Table of Contents

Information

Prerequisites

Dependencies

# nginx-light is the minimal nginx build (fewer optional modules); php-fpm
# pulls in the distro's default PHP, which is 8.4 in the unit names below.
sudo apt install git nginx-light php-fpm

Information

# Confirm the installed nginx build and which PHP modules are loaded.
nginx -v
php -m

Firewall

# 'Nginx HTTP' / 'Nginx HTTPS' are the ufw application profiles shipped with
# the nginx package (ports 80 and 443). With ufw's IPv6 support on they add
# both an IPv4 and an IPv6 rule each, which is what the next section trims.
sudo ufw allow 'Nginx HTTP'
sudo ufw allow 'Nginx HTTPS'

Disable IPv6

# Rule numbers are positional and come from the 'status numbered' listing;
# they will differ on another host, so read the listing before deleting.
# Presumably '4' and '5' are the two (v6) entries for the profiles above.
# Deleting the higher number first keeps the lower one valid (removing '4'
# first would renumber '5').
sudo ufw status numbered
sudo ufw delete '5'
sudo ufw delete '4'

Services

# Enable both units at boot, then stop them — presumably so nothing serves
# until the shipped defaults have been replaced.
# NOTE(review): the Start section that follows comes before Disable Defaults,
# so as written the services come back up on the stock config first —
# confirm the intended order.
sudo systemctl enable 'nginx' 'php8.4-fpm'
sudo systemctl stop 'nginx' 'php8.4-fpm'

Start

# Bring both services up again (nginx first, then the FPM pool manager).
sudo systemctl start 'nginx'
sudo systemctl start 'php8.4-fpm'

Disable Defaults

nginx

# Remove the stock site, and park the echo module and the stock nginx.conf
# rather than deleting them: the module is only moved out of modules-enabled
# so it can be restored by moving it back, and the '~' copy is what the
# Check Defaults section below reads for comparison.
sudo rm '/etc/nginx/sites-enabled/default'
sudo mv '/etc/nginx/modules-enabled/50-mod-http-echo.conf' '/etc/nginx/modules-available/50-mod-http-echo.conf'
sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'

PHP-FPM

# Park the stock www pool under a name the pool.d include no longer matches.
# NOTE(review): note 1) under Old below appears to refer to this step —
# with no pool conf present, a package upgrade that restarts FPM fails.
# Keep a replacement pool in place before any apt run.
sudo mv '/etc/php/8.4/fpm/pool.d/www.conf' '/etc/php/8.4/fpm/pool.d/www.conf~'

Check Defaults

nginx

# Read the shipped defaults (the '~' copy was parked above) before writing
# the replacements that follow.
nano '/etc/nginx/sites-available/default'
nano '/etc/nginx/nginx.conf~'

PHP

# Read the shipped PHP defaults; the FPM and CLI php.ini are separate files
# and must be reviewed separately.
nano '/etc/php/8.4/fpm/pool.d/www.conf~'
nano '/etc/php/8.4/fpm/php-fpm.conf'
nano '/etc/php/8.4/fpm/php.ini'
nano '/etc/php/8.4/cli/php.ini'

nginx Settings

HTTPS Redirect

sudo -e '/etc/nginx/conf.d/http-redirect.conf'
server {

 # Plain-HTTP catch-all: every request on port 80 (IPv4 and IPv6) is sent
 # to the HTTPS origin for the same host; nothing is served over plain HTTP
 # from this block.
 listen '80' 'default_server';
 listen '[::]:80' 'default_server';

 # $host is taken from the request (Host header, falling back to the
 # server name per nginx docs), so the redirect stays on the host the
 # client asked for; 301 lets clients cache it.
 return '301' 'https://$host$request_uri';

}

# End

Non-existent 404

sudo -e '/etc/nginx/conf.d/non-existent.conf'
server {

 # Default TLS server: a request whose Host matches no other server block
 # lands here and gets a bare 404 instead of the first configured site.
 # The certificate is expected to come from ssl.conf, which conf.d pulls in
 # at http level, so an unknown name still completes the handshake.
 listen '443' 'ssl' 'default_server';
 http2 'on';
 server_name '_';

 return '404';

}

# End

Headers

sudo -e '/etc/nginx/snippets/headers.conf'
# Shared response headers for the sites. nginx inherits add_header from the
# enclosing level only when the current level sets none, so any server or
# location block that adds its own header must include this snippet again,
# or every header below is silently dropped there — worth checking on each
# site that includes it.
# Two-year HSTS covering subdomains, with the preload flag; once submitted to
# the preload list this is hard to undo, so every subdomain must serve HTTPS.
add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always';
add_header 'X-Content-Type-Options' 'nosniff' 'always';
# Clickjacking protection; the CSP frame-ancestors directive is the modern
# equivalent and is meant to take precedence where both are present.
add_header 'X-Frame-Options' 'sameorigin' 'always';
# NOTE(review): the browser XSS auditor this header controlled has been
# removed from current browsers, and current guidance is '0' or dropping the
# header entirely — confirm before changing.
add_header 'X-XSS-Protection' '1; mode=block' 'always';
# NOTE(review): 'no-store' and 'public' contradict each other ('public'
# marks the response cacheable by shared caches), and with 'always' this
# applies to every response including static assets — confirm the intended
# caching policy.
add_header 'Cache-Control' 'no-store, no-transform, public' 'always';
add_header 'Referrer-Policy' 'same-origin' 'always';
# NOTE(review): Expect-CT is deprecated and max-age=0 makes it a no-op, so
# this line can probably be dropped.
add_header 'Expect-CT' 'max-age=0' 'always';
# Denies the listed browser features to every origin, including this one.
add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always';

# End

nginx

sudo -e '/etc/nginx/nginx.conf' && sudo nginx -t
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;

events {
 multi_accept 'on';
 worker_connections '1024';
}

# NOTE(review): with error_log commented out nginx falls back to its
# compiled-in default log path, so errors are still written somewhere —
# confirm where on this build before relying on it for troubleshooting.
#error_log '/var/log/nginx/error.log';

http {

 # Logging
 # NOTE(review): sending the access log to /dev/null leaves no request
 # trail for incident response or abuse investigation. If the aim is to
 # avoid storing client addresses, a reduced log_format is the usual
 # middle ground — confirm this is deliberate.
 access_log '/dev/null';
# access_log '/var/log/nginx/access.log';

 # Includes
 # conf.d holds the http-level snippets from this page (HTTP redirect,
 # default 404 server, ssl.conf). snippets/headers.conf is NOT included
 # here, so each site in sites-enabled must include it itself.
 include '/etc/nginx/conf.d/*.conf';
 include '/etc/nginx/sites-enabled/*.conf';
 include '/etc/nginx/mime.types';
 default_type 'application/octet-stream';

 # Config
 sendfile 'on';
 tcp_nopush 'on';
 tcp_nodelay 'on';
 keepalive_timeout '65';
 types_hash_max_size '4096';

 # gzip
 # NOTE(review): compressing every type ('*') at level 9 over TLS means
 # dynamic pages that reflect user input next to secrets (CSRF tokens,
 # session data) are exposed to compression side channels (BREACH). The
 # usual mitigation is to limit gzip_types to static types such as
 # text/css, application/javascript and image/svg+xml — confirm what the
 # sites behind this serve.
 gzip 'on';
 gzip_vary 'on';
 gzip_proxied 'any';
 gzip_comp_level '9';
 gzip_types '*';
}

# End

CSP Headers

    # Restrictive starting point: only same-origin resources. Browsers must
    # satisfy every CSP header they receive, so a per-site policy should
    # replace this value rather than add a second, looser header.
    add_header Content-Security-Policy "default-src 'self'" always;
    # NOTE(review): as far as I recall nginx does not emit a header whose
    # value is empty, so this second line is a no-op placeholder — confirm
    # the intent (a second CSP header would only tighten, never loosen).
    add_header Content-Security-Policy "" always;

SSL Certs

Let's Encrypt

sudo -e '/etc/nginx/conf.d/ssl.conf'
# Certificate paths for the Let's Encrypt lineage; this snippet lives in
# conf.d, i.e. at http level, so every server block (including the default
# 404 one) inherits them.
ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
# NOTE(review): ssl_trusted_certificate is only consulted for OCSP stapling
# and client-certificate verification, neither of which is enabled in this
# snippet; certbot's documented value for it is chain.pem rather than
# fullchain.pem — confirm whether it is needed at all.
ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';

# Server-side session cache only; tickets are off so a long-lived ticket
# key cannot undermine forward secrecy across sessions.
ssl_session_timeout '10m';
ssl_session_cache 'shared:SSL:10m';
ssl_session_tickets 'off';
# Small TLS record size; per nginx docs this favours time-to-first-byte
# over throughput.
ssl_buffer_size '4k';

# TLS 1.2 and 1.3 only. The cipher list applies to TLS 1.2 (1.3 suites are
# fixed by the library) and allows AES-GCM with forward secrecy only.
# NOTE(review): this omits ChaCha20-Poly1305, which clients without AES
# hardware acceleration prefer — consider adding those suites; confirm.
ssl_protocols 'TLSv1.2' 'TLSv1.3';
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers 'on';
# NOTE(review): pinning a single curve excludes X25519 and P-256, so a
# client that offers only those cannot complete an ECDHE handshake here;
# a list such as 'X25519:secp384r1' is the usual form — confirm.
ssl_ecdh_curve 'secp384r1';

# End

TODOs

Resources

Old

1)
breaks apt-get installs of PHP modules: when dpkg restarts the FPM service, the absence of an existing conf causes the daemon to fail to restart
2)
if a site/URL doesn't exist, it'll 404