| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| servers:linux:nginx_php_php-fpm [2026/04/29 21:55] – Sean Rhone | servers:linux:nginx_php_php-fpm [2026/06/03 00:27] (current) – [Let's Encrypt] more PQC Sean Rhone |
|---|
| **** | **** |
| |
| sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~' | sudo mv -fv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~' |
| |
| ===== PHP-FPM ===== | ===== PHP-FPM ===== |
| **** | **** |
| |
| sudo mv '/etc/php8/fpm/php-fpm.d/www.conf' '/etc/php8/fpm/php-fpm.d/www.conf~' | sudo mv -fv '/etc/php8/fpm/php-fpm.d/www.conf' '/etc/php8/fpm/php-fpm.d/www.conf~' |
| |
| ===== Check Defaults ===== | ===== Check Defaults ===== |
| |
| <code> | <code> |
| add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always'; | add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload' 'always'; |
| add_header 'X-Content-Type-Options' 'nosniff' 'always'; | add_header 'X-Content-Type-Options' 'nosniff' 'always'; |
| add_header 'X-Frame-Options' 'sameorigin' 'always'; | add_header 'X-Frame-Options' 'sameorigin' 'always'; |
| add_header 'X-XSS-Protection' '1; mode=block' 'always'; | add_header 'X-XSS-Protection' '1; mode=block' 'always'; |
| add_header 'Cache-Control' 'max-age=604800, no-transform, public' 'always'; | add_header 'Cache-Control' 'max-age=604800, no-transform, public' 'always'; |
| add_header 'Referrer-Policy' 'same-origin' 'always'; | add_header 'Referrer-Policy' 'same-origin' 'always'; |
| add_header 'Expect-CT' 'max-age=0' 'always'; | add_header 'Expect-CT' 'max-age=0' 'always'; |
| add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always'; | add_header 'Permissions-Policy' 'geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()' 'always'; |
| |
| # End</code> | # End</code> |
| * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s) | * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s) |
| |
| <code> add_header Content-Security-Policy "default-src 'self'" always;</code> | <code>add_header Content-Security-Policy "default-src 'self'" always;</code> |
| |
| <code> add_header Content-Security-Policy "" always;</code> | <code>add_header Content-Security-Policy "" always;</code> |
| |
| ====== SSL Certs ====== | ====== SSL Certs ====== |
| |
| <code> | <code> |
| ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; | ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; |
| ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; | ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; |
| ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem'; | ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem'; |
| |
| ssl_session_timeout '10m'; | ssl_session_timeout '10m'; |
| ssl_session_cache 'shared:SSL:10m'; | ssl_session_cache 'shared:SSL:10m'; |
| ssl_session_tickets 'off'; | ssl_session_tickets 'off'; |
| ssl_buffer_size '4k'; | ssl_buffer_size '4k'; |
| |
| ssl_protocols 'TLSv1.2' 'TLSv1.3'; | ssl_protocols 'TLSv1.2' 'TLSv1.3'; |
| ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; | ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; |
| ssl_prefer_server_ciphers 'on'; | ssl_prefer_server_ciphers 'on'; |
| ssl_ecdh_curve 'secp384r1'; | ssl_ecdh_curve 'secp384r1:SecP384r1MLKEM1024:SecP256r1MLKEM768:X25519MLKEM768'; |
| |
| # End</code> | # End</code> |
