From c2f9f58813d4bba92be85395a18e03e74c678b61 Mon Sep 17 00:00:00 2001 From: Pavel Raiskup Date: Sun, 10 Jan 2021 21:35:25 +0100 Subject: [PATCH] copr-backend: unify dev/prod lighttpd configuration By syncing the devel instance with production (not vice versa). The exception is that I've dropped the trailing white-spaces in production config. --- inventory/group_vars/copr_back | 2 - inventory/group_vars/copr_back_aws | 2 - inventory/group_vars/copr_back_dev | 2 - inventory/group_vars/copr_back_dev_aws | 2 - inventory/group_vars/copr_back_stg | 2 - roles/copr/backend/tasks/main.yml | 2 +- .../backend/templates/lighttpd/lighttpd.conf | 64 ++- .../templates/lighttpd/lighttpd_dev.conf | 526 ------------------ 8 files changed, 51 insertions(+), 551 deletions(-) delete mode 100644 roles/copr/backend/templates/lighttpd/lighttpd_dev.conf diff --git a/inventory/group_vars/copr_back b/inventory/group_vars/copr_back index 4fd828cb96..a80f7146b4 100644 --- a/inventory/group_vars/copr_back +++ b/inventory/group_vars/copr_back @@ -1,6 +1,4 @@ --- -_lighttpd_conf_src: "lighttpd/lighttpd.conf" - copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0" copr_nova_tenant_id: "5d99f099b7fe4b0387f0352f6301ba6a" copr_nova_tenant_name: "copr" diff --git a/inventory/group_vars/copr_back_aws b/inventory/group_vars/copr_back_aws index e4e79f684a..81082f71bc 100644 --- a/inventory/group_vars/copr_back_aws +++ b/inventory/group_vars/copr_back_aws @@ -1,8 +1,6 @@ --- description: copr dispatcher and repo server -_lighttpd_conf_src: "lighttpd/lighttpd.conf" - copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0" copr_nova_tenant_id: "5d99f099b7fe4b0387f0352f6301ba6a" copr_nova_tenant_name: "copr" diff --git a/inventory/group_vars/copr_back_dev b/inventory/group_vars/copr_back_dev index 23281588be..dfc809148f 100644 --- a/inventory/group_vars/copr_back_dev +++ b/inventory/group_vars/copr_back_dev 
@@ -1,6 +1,4 @@ --- -_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf" - copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0" copr_nova_tenant_id: "a6ff2158641c439a8426d7facab45437" copr_nova_tenant_name: "coprdev" diff --git a/inventory/group_vars/copr_back_dev_aws b/inventory/group_vars/copr_back_dev_aws index e5d464d7db..2c4e021056 100644 --- a/inventory/group_vars/copr_back_dev_aws +++ b/inventory/group_vars/copr_back_dev_aws @@ -1,8 +1,6 @@ --- description: copr dispatcher and repo server - dev instance -_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf" - copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0" copr_nova_tenant_id: "a6ff2158641c439a8426d7facab45437" copr_nova_tenant_name: "coprdev" diff --git a/inventory/group_vars/copr_back_stg b/inventory/group_vars/copr_back_stg index bbe08dfdaa..2ae271477a 100644 --- a/inventory/group_vars/copr_back_stg +++ b/inventory/group_vars/copr_back_stg @@ -1,8 +1,6 @@ --- resolvconf: "resolv.conf/cloud" -_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf" - copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0" copr_nova_tenant_id: "a6ff2158641c439a8426d7facab45437" copr_nova_tenant_name: "coprdev" diff --git a/roles/copr/backend/tasks/main.yml b/roles/copr/backend/tasks/main.yml index 5a0155cdb9..961ec6084f 100644 --- a/roles/copr/backend/tasks/main.yml +++ b/roles/copr/backend/tasks/main.yml @@ -108,7 +108,7 @@ - config - name: add config for copr-repo path - template: src="{{ _lighttpd_conf_src }}" dest=/etc/lighttpd/lighttpd.conf owner=root group=root mode=0644 + template: src="lighttpd/lighttpd.conf" dest=/etc/lighttpd/lighttpd.conf owner=root group=root mode=0644 notify: - restart lighttpd tags: diff --git a/roles/copr/backend/templates/lighttpd/lighttpd.conf b/roles/copr/backend/templates/lighttpd/lighttpd.conf index 75a6861ded..8962935ca3 100644 --- a/roles/copr/backend/templates/lighttpd/lighttpd.conf +++ b/roles/copr/backend/templates/lighttpd/lighttpd.conf 
@@ -19,16 +19,16 @@ var.state_dir = "/var/run" var.home_dir = "/var/lib/lighttpd" var.conf_dir = "/etc/lighttpd" -## +## ## run the server chrooted. -## +## ## This requires root permissions during startup. ## ## If you run Chrooted set the the variables to directories relative to ## the chroot dir. ## ## example chroot configuration: -## +## #var.log_root = "/logs" #var.server_root = "/" #var.state_dir = "/run" @@ -82,7 +82,9 @@ server.modules = ( "mod_redirect", "mod_rewrite", "mod_indexfile", - "mod_cgi" + "mod_cgi"{% if devel %}, + "mod_openssl" +{% endif %} ) cgi.assign = ( ".pl" => "/usr/bin/perl", @@ -114,12 +116,12 @@ server.use-ipv6 = "disable" ## ## Run as a different username/groupname. -## This requires root permissions during startup. +## This requires root permissions during startup. ## server.username = "lighttpd" server.groupname = "lighttpd" -## +## ## enable core files. ## #server.core-files = "disable" @@ -156,14 +158,14 @@ server.pid-file = state_dir + "/lighttpd.pid" server.errorlog = log_root + "/error.log" ## -## If you want to log to syslog you have to unset the +## If you want to log to syslog you have to unset the ## server.errorlog setting and uncomment the next line. ## #server.errorlog-use-syslog = "enable" ## ## Access log config -## +## include "conf.d/access_log.conf" ## @@ -198,7 +200,7 @@ server.event-handler = "linux-sysepoll" ## ## The basic network interface for all platforms at the syscalls read() ## and write(). Every modern OS provides its own syscall to help network -## servers transfer files as fast as possible +## servers transfer files as fast as possible ## ## linux-sendfile - is recommended for small files. ## writev - is recommended for sending many large files @@ -243,7 +245,7 @@ server.max-connections = 1024 ## ## How many seconds to keep a keep-alive connection open, -## until we consider it idle. +## until we consider it idle. ## ## Default: 5 ## 
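Review bot: In the `server.modules` hunk the template starts branching on `devel`, but nothing visible in this patch defines that variable for the five `copr_back*` groups that lose `_lighttpd_conf_src`. Presumably it comes from other inventory vars; that is worth confirming for every group, staging included, since staging previously rendered `lighttpd_dev.conf` and an undefined `devel` would make the template task fail. `mod_openssl` is loaded only in the devel branch, although the production branch further down also sets `ssl.engine = "enable"` on `:443`. Unless production runs a lighttpd build without that module (in which case a comment saying so would help), listing it unconditionally as `"mod_cgi", "mod_openssl"` would remove the branch and the awkward `"mod_cgi"{% if devel %},` line join.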
@@ -279,7 +281,7 @@ server.max-keep-alive-idle = 2 #server.max-write-idle = 360 ## -## Traffic Shaping +## Traffic Shaping ## ----------------- ## ## see /usr/share/doc/lighttpd/traffic-shaping.txt @@ -288,7 +290,7 @@ server.max-keep-alive-idle = 2 ## ## Keep in mind that a limit below 32kB/s might actually limit the ## traffic to 32kB/s. This is caused by the size of the TCP send -## buffer. +## buffer. ## ## per server: ## @@ -376,7 +378,7 @@ include "conf.d/dirlisting.conf" ## ## Should lighttpd follow symlinks? -## +## server.follow-symlink = "enable" ## @@ -396,7 +398,7 @@ server.upload-dirs = ( "/var/tmp" ) ####################################################################### ## ## SSL Support -## ------------- +## ------------- ## ## To enable SSL for the whole server you have to provide a valid ## certificate and have to enable the SSL engine.:: @@ -461,6 +463,8 @@ server.upload-dirs = ( "/var/tmp" ) ## ####################################################################### +{% if not devel %} +# production still uses normal configuration $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/copr.fedorainfracloud.org.pem" 
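Review bot: The `{% if not devel %}` guard added in the `@@ -461,6 +463,8 @@` hunk freezes two TLS policies into one template, and the production one is the weaker. Its `ssl.cipher-list`, visible as context in the following hunk, still offers `RC4-SHA:RC4` and excludes AESGCM, while the devel branch has `!RC4`. Production also gets no `:80` redirect to HTTPS; only the devel branch adds one. The comment `# production still uses normal configuration` would be more useful if it said why the branches differ, for example `# production: static certificate and legacy cipher list; TODO align with the devel TLS settings`. The `$SERVER["socket"]` block that this guard opens continues past the end of the hunk.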
@@ -470,6 +474,38 @@ $SERVER["socket"] == ":443" { ssl.use-sslv3 = "disable" ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" } +{% else %} +# devel runs on letsencrypt + + +# Used for letsencrypt validation +$HTTP["url"] =~ "^/.well-known/" { + dir-listing.activate = "enable" +} + +# Enable HTTPS +$SERVER["socket"] == ":443" { + ssl.engine = "enable" +{% for hostname, _ in letsencrypt.certificates.items() %} + ssl.ca-file = "/etc/letsencrypt/live/{{ hostname }}/chain.pem" + ssl.pemfile = "/etc/letsencrypt/live/{{ hostname }}/combined.pem" +{% endfor %} + ssl.honor-cipher-order = "enable" + # The following is OPTIONAL + ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" + ssl.use-compression = "disable" + ssl.use-sslv2 = "disable" + ssl.use-sslv3 = "disable" +} + + +# Force HTTPS +$SERVER["socket"] == ":80" { + url.redirect = ( + "^/(.*)" => "https://copr-be-dev.cloud.fedoraproject.org/$1" + ) +} +{% endif %} url.redirect = ( "^/results/sgallagh/cockpit-preview/(.+)" => "/results/@cockpit/cockpit-preview/$1" ) diff --git a/roles/copr/backend/templates/lighttpd/lighttpd_dev.conf b/roles/copr/backend/templates/lighttpd/lighttpd_dev.conf deleted file mode 100644 index 1c9c855f58..0000000000 --- a/roles/copr/backend/templates/lighttpd/lighttpd_dev.conf +++ /dev/null 
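Review bot: The `{% for hostname, _ in letsencrypt.certificates.items() %}` loop inside the devel `:443` block emits one `ssl.ca-file`/`ssl.pemfile` pair per certificate, so a host with more than one entry in `letsencrypt.certificates` would render repeated directives in a single socket block. lighttpd is likely to reject that or honour only one pair. The `:80` redirect hard-codes `https://copr-be-dev.cloud.fedoraproject.org/$1`, so any other host that renders this branch would send its visitors to the dev machine; taking the name from a per-host variable would avoid that. `dir-listing.activate = "enable"` under `^/.well-known/` is not needed for ACME validation, which fetches challenge files by exact path, and could be dropped. The cipher list marked OPTIONAL also still names `DES-CBC3-SHA` suites ahead of `HIGH`.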
@@ -1,526 +0,0 @@ -####################################################################### -## -## /etc/lighttpd/lighttpd.conf -## -## check /etc/lighttpd/conf.d/*.conf for the configuration of modules. -## -####################################################################### - -####################################################################### -## -## Some Variable definition which will make chrooting easier. -## -## if you add a variable here. Add the corresponding variable in the -## chroot example aswell. -## -var.log_root = "/var/log/lighttpd" -var.server_root = "/var/www" -var.state_dir = "/var/run" -var.home_dir = "/var/lib/lighttpd" -var.conf_dir = "/etc/lighttpd" - -## -## run the server chrooted. -## -## This requires root permissions during startup. -## -## If you run Chrooted set the the variables to directories relative to -## the chroot dir. -## -## example chroot configuration: -## -#var.log_root = "/logs" -#var.server_root = "/" -#var.state_dir = "/run" -#var.home_dir = "/lib/lighttpd" -#var.vhosts_dir = "/vhosts" -#var.conf_dir = "/etc" -# -#server.chroot = "/srv/www" - -## -## Some additional variables to make the configuration easier -## - -## -## Base directory for all virtual hosts -## -## used in: -## conf.d/evhost.conf -## conf.d/simple_vhost.conf -## vhosts.d/vhosts.template -## -var.vhosts_dir = server_root + "/vhosts" - -## -## Cache for mod_compress -## -## used in: -## conf.d/compress.conf -## -var.cache_dir = "/var/cache/lighttpd" - -## -## Base directory for sockets. -## -## used in: -## conf.d/fastcgi.conf -## conf.d/scgi.conf -## -var.socket_dir = home_dir + "/sockets" - -## -####################################################################### - -####################################################################### -## -## Load the modules. 
-#include "modules.conf" -server.modules = ( - "mod_access", - "mod_setenv", - "mod_redirect", - "mod_rewrite", - "mod_indexfile", - "mod_cgi", - "mod_openssl" -) - -cgi.assign = ( ".pl" => "/usr/bin/perl", - ".cgi" => "/usr/bin/perl", - ".rb" => "/usr/bin/ruby", - ".erb" => "/usr/bin/eruby", - ".py" => "/usr/bin/python", - ".php" => "/usr/bin/php-cgi" ) - -## -####################################################################### - -####################################################################### -## -## Basic Configuration -## --------------------- -## -server.port = 80 - -## -## Use IPv6? -## -server.use-ipv6 = "disable" - -## -## bind to a specific IP -## -#server.bind = "localhost" - -## -## Run as a different username/groupname. -## This requires root permissions during startup. -## -server.username = "lighttpd" -server.groupname = "lighttpd" - -## -## enable core files. -## -#server.core-files = "disable" - -## -## Document root -## -server.document-root = "/var/lib/copr/public_html" - -## -## The value for the "Server:" response field. -## -## It would be nice to keep it at "lighttpd". -## -#server.tag = "lighttpd" - -## -## store a pid file -## -server.pid-file = state_dir + "/lighttpd.pid" - -## -####################################################################### - -####################################################################### -## -## Logging Options -## ------------------ -## -## all logging options can be overwritten per vhost. -## -## Path to the error log file -## -server.errorlog = log_root + "/error.log" - -## -## If you want to log to syslog you have to unset the -## server.errorlog setting and uncomment the next line. -## -#server.errorlog-use-syslog = "enable" - -## -## Access log config -## -include "conf.d/access_log.conf" - -## -## The debug options are moved into their own file. -## see conf.d/debug.conf for various options for request debugging. 
-## -include "conf.d/debug.conf" - -## -####################################################################### - -####################################################################### -## -## Tuning/Performance -## -------------------- -## -## corresponding documentation: -## http://www.lighttpd.net/documentation/performance.html -## -## set the event-handler (read the performance section in the manual) -## -## possible options on linux are: -## -## select -## poll -## linux-sysepoll -## -## linux-sysepoll is recommended on kernel 2.6. -## -server.event-handler = "linux-sysepoll" - -## -## The basic network interface for all platforms at the syscalls read() -## and write(). Every modern OS provides its own syscall to help network -## servers transfer files as fast as possible -## -## linux-sendfile - is recommended for small files. -## writev - is recommended for sending many large files -## -server.network-backend = "linux-sendfile" - -## -## As lighttpd is a single-threaded server, its main resource limit is -## the number of file descriptors, which is set to 1024 by default (on -## most systems). -## -## If you are running a high-traffic site you might want to increase this -## limit by setting server.max-fds. -## -## Changing this setting requires root permissions on startup. see -## server.username/server.groupname. -## -## By default lighttpd would not change the operation system default. -## But setting it to 2048 is a better default for busy servers. -## -## With SELinux enabled, this is denied by default and needs to be allowed -## by running the following once : setsebool -P httpd_setrlimit on -#server.max-fds = 2048 - -## -## Stat() call caching. -## -## lighttpd can utilize FAM/Gamin to cache stat call. -## -## possible values are: -## disable, simple or fam. 
-## -server.stat-cache-engine = "simple" - -## -## Fine tuning for the request handling -## -## max-connections == max-fds/2 (maybe /3) -## means the other file handles are used for fastcgi/files -## -server.max-connections = 1024 - -## -## How many seconds to keep a keep-alive connection open, -## until we consider it idle. -## -## Default: 5 -## -#server.max-keep-alive-idle = 5 - -## -## How many keep-alive requests until closing the connection. -## -## Default: 16 -## -#server.max-keep-alive-requests = 16 - -## -## Maximum size of a request in kilobytes. -## By default it is unlimited (0). -## -## Uploads to your server cant be larger than this value. -## -#server.max-request-size = 0 - -## -## Time to read from a socket before we consider it idle. -## -## Default: 60 -## -#server.max-read-idle = 60 - -## -## Time to write to a socket before we consider it idle. -## -## Default: 360 -## -#server.max-write-idle = 360 - -## -## Traffic Shaping -## ----------------- -## -## see /usr/share/doc/lighttpd/traffic-shaping.txt -## -## Values are in kilobyte per second. -## -## Keep in mind that a limit below 32kB/s might actually limit the -## traffic to 32kB/s. This is caused by the size of the TCP send -## buffer. -## -## per server: -## -#server.kbytes-per-second = 128 - -## -## per connection: -## -#connection.kbytes-per-second = 32 - -## -####################################################################### - -####################################################################### -## -## Filename/File handling -## ------------------------ - -## -## files to check for if .../ is requested -## index-file.names = ( "index.php", "index.rb", "index.html", -## "index.htm", "default.htm" ) -## -index-file.names = ( - "/dir-generator.php" -) - -## -## deny access the file-extensions -## -## ~ is for backupfiles from vi, emacs, joe, ... 
-## .inc is often used for code includes which should in general not be part -## of the document-root -url.access-deny = ( "~", ".inc" ) - -## -## disable range requests for pdf files -## workaround for a bug in the Acrobat Reader plugin. -## -$HTTP["url"] =~ "\.pdf$" { - server.range-requests = "disable" -} - -## -## url handling modules (rewrite, redirect) -## -#url.rewrite = ( "^/$" => "/server-status" ) -#url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" ) - -## -## both rewrite/redirect support back reference to regex conditional using %n -## -#$HTTP["host"] =~ "^www\.(.*)" { -# url.redirect = ( "^/(.*)" => "http://%1/$1" ) -#} - -## -## which extensions should not be handle via static-file transfer -## -## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi -## -static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" ) - -## -## error-handler for status 404 -## -#server.error-handler-404 = "/error-handler.html" -#server.error-handler-404 = "/error-handler.php" - -## -## Format: .html -## -> ..../status-404.html for 'File not found' -## -#server.errorfile-prefix = "/srv/www/htdocs/errors/status-" - -## -## mimetype mapping -## -include "conf.d/mime.conf" - -## -## directory listing configuration -## -include "conf.d/dirlisting.conf" - -## -## Should lighttpd follow symlinks? -## -server.follow-symlink = "enable" - -## -## force all filenames to be lowercase? 
-## -#server.force-lowercase-filenames = "disable" - -## -## defaults to /var/tmp as we assume it is a local harddisk -## -server.upload-dirs = ( "/var/tmp" ) - -## -####################################################################### - - -####################################################################### -## -## SSL Support -## ------------- -## -## To enable SSL for the whole server you have to provide a valid -## certificate and have to enable the SSL engine.:: -## -## ssl.engine = "enable" -## ssl.pemfile = "/path/to/server.pem" -## -## The HTTPS protocol does not allow you to use name-based virtual -## hosting with SSL. If you want to run multiple SSL servers with -## one lighttpd instance you must use IP-based virtual hosting: :: -## -## $SERVER["socket"] == "10.0.0.1:443" { -## ssl.engine = "enable" -## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" -## # -## # Mitigate BEAST attack: -## # -## # A stricter base cipher suite. For details see: -## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html -## # -## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" -## # -## # Make the server prefer the order of the server side cipher suite instead of the client suite. -## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). -## # This option is enabled by default, but only used if ssl.cipher-list is set. -## # -## # ssl.honor-cipher-order = "enable" -## # -## # Mitigate CVE-2009-3555 by disabling client triggered renegotation -## # This is enabled by default. 
-## # -## # ssl.disable-client-renegotiation = "enable" -## # -## server.name = "www.example.com" -## -## server.document-root = "/srv/www/vhosts/example.com/www/" -## } -## - -## If you have a .crt and a .key file, cat them together into a -## single PEM file: -## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \ -## > /etc/ssl/private/lighttpd.pem -## -#ssl.pemfile = "/etc/ssl/private/lighttpd.pem" - -## -## optionally pass the CA certificate here. -## -## -#ssl.ca-file = "" - - -# Used for letsencrypt validation -$HTTP["url"] =~ "^/.well-known/" { - dir-listing.activate = "enable" -} - - -# Enable HTTPS -$SERVER["socket"] == ":443" { - ssl.engine = "enable" -{% for hostname, _ in letsencrypt.certificates.items() %} - ssl.ca-file = "/etc/letsencrypt/live/{{ hostname }}/chain.pem" - ssl.pemfile = "/etc/letsencrypt/live/{{ hostname }}/combined.pem" -{% endfor %} - ssl.honor-cipher-order = "enable" - # The following is OPTIONAL - ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" - ssl.use-compression = "disable" - ssl.use-sslv2 = "disable" - ssl.use-sslv3 = "disable" -} - - -# Force HTTPS -$SERVER["socket"] == ":80" { - url.redirect = ( - "^/(.*)" => "https://copr-be-dev.cloud.fedoraproject.org/$1" - ) -} - - -## -####################################################################### - -####################################################################### -## -## custom includes like vhosts. 
-## -#include "conf.d/config.conf" -#include_shell "cat /etc/lighttpd/vhosts.d/*.conf" -## -####################################################################### - -#$SERVER["socket"] == ":443" { -# ssl.engine = "enable" -# ssl.pemfile = "/etc/lighttpd/copr-be.fedoraproject.org.pem" -# ssl.ca-file = "/etc/lighttpd/DigiCertCA.crt" -# ssl.disable-client-renegotiation = "enable" -# ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" -#} - -$HTTP["url"] =~ "\.log\.gz$" { - setenv.add-response-header = ( "Content-Encoding" => "gzip") - mimetype.assign = ("" => "text/plain" ) -} - -# https://pagure.io/copr/copr/issue/762 -$HTTP["url"] =~ "\.log$" { - setenv.add-response-header = ( "Cache-Control" => "no-store") - mimetype.assign = ("" => "text/plain; charset=utf-8" ) -} - -$HTTP["url"] =~ "/repomd.xml" { - setenv.add-response-header = ( "Cache-Control" => "no-cache") -} - -url.redirect = ( - "^/results/(.*)/(.*)/mageia-(.*)-i386(.*)" => "/results/$1/$2/mageia-$3-i586$4", - "^/(.*)/redirect-live.log$" => "/$1/builder-live.log.gz" -) - -url.rewrite-if-not-file = ("^/(.*)/builder-live.log$" => "/$1/redirect-live.log") - -accesslog.filename = "|/usr/sbin/cronolog /var/log/lighttpd/access.log"