====== Information ======
* nginx
* PHP-FPM
* [[Information:Realm of Espionage]]
===== Prerequisites =====
* [[bsd:server:freebsd_14.2|FreeBSD 14.2]]
====== Dependencies ======
su -
pkg install nginx-lite php84
===== PHP Extensions =====
==== Verify Modules ====
****
php -m
====== Services ======
===== Enable =====
su -
sysrc nginx_enable="YES"
sysrc php_fpm_enable="YES"
====== Config Defaults ======
===== Backup =====
su -
mv -v '/usr/local/etc/nginx/nginx.conf' '/usr/local/etc/nginx/nginx.conf~'
mv -v '/usr/local/etc/php-fpm.d/www.conf' '/usr/local/etc/php-fpm.d/www.conf~'
====== nginx Settings ======
===== Defaults =====
su -
mkdir -p '/usr/local/etc/nginx/conf.d' '/usr/local/etc/nginx/default.d' '/usr/local/etc/nginx/vhosts.d'
===== HTTPS Redirect =====
* This automatically redirects non-HTTPS site links to HTTPS
su -
ee '/usr/local/etc/nginx/conf.d/http-redirect.conf'
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host$request_uri;
}
# End
===== Non-existent 404 =====
* This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
* 2025/05/16: ''http2'' disabled due to freshports note about gcc disabled; might need ''nginx-full'' or non-lite too?
su -
ee '/usr/local/etc/nginx/conf.d/non-existent.conf'
server {
listen 443 ssl default_server;
# http2 on;
server_name _;
return 404;
}
# End
===== Headers =====
su -
ee '/usr/local/etc/nginx/default.d/headers.conf'
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Cache-Control "no-store, no-transform, public" always;
add_header Referrer-Policy "same-origin" always;
add_header Expect-CT "max-age=0" always;
add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;
# End
===== nginx =====
su -
ee '/usr/local/etc/nginx/nginx.conf'
worker_processes 1;
#error_log /var/log/nginx/error.log;
events {
worker_connections 1024;
}
http {
# Logging
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
# Includes
include /usr/local/etc/nginx/conf.d/*.conf;
include /usr/local/etc/nginx/vhosts.d/*.conf;
include /usr/local/etc/nginx/mime.types;
default_type application/octet-stream;
# Config
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 9;
gzip_types *;
}
# End
====== SSL Certs ======
===== Let's Encrypt =====
* See [[servers:bsd:nginx:lets_encrypt|Let's Encrypt/Certbot]] for further set-up
su -
ee '/usr/local/etc/nginx/conf.d/ssl.conf'
ssl_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_trusted_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
ssl_session_timeout '10m';
ssl_session_cache 'shared:SSL:10m';
ssl_session_tickets 'off';
ssl_buffer_size '4k';
ssl_protocols 'TLSv1.2' 'TLSv1.3';
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers 'on';
ssl_ecdh_curve 'secp384r1';
# End
====== dos2unix ======
* Useful for restoring files as-is from Windows
su -
pkg install 'dos2unix'
find /usr/local/www/media -type f -print0 | xargs -0 dos2unix --
chown -R 'www':'www' '/usr/local/www'