RoE | Wiki

User Tools

Site Tools

Trace:
servers:bsd:freenginx_php_php-fpm

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
servers:bsd:freenginx_php_php-fpm [2024/11/30 08:53] – WIP Sean Rhoneservers:bsd:freenginx_php_php-fpm [2025/10/30 23:42] (current) Sean Rhone
Line 2: Line 2:
  
   * freenginx ((https://freenginx.org/))   * freenginx ((https://freenginx.org/))
-  * PHP 
   * PHP-FPM   * PHP-FPM
   * [[Information:Realm of Espionage]]   * [[Information:Realm of Espionage]]
Line 8: Line 7:
 ===== Prerequisites ===== ===== Prerequisites =====
  
-  * [[bsd:server:freebsd_14.2|FreeBSD 14.2]] +  * [[bsd:server:freebsd_15.0|FreeBSD 15.0]]
- +
-===== Resources ===== +
- +
-  * [[https://cipherli.st/|Cipherli.st]] +
-  * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]] +
-  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]] +
-  * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]] +
-  * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9 +
-  * https://infosec.mozilla.org +
-  * https://gist.github.com/plentz/6737338 +
-  * https://scotthelme.co.uk +
-  * https://mozilla.github.io/server-side-tls/ssl-config-generator+
  
 ====== Dependencies ====== ====== Dependencies ======
  
-  su -l+  su -
  
-  pkg install freenginx php84+  pkg install freenginx-devel php85
  
-===== PHP Extensions ===== +===== PHP Modules =====
- +
-==== Verify Modules ====+
  
 **** ****
  
   php -m   php -m
- 
-====== Firewall ====== 
- 
-  * 80/tcp is HTTP 
-  * 443/tcp is HTTPS 
-  * TODO 
- 
-  sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload 
- 
  
 ====== Services ====== ====== Services ======
Line 49: Line 25:
 ===== Enable ===== ===== Enable =====
  
-  su -l+  su -
  
   sysrc nginx_enable="YES"   sysrc nginx_enable="YES"
Line 59: Line 35:
 ===== Backup ===== ===== Backup =====
  
-  sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'+  su -
  
-  sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'+  mv -v '/usr/local/etc/freenginx/nginx.conf' '/usr/local/etc/freenginx/nginx.conf~'
  
-  sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~' +  mv -v '/usr/local/etc/php-fpm.d/www.conf' '/usr/local/etc/php-fpm.d/www.conf~'
- +
-  sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~' +
- +
-===== View ===== +
- +
-  nano '/etc/nginx/default.d/php.conf~' +
- +
-  nano '/etc/nginx/conf.d/php-fpm.conf~' +
- +
-  nano '/etc/php-fpm.d/www.conf~+
- +
-  nano '/etc/nginx/nginx.conf~' +
- +
-  nano '/etc/php.ini'+
  
 ====== nginx Settings ====== ====== nginx Settings ======
- 
-===== Notes ===== 
- 
-  * ''conf.d'' contains **server-wide** modular configuration files 
-  * ''default.d'' contains **site-specific** modular configuration files 
-  * ''vhosts.d'' contains enabled websites ((this folder needs created)) 
  
 ===== Defaults ===== ===== Defaults =====
  
-==== vhosts.d ==== +  su -
- +
-****+
  
-  sudo mkdir -p '/etc/nginx/vhosts.d'+  mkdir -p -m '0644' '/usr/local/etc/freenginx/conf.d' '/usr/local/etc/freenginx/default.d' '/usr/local/etc/freenginx/vhosts.d'
  
 ===== HTTPS Redirect ===== ===== HTTPS Redirect =====
Line 99: Line 53:
   * This automatically redirects non-HTTPS site links to HTTPS   * This automatically redirects non-HTTPS site links to HTTPS
  
-  sudo -'/etc/nginx/conf.d/http-redirect.conf'+  su - 
 + 
 +  ee '/usr/local/etc/freenginx/conf.d/http-redirect.conf'
  
 <code> <code>
 server { server {
-    listen '80' 'default_server'+    listen 80 default_server; 
-    listen '[::]:80' 'default_server';+    listen [::]:80 default_server;
  
-    return '301' 'https://$host$request_uri'+    return 301 https://$host$request_uri; 
-}</code>+} 
 + 
 +# End</code>
  
 ===== Non-existent 404 ===== ===== Non-existent 404 =====
Line 113: Line 71:
   * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))   * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
  
-  sudo -'/etc/nginx/conf.d/non-existent.conf'+  su - 
 + 
 +  ee '/usr/local/etc/freenginx/conf.d/non-existent.conf'
  
 <code> <code>
 server { server {
-    listen '443' 'ssldefault_server; +    listen 443 ssl default_server; 
-    http2 'on'+    http2 on; 
-    server_name '_';+    server_name _;
  
-    return '404'+    return 404; 
-}</code>+} 
 + 
 +# End</code>
  
 ===== Headers ===== ===== Headers =====
  
-  * Last updated: 2024/02/07 +  su -
-  * Add to individual site configs as an ''include''+
  
-  sudo -e '/etc/nginx/default.d/headers.conf'+  ee '/usr/local/etc/freenginx/default.d/headers.conf'
  
 <code> <code>
Line 139: Line 100:
 add_header Referrer-Policy "same-origin" always; add_header Referrer-Policy "same-origin" always;
 add_header Expect-CT "max-age=0" always; add_header Expect-CT "max-age=0" always;
-add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;</code>+add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always; 
 + 
 +# End</code>
  
 ===== nginx ===== ===== nginx =====
  
-  * Last updated: 2023/09/12+  su -
  
-  sudo -e '/etc/nginx/nginx.conf'+  ee '/usr/local/etc/freenginx/nginx.conf'
  
 <code> <code>
-user nginx; +worker_processes 1
-worker_processes auto+#error_log  /var/log/nginx/error.log;
-error_log /var/log/nginx/error.log notice; +
-pid /run/nginx.pid; +
- +
-include /usr/share/nginx/modules/*.conf;+
  
 events { events {
Line 162: Line 121:
  
     # Logging     # Logging
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request"+    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request"
-                      '$status $body_bytes_sent "$http_referer"+    #                  '$status $body_bytes_sent "$http_referer"
-                      '"$http_user_agent" "$http_x_forwarded_for"';+    #                  '"$http_user_agent" "$http_x_forwarded_for"';
  
-    access_log  /var/log/nginx/access.log  main;+    #access_log  logs/access.log  main;
  
     # Includes     # Includes
-    include /etc/nginx/conf.d/*.conf; +    include /usr/local/etc/freenginx/conf.d/*.conf; 
-    include /etc/nginx/vhosts.d/*.conf; +    include /usr/local/etc/freenginx/vhosts.d/*.conf; 
-    include /etc/nginx/mime.types;+    include /usr/local/etc/freenginx/mime.types;
     default_type application/octet-stream;     default_type application/octet-stream;
  
Line 190: Line 149:
  
 # End</code> # End</code>
- 
-==== CSP Headers ==== 
- 
-  * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s) 
- 
-<code>    add_header Content-Security-Policy "default-src 'self'" always;</code> 
- 
-<code>    add_header Content-Security-Policy "" always;</code> 
  
 ====== SSL Certs ====== ====== SSL Certs ======
Line 203: Line 154:
 ===== Let's Encrypt ===== ===== Let's Encrypt =====
  
-  * See [[servers;linux;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up+  * See [[servers:bsd:nginx:lets_encrypt|Let's Encrypt/Certbot]] for further set-up 
 + 
 +  su -
  
-  sudo -e '/etc/nginx/conf.d/ssl.conf'+  ee '/usr/local/etc/freenginx/conf.d/ssl.conf'
  
 <code> <code>
-ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; +ssl_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; 
-ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; +ssl_trusted_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; 
-ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';+ssl_certificate_key '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
  
 ssl_session_timeout '10m'; ssl_session_timeout '10m';
Line 217: Line 170:
 ssl_buffer_size '4k'; ssl_buffer_size '4k';
  
-ssl_protocols 'TLSv1.3';+ssl_protocols 'TLSv1.2' 'TLSv1.3';
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
 ssl_prefer_server_ciphers 'on'; ssl_prefer_server_ciphers 'on';
 ssl_ecdh_curve 'secp384r1'; ssl_ecdh_curve 'secp384r1';
- 
-ssl_stapling 'on'; 
-ssl_stapling_verify 'on'; 
  
 # End</code> # End</code>
 +
 +====== Resources ======
 +
 +===== Original confs =====
 +
 +  ee '/usr/local/etc/freenginx/nginx.conf~'
 +
 +  ee '/usr/local/etc/php-fpm.d/www.conf~'
  
/srv/www/wiki/data/attic/servers/bsd/freenginx_php_php-fpm.1732974828.txt.gz · Last modified: by Sean Rhone
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki