A minimal lighttpd SSL/TLS reverse proxy
Here’s a minimal lighttpd SSL/TLS reverse proxy configuration that allows for securing the traffic to plain HTTP servers using client certificates.
For easier management, the config has been broken into two modules, the main part and a list of variables. A caveat one needs to be aware of is that even though we’re interested in lighttpd’s proxying capabilities only, we still need to configure everything as though lighttpd was going to serve plain HTTP traffic using static files, hence the need for configuring server.port and server.document-root. Whatever directory server.document-root points at is served as static files on that plain HTTP port, so it should not be the directory holding the key pair.
The config files as well as the crypto material (courtesy of the Spring Python project) being used below can also be fetched from bitbucket. Of course, being uploaded to a public site, the private key is useless outside of a development environment and should never be used for anything close to production.
Enjoy
# Include necessary modules.
server.modules = ("mod_proxy", "mod_setenv")
# Include config variables.
include "./config-variables.conf"
server.document-root = my-dummy-document-root
server.username = my-username
server.groupname = my-groupname
# IP address or hostname to listen on.
server.bind = my-host
server.port = my-plain-http-port
$SERVER["socket"] == my-host + ":" + my-ssl-client-validation-port {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    # Expose the client certificate (SSL_CLIENT_CERT) and use its CN as REMOTE_USER.
    ssl.verifyclient.exportcert = "enable"
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
    proxy.server = ("" => (("host" => my-backend-host,
                            "port" => my-backend-plain-http-port)))
    # Server certificate.
    ssl.pemfile = my-ssl-server-certificate-key
    # Verify client's certificate.
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce = "enable"
    ssl.verifyclient.depth = my-verifyclient-depth
    ssl.ca-file = my-ca-certificate
}
# config-variables.conf
var.my-host = "localhost"
var.my-ssl-client-validation-port = "17443"
var.my-plain-http-port = "18080"
var.my-backend-host = "localhost"
var.my-backend-plain-http-port = "28080"
var.my-dummy-document-root = "./"
var.my-username = "dsuch"
var.my-groupname = "dsuch"
var.my-ssl-server-certificate-key = "server-pair.pem"
var.my-ca-certificate = "./ca-chain.pem"
var.my-verifyclient-depth = "3"
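As an added example (not part of the original post or of lighttpd), here is a small Python audit of the two-file layout above: it resolves the var.* references the way lighttpd's config concatenation does, then checks the client-validation socket for the settings the post relies on and for one caveat the post's own values trigger: with server.document-root = "./" and a relative ssl.pemfile, the key pair lives inside the directory the plain HTTP listener serves as static files. The embedded config text is a constructed, trimmed copy of the two files; the parser handles only the subset of lighttpd syntax they use.

```python
import os, re
# Constructed sample: the post's two config files, trimmed to the lines audited here.
VARS_CONF = '''
var.my-host = "localhost"
var.my-ssl-client-validation-port = "17443"
var.my-ssl-server-certificate-key = "server-pair.pem"
'''
MAIN_CONF = '''
server.document-root = "./"
$SERVER["socket"] == my-host + ":" + my-ssl-client-validation-port {
ssl.engine = "enable"
ssl.pemfile = my-ssl-server-certificate-key
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
ssl.ca-file = "./ca-chain.pem"
}
'''
# Settings the client-validation socket must carry for client certs to be enforced.
ENABLED = ("ssl.engine", "ssl.verifyclient.activate", "ssl.verifyclient.enforce")
def resolve(expr, variables):
    """Evaluate a lighttpd value: quoted literals and var names joined by '+'."""
    toks = [t.strip() for t in expr.split("+")]
    return "".join(t[1:-1] if t.startswith('"') else variables[t] for t in toks)

def parse_main(text, variables):
    """Return (global settings, {"host:port": socket-block settings}), resolved."""
    glob, blocks, cur = {}, {}, None
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        if m := re.match(r'\$SERVER\["socket"\]\s*==\s*(.+?)\s*\{$', line):
            blocks[(cur := resolve(m.group(1), variables))] = {}
        elif line == "}":
            cur = None
        else:
            key, _, val = line.partition("=")
            (blocks[cur] if cur else glob)[key.strip()] = resolve(val.strip(), variables)
    return glob, blocks

def audit(main_text=MAIN_CONF, vars_text=VARS_CONF):
    """Return findings per TLS socket; [] means the block matches the post's intent."""
    variables = dict(re.findall(r'^\s*var\.([\w-]+)\s*=\s*"([^"]*)"', vars_text, re.M))
    glob, blocks = parse_main(main_text, variables)
    findings, docroot = [], os.path.abspath(glob["server.document-root"])  # "./" = cwd
    for sock, s in blocks.items():
        findings += [f"{sock}: {k} should be 'enable', is {s.get(k)!r}"
                     for k in ENABLED if s.get(k) != "enable"]
        if not s.get("ssl.ca-file"):
            findings.append(f"{sock}: ssl.ca-file missing, client certs cannot be verified")
        if os.path.commonpath([docroot, os.path.abspath(s.get("ssl.pemfile", "/"))]) == docroot:
            findings.append(f"{sock}: ssl.pemfile sits inside server.document-root")
    return findings
```

Run against the sample as written, audit() reports only the pemfile-under-document-root finding; flipping ssl.verifyclient.enforce to "disable" or blanking ssl.ca-file adds the corresponding finding.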

