Run after apt-get PHP module install when dpkg restarts the FPM service; no existing conf causes daemon to fail to restartservers:linux:nginx_php_php-fpm
This is an old revision of the document!
Table of Contents
Information
- nginx
- PHP
- PHP-FPM
Prerequisites
Dependencies
sudo apt install git nginx-light php-fpm
Information
nginx -v
php -m
Firewall
Disable IPv6
sudo ufw status numbered
sudo ufw delete '5'
sudo ufw delete '4'
Services
sudo systemctl enable 'nginx' 'php8.4-fpm'
sudo systemctl stop 'nginx' 'php8.4-fpm'
Start
sudo systemctl start 'nginx'
sudo systemctl start 'php8.4-fpm'
Disable Defaults
nginx
sudo rm '/etc/nginx/sites-enabled/default'
sudo mv '/etc/nginx/modules-enabled/50-mod-http-echo.conf' '/etc/nginx/modules-available/50-mod-http-echo.conf'
sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'
PHP-FPM
sudo mv '/etc/php/8.4/fpm/pool.d/www.conf' '/etc/php/8.4/fpm/pool.d/www.conf~'
Check Defaults
nginx
nano '/etc/nginx/sites-available/default'
nano '/etc/nginx/nginx.conf~'
PHP
php.iniis in bothfpmandclifolders
nano '/etc/php/8.4/fpm/pool.d/www.conf~'
nano '/etc/php/8.4/fpm/php-fpm.conf'
nano '/etc/php/8.4/fpm/php.ini'
nano '/etc/php/8.4/cli/php.ini'
nginx Settings
HTTPS Redirect
- This automatically redirects non-HTTPS site links to HTTPS
sudo -e '/etc/nginx/conf.d/http-redirect.conf'
server {
listen '80' 'default_server';
listen '[::]:80' 'default_server';
return '301' 'https://$host$request_uri';
}
# End
Non-existent 404
- This prevents unconfigured subdomains from loading assets from other sites 2)
sudo -e '/etc/nginx/conf.d/non-existent.conf'
server {
listen '443' 'ssl' 'default_server';
http2 'on';
server_name '_';
return '404';
}
# End
Headers
- Add to individual site configs as an
include
sudo -e '/etc/nginx/snippets/headers.conf'
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "sameorigin" always; add_header X-XSS-Protection "1; mode=block" always; add_header Cache-Control "no-store, no-transform, public" always; add_header Referrer-Policy "same-origin" always; add_header Expect-CT "max-age=0" always; add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always; # End
nginx
sudo -e '/etc/nginx/nginx.conf' && sudo nginx -t
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
events {
multi_accept 'on';
worker_connections '1024';
}
#error_log '/var/log/nginx/error.log';
http {
# Logging
access_log '/dev/null';
# Includes
include '/etc/nginx/conf.d/*.conf';
include '/etc/nginx/sites-enabled/*.conf';
include '/etc/nginx/mime.types';
default_type 'application/octet-stream';
# Config
sendfile 'on';
tcp_nopush 'on';
tcp_nodelay 'on';
keepalive_timeout '65';
types_hash_max_size '4096';
# gzip
gzip 'on';
gzip_vary 'on';
gzip_proxied 'any';
gzip_comp_level '9';
gzip_types '*';
}
# End
CSP Headers
- The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the
includeline(s)
add_header Content-Security-Policy "default-src 'self'" always;
add_header Content-Security-Policy "" always;
SSL Certs
Let's Encrypt
- See Let's Encrypt/Certbot for further set-up
sudo -e '/etc/nginx/conf.d/ssl.conf'
ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem'; ssl_session_timeout '10m'; ssl_session_cache 'shared:SSL:10m'; ssl_session_tickets 'off'; ssl_buffer_size '4k'; ssl_protocols 'TLSv1.2' 'TLSv1.3'; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; ssl_prefer_server_ciphers 'on'; ssl_ecdh_curve 'secp384r1'; # End
TODOs
Resources
Old
/usr/local/www/wiki/data/attic/servers/linux/nginx_php_php-fpm.1766274355.txt.gz · Last modified: by Sean Rhone