servers:bsd:freenginx_php_php-fpm
Table of Contents
Information
- freenginx 1)
- PHP 8.4
- PHP-FPM
- WIP
Prerequisites
Resources
Dependencies
su -
pkg install freenginx php84
PHP Extensions
Verify Modules
php -m
Firewall
- 80/tcp is HTTP
- 443/tcp is HTTPS
- TODO
sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload
Services
Enable
su -
sysrc nginx_enable="YES"
sysrc php_fpm_enable="YES"
Config Defaults
Backup
sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'
sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'
sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~'
mv -v '/usr/local/etc/nginx/nginx.conf' '/usr/local/etc/nginx/nginx.conf~'
View
nano '/etc/nginx/default.d/php.conf~'
nano '/etc/nginx/conf.d/php-fpm.conf~'
nano '/etc/php-fpm.d/www.conf~'
ee '/usr/local/etc/nginx/nginx.conf~'
nano '/etc/php.ini'
nginx Settings
Notes
conf.d
contains server-wide modular configuration filesdefault.d
contains site-specific modular configuration filesvhosts.d
contains enabled websites
Defaults
su -
mkdir -p '/usr/local/etc/nginx/conf.d' '/usr/local/etc/nginx/default.d' '/usr/local/etc/nginx/vhosts.d'
HTTPS Redirect
- This automatically redirects non-HTTPS site links to HTTPS
su -
ee '/usr/local/etc/nginx/conf.d/http-redirect.conf'
server { listen '80' 'default_server'; listen '[::]:80' 'default_server'; return '301' 'https://$host$request_uri'; }
Non-existent 404
- This prevents unconfigured subdomains from loading assets from other sites 2)
su -
ee '/usr/local/etc/nginx/conf.d/non-existent.conf'
server { listen '443' 'ssl' default_server; http2 'on'; server_name '_'; return '404'; }
Headers
- Add to individual site configs as an
include
su -
ee '/usr/local/etc/nginx/default.d/headers.conf'
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "sameorigin" always; add_header X-XSS-Protection "1; mode=block" always; add_header Cache-Control "no-store, no-transform, public" always; add_header Referrer-Policy "same-origin" always; add_header Expect-CT "max-age=0" always; add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;
nginx
- Last updated: 2024/11/30
su -
ee '/usr/local/etc/nginx/nginx.conf'
worker_processes 1; #error_log /var/log/nginx/error.log; events { worker_connections 1024; } http { # Logging #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; # Includes include /usr/local/etc/nginx/conf.d/*.conf; include /usr/local/etc/nginx/vhosts.d/*.conf; include /usr/local/etc/nginx/mime.types; default_type application/octet-stream; # Config sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 4096; # gzip gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 9; gzip_types *; } # End
CSP Headers
- The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the
include
line(s)
add_header Content-Security-Policy "default-src 'self'" always;
add_header Content-Security-Policy "" always;
SSL Certs
Let's Encrypt
- See Let's Encrypt/Certbot for further set-up
su -
ee '/usr/local/etc/nginx/conf.d/ssl.conf'
ssl_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; ssl_trusted_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; ssl_certificate_key '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem'; ssl_session_timeout '10m'; ssl_session_cache 'shared:SSL:10m'; ssl_session_tickets 'off'; ssl_buffer_size '4k'; ssl_protocols 'TLSv1.2' 'TLSv1.3'; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; ssl_prefer_server_ciphers 'on'; ssl_ecdh_curve 'secp384r1'; ssl_stapling 'on'; ssl_stapling_verify 'on'; # End
/usr/local/www/wiki/data/pages/servers/bsd/freenginx_php_php-fpm.txt · Last modified: by Sean Rhone