Lighty delivery ssl configuration is recreated with turris update

jobus · October 29, 2023, 5:48pm

After updating my turris omnia the lighty configuration file

 /etc/lighttpd/conf.d/40-ssl-enable.conf

is written new. That’s unexpected to me; I had removed it because I configured a

 /etc/lighttpd/conf.d/40-ssl-enable-my-setup.conf

of my own instead. This happened with the latest turris update too, so I guess it is the standard behaviour. This recreation of the - as I can see normally unmodified - 40-ssl-enable.conf does hide my setup.

My question:
Is the recreation of 40-ssl-enable.conf intended or is it a bug ? If the recreation is intended, probably I have not understood how to persist my ssl configuration with lighty and I do something wrong.

Additionally I have a setup of my own for

 /etc/lighttpd/conf.d/30-proxy-my-setup.conf

and removed

 /etc/lighttpd/conf.d/30-proxy.conf

too. It is the same pattern as I used for the ssl configuration. The 30-proxy.conf is not recreated with a turris update.
I have installed Turris OS 6.4.4.
Thanks in advance.

ssdnvv · October 30, 2023, 4:04pm

Hi
Have a look inside the newly created file - it is part of a standard package and therefore will be recreated again after most of TOS upgrades. Therefore uninstall the package (which might have consequences I do not know of) and enter it as manual uninstallation to updater config. That is the official way to do it, the file will not appear again.
I deal with that a little bit different: I check after each update if the webinterface is reachable (which means lighttpd service is running so the file was not automatically recreated), and in case of no webif delete the newly created one manually and restart lighttpd. If you want to, you can put the related steps to /etc/rc.local and that way will never get bothered again as the file will be automatically deleted and lighttpd restarted.

jobus · October 30, 2023, 6:23pm

Yes, you describe the manual procedure, I have done yesterday after upgrading to 6.4.4. But I did not think of the possibility to automate that via rc.local, which is a pretty good idea.
Thank you very much for your explanation and sharing your solution; I will solve it that way

ssdnvv · October 31, 2023, 10:43am

Other solution (more straight forward):
create the following file /etc/updater/conf.d/user.lua
add the following lines

-- List below your own installed packages that updater needs to care about
Uninstall("lighttpd-https-cert")
Install("lighttpd-mod-openssl")
Install("libseccomp")

and afterwards run updater once via cli → pkgupdate.
That way the dependencies from lighttpd-https-cert, that are needed for TLS-operations, stay installed.

jobus · October 31, 2023, 5:30pm

I 'm not familiar with lua; I googled it…
Let me summarize my understanding:

With installing “lighttpd-https-cert” the dependencies
“lighttpd-mod-openssl” and “libseccomp” and the configuration file
“/etc/lighttpd/conf.d/40-ssl-enable.conf” are installed.

With your “/etc/updater/conf.d/user.lua” I get rid of the configuration file
“/etc/lighttpd/conf.d/40-ssl-enable.conf” which is probably deployed with the
installation by “lighttpd-https-cert”. But I keep the depending libs.

That’s a clean and proper solution.

system · November 3, 2023, 5:31pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.