Differences

This shows you the differences between two versions of the page.

--- servers:linux:nginx_php_php-fpm [2024/08/13 17:59] – external edit 127.0.0.1
+++ servers:linux:nginx_php_php-fpm [2025/04/25 01:12] (current) – [php-fpm] Sean Rhone
@@ Line 1: / Line 1: @@
 ====== Information ======
-  * nginx ((https://nginx.org/en))
+  * nginx
   * PHP
   * PHP-FPM
@@ Line 8: / Line 8: @@
 ===== Prerequisites =====
-  * [[linux;distros;server;fedora_server|Fedora Server]]
+  * [[linux:distros:server:opensuse_tumbleweed_server|openSUSE Tumbleweed (Server)]]
 ===== Resources =====
+  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
+  * https://fedoraproject.org/wiki/Nginx
+==== Old ====
   * [[https://cipherli.st/|Cipherli.st]]
   * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]]
-  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
   * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]]
   * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9
@@ Line 26: / Line 30: @@
 ****
-  sudo dnf install git nginx php-fpm php-cli
+  sudo zypper install git-core nginx php8-cli php8-fpm php8-opcache
-===== PHP Extensions =====
+====== Information ======
-==== Verify Modules ====
+  nginx -v
-****
   php -m
@@ Line 38: / Line 40: @@
 ====== Firewall ======
-  * 80/tcp is HTTP
+****
-  * 443/tcp is HTTPS
   sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload
 ====== SELinux ======
+===== php-fpm =====
+  * 2025/04/25
+  sudo setsebool -P 'httpd_execmem' '1'
 ===== DokuWiki =====
-  * 2023/09/12
+  * [[servers:linux:nginx:dokuwiki]]
+  * 2025/04/25
+  sudo setsebool -P 'httpd_can_network_connect' '1'
+===== Other =====
   sudo setsebool -P 'httpd_graceful_shutdown' '1'
   sudo setsebool -P 'nis_enabled' '1'
-  sudo setsebool -P 'httpd_can_network_connect' '1'
   sudo setsebool -P 'httpd_can_network_relay' '1'
+===== Global restorecon =====
+****
+  sudo restorecon -F -I -R '/etc/nginx' '/etc/php8/fpm/php-fpm.d' '/srv/www'
 ====== Services ======
@@ Line 64: / Line 80: @@
   sudo systemctl enable 'nginx' 'php-fpm' --now
-====== Permissions ======
-****
-  sudo chown --recursive 'nginx':'nginx' '/var/lib/php/opcache' '/var/lib/php/session' '/var/lib/php/wsdlcache' '/var/lib/php/peclxml'
 ====== Config Defaults ======
-===== Backup =====
+===== php-fpm Default Pool =====
-  sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'
+  sudo mv '/etc/php8/fpm/php-fpm.d/www.conf' '/etc/php8/fpm/php-fpm.d/www.conf~'
-  sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'
+  nano '/etc/php8/fpm/php-fpm.d/www.conf~'
-  sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~'
+===== nginx.conf =====
   sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'
-===== View =====
+  nano '/etc/nginx/nginx.conf~'
-  nano '/etc/nginx/default.d/php.conf~'
+===== php.ini =====
-  nano '/etc/nginx/conf.d/php-fpm.conf~'
-  nano '/etc/php-fpm.d/www.conf~'
-  nano '/etc/nginx/nginx.conf~'
-  nano '/etc/php.ini'
+  nano '/etc/php8/cli/php.ini'
 ====== nginx Settings ======
@@ Line 118: / Line 122: @@
 <code>
+# nginx/conf.d/http-redirect.conf
 server {
     listen '80' 'default_server';
@@ Line 123: / Line 129: @@
     return '301' 'https://$host$request_uri';
-}</code>
+}
+# End</code>
 ===== Non-existent 404 =====
@@ Line 132: / Line 140: @@
 <code>
+# nginx/conf.d/non-existent.conf
 server {
     listen '443' 'ssl' default_server;
@@ Line 138: / Line 148: @@
     return '404';
-}</code>
+}
+# End</code>
 ===== Headers =====
-  * Last updated: 2024/02/07
   * Add to individual site configs as an ''include''
@@ Line 148: / Line 159: @@
 <code>
+# nginx/default.d/headers.conf
 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
 add_header X-Content-Type-Options "nosniff" always;
@@ Line 155: / Line 168: @@
 add_header Referrer-Policy "same-origin" always;
 add_header Expect-CT "max-age=0" always;
-add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;</code>
+add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;
+# End</code>
 ===== nginx =====
-  * Last updated: 2023/09/12
   sudo -e '/etc/nginx/nginx.conf'
 <code>
-user nginx;
+# nginx/nginx.conf
-worker_processes auto;
-error_log /var/log/nginx/error.log notice;
-pid /run/nginx.pid;
-include /usr/share/nginx/modules/*.conf;
 events {
-    worker_connections 1024;
+ multi_accept 'on';
+ worker_connections '1024';
 }
-http {
+#error_log /var/log/nginx/error.log;
-    # Logging
+http {
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-    access_log  /var/log/nginx/access.log  main;
+ # Logging
+ #log_format main '$time_local - $http_host - $remote_addr - $status "$request" $body_bytes_sent - $http_referer - "$http_user_agent"';
+ #access_log '/var/log/nginx/access.log main';
-    # Includes
+ # Includes
-    include /etc/nginx/conf.d/*.conf;
+ include '/etc/nginx/conf.d/*.conf';
-    include /etc/nginx/vhosts.d/*.conf;
+ include '/etc/nginx/vhosts.d/*.conf';
-    include /etc/nginx/mime.types;
+ include '/etc/nginx/mime.types';
-    default_type application/octet-stream;
+ default_type 'application/octet-stream';
-    # Config
+ # Config
-    sendfile on;
+ sendfile 'on';
-    tcp_nopush on;
+ tcp_nopush 'on';
-    tcp_nodelay on;
+ tcp_nodelay 'on';
-    keepalive_timeout 65;
+ keepalive_timeout '65';
-    types_hash_max_size 4096;
+ types_hash_max_size '4096';
-    # gzip
+ # gzip
-    gzip on;
+ gzip 'on';
-    gzip_vary on;
+ gzip_vary 'on';
-    gzip_proxied any;
+ gzip_proxied 'any';
-    gzip_comp_level 9;
+ gzip_comp_level '9';
-    gzip_types *;
+ gzip_types '*';
 }
@@ Line 220: / Line 228: @@
   * See [[servers;linux;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up
-==== Settings ====
-  * [[notes:dns_servers#for_families|1.1.1.1 for Families]], see [[notes:dns_servers]] for other servers for ''resolver''
   sudo -e '/etc/nginx/conf.d/ssl.conf'
 <code>
+# nginx/conf.d/ssl.conf
 ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
 ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
@@ Line 237: / Line 243: @@
 ssl_buffer_size '4k';
-ssl_protocols 'TLSv1.3';
+ssl_protocols 'TLSv1.2' 'TLSv1.3';
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
 ssl_prefer_server_ciphers 'on';
@@ Line 244: / Line 250: @@
 ssl_stapling 'on';
 ssl_stapling_verify 'on';
-resolver '1.1.1.2' '1.0.0.2' '[2606:4700:4700::1112]' '[2606:4700:4700::1002]' 'valid=300s';
-resolver_timeout '5s';
 # End</code>
-===== Self-signed =====
-  * :!: This likely needs refactored
-==== Generate Certs ====
-****
-  sudo openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key && sudo openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730
-==== Settings ====
-  sudo -e '/etc/nginx/conf.d/ssl.conf'
-  ssl_certificate '/etc/ssl/certs/nginx.crt';
-  ssl_certificate_key '/etc/ssl/certs/nginx.key';
-  ssl_session_timeout 1d;
-  ssl_session_cache shared:SSL:50m;
-  ssl_session_tickets off;
-  ssl_protocols TLSv1.3;
-  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-  ssl_prefer_server_ciphers on;
-  ssl_ecdh_curve secp384r1;