Differences

This shows you the differences between two versions of the page.

--- servers:bsd:freenginx_php_php-fpm [2025/08/28 22:17] – removed Sean Rhone
+++ servers:bsd:freenginx_php_php-fpm [2025/09/11 06:43] (current) – created - external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+====== Information ======
+  * freenginx ((https://freenginx.org/))
+  * PHP 8.4
+  * PHP-FPM
+  * [[Information:Realm of Espionage]]
+  * :!: WIP
+===== Prerequisites =====
+  * [[bsd:server:freebsd_14.2|FreeBSD 14.2]]
+===== Resources =====
+  * [[https://cipherli.st/|Cipherli.st]]
+  * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]]
+  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
+  * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]]
+  * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9
+  * https://infosec.mozilla.org
+  * https://gist.github.com/plentz/6737338
+  * https://scotthelme.co.uk
+  * https://mozilla.github.io/server-side-tls/ssl-config-generator
+====== Dependencies ======
+  su -
+  pkg install freenginx php84
+===== PHP Extensions =====
+==== Verify Modules ====
+****
+  php -m
+====== Firewall ======
+  * 80/tcp is HTTP
+  * 443/tcp is HTTPS
+  * TODO
+  sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload
+====== Services ======
+===== Enable =====
+  su -
+  sysrc nginx_enable="YES"
+  sysrc php_fpm_enable="YES"
+====== Config Defaults ======
+===== Backup =====
+  sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'
+  sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'
+  sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~'
+  mv -v '/usr/local/etc/nginx/nginx.conf' '/usr/local/etc/nginx/nginx.conf~'
+===== View =====
+  nano '/etc/nginx/default.d/php.conf~'
+  nano '/etc/nginx/conf.d/php-fpm.conf~'
+  nano '/etc/php-fpm.d/www.conf~'
+  ee '/usr/local/etc/nginx/nginx.conf~'
+  nano '/etc/php.ini'
+====== nginx Settings ======
+===== Notes =====
+  * ''conf.d'' contains **server-wide** modular configuration files
+  * ''default.d'' contains **site-specific** modular configuration files
+  * ''vhosts.d'' contains enabled websites
+===== Defaults =====
+  su -
+  mkdir -p '/usr/local/etc/nginx/conf.d' '/usr/local/etc/nginx/default.d' '/usr/local/etc/nginx/vhosts.d'
+===== HTTPS Redirect =====
+  * This automatically redirects non-HTTPS site links to HTTPS
+  su -
+  ee '/usr/local/etc/nginx/conf.d/http-redirect.conf'
+<code>
+server {
+    listen '80' 'default_server';
+    listen '[::]:80' 'default_server';
+    return '301' 'https://$host$request_uri';
+}</code>
+===== Non-existent 404 =====
+  * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
+  su -
+  ee '/usr/local/etc/nginx/conf.d/non-existent.conf'
+<code>
+server {
+    listen '443' 'ssl' default_server;
+    http2 'on';
+    server_name '_';
+    return '404';
+}</code>
+===== Headers =====
+  * Add to individual site configs as an ''include''
+  su -
+  ee '/usr/local/etc/nginx/default.d/headers.conf'
+<code>
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "sameorigin" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Cache-Control "no-store, no-transform, public" always;
+add_header Referrer-Policy "same-origin" always;
+add_header Expect-CT "max-age=0" always;
+add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;</code>
+===== nginx =====
+  * Last updated: 2024/11/30
+  su -
+  ee '/usr/local/etc/nginx/nginx.conf'
+<code>
+worker_processes 1;
+#error_log  /var/log/nginx/error.log;
+events {
+    worker_connections 1024;
+}
+http {
+    # Logging
+    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    #                  '$status $body_bytes_sent "$http_referer" '
+    #                  '"$http_user_agent" "$http_x_forwarded_for"';
+    #access_log  logs/access.log  main;
+    # Includes
+    include /usr/local/etc/nginx/conf.d/*.conf;
+    include /usr/local/etc/nginx/vhosts.d/*.conf;
+    include /usr/local/etc/nginx/mime.types;
+    default_type application/octet-stream;
+    # Config
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 4096;
+    # gzip
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 9;
+    gzip_types *;
+}
+# End</code>
+==== CSP Headers ====
+  * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)
+<code>    add_header Content-Security-Policy "default-src 'self'" always;</code>
+<code>    add_header Content-Security-Policy "" always;</code>
+====== SSL Certs ======
+===== Let's Encrypt =====
+  * See [[servers:bsd:nginx:lets_encrypt|Let's Encrypt/Certbot]] for further set-up
+  su -
+  ee '/usr/local/etc/nginx/conf.d/ssl.conf'
+<code>
+ssl_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
+ssl_trusted_certificate '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
+ssl_certificate_key '/usr/local/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
+ssl_session_timeout '10m';
+ssl_session_cache 'shared:SSL:10m';
+ssl_session_tickets 'off';
+ssl_buffer_size '4k';
+ssl_protocols 'TLSv1.2' 'TLSv1.3';
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
+ssl_prefer_server_ciphers 'on';
+ssl_ecdh_curve 'secp384r1';
+ssl_stapling 'on';
+ssl_stapling_verify 'on';
+# End</code>