Differences

This shows you the differences between two versions of the page.

--- servers:bsd:freenginx_php_php-fpm [2025/08/28 22:17] – removed Sean Rhone
+++ servers:bsd:freenginx_php_php-fpm [2026/03/04 18:38] (current) – [Headers] Sean Rhone
@@ Line 1: / Line 1: @@
+====== Information ======
+  * freenginx ((https://freenginx.org/en/))
+  * PHP ((https://www.php.net/))
+  * PHP-FPM
+  * [[Information:Realm of Espionage]]
+===== Prerequisites =====
+  * [[bsd:server:freebsd_16.0|FreeBSD 16.0]]
+====== Dependencies ======
+  su -
+  pkg install freenginx-devel php85
+====== Information ======
+  nginx -v
+  php -m
+====== Firewall ======
+  * TODO
+====== Services ======
+===== Enable =====
+  su -
+  sysrc nginx_enable="YES"
+  sysrc php_fpm_enable="YES"
+===== Start =====
+  su -
+  service 'nginx' start
+  service 'php_fpm' start
+==== Stop ====
+  su -
+  service 'nginx' stop
+  service 'php_fpm' stop
+====== Disable Defaults ======
+===== freenginx =====
+  su -
+  rm -fv '/usr/local/etc/freenginx/nginx.conf'
+===== PHP-FPM =====
+  su -
+  rm -fv '/usr/local/etc/php-fpm.d/www.conf'
+===== Check Defaults =====
+==== nginx ====
+****
+  ee '/usr/local/etc/freenginx/nginx.conf-dist'
+==== PHP ====
+  * TODO: Other paths
+  ee '/usr/local/etc/php-fpm.d/www.conf.default'
+  nano '/etc/php8/fpm/php-fpm.conf'
+  ee '/usr/local/etc/php.conf'
+  nano '/etc/php8/fpm/php.ini'
+  nano '/etc/php8/cli/php.ini'
+====== nginx Settings ======
+===== Notes =====
+  * ''conf.d'' contains **server-wide** modular configuration files
+  * ''default.d'' contains **site-specific** modular configuration files
+  * ''vhosts.d'' contains enabled websites
+===== Folders =====
+  su -
+  mkdir -p -m '0644' '/usr/local/etc/freenginx/conf.d' '/usr/local/etc/freenginx/default.d' '/usr/local/etc/freenginx/vhosts.d'
+===== HTTPS Redirect =====
+  * This automatically redirects non-HTTPS site links to HTTPS
+  su -
+  ee '/usr/local/etc/freenginx/conf.d/http-redirect.conf'
+<code>
+server {
+ listen '80' 'default_server';
+ listen '[::]:80' 'default_server';
+ return '301' 'https://$host$request_uri';
+}
+# End</code>
+===== Non-existent 404 =====
+  * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
+  su -
+  ee '/usr/local/etc/freenginx/conf.d/non-existent.conf'
+<code>
+server {
+ listen '443' 'ssl' 'default_server';
+ http2 'on';
+ server_name '_';
+ return '404';
+}
+# End</code>
+===== Headers =====
+  su -
+  ee '/usr/local/etc/freenginx/default.d/headers.conf'
+<code>
+add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always';
+add_header 'X-Content-Type-Options' 'nosniff' 'always';
+add_header 'X-Frame-Options' 'sameorigin' 'always';
+add_header 'X-XSS-Protection' '1; mode=block' 'always';
+add_header 'Cache-Control' 'max-age=604800, no-transform, public' 'always';
+add_header 'Referrer-Policy' 'same-origin' 'always';
+add_header 'Expect-CT' 'max-age=0' 'always';
+add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always';
+# End</code>
+===== nginx =====
+  su -
+  ee '/usr/local/etc/freenginx/nginx.conf'
+<code>
+worker_processes '1';
+#error_log '/var/log/nginx/error.log';
+events {
+ multi_accept 'on';
+ worker_connections '1024';
+}
+http {
+ # Logging
+ #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+ #                  '$status $body_bytes_sent "$http_referer" '
+ #                  '"$http_user_agent" "$http_x_forwarded_for"';
+ #access_log  logs/access.log  main;
+ access_log '/dev/null';
+ # Includes
+ include '/usr/local/etc/freenginx/conf.d/*.conf';
+ include '/usr/local/etc/freenginx/vhosts.d/*.conf';
+ include '/usr/local/etc/freenginx/mime.types';
+ default_type 'application/octet-stream';
+ # Config
+ sendfile 'on';
+ tcp_nopush 'on';
+ tcp_nodelay 'on';
+ keepalive_timeout '65';
+ types_hash_max_size '4096';
+ # gzip
+ gzip 'on';
+ gzip_vary 'on';
+ gzip_proxied 'any';
+ gzip_comp_level '9';
+ gzip_types '*';
+}
+# End</code>
+====== SSL Certs ======
+===== Let's Encrypt =====
+  * See [[servers:bsd:nginx:lets_encrypt|Let's Encrypt/Certbot]] for further set-up
+  su -
+  ee '/usr/local/etc/freenginx/conf.d/ssl.conf'
+<code>
+ssl_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
+ssl_trusted_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
+ssl_certificate_key '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
+ssl_session_timeout '10m';
+ssl_session_cache 'shared:SSL:10m';
+ssl_session_tickets 'off';
+ssl_buffer_size '4k';
+ssl_protocols 'TLSv1.2' 'TLSv1.3';
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
+ssl_prefer_server_ciphers 'on';
+ssl_ecdh_curve 'secp384r1';
+# End</code>
+====== Resources ======
+  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]