• nginx
• PHP
• PHP-FPM
• Realm of Espionage

• openSUSE Tumbleweed (Server)

• Qualys SSL Test
• https://fedoraproject.org/wiki/Nginx

• Cipherli.st
• Security Headers
• Qualys SSL Test (dev)
• https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9
• https://infosec.mozilla.org
• https://gist.github.com/plentz/6737338
• https://scotthelme.co.uk
• https://mozilla.github.io/server-side-tls/ssl-config-generator

sudo zypper install git-core nginx php8-cli php8-fpm php8-opcache

nginx -v

php -m

sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload

sudo setsebool -P 'httpd_execmem' '1'

• 2025/04/25

sudo setsebool -P 'httpd_can_network_connect' '1'

sudo setsebool -P 'httpd_graceful_shutdown' '1'

sudo setsebool -P 'nis_enabled' '1'

sudo setsebool -P 'httpd_can_network_relay' '1'

sudo restorecon -F -I -R '/etc/nginx' '/etc/php8/fpm/php-fpm.d' '/srv/www'

sudo systemctl enable 'nginx' 'php-fpm' --now

sudo mv '/etc/php8/fpm/php-fpm.d/www.conf' '/etc/php8/fpm/php-fpm.d/www.conf~'

nano '/etc/php8/fpm/php-fpm.d/www.conf~'

sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'

nano '/etc/nginx/nginx.conf~'

sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'

sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'

nano '/etc/nginx/default.d/php.conf~'

nano '/etc/nginx/conf.d/php-fpm.conf~'

nano '/etc/php.ini'

• conf.d contains server-wide modular configuration files
• default.d contains site-specific modular configuration files
• vhosts.d contains enabled websites ¹⁾

sudo mkdir -p '/etc/nginx/vhosts.d'

• This automatically redirects non-HTTPS site links to HTTPS

sudo -e '/etc/nginx/conf.d/http-redirect.conf'

# nginx/conf.d/http-redirect.conf

server {
    listen '80' 'default_server';
    listen '[::]:80' 'default_server';

    return '301' 'https://$host$request_uri';
}

# End

• This prevents unconfigured subdomains from loading assets from other sites ²⁾

sudo -e '/etc/nginx/conf.d/non-existent.conf'

# nginx/conf.d/non-existent.conf

server {
    listen '443' 'ssl' default_server;
    http2 'on';
    server_name '_';

    return '404';
}

# End

• Add to individual site configs as an include

sudo -e '/etc/nginx/default.d/headers.conf'

# nginx/default.d/headers.conf

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Cache-Control "no-store, no-transform, public" always;
add_header Referrer-Policy "same-origin" always;
add_header Expect-CT "max-age=0" always;
add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;

# End

sudo -e '/etc/nginx/nginx.conf'

# nginx/nginx.conf

events {
 multi_accept 'on';
 worker_connections '1024';
}

#error_log /var/log/nginx/error.log;

http {

 # Logging
 #log_format main '$time_local - $http_host - $remote_addr - $status "$request" $body_bytes_sent - $http_referer - "$http_user_agent"';
 #access_log '/var/log/nginx/access.log main';

 # Includes
 include '/etc/nginx/conf.d/*.conf';
 include '/etc/nginx/vhosts.d/*.conf';
 include '/etc/nginx/mime.types';
 default_type 'application/octet-stream';

 # Config
 sendfile 'on';
 tcp_nopush 'on';
 tcp_nodelay 'on';
 keepalive_timeout '65';
 types_hash_max_size '4096';

 # gzip
 gzip 'on';
 gzip_vary 'on';
 gzip_proxied 'any';
 gzip_comp_level '9';
 gzip_types '*';
}

# End

• The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the include line(s)

    add_header Content-Security-Policy "default-src 'self'" always;

    add_header Content-Security-Policy "" always;

• See Let's Encrypt/Certbot for further set-up

sudo -e '/etc/nginx/conf.d/ssl.conf'

# nginx/conf.d/ssl.conf

ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';

ssl_session_timeout '10m';
ssl_session_cache 'shared:SSL:10m';
ssl_session_tickets 'off';
ssl_buffer_size '4k';

ssl_protocols 'TLSv1.2' 'TLSv1.3';
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers 'on';
ssl_ecdh_curve 'secp384r1';

ssl_stapling 'on';
ssl_stapling_verify 'on';

# End