nginx ssl + ocsp + http/2 + quic + php-fpm + certbot

_nginx_ssl_php_fpm_certbot.md

This setup allows restrictive chmods, which prevents users for reading the conents of each others directories and provides a layer of security against reading raw PHP code in case of FPM failure. You can set chmod 600 for all .php files and chmod 640/710 for any other static files/dirs.

certbot certonly -d example.com
useradd -m -d /home/example -s /bin/bash example
usermod -a -G nginx example
su - example -c "mkdir ~/www"
chmod 710 /home/example
chmod 710 /home/example/www
su - example -c "echo '<?php echo time(); ?>' > ~/www/index.php"
chmod 600 /home/example/www/index.php
service nginx restart
service php8.2-fpm restart

• FW: open 80/tcp, 443/tcp, 443/udp (h3)
• Test SSL configuration: https://github.com/drwetter/testssl.sh
• Test curl with quic: https://curl.se/docs/http3.html (curl --http3) - btw. good luck compiling this (took me a few hours)

PS. OCSP is being slowly but surely replaced by revocation lists (CRLS), https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls/ which means that in the near future we will have to abandon OCSP in favor of CRLS, although at the moment nginx only allows pointing to a local PEM file https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl and LE does not yet issue certificates with CRLS entry

fpm_pool_example.conf

[example]
user = example
group = example
listen = /run/php/php8.2-fpm.sock
listen.owner = nginx
listen.group = nginx
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

nginx_vhost.conf

# nginx/1.26.2 --with-http_v2_module --with-http_v3_module
# TLS 1.3 ONLY

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    http2 on;
    http3 on;
    ssl_early_data on;

    root /home/example/www;

    location / {
        deny all;
    }

    location = / {
        allow all;
        index index.php;
    }

    location ~ ^/index.php$ {
        allow all;
        include fastcgi.conf;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    }

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY;
    add_header Alt-Svc 'h3=":443"; ma=86400';

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    resolver 9.9.9.9;
}