RoE | Wiki

User Tools

Site Tools

Trace:
servers:linux:nginx_php_php-fpm

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
servers:linux:nginx_php_php-fpm [2026/04/28 20:04] – [Headers] Sean Rhoneservers:linux:nginx_php_php-fpm [2026/06/03 00:27] (current) – [Let's Encrypt] more PQC Sean Rhone
Line 34: Line 34:
  
   sudo systemctl stop 'nginx' 'php-fpm'   sudo systemctl stop 'nginx' 'php-fpm'
- 
-===== Start ===== 
- 
-  sudo systemctl start 'nginx' 
- 
-  sudo systemctl start 'php-fpm' 
  
 ====== Disable Defaults ====== ====== Disable Defaults ======
Line 47: Line 41:
 **** ****
  
-  sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'+  sudo mv -fv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'
  
 ===== PHP-FPM ===== ===== PHP-FPM =====
Line 53: Line 47:
 **** ****
  
-  sudo mv '/etc/php8/fpm/php-fpm.d/www.conf' '/etc/php8/fpm/php-fpm.d/www.conf~'+  sudo mv -fv '/etc/php8/fpm/php-fpm.d/www.conf' '/etc/php8/fpm/php-fpm.d/www.conf~'
  
 ===== Check Defaults ===== ===== Check Defaults =====
Line 127: Line 121:
  
 <code> <code>
-add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always'; + add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always'; 
-add_header 'X-Content-Type-Options' 'nosniff' 'always'; + add_header 'X-Content-Type-Options' 'nosniff' 'always'; 
-add_header 'X-Frame-Options' 'sameorigin' 'always'; + add_header 'X-Frame-Options' 'sameorigin' 'always'; 
-add_header 'X-XSS-Protection' '1; mode=block' 'always'; + add_header 'X-XSS-Protection' '1; mode=block' 'always'; 
-add_header 'Cache-Control' 'max-age=604800, no-transform, public' 'always'; + add_header 'Cache-Control' 'max-age=604800, no-transform, public' 'always'; 
-add_header 'Referrer-Policy' 'same-origin' 'always'; + add_header 'Referrer-Policy' 'same-origin' 'always'; 
-add_header 'Expect-CT' 'max-age=0' 'always'; + add_header 'Expect-CT' 'max-age=0' 'always'; 
-add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always';+ add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always';
  
 # End</code> # End</code>
Line 149: Line 143:
  
 #error_log '/var/log/nginx/error.log'; #error_log '/var/log/nginx/error.log';
 +error_log '/dev/null';
  
 http { http {
  
- # Logging 
  #log_format main '$time_local - $http_host - $remote_addr - $status "$request" $body_bytes_sent - $http_referer - "$http_user_agent"';  #log_format main '$time_local - $http_host - $remote_addr - $status "$request" $body_bytes_sent - $http_referer - "$http_user_agent"';
  #access_log '/var/log/nginx/access.log main';  #access_log '/var/log/nginx/access.log main';
Line 158: Line 152:
  access_log '/dev/null';  access_log '/dev/null';
  
- # Includes 
  include '/etc/nginx/conf.d/*.conf';  include '/etc/nginx/conf.d/*.conf';
  include '/etc/nginx/vhosts.d/*.conf';  include '/etc/nginx/vhosts.d/*.conf';
Line 164: Line 157:
  default_type 'application/octet-stream';  default_type 'application/octet-stream';
  
- # Config 
  sendfile 'on';  sendfile 'on';
  tcp_nopush 'on';  tcp_nopush 'on';
Line 171: Line 163:
  types_hash_max_size '4096';  types_hash_max_size '4096';
  
- # gzip 
  gzip 'on';  gzip 'on';
  gzip_vary 'on';  gzip_vary 'on';
Line 185: Line 176:
   * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)   * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)
  
-<code>    add_header Content-Security-Policy "default-src 'self'" always;</code>+<code>add_header Content-Security-Policy "default-src 'self'" always;</code>
  
-<code>    add_header Content-Security-Policy "" always;</code>+<code>add_header Content-Security-Policy "" always;</code>
  
 ====== SSL Certs ====== ====== SSL Certs ======
Line 198: Line 189:
  
 <code> <code>
-ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; + ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; 
-ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; + ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; 
-ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';+ ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
  
-ssl_session_timeout '10m'; + ssl_session_timeout '10m'; 
-ssl_session_cache 'shared:SSL:10m'; + ssl_session_cache 'shared:SSL:10m'; 
-ssl_session_tickets 'off'; + ssl_session_tickets 'off'; 
-ssl_buffer_size '4k';+ ssl_buffer_size '4k';
  
-ssl_protocols 'TLSv1.2' 'TLSv1.3'; + ssl_protocols 'TLSv1.2' 'TLSv1.3'; 
-ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; 
-ssl_prefer_server_ciphers 'on'; + ssl_prefer_server_ciphers 'on'; 
-ssl_ecdh_curve 'secp384r1';+ ssl_ecdh_curve 'secp384r1:SecP384r1MLKEM1024:SecP256r1MLKEM768:X25519MLKEM768';
  
 # End</code> # End</code>
Line 235: Line 226:
   * https://scotthelme.co.uk   * https://scotthelme.co.uk
   * https://mozilla.github.io/server-side-tls/ssl-config-generator   * https://mozilla.github.io/server-side-tls/ssl-config-generator
-  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]] 
   * https://fedoraproject.org/wiki/Nginx   * https://fedoraproject.org/wiki/Nginx
  
/srv/www/wiki/data/attic/servers/linux/nginx_php_php-fpm.1777421046.txt.gz · Last modified: by Sean Rhone
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki