# /usr/share/doc/lighttpd/ssl.txt
$SERVER["socket"] == ":80" {
}

$HTTP["scheme"] == "http" {
    # capture vhost name with regex conditiona -> %0 in redirect pattern
    # must be the most inner block to the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

$SERVER["socket"] == ":443" {
	ssl.engine  = "enable"
	ssl.pemfile = "/etc/lighttpd/ssl/lighttpd.pem"
	
	ssl.use-sslv2 = "disable"
	ssl.use-sslv3 = "disable"
	ssl.use-compression = "disable"
	ssl.honor-cipher-order = "enable"
	ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
}