====== Information ======

  * nginx ((https://nginx.org/en/docs/windows.html))
  * PHP ((https://windows.php.net/download/))
  * PHP-CGI
  * [[information;realm_of_espionage|Realm of Espionage]]

===== Prerequisites =====

  * [[windows;10_ltsc_server|Windows 10 (21H2)]]

====== Install ======

===== nginx =====

  * https://nginx.org/en/download.html ([[https://nginx.org/en/CHANGES|CHANGES]])
  * Last tested: ''nginx-1.29.5.zip''
  * Extract to root system drive for ''C:\nginx-1.29.5\nginx.exe''

<code>
"explorer.exe" "%SystemDrive%"
</code>

===== PHP-CGI =====

  * https://windows.php.net/download/ ([[https://windows.php.net/downloads/releases/|raw]])
  * https://windows.php.net/qa/ ([[https://windows.php.net/downloads/qa/|raw]])
  * x64 Non Thread Safe
  * Last tested: ''php-8.5.1-nts-Win32-vs17-x64.zip''
  * Extract to root system drive for ''C:\php-*\php-cgi.exe''
  * Add to user ''Path''

<code>
"explorer.exe" "%SystemDrive%"
</code>

<code>
"SystemPropertiesAdvanced.exe"
</code>

<code>
C:\php-8.5.1-nts-Win32-vs17-x64
</code>

====== Firewall ======

<code>
CD "%SystemDrive%\nginx-"*"\" && "netsh.exe" advfirewall firewall add rule name="nginx" dir="in" action="allow" profile="any" program="%CD%\nginx.exe" protocol="tcp" localport="80,443"
</code>

===== Delete Rule =====

<code>
"netsh.exe" advfirewall firewall delete rule name="nginx"
</code>

====== Check Defaults ======

==== nginx ====

<code>
CD "%SystemDrive%\nginx-"*"\conf" && "notepad.exe" "nginx.conf"
</code>

==== PHP ====

<code>
CD "%SystemDrive%\php-"*"-nts-Win32-"*"-x64\" && "notepad.exe" "php.ini-production"
</code>

<code>
CD "%SystemDrive%\php-"*"-nts-Win32-"*"-x64\" && "notepad.exe" "php.ini-development"
</code>

====== nginx Settings ======

===== confs =====

<code>
MKDIR "%SystemDrive%\www\nginx\conf" & CD "%SystemDrive%\nginx-"*"\conf" && COPY /Y "fastcgi_params" "%SystemDrive%\www\nginx\conf\fastcgi_params"
</code>

<code>
MKDIR "%SystemDrive%\www\nginx\conf" & CD "%SystemDrive%\nginx-"*"\conf" && COPY /Y "mime.types" "%SystemDrive%\www\nginx\conf\mime.types"
</code>

===== Folders =====

<code>
MKDIR "%SystemDrive%\www\php" "%SystemDrive%\www\nginx\conf.d" "%SystemDrive%\www\nginx\default.d" "%SystemDrive%\www\nginx\vhosts.d"
</code>

===== HTTPS Redirect =====

  * This automatically redirects non-HTTPS site links to HTTPS

<code>
"notepad.exe" "%SystemDrive%\www\nginx\conf.d\http-redirect.conf"
</code>

<code>
server {
    listen "80" "default_server";
    listen "[::]:80" "default_server";
    return "301" "https://$host$request_uri";
}
# End
</code>

===== Non-existent 404 =====

  * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't have a ''vhosts.d\*.conf'', it'll 404))

<code>
"notepad.exe" "%SystemDrive%\www\nginx\conf.d\non-existent.conf"
</code>

<code>
server {
    listen "443" "ssl" "default_server";
    http2 "on";
    server_name "_";
    return "404";
}
# End
</code>

===== Headers =====

  * Add to individual site configs as an ''include''

<code>
"notepad.exe" "%SystemDrive%\www\nginx\default.d\headers.conf"
</code>

<code>
add_header "Strict-Transport-Security" "max-age=63072000; includeSubdomains; preload" "always";
add_header "X-Content-Type-Options" "nosniff" "always";
add_header "X-Frame-Options" "sameorigin" "always";
add_header "X-XSS-Protection" "1; mode=block" "always";
add_header "Cache-Control" "max-age=604800, no-transform, public" "always";
add_header "Referrer-Policy" "same-origin" "always";
add_header "Expect-CT" "max-age=0" "always";
add_header "Permissions-Policy" "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" "always";
# End
</code>

===== nginx =====

<code>
"notepad.exe" "%SystemDrive%\www\nginx\nginx.conf"
</code>

<code>
worker_processes "1";
error_log "logs/error.log" "emerg";

events {
    multi_accept "on";
    worker_connections "1024";
}

http {
    access_log "off";

    include "C:/www/nginx/conf.d/*.conf";
    include "C:/www/nginx/vhosts.d/*.conf";
    include "C:/www/nginx/conf/mime.types";
    default_type "application/octet-stream";

    sendfile "on";
    tcp_nopush "on";
    tcp_nodelay "on";
    keepalive_timeout "65";
    types_hash_max_size "4096";
    server_names_hash_bucket_size "64";

    gzip "on";
    gzip_vary "on";
    gzip_proxied "any";
    gzip_comp_level "9";
    gzip_types "*";
}
# End
</code>

  * Test the configuration before starting:

<code>
CD "%SystemDrive%\nginx-"*"\" && "nginx.exe" -c "%SystemDrive%\www\nginx\nginx.conf" -t
</code>

==== CSP Headers ====

  * The empty CSP allows all and can be useful for new site bring-ups; either line should be placed in site-specific configs underneath the ''include'' line(s)

<code>
add_header Content-Security-Policy "default-src 'self'" always;
</code>

<code>
add_header Content-Security-Policy "" always;
</code>

====== SSL Certs ======

===== Let's Encrypt =====

  * See [[servers;windows;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up

==== Settings ====

<code>
"notepad.exe" "%SystemDrive%\www\nginx\conf.d\ssl.conf"
</code>

<code>
ssl_certificate "C:/Certbot/live/realmofespionage.xyz/fullchain.pem";
ssl_trusted_certificate "C:/Certbot/live/realmofespionage.xyz/fullchain.pem";
ssl_certificate_key "C:/Certbot/live/realmofespionage.xyz/privkey.pem";
ssl_session_timeout "10m";
ssl_session_cache "shared:SSL:10m";
ssl_session_tickets "off";
ssl_buffer_size "4k";
ssl_protocols "TLSv1.2" "TLSv1.3";
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
ssl_prefer_server_ciphers "on";
ssl_ecdh_curve "secp384r1";
# End
</code>

====== Scripts ======

<code>
MKDIR "%SystemDrive%\www\scripts\nginx"
</code>

<code>
"explorer.exe" "%SystemDrive%\www\scripts\nginx"
</code>

===== Start =====

<code>
"notepad.exe" "%SystemDrive%\www\scripts\nginx\Start.bat"
</code>

<code>
@echo off
TITLE nginx
CD "%SystemDrive%\nginx-"*"\"
"nginx.exe" -c "%SystemDrive%\www\nginx\nginx.conf"
:: End
</code>

<code>
"%SystemDrive%\www\scripts\nginx\Start.bat"
</code>

===== Stop =====

<code>
"notepad.exe" "%SystemDrive%\www\scripts\nginx\Stop.bat"
</code>

<code>
@echo off
TITLE nginx Stop
CD "%SystemDrive%\nginx-"*"\"
"nginx.exe" -s "quit"
TIMEOUT /T "2" /NOBREAK
TASKKILL /IM "nginx.exe" /T /F
CD "%Temp%"
:: End
</code>

<code>
"%SystemDrive%\www\scripts\nginx\Stop.bat"
</code>

===== Reload =====

<code>
"notepad.exe" "%SystemDrive%\www\scripts\nginx\Reload.bat"
</code>

<code>
@echo off
CD "%SystemDrive%\nginx-"*"\"
"nginx.exe" -s "reload"
"nginx.exe" -s "reopen"
CD "%Temp%"
:: End
</code>

<code>
"%SystemDrive%\www\scripts\nginx\Reload.bat"
</code>

====== Task Scheduler ======

===== nginx =====

  * Auto-start

<code>
SCHTASKS /Create /SC "ONLOGON" /TN "nginx" /TR "%SystemDrive%\www\scripts\nginx\Start.bat" /F
</code>

===== Resources =====

  * https://nginx.org/en/docs/windows.html
  * https://gist.github.com/odan/b5f7de8dfbdbf76bef089776c868fea1
  * https://certbot.eff.org/instructions?ws=other&os=pip
  * https://community.letsencrypt.org/t/using-certbot-in-windows-the-pragmatic-way/173929
  * https://www.php.net/manual/en/image.installation.php
  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
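A per-site ''vhosts.d'' config showing how the pieces above fit together (the ''headers.conf'' include, the CSP line beneath it, the ''ssl.conf'' settings inherited from ''conf.d'', and PHP served through PHP-CGI over FastCGI). This is an added example, not a config from the original page; the hostname, document root and the php-cgi listen address are assumptions.

```nginx
# Added example: C:\www\nginx\vhosts.d\example.conf (hypothetical file name)
# Assumes: php-cgi.exe is on the user Path and was started with
#   php-cgi.exe -b 127.0.0.1:9000
# and that php.ini has cgi.fix_pathinfo=0 so PHP never guesses a script
# path from a request like /file.jpg/x.php.
server {
    listen "443" "ssl";
    listen "[::]:443" "ssl";
    http2 "on";
    server_name "example.realmofespionage.xyz";  # assumption
    root "C:/www/php/example";                   # assumption: docroot under C:\www\php
    index "index.php" "index.html";

    # ssl_certificate/ssl_protocols/... are inherited from conf.d\ssl.conf
    # (included at http level), so nothing TLS-specific is repeated here.

    include "C:/www/nginx/default.d/headers.conf";
    # CSP sits underneath the include, as the CSP Headers section describes
    add_header Content-Security-Policy "default-src 'self'" always;

    location / {
        # Static files only; unknown paths 404 instead of falling through
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # Caveat: nginx only inherits add_header from the server level when a
        # location defines no add_header of its own. If you add one here,
        # re-include headers.conf (and the CSP line) in this block too.

        # Only scripts that exist on disk reach PHP; anything else is a 404.
        try_files $uri =404;

        include "C:/www/nginx/conf/fastcgi_params";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index "index.php";
        fastcgi_pass "127.0.0.1:9000";   # assumption: php-cgi listen address
    }

    # Never serve dotfiles (.git, .env, .htaccess) from the docroot
    location ~ /\. {
        return "404";
    }
}
# End
```

Check it the same way as ''nginx.conf'' (''nginx.exe -c ... -t'') before reloading, and confirm the headers with the Qualys test listed under Resources.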