NGINX + PHP

From Wiki³

Icon Introduction

Icon NGINX

Beforehand be sure to determine weather the web server will be using MySQL (ie. MariaDB) or PostgreSQL.

Begin by installing NGINX, PHP and other required utilities.

# pikaur -S apache-tools composer curl minify nginx php-fpm sassc wget

Install all of the required PHP extensions.

# pikaur -S php-gd php-geoip php-imagick php-intl php-memcache php-odbc php-sqlite php-sodium xdebug

Next create the environment for the web server.

# sudo mkdir -p /nginx/conf.d /nginx/https /nginx/logs /nginx/sql /nginx/ssl /nginx/vhosts.d
 
# sudo chown -R http:http /nginx
 
# sudo chmod -R 770 /nginx
 
# sudo chmod 750 /nginx/sql
 
# sudo gpasswd -a username http

Set the default shell for http to Bash.

# sudo chsh http
New shell [/usr/bin/nologin]: /bin/bash

Icon Database

PostgreSQL

Using postgresql as a back-end will require the following setup and configuration.

# pikaur -S postgresql php-pgsql
 
# sudo chown postgres:postgres /nginx/sql
 
# sudo gpasswd -a username postgres

Swap over to the postgresql user account.

# sudo -iu postgres

Run the database initialization.

# initdb --locale en_US.UTF-8 -E UTF8 -D '/nginx/sql/data'

Return to the normal user account.

# exit

Modify the systemd service file to reflect the new data directory.

# sudo systemctl edit postgresql.service
 
filename: postgresql.service
Environment=PGROOT=/nginx/sql
PIDFile=/nginx/sql/postmaster.pid

Start and enable the systemd service.

# sudo systemctl enable --now postgresql.service

Swap back over to the postgresql user account.

# sudo -iu postgres

Create a new postgres user account.

# createuser -P --interactive
Enter name of role to add: username
Enter password for new role: ********
Enter it again: ********
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) n

MariaDB

Using mariadb as a back-end will require the following setup and configuration.

# pikaur -S mariadb
 
# sudo chown mysql:mysql /nginx/sql

Give the current logged in user access.

# sudo gpasswd -a username mysql

Create and initialize the data directory.

# mariadb-install-db --user=mysql --basedir=/usr --datadir=/nginx/sql
 
# sudoedit /etc/my.cnf.d/server.cnf
 
filename: /etc/my.cnf.d/server.cnf
[mysqld]
datadir=/nginx/sql

Start and enable the MySQL service.

# sudo systemctl enable --now mariadb.service

Secure the installation and set the root password.

# sudo mysql_secure_installation
IconThe default mysql root password is none

Connect to mysql using the root account and the password you previously set.

# sudo mysql -u root -p

Add a new mysql user account.

# MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'kyau'@'localhost' \
  IDENTIFIED BY 'user_password' WITH GRANT OPTION;

Icon PHP Configuration

First remove the default pool.

# sudo rm /etc/php/php-fpm.d/www.conf

Create the defaults for all pools.

# sudoedit /etc/php/php-fpm.d/defaults.inc
 
filename: /etc/php/php-fpm.d/defaults.inc
user = http
group = http
listen = /run/php-fpm/php-fpm-$pool.sock
listen.owner = http
listen.group = http
; process configuration
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; php.ini changes
php_admin_flag[expose_php] = off
php_admin_flag[log_errors] = on
php_admin_flag[short_open_tag] = on
php_admin_value[date.timezone] = America/Los_Angeles
php_admin_value[error_log] = /nginx/logs/$pool/php.log
php_admin_value[memory_limit] = 256M
php_admin_value[post_max_size] = 2048M
php_admin_value[session.save_path] = /tmp
php_admin_value[upload_max_filesize] = 2048M

Enable all third party PHP extensions that were installed.

# sudo find . -type f -name '*.ini' -exec sed -i -e 's/^;extension/extension/g' \
  -e 's/^;zend_extension/zend_extension/g' -e 's/^;xdebug/xdebug/g' {} +

Enable global PHP extensions.

# sudoedit /etc/php/conf.d/defaults.ini
 
filename: /etc/php/conf.d/defaults.ini
extension=bz2
extension=exif
extension=gd
extension=gettext
extension=gmp
extension=iconv
extension=intl
extension=sodium
extension=mysqli
extension=odbc
extension=pdo_mysql
extension=pdo_odbc
extension=pdo_sqlite
extension=sockets
extension=sqlite3
; opcache
zend_extension=opcache
opcache.enable = 1
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 10000
opcache.memory_consumption = 128
opcache.save_comments = 1
opcache.revalidate_freq = 1

Create a php-fpm pool for the domain being setup (use a different pool for each site/domain).

# sudoedit /etc/php/php-fpm.d/domain_com.conf
 
filename: /etc/php/php-fpm.d/domain_com.conf
; $KYAULabs: domain_com.conf,v 1.0.0 2021/05/01 12:36:14 kyau Exp $

[domain_com]
include = /etc/php/php-fpm.d/defaults.inc
env[HOSTNAME] = domain.com
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

; vim: ft=dosini sw=4 ts=4 noet:

Be sure to set the file permissions properly.

# sudo chmod 644 /etc/php/conf.d/defaults.ini /etc/php/php-fpm.d/*

Start and enable the php-fpm service.

# sudo systemctl enable --now php-fpm.service

Icon NGINX Configuration

Create a blank configuration file.

# sudo install -g http -m 660 -o http /dev/null /nginx/conf.d/nginx.conf

Copy the MIME types file.

# sudo install -g http -m 660 -o http /etc/nginx/mime.types /nginx/conf.d/mime.types

Remove the default config in nginx.conf and replace it with an include (to the new config location).

# sudoedit /etc/nginx/nginx.conf
 
filename: /etc/nginx/nginx.conf
include /nginx/conf.d/nginx.conf;

Create a fastcgi_params file (PHP environmental variable defaults).

# sudoedit /nginx/conf.d/fastcgi_params
 
filename: /nginx/conf.d/fastcgi_params
# $KYAULabs: fastcgi_params,v 1.0.5 2021/05/03 17:31:37 kyau Exp $

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
#fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param SERVER_SOFTWARE nginx;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";

# vim: ft=nginx ts=4 sw=4 noet :