====== Information ======
* nginx
* PHP
* PHP-FPM
* [[information:realm_of_espionage|Realm of Espionage]]
===== Prerequisites =====
* [[linux:distros:server:ubuntu_server|Ubuntu Server]]
====== Dependencies ======
****
sudo apt install git nginx-light php-fpm
====== Information ======
nginx -v
php -m
====== Firewall ======
* [[linux:notes:ufw_uncomplicated_firewall|ufw Notes]]
* TODO: ''QUIC''
sudo ufw allow 'Nginx HTTP'
sudo ufw allow 'Nginx HTTPS'
===== Disable IPv6 =====
sudo ufw status numbered
sudo ufw delete '5'
sudo ufw delete '4'
====== Services ======
sudo systemctl enable 'nginx' 'php8.4-fpm'
sudo systemctl stop 'nginx' 'php8.4-fpm'
===== Start =====
sudo systemctl start 'nginx'
sudo systemctl start 'php8.4-fpm'
====== Disable Defaults ======
===== nginx =====
sudo rm '/etc/nginx/sites-enabled/default'
sudo mv '/etc/nginx/modules-enabled/50-mod-http-echo.conf' '/etc/nginx/modules-available/50-mod-http-echo.conf'
sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'
===== PHP-FPM =====
* :!: Run after [[servers:linux:nginx:dokuwiki#dependencies|first website set-up]] ((breaks ''apt-get'' PHP module install when ''dpkg'' restarts the FPM service; no existing conf causes daemon to fail to restart))
sudo mv '/etc/php/8.4/fpm/pool.d/www.conf' '/etc/php/8.4/fpm/pool.d/www.conf~'
===== Check Defaults =====
==== nginx ====
nano '/etc/nginx/sites-available/default'
nano '/etc/nginx/nginx.conf~'
==== PHP ====
* ''php.ini'' is in both ''fpm'' and ''cli'' folders
nano '/etc/php/8.4/fpm/pool.d/www.conf~'
nano '/etc/php/8.4/fpm/php-fpm.conf'
nano '/etc/php/8.4/fpm/php.ini'
nano '/etc/php/8.4/cli/php.ini'
====== nginx Settings ======
===== HTTPS Redirect =====
* This automatically redirects non-HTTPS site links to HTTPS
sudo -e '/etc/nginx/conf.d/http-redirect.conf'
server {
listen '80' 'default_server';
listen '[::]:80' 'default_server';
return '301' 'https://$host$request_uri';
}
# End
===== Non-existent 404 =====
* This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
sudo -e '/etc/nginx/conf.d/non-existent.conf'
server {
listen '443' 'ssl' 'default_server';
http2 'on';
server_name '_';
return '404';
}
# End
===== Headers =====
* Add to individual site configs as an ''include''
sudo -e '/etc/nginx/snippets/headers.conf'
add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always';
add_header 'X-Content-Type-Options' 'nosniff' 'always';
add_header 'X-Frame-Options' 'sameorigin' 'always';
add_header 'X-XSS-Protection' '1; mode=block' 'always';
add_header 'Cache-Control' 'no-store, no-transform, public' 'always';
add_header 'Referrer-Policy' 'same-origin' 'always';
add_header 'Expect-CT' 'max-age=0' 'always';
add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always';
# End
===== nginx =====
sudo -e '/etc/nginx/nginx.conf' && sudo nginx -t
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
events {
multi_accept 'on';
worker_connections '1024';
}
#error_log '/var/log/nginx/error.log';
http {
# Logging
access_log '/dev/null';
# access_log '/var/log/nginx/access.log';
# Includes
include '/etc/nginx/conf.d/*.conf';
include '/etc/nginx/sites-enabled/*.conf';
include '/etc/nginx/mime.types';
default_type 'application/octet-stream';
# Config
sendfile 'on';
tcp_nopush 'on';
tcp_nodelay 'on';
keepalive_timeout '65';
types_hash_max_size '4096';
# gzip
gzip 'on';
gzip_vary 'on';
gzip_proxied 'any';
gzip_comp_level '9';
gzip_types '*';
}
# End
==== CSP Headers ====
* The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)
add_header Content-Security-Policy "default-src 'self'" always;
add_header Content-Security-Policy "" always;
====== SSL Certs ======
===== Let's Encrypt =====
* See [[servers;linux;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up
sudo -e '/etc/nginx/conf.d/ssl.conf'
ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
ssl_session_timeout '10m';
ssl_session_cache 'shared:SSL:10m';
ssl_session_tickets 'off';
ssl_buffer_size '4k';
ssl_protocols 'TLSv1.2' 'TLSv1.3';
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers 'on';
ssl_ecdh_curve 'secp384r1';
# End
====== TODOs ======
===== Resources =====
* https://nginx.org/en/docs/windows.html
* https://gist.github.com/odan/b5f7de8dfbdbf76bef089776c868fea1
* https://certbot.eff.org/instructions?ws=other&os=pip
* https://community.letsencrypt.org/t/using-certbot-in-windows-the-pragmatic-way/173929
* https://www.php.net/manual/en/image.installation.php
* [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
==== Old ====
* [[https://cipherli.st/|Cipherli.st]]
* [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]]
* [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]]
* https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9
* https://infosec.mozilla.org
* https://gist.github.com/plentz/6737338
* https://scotthelme.co.uk
* https://mozilla.github.io/server-side-tls/ssl-config-generator
* [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
* https://fedoraproject.org/wiki/Nginx