User Tools

Site Tools


servers:linux:nginx_php_php-fpm

Information

Prerequisites

Resources

Dependencies

sudo dnf install git-core nginx php-fpm php-cli

PHP Extensions

Verify Modules

php -m

Firewall

  • 80/tcp is HTTP
  • 443/tcp is HTTPS
sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload

SELinux

DokuWiki

  • 2023/09/12
sudo setsebool -P 'httpd_graceful_shutdown' '1'
sudo setsebool -P 'nis_enabled' '1'
sudo setsebool -P 'httpd_can_network_connect' '1'
sudo setsebool -P 'httpd_can_network_relay' '1'

Services

Enable

sudo systemctl enable 'nginx' 'php-fpm' --now

Permissions

sudo chown --recursive 'nginx':'nginx' '/var/lib/php/opcache' '/var/lib/php/session' '/var/lib/php/wsdlcache' '/var/lib/php/peclxml'

Config Defaults

Backup

sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'
sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'
sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~'
sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'

View

nano '/etc/nginx/default.d/php.conf~'
nano '/etc/nginx/conf.d/php-fpm.conf~'
nano '/etc/php-fpm.d/www.conf~'
nano '/etc/nginx/nginx.conf~'
nano '/etc/php.ini'

nginx Settings

Notes

  • conf.d contains server-wide modular configuration files
  • default.d contains site-specific modular configuration files
  • vhosts.d contains enabled websites 2)

Defaults

vhosts.d

sudo mkdir -p '/etc/nginx/vhosts.d'

HTTPS Redirect

  • This automatically redirects non-HTTPS site links to HTTPS
sudo -e '/etc/nginx/conf.d/http-redirect.conf'
server {
    listen '80' 'default_server';
    listen '[::]:80' 'default_server';

    return '301' 'https://$host$request_uri';
}

Non-existent 404

  • This prevents unconfigured subdomains from loading assets from other sites 3)
sudo -e '/etc/nginx/conf.d/non-existent.conf'
server {
    listen '443' 'ssl' default_server;
    http2 'on';
    server_name '_';

    return '404';
}

Headers

  • Last updated: 2024/02/07
  • Add to individual site configs as an include
sudo -e '/etc/nginx/default.d/headers.conf'
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Cache-Control "no-store, no-transform, public" always;
add_header Referrer-Policy "same-origin" always;
add_header Expect-CT "max-age=0" always;
add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;

nginx

  • Last updated: 2023/09/12
sudo -e '/etc/nginx/nginx.conf'
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {

    # Logging
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    # Includes
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/vhosts.d/*.conf;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Config
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_types *;
}

# End

CSP Headers

  • The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the include line(s)
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Content-Security-Policy "" always;

SSL Certs

Let's Encrypt

sudo -e '/etc/nginx/conf.d/ssl.conf'
ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';

ssl_session_timeout '10m';
ssl_session_cache 'shared:SSL:10m';
ssl_session_tickets 'off';
ssl_buffer_size '4k';

ssl_protocols 'TLSv1.3';
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers 'on';
ssl_ecdh_curve 'secp384r1';

ssl_stapling 'on';
ssl_stapling_verify 'on';

# End
2)
this folder needs created
3)
if a site/URL doesn't exist, it'll 404
/usr/local/www/wiki/data/pages/servers/linux/nginx_php_php-fpm.txt · Last modified: by Sean Rhone