ArchLinux:Nginx: Difference between revisions
Line 100: | Line 100: | ||
{{margin}} | {{margin}} | ||
{{Console|title=/etc/nginx/nginx.conf|prompt=false|1=include /nginx/conf.d/nginx.conf;}} | {{Console|title=/etc/nginx/nginx.conf|prompt=false|1=include /nginx/conf.d/nginx.conf;}} | ||
Create a {{mono|fastcgi_params}} file (PHP environmental variable defaults). | === FastCGI === | ||
Create a {{mono|fastcgi_params}} config file (PHP environmental variable defaults). | |||
{{Console|1=sudoedit /nginx/conf.d/fastcgi_params}} | {{Console|1=sudoedit /nginx/conf.d/fastcgi_params}} | ||
{{margin}} | {{margin}} | ||
{{Console|title=/nginx/conf.d/fastcgi_params|prompt=false|1={{blackBold|# $KYAULabs: fastcgi_params,v 1.0.5 2021/05/03 17:31:37 kyau Exp $}}<br/><br/>fastcgi_param QUERY_STRING $query_string;<br/>fastcgi_param REQUEST_METHOD $request_method;<br/>fastcgi_param CONTENT_TYPE $content_type;<br/>fastcgi_param CONTENT_LENGTH $content_length;<br/><br/>fastcgi_param SCRIPT_FILENAME $request_filename;<br/>fastcgi_param SCRIPT_NAME $fastcgi_script_name;<br/>fastcgi_param REQUEST_URI $request_uri;<br/>fastcgi_param DOCUMENT_URI $document_uri;<br/>fastcgi_param DOCUMENT_ROOT $document_root;<br/>fastcgi_param SERVER_PROTOCOL $server_protocol;<br/>fastcgi_param REQUEST_SCHEME $scheme;<br/>fastcgi_param HTTPS $https if_not_empty;<br/><br/>fastcgi_param GATEWAY_INTERFACE CGI/1.1;<br/>{{blackBold|#fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;}}<br/>fastcgi_param SERVER_SOFTWARE nginx;<br/><br/>fastcgi_param REMOTE_ADDR $remote_addr;<br/>fastcgi_param REMOTE_PORT $remote_port;<br/>fastcgi_param SERVER_ADDR $server_addr;<br/>fastcgi_param SERVER_PORT $server_port;<br/>fastcgi_param SERVER_NAME $server_name;<br/><br/>{{blackBold|# PHP only, required if PHP was built with --enable-force-cgi-redirect}}<br/>fastcgi_param REDIRECT_STATUS 200;<br/><br/>{{blackBold|# Mitigate <nowiki>https://httpoxy.org/</nowiki> vulnerabilities}}<br/>fastcgi_param HTTP_PROXY "";<br/><br/>{{blackBold|# vim: ft{{=}}nginx ts{{=}}4 sw{{=}}4 noet :}}}} | {{Console|title=/nginx/conf.d/fastcgi_params|prompt=false|1={{blackBold|# $KYAULabs: fastcgi_params,v 1.0.5 2021/05/03 17:31:37 kyau Exp $}}<br/><br/>fastcgi_param QUERY_STRING $query_string;<br/>fastcgi_param REQUEST_METHOD $request_method;<br/>fastcgi_param CONTENT_TYPE $content_type;<br/>fastcgi_param CONTENT_LENGTH $content_length;<br/><br/>fastcgi_param SCRIPT_FILENAME $request_filename;<br/>fastcgi_param SCRIPT_NAME $fastcgi_script_name;<br/>fastcgi_param REQUEST_URI $request_uri;<br/>fastcgi_param DOCUMENT_URI $document_uri;<br/>fastcgi_param 
DOCUMENT_ROOT $document_root;<br/>fastcgi_param SERVER_PROTOCOL $server_protocol;<br/>fastcgi_param REQUEST_SCHEME $scheme;<br/>fastcgi_param HTTPS $https if_not_empty;<br/><br/>fastcgi_param GATEWAY_INTERFACE CGI/1.1;<br/>{{blackBold|#fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;}}<br/>fastcgi_param SERVER_SOFTWARE nginx;<br/><br/>fastcgi_param REMOTE_ADDR $remote_addr;<br/>fastcgi_param REMOTE_PORT $remote_port;<br/>fastcgi_param SERVER_ADDR $server_addr;<br/>fastcgi_param SERVER_PORT $server_port;<br/>fastcgi_param SERVER_NAME $server_name;<br/><br/>{{blackBold|# PHP only, required if PHP was built with --enable-force-cgi-redirect}}<br/>fastcgi_param REDIRECT_STATUS 200;<br/><br/>{{blackBold|# Mitigate <nowiki>https://httpoxy.org/</nowiki> vulnerabilities}}<br/>fastcgi_param HTTP_PROXY "";<br/><br/>{{blackBold|# vim: ft{{=}}nginx ts{{=}}4 sw{{=}}4 noet :}}}} | ||
=== SSL/TLS === | |||
Create an SSL config file (SSL/TLS hardening/defaults). | |||
{{Console|1=sudoedit /nginx/conf.d/ssl.conf}} | |||
{{margin}} | |||
{{Console|title=/nginx/conf.d/ssl.conf|prompt=false|1={{blackBold|# $KYAULabs: ssl.conf,v 1.002 2019/07/17 07:47:13 kyau Exp $}}<br/><br/>{{blackBold|## SSL/TLS (<nowiki>https://cipherli.st/</nowiki>)}}<br/>{{blackBold|#ssl_certificate /etc/letsencrypt/live/${server_name}/fullchain.pem;}}<br/>{{blackBold|#ssl_certificate_key /etc/letsencrypt/live/${server_name}/privkey.pem;}}<br/>ssl_dhparam /nginx/ssl/dhparam4096.pem; {{blackBold|# openssl dhparam -out dhparam4096.pem 4096}}<br/>ssl_protocols TLSv1.3; {{blackBold|# Requires nginx >{{=}} 1.13.0}}<br/>ssl_ciphers EECDH+AESGCM:EDH+AESGCM;<br/>ssl_ecdh_curve secp384r1; {{blackBold|# Requires nginx >{{=}} 1.1.0}}<br/>ssl_session_cache shared:SSL:10m;<br/>ssl_session_tickets off; {{blackBold|# Requires nginx >{{=}} 1.5.9}}<br/>ssl_session_timeout 10m;<br/>ssl_stapling on; {{blackBold|# Requires nginx >{{=}} 1.3.7}}<br/>ssl_stapling_verify on; {{blackBold|# Requires nginx >{{=}} 1.3.7}}<br/>ssl_prefer_server_ciphers on;<br/>resolver {{cyanBold|1.1.1.1 1.0.0.1}} valid{{=}}300s; {{blackBold|# Change if you run your own DNS servers}}<br/>resolver_timeout 5s;<br/>add_header Strict-Transport-Security "max-age{{=}}63072000; includeSubDomains; preload" always;<br/>add_header X-Frame-Options DENY;<br/>add_header X-Content-Type-Options nosniff;<br/>add_header X-XSS-Protection "1; mode{{=}}block";<br/><br/>{{blackBold|# vim: ft{{=}}nginx ts{{=}}4 sw{{=}}4 noet :}}}} | |||
Create the {{mono|dhparam}} as indicated above. | |||
{{Console|1=sudo -u http openssl dhparam -out /nginx/ssl/dhparam4096.pem 4096}} | |||
Set permissions properly. | |||
{{Console|1=sudo chmod 660 /nginx/ssl/dhparam4096.pem}} | |||
[[Category:Arch Linux]] | [[Category:Arch Linux]] |
Revision as of 10:11, 3 May 2021
Introduction
NGINX
Before starting, decide whether the web server will use MySQL (i.e. MariaDB) or PostgreSQL.
Begin by installing NGINX, PHP and other required utilities.
# pikaur -S apache-tools composer curl minify nginx php-fpm sassc wget |
Install all of the required PHP extensions.
# pikaur -S php-gd php-geoip php-imagick php-intl php-memcache php-odbc php-sqlite php-sodium xdebug |
Next create the directory tree for the web server. Be aware of the ownership model this sets up: everything under /nginx is owned by http and group-writable (770), and http is also the account the nginx worker processes (Arch default) and every PHP-FPM pool on this page run as. A compromised PHP script can therefore rewrite the nginx configuration, the vhost definitions and the contents of /nginx/ssl. Once setup is finished, consider handing /nginx/conf.d, /nginx/vhosts.d and /nginx/ssl back to root with read-only group access (e.g. root:http, 750 for directories and 640 for files); the nginx master process reads its configuration as root and does not need write access. Only the log directory and the document roots that applications actually write to need to stay writable by http.
# sudo mkdir -p /nginx/conf.d /nginx/https /nginx/logs /nginx/sql /nginx/ssl /nginx/vhosts.d |
# sudo chown -R http:http /nginx |
# sudo chmod -R 770 /nginx |
# sudo chmod 750 /nginx/sql |
# sudo gpasswd -a username http |
Set the default shell for http to Bash. None of the commands on this page require this (`sudo -u http <command>` executes the command directly and works with the stock nologin shell); a login shell on the service account is only needed for `sudo -iu http` style interactive sessions and widens what an attacker holding that account can do, so revert it to /usr/bin/nologin once setup is finished.
# sudo chsh http New shell [/usr/bin/nologin]: /bin/bash |
Database
PostgreSQL
Using postgresql as a back-end will require the following setup and configuration.
# pikaur -S postgresql php-pgsql |
# sudo chown postgres:postgres /nginx/sql |
# sudo gpasswd -a username postgres |
Swap over to the postgresql user account.
# sudo -iu postgres |
Run the database initialization.
# initdb --locale en_US.UTF-8 -E UTF8 -D '/nginx/sql/data' |
Return to the normal user account.
# exit |
Create a systemd drop-in for the service so it uses the new data directory. The drop-in must start with a [Service] header (assignments outside a section are ignored), and because PostgreSQL writes postmaster.pid inside the data directory, PIDFile has to point at /nginx/sql/data/postmaster.pid to match the initdb -D path used above; compare with `systemctl cat postgresql.service` for the stock values.
# sudo systemctl edit postgresql.service |
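[Service]
# The stock Arch unit derives the data directory from ${PGROOT}/data, which
# matches the initdb -D '/nginx/sql/data' run above (verify with
# `systemctl cat postgresql.service` if the unit has changed).
Environment=PGROOT=/nginx/sql
# postmaster.pid is written inside the data directory, not in PGROOT itself.
PIDFile=/nginx/sql/data/postmaster.pid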
Start and enable the systemd service.
# sudo systemctl enable --now postgresql.service |
Swap back over to the postgresql user account.
# sudo -iu postgres |
Create a new postgres user account.
# createuser -P --interactive Enter name of role to add: username Enter password for new role: ******** Enter it again: ******** Shall the new role be a superuser? (y/n) n Shall the new role be allowed to create databases? (y/n) y Shall the new role be allowed to create more new roles? (y/n) n |
MariaDB
Using mariadb as a back-end will require the following setup and configuration.
# pikaur -S mariadb |
# sudo chown mysql:mysql /nginx/sql |
Give the currently logged-in user access.
# sudo gpasswd -a username mysql |
Create and initialize the data directory.
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/nginx/sql |
# sudoedit /etc/my.cnf.d/server.cnf |
# MariaDB server options: point the daemon at the relocated data directory
# (must match the --datadir passed to mariadb-install-db above).
[mysqld]
datadir=/nginx/sql
Start and enable the MySQL service.
# sudo systemctl enable --now mariadb.service |
Secure the installation and set the root password.
# sudo mysql_secure_installation |
The default mysql root password is none |
Connect to mysql using the root account and the password you previously set.
# sudo mysql -u root -p |
Add a new mysql user account. Note that the statement below grants ALL PRIVILEGES ON *.* WITH GRANT OPTION, i.e. it creates a second root-equivalent account; reserve that for the administrator and give each web application its own account limited to its database (`GRANT ALL PRIVILEGES ON app_db.* TO 'app'@'localhost' IDENTIFIED BY '...';`, without GRANT OPTION), so a compromised site cannot read or alter the other databases.
# MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'kyau'@'localhost' \ IDENTIFIED BY 'user_password' WITH GRANT OPTION; |
PHP Configuration
First remove the default pool.
# sudo rm /etc/php/php-fpm.d/www.conf |
Create the defaults for all pools.
# sudoedit /etc/php/php-fpm.d/defaults.inc |
; Shared defaults, pulled in by every pool file in /etc/php/php-fpm.d/ via include.
; $pool expands to the [section] name of the including pool file.
;
; NOTE(review): every pool runs as the same uid/gid (http), so separate pools give
; per-site process limits, sockets and logs but no filesystem isolation between
; sites; one compromised site can read and write the files of the others.
user = http
group = http

; one unix socket per pool; nginx connects as http, hence owner/group http
listen = /run/php-fpm/php-fpm-$pool.sock
listen.owner = http
listen.group = http

; process configuration
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; php.ini changes (php_admin_* values cannot be overridden from scripts via ini_set())
php_admin_flag[expose_php] = off
php_admin_flag[log_errors] = on
php_admin_flag[short_open_tag] = on
php_admin_value[date.timezone] = America/Los_Angeles
; /nginx/logs/<pool>/ must exist and be writable by http - this page does not create it
php_admin_value[error_log] = /nginx/logs/$pool/php.log
php_admin_value[memory_limit] = 256M
; 2 GiB request bodies are accepted; size these to what the sites really need
php_admin_value[post_max_size] = 2048M
; session files are shared by all pools (same uid anyway, see note above)
php_admin_value[session.save_path] = /tmp
php_admin_value[upload_max_filesize] = 2048M
Enable all third-party PHP extensions that were installed by uncommenting their extension= lines in /etc/php/conf.d. The find command must be pointed at that directory (`find /etc/php/conf.d ...`); with `find .` it rewrites whatever .ini files happen to live under the current working directory. The same command also switches on xdebug: xdebug is a development tool and should stay disabled on an internet-facing server, so drop the `-e 's/^;xdebug/xdebug/g'` expression there.
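# sudo find /etc/php/conf.d -type f -name '*.ini' -exec sed -i -e 's/^;extension/extension/g' -e 's/^;zend_extension/zend_extension/g' -e 's/^;xdebug/xdebug/g' {} +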
Enable global PHP extensions.
# sudoedit /etc/php/conf.d/defaults.ini |
; /etc/php/conf.d/defaults.ini - extensions and opcache settings for every SAPI.
; Each extension listed here must have its shared object installed (php-* packages above).
extension=bz2
extension=exif
extension=gd
extension=gettext
extension=gmp
extension=iconv
extension=intl
extension=sodium
extension=mysqli
extension=odbc
extension=pdo_mysql
extension=pdo_odbc
extension=pdo_sqlite
extension=sockets
extension=sqlite3

; opcache
zend_extension=opcache
opcache.enable = 1
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 10000
opcache.memory_consumption = 128
; keep docblock comments in the cache (annotation-based frameworks read them)
opcache.save_comments = 1
; re-check script timestamps at most once per second
opcache.revalidate_freq = 1
Create a php-fpm pool for the domain being setup (use a different pool for each site/domain).
# sudoedit /etc/php/php-fpm.d/domain_com.conf |
; $KYAULabs: domain_com.conf,v 1.0.0 2021/05/01 12:36:14 kyau Exp $
; One pool per site. The section name becomes $pool in defaults.inc and so
; determines the socket path and the log directory for this site.
[domain_com]
include = /etc/php/php-fpm.d/defaults.inc

; environment handed to the workers; clear_env defaults to yes, so only the
; variables listed here are visible to PHP
env[HOSTNAME] = domain.com
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

; vim: ft=dosini sw=4 ts=4 noet:
Be sure to set the file permissions properly.
# sudo chmod 644 /etc/php/conf.d/defaults.ini /etc/php/php-fpm.d/* |
Start and enable the php-fpm service.
# sudo systemctl enable --now php-fpm.service |
NGINX Configuration
Create a blank configuration file. (The nginx master process reads its configuration as root, so these files do not need to be writable by http; 660 http:http lets the worker processes and PHP-FPM, both of which run as http, modify the server configuration. root:http with mode 640 is sufficient once editing is done.)
# sudo install -g http -m 660 -o http /dev/null /nginx/conf.d/nginx.conf |
Copy the MIME types file.
# sudo install -g http -m 660 -o http /etc/nginx/mime.types /nginx/conf.d/mime.types |
Remove the default config in nginx.conf and replace it with an include (to the new config location).
# sudoedit /etc/nginx/nginx.conf |
include /nginx/conf.d/nginx.conf; |
FastCGI
Create a fastcgi_params config file (PHP environmental variable defaults).
# sudoedit /nginx/conf.d/fastcgi_params |
# $KYAULabs: fastcgi_params,v 1.0.5 2021/05/03 17:31:37 kyau Exp $
# CGI/1.1 environment handed to PHP-FPM. Pull it in with
# `include /nginx/conf.d/fastcgi_params;` from each PHP location block.

# request line and body
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

# script location; $request_filename is the on-disk path nginx resolved
# NOTE(review): the PHP location block is not shown on this page. Pair this
# with `try_files $uri =404;` (or set cgi.fix_pathinfo=0 in php.ini) so a
# request such as /uploads/x.jpg/y.php is not handed to PHP, which with the
# default cgi.fix_pathinfo=1 would fall back to executing x.jpg as PHP.
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
# version deliberately left out so PHP applications cannot echo it to clients
#fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param SERVER_SOFTWARE nginx;

# peer and server addresses
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

# Mitigate https://httpoxy.org/ vulnerabilities: a client-supplied "Proxy:"
# request header must never reach PHP as the HTTP_PROXY environment variable
fastcgi_param HTTP_PROXY "";

# vim: ft=nginx ts=4 sw=4 noet :
SSL/TLS
Create an SSL config file (SSL/TLS hardening/defaults).
# sudoedit /nginx/conf.d/ssl.conf |
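# $KYAULabs: ssl.conf,v 1.002 2019/07/17 07:47:13 kyau Exp $

## SSL/TLS (https://cipherli.st/)
## Include this file from every `server { listen 443 ssl; ... }` block.
#ssl_certificate /etc/letsencrypt/live/${server_name}/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/${server_name}/privkey.pem;
# Issuer chain for ssl_stapling_verify: per the nginx docs the verifier needs
# the issuer and root certificates as trusted; check the error log for
# stapling warnings if OCSP responses are not being stapled.
#ssl_trusted_certificate /etc/letsencrypt/live/${server_name}/chain.pem;

ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0

# ssl_dhparam and ssl_ciphers only govern TLSv1.2 handshakes (TLSv1.3 suites
# are fixed and use named groups); they are harmless here and keep sane
# defaults should TLSv1.2 ever be re-enabled for old clients.
ssl_dhparam /nginx/ssl/dhparam4096.pem; # openssl dhparam -out dhparam4096.pem 4096
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_prefer_server_ciphers on;

# Offer X25519 and P-256 as well as P-384. A single-curve list forces every
# client that did not guess it to retry via HelloRetryRequest or fail the
# handshake, for no gain in security. (The list form needs nginx >= 1.11.0
# built against OpenSSL 1.0.2 or later.)
ssl_ecdh_curve X25519:prime256v1:secp384r1; # Requires nginx >= 1.1.0

ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9; no long-lived ticket key, preserves forward secrecy
ssl_session_timeout 10m;

ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 1.1.1.1 1.0.0.1 valid=300s; # Change if you run your own DNS servers
resolver_timeout 5s;

# add_header is NOT inherited into any server/location that declares an
# add_header of its own; repeat these (or include this file) wherever that
# happens, otherwise the headers silently disappear for that context.
# `always` sends the header on error responses too.
# HSTS with `preload` is effectively permanent once submitted to the browser
# preload list: only keep it when every subdomain is served over HTTPS.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
# The XSS auditor has been removed from current browsers and its filtering
# mode could itself be abused; "0" disables it where it still exists.
# A Content-Security-Policy header is the modern replacement.
add_header X-XSS-Protection "0" always;

# vim: ft=nginx ts=4 sw=4 noet :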
Create the dhparam as indicated above. Generating 4096-bit parameters takes several minutes; they are only used by TLSv1.2 DHE cipher suites, so with ssl_protocols TLSv1.3 alone the file is not used by the handshake but keeps the ssl_dhparam directive valid.
# sudo -u http openssl dhparam -out /nginx/ssl/dhparam4096.pem 4096 |
Set permissions. DH parameters are public values, so this is about keeping /nginx/ssl tidy rather than secrecy; the file that must stay unreadable to the http account is the TLS private key referenced from ssl.conf.
# sudo chmod 660 /nginx/ssl/dhparam4096.pem |