@dhaupin
Last active September 7, 2016 20:11
Server - Nginx default configs for NO-SSL and SSL enabled server blocks - Uses LetsEncrypt and FPM Unix sockets
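server {
    listen 80;
    listen [::]:80;
    server_name EXAMPLE.com www.EXAMPLE.com;

    # Serve ACME HTTP-01 challenges straight from the webroot used by
    # `letsencrypt certonly --webroot -w /home/EXAMPLE/www`, so renewals keep
    # working even when the HTTPS vhost is unhealthy (expired cert, bad config).
    # The original server-level `return 301` ran in the server rewrite phase,
    # before any location is selected, so it had to move into `location /`
    # for this exception to be reachable.
    location ^~ /.well-known/acme-challenge/ {
        root /home/EXAMPLE/www;
        default_type text/plain;
    }

    # Everything else goes to the canonical HTTPS host.
    location / {
        return 301 https://EXAMPLE.com$request_uri;
    }
}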
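server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # www.EXAMPLE.com must be a SAN on this certificate (it is in the
    # `letsencrypt certonly ... -d EXAMPLE.com -d www.EXAMPLE.com` command used
    # for the main block); otherwise browsers see a name mismatch before the
    # redirect is ever sent.
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    # Issuer chain for OCSP stapling: snippets/ssl-params.conf enables
    # ssl_stapling_verify, which needs the issuer certificates to be trusted
    # or the OCSP response fails verification and is not stapled.
    ssl_trusted_certificate /etc/letsencrypt/live/EXAMPLE.com/chain.pem;
    # include the SSL common init (protocols, ciphers, stapling, headers)
    include snippets/ssl-params.conf;
    server_name www.EXAMPLE.com;
    # canonical host is the bare domain
    return 301 https://EXAMPLE.com$request_uri;
}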
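server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Certificate issued with:
    #   letsencrypt certonly --webroot -w /home/EXAMPLE/www -d EXAMPLE.com -d www.EXAMPLE.com
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    # Issuer chain for OCSP stapling: snippets/ssl-params.conf enables
    # ssl_stapling_verify, which needs the issuer certificates to be trusted
    # or the OCSP response fails verification and is not stapled.
    ssl_trusted_certificate /etc/letsencrypt/live/EXAMPLE.com/chain.pem;
    # include the SSL common init (protocols, ciphers, stapling, headers)
    include snippets/ssl-params.conf;
    server_name EXAMPLE.com;
    root /home/EXAMPLE/www;
    # for subfolders use `/subfolder/index.php`
    index index.html index.htm index.php;
    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # ORDER MATTERS. All of the deny rules and the PHP handler are regex
    # locations, and nginx uses the FIRST regex location that matches, in file
    # order. With the deny rules placed after `location ~ \.php$` (as they were),
    # a request for /vendor/x.php, /cache/x.php or /user/x.php matched the PHP
    # handler first and was executed instead of rejected.

    # deny dotfiles anywhere (.git, .htaccess, .env, ...) except the ACME webroot
    location ~ /\.(?!well-known/) { return 403; }
    # deny all direct access for these folders (`.` escaped so it only matches .git)
    location ~* /(\.git|cache|bin|logs|backups)/ { return 403; }
    # deny running scripts inside core system folders
    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny running scripts inside user folder
    location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny access to specific files in the root folder (anchored to the root, dots escaped)
    location ~ ^/(LICENSE|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }

    location ~ \.php$ {
        # Only hand PHP a script that really exists on disk. Without this,
        # /uploads/image.jpg/x.php reaches FPM with
        # SCRIPT_FILENAME=/home/EXAMPLE/www/uploads/image.jpg/x.php and PHP's
        # cgi.fix_pathinfo=1 (the php.ini default) walks back the path and
        # executes image.jpg as PHP.
        try_files $fastcgi_script_name =404;
        fastcgi_pass unix:/run/php/php7.0-fpm-EXAMPLE.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include fastcgi_params;
        # $fastcgi_script_name already starts with "/", so no extra separator
        # (the old `$document_root/$fastcgi_script_name` produced a double slash).
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE: PATH_INFO is not forwarded to PHP, so the $fastcgi_path_info
        # produced by fastcgi_split_path_info above is currently unused.
    }
}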
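server {
    listen 80;
    # Listen on IPv6 too, matching the EXAMPLE.com block below. Without it an
    # IPv6 request for www.EXAMPLE.com has no matching server_name on [::]:80
    # and falls through to the default server there, bypassing this redirect.
    listen [::]:80;
    server_name www.EXAMPLE.com;
    # canonical host is the bare domain
    return 301 http://EXAMPLE.com$request_uri;
}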
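server {
    listen 80;
    listen [::]:80;
    server_name EXAMPLE.com;
    root /home/EXAMPLE/www;
    # for subfolders use `/subfolder/index.php`
    index index.html index.htm index.php;
    charset utf-8;

    location / {
        # Also serves /.well-known/acme-challenge/ for the initial
        # `letsencrypt certonly --webroot -w /home/EXAMPLE/www` run.
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # ORDER MATTERS. All of the deny rules and the PHP handler are regex
    # locations, and nginx uses the FIRST regex location that matches, in file
    # order. With the deny rules placed after `location ~ \.php$` (as they were),
    # a request for /vendor/x.php, /cache/x.php or /user/x.php matched the PHP
    # handler first and was executed instead of rejected.

    # deny dotfiles anywhere (.git, .htaccess, .env, ...) except the ACME webroot
    location ~ /\.(?!well-known/) { return 403; }
    # deny all direct access for these folders (`.` escaped so it only matches .git)
    location ~* /(\.git|cache|bin|logs|backups)/ { return 403; }
    # deny running scripts inside core system folders
    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny running scripts inside user folder
    location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny access to specific files in the root folder (anchored to the root, dots escaped)
    location ~ ^/(LICENSE|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }

    location ~ \.php$ {
        # Only hand PHP a script that really exists on disk. Without this,
        # /uploads/image.jpg/x.php reaches FPM with
        # SCRIPT_FILENAME=/home/EXAMPLE/www/uploads/image.jpg/x.php and PHP's
        # cgi.fix_pathinfo=1 (the php.ini default) walks back the path and
        # executes image.jpg as PHP.
        try_files $fastcgi_script_name =404;
        fastcgi_pass unix:/run/php/php7.0-fpm-EXAMPLE.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include fastcgi_params;
        # $fastcgi_script_name already starts with "/", so no extra separator
        # (the old `$document_root/$fastcgi_script_name` produced a double slash).
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE: PATH_INFO is not forwarded to PHP, so the $fastcgi_path_info
        # produced by fastcgi_split_path_info above is currently unused.
    }
}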
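# snippets/ssl-params.conf -- shared TLS settings, included from every
# `listen 443 ssl` server block.
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# https://gist.github.com/plentz/6737338

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and dropped here; this cuts off very
# old clients (e.g. Android 4.3, IE 10 era). Add TLSv1.3 to this list once nginx
# >= 1.13 is built against OpenSSL >= 1.1.1 -- on older builds the value is
# rejected by `nginx -t`.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# AEAD (GCM) suites first, then AES-256 CBC fallbacks. Only ECDHE/EDH key
# exchange is listed, so every suite gives forward secrecy.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# A single curve is pinned. Newer nginx/OpenSSL accept a list such as
# "X25519:secp384r1" if you want the faster curve offered first.
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
# Tickets off: a long-lived ticket key weakens forward secrecy, and nginx does
# not rotate it for you.
ssl_session_tickets off;
# OCSP stapling. For ssl_stapling_verify to succeed the issuer chain must be
# trusted: set `ssl_trusted_certificate /etc/letsencrypt/live/<site>/chain.pem;`
# in each server block next to ssl_certificate, otherwise the OCSP response
# fails verification, nginx logs a warning and nothing is stapled.
ssl_stapling on;
ssl_stapling_verify on;
# Resolver for the OCSP responder lookups. These are plain-DNS queries to
# Google; point this at a local/trusted resolver if that is a concern.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# HSTS is currently OFF entirely (both lines are commented), so the 80 -> 443
# redirect alone gives no protection against SSL-stripping. Enable the
# non-preload line once the site is staying on TLS: this setup still swaps
# between the no-SSL and SSL templates, and HSTS pins browsers to HTTPS for
# max-age (two years here). Only add "preload" if you understand that
# submission to the preload list is effectively permanent for the domain and
# all subdomains.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
# `always` makes these headers apply to error responses (403/404) as well;
# without it nginx only adds them to 2xx/3xx responses.
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
# Custom DH group for the EDH suites above. To generate:
#   openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
ssl_dhparam /etc/ssl/certs/dhparam.pem;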
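[EXAMPLE]
; The pool runs as the site account, so a compromised app can only touch that
; user's files and not other sites on the same host.
user = EXAMPLE
group = EXAMPLE
; Per-site socket; referenced by `fastcgi_pass` in the nginx server block.
listen = /run/php/php7.0-fpm-EXAMPLE.sock
; nginx (www-data) must be able to connect to the socket while the workers
; themselves still run as EXAMPLE. 0660 is the FPM default; it is spelled out
; so the socket is never left world-accessible by a changed default.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; Only execute files ending in .php even if nginx forwards something else.
; This is the FPM default, made explicit.
security.limit_extensions = .php
; Do not let PHP "repair" a non-existent SCRIPT_FILENAME by walking back the
; path (/img.jpg/x.php -> executes img.jpg). The nginx config does not pass
; PATH_INFO, so nothing in this setup depends on fix_pathinfo; remove this
; line only if the application needs PATH_INFO.
php_admin_value[cgi.fix_pathinfo] = 0
; ondemand: workers are forked on demand and reaped after process_idle_timeout.
pm = ondemand
pm.max_children = 6
; start_servers / min_spare_servers / max_spare_servers only apply to
; pm = dynamic and are ignored while pm = ondemand.
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.process_idle_timeout = 10s
; Recycle a worker after 300 requests to bound leaks in long-lived processes.
pm.max_requests = 300
chdir = /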
dhaupin commented Aug 26, 2016

# su

{as root user -- `--shell /bin/false` means the site account can never log in interactively; `su -s /bin/bash` overrides that shell for this one session only}
# adduser --shell /bin/false EXAMPLE && su -s /bin/bash EXAMPLE

{as EXAMPLE user}
# mkdir -p ~/www/.well-known

{ctrl-D to switch to root}
# cp /etc/php/7.0/fpm/pool.d/template.conf.bak /etc/php/7.0/fpm/pool.d/EXAMPLE.conf && vim $_

{edit site for HTTP mode}
# cp /etc/nginx/sites-available/template.nossl.bak /etc/nginx/sites-available/EXAMPLE.nossl.bak && vim $_
# cp /etc/nginx/sites-available/EXAMPLE.nossl.bak /etc/nginx/sites-available/EXAMPLE
# cd /etc/nginx/sites-enabled/ && ln -s ../sites-available/EXAMPLE

{make it live}
{turn off CloudFlare proxying for the host, or at least disable its SSL, HSTS and Page Rules, so the HTTP-01 challenge request reaches this server directly over plain HTTP}
# nginx -t && service php7.0-fpm restart && service nginx reload
{chain on `nginx -t` so a config error aborts before anything is restarted; `reload` is enough for an nginx config change and keeps open connections}

{make sure DNS is pointed and the .well-known folder is accessible to Let's Encrypt -- nginx (www-data) must be able to read /home/EXAMPLE/www/.well-known}
# letsencrypt certonly --webroot -w /home/EXAMPLE/www -d EXAMPLE.com -d www.EXAMPLE.com
{the certificate is valid for 90 days: schedule `letsencrypt renew` (cron or a systemd timer) and reload nginx afterwards so the renewed certificate is picked up}

{edit site for SSL mode}
# cp /etc/nginx/sites-available/template.bak /etc/nginx/sites-available/EXAMPLE.bak && vim $_
# cp /etc/nginx/sites-available/EXAMPLE.bak /etc/nginx/sites-available/EXAMPLE

{make it live}
# nginx -t && service php7.0-fpm restart && service nginx reload
{again chained on `nginx -t`; a broken SSL template is otherwise loaded anyway by the unconditional restart}
