• nginx ¹⁾
• PHP + PHP-CGI²⁾
• Realm of Espionage

• Windows 10

• https://nginx.org/en/docs/windows.html
• https://gist.github.com/odan/b5f7de8dfbdbf76bef089776c868fea1
• https://certbot.eff.org/instructions?ws=other&os=pip
• https://community.letsencrypt.org/t/using-certbot-in-windows-the-pragmatic-way/173929
• https://www.php.net/manual/en/image.installation.php

• https://nginx.org/en/download.html

• Extract to root system drive for C:\nginx-1.27.0\nginx.exe

CD "%SystemDrive%\nginx-"*"\" && DIR "nginx.exe"

CD "%SystemDrive%\nginx-"*"\" && explorer "."

• https://windows.php.net/download/
• x64 Non Thread Safe

• Extract to root system drive for C:\php-8.3.8-nts-Win32-vs16-x64\php-cgi.exe

CD "%SystemDrive%\php-"*"-nts-Win32-vs16-x64\" && DIR "php-cgi.exe"

CD "%SystemDrive%\php-"*"-nts-Win32-vs16-x64\" && explorer "."

CD "%SystemDrive%\php-"*"-nts-Win32-vs16-x64\" && "php.exe" -m

CD "%SystemDrive%\php-"*"-nts-Win32-vs16-x64\ext\" && explorer "."

• 80/tcp is HTTP
• 443/tcp is HTTPS

netsh advfirewall firewall add rule name="nginx HTTP" dir="in" action="allow" protocol="TCP" localport="80"

netsh advfirewall firewall add rule name="nginx HTTPS" dir="in" action="allow" protocol="TCP" localport="443"

• nginx-conf.d contains server-wide modular configuration files
• nginx-default.d contains site-specific modular configuration files
• nginx-vhosts.d contains enabled websites

MKDIR "%SystemDrive%\www\nginx-conf.d"

MKDIR "%SystemDrive%\www\nginx-default.d"

MKDIR "%SystemDrive%\www\nginx-vhosts.d"

explorer "%SystemDrive%\www\"

• This automatically redirects non-HTTPS site links to HTTPS

notepad++ "%SystemDrive%\www\nginx-conf.d\http-redirect.conf"

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    return 301 https://$host$request_uri;
}

• This prevents unconfigured subdomains from loading assets from other sites ³⁾

notepad++ "%SystemDrive%\www\nginx-conf.d\non-existent.conf"

server {
    listen "443" "ssl" "default_server";
    http2 "on";
    server_name "_";

    return "404";
}

• Last updated: 2024/02/07
• Add to individual site configs as an include

notepad++ "%SystemDrive%\www\nginx-default.d\headers.conf"

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Cache-Control "no-store, no-transform, public" always;
add_header Referrer-Policy "same-origin" always;
add_header Expect-CT "max-age=0" always;
add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;

• Last updated: 2024/06/21

notepad++ "%SystemDrive%\nginx-1.27.0\conf\nginx.conf"

worker_processes  1;

events {
    worker_connections  1024;
}

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

http {

    # Logging
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    # Includes
    include C:/www/nginx-conf.d/*.conf;
    include C:/www/nginx-vhosts.d/*.conf;
    include mime.types;
    default_type application/octet-stream;

    # Config
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;
    server_names_hash_bucket_size 64;

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_types *;
}

• The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the include line(s)

    add_header Content-Security-Policy "default-src 'self'" always;

    add_header Content-Security-Policy "" always;

• See Let's Encrypt/Certbot for further set-up

notepad++ "%SystemDrive%\www\nginx-conf.d\ssl.conf"

ssl_certificate "C:/Certbot/live/realmofespionage.xyz/fullchain.pem";
ssl_trusted_certificate "C:/Certbot/live/realmofespionage.xyz/fullchain.pem";
ssl_certificate_key "C:/Certbot/live/realmofespionage.xyz/privkey.pem";

ssl_session_timeout "10m";
ssl_session_cache "shared:SSL:10m";
ssl_session_tickets "off";
ssl_buffer_size "4k";

ssl_protocols "TLSv1.3";
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
ssl_prefer_server_ciphers "on";
ssl_ecdh_curve "secp384r1";

ssl_stapling "on";
ssl_stapling_verify "on";
resolver "1.1.1.2" "1.0.0.2" "[2606:4700:4700::1112]" "[2606:4700:4700::1002]" "valid=300s";
resolver_timeout "5s";

# End

notepad++ "%UserProfile%\Desktop\nginx Start.bat"

CD "%SystemDrive%\nginx-"*"\"
"nginx.exe"

"%UserProfile%\Desktop\nginx Start.bat"

notepad++ "%UserProfile%\Desktop\nginx Stop.bat"

cd "%SystemDrive%\nginx-"*"\"
"nginx.exe" -s quit

"%UserProfile%\Desktop\nginx Stop.bat"

notepad++ "%UserProfile%\Desktop\nginx Reload.bat"

cd "%SystemDrive%\nginx-"*"\"
"nginx.exe" -s reload
"nginx.exe" -s reopen

"%UserProfile%\Desktop\nginx Reload.bat"

notepad++ "%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp\nginx Start.bat"

CD "%SystemDrive%\nginx-"*"\"
"nginx.exe"

explorer "%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp\"