Differences

This shows you the differences between two versions of the page.

--- windows:servers:nginx_php_php-fpm [2024/05/19 19:30] – created Sean Rhone
+++ windows:servers:nginx_php_php-fpm [2024/06/27 19:58] (current) – changed page slug to cgi instead of fpm Sean Rhone
@@ Line 1: / Line 1: @@
-====== Information ======
-  * nginx ((https://nginx.org/en/docs/windows.html))
-  * PHP + PHP-FPM ((https://windows.php.net/download/))
-  * [[Information:Realm of Espionage]]
-  * :!: 20240519: This is experimental and WIP
-===== Prerequisites =====
-  * [[windows:10|Windows 10]]
-===== Resources =====
-  * https://nginx.org/en/docs/windows.html
-  * https://gist.github.com/odan/b5f7de8dfbdbf76bef089776c868fea1
-  * https://certbot.eff.org/instructions?ws=other&os=pip
-  * https://community.letsencrypt.org/t/using-certbot-in-windows-the-pragmatic-way/173929
-====== Install ======
-===== nginx =====
-  * https://nginx.org/en/download.html
-  * Extract to ''C:\'' for ''C:\nginx-1.25.5\nginx.exe''
-===== PHP-FPM =====
-  * https://windows.php.net/download/
-  * x64 Non Thread Safe
-  * Extract to ''C:\'' for ''C:\php-8.3.7-nts-Win32-vs16-x64\php-cgi.exe''
-===== PHP Extensions =====
-==== Verify Modules ====
-****
-  "C:\php-8.3.7-nts-Win32-vs16-x64\php.exe" -m
-====== Firewall ======
-  * 80/tcp is HTTP
-  * 443/tcp is HTTPS
-  netsh advfirewall firewall add rule name="nginx HTTP" dir="in" action="allow" protocol="TCP" localport="80"
-  netsh advfirewall firewall add rule name="nginx HTTPS" dir="in" action="allow" protocol="TCP" localport="443"
-====== Config Defaults ======
-===== Backup =====
-  sudo mv '/etc/nginx/default.d/php.conf' '/etc/nginx/default.d/php.conf~'
-  sudo mv '/etc/nginx/conf.d/php-fpm.conf' '/etc/nginx/conf.d/php-fpm.conf~'
-  sudo mv '/etc/php-fpm.d/www.conf' '/etc/php-fpm.d/www.conf~'
-  sudo mv '/etc/nginx/nginx.conf' '/etc/nginx/nginx.conf~'
-===== View =====
-  nano '/etc/nginx/default.d/php.conf~'
-  nano '/etc/nginx/conf.d/php-fpm.conf~'
-  nano '/etc/php-fpm.d/www.conf~'
-  nano '/etc/nginx/nginx.conf~'
-  nano '/etc/php.ini'
-====== nginx Settings ======
-===== Notes =====
-  * ''conf.d'' contains **server-wide** modular configuration files
-  * ''default.d'' contains **site-specific** modular configuration files
-  * ''vhosts.d'' contains enabled websites ((this folder needs created))
-===== Defaults =====
-==== vhosts.d ====
-****
-  sudo mkdir -p '/etc/nginx/vhosts.d'
-===== HTTPS Redirect =====
-  * This automatically redirects non-HTTPS site links to HTTPS
-  sudo -e '/etc/nginx/conf.d/http-redirect.conf'
-<code>
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-    return 301 https://$host$request_uri;
-}</code>
-===== Non-existent 404 =====
-  * This prevents unconfigured subdomains from loading assets from other sites ((if a site/URL doesn't exist, it'll 404))
-  sudo -e '/etc/nginx/conf.d/non-existent.conf'
-<code>
-server {
-    listen '443' 'ssl' 'http2' default_server;
-    server_name '_';
-    return '404';
-}</code>
-===== Headers =====
-  * Last updated: 2024/02/07
-  * Add to individual site configs as an ''include''
-  sudo -e '/etc/nginx/default.d/headers.conf'
-<code>
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
-add_header X-Content-Type-Options "nosniff" always;
-add_header X-Frame-Options "sameorigin" always;
-add_header X-XSS-Protection "1; mode=block" always;
-add_header Cache-Control "no-store, no-transform, public" always;
-add_header Referrer-Policy "same-origin" always;
-add_header Expect-CT "max-age=0" always;
-add_header Permissions-Policy "geolocation=(), microphone=(), payment=(), usb=(), vr=(), magnetometer=(), midi=(), camera=(), ambient-light-sensor=(), accelerometer=()" always;</code>
-===== nginx =====
-  * :!: Last updated: 2023/09/12
-  sudo -e '/etc/nginx/nginx.conf'
-<code>
-user nginx;
-worker_processes auto;
-error_log /var/log/nginx/error.log notice;
-pid /run/nginx.pid;
-include /usr/share/nginx/modules/*.conf;
-events {
-    worker_connections 1024;
-}
-http {
-    # Logging
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-    access_log  /var/log/nginx/access.log  main;
-    # Includes
-    include /etc/nginx/conf.d/*.conf;
-    include /etc/nginx/vhosts.d/*.conf;
-    include /etc/nginx/mime.types;
-    default_type application/octet-stream;
-    # Config
-    sendfile on;
-    tcp_nopush on;
-    tcp_nodelay on;
-    keepalive_timeout 65;
-    types_hash_max_size 4096;
-    # gzip
-    gzip on;
-    gzip_vary on;
-    gzip_proxied any;
-    gzip_comp_level 9;
-    gzip_types *;
-}
-# End</code>
-==== CSP Headers ====
-  * The empty CSP allows all and can be useful for new site bring-ups, and should be placed in site-specific configs underneath the ''include'' line(s)
-<code>    add_header Content-Security-Policy "default-src 'self'" always;</code>
-<code>    add_header Content-Security-Policy "" always;</code>
-====== SSL Certs ======
-===== Let's Encrypt =====
-  * See [[Servers:nginx:Lets Encrypt]] for further set-up
-==== Settings ====
-  notepad++ "C:\nginx-1.25.5\conf\nginx.conf"
-<code>
-ssl_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
-ssl_trusted_certificate '/etc/letsencrypt/live/realmofespionage.xyz/fullchain.pem';
-ssl_certificate_key '/etc/letsencrypt/live/realmofespionage.xyz/privkey.pem';
-ssl_session_timeout '10m';
-ssl_session_cache 'shared:SSL:10m';
-ssl_session_tickets 'off';
-ssl_buffer_size '4k';
-ssl_protocols 'TLSv1.3';
-ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
-ssl_prefer_server_ciphers 'on';
-ssl_ecdh_curve 'secp384r1';
-ssl_stapling 'on';
-ssl_stapling_verify 'on';
-resolver '1.1.1.2' '1.0.0.2' '[2606:4700:4700::1112]' '[2606:4700:4700::1002]' 'valid=300s';
-resolver_timeout '5s';
-# End</code>