Differences

This shows you the differences between two versions of the page.

--- servers:windows:nginx_php_php-cgi [2025/01/07 00:14] – Sean Rhone
+++ servers:windows:nginx_php_php-cgi [2026/04/15 09:45] (current) – [Firewall] Sean Rhone
@@ Line 2: / Line 2: @@
   * nginx ((https://nginx.org/en/docs/windows.html))
-  * PHP + PHP-CGI((https://windows.php.net/download/))
+  * PHP ((https://windows.php.net/))
-  * [[Information:Realm of Espionage]]
+  * PHP-CGI
+  * [[information;realm_of_espionage|Realm of Espionage]]
 ===== Prerequisites =====
-  * [[windows:10|Windows 10]]
+  * [[windows;10_ltsc_server|Windows 10 (21H2)]]
 ====== Install ======
@@ Line 13: / Line 14: @@
 ===== nginx =====
-  * https://nginx.org/en/download.html
+  * https://nginx.org/en/download.html ([[https://nginx.org/en/CHANGES|CHANGES]])
-  * Last tested: ''nginx-1.27.3.zip''
+  * Last tested: ''nginx-1.29.8.zip''
-  * Extract to root system drive for ''C:\nginx-1.27.3\nginx.exe''
+  * Extract to root system drive for ''C:\nginx-1.29.8\nginx.exe''
-  CD "%SystemDrive%\nginx-"*"\" && DIR "nginx.exe"
+  "%SystemRoot%\explorer.exe" "%SystemDrive%"
-  CD "%SystemDrive%\nginx-"*"\" && explorer "."
 ===== PHP-CGI =====
-  * https://windows.php.net/download/
+  * https://www.php.net/downloads.php
+  * https://www.php.net/pre-release-builds.php
   * x64 Non Thread Safe
-  * Last tested: ''php-8.4.2-nts-Win32-vs17-x64.zip''
+  * Last tested: ''php-8.5.5-nts-Win32-vs17-x64.zip''
-  * Extract to root system drive for ''C:\php-8.4.2-nts-Win32-vs17-x64\php-cgi.exe''
+  * Extract to root system drive for ''C:\php-*\php-cgi.exe''
+  * Add to user ''Path''
-  CD "%SystemDrive%\php-"*"-nts-Win32-"*"-x64\" && DIR "php-cgi.exe"
+  "%SystemRoot%\explorer.exe" "%SystemDrive%"
-  CD "%SystemDrive%\php-"*"-nts-Win32-"*"-x64\" && explorer "."
+  "%SystemRoot%\System32\SystemPropertiesAdvanced.exe"
-  * TODO:
+  C:\php-8.5.5-nts-Win32-vs17-x64
-<code>SETX "Path" "%SystemDrive%\php-8.4.2-nts-Win32-vs17-x64"</code>
+====== Firewall ======
-===== PHP Extensions =====
+  CD "%SystemDrive%\nginx-"*"\"
-==== Verify Modules ====
+  "%SystemRoot%\System32\netsh.exe" advfirewall firewall add rule name="nginx" dir="in" action="allow" profile="any" program="%CD%\nginx.exe" protocol="tcp" localport="80,443"
-  CD "%SystemDrive%\php-"*"-nts-Win32-"*"-x64\" && "php.exe" -m
+===== Delete Rule =====
-  CD "%SystemDrive%\php-"*"-nts-Win32-"*"-x64\" && explorer "."
+****
-====== Firewall ======
+  "%SystemRoot%\System32\netsh.exe" advfirewall firewall delete rule name="nginx"
-  * 80/tcp is HTTP
+====== Check Defaults ======
-  * 443/tcp is HTTPS
-  netsh advfirewall firewall add rule name="nginx HTTP" dir="in" action="allow" protocol="TCP" localport="80"
+==== nginx ====
-  netsh advfirewall firewall add rule name="nginx HTTPS" dir="in" action="allow" protocol="TCP" localport="443"
+****
+  CD "%SystemDrive%\nginx-"*"\conf" && "%SystemRoot%\System32\notepad.exe" "nginx.conf"
+==== PHP ====
+  CD "%SystemDrive%\php-"*"-nts-Win32-"*"-x64\" && "%SystemRoot%\System32\notepad.exe" "php.ini-production"
+  CD "%SystemDrive%\php-"*"-nts-Win32-"*"-x64\" && "%SystemRoot%\System32\notepad.exe" "php.ini-development"
 ====== nginx Settings ======
-===== Folders =====
+===== confs =====
-  MKDIR "%SystemDrive%\www\php"
+  MKDIR "%SystemDrive%\www\nginx\conf" & CD "%SystemDrive%\nginx-"*"\conf" && COPY /Y "fastcgi_params" "%SystemDrive%\www\nginx\conf\fastcgi_params"
-  MKDIR "%SystemDrive%\www\nginx\conf.d"
+  MKDIR "%SystemDrive%\www\nginx\conf" & CD "%SystemDrive%\nginx-"*"\conf" && COPY /Y "mime.types" "%SystemDrive%\www\nginx\conf\mime.types"
-  MKDIR "%SystemDrive%\www\nginx\default.d"
+===== Folders =====
-  MKDIR "%SystemDrive%\www\nginx\vhosts.d"
+****
-  explorer "%SystemDrive%\www\"
+  MKDIR "%SystemDrive%\www\php" "%SystemDrive%\www\nginx\conf.d" "%SystemDrive%\www\nginx\default.d" "%SystemDrive%\www\nginx\vhosts.d"
 ===== HTTPS Redirect =====
@@ Line 73: / Line 81: @@
   * This automatically redirects non-HTTPS site links to HTTPS
-  notepad "%SystemDrive%\www\nginx\conf.d\http-redirect.conf"
+  "%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\nginx\conf.d\http-redirect.conf"
 <code>
 server {
-    listen 80 default_server;
+ listen "80" "default_server";
-    listen [::]:80 default_server;
+ listen "[::]:80" "default_server";
-    return 301 https://$host$request_uri;
+ return "301" "https://$host$request_uri";
-}</code>
+}
+# End</code>
 ===== Non-existent 404 =====
-  * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
+  * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't have a ''vhosts.d\*.conf'', it'll 404))
-  notepad "%SystemDrive%\www\nginx\conf.d\non-existent.conf"
+  "%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\nginx\conf.d\non-existent.conf"
 <code>
 server {
-    listen "443" "ssl" "default_server";
+ listen "443" "ssl" "default_server";
-    http2 "on";
+ http2 "on";
-    server_name "_";
+ server_name "_";
-    return "404";
+ return "404";
-}</code>
+}
+# End</code>
 ===== Headers =====
@@ Line 102: / Line 114: @@
   * Add to individual site configs as an ''include''
-  notepad "%SystemDrive%\www\nginx\default.d\headers.conf"
+  "%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\nginx\default.d\headers.conf"
 <code>
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+add_header "Strict-Transport-Security" "max-age=63072000; includeSubdomains; preload" "always";
-add_header X-Content-Type-Options "nosniff" always;
+add_header "X-Content-Type-Options" "nosniff" "always";
-add_header X-Frame-Options "sameorigin" always;
+add_header "X-Frame-Options" "sameorigin" "always";
-add_header X-XSS-Protection "1; mode=block" always;
+add_header "X-XSS-Protection" "1; mode=block" "always";
-add_header Cache-Control "no-store, no-transform, public" always;
+add_header "Cache-Control" "max-age=604800, no-transform, public" "always";
-add_header Referrer-Policy "same-origin" always;
+add_header "Referrer-Policy" "same-origin" "always";
-add_header Expect-CT "max-age=0" always;
+add_header "Expect-CT" "max-age=0" "always";
-add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;</code>
+add_header "Permissions-Policy" "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" "always";
+# End</code>
 ===== nginx =====
-  * :!: ''mime.types'' include hard-coded to nginx version path
+  "%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\nginx\nginx.conf"
-  notepad "%SystemDrive%\www\nginx\nginx.conf"
 <code>
-worker_processes  1;
+worker_processes "1";
+error_log "logs/error.log" "emerg";
 events {
-    worker_connections  1024;
+ multi_accept "on";
+ worker_connections "1024";
 }
-#error_log  logs/error.log;
-#error_log  logs/error.log  notice;
-#error_log  logs/error.log  info;
 http {
+ access_log "off";
-    # Logging
+ include "C:/www/nginx/conf.d/*.conf";
-    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+ include "C:/www/nginx/vhosts.d/*.conf";
-    #                  '$status $body_bytes_sent "$http_referer" '
+ include "C:/www/nginx/conf/mime.types";
-    #                  '"$http_user_agent" "$http_x_forwarded_for"';
+ default_type "application/octet-stream";
-    #access_log  logs/access.log  main;
+ sendfile "on";
+ tcp_nopush "on";
+ tcp_nodelay "on";
+ keepalive_timeout "65";
+ types_hash_max_size "4096";
+ server_names_hash_bucket_size "64";
-    # Includes
+ gzip "on";
-    include C:/www/nginx/conf.d/*.conf;
+ gzip_vary "on";
-    include C:/www/nginx/vhosts.d/*.conf;
+ gzip_proxied "any";
-    include C:/nginx-1.27.3/conf/mime.types;
+ gzip_comp_level "9";
-    default_type application/octet-stream;
+ gzip_types "*";
+}
-    # Config
+# End</code>
-    sendfile on;
-    tcp_nopush on;
-    tcp_nodelay on;
-    keepalive_timeout 65;
-    types_hash_max_size 4096;
-    server_names_hash_bucket_size 64;
-    # gzip
+  CD "%SystemDrive%\nginx-"*"\" && "nginx.exe" -c "%SystemDrive%\www\nginx\nginx.conf" -t
-    gzip on;
-    gzip_vary on;
-    gzip_proxied any;
-    gzip_comp_level 9;
-    gzip_types *;
-}</code>
 ==== CSP Headers ====
@@ Line 166: / Line 171: @@
   * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)
-<code>    add_header Content-Security-Policy "default-src 'self'" always;</code>
+<code>add_header Content-Security-Policy "default-src 'self'" always;</code>
-<code>    add_header Content-Security-Policy "" always;</code>
+<code>add_header Content-Security-Policy "" always;</code>
 ====== SSL Certs ======
@@ Line 178: / Line 183: @@
 ==== Settings ====
-  notepad "%SystemDrive%\www\nginx\conf.d\ssl.conf"
+  "%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\nginx\conf.d\ssl.conf"
 <code>
@@ Line 194: / Line 199: @@
 ssl_prefer_server_ciphers "on";
 ssl_ecdh_curve "secp384r1";
-ssl_stapling "on";
-ssl_stapling_verify "on";
-resolver "1.1.1.2" "1.0.0.2" "[2606:4700:4700::1112]" "[2606:4700:4700::1002]" "valid=300s";
-resolver_timeout "5s";
 # End</code>
-====== Batch Files ======
+====== Scripts ======
-  MKDIR "%SystemDrive%\www\scripts"
+  MKDIR "%SystemDrive%\www\scripts\nginx"
-  explorer "%SystemDrive%\www\scripts"
+  "%SystemRoot%\explorer.exe" "%SystemDrive%\www\scripts\nginx"
 ===== Start =====
-  notepad "%SystemDrive%\www\scripts\nginx Start.bat"
+  "%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\scripts\nginx\Start.bat"
 <code>
+@echo off
+TITLE nginx
 CD "%SystemDrive%\nginx-"*"\"
-"nginx.exe" -c "%SystemDrive%\www\nginx\nginx.conf"</code>
-  "%SystemDrive%\www\scripts\nginx Start.bat"
-==== Autostart ====
-  explorer "%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"
+"nginx.exe" -c "%SystemDrive%\www\nginx\nginx.conf"
-  "%SystemDrive%\www\scripts\nginx Start.bat"
+:: End</code>
-  nginx
+  "%SystemDrive%\www\scripts\nginx\Start.bat"
 ===== Stop =====
-  notepad "%SystemDrive%\www\scripts\nginx Stop.bat"
+  "%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\scripts\nginx\Stop.bat"
 <code>
+@echo off
+TITLE nginx Stop
 CD "%SystemDrive%\nginx-"*"\"
-"nginx.exe" -s quit</code>
-  "%SystemDrive%\www\scripts\nginx Stop.bat"
+"nginx.exe" -s "quit"
+"%SystemRoot%\System32\timeout.exe" /T "2" /NOBREAK
+"%SystemRoot%\System32\taskkill.exe" /IM "nginx.exe" /T /F
+CD "%Temp%"
+:: End</code>
+  "%SystemDrive%\www\scripts\nginx\Stop.bat"
 ===== Reload =====
-  notepad "%SystemDrive%\www\scripts\nginx Reload.bat"
+  "%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\scripts\nginx\Reload.bat"
 <code>
+@echo off
 CD "%SystemDrive%\nginx-"*"\"
-"nginx.exe" -s reload
-"nginx.exe" -s reopen</code>
-  "%SystemDrive%\www\scripts\nginx Reload.bat"
+"nginx.exe" -s "reload"
+"nginx.exe" -s "reopen"
-====== TODOs ======
+CD "%Temp%"
-===== Resources =====
+:: End</code>
+  "%SystemDrive%\www\scripts\nginx\Reload.bat"
+====== Task Scheduler ======
+===== nginx =====
+  * Auto-start
+  "%SystemRoot%\System32\schtasks.exe" /Create /SC "ONLOGON" /TN "nginx" /TR "%SystemDrive%\www\scripts\nginx\Start.bat" /F
+====== Resources ======
   * https://nginx.org/en/docs/windows.html
@@ Line 256: / Line 278: @@
   * https://community.letsencrypt.org/t/using-certbot-in-windows-the-pragmatic-way/173929
   * https://www.php.net/manual/en/image.installation.php
+  * [[https://www.ssllabs.com/ssltest/analyze.html?d=wiki.realmofespionage.xyz|Qualys SSL Test]]
+====== TODO ======
+===== Exploit Protection =====
+  * https://learn.microsoft.com/en-us/defender-endpoint/exploit-protection-reference
+==== nginx ====
+  nginx.exe
+  * Arbitrary code guard (ACG): On
+    * ''[ ]'' Allow thread opt-out
+  * Block low integrity images: On
+  * Block remote images: On
+  * Block untrusted fonts: On
+  * Control integrity guard: On
+    * ''[ ]'' Also allow loading of images signed by Microsoft Store
+  * Control flow guard (CFG): On
+    * :!: ''[ ]'' Use strict CFG
+  * Data Execution Prevention (DEP): On
+    * ''[ ]'' Enable ATL thunk emulation
+  * Disable extension points: On
+  * :!: Disable Win32k system calls: Off
+  * :!: Do not allow child processes: Off
+  * Export address filtering (EAF): On
+    * ''[x]'' Validate access for modules that are commonly abused by exploits.
+  * Force randomization for images (Mandatory ASLR): On
+    * ''[x]'' Do not allow stripped images
+  * Hardware-enforced Stack Protection: On
+    * ''[x]'' Enforce for all modules instead of only compatible modules
+  * Import address filtering (IAF): On
+  * Randomize memory allocations (Bottom-up ASLR): On
+    * ''[ ]'' Don't use high entropy
+  * Simulate execution (SimExec): On
+  * Validate API invocation (CallerCheck): On
+  * Validate exception chains (SEHOP): On
+  * Validate handle usage: On
+  * Validate heap integrity: On
+  * Validate image dependency integrity: On
+  * Validate stack integrity (StackPivot): On
+==== PHP-CGI ====
+  php-cgi.exe
+  * :!: Arbitrary code guard (ACG): Off
+  * Block low integrity images: On
+  * Block remote images: On
+  * Block untrusted fonts: On
+  * :!: Control integrity guard: Off
+  * Control flow guard (CFG): On
+    * :!: ''[ ]'' Use strict CFG
+  * Data Execution Prevention (DEP): On
+    * ''[ ]'' Enable ATL thunk emulation
+  * Disable extension points: On
+  * :!: Disable Win32k system calls: Off
+  * :!: Do not allow child processes: Off
+  * Export address filtering (EAF): On
+    * ''[x]'' Validate access for modules that are commonly abused by exploits.
+  * Force randomization for images (Mandatory ASLR): On
+    * ''[x]'' Do not allow stripped images
+  * Hardware-enforced Stack Protection: On
+    * ''[x]'' Enforce for all modules instead of only compatible modules
+  * Import address filtering (IAF): On
+  * Randomize memory allocations (Bottom-up ASLR): On
+    * ''[ ]'' Don't use high entropy
+  * Simulate execution (SimExec): On
+  * Validate API invocation (CallerCheck): On
+  * Validate exception chains (SEHOP): On
+  * Validate handle usage: On
+  * Validate heap integrity: On
+  * Validate image dependency integrity: On
+  * Validate stack integrity (StackPivot): On