====== Information ======
* nginx
* PHP
* PHP-FPM
* [[Information:Realm of Espionage]]
===== Prerequisites =====
* [[linux:distros:server:opensuse_tumbleweed_server|openSUSE Tumbleweed (Server)]]
===== Resources =====
* [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
* https://fedoraproject.org/wiki/Nginx
==== Old ====
* [[https://cipherli.st/|Cipherli.st]]
* [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]]
* [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]]
* https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9
* https://infosec.mozilla.org
* https://gist.github.com/plentz/6737338
* https://scotthelme.co.uk
* https://mozilla.github.io/server-side-tls/ssl-config-generator
====== Dependencies ======
****
sudo zypper install git-core nginx php8-cli php8-fpm php8-opcache
====== Information ======
nginx -v
php -m
====== Firewall ======
****
sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload
====== SELinux ======
===== php-fpm =====
* 2025/04/25
sudo setsebool -P 'httpd_execmem' '1'
===== DokuWiki =====
* [[servers:linux:nginx:dokuwiki]]
* 2025/04/25
sudo setsebool -P 'httpd_can_network_connect' '1'
===== Other =====
sudo setsebool -P 'httpd_graceful_shutdown' '1'
sudo setsebool -P 'nis_enabled' '1'
sudo setsebool -P 'httpd_can_network_relay' '1'
===== Global restorecon =====
****
sudo restorecon -F -I -R '/etc/nginx' '/etc/php8/fpm/php-fpm.d' '/srv/www'
====== Services ======
===== Enable =====
****
sudo systemctl enable 'nginx' 'php-fpm' --now
====== Config Defaults ======
===== php-fpm Default Pool =====
sudo mv '/etc/php8/fpm/php-fpm.d/www.conf' '/etc/php8/fpm/php-fpm.d/www.conf~'
nano '/etc/php8/fpm/php-fpm.d/www.conf~'
===== nginx.conf =====
sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'
nano '/etc/nginx/nginx.conf~'
===== php.ini =====
nano '/etc/php8/cli/php.ini'
====== nginx Settings ======
===== Notes =====
* ''conf.d'' contains **server-wide** modular configuration files
* ''default.d'' contains **site-specific** modular configuration files
* ''vhosts.d'' contains enabled websites ((this folder needs created))
===== Defaults =====
==== vhosts.d ====
****
sudo mkdir -p '/etc/nginx/vhosts.d'
===== HTTPS Redirect =====
* This automatically redirects non-HTTPS site links to HTTPS
sudo -e '/etc/nginx/conf.d/http-redirect.conf'
# nginx/conf.d/http-redirect.conf
server {
listen '80' 'default_server';
listen '[::]:80' 'default_server';
return '301' 'https://$host$request_uri';
}
# End
===== Non-existent 404 =====
* This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
sudo -e '/etc/nginx/conf.d/non-existent.conf'
# nginx/conf.d/non-existent.conf
server {
listen '443' 'ssl' default_server;
http2 'on';
server_name '_';
return '404';
}
# End
===== Headers =====
* Add to individual site configs as an ''include''
sudo -e '/etc/nginx/default.d/headers.conf'
# nginx/default.d/headers.conf
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Cache-Control "no-store, no-transform, public" always;
add_header Referrer-Policy "same-origin" always;
add_header Expect-CT "max-age=0" always;
add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;
# End
===== nginx =====
sudo -e '/etc/nginx/nginx.conf'
# nginx/nginx.conf
events {
multi_accept 'on';
worker_connections '1024';
}
#error_log /var/log/nginx/error.log;
http {
# Logging
#log_format main '$time_local - $http_host - $remote_addr - $status "$request" $body_bytes_sent - $http_referer - "$http_user_agent"';
#access_log '/var/log/nginx/access.log main';
# Includes
include '/etc/nginx/conf.d/*.conf';
include '/etc/nginx/vhosts.d/*.conf';
include '/etc/nginx/mime.types';
default_type 'application/octet-stream';
# Config
sendfile 'on';
tcp_nopush 'on';
tcp_nodelay 'on';
keepalive_timeout '65';
types_hash_max_size '4096';
# gzip
gzip 'on';
gzip_vary 'on';
gzip_proxied 'any';
gzip_comp_level '9';
gzip_types '*';
}
# End
==== CSP Headers ====
* The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)
add_header Content-Security-Policy "default-src 'self'" always;
add_header Content-Security-Policy "" always;
====== SSL Certs ======
===== Let's Encrypt =====
* See [[servers;linux;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up
sudo -e '/etc/nginx/conf.d/ssl.conf'
# nginx/conf.d/ssl.conf
ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
ssl_session_timeout '10m';
ssl_session_cache 'shared:SSL:10m';
ssl_session_tickets 'off';
ssl_buffer_size '4k';
ssl_protocols 'TLSv1.2' 'TLSv1.3';
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers 'on';
ssl_ecdh_curve 'secp384r1';
ssl_stapling 'on';
ssl_stapling_verify 'on';
# End