• nginx ¹⁾
• PHP
• PHP-FPM
• Realm of Espionage

• Fedora Server (or Workstation)

• Cipherli.st
• Security Headers
• Qualys SSL Test
• Qualys SSL Test (dev)
• https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9
• https://infosec.mozilla.org
• https://gist.github.com/plentz/6737338
• https://scotthelme.co.uk

• https://mozilla.github.io/server-side-tls/ssl-config-generator
• TODO: For Fedora this was recommended for SELinux, but not sure from where: sudo semanage fcontext -a -t httpd_sys_content_t “/var/www(/.*)?” ; sudo restorecon -Rv /var/www
• On openSUSE TW, wwwrun is the user, and www is the group

• This (TODO: will) covers the required PHP extensions for DokuWiki, Joomla!, and WordPress
• TODO: Organize PHP module requirements according to sites; this is a PITA to check each deployment

sudo dnf install git nginx php-fpm php-cli php-xml php-opcache php-bcmath php-gd php-intl php-JsonSchema php-mbstring php-mysqlnd php-gettext-gettext php-sodium php-process php-gmp php-pecl-imagick php-pecl-zip

• https://docs.joomla.org/J4.x:Optional_Technical_Requirements
• https://docs.gnusocial.rocks/administrator/install/no_docker_shell.html
• https://make.wordpress.org/hosting/handbook/server-environment/

• Wordpress: ghost script

php -m

• 80/tcp is HTTP
• 443/tcp is HTTPS

sudo firewall-cmd --add-service='http' --permanent && sudo firewall-cmd --add-service='https' --permanent && sudo firewall-cmd --reload

sudo setsebool -P 'httpd_unified' '1'

• This automatically sets policies for nginx and php-fpm as-needed

mkdir -p ~/'policies' && cd ~/'policies' && sudo grep 'nginx' '/var/log/audit/audit.log' | sudo audit2allow -M 'nginx' && sudo semodule -i 'nginx.pp' && sudo grep 'php-fpm' '/var/log/audit/audit.log' | sudo audit2allow -M 'php-fpm' && sudo semodule -i 'php-fpm.pp' && cd ~

nano ~/'policies/nginx.te'

nano ~/'policies/php-fpm.te'

sudo systemctl enable 'nginx' 'php-fpm' --now

sudo chown --recursive 'nginx':'nginx' '/var/lib/php/opcache' '/var/lib/php/session' '/var/lib/php/wsdlcache' '/var/lib/php/peclxml'

sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf.bak'

sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf.bak'

sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf.bak'

sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf.bak'

nano '/etc/nginx/default.d/php.conf.bak'

nano '/etc/nginx/conf.d/php-fpm.conf.bak'

nano '/etc/php-fpm.d/www.conf.bak'

nano '/etc/nginx/nginx.conf.bak'

nano '/etc/php.ini'

• conf.d contains server-wide modular configuration files
• default.d contains site-specific modular configuration files
• vhosts.d contains enabled websites ²⁾

sudo mkdir -p '/etc/nginx/vhosts.d'

• This automatically redirects non-HTTPS site links to HTTPS

sudo -e '/etc/nginx/conf.d/http-redirect.conf'

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    return 301 https://$host$request_uri;
}

• This prevents unconfigured subdomains from loading assets from other sites ³⁾

sudo -e '/etc/nginx/conf.d/non-existent.conf'

server {
    listen '443' 'ssl' 'http2' default_server;
    server_name '_';

    return '404';
}

• Last updated: 2022/12/16
• Add on site-by-site basis as an include

sudo -e '/etc/nginx/default.d/headers.conf'

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Cache-Control "no-store, no-transform, public" always;
add_header Referrer-Policy "same-origin" always;
add_header Expect-CT "max-age=0" always;
add_header Feature-Policy "geolocation none; microphone none; payment none; usb none; vr none; magnetometer none; midi none; camera none; ambient-light-sensor none; accelerometer none" always;
add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;

• Last updated: 2022/07/15

sudo -e '/etc/nginx/nginx.conf'

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
}

http {
    # Logging
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    # Includes
    include /usr/share/nginx/modules/*.conf;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/vhosts.d/*.conf;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Config
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_types *;
}

• The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the include line(s)

    add_header Content-Security-Policy "default-src 'self'" always;

    add_header Content-Security-Policy "" always;

• See Lets Encrypt for further set-up

• TODO: Keybase website proof verification used to fail with TLSv1.3 (#3443), but may work now (#3720); test this

sudo -e '/etc/nginx/conf.d/ssl.conf'

ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';

ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_buffer_size 4k;

ssl_protocols TLSv1.3;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;

ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
resolver_timeout 5s;

• This likely needs refactored

sudo openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key && sudo openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730

sudo -e '/etc/nginx/conf.d/ssl.conf'

ssl_certificate '/etc/ssl/certs/nginx.crt';
ssl_certificate_key '/etc/ssl/certs/nginx.key';

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;