====== Information ======

  * freenginx ((https://freenginx.org/en/))
  * PHP ((https://windows.php.net/))
  * PHP-CGI
  * [[information;realm_of_espionage|Realm of Espionage]]

===== Prerequisites =====

  * [[windows;10_ltsc_server|Windows 10 (21H2)]]

====== Install ======

===== freenginx =====

  * https://freenginx.org/en/download.html ([[https://freenginx.org/en/CHANGES|CHANGES]])
  * Last tested: ''freenginx-1.29.6.zip''
  * Extract to root system drive for ''C:\freenginx-1.29.6\nginx.exe''

<code>
"%SystemRoot%\explorer.exe" "%SystemDrive%"
</code>

===== PHP-CGI =====

  * https://www.php.net/downloads.php
  * https://www.php.net/pre-release-builds.php
  * x64 Non Thread Safe
  * Last tested: ''php-8.5.5RC1-nts-Win32-vs17-x64.zip''
  * Extract to root system drive for ''C:\php-*\php-cgi.exe''
  * Add to user ''Path''

<code>
"%SystemRoot%\explorer.exe" "%SystemDrive%"
"%SystemRoot%\System32\SystemPropertiesAdvanced.exe"
</code>

<code>
C:\php-8.5.5RC1-nts-Win32-vs17-x64
</code>

====== Firewall ======

<code>
CD "%SystemDrive%\freenginx-"*"\" && "%SystemRoot%\System32\netsh.exe" advfirewall firewall add rule name="nginx" dir="in" action="allow" profile="any" program="%CD%\nginx.exe" protocol="tcp" localport="80,443"
</code>

===== Delete Rule =====

<code>
"%SystemRoot%\System32\netsh.exe" advfirewall firewall delete rule name="nginx"
</code>

====== Check Defaults ======

==== freenginx ====

<code>
CD "%SystemDrive%\freenginx-"*"\conf" && "%SystemRoot%\System32\notepad.exe" "nginx.conf"
</code>

==== PHP ====

<code>
CD "%SystemDrive%\php-"*"-nts-Win32-"*"-x64\" && "%SystemRoot%\System32\notepad.exe" "php.ini-production"
CD "%SystemDrive%\php-"*"-nts-Win32-"*"-x64\" && "%SystemRoot%\System32\notepad.exe" "php.ini-development"
</code>

====== freenginx Settings ======

===== confs =====

<code>
MKDIR "%SystemDrive%\www\nginx\conf" & CD "%SystemDrive%\freenginx-"*"\conf" && COPY /Y "fastcgi_params" "%SystemDrive%\www\nginx\conf\fastcgi_params"
MKDIR "%SystemDrive%\www\nginx\conf" & CD "%SystemDrive%\freenginx-"*"\conf" && COPY /Y "mime.types" "%SystemDrive%\www\nginx\conf\mime.types"
</code>

===== Folders =====

<code>
MKDIR "%SystemDrive%\www\php" "%SystemDrive%\www\nginx\conf.d" "%SystemDrive%\www\nginx\default.d" "%SystemDrive%\www\nginx\vhosts.d"
</code>

===== HTTPS Redirect =====

  * This automatically redirects non-HTTPS site links to HTTPS

<code>
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\nginx\conf.d\http-redirect.conf"
</code>

<code>
server {
    listen "80" "default_server";
    listen "[::]:80" "default_server";
    return "301" "https://$host$request_uri";
}
# End
</code>

===== Non-existent 404 =====

  * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't have a ''vhosts.d\*.conf'', it'll 404))

<code>
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\nginx\conf.d\non-existent.conf"
</code>

<code>
server {
    listen "443" "ssl" "default_server";
    http2 "on";
    server_name "_";
    return "404";
}
# End
</code>

===== Headers =====

  * Add to individual site configs as an ''include''

<code>
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\nginx\default.d\headers.conf"
</code>

<code>
add_header "Strict-Transport-Security" "max-age=63072000; includeSubdomains; preload" "always";
add_header "X-Content-Type-Options" "nosniff" "always";
add_header "X-Frame-Options" "sameorigin" "always";
add_header "X-XSS-Protection" "1; mode=block" "always";
add_header "Cache-Control" "max-age=604800, no-transform, public" "always";
add_header "Referrer-Policy" "same-origin" "always";
add_header "Expect-CT" "max-age=0" "always";
add_header "Permissions-Policy" "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" "always";
# End
</code>

===== nginx =====

<code>
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\nginx\nginx.conf"
</code>

<code>
worker_processes "1";
error_log "logs/error.log" "emerg";

events {
    multi_accept "on";
    worker_connections "1024";
}

http {
    access_log "off";
    include "C:/www/nginx/conf.d/*.conf";
    include "C:/www/nginx/vhosts.d/*.conf";
    include "C:/www/nginx/conf/mime.types";
    default_type "application/octet-stream";
    sendfile "on";
    tcp_nopush "on";
    tcp_nodelay "on";
    keepalive_timeout "65";
    types_hash_max_size "4096";
    server_names_hash_bucket_size "64";
    gzip "on";
    gzip_vary "on";
    gzip_proxied "any";
    gzip_comp_level "9";
    gzip_types "*";
}
# End
</code>

<code>
CD "%SystemDrive%\freenginx-"*"\" && "nginx.exe" -c "%SystemDrive%\www\nginx\nginx.conf" -t
</code>

==== CSP Headers ====

  * Place one of these in each site-specific config underneath the ''include'' line(s). The first restricts all resource loads to the site's own origin; the empty CSP allows everything and is only useful while bringing up a new site

<code>
add_header Content-Security-Policy "default-src 'self'" always;
add_header Content-Security-Policy "" always;
</code>

====== SSL Certs ======

===== Let's Encrypt =====

  * See [[servers;windows;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up

==== Settings ====

<code>
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\nginx\conf.d\ssl.conf"
</code>

<code>
ssl_certificate "C:/Certbot/live/realmofespionage.xyz/fullchain.pem";
ssl_trusted_certificate "C:/Certbot/live/realmofespionage.xyz/fullchain.pem";
ssl_certificate_key "C:/Certbot/live/realmofespionage.xyz/privkey.pem";
ssl_session_timeout "10m";
ssl_session_cache "shared:SSL:10m";
ssl_session_tickets "off";
ssl_buffer_size "4k";
ssl_protocols "TLSv1.2" "TLSv1.3";
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
ssl_prefer_server_ciphers "on";
ssl_ecdh_curve "secp384r1";
# End
</code>

====== Scripts ======

<code>
MKDIR "%SystemDrive%\www\scripts\nginx"
"%SystemRoot%\explorer.exe" "%SystemDrive%\www\scripts\nginx"
</code>

===== Start =====

<code>
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\scripts\nginx\Start.bat"
</code>

<code>
@echo off
TITLE nginx
CD "%SystemDrive%\freenginx-"*"\"
"nginx.exe" -c "%SystemDrive%\www\nginx\nginx.conf"
:: End
</code>

<code>
"%SystemDrive%\www\scripts\nginx\Start.bat"
</code>

===== Stop =====

<code>
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\scripts\nginx\Stop.bat"
</code>

<code>
@echo off
TITLE nginx Stop
CD "%SystemDrive%\freenginx-"*"\"
"nginx.exe" -s "quit"
"%SystemRoot%\System32\timeout.exe" /T "2" /NOBREAK
"%SystemRoot%\System32\taskkill.exe" /IM "nginx.exe" /T /F
CD "%Temp%"
:: End
</code>

<code>
"%SystemDrive%\www\scripts\nginx\Stop.bat"
</code>

===== Reload =====

<code>
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\scripts\nginx\Reload.bat"
</code>

<code>
@echo off
CD "%SystemDrive%\freenginx-"*"\"
"nginx.exe" -s "reload"
"nginx.exe" -s "reopen"
CD "%Temp%"
:: End
</code>

<code>
"%SystemDrive%\www\scripts\nginx\Reload.bat"
</code>

====== Task Scheduler ======

===== nginx =====

  * Auto-start

<code>
"%SystemRoot%\System32\schtasks.exe" /Create /SC "ONLOGON" /TN "nginx" /TR "%SystemDrive%\www\scripts\nginx\Start.bat" /F
</code>

====== Resources ======

  * https://nginx.org/en/docs/windows.html
  * https://gist.github.com/odan/b5f7de8dfbdbf76bef089776c868fea1
  * https://certbot.eff.org/instructions?ws=other&os=pip
  * https://community.letsencrypt.org/t/using-certbot-in-windows-the-pragmatic-way/173929
  * https://www.php.net/manual/en/image.installation.php
  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]

====== TODO ======

===== Exploit Protection =====

  * https://learn.microsoft.com/en-us/defender-endpoint/exploit-protection-reference

==== nginx ====

''nginx.exe''

  * Arbitrary code guard (ACG): On
    * ''[ ]'' Allow thread opt-out
  * Block low integrity images: On
  * Block remote images: On
  * Block untrusted fonts: On
  * Control integrity guard: On
    * ''[ ]'' Also allow loading of images signed by Microsoft Store
  * Control flow guard (CFG): On
    * :!: ''[ ]'' Use strict CFG
  * Data Execution Prevention (DEP): On
    * ''[ ]'' Enable ATL thunk emulation
  * Disable extension points: On
  * :!: Disable Win32k system calls: Off
  * :!: Do not allow child processes: Off
  * Export address filtering (EAF): On
    * ''[x]'' Validate access for modules that are commonly abused by exploits
  * Force randomization for images (Mandatory ASLR): On
    * ''[x]'' Do not allow stripped images
  * Hardware-enforced Stack Protection: On
    * ''[x]'' Enforce for all modules instead of only compatible modules
  * Import address filtering (IAF): On
  * Randomize memory allocations (Bottom-up ASLR): On
    * ''[ ]'' Don't use high entropy
  * Simulate execution (SimExec): On
  * Validate API invocation (CallerCheck): On
  * Validate exception chains (SEHOP): On
  * Validate handle usage: On
  * Validate heap integrity: On
  * Validate image dependency integrity: On
  * Validate stack integrity (StackPivot): On

==== PHP-CGI ====

''php-cgi.exe''

  * :!: Arbitrary code guard (ACG): Off
  * Block low integrity images: On
  * Block remote images: On
  * Block untrusted fonts: On
  * :!: Control integrity guard: Off
  * Control flow guard (CFG): On
    * :!: ''[ ]'' Use strict CFG
  * Data Execution Prevention (DEP): On
    * ''[ ]'' Enable ATL thunk emulation
  * Disable extension points: On
  * :!: Disable Win32k system calls: Off
  * :!: Do not allow child processes: Off
  * Export address filtering (EAF): On
    * ''[x]'' Validate access for modules that are commonly abused by exploits
  * Force randomization for images (Mandatory ASLR): On
    * ''[x]'' Do not allow stripped images
  * Hardware-enforced Stack Protection: On
    * ''[x]'' Enforce for all modules instead of only compatible modules
  * Import address filtering (IAF): On
  * Randomize memory allocations (Bottom-up ASLR): On
    * ''[ ]'' Don't use high entropy
  * Simulate execution (SimExec): On
  * Validate API invocation (CallerCheck): On
  * Validate exception chains (SEHOP): On
  * Validate handle usage: On
  * Validate heap integrity: On
  * Validate image dependency integrity: On
  * Validate stack integrity (StackPivot): On
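A complete per-site config for ''vhosts.d'', added here as an example that is not part of the original page, wiring together the pieces from the freenginx Settings section: the ''headers.conf'' include with the site CSP underneath it, and a PHP location that hands ''.php'' requests to PHP-CGI. The site name, the document root and the PHP-CGI listener address ''127.0.0.1:9000'' are assumptions; ''php-cgi.exe'' has to be started bound to that address (''php-cgi.exe -b 127.0.0.1:9000''), and the certificates come from ''conf.d\ssl.conf'', which ''nginx.conf'' already includes at ''http'' level.

```nginx
# C:\www\nginx\vhosts.d\example.conf (constructed example; host name and paths are assumptions)
server {
    listen "443" "ssl";
    listen "[::]:443" "ssl";
    http2 "on";
    server_name "www.example.test";

    # Document root for this site only; nothing outside it is ever handed to PHP-CGI
    root "C:/www/sites/example/public";
    index "index.php" "index.html";

    # Shared hardening headers from default.d, then the site-specific CSP underneath
    include "C:/www/nginx/default.d/headers.conf";
    add_header "Content-Security-Policy" "default-src 'self'" "always";

    # Never serve dotfiles (.git, .env, ...) that happen to live under the root
    location ~ /\. {
        deny "all";
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # Only pass scripts that really exist on disk, so a URI whose trailing
        # path-info ends in .php is refused instead of being routed to PHP-CGI
        try_files $uri =404;

        # php-cgi.exe is assumed to be listening here (started with -b 127.0.0.1:9000)
        fastcgi_pass "127.0.0.1:9000";
        fastcgi_index "index.php";
        include "C:/www/nginx/conf/fastcgi_params";
        fastcgi_param "SCRIPT_FILENAME" "$document_root$fastcgi_script_name";
        # Do not let a client-supplied Proxy header become HTTP_PROXY in the CGI environment (httpoxy)
        fastcgi_param "HTTP_PROXY" "";
        # Let nginx render PHP error statuses instead of passing PHP-CGI's own pages through
        fastcgi_intercept_errors "on";
    }
}
# End
```

Keep every ''add_header'' at ''server'' level as shown: nginx only inherits them into a ''location'' that defines no ''add_header'' of its own, so a header added inside a location silently drops the whole ''headers.conf'' set for that location.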