User Tools

Site Tools


servers:nginx_php_php-fpm

Information

Prerequisites

Resources

Notes

  • TODO: If ever using RHEL/CentOS/Fedora Server again, use this for SELinux permissions on folders sudo semanage fcontext -a -t httpd_sys_content_t “/var/www(/.*)?” ; sudo restorecon -Rv /var/www
  • On openSUSE TW, wwwrun is the user, and www is the group

Dependencies

sudo zypper install git-core nginx php7-fpm php7-cli php7-curl php7-exif php7-fileinfo php7-mysql php7-sodium php7-zip php7-bcmath php7-gd php7-intl php7-zlib php7-imagick

PHP 8

  • :!: This caused some auth error with DokuWiki on 2021/06/18
  • :!: It's assumed DokuWiki won't work properly with PHP 8 until they explicitly claim support
sudo zypper install git-core nginx php8-fpm php8-cli php8-curl php8-exif php8-fileinfo php8-mysql php8-sodium php8-zip php8-bcmath php8-gd php8-intl php8-zlib

PHP Extensions

Verify Modules

php -m

Firewall

  • 80/tcp is HTTP
  • 443/tcp is HTTPS
sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload

AppArmor

sudo aa-complain '/etc/apparmor.d/php-fpm'

Services

Enable

sudo systemctl enable 'nginx' 'php-fpm' --now

Config Defaults

sudo -e '/etc/nginx/nginx.conf'
nano '/etc/php7/cli/php.ini'
nano '/etc/php7/fpm/php-fpm.conf.default'
nano '/etc/php7/fpm/php-fpm.d/www.conf.default'

nginx Settings

Notes

  • conf.d contains server-wide modular configuration files
  • snippets.d contains site-specific modular configuration files 2)
  • vhosts.d contains enabled websites

Defaults

snippets.d

sudo mkdir -p '/etc/nginx/snippets.d'

PHP-FPM

  • :!: For PHP 8, change php7 to php8
sudo -e '/etc/php7/fpm/php-fpm.conf'
[global]
include=/etc/php7/fpm/php-fpm.d/*.conf

HTTPS Redirect

  • This automatically redirects non-HTTPS site links to HTTPS
sudo -e '/etc/nginx/conf.d/http-redirect.conf'
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    return 301 https://$host$request_uri;
}

Non-existent 404

  • This prevents unconfigured subdomains from loading assets from other sites 3)
sudo -e '/etc/nginx/conf.d/non-existent.conf'
server {
    listen '443' 'ssl' 'http2' default_server;
    server_name '_';

    return '404';
}

Headers

  • :!: Last updated: 2019/06/28
  • :!: Add on site-by-site basis as an include
sudo -e '/etc/nginx/snippets.d/headers.conf'
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Cache-Control "no-store, no-transform, public" always;
add_header Referrer-Policy "same-origin" always;
add_header Expect-CT "max-age=0" always;
add_header Feature-Policy "geolocation none; microphone none; payment none; usb none; vr none; magnetometer none; midi none; camera none; ambient-light-sensor none; accelerometer none" always;

nginx

  • :!: Last updated: 2021/06/18
sudo -e '/etc/nginx/nginx.conf'
#user  nginx;
worker_processes  1;

# load_module lib64/nginx/modules/ngx_http_fancyindex_module.so;
# load_module lib64/nginx/modules/ngx_http_headers_more_filter_module.so;
# load_module lib64/nginx/modules/ngx_http_image_filter_module.so;
# load_module lib64/nginx/modules/ngx_http_perl_module.so;
# load_module lib64/nginx/modules/ngx_http_xslt_filter_module.so;
# load_module lib64/nginx/modules/ngx_mail_module.so;
# load_module lib64/nginx/modules/ngx_rtmp_module.so;
# load_module lib64/nginx/modules/ngx_stream_module.so;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
}

http {
    # Logging
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    # Includes
    include conf.d/*.conf;
    include vhosts.d/*.conf;
    include mime.types;
    default_type application/octet-stream;

    # Config
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_types *;
}

CSP Headers

  • The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the include line(s)
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Content-Security-Policy "" always;

SSL Certs

Let's Encrypt

Settings

  • :!: Keybase website proof verification fails with TLSv1.3 as the only ssl_protocols as of 2019/06/29, see bug report
sudo -e '/etc/nginx/conf.d/ssl.conf'
ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';

ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_buffer_size 4k;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;

ssl_stapling on;
ssl_stapling_verify on;
resolver 9.9.9.9 149.112.112.112 [2620:fe::fe] [2620:fe::9] valid=300s;
resolver_timeout 5s;

Self-signed

  • :!: This likely needs refactored

Generate Certs

sudo openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key && sudo openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730

Settings

sudo -e '/etc/nginx/conf.d/ssl.conf'
ssl_certificate '/etc/ssl/certs/nginx.crt';
ssl_certificate_key '/etc/ssl/certs/nginx.key';

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
2)
this folder needs created
3)
if a site/URL doesn't exist, it'll 404
servers/nginx_php_php-fpm.txt · Last modified: 2021/06/18 17:04 by Sean Rhone