====== Information ======
  * freenginx ((https://freenginx.org/en/))
  * PHP ((https://www.php.net/))
  * PHP-FPM
  * [[Information:Realm of Espionage]]

===== Prerequisites =====
  * [[bsd:server:freebsd_16.0|FreeBSD 16.0]]

====== Dependencies ======
<code bash>
su -
pkg install freenginx-devel php85
</code>

====== Verify Install ======
<code bash>
nginx -v
php -m
</code>

====== Firewall ======
  * TODO

====== Services ======
===== Enable =====
<code bash>
su -
sysrc nginx_enable="YES"
sysrc php_fpm_enable="YES"
</code>

===== Start =====
<code bash>
su -
service 'nginx' start
service 'php_fpm' start
</code>

===== Stop =====
<code bash>
su -
service 'nginx' stop
service 'php_fpm' stop
</code>

====== Disable Defaults ======
  * The packaged configs are removed so that only the files written below are in effect; the package copies stay behind as ''nginx.conf-dist'' and ''www.conf.default'' for reference
  * PHP-FPM refuses to start without at least one pool, so it stays down until a replacement for ''www.conf'' is written

===== freenginx =====
<code bash>
su -
rm -fv '/usr/local/etc/freenginx/nginx.conf'
</code>

===== PHP-FPM =====
<code bash>
su -
rm -fv '/usr/local/etc/php-fpm.d/www.conf'
</code>

===== Check Defaults =====
==== nginx ====
<code bash>
ee '/usr/local/etc/freenginx/nginx.conf-dist'
</code>

==== PHP ====
  * TODO: Other paths
  * FreeBSD ships ''php.ini-development'' and ''php.ini-production'' next to ''php.ini'' under ''/usr/local/etc''; a single ''php.ini'' serves both FPM and the CLI
<code bash>
ee '/usr/local/etc/php-fpm.d/www.conf.default'
ee '/usr/local/etc/php-fpm.conf'
ee '/usr/local/etc/php.conf'
ee '/usr/local/etc/php.ini'
</code>

====== nginx Settings ======
===== Notes =====
  * ''conf.d'' contains **server-wide** modular configuration files (included once, in the ''http'' context)
  * ''default.d'' contains **site-specific** modular configuration files (included from inside each ''server'' block that wants them)
  * ''vhosts.d'' contains enabled websites
  * ''add_header'' directives are inherited from the enclosing level only when the current level has none of its own, so a ''location'' block that adds even one header must include ''default.d/headers.conf'' again or it silently loses every shared header

===== Folders =====
  * Directories need the execute bit to be traversed, so the mode is ''0755''; ''0644'' would leave the include directories unreadable to nginx
<code bash>
su -
mkdir -p -m '0755' '/usr/local/etc/freenginx/conf.d' '/usr/local/etc/freenginx/default.d' '/usr/local/etc/freenginx/vhosts.d'
</code>

===== HTTPS Redirect =====
  * This automatically redirects non-HTTPS site links to HTTPS
<code bash>
su -
ee '/usr/local/etc/freenginx/conf.d/http-redirect.conf'
</code>
<code nginx>
server {
	listen '80' 'default_server';
	listen '[::]:80' 'default_server';
	return '301' 'https://$host$request_uri';
}
# End
</code>

===== Non-existent 404 =====
  * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
  * Without a ''default_server'' on 443, nginx would answer an unmatched ''Host'' from the first ''server'' block it happens to load
<code bash>
su -
ee '/usr/local/etc/freenginx/conf.d/non-existent.conf'
</code>
<code nginx>
server {
	listen '443' 'ssl' 'default_server';
	http2 'on';
	server_name '_';
	return '404';
}
# End
</code>

===== Headers =====
  * ''X-XSS-Protection'' is set to ''0'': the browser XSS auditors it controlled have been removed, and ''1; mode=block'' caused cross-site information leaks in the browsers that still honoured it
  * ''Expect-CT'' is obsolete now that Certificate Transparency is enforced by browsers; ''max-age=0'' is harmless and can be dropped
  * ''Cache-Control: public'' is appended to every response from the site, PHP output included, even when PHP sends its own ''Cache-Control''; keep it out of (or override it in) any ''location'' that serves per-user content, or a shared cache may hand one user's page to another
  * HSTS with ''preload'' is a commitment: once the domain is on the preload list, every subdomain must serve valid HTTPS for the full two years
<code bash>
su -
ee '/usr/local/etc/freenginx/default.d/headers.conf'
</code>
<code nginx>
add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubDomains; preload' 'always';
add_header 'X-Content-Type-Options' 'nosniff' 'always';
add_header 'X-Frame-Options' 'sameorigin' 'always';
add_header 'X-XSS-Protection' '0' 'always';
add_header 'Cache-Control' 'max-age=604800, no-transform, public' 'always';
add_header 'Referrer-Policy' 'same-origin' 'always';
add_header 'Expect-CT' 'max-age=0' 'always';
add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always';
# End
</code>

===== nginx =====
  * ''access_log off'' is the documented way to disable access logging (it replaces the earlier ''/dev/null''); note that it also removes the request trail needed for incident response, so log to a file instead if the site handles anything worth auditing
  * ''gzip_types *'' compresses every response, including already-compressed images and archives; compressing dynamic pages that mix secrets (session or CSRF tokens) with attacker-supplied input also exposes them to BREACH, so restrict it to text types once a PHP application is deployed
  * ''server_tokens off'' is not set, so error pages and the ''Server'' header advertise the exact version
<code bash>
su -
ee '/usr/local/etc/freenginx/nginx.conf'
</code>
<code nginx>
worker_processes '1';
#error_log '/var/log/nginx/error.log';

events {
	multi_accept 'on';
	worker_connections '1024';
}

http {
	# Logging
	#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	#                '$status $body_bytes_sent "$http_referer" '
	#                '"$http_user_agent" "$http_x_forwarded_for"';
	#access_log logs/access.log main;
	access_log 'off';

	# Includes
	include '/usr/local/etc/freenginx/conf.d/*.conf';
	include '/usr/local/etc/freenginx/vhosts.d/*.conf';
	include '/usr/local/etc/freenginx/mime.types';
	default_type 'application/octet-stream';

	# Config
	sendfile 'on';
	tcp_nopush 'on';
	tcp_nodelay 'on';
	keepalive_timeout '65';
	types_hash_max_size '4096';

	# gzip
	gzip 'on';
	gzip_vary 'on';
	gzip_proxied 'any';
	gzip_comp_level '9';
	gzip_types '*';
}
# End
</code>

====== SSL Certs ======
===== Let's Encrypt =====
  * See [[servers:bsd:nginx:lets_encrypt|Let's Encrypt/Certbot]] for further set-up
  * ''ssl_trusted_certificate'' is only consulted for OCSP stapling and client-certificate verification, neither of which is enabled here
  * ''ssl_ciphers'' only governs TLS 1.2; the TLS 1.3 suites come from the OpenSSL default and are not affected by it. The list also excludes ChaCha20-Poly1305, which mobile clients without AES hardware prefer
  * ''ssl_ecdh_curve secp384r1'' pins a single group; TLS 1.3 clients send an X25519 key share first, so every new connection pays an extra HelloRetryRequest round trip. ''X25519:secp384r1'' avoids that without weakening anything
<code bash>
su -
ee '/usr/local/etc/freenginx/conf.d/ssl.conf'
</code>
<code nginx>
ssl_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_trusted_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';

ssl_session_timeout '10m';
ssl_session_cache 'shared:SSL:10m';
ssl_session_tickets 'off';
ssl_buffer_size '4k';
ssl_protocols 'TLSv1.2' 'TLSv1.3';
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers 'on';
ssl_ecdh_curve 'secp384r1';
# End
</code>

====== Resources ======
  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
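====== Example Site ======
Putting the pieces above together, as an added example that is not part of the original page: a ''vhosts.d'' file that serves one PHP site through PHP-FPM on top of the ''conf.d'' and ''default.d'' files written earlier. The host name ''example.realmofespionage.xyz'', the document root ''/usr/local/www/example'' and the file name ''example.conf'' are assumptions, and ''127.0.0.1:9000'' is assumed to be the pool listener (it is the address the stock ''www.conf.default'' listens on); replace them with the real values. The certificate comes from ''conf.d/ssl.conf'', which is already in the ''http'' context, so the ''server'' block needs no ''ssl_'' directives of its own. The ''try_files'' line in the PHP location makes nginx return 404 unless the requested ''.php'' path exists on disk, which is what stops a request such as ''/uploads/photo.jpg/x.php'' from being executed by PHP-FPM when ''cgi.fix_pathinfo'' is left at its default.

```nginx
# /usr/local/etc/freenginx/vhosts.d/example.conf (assumed file name)
server {
	listen '443' 'ssl';
	listen '[::]:443' 'ssl';
	http2 'on';
	server_name 'example.realmofespionage.xyz';   # assumed host name

	root '/usr/local/www/example';                 # assumed document root
	index 'index.php' 'index.html';

	# Per-site headers from default.d; inherited by every location below
	# that does not declare an add_header of its own
	include '/usr/local/etc/freenginx/default.d/headers.conf';

	# Never serve dotfiles (.git, .htaccess, .env) from the document root
	location ~ /\. {
		return '404';
	}

	location / {
		try_files $uri $uri/ '=404';
	}

	location ~ \.php$ {
		# Refuse paths that do not map to a real file before touching PHP-FPM
		try_files $uri '=404';

		# No add_header here on purpose: a single add_header in this block
		# would drop every header from headers.conf unless it were re-included

		include '/usr/local/etc/freenginx/fastcgi_params';   # shipped with the package
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param HTTP_PROXY '';                         # httpoxy: never forward a client Proxy header
		fastcgi_pass '127.0.0.1:9000';                       # assumed pool listener
	}
}
# End
```

Check the result with ''nginx -t'' before ''service 'nginx' reload'', and confirm from outside with ''curl -sI https://example.realmofespionage.xyz/'' that every header from ''headers.conf'' is present on both a static file and a PHP page; a missing set on the PHP page is the ''add_header'' inheritance rule at work. If the application serves per-user pages, move the ''Cache-Control'' line out of ''headers.conf'' into a static-assets location, because nginx appends it to PHP responses as well.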