This is an old revision of the document!

Information

nginx ¹⁾
PHP
PHP-FPM
Realm of Espionage

Prerequisites

Ubuntu Server

Previous Fedora Server revision

Resources

Dependencies

sudo apt install git nginx-core php-fpm

PHP Extensions

Verify Modules

php -m

Firewall

80/tcp is HTTP
443/tcp is HTTPS
Nginx Full covers 80,443/tcp (ufw notes)

sudo ufw allow 'Nginx Full'

Services

Enable

sudo systemctl enable 'nginx' 'php8.2-fpm' --now

Permissions

TODO: Adapt for Ubuntu if needed

sudo chown --recursive 'nginx':'nginx' '/var/lib/php/opcache' '/var/lib/php/session' '/var/lib/php/wsdlcache' '/var/lib/php/peclxml'

Config Defaults

Backup

sudo mv '/etc/php/8.2/fpm/pool.d/www.conf' '/etc/php/8.2/fpm/pool.d/www.conf~'

sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'

sudo unlink '/etc/nginx/sites-enabled/default'

View

nano '/etc/php/8.2/fpm/pool.d/www.conf~'

nano '/etc/nginx/nginx.conf~'

nano '/etc/nginx/sites-available/default'

nano '/etc/php/8.2/fpm/php.ini'

nano '/etc/php/8.2/fpm/php-fpm.conf'

nginx Settings

Notes

conf.d contains server-wide modular configuration files ²⁾
snippets contains site-specific modular configuration files ³⁾
sites-available contains site's main configuration files
sites-enabled contains enabled websites symlinked from sites-available

HTTPS Redirect

This automatically redirects non-HTTPS site links to HTTPS

sudo -e '/etc/nginx/conf.d/http-redirect.conf'

# HTTPS Redirect

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    return 301 https://$host$request_uri;
}

# End

Non-existent 404

This prevents unconfigured subdomains from loading assets from other sites ⁴⁾

sudo -e '/etc/nginx/conf.d/non-existent.conf'

# Non-existent 404

server {
    listen '443' 'ssl' 'http2' default_server;
    server_name '_';

    return '404';
}

# End

Headers

Last updated: 2022/12/16
Add to individual site configs as an include

sudo -e '/etc/nginx/snippets/headers.conf'

# Headers

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Cache-Control "no-store, no-transform, public" always;
add_header Referrer-Policy "same-origin" always;
add_header Expect-CT "max-age=0" always;
add_header Feature-Policy "geolocation none; microphone none; payment none; usb none; vr none; magnetometer none; midi none; camera none; ambient-light-sensor none; accelerometer none" always;
add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;

# End

nginx

Last updated: 2024/02/07

sudo -e '/etc/nginx/nginx.conf'

user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {

    # Logging
    access_log  /var/log/nginx/access.log  main;

    # Includes
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Config
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_types *;
}

# End

CSP Headers

The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the include line(s)

    add_header Content-Security-Policy "default-src 'self'" always;

    add_header Content-Security-Policy "" always;

SSL Certs

Let's Encrypt

See Lets Encrypt for further set-up

Settings

sudo -e '/etc/nginx/conf.d/ssl.conf'

ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';

ssl_session_timeout '10m';
ssl_session_cache 'shared:SSL:10m';
ssl_session_tickets 'off';
ssl_buffer_size '4k';

ssl_protocols 'TLSv1.3';
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers 'on';
ssl_ecdh_curve 'secp384r1';

ssl_stapling 'on';
ssl_stapling_verify 'on';
resolver '1.1.1.2' '1.0.0.2' '2606:4700:4700::1112' '2606:4700:4700::1002' 'valid=300s';
resolver_timeout '5s';

# End

Self-signed

This likely needs refactored

Generate Certs

sudo openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key && sudo openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730

Settings

sudo -e '/etc/nginx/conf.d/ssl.conf'

ssl_certificate '/etc/ssl/certs/nginx.crt';
ssl_certificate_key '/etc/ssl/certs/nginx.key';

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;

¹⁾

https://nginx.org/en

²⁾

HTTPS redirect, SSL

³⁾

CSPs

⁴⁾

if a site/URL doesn't exist, it'll 404

RoE | Wiki

Table of Contents

Information

Prerequisites

Resources

Dependencies

PHP Extensions

Verify Modules

Firewall

Services

Enable

Permissions

Config Defaults

Backup

View

nginx Settings

Notes

HTTPS Redirect

Non-existent 404

Headers

nginx

CSP Headers

SSL Certs

Let's Encrypt

Settings

Self-signed

Generate Certs

Settings