====== Information ======

  * nginx ((https://nginx.org/en))
  * PHP
  * PHP-FPM
  * [[Information:Realm of Espionage]]

===== Prerequisites =====

  * [[distros:fedora_server|Fedora Server]]

===== Resources =====

  * [[https://cipherli.st/|Cipherli.st]]
  * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]]
  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
  * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]]
  * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9
  * https://infosec.mozilla.org
  * https://gist.github.com/plentz/6737338
  * https://scotthelme.co.uk
  * https://mozilla.github.io/server-side-tls/ssl-config-generator

====== Dependencies ======

****

  sudo dnf install git nginx php-fpm php-cli

===== PHP Extensions =====

==== Verify Modules ====

****

  php -m

====== Firewall ======

  * 80/tcp is HTTP
  * 443/tcp is HTTPS

  sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload

====== SELinux ======

===== DokuWiki =====

  * 2023/09/12

  sudo setsebool -P 'httpd_graceful_shutdown' '1'

  sudo setsebool -P 'nis_enabled' '1'

  sudo setsebool -P 'httpd_can_network_connect' '1'

  sudo setsebool -P 'httpd_can_network_relay' '1'

====== Services ======

===== Enable =====

****

  sudo systemctl enable 'nginx' 'php-fpm' --now

====== Permissions ======

****

  sudo chown --recursive 'nginx':'nginx' '/var/lib/php/opcache' '/var/lib/php/session' '/var/lib/php/wsdlcache' '/var/lib/php/peclxml'

====== Config Defaults ======

===== Backup =====

  sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'

  sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'

  sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~'

  sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'

===== View =====

  nano '/etc/nginx/default.d/php.conf~'

  nano '/etc/nginx/conf.d/php-fpm.conf~'

  nano '/etc/php-fpm.d/www.conf~'

  nano '/etc/nginx/nginx.conf~'

  nano '/etc/php.ini'

====== nginx Settings ======

===== Notes =====

  * ''conf.d'' contains **server-wide** modular configuration files
  * ''default.d'' contains **site-specific** modular configuration files
  * ''vhosts.d'' contains enabled websites ((this folder needs created))

===== Defaults =====

==== vhosts.d ====

****

  sudo mkdir -p '/etc/nginx/vhosts.d'

===== HTTPS Redirect =====

  * This automatically redirects non-HTTPS site links to HTTPS

  sudo -e '/etc/nginx/conf.d/http-redirect.conf'

<code>
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    return 301 https://$host$request_uri;
}</code>

===== Non-existent 404 =====

  * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))

  sudo -e '/etc/nginx/conf.d/non-existent.conf'

<code>
server {
    listen '443' 'ssl' 'http2' default_server;
    server_name '_';

    return '404';
}</code>

===== Headers =====

  * Last updated: 2024/02/07
  * Add to individual site configs as an ''include''

  sudo -e '/etc/nginx/default.d/headers.conf'

<code>
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Cache-Control "no-store, no-transform, public" always;
add_header Referrer-Policy "same-origin" always;
add_header Expect-CT "max-age=0" always;
add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;</code>

===== nginx =====

  * :!: Last updated: 2023/09/12

  sudo -e '/etc/nginx/nginx.conf'

<code>
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {

    # Logging
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    # Includes
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/vhosts.d/*.conf;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Config
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_types *;
}

# End</code>

==== CSP Headers ====

  * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)

<code>    add_header Content-Security-Policy "default-src 'self'" always;</code>

<code>    add_header Content-Security-Policy "" always;</code>

====== SSL Certs ======

===== Let's Encrypt =====

  * See [[Servers:nginx:Lets Encrypt]] for further set-up

==== Settings ====

  sudo -e '/etc/nginx/conf.d/ssl.conf'

<code>
ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';

ssl_session_timeout '10m';
ssl_session_cache 'shared:SSL:10m';
ssl_session_tickets 'off';
ssl_buffer_size '4k';

ssl_protocols 'TLSv1.3';
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers 'on';
ssl_ecdh_curve 'secp384r1';

ssl_stapling 'on';
ssl_stapling_verify 'on';
resolver '127.0.0.1' '9.9.9.9' '149.112.112.112' '[::1]' '[2620:fe::fe]' '[2620:fe::9]' 'valid=300s';
resolver_timeout '5s';

# End</code>

===== Self-signed =====

  * :!: This likely needs refactored

==== Generate Certs ====

****

  sudo openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key && sudo openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730

==== Settings ====

  sudo -e '/etc/nginx/conf.d/ssl.conf'

  ssl_certificate '/etc/ssl/certs/nginx.crt';
  ssl_certificate_key '/etc/ssl/certs/nginx.key';
  
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  
  ssl_protocols TLSv1.3;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp384r1;