool by editing the configuration file:
# nano /etc/php/8.0/fpm/pool.d/lighttpd.conf
Change four lines:
Change the top line inside the brackets that sets the pool name from [www] to [lighttpd]
Change the line user = www-data to user = lighttpd
Change the line group = www-data to group = lighttpd
Change the line listen = /run/php/php8.0-fpm.sock to listen = /run/php/php8.0-lighttpd-fpm.sock
Save the file and restart the PHP FPM Service:
# service php8.0-fpm restart
Add some packages required to build the latest version of lighttpd from source code.
# apt install -y gcc libpcre3 libpcre3-dev zlib1g-dev checkinstall libssl-dev
From the command prompt, download the latest tarball for lighttpd. At the time of writing, the latest version is 1.4.59. You can find the latest download link at https://download.lighttpd.net/lighttpd/
# wget https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.59.tar.gz
Extract the tarball.
# tar xzf lighttpd-1.4.59.tar.gz
Change to the lighttpd working directory.
# cd lighttpd-1.4.59
Configure the package to include SSL and install in the /usr/sbin directory.
# ./configure --with-openssl --sbindir=/usr/sbin
After configuration, make the package and install it.
# make
# make install
Run lighttpd -v to ensure the successful installation of version 1.4.59. The command should return lighttpd/1.4.59 (ssl) - a light and fast webserver
The older 1.4.55 version packaged with Ubuntu 20.04 has a deprecated mod_compress module that you must replace with mod_deflate. To alter the module load, edit the default configuration:
# nano /etc/lighttpd/lighttpd.conf
Change the following three lines:
Change the line containing compress.cache-dir to be deflate.cache-dir
Remove the line containing compress.filetype
Change the module configuration from mod_compress to mod_deflate and save the file.
Check the configuration by running:
# /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
Enable the cgi and php modules.
# lighttpd-enable-mod fastcgi
# lighttpd-enable-mod fastcgi-php
Edit the PHP configuration.
# nano /etc/lighttpd/conf-enabled/15-fastcgi-php.conf
Remove the entire file contents and replace it with the following, which configures the php module for the sock setting you made in step 3.
fastcgi.server += ( ".php" =>
((
"socket" => "/run/php/php8.0-lighttpd-fpm.sock",
"broken-scriptfilename" => "enable"
))
)
Restart the server to take the new configuration changes:
# service lighttpd restart
Add a test PHP file to ensure that PHP is running:
# nano /var/www/html/pi.php
In the file add the following contents:
<?php phpinfo();
To check the configuration, visit http://build.example.com/pi.php and find a PHP information page. In the PHP Variables section, ensure the $_SERVER['USER'] is lighttpd.
To secure the web server, add a Let's Encrypt TLS certificate and enable HTTPS protocol.
Install Let's Encrypt.
# apt install -y certbot
Request a certificate. Make sure to change build.example.com to your server's domain name.
# certbot certonly --webroot -w /var/www/html/ -d build.example.com
The wizard asks for your email address, to agree to the terms of service, and if you want to be part of the Electronic Frontier Foundation.
Enable the Lighttpd ssl module.
# lighttpd-enable-mod ssl
Edit the Lighttpd SSL configuration.
# nano /etc/lighttpd/conf-enabled/10-ssl.conf
Replace the entire $SERVER["socket"] section with the following. Change build.example.com in four places to your server's domain name.
$HTTP["scheme"] == "http" {
$HTTP["host"] == "build.example.com" {
url.redirect = ("/.*" => "https://build.example.com$0")
}
}
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/build.example.com/fullchain.pem"
ssl.privkey = "/etc/letsencrypt/live/build.example.com/privkey.pem"
ssl.cipher-list = "HIGH"
}
Save the file and then restart lighttpd.
# service lighttpd restart
Visit http://build.example.com to ensure it now redirects to https://build.example.com and uses the SSL certificate.
After ensuring the configuration is correct, update the Ubuntu server with the latest patches.
# apt update -y && apt dist-upgrade -y && apt autoremove -y
Reboot the server to apply the updates.
# reboot now
As well as creating a unique PHP FPM pool, it's also possible to change settings to further optimize for performance and speed. These settings are in the /etc/php/8.0/fpm/pool.d configuration file. The main setting that is often changed is the pm setting, which controls how the processes get created, be it dynamic, static or ondemand. Altering this also affects other settings in the file. As with any application, the proper server settings depend on the intended use, load, and configuration.
Lighttpd is a robust and simple web server that, when integrated with PHP and MariaDB, serves thousands of requests with a minimal footprint. Securing it with Lets Encrypt is simple and easy and adds another layer of protection to you and your visitors.