c0m4r · November 3, 2024 09:53 · Nov 3, 2024 · Nov 3, 2024 · Nov 3, 2024 · Oct 21, 2024
diff --git a/nginx_vhost.conf b/nginx_vhost.conf
@@ -1,4 +1,5 @@
 # nginx/1.26.2 --with-http_v2_module --with-http_v3_module
+# TLS 1.3 ONLY
 
 server {
     listen 80 default_server;

diff --git a/_nginx_ssl_php_fpm_certbot.md b/_nginx_ssl_php_fpm_certbot.md
@@ -17,4 +17,4 @@ service php8.2-fpm restart
 * Test SSL configuration: https://github.com/drwetter/testssl.sh
 * Test curl with quic: https://curl.se/docs/http3.html (`curl --http3`) - btw. good luck compiling this (took me a few hours)
 
-PS. OCSP is being slowly but surely replaced by revocation lists (CRLS),  https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls/ which means that in the near future we will have to abandon OCSP in favor of CRLS, although at the moment nginx only allows pointing to a local PEM file https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl
+PS. OCSP is being slowly but surely replaced by revocation lists (CRLS),  https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls/ which means that in the near future we will have to abandon OCSP in favor of CRLS, although at the moment nginx only allows pointing to a local PEM file https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl and LE does not yet issue certificates with CRLS entry
diff --git a/_nginx_ssl_php_fpm_certbot.md b/_nginx_ssl_php_fpm_certbot.md
@@ -15,4 +15,6 @@ service php8.2-fpm restart
 
 * FW: open `80/tcp`, `443/tcp`, `443/udp (h3)`
 * Test SSL configuration: https://github.com/drwetter/testssl.sh
-* Test curl with quic: https://curl.se/docs/http3.html (`curl --http3`)
+* Test curl with quic: https://curl.se/docs/http3.html (`curl --http3`) - btw. good luck compiling this (took me a few hours)
+
+PS. OCSP is being slowly but surely replaced by revocation lists (CRLS),  https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls/ which means that in the near future we will have to abandon OCSP in favor of CRLS, although at the moment nginx only allows pointing to a local PEM file https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl
diff --git a/_nginx_ssl_php_fpm_certbot.md b/_nginx_ssl_php_fpm_certbot.md
@@ -15,8 +15,4 @@ service php8.2-fpm restart
 
 * FW: open `80/tcp`, `443/tcp`, `443/udp (h3)`
 * Test SSL configuration: https://github.com/drwetter/testssl.sh
-* Test curl with quic: https://curl.se/docs/http3.html (`curl --http3`)
-
-```
-./configure LDFLAGS=-Wl,-rpath,/root/curl-http3/quiche/target/release --with-openssl=/root/curl-http3/quiche/quiche/deps/boringssl/src --with-quiche=/root/curl-http3/quiche/target/release --with-nghttp2 --with-zlib
-```
+* Test curl with quic: https://curl.se/docs/http3.html (`curl --http3`)
diff --git a/nginx_vhost.conf b/nginx_vhost.conf
@@ -1,3 +1,5 @@
+# nginx/1.26.2 --with-http_v2_module --with-http_v3_module
+
 server {
     listen 80 default_server;
     listen [::]:80 default_server;

diff --git a/_nginx_ssl_php_fpm_certbot.md b/_nginx_ssl_php_fpm_certbot.md
@@ -13,6 +13,7 @@ service nginx restart
 service php8.2-fpm restart
 ```
 
+* FW: open `80/tcp`, `443/tcp`, `443/udp (h3)`
 * Test SSL configuration: https://github.com/drwetter/testssl.sh
 * Test curl with quic: https://curl.se/docs/http3.html (`curl --http3`)
 

diff --git a/_nginx_ssl_php_fpm_certbot.md b/_nginx_ssl_php_fpm_certbot.md
@@ -14,4 +14,8 @@ service php8.2-fpm restart
 ```
 
 * Test SSL configuration: https://github.com/drwetter/testssl.sh
-* Test curl with quic: https://curl.se/docs/http3.html (`curl --http3`
+* Test curl with quic: https://curl.se/docs/http3.html (`curl --http3`)
+
+```
+./configure LDFLAGS=-Wl,-rpath,/root/curl-http3/quiche/target/release --with-openssl=/root/curl-http3/quiche/quiche/deps/boringssl/src --with-quiche=/root/curl-http3/quiche/target/release --with-nghttp2 --with-zlib
+```
diff --git a/nginx_configure.sh b/nginx_configure.sh
@@ -1,41 +0,0 @@
-./configure \
---prefix=/etc/nginx \
---sbin-path=/usr/sbin/nginx \
---modules-path=/usr/lib/nginx/modules \
---conf-path=/etc/nginx/nginx.conf \
---error-log-path=/var/log/nginx/error.log \
---http-log-path=/var/log/nginx/access.log \
---pid-path=/var/run/nginx.pid \
---lock-path=/var/run/nginx.lock \
---http-client-body-temp-path=/var/cache/nginx/client_temp \
---http-proxy-temp-path=/var/cache/nginx/proxy_temp \
---http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
---http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
---http-scgi-temp-path=/var/cache/nginx/scgi_temp \
---user=nginx \
---group=nginx \
---with-compat \
---with-file-aio \
---with-threads \
---with-http_addition_module \
---with-http_auth_request_module \
---with-http_dav_module \
---with-http_flv_module \
---with-http_gunzip_module \
---with-http_gzip_static_module \
---with-http_mp4_module \
---with-http_random_index_module \
---with-http_realip_module \
---with-http_secure_link_module \
---with-http_slice_module \
---with-http_ssl_module \
---with-http_stub_status_module \
---with-http_sub_module \
---with-http_v2_module \
---with-http_v3_module \
---with-mail \
---with-mail_ssl_module \
---with-stream \
---with-stream_realip_module \
---with-stream_ssl_module \
---with-stream_ssl_preread_module

diff --git a/_nginx_ssl_php_fpm_certbot.md b/_nginx_ssl_php_fpm_certbot.md
@@ -1,3 +1,5 @@
+This setup allows restrictive chmods, which prevents users for reading the conents of each others directories and provides a layer of security against reading raw PHP code in case of FPM failure. You can set chmod 600 for all .php files and chmod 640/710 for any other static files/dirs.
+
 ```bash
 certbot certonly -d example.com
 useradd -m -d /home/example -s /bin/bash example
@@ -9,4 +11,7 @@ su - example -c "echo '<?php echo time(); ?>' > ~/www/index.php"
 chmod 600 /home/example/www/index.php
 service nginx restart
 service php8.2-fpm restart
-```
+```
+
+* Test SSL configuration: https://github.com/drwetter/testssl.sh
+* Test curl with quic: https://curl.se/docs/http3.html (`curl --http3`
diff --git a/_nginx_ssl_php_fpm_certbot.md b/_nginx_ssl_php_fpm_certbot.md
@@ -0,0 +1,12 @@
+```bash
+certbot certonly -d example.com
+useradd -m -d /home/example -s /bin/bash example
+usermod -a -G nginx example
+su - example -c "mkdir ~/www"
+chmod 710 /home/example
+chmod 710 /home/example/www
+su - example -c "echo '<?php echo time(); ?>' > ~/www/index.php"
+chmod 600 /home/example/www/index.php
+service nginx restart
+service php8.2-fpm restart
+```
diff --git a/fpm_pool_example.conf b/fpm_pool_example.conf
@@ -0,0 +1,11 @@
+[example]
+user = example
+group = example
+listen = /run/php/php8.2-fpm.sock
+listen.owner = nginx
+listen.group = nginx
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
diff --git a/configure.sh → nginx_configure.sh b/configure.sh → nginx_configure.sh
diff --git a/default.conf → nginx_vhost.conf b/default.conf → nginx_vhost.conf
@@ -16,7 +16,7 @@ server {
     http3 on;
     ssl_early_data on;
 
-    root /var/www/example;
+    root /home/example/www;
 
     location / {
         deny all;
@@ -30,19 +30,7 @@ server {
     location ~ ^/index.php$ {
         allow all;
         include fastcgi.conf;
-        fastcgi_pass unix:/var/run/php/php8.2-ipinfo-fpm.sock;
-    }
-
-    location ~ ^/(favicon.ico|icon.png|icon\-144.png|icon\-512.png)$ {
-        allow all;
-    }
-
-    location ~ ^/(manifest.json|js/navigator.js|css/style.css)$ {
-        allow all;
-    }
-
-    location ~ ^/vendor/twbs/bootstrap/dist/css/bootstrap.min.(css|css.map)$ {
-        allow all;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
     }
 
     ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

diff --git a/configure.sh b/configure.sh
@@ -0,0 +1,41 @@
+./configure \
+--prefix=/etc/nginx \
+--sbin-path=/usr/sbin/nginx \
+--modules-path=/usr/lib/nginx/modules \
+--conf-path=/etc/nginx/nginx.conf \
+--error-log-path=/var/log/nginx/error.log \
+--http-log-path=/var/log/nginx/access.log \
+--pid-path=/var/run/nginx.pid \
+--lock-path=/var/run/nginx.lock \
+--http-client-body-temp-path=/var/cache/nginx/client_temp \
+--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
+--user=nginx \
+--group=nginx \
+--with-compat \
+--with-file-aio \
+--with-threads \
+--with-http_addition_module \
+--with-http_auth_request_module \
+--with-http_dav_module \
+--with-http_flv_module \
+--with-http_gunzip_module \
+--with-http_gzip_static_module \
+--with-http_mp4_module \
+--with-http_random_index_module \
+--with-http_realip_module \
+--with-http_secure_link_module \
+--with-http_slice_module \
+--with-http_ssl_module \
+--with-http_stub_status_module \
+--with-http_sub_module \
+--with-http_v2_module \
+--with-http_v3_module \
+--with-mail \
+--with-mail_ssl_module \
+--with-stream \
+--with-stream_realip_module \
+--with-stream_ssl_module \
+--with-stream_ssl_preread_module
diff --git a/default.conf b/default.conf
@@ -0,0 +1,66 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    listen 443 quic reuseport;
+    listen [::]:443 quic reuseport;
+    http2 on;
+    http3 on;
+    ssl_early_data on;
+
+    root /var/www/example;
+
+    location / {
+        deny all;
+    }
+
+    location = / {
+        allow all;
+        index index.php;
+    }
+
+    location ~ ^/index.php$ {
+        allow all;
+        include fastcgi.conf;
+        fastcgi_pass unix:/var/run/php/php8.2-ipinfo-fpm.sock;
+    }
+
+    location ~ ^/(favicon.ico|icon.png|icon\-144.png|icon\-512.png)$ {
+        allow all;
+    }
+
+    location ~ ^/(manifest.json|js/navigator.js|css/style.css)$ {
+        allow all;
+    }
+
+    location ~ ^/vendor/twbs/bootstrap/dist/css/bootstrap.min.(css|css.map)$ {
+        allow all;
+    }
+
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header X-Frame-Options DENY;
+    add_header Alt-Svc 'h3=":443"; ma=86400';
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
+
+    resolver 9.9.9.9;
+}
No results found