RoE | Wiki

User Tools

Site Tools

Trace: dnscrypt-proxy phpmyadmin lets_encrypt freenginx_php_php-fpm wordpress
servers:bsd:freenginx_php_php-fpm

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
servers:bsd:freenginx_php_php-fpm [2025/09/11 06:43] – created - external edit 127.0.0.1servers:bsd:freenginx_php_php-fpm [2026/03/04 18:38] (current) – [Headers] Sean Rhone
Line 1: Line 1:
 ====== Information ====== ====== Information ======
  
-  * freenginx ((https://freenginx.org/)) +  * freenginx ((https://freenginx.org/en/)) 
-  * PHP 8.4+  * PHP ((https://www.php.net/))
   * PHP-FPM   * PHP-FPM
   * [[Information:Realm of Espionage]]   * [[Information:Realm of Espionage]]
- 
-  * :!: WIP 
  
 ===== Prerequisites ===== ===== Prerequisites =====
  
-  * [[bsd:server:freebsd_14.2|FreeBSD 14.2]] +  * [[bsd:server:freebsd_16.0|FreeBSD 16.0]]
- +
-===== Resources ===== +
- +
-  * [[https://cipherli.st/|Cipherli.st]] +
-  * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]] +
-  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]] +
-  * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]] +
-  * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9 +
-  * https://infosec.mozilla.org +
-  * https://gist.github.com/plentz/6737338 +
-  * https://scotthelme.co.uk +
-  * https://mozilla.github.io/server-side-tls/ssl-config-generator+
  
 ====== Dependencies ====== ====== Dependencies ======
Line 28: Line 14:
   su -   su -
  
-  pkg install freenginx php84+  pkg install freenginx-devel php85
  
-===== PHP Extensions =====+====== Information ======
  
-==== Verify Modules ==== +  nginx -v
- +
-****+
  
   php -m   php -m
Line 40: Line 24:
 ====== Firewall ====== ====== Firewall ======
  
-  * 80/tcp is HTTP 
-  * 443/tcp is HTTPS 
   * TODO   * TODO
- 
-  sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload 
  
 ====== Services ====== ====== Services ======
Line 56: Line 36:
   sysrc php_fpm_enable="YES"   sysrc php_fpm_enable="YES"
  
-====== Config Defaults ======+===== Start =====
  
-===== Backup =====+  su -
  
-  sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'+  service 'nginx' start
  
-  sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'+  service 'php_fpmstart
  
-  sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~'+==== Stop ====
  
-  mv -'/usr/local/etc/nginx/nginx.conf' '/usr/local/etc/nginx/nginx.conf~'+  su - 
 + 
 +  service 'nginx' stop 
 + 
 +  service 'php_fpm' stop 
 + 
 +====== Disable Defaults ====== 
 + 
 +===== freenginx ===== 
 + 
 +  su - 
 + 
 +  rm -fv '/usr/local/etc/freenginx/nginx.conf' 
 + 
 +===== PHP-FPM ===== 
 + 
 +  su - 
 + 
 +  rm -fv '/usr/local/etc/php-fpm.d/www.conf' 
 + 
 +===== Check Defaults ===== 
 + 
 +==== nginx ==== 
 + 
 +**** 
 + 
 +  ee '/usr/local/etc/freenginx/nginx.conf-dist' 
 + 
 +==== PHP ====
  
-===== View =====+  * TODO: Other paths
  
-  nano '/etc/nginx/default.d/php.conf~'+  ee '/usr/local/etc/php-fpm.d/www.conf.default'
  
-  nano '/etc/nginx/conf.d/php-fpm.conf~'+  nano '/etc/php8/fpm/php-fpm.conf'
  
-  nano '/etc/php-fpm.d/www.conf~'+  ee '/usr/local/etc/php.conf'
  
-  ee '/usr/local/etc/nginx/nginx.conf~'+  nano '/etc/php8/fpm/php.ini'
  
-  nano '/etc/php.ini'+  nano '/etc/php8/cli/php.ini'
  
 ====== nginx Settings ====== ====== nginx Settings ======
Line 88: Line 96:
   * ''vhosts.d'' contains enabled websites   * ''vhosts.d'' contains enabled websites
  
-===== Defaults =====+===== Folders =====
  
   su -   su -
  
-  mkdir -p '/usr/local/etc/nginx/conf.d' '/usr/local/etc/nginx/default.d' '/usr/local/etc/nginx/vhosts.d'+  mkdir -p -m '0644' '/usr/local/etc/freenginx/conf.d' '/usr/local/etc/freenginx/default.d' '/usr/local/etc/freenginx/vhosts.d'
  
 ===== HTTPS Redirect ===== ===== HTTPS Redirect =====
Line 100: Line 108:
   su -   su -
  
-  ee '/usr/local/etc/nginx/conf.d/http-redirect.conf'+  ee '/usr/local/etc/freenginx/conf.d/http-redirect.conf'
  
 <code> <code>
 server { server {
-    listen '80' 'default_server'; + listen '80' 'default_server'; 
-    listen '[::]:80' 'default_server';+ listen '[::]:80' 'default_server';
  
-    return '301' 'https://$host$request_uri'; + return '301' 'https://$host$request_uri'; 
-}</code>+} 
 + 
 +# End</code>
  
 ===== Non-existent 404 ===== ===== Non-existent 404 =====
Line 116: Line 126:
   su -   su -
  
-  ee '/usr/local/etc/nginx/conf.d/non-existent.conf'+  ee '/usr/local/etc/freenginx/conf.d/non-existent.conf'
  
 <code> <code>
 server { server {
-    listen '443' 'ssl' default_server; + listen '443' 'ssl'default_server'
-    http2 'on'; + http2 'on'; 
-    server_name '_';+ server_name '_';
  
-    return '404'; + return '404'; 
-}</code>+}
  
-===== Headers =====+# End</code>
  
-  * Add to individual site configs as an ''include''+===== Headers =====
  
   su -   su -
  
-  ee '/usr/local/etc/nginx/default.d/headers.conf'+  ee '/usr/local/etc/freenginx/default.d/headers.conf'
  
 <code> <code>
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preloadalways; +add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always'
-add_header X-Content-Type-Options "nosniffalways; +add_header 'X-Content-Type-Options' 'nosniff' 'always'
-add_header X-Frame-Options "sameoriginalways; +add_header 'X-Frame-Options' 'sameorigin' 'always'
-add_header X-XSS-Protection "1; mode=blockalways; +add_header 'X-XSS-Protection' '1; mode=block' 'always'
-add_header Cache-Control "no-store, no-transform, publicalways; +add_header 'Cache-Control' 'max-age=604800, no-transform, public' 'always'
-add_header Referrer-Policy "same-originalways; +add_header 'Referrer-Policy' 'same-origin' 'always'
-add_header Expect-CT "max-age=0always; +add_header 'Expect-CT' 'max-age=0' 'always'
-add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()always;</code>+add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always'; 
 + 
 +# End</code>
  
 ===== nginx ===== ===== nginx =====
- 
-  * Last updated: 2024/11/30 
  
   su -   su -
  
-  ee '/usr/local/etc/nginx/nginx.conf'+  ee '/usr/local/etc/freenginx/nginx.conf'
  
 <code> <code>
-worker_processes 1; +worker_processes '1'
-#error_log  /var/log/nginx/error.log;+#error_log '/var/log/nginx/error.log';
  
 events { events {
-    worker_connections 1024;+ multi_accept 'on'; 
 + worker_connections '1024';
 } }
  
 http { http {
 + # Logging
 + #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
 + #                  '$status $body_bytes_sent "$http_referer" '
 + #                  '"$http_user_agent" "$http_x_forwarded_for"';
 + #access_log  logs/access.log  main;
  
-    # Logging + access_log '/dev/null';
-    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ' +
-    #                  '$status $body_bytes_sent "$http_referer"+
-    #                  '"$http_user_agent" "$http_x_forwarded_for"'; +
- +
-    #access_log  logs/access.log  main;+
  
-    # Includes + # Includes 
-    include /usr/local/etc/nginx/conf.d/*.conf; + include '/usr/local/etc/freenginx/conf.d/*.conf'
-    include /usr/local/etc/nginx/vhosts.d/*.conf; + include '/usr/local/etc/freenginx/vhosts.d/*.conf'
-    include /usr/local/etc/nginx/mime.types; + include '/usr/local/etc/freenginx/mime.types'
-    default_type application/octet-stream;+ default_type 'application/octet-stream';
  
-    # Config + # Config 
-    sendfile on; + sendfile 'on'
-    tcp_nopush on; + tcp_nopush 'on'
-    tcp_nodelay on; + tcp_nodelay 'on'
-    keepalive_timeout 65; + keepalive_timeout '65'
-    types_hash_max_size 4096;+ types_hash_max_size '4096';
  
-    # gzip + # gzip 
-    gzip on; + gzip 'on'
-    gzip_vary on; + gzip_vary 'on'
-    gzip_proxied any; + gzip_proxied 'any'
-    gzip_comp_level 9; + gzip_comp_level '9'
-    gzip_types *;+ gzip_types '*';
 } }
  
 # End</code> # End</code>
- 
-==== CSP Headers ==== 
- 
-  * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s) 
- 
-<code>    add_header Content-Security-Policy "default-src 'self'" always;</code> 
- 
-<code>    add_header Content-Security-Policy "" always;</code> 
  
 ====== SSL Certs ====== ====== SSL Certs ======
Line 209: Line 212:
   su -   su -
  
-  ee '/usr/local/etc/nginx/conf.d/ssl.conf'+  ee '/usr/local/etc/freenginx/conf.d/ssl.conf'
  
 <code> <code>
Line 225: Line 228:
 ssl_prefer_server_ciphers 'on'; ssl_prefer_server_ciphers 'on';
 ssl_ecdh_curve 'secp384r1'; ssl_ecdh_curve 'secp384r1';
- 
-ssl_stapling 'on'; 
-ssl_stapling_verify 'on'; 
  
 # End</code> # End</code>
 +
 +====== Resources ======
 +
 +  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
  
/usr/local/www/wiki/data/attic/servers/bsd/freenginx_php_php-fpm.1757587392.txt.gz · Last modified: by 127.0.0.1