Differences

This shows you the differences between two versions of the page.

--- servers:bsd:freenginx_php_php-fpm [2024/11/30 08:53] – WIP Sean Rhone
+++ servers:bsd:freenginx_php_php-fpm [2026/03/06 00:20] (current) – old revision restored (2026/03/04 18:38) Sean Rhone
@@ Line 1: / Line 1: @@
 ====== Information ======
-  * freenginx ((https://freenginx.org/))
+  * freenginx ((https://freenginx.org/en/))
-  * PHP
+  * PHP ((https://www.php.net/))
   * PHP-FPM
   * [[Information:Realm of Espionage]]
@@ Line 8: / Line 8: @@
 ===== Prerequisites =====
-  * [[bsd:server:freebsd_14.2|FreeBSD 14.2]]
+  * [[bsd:server:freebsd_16.0|FreeBSD 16.0]]
-===== Resources =====
-  * [[https://cipherli.st/|Cipherli.st]]
-  * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]]
-  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
-  * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]]
-  * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9
-  * https://infosec.mozilla.org
-  * https://gist.github.com/plentz/6737338
-  * https://scotthelme.co.uk
-  * https://mozilla.github.io/server-side-tls/ssl-config-generator
 ====== Dependencies ======
-  su -l
+  su -
-  pkg install freenginx php84
+  pkg install freenginx-devel php85
-===== PHP Extensions =====
+====== Information ======
-==== Verify Modules ====
+  nginx -v
-****
   php -m
@@ Line 38: / Line 24: @@
 ====== Firewall ======
-  * 80/tcp is HTTP
-  * 443/tcp is HTTPS
   * TODO
-  sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload
 ====== Services ======
@@ Line 49: / Line 30: @@
 ===== Enable =====
-  su -l
+  su -
   sysrc nginx_enable="YES"
@@ Line 55: / Line 36: @@
   sysrc php_fpm_enable="YES"
-====== Config Defaults ======
+===== Start =====
-===== Backup =====
+  su -
-  sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'
+  service 'nginx' start
-  sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'
+  service 'php_fpm' start
-  sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~'
+==== Stop ====
-  sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'
+  su -
-===== View =====
+  service 'nginx' stop
-  nano '/etc/nginx/default.d/php.conf~'
+  service 'php_fpm' stop
-  nano '/etc/nginx/conf.d/php-fpm.conf~'
+====== Disable Defaults ======
-  nano '/etc/php-fpm.d/www.conf~'
+===== freenginx =====
-  nano '/etc/nginx/nginx.conf~'
+  su -
-  nano '/etc/php.ini'
+  rm -fv '/usr/local/etc/freenginx/nginx.conf'
+===== PHP-FPM =====
+  su -
+  rm -fv '/usr/local/etc/php-fpm.d/www.conf'
+===== Check Defaults =====
+==== nginx ====
+****
+  ee '/usr/local/etc/freenginx/nginx.conf-dist'
+==== PHP ====
+  * TODO: Other paths
+  ee '/usr/local/etc/php-fpm.d/www.conf.default'
+  nano '/etc/php8/fpm/php-fpm.conf'
+  ee '/usr/local/etc/php.conf'
+  nano '/etc/php8/fpm/php.ini'
+  nano '/etc/php8/cli/php.ini'
 ====== nginx Settings ======
@@ Line 85: / Line 94: @@
   * ''conf.d'' contains **server-wide** modular configuration files
   * ''default.d'' contains **site-specific** modular configuration files
-  * ''vhosts.d'' contains enabled websites ((this folder needs created))
+  * ''vhosts.d'' contains enabled websites
-===== Defaults =====
+===== Folders =====
-==== vhosts.d ====
+  su -
-****
+  mkdir -p -m '0644' '/usr/local/etc/freenginx/conf.d' '/usr/local/etc/freenginx/default.d' '/usr/local/etc/freenginx/vhosts.d'
-  sudo mkdir -p '/etc/nginx/vhosts.d'
 ===== HTTPS Redirect =====
@@ Line 99: / Line 106: @@
   * This automatically redirects non-HTTPS site links to HTTPS
-  sudo -e '/etc/nginx/conf.d/http-redirect.conf'
+  su -
+  ee '/usr/local/etc/freenginx/conf.d/http-redirect.conf'
 <code>
 server {
-    listen '80' 'default_server';
+ listen '80' 'default_server';
-    listen '[::]:80' 'default_server';
+ listen '[::]:80' 'default_server';
-    return '301' 'https://$host$request_uri';
+ return '301' 'https://$host$request_uri';
-}</code>
+}
+# End</code>
 ===== Non-existent 404 =====
@@ Line 113: / Line 124: @@
   * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
-  sudo -e '/etc/nginx/conf.d/non-existent.conf'
+  su -
+  ee '/usr/local/etc/freenginx/conf.d/non-existent.conf'
 <code>
 server {
-    listen '443' 'ssl' default_server;
+ listen '443' 'ssl' 'default_server';
-    http2 'on';
+ http2 'on';
-    server_name '_';
+ server_name '_';
-    return '404';
+ return '404';
-}</code>
+}
+# End</code>
 ===== Headers =====
-  * Last updated: 2024/02/07
+  su -
-  * Add to individual site configs as an ''include''
-  sudo -e '/etc/nginx/default.d/headers.conf'
+  ee '/usr/local/etc/freenginx/default.d/headers.conf'
 <code>
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always';
-add_header X-Content-Type-Options "nosniff" always;
+add_header 'X-Content-Type-Options' 'nosniff' 'always';
-add_header X-Frame-Options "sameorigin" always;
+add_header 'X-Frame-Options' 'sameorigin' 'always';
-add_header X-XSS-Protection "1; mode=block" always;
+add_header 'X-XSS-Protection' '1; mode=block' 'always';
-add_header Cache-Control "no-store, no-transform, public" always;
+add_header 'Cache-Control' 'max-age=604800, no-transform, public' 'always';
-add_header Referrer-Policy "same-origin" always;
+add_header 'Referrer-Policy' 'same-origin' 'always';
-add_header Expect-CT "max-age=0" always;
+add_header 'Expect-CT' 'max-age=0' 'always';
-add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;</code>
+add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always';
+# End</code>
 ===== nginx =====
-  * Last updated: 2023/09/12
+  su -
-  sudo -e '/etc/nginx/nginx.conf'
+  ee '/usr/local/etc/freenginx/nginx.conf'
 <code>
-user nginx;
+worker_processes '1';
-worker_processes auto;
+#error_log '/var/log/nginx/error.log';
-error_log /var/log/nginx/error.log notice;
-pid /run/nginx.pid;
-include /usr/share/nginx/modules/*.conf;
 events {
-    worker_connections 1024;
+ multi_accept 'on';
+ worker_connections '1024';
 }
 http {
+ # Logging
+ #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+ #                  '$status $body_bytes_sent "$http_referer" '
+ #                  '"$http_user_agent" "$http_x_forwarded_for"';
+ #access_log  logs/access.log  main;
-    # Logging
+ access_log '/dev/null';
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-    access_log  /var/log/nginx/access.log  main;
+ # Includes
+ include '/usr/local/etc/freenginx/conf.d/*.conf';
+ include '/usr/local/etc/freenginx/vhosts.d/*.conf';
+ include '/usr/local/etc/freenginx/mime.types';
+ default_type 'application/octet-stream';
-    # Includes
+ # Config
-    include /etc/nginx/conf.d/*.conf;
+ sendfile 'on';
-    include /etc/nginx/vhosts.d/*.conf;
+ tcp_nopush 'on';
-    include /etc/nginx/mime.types;
+ tcp_nodelay 'on';
-    default_type application/octet-stream;
+ keepalive_timeout '65';
+ types_hash_max_size '4096';
-    # Config
+ # gzip
-    sendfile on;
+ gzip 'on';
-    tcp_nopush on;
+ gzip_vary 'on';
-    tcp_nodelay on;
+ gzip_proxied 'any';
-    keepalive_timeout 65;
+ gzip_comp_level '9';
-    types_hash_max_size 4096;
+ gzip_types '*';
-    # gzip
-    gzip on;
-    gzip_vary on;
-    gzip_proxied any;
-    gzip_comp_level 9;
-    gzip_types *;
 }
 # End</code>
-==== CSP Headers ====
-  * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)
-<code>    add_header Content-Security-Policy "default-src 'self'" always;</code>
-<code>    add_header Content-Security-Policy "" always;</code>
 ====== SSL Certs ======
@@ Line 203: / Line 208: @@
 ===== Let's Encrypt =====
-  * See [[servers;linux;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up
+  * See [[servers:bsd:nginx:lets_encrypt|Let's Encrypt/Certbot]] for further set-up
-  sudo -e '/etc/nginx/conf.d/ssl.conf'
+  su -
+  ee '/usr/local/etc/freenginx/conf.d/ssl.conf'
 <code>
-ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
+ssl_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
-ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
+ssl_trusted_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
-ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
+ssl_certificate_key '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
 ssl_session_timeout '10m';
@@ Line 217: / Line 224: @@
 ssl_buffer_size '4k';
-ssl_protocols 'TLSv1.3';
+ssl_protocols 'TLSv1.2' 'TLSv1.3';
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
 ssl_prefer_server_ciphers 'on';
 ssl_ecdh_curve 'secp384r1';
-ssl_stapling 'on';
-ssl_stapling_verify 'on';
 # End</code>
+====== Resources ======
+  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]