RoE | Wiki

User Tools

Site Tools

Trace: nginx_php_php-fpm nginx_php_php-cgi
servers:linux:nginx_php_php-fpm

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
servers:linux:nginx_php_php-fpm [2024/10/19 20:39] – [Settings] Sean Rhoneservers:linux:nginx_php_php-fpm [2025/04/25 01:12] (current) – [php-fpm] Sean Rhone
Line 1: Line 1:
 ====== Information ====== ====== Information ======
  
-  * nginx ((https://nginx.org/en))+  * nginx
   * PHP   * PHP
   * PHP-FPM   * PHP-FPM
Line 8: Line 8:
 ===== Prerequisites ===== ===== Prerequisites =====
  
-  * [[linux;distros;server;fedora_server|Fedora Server]]+  * [[linux:distros:server:opensuse_tumbleweed_server|openSUSE Tumbleweed (Server)]]
  
 ===== Resources ===== ===== Resources =====
 +
 +  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
 +  * https://fedoraproject.org/wiki/Nginx
 +
 +==== Old ====
  
   * [[https://cipherli.st/|Cipherli.st]]   * [[https://cipherli.st/|Cipherli.st]]
   * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]]   * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]]
-  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]] 
   * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]]   * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]]
   * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9   * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9
Line 26: Line 30:
 **** ****
  
-  sudo dnf install git-core nginx php-fpm php-cli+  sudo zypper install git-core nginx php8-cli php8-fpm php8-opcache
  
-===== PHP Extensions =====+====== Information ======
  
-==== Verify Modules ==== +  nginx -v
- +
-****+
  
   php -m   php -m
Line 38: Line 40:
 ====== Firewall ====== ====== Firewall ======
  
-  80/tcp is HTTP +****
-  443/tcp is HTTPS+
  
   sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload   sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload
  
 ====== SELinux ====== ====== SELinux ======
 +
 +===== php-fpm =====
 +
 +  * 2025/04/25
 +
 +  sudo setsebool -P 'httpd_execmem' '1'
  
 ===== DokuWiki ===== ===== DokuWiki =====
  
-  * 2023/09/12+  * [[servers:linux:nginx:dokuwiki]] 
 +  * 2025/04/25 
 + 
 +  sudo setsebool -P 'httpd_can_network_connect' '1' 
 + 
 +===== Other =====
  
   sudo setsebool -P 'httpd_graceful_shutdown' '1'   sudo setsebool -P 'httpd_graceful_shutdown' '1'
  
   sudo setsebool -P 'nis_enabled' '1'   sudo setsebool -P 'nis_enabled' '1'
- 
-  sudo setsebool -P 'httpd_can_network_connect' '1' 
  
   sudo setsebool -P 'httpd_can_network_relay' '1'   sudo setsebool -P 'httpd_can_network_relay' '1'
 +
 +===== Global restorecon =====
 +
 +****
 +
 +  sudo restorecon -F -I -R '/etc/nginx' '/etc/php8/fpm/php-fpm.d' '/srv/www'
  
 ====== Services ====== ====== Services ======
Line 64: Line 80:
  
   sudo systemctl enable 'nginx' 'php-fpm' --now   sudo systemctl enable 'nginx' 'php-fpm' --now
- 
-====== Permissions ====== 
- 
-**** 
- 
-  sudo chown --recursive 'nginx':'nginx' '/var/lib/php/opcache' '/var/lib/php/session' '/var/lib/php/wsdlcache' '/var/lib/php/peclxml' 
  
 ====== Config Defaults ====== ====== Config Defaults ======
  
-===== Backup =====+===== php-fpm Default Pool =====
  
-  sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'+  sudo mv '/etc/php8/fpm/php-fpm.d/www.conf' '/etc/php8/fpm/php-fpm.d/www.conf~'
  
-  sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'+  nano '/etc/php8/fpm/php-fpm.d/www.conf~'
  
-  sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~'+===== nginx.conf =====
  
   sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'   sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'
  
-===== View =====+  nano '/etc/nginx/nginx.conf~'
  
-  nano '/etc/nginx/default.d/php.conf~' +===== php.ini =====
- +
-  nano '/etc/nginx/conf.d/php-fpm.conf~' +
- +
-  nano '/etc/php-fpm.d/www.conf~' +
- +
-  nano '/etc/nginx/nginx.conf~'+
  
-  nano '/etc/php.ini'+  nano '/etc/php8/cli/php.ini'
  
 ====== nginx Settings ====== ====== nginx Settings ======
Line 118: Line 122:
  
 <code> <code>
 +# nginx/conf.d/http-redirect.conf
 +
 server { server {
     listen '80' 'default_server';     listen '80' 'default_server';
Line 123: Line 129:
  
     return '301' 'https://$host$request_uri';     return '301' 'https://$host$request_uri';
-}</code>+} 
 + 
 +# End</code>
  
 ===== Non-existent 404 ===== ===== Non-existent 404 =====
Line 132: Line 140:
  
 <code> <code>
 +# nginx/conf.d/non-existent.conf
 +
 server { server {
     listen '443' 'ssl' default_server;     listen '443' 'ssl' default_server;
Line 138: Line 148:
  
     return '404';     return '404';
-}</code>+} 
 + 
 +# End</code>
  
 ===== Headers ===== ===== Headers =====
  
-  * Last updated: 2024/02/07 
   * Add to individual site configs as an ''include''   * Add to individual site configs as an ''include''
  
Line 148: Line 159:
  
 <code> <code>
 +# nginx/default.d/headers.conf
 +
 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
 add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
Line 155: Line 168:
 add_header Referrer-Policy "same-origin" always; add_header Referrer-Policy "same-origin" always;
 add_header Expect-CT "max-age=0" always; add_header Expect-CT "max-age=0" always;
-add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;</code>+add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always; 
 + 
 +# End</code>
  
 ===== nginx ===== ===== nginx =====
- 
-  * Last updated: 2023/09/12 
  
   sudo -e '/etc/nginx/nginx.conf'   sudo -e '/etc/nginx/nginx.conf'
  
 <code> <code>
-user nginx+nginx/nginx.conf
-worker_processes auto; +
-error_log /var/log/nginx/error.log notice; +
-pid /run/nginx.pid; +
- +
-include /usr/share/nginx/modules/*.conf;+
  
 events { events {
-    worker_connections 1024;+ multi_accept 'on'; 
 + worker_connections '1024';
 } }
  
-http {+#error_log /var/log/nginx/error.log;
  
-    # Logging +http {
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request"+
-                      '$status $body_bytes_sent "$http_referer"+
-                      '"$http_user_agent" "$http_x_forwarded_for"';+
  
-    access_log  /var/log/nginx/access.log  main;+ # Logging 
 + #log_format main '$time_local - $http_host - $remote_addr - $status "$request" $body_bytes_sent - $http_referer - "$http_user_agent"'; 
 + #access_log '/var/log/nginx/access.log main';
  
-    # Includes + # Includes 
-    include /etc/nginx/conf.d/*.conf; + include '/etc/nginx/conf.d/*.conf'
-    include /etc/nginx/vhosts.d/*.conf; + include '/etc/nginx/vhosts.d/*.conf'
-    include /etc/nginx/mime.types; + include '/etc/nginx/mime.types'
-    default_type application/octet-stream;+ default_type 'application/octet-stream';
  
-    # Config + # Config 
-    sendfile on; + sendfile 'on'
-    tcp_nopush on; + tcp_nopush 'on'
-    tcp_nodelay on; + tcp_nodelay 'on'
-    keepalive_timeout 65; + keepalive_timeout '65'
-    types_hash_max_size 4096;+ types_hash_max_size '4096';
  
-    # gzip + # gzip 
-    gzip on; + gzip 'on'
-    gzip_vary on; + gzip_vary 'on'
-    gzip_proxied any; + gzip_proxied 'any'
-    gzip_comp_level 9; + gzip_comp_level '9'
-    gzip_types *;+ gzip_types '*';
 } }
  
Line 220: Line 228:
  
   * See [[servers;linux;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up   * See [[servers;linux;nginx;lets_encrypt|Let's Encrypt/Certbot]] for further set-up
- 
-==== Settings ==== 
  
   sudo -e '/etc/nginx/conf.d/ssl.conf'   sudo -e '/etc/nginx/conf.d/ssl.conf'
  
 <code> <code>
 +# nginx/conf.d/ssl.conf
 +
 ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
 ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
Line 235: Line 243:
 ssl_buffer_size '4k'; ssl_buffer_size '4k';
  
-ssl_protocols 'TLSv1.3';+ssl_protocols 'TLSv1.2' 'TLSv1.3';
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
 ssl_prefer_server_ciphers 'on'; ssl_prefer_server_ciphers 'on';
Line 244: Line 252:
  
 # End</code> # End</code>
- 
-===== Self-signed ===== 
- 
-  * :!: This likely needs refactored 
- 
-==== Generate Certs ==== 
- 
-**** 
- 
-  sudo openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key && sudo openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730 
- 
-==== Settings ==== 
- 
-  sudo -e '/etc/nginx/conf.d/ssl.conf' 
- 
-  ssl_certificate '/etc/ssl/certs/nginx.crt'; 
-  ssl_certificate_key '/etc/ssl/certs/nginx.key'; 
-   
-  ssl_session_timeout 1d; 
-  ssl_session_cache shared:SSL:50m; 
-  ssl_session_tickets off; 
-   
-  ssl_protocols TLSv1.3; 
-  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; 
-  ssl_prefer_server_ciphers on; 
-  ssl_ecdh_curve secp384r1; 
  
/srv/www/wiki/data/attic/servers/linux/nginx_php_php-fpm.1729384795.txt.gz · Last modified: by Sean Rhone