RoE | Wiki

User Tools

Site Tools

Trace:
servers:nginx_php_php-fpm

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
servers:nginx_php_php-fpm [2024/02/07 14:14] Sean Rhoneservers:nginx_php_php-fpm [2024/08/13 16:32] (current) – removed Sean Rhone
Line 1: Line 1:
-====== Information ====== 
- 
-  * nginx ((https://nginx.org/en)) 
-  * PHP 
-  * PHP-FPM 
-  * [[Information:Realm of Espionage]] 
- 
-===== Prerequisites ===== 
- 
-  * [[distros:ubuntu_server|Ubuntu Server]] 
- 
-  * [[servers:nginx_php_php-fpm?rev=1706787894|Previous Fedora Server revision]] 
- 
-===== Resources ===== 
- 
-  * [[https://cipherli.st/|Cipherli.st]] 
-  * [[https://securityheaders.com/?q=wiki.realmofespionage.xyz&followRedirects=on|Security Headers]] 
-  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]] 
-  * [[https://dev.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test (dev)]] 
-  * https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?l=138&rcl=ab90b51c5b60de15054a32b0bd18e4839536a1c9 
-  * https://infosec.mozilla.org 
-  * https://gist.github.com/plentz/6737338 
-  * https://scotthelme.co.uk 
-  * https://mozilla.github.io/server-side-tls/ssl-config-generator 
- 
-====== Dependencies ====== 
- 
-**** 
- 
-  sudo apt install git nginx-core php-fpm 
- 
-===== PHP Extensions ===== 
- 
-==== Verify Modules ==== 
- 
-**** 
- 
-  php -m 
- 
-====== Firewall ====== 
- 
-  * 80/tcp is HTTP 
-  * 443/tcp is HTTPS 
-  * ''Nginx Full'' covers ''80,443/tcp'' ([[notes:ufw|ufw notes]]) 
- 
-  sudo ufw allow 'Nginx Full' 
- 
-====== Services ====== 
- 
-===== Enable ===== 
- 
-**** 
- 
-  sudo systemctl enable 'nginx' 'php8.2-fpm' --now 
- 
-====== Permissions ====== 
- 
-  * :!: TODO: Adapt for Ubuntu if needed 
- 
-  sudo chown --recursive 'nginx':'nginx' '/var/lib/php/opcache' '/var/lib/php/session' '/var/lib/php/wsdlcache' '/var/lib/php/peclxml' 
- 
-====== Config Defaults ====== 
- 
-===== Backup ===== 
- 
-  sudo mv '/etc/php/8.2/fpm/pool.d/www.conf' '/etc/php/8.2/fpm/pool.d/www.conf~' 
- 
-  sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~' 
- 
-  sudo unlink '/etc/nginx/sites-enabled/default' 
- 
-===== View ===== 
- 
-  nano '/etc/php/8.2/fpm/pool.d/www.conf~' 
- 
-  nano '/etc/nginx/nginx.conf~' 
- 
-  nano '/etc/nginx/sites-available/default' 
- 
-  nano '/etc/php/8.2/fpm/php.ini' 
- 
-  nano '/etc/php/8.2/fpm/php-fpm.conf' 
- 
-====== nginx Settings ====== 
- 
-===== Notes ===== 
- 
-  * ''conf.d'' contains **server-wide** modular configuration files ((HTTPS redirect, SSL)) 
-  * ''snippets'' contains **site-specific** modular configuration files ((CSPs)) 
-  * ''sites-available'' contains site's main configuration files 
-  * ''sites-enabled'' contains enabled websites symlinked from ''sites-available'' 
- 
-===== HTTPS Redirect ===== 
- 
-  * This automatically redirects non-HTTPS site links to HTTPS 
- 
-  sudo -e '/etc/nginx/conf.d/http-redirect.conf' 
- 
-<code> 
-server { 
-    listen 80 default_server; 
-    listen [::]:80 default_server; 
- 
-    return 301 https://$host$request_uri; 
-}</code> 
- 
-===== Non-existent 404 ===== 
- 
-  * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404)) 
- 
-  sudo -e '/etc/nginx/conf.d/non-existent.conf' 
- 
-<code> 
-server { 
-    listen '443' 'ssl' 'http2' default_server; 
-    server_name '_'; 
- 
-    return '404'; 
-}</code> 
- 
-===== Headers ===== 
- 
-  * Last updated: 2022/12/16 
-  * Add to individual site configs as an ''include'' 
- 
-  sudo -e '/etc/nginx/snippets/headers.conf' 
- 
-<code> 
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; 
-add_header X-Content-Type-Options "nosniff" always; 
-add_header X-Frame-Options "sameorigin" always; 
-add_header X-XSS-Protection "1; mode=block" always; 
-add_header Cache-Control "no-store, no-transform, public" always; 
-add_header Referrer-Policy "same-origin" always; 
-add_header Expect-CT "max-age=0" always; 
-add_header Feature-Policy "geolocation none; microphone none; payment none; usb none; vr none; magnetometer none; midi none; camera none; ambient-light-sensor none; accelerometer none" always; 
-add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;</code> 
- 
-===== nginx ===== 
- 
-  * Last updated: 2024/02/07 
- 
-  sudo -e '/etc/nginx/nginx.conf' 
- 
-<code> 
-user www-data; 
-worker_processes auto; 
-error_log /var/log/nginx/error.log; 
-pid /run/nginx.pid; 
- 
-events { 
-    worker_connections 1024; 
-} 
- 
-http { 
- 
-    # Logging 
-    access_log  /var/log/nginx/access.log  main; 
- 
-    # Includes 
-    include /etc/nginx/conf.d/*.conf; 
-    include /etc/nginx/sites-enabled/*.conf; 
-    include /etc/nginx/mime.types; 
-    default_type application/octet-stream; 
- 
-    # Config 
-    sendfile on; 
-    tcp_nopush on; 
-    tcp_nodelay on; 
-    keepalive_timeout 65; 
-    types_hash_max_size 4096; 
- 
-    # gzip 
-    gzip on; 
-    gzip_vary on; 
-    gzip_proxied any; 
-    gzip_comp_level 9; 
-    gzip_types *; 
-} 
- 
-# End</code> 
- 
-==== CSP Headers ==== 
- 
-  * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s) 
- 
-<code>    add_header Content-Security-Policy "default-src 'self'" always;</code> 
- 
-<code>    add_header Content-Security-Policy "" always;</code> 
- 
-====== SSL Certs ====== 
- 
-===== Let's Encrypt ===== 
- 
-  * See [[Servers:nginx:Lets Encrypt]] for further set-up 
- 
-==== Settings ==== 
- 
-  sudo -e '/etc/nginx/conf.d/ssl.conf' 
- 
-<code> 
-ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; 
-ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem'; 
-ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem'; 
- 
-ssl_session_timeout '10m'; 
-ssl_session_cache 'shared:SSL:10m'; 
-ssl_session_tickets 'off'; 
-ssl_buffer_size '4k'; 
- 
-ssl_protocols 'TLSv1.3'; 
-ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM'; 
-ssl_prefer_server_ciphers 'on'; 
-ssl_ecdh_curve 'secp384r1'; 
- 
-ssl_stapling 'on'; 
-ssl_stapling_verify 'on'; 
-resolver '1.1.1.2' '1.0.0.2' '2606:4700:4700::1112' '2606:4700:4700::1002' 'valid=300s'; 
-resolver_timeout '5s'; 
- 
-# End</code> 
- 
-===== Self-signed ===== 
- 
-  * :!: This likely needs refactored 
- 
-==== Generate Certs ==== 
- 
-**** 
- 
-  sudo openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key && sudo openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730 
- 
-==== Settings ==== 
- 
-  sudo -e '/etc/nginx/conf.d/ssl.conf' 
- 
-  ssl_certificate '/etc/ssl/certs/nginx.crt'; 
-  ssl_certificate_key '/etc/ssl/certs/nginx.key'; 
-   
-  ssl_session_timeout 1d; 
-  ssl_session_cache shared:SSL:50m; 
-  ssl_session_tickets off; 
-   
-  ssl_protocols TLSv1.3; 
-  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; 
-  ssl_prefer_server_ciphers on; 
-  ssl_ecdh_curve secp384r1; 
  
/srv/www/wiki/data/attic/servers/nginx_php_php-fpm.1707333240.txt.gz · Last modified: (external edit)