Setting up a secure Nginx+PHP-FPM installation for IPS4


5 minutes ago, Makoto said:

Can you post your Nginx configuration for your IPS installation, and can you verify that rewrite rules are indeed not working when this is enabled (ignoring the warning)?

My server was set up by somebody else and I don't have a specific config file for the domain; it uses the default (mydomainexample.com is my domain; I've hidden the name for personal reasons). I was told to move my files to /forums instead of root so that I achieve what I'm looking for, and I had to enable rewriting URLs, which doesn't seem to be working.

 

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.php index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
	}


	# pass PHP scripts to FastCGI server
	#
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
	#
		# With php-fpm (or other unix sockets):
		fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

server {
	listen 80 ;
	listen [::]:80 ;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.php index.html index.htm index.nginx-debian.html;
    server_name mydomainexample.com www.mydomainexample.com; # managed by Certbot


	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
	#
		# With php-fpm (or other unix sockets):
		fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomainexample.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomainexample.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}

 

Edited by 6ichem

  • 2 years later...

Late to this topic (by about 2 years) but if wanting to set up nginx with IPS, I'd STRONGLY recommend looking at CentMin Mod and CentMin 7 (not 8). There is also a new BETA version being worked on for AlmaLinux since CentOS is reaching EOL in the near future.

The only major thing you have to change is the "try_files" for IPS... and it is an easy edit.
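
The try_files change mentioned above, applied to the configuration posted earlier in this thread, as an added example that is not part of the original posts. It assumes the IPS files sit in /var/www/html/forums and are served at /forums/, and that IPS resolves friendly URLs through its own index.php; the sample URL in the comment is constructed.

```nginx
# Goes inside the existing "server { ... }" block for mydomainexample.com.

# Before (Debian default): a friendly URL such as /forums/topic/123-example/
# is neither a file nor a directory on disk, so nginx answers 404 and the
# request never reaches IPS.
#location / {
#	try_files $uri $uri/ =404;
#}

# After: anything under /forums/ that is not a real file or directory is
# handed to the IPS front controller instead of returning 404.
location /forums/ {
	try_files $uri $uri/ /forums/index.php;
}

# Everything outside /forums/ keeps the strict default.
location / {
	try_files $uri $uri/ =404;
}

# PHP handler, unchanged from the posted config. The internal redirect to
# /forums/index.php lands here because regex locations are checked before
# the /forums/ prefix match is used. Debian's snippets/fastcgi-php.conf
# contains "try_files $fastcgi_script_name =404;", so only scripts that
# exist on disk are passed to PHP-FPM.
location ~ \.php$ {
	include snippets/fastcgi-php.conf;
	fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
}
```

Running `nginx -t` before reloading catches syntax errors in the edited file.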

 


On 2/25/2023 at 5:31 AM, Tracy Perry said:

Late to this topic (by about 2 years) but if wanting to set up nginx with IPS, I'd STRONGLY recommend looking at CentMin Mod and CentMin 7 (not 8). There is also a new BETA version being worked on for AlmaLinux since CentOS is reaching EOL in the near future.

The only major thing you have to change is the "try_files" for IPS... and it is an easy edit.

 

CentMin equivalent for Debian? Installing this stuff is not an issue, but setting it up the correct way in nginx is a little bit of a challenge, as I am not familiar with nginx or php fpm.

Something like Apache / php -> Nginx / php fpm - default configuration would be helpful, if any experienced admin can help. 

Edited by AlexJ

On 2/27/2023 at 1:25 PM, AlexJ said:

CentMin equivalent for Debian? Installing this stuff is not an issue, but setting it up the correct way in nginx is a little bit of a challenge, as I am not familiar with nginx or php fpm.

You won't see a Debian version of CentMin Mod. The developer is pretty much set in the Redhat style environment... and honestly, I've had WAY less issues with CentOS/AlmaLinux than I EVER did Debian/Ubuntu.

Is there a reason you are stuck on Debian/Ubuntu? About all I use Ubuntu/Debian for any longer is on my Raspberry Pi 4's or similar for my astrophotography stuff.


3 hours ago, Makoto said:

I've been using Debian for the last 10+ years on all of my production servers and have never had any OS or distribution related issues.

 

+1. 

6 hours ago, Tracy Perry said:

Is there a reason you are stuck on Debian/Ubuntu?

As Makoto said, no issues for me on any of my dedicated servers since 2007. Each upgrade has been smooth and I prefer Debian because I always get security patches quickly, plus 3rd party repo support is very good, except centmin.


Red Hat based distros have one big advantage: they have 10 years of long-term support, while Debian has only 5 years.
At least for me, that matters a lot.

Regarding 3rd party repos, security patches, etc, they also have all that.
From my experience on working with some Linux Distros, Red Hat distros are the most stable ones. 

Edited by RevengeFNF

I think LTS is more important for enterprise, but yes, it's one advantage to consider. Upgrading at a large scale can be expensive and LTS is more important then. As I just manage my servers myself, needing to upgrade once every 5 years is not really an issue.

Both have good 3rd party repo support and both are quick to release security patches.

Personally speaking, I've had more stability and compatibility issues for my needs with CentOS than Debian any time I've had to use it, but it's really a matter of personal preference, both are fine, neither is better than the other in any significant way outside of maybe LTS.

If you're contemplating between the two on a new system, try working with both in a virtualized environment for a bit and see which you think feels better to you. Both are well supported and widely used.

Edited by Makoto
