servers:linux:nginx_php_php-fpm
Table of Contents
Information
- nginx
- PHP
- PHP-FPM
Prerequisites
Dependencies
sudo zypper install git-core nginx php8-cli php8-fpm php8-opcache
Information
nginx -v
php -m
Firewall
- TODO:
QUIC
sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload
Services
sudo systemctl enable 'nginx' 'php-fpm'
sudo systemctl stop 'nginx' 'php-fpm'
Start
sudo systemctl start 'nginx'
sudo systemctl start 'php-fpm'
Disable Defaults
nginx
sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'
PHP-FPM
sudo mv '/etc/php8/fpm/php-fpm.d/www.conf' '/etc/php8/fpm/php-fpm.d/www.conf~'
Check Defaults
nginx
nano '/etc/nginx/nginx.conf~'
PHP
nano '/etc/php8/fpm/php-fpm.d/www.conf~'
nano '/etc/php8/fpm/php-fpm.conf'
nano '/etc/php8/fpm/php.ini'
nano '/etc/php8/cli/php.ini'
nginx Settings
Notes
conf.dcontains server-wide modular configuration filesdefault.dcontains site-specific modular configuration filesvhosts.dcontains enabled websites 1)
Folders
sudo mkdir -p '/etc/nginx/default.d' '/etc/nginx/vhosts.d'
HTTPS Redirect
- This automatically redirects non-HTTPS site links to HTTPS
sudo -e '/etc/nginx/conf.d/http-redirect.conf'
server {
listen '80' 'default_server';
listen '[::]:80' 'default_server';
return '301' 'https://$host$request_uri';
}
# End
Non-existent 404
- This prevents unconfigured subdomains from loading assets from other sites 2)
sudo -e '/etc/nginx/conf.d/non-existent.conf'
server {
listen '443' 'ssl' 'default_server';
http2 'on';
server_name '_';
return '404';
}
# End
Headers
- Add to individual site configs as an
include
sudo -e '/etc/nginx/default.d/headers.conf'
add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always'; add_header 'X-Content-Type-Options' 'nosniff' 'always'; add_header 'X-Frame-Options' 'sameorigin' 'always'; add_header 'X-XSS-Protection' '1; mode=block' 'always'; add_header 'Cache-Control' 'no-store, no-transform, public' 'always'; add_header 'Referrer-Policy' 'same-origin' 'always'; add_header 'Expect-CT' 'max-age=0' 'always'; add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always'; # End
nginx
sudo -e '/etc/nginx/nginx.conf'
events {
multi_accept 'on';
worker_connections '1024';
}
#error_log '/var/log/nginx/error.log';
http {
# Logging
#log_format main '$time_local - $http_host - $remote_addr - $status "$request" $body_bytes_sent - $http_referer - "$http_user_agent"';
#access_log '/var/log/nginx/access.log main';
access_log '/dev/null';
# Includes
include '/etc/nginx/conf.d/*.conf';
include '/etc/nginx/vhosts.d/*.conf';
include '/etc/nginx/mime.types';
default_type 'application/octet-stream';
# Config
sendfile 'on';
tcp_nopush 'on';
tcp_nodelay 'on';
keepalive_timeout '65';
types_hash_max_size '4096';
# gzip
gzip 'on';
gzip_vary 'on';
gzip_proxied 'any';
gzip_comp_level '9';
gzip_types '*';
}
# End
CSP Headers
- The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the
includeline(s)
add_header Content-Security-Policy "default-src 'self'" always;
add_header Content-Security-Policy "" always;
SSL Certs
Let's Encrypt
- See Let's Encrypt/Certbot for further set-up
sudo -e '/etc/nginx/conf.d/ssl.conf'
ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem'; ssl_session_timeout '10m'; ssl_session_cache 'shared:SSL:10m'; ssl_session_tickets 'off'; ssl_buffer_size '4k'; ssl_protocols 'TLSv1.2' 'TLSv1.3'; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; ssl_prefer_server_ciphers 'on'; ssl_ecdh_curve 'secp384r1'; # End
TODOs
Resources
Old
/usr/local/www/wiki/data/pages/servers/linux/nginx_php_php-fpm.txt · Last modified: by Sean Rhone