servers:nginx_php_php-fpm
Table of Contents
Information
- nginx 1)
- PHP
- PHP-FPM
Prerequisites
Resources
Notes
TODO: For Fedora this was recommended for SELinux, but not sure from where:
sudo semanage fcontext -a -t httpd_sys_content_t “/var/www(/.*)?” ; sudo restorecon -Rv /var/www
- On openSUSE TW,
wwwrun
is the user, andwww
is the group
Dependencies
TODO: Organize PHP module requirements according to sites; this is a PITA to check each deployment
sudo dnf install git nginx php-fpm php-cli php-xml php-opcache php-bcmath php-gd php-intl php-JsonSchema php-mbstring php-mysqlnd php-gettext-gettext php-sodium php-process php-gmp php-pecl-imagick php-pecl-zip
Old
- Wordpress: ghost script
PHP Extensions
Verify Modules
php -m
Firewall
- 80/tcp is HTTP
- 443/tcp is HTTPS
sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload
SELinux
Catchall
sudo setsebool -P 'httpd_unified' '1'
Individual
- This automatically sets policies for
nginx
andphp-fpm
as-needed
mkdir -p ~/'policies' && cd ~/'policies' && sudo grep 'nginx' '/var/log/audit/audit.log' | sudo audit2allow -M 'nginx' && sudo semodule -i 'nginx.pp' && sudo grep 'php-fpm' '/var/log/audit/audit.log' | sudo audit2allow -M 'php-fpm' && sudo semodule -i 'php-fpm.pp' && cd ~
Examine
nano ~/'policies/nginx.te'
nano ~/'policies/php-fpm.te'
Services
Enable
sudo systemctl enable 'nginx' 'php-fpm' --now
Permissions
sudo chown --recursive 'nginx':'nginx' '/var/lib/php/opcache' '/var/lib/php/session' '/var/lib/php/wsdlcache' '/var/lib/php/peclxml'
Config Defaults
Backup
sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf.bak'
sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf.bak'
sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf.bak'
sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf.bak'
View
nano '/etc/nginx/default.d/php.conf.bak'
nano '/etc/nginx/conf.d/php-fpm.conf.bak'
nano '/etc/php-fpm.d/www.conf.bak'
nano '/etc/nginx/nginx.conf.bak'
nano '/etc/php.ini'
nginx Settings
Notes
conf.d
contains server-wide modular configuration filesdefault.d
contains site-specific modular configuration filesvhosts.d
contains enabled websites 2)
Defaults
vhosts.d
sudo mkdir -p '/etc/nginx/vhosts.d'
HTTPS Redirect
- This automatically redirects non-HTTPS site links to HTTPS
sudo -e '/etc/nginx/conf.d/http-redirect.conf'
server { listen 80 default_server; listen [::]:80 default_server; return 301 https://$host$request_uri; }
Non-existent 404
- This prevents unconfigured subdomains from loading assets from other sites 3)
sudo -e '/etc/nginx/conf.d/non-existent.conf'
server { listen '443' 'ssl' 'http2' default_server; server_name '_'; return '404'; }
Headers
Last updated: 2022/12/16
Add on site-by-site basis as an
include
sudo -e '/etc/nginx/default.d/headers.conf'
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "sameorigin" always; add_header X-XSS-Protection "1; mode=block" always; add_header Cache-Control "no-store, no-transform, public" always; add_header Referrer-Policy "same-origin" always; add_header Expect-CT "max-age=0" always; add_header Feature-Policy "geolocation none; microphone none; payment none; usb none; vr none; magnetometer none; midi none; camera none; ambient-light-sensor none; accelerometer none" always; add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;
nginx
Last updated: 2022/07/15
sudo -e '/etc/nginx/nginx.conf'
user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; events { worker_connections 1024; use epoll; } http { # Logging log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; # Includes include /usr/share/nginx/modules/*.conf; include /etc/nginx/conf.d/*.conf; include /etc/nginx/vhosts.d/*.conf; include /etc/nginx/mime.types; default_type application/octet-stream; # Config sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 4096; # gzip gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 9; gzip_types *; }
CSP Headers
- The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the
include
line(s)
add_header Content-Security-Policy "default-src 'self'" always;
add_header Content-Security-Policy "" always;
SSL Certs
Let's Encrypt
- See Lets Encrypt for further set-up
Settings
sudo -e '/etc/nginx/conf.d/ssl.conf'
ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem'; ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_buffer_size 4k; ssl_protocols TLSv1.3; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; ssl_prefer_server_ciphers on; ssl_ecdh_curve secp384r1; ssl_stapling on; ssl_stapling_verify on; resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; resolver_timeout 5s;
Self-signed
This likely needs refactored
Generate Certs
sudo openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key && sudo openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730
Settings
sudo -e '/etc/nginx/conf.d/ssl.conf'
ssl_certificate '/etc/ssl/certs/nginx.crt'; ssl_certificate_key '/etc/ssl/certs/nginx.key'; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; ssl_ecdh_curve secp384r1;
/var/www/wiki/data/pages/servers/nginx_php_php-fpm.txt · Last modified: 2022/12/27 14:32 by Sean Rhone