====== Information ======
* freenginx ((https://freenginx.org/))
* PHP + PHP-CGI ((https://windows.php.net/download/))
* [[Information:Realm of Espionage]]
===== Prerequisites =====
* [[windows:10|Windows 10]]
====== Install ======
===== freenginx =====
* https://freenginx.org/en/download.html
* Last tested: ''freenginx-1.27.4.zip''
* Extract to root system drive for ''C:\freenginx-1.27.4\nginx.exe''
explorer "%SystemDrive%"
CD "%SystemDrive%\freenginx-"*"\" && "nginx.exe" -v
===== PHP-CGI =====
==== 8.4 ====
* https://windows.php.net/download/
* x64 Non Thread Safe
* Last tested: ''php-8.4.3-nts-Win32-vs17-x64.zip''
* Extract to root system drive for ''C:\php-8.4.3-nts-Win32-vs17-x64\php-cgi.exe''
* Add to user ''Path''
explorer "%SystemDrive%"
CD "%SystemDrive%\php-8.4"*"-nts-Win32-"*"-x64\" && "php.exe" -v
====== Firewall ======
* 80/tcp is HTTP
* 443/tcp is HTTPS
netsh advfirewall firewall add rule name="nginx HTTP" dir="in" action="allow" protocol="TCP" localport="80"
netsh advfirewall firewall add rule name="nginx HTTPS" dir="in" action="allow" protocol="TCP" localport="443"
====== nginx Settings ======
===== Folders =====
MKDIR "%SystemDrive%\www\php"
MKDIR "%SystemDrive%\www\nginx\conf.d"
MKDIR "%SystemDrive%\www\nginx\default.d"
MKDIR "%SystemDrive%\www\nginx\vhosts.d"
explorer "%SystemDrive%\www"
===== PHP freenginx Report =====
* ''nginx/'' to ''freenginx/''
* [[https://forum.dokuwiki.org/d/22842-where-is-webserver-in-popularity-feedback-polled-from|Thread]]
* TODO: Put under site-specifics instead ((''fastcgi_params'' ''1.27.4'' folder is already hard-coded [[servers;windows;nginx;dokuwiki#php-cgi|under site-specifics]]))
notepad "%SystemDrive%\freenginx-1.27.4\conf\fastcgi_params"
fastcgi_param SERVER_SOFTWARE freenginx/$nginx_version;
===== HTTPS Redirect =====
* This automatically redirects non-HTTPS site links to HTTPS
notepad "%SystemDrive%\www\nginx\conf.d\http-redirect.conf"
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host$request_uri;
}
# End
===== Non-existent 404 =====
* This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
notepad "%SystemDrive%\www\nginx\conf.d\non-existent.conf"
server {
listen "443" "ssl" "default_server";
http2 "on";
server_name "_";
return "404";
}
# End
===== Headers =====
* Add to individual site configs as an ''include''
notepad "%SystemDrive%\www\nginx\default.d\headers.conf"
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Cache-Control "no-store, no-transform, public" always;
add_header Referrer-Policy "same-origin" always;
add_header Expect-CT "max-age=0" always;
add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;
# End
===== nginx =====
* :!: ''mime.types'' include hard-coded to freenginx version path
notepad "%SystemDrive%\www\nginx\nginx.conf"
worker_processes 1;
events {
worker_connections 1024;
}
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
http {
# Logging
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
# Includes
include C:/www/nginx/conf.d/*.conf;
include C:/www/nginx/vhosts.d/*.conf;
include C:/freenginx-1.27.4/conf/mime.types;
default_type application/octet-stream;
# Config
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
server_names_hash_bucket_size 64;
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 9;
gzip_types *;
}
# End
==== CSP Headers ====
* The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)
add_header Content-Security-Policy "default-src 'self'" always;
add_header Content-Security-Policy "" always;
====== SSL Certs ======
===== Let's Encrypt =====
* See [[servers;windows;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up
==== Settings ====
notepad "%SystemDrive%\www\nginx\conf.d\ssl.conf"
ssl_certificate "C:/Certbot/live/realmofespionage.xyz/fullchain.pem";
ssl_trusted_certificate "C:/Certbot/live/realmofespionage.xyz/fullchain.pem";
ssl_certificate_key "C:/Certbot/live/realmofespionage.xyz/privkey.pem";
ssl_session_timeout "10m";
ssl_session_cache "shared:SSL:10m";
ssl_session_tickets "off";
ssl_buffer_size "4k";
ssl_protocols "TLSv1.2" "TLSv1.3";
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
ssl_prefer_server_ciphers "on";
ssl_ecdh_curve "secp384r1";
ssl_stapling "on";
ssl_stapling_verify "on";
resolver "1.1.1.2" "1.0.0.2" "[2606:4700:4700::1112]" "[2606:4700:4700::1002]" "valid=300s";
resolver_timeout "5s";
# End
====== Batch Files ======
MKDIR "%SystemDrive%\www\scripts\freenginx"
explorer "%SystemDrive%\www\scripts\freenginx"
===== Start =====
notepad "%SystemDrive%\www\scripts\freenginx\Start.bat"
CD "%SystemDrive%\freenginx-"*"\"
"nginx.exe" -c "%SystemDrive%\www\nginx\nginx.conf"
:: End
==== Autostart ====
explorer "%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"
"%SystemDrive%\www\scripts\freenginx\Start.bat"
freenginx
===== Stop =====
notepad "%SystemDrive%\www\scripts\freenginx\Stop.bat"
CD "%SystemDrive%\freenginx-"*"\"
"nginx.exe" -s quit
:: End
===== Reload =====
notepad "%SystemDrive%\www\scripts\freenginx\Reload.bat"
CD "%SystemDrive%\freenginx-"*"\"
"nginx.exe" -s reload
"nginx.exe" -s reopen
:: End
====== TODOs ======
===== Resources =====
* https://nginx.org/en/docs/windows.html
* https://gist.github.com/odan/b5f7de8dfbdbf76bef089776c868fea1
* https://certbot.eff.org/instructions?ws=other&os=pip
* https://community.letsencrypt.org/t/using-certbot-in-windows-the-pragmatic-way/173929
* https://www.php.net/manual/en/image.installation.php