RoE | Wiki

User Tools

Site Tools

Trace: doomsday_engine
servers:linux:nginx_php_php-fpm

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
servers:linux:nginx_php_php-fpm [2024/08/13 17:59] – external edit 127.0.0.1servers:linux:nginx_php_php-fpm [2026/06/03 00:27] (current) – [Let's Encrypt] more PQC Sean Rhone
Line 1: Line 1:
 ====== Information ====== ====== Information ======
  
-  * nginx ((https://nginx.org/en))+  * nginx
   * PHP   * PHP
   * PHP-FPM   * PHP-FPM
-  * [[Information:Realm of Espionage]]+  * [[information:realm_of_espionage|Realm of Espionage]]
  
 ===== Prerequisites ===== ===== Prerequisites =====
  
-  * [[linux;distros;server;fedora_server|Fedora Server]] +  * [[linux:distros:server:opensuse_tumbleweed_server|openSUSE Tumbleweed (Server)]]
- +
-===== Resources ===== +
- +
-  * [[https://cipherli.st/|Cipherli.st]] +
-  * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]] +
-  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]] +
-  * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]] +
-  * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9 +
-  * https://infosec.mozilla.org +
-  * https://gist.github.com/plentz/6737338 +
-  * https://scotthelme.co.uk +
-  * https://mozilla.github.io/server-side-tls/ssl-config-generator+
  
 ====== Dependencies ====== ====== Dependencies ======
Line 26: Line 14:
 **** ****
  
-  sudo dnf install git nginx php-fpm php-cli+  sudo zypper install git-core nginx php8-cli php8-fpm
  
-===== PHP Extensions =====+====== Information ======
  
-==== Verify Modules ==== +  nginx -v
- +
-****+
  
   php -m   php -m
Line 38: Line 24:
 ====== Firewall ====== ====== Firewall ======
  
-  * 80/tcp is HTTP +  * [[linux:notes:firewalld|Firewalld Notes]] 
-  * 443/tcp is HTTPS+  * TODO: ''QUIC''
  
   sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload   sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload
  
-====== SELinux ======+====== Services ======
  
-===== DokuWiki =====+  sudo systemctl enable 'nginx' 'php-fpm'
  
-  * 2023/09/12+  sudo systemctl stop 'nginx' 'php-fpm'
  
-  sudo setsebool -P 'httpd_graceful_shutdown' '1'+====== Disable Defaults ======
  
-  sudo setsebool -P 'nis_enabled' '1' +===== nginx =====
- +
-  sudo setsebool -P 'httpd_can_network_connect' '1' +
- +
-  sudo setsebool -P 'httpd_can_network_relay' '1' +
- +
-====== Services ====== +
- +
-===== Enable =====+
  
 **** ****
  
-  sudo systemctl enable 'nginx' 'php-fpm--now+  sudo mv -fv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'
  
-====== Permissions ======+===== PHP-FPM =====
  
 **** ****
  
-  sudo chown --recursive 'nginx':'nginx' '/var/lib/php/opcache' '/var/lib/php/session' '/var/lib/php/wsdlcache' '/var/lib/php/peclxml'+  sudo mv -fv '/etc/php8/fpm/php-fpm.d/www.conf' '/etc/php8/fpm/php-fpm.d/www.conf~'
  
-====== Config Defaults ======+===== Check Defaults =====
  
-===== Backup =====+==== nginx ====
  
-  sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'+****
  
-  sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'+  nano '/etc/nginx/nginx.conf~'
  
-  sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~'+==== PHP ====
  
-  sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'+  nano '/etc/php8/fpm/php-fpm.d/www.conf~'
  
-===== View =====+  nano '/etc/php8/fpm/php-fpm.conf'
  
-  nano '/etc/nginx/default.d/php.conf~'+  nano '/etc/php8/fpm/php.ini'
  
-  nano '/etc/nginx/conf.d/php-fpm.conf~' +  nano '/etc/php8/cli/php.ini'
- +
-  nano '/etc/php-fpm.d/www.conf~' +
- +
-  nano '/etc/nginx/nginx.conf~' +
- +
-  nano '/etc/php.ini'+
  
 ====== nginx Settings ====== ====== nginx Settings ======
Line 103: Line 75:
   * ''vhosts.d'' contains enabled websites ((this folder needs created))   * ''vhosts.d'' contains enabled websites ((this folder needs created))
  
-===== Defaults ===== +===== Folders =====
- +
-==== vhosts.d ====+
  
 **** ****
  
-  sudo mkdir -p '/etc/nginx/vhosts.d'+  sudo mkdir -p '/etc/nginx/default.d' '/etc/nginx/vhosts.d'
  
 ===== HTTPS Redirect ===== ===== HTTPS Redirect =====
Line 119: Line 89:
 <code> <code>
 server { server {
-    listen '80' 'default_server'; + listen '80' 'default_server'; 
-    listen '[::]:80' 'default_server';+ listen '[::]:80' 'default_server';
  
-    return '301' 'https://$host$request_uri'; + return '301' 'https://$host$request_uri'; 
-}</code>+} 
 + 
 +# End</code>
  
 ===== Non-existent 404 ===== ===== Non-existent 404 =====
Line 133: Line 105:
 <code> <code>
 server { server {
-    listen '443' 'ssl' default_server; + listen '443' 'ssl'default_server'
-    http2 'on'; + http2 'on'; 
-    server_name '_';+ server_name '_';
  
-    return '404'; + return '404'; 
-}</code>+} 
 + 
 +# End</code>
  
 ===== Headers ===== ===== Headers =====
  
-  * Last updated: 2024/02/07 
   * Add to individual site configs as an ''include''   * Add to individual site configs as an ''include''
  
Line 148: Line 121:
  
 <code> <code>
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preloadalways; + add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always'
-add_header X-Content-Type-Options "nosniffalways; + add_header 'X-Content-Type-Options' 'nosniff' 'always'
-add_header X-Frame-Options "sameoriginalways; + add_header 'X-Frame-Options' 'sameorigin' 'always'
-add_header X-XSS-Protection "1; mode=blockalways; + add_header 'X-XSS-Protection' '1; mode=block' 'always'
-add_header Cache-Control "no-store, no-transform, publicalways; + add_header 'Cache-Control' 'max-age=604800, no-transform, public' 'always'
-add_header Referrer-Policy "same-originalways; + add_header 'Referrer-Policy' 'same-origin' 'always'
-add_header Expect-CT "max-age=0always; + add_header 'Expect-CT' 'max-age=0' 'always'
-add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()always;</code>+ add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always'; 
 + 
 +# End</code>
  
 ===== nginx ===== ===== nginx =====
- 
-  * Last updated: 2023/09/12 
  
   sudo -e '/etc/nginx/nginx.conf'   sudo -e '/etc/nginx/nginx.conf'
  
 <code> <code>
-user nginx; 
-worker_processes auto; 
-error_log /var/log/nginx/error.log notice; 
-pid /run/nginx.pid; 
- 
-include /usr/share/nginx/modules/*.conf; 
- 
 events { events {
-    worker_connections 1024;+ multi_accept 'on'; 
 + worker_connections '1024';
 } }
 +
 +#error_log '/var/log/nginx/error.log';
 +error_log '/dev/null';
  
 http { http {
  
-    Logging + #log_format main '$time_local - $http_host - $remote_addr - $status "$request" $body_bytes_sent $http_referer - "$http_user_agent"'; 
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" + #access_log '/var/log/nginx/access.log main';
-                      '$status $body_bytes_sent "$http_referer"+
-                      '"$http_user_agent" "$http_x_forwarded_for"';+
  
-    access_log  /var/log/nginx/access.log  main;+ access_log '/dev/null';
  
-    # Includes + include '/etc/nginx/conf.d/*.conf'
-    include /etc/nginx/conf.d/*.conf; + include '/etc/nginx/vhosts.d/*.conf'
-    include /etc/nginx/vhosts.d/*.conf; + include '/etc/nginx/mime.types'
-    include /etc/nginx/mime.types; + default_type 'application/octet-stream';
-    default_type application/octet-stream;+
  
-    # Config + sendfile 'on'
-    sendfile on; + tcp_nopush 'on'
-    tcp_nopush on; + tcp_nodelay 'on'
-    tcp_nodelay on; + keepalive_timeout '65'
-    keepalive_timeout 65; + types_hash_max_size '4096';
-    types_hash_max_size 4096;+
  
-    # gzip + gzip 'on'
-    gzip on; + gzip_vary 'on'
-    gzip_vary on; + gzip_proxied 'any'
-    gzip_proxied any; + gzip_comp_level '9'
-    gzip_comp_level 9; + gzip_types '*';
-    gzip_types *;+
 } }
  
Line 211: Line 176:
   * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)   * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)
  
-<code>    add_header Content-Security-Policy "default-src 'self'" always;</code>+<code>add_header Content-Security-Policy "default-src 'self'" always;</code>
  
-<code>    add_header Content-Security-Policy "" always;</code>+<code>add_header Content-Security-Policy "" always;</code>
  
 ====== SSL Certs ====== ====== SSL Certs ======
Line 220: Line 185:
  
   * See [[servers;linux;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up   * See [[servers;linux;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up
- 
-==== Settings ==== 
- 
-  * [[notes:dns_servers#for_families|1.1.1.1 for Families]], see [[notes:dns_servers]] for other servers for ''resolver'' 
  
   sudo -e '/etc/nginx/conf.d/ssl.conf'   sudo -e '/etc/nginx/conf.d/ssl.conf'
  
 <code> <code>
-ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; + ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; 
-ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; + ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; 
-ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';+ ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
  
-ssl_session_timeout '10m'; + ssl_session_timeout '10m'; 
-ssl_session_cache 'shared:SSL:10m'; + ssl_session_cache 'shared:SSL:10m'; 
-ssl_session_tickets 'off'; + ssl_session_tickets 'off'; 
-ssl_buffer_size '4k';+ ssl_buffer_size '4k';
  
-ssl_protocols 'TLSv1.3'; + ssl_protocols 'TLSv1.2' 'TLSv1.3'; 
-ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; 
-ssl_prefer_server_ciphers 'on'; + ssl_prefer_server_ciphers 'on'; 
-ssl_ecdh_curve 'secp384r1'; + ssl_ecdh_curve 'secp384r1:SecP384r1MLKEM1024:SecP256r1MLKEM768:X25519MLKEM768';
- +
-ssl_stapling 'on'; +
-ssl_stapling_verify 'on'; +
-resolver '1.1.1.2' '1.0.0.2' '[2606:4700:4700::1112]' '[2606:4700:4700::1002]' 'valid=300s'; +
-resolver_timeout '5s';+
  
 # End</code> # End</code>
  
-===== Self-signed =====+====== TODOs ======
  
-  * :!: This likely needs refactored+===== Resources =====
  
-==== Generate Certs ====+  * https://nginx.org/en/docs/windows.html 
 +  * https://gist.github.com/odan/b5f7de8dfbdbf76bef089776c868fea1 
 +  * https://certbot.eff.org/instructions?ws=other&os=pip 
 +  * https://community.letsencrypt.org/t/using-certbot-in-windows-the-pragmatic-way/173929 
 +  * https://www.php.net/manual/en/image.installation.php 
 +  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
  
-****+==== Old ====
  
-  sudo openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key && sudo openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730 +  * [[https://cipherli.st/|Cipherli.st]] 
- +  * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]] 
-==== Settings ==== +  * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]] 
- +  * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9 
-  sudo -e '/etc/nginx/conf.d/ssl.conf' +  * https://infosec.mozilla.org 
- +  * https://gist.github.com/plentz/6737338 
-  ssl_certificate '/etc/ssl/certs/nginx.crt'; +  * https://scotthelme.co.uk 
-  ssl_certificate_key '/etc/ssl/certs/nginx.key'; +  * https://mozilla.github.io/server-side-tls/ssl-config-generator 
-   +  * https://fedoraproject.org/wiki/Nginx
-  ssl_session_timeout 1d; +
-  ssl_session_cache shared:SSL:50m; +
-  ssl_session_tickets off; +
-   +
-  ssl_protocols TLSv1.3; +
-  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; +
-  ssl_prefer_server_ciphers on; +
-  ssl_ecdh_curve secp384r1;+
  
/srv/www/wiki/data/attic/servers/linux/nginx_php_php-fpm.1723586378.txt.gz · Last modified: by 127.0.0.1
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki