This setup allows restrictive chmods, which prevent users from reading the contents of each other's directories and provide a layer of security against raw PHP source being served if PHP-FPM fails. You can set chmod 600 for all `.php` files, chmod 640 for other static files and chmod 710 for directories.

```bash
# obtain the certificate for the site
certbot certonly -d example.com

# dedicated system user for the site, added to the nginx group
useradd -m -d /home/example -s /bin/bash example
usermod -a -G nginx example

# web root: owner has full access, group may only traverse (710), others nothing
su - example -c "mkdir ~/www"
chmod 710 /home/example
chmod 710 /home/example/www

# PHP source is readable by the owner only (600)
su - example -c "echo '' > ~/www/index.php"
chmod 600 /home/example/www/index.php

service nginx restart
service php8.2-fpm restart
```

* FW: open `80/tcp`, `443/tcp`, `443/udp (h3)`
* Test SSL configuration: https://github.com/drwetter/testssl.sh
* Test curl with QUIC: https://curl.se/docs/http3.html (`curl --http3`) - btw. good luck compiling this (took me a few hours)

PS. OCSP is slowly but surely being replaced by revocation lists (CRLs), https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls/, which means that in the near future we will have to abandon OCSP in favor of CRLs, although at the moment nginx only allows pointing to a local PEM file https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl and LE does not yet issue certificates with a CRL entry.
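As an added example that is not part of the original post, a small POSIX shell audit that checks a web root against the 600/640/710 scheme above and lists every path that is looser than allowed. It assumes GNU `stat -c`; the directory tree built by `demo_tree` is constructed for the demo and is not the post's own layout.

```shell
#!/bin/sh
# Allowed permission masks: .php files 600, other files 640, directories 710.
# Prints one "mode path" line for every path with a bit set outside its mask.
perm_violations() {
  root="$1"
  find "$root" -mindepth 1 | while IFS= read -r p; do
    mode=$(stat -c '%a' "$p")          # octal mode, e.g. 644 (GNU stat assumed)
    if [ -d "$p" ]; then
      allowed=710
    else
      case "$p" in
        *.php) allowed=600 ;;
        *)     allowed=640 ;;
      esac
    fi
    # leading 0 makes the shell treat both values as octal in arithmetic
    if [ $(( 0$mode & ~0$allowed )) -ne 0 ]; then
      printf '%s %s\n' "$mode" "$p"
    fi
  done
}

# Number of violations under a root (0 means the tree matches the scheme).
perm_violation_count() {
  perm_violations "$1" | wc -l | tr -d ' '
}

# Constructed sample tree for the demo: one deliberately world-readable PHP file.
demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/www/static"
  : > "$d/www/index.php"; : > "$d/www/config.php"; : > "$d/www/static/app.css"
  chmod 710 "$d/www" "$d/www/static"
  chmod 600 "$d/www/index.php"
  chmod 644 "$d/www/config.php"      # too loose: PHP source readable by others
  chmod 640 "$d/www/static/app.css"
  printf '%s\n' "$d"
}
```

Run `perm_violations /home/example/www` after the setup commands; an empty result means every file and directory is within the scheme.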