$ prt-get depinst nginx
Allow minimal privileges via mount options, view /etc/fstab;
UID=xxxxx-xxx-xxx-xxx-xxxxxxxx /srv/www ext4 defaults,nosuid,noexec,nodev,noatime 1 2
Add user nginx to www group;
# usermod -a -G www nginx
Change default home directory of nginx user;
# usermod -m -d /srv/www nginx
Create configuration directory's for better organization;
$ sudo mkdir /etc/nginx/conf.d
$ sudo mkdir /etc/nginx/sites-enable
$ sudo mkdir /etc/nginx/sites
Example of nginx location block on public pmwiki setup;
#ACME challenge
location ^~ /.well-known {
allow all;
alias /srv/www/c9-pmwiki/pub/cert/.well-known/;
default_type "text/plain";
try_files $uri =404;
}
First run dryrun to test if everything is ok;
# certbot certonly --dry-run --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
# certbot certonly --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
Certificates allow a more secure connection. Lets create self-signed certificate;
Create private key;
$ sudo openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048
Password:
Generating RSA private key, 2048 bit long modulus
..............................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for /etc/ssl/keys/nginx.key:
Verifying - Enter pass phrase for /etc/ssl/keys/nginx.key:
Create ceritificate signing request. For "Common Name" provide domain name or ip address, leave challange password and optional company name blank;
$ sudo openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr
Enter pass phrase for /etc/ssl/keys/nginx.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:core.privat-network.net
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
Having password is a good idea, but requires it every time nginx is restarted. To remove;
$ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
$ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
Enter pass phrase for /etc/ssl/keys/nginx.key.pass:
writing RSA key
$ sudo chown nginx /etc/ssl/keys/nginx.key*
$ sudo chmod 0600 /etc/ssl/keys/nginx.key*
# chmod 644 /etc/ssl/certs/exim.cert
Sign SSL cetificate;
$ sudo openssl x509 -req -days 365 \
-in /etc/ssl/certs/nginx.csr \
-signkey /etc/ssl/keys/nginx.key \
-out /etc/ssl/certs/nginx.crt
Signature ok
subject=/C=PT/ST=Some-State/O=Internet Widgits Pty Ltd/CN=core.privat-network.net
Getting Private key
Enter pass phrase for /etc/ssl/keys/nginx.key:
$ sudo chown nginx:nginx /etc/ssl/keys/nginx.key*
$ sudo chmod 0600 /etc/ssl/keys/nginx.key*
$ sudo chmod 644 /etc/ssl/certs/nginx.crt
Read nginx pitfalls, for more information about optimization digitalocean,
Number of worker_processes must be equal or less than the number of available cpu cores. This is set to auto.
$ nproc
2
Number of worker_connections must be equal or less than the number file-size writing limit, you can get it by;
$ nlimit -n
1024
Example of http block with ssl configured;
#
# /etc/nginx/nginx.conf - nginx server configuration
#
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
# ssl on;
ssl_certificate /etc/ssl/certs/nginx.crt;
ssl_certificate_key /etc/ssl/keys/nginx.key;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
client_body_timeout 12;
client_header_timeout 12;
send_timeout 65;
gzip on;
gzip_vary on;
#gzip_proxied any;
gzip_comp_level 9;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*.conf;
}
# End of file
To debug configurations check logs and;
nginx -V
Install php and setup php.ini as development mode;
$ sudo prt-get depinst php php-fpm php-gd php-pdo-pgsql php-postgresql
Setup php ini in development mode;
$ sudo cp /etc/php/php.ini-development /etc/php/php.ini
$ php --ini
Configuration File (php.ini) Path: /etc/php
Loaded Configuration File: /etc/php/php.ini
Scan for additional .ini files in: /etc/php/conf.d
Additional .ini files parsed: /etc/php/conf.d/extensions.ini,
/etc/php/conf.d/pdo_pgsql.ini
Server (virtual host) with pmwiki and flyspray, check /etc/nginx/sites for more examples. Install pmwiki and flyspray;
$ sudo prt-get depinst pmwiki flyspray
This server is configured in a way that root serves pmwiki and /tasks serves flyspray. In order to flyspray to link correctly change index is needed;
server {
listen 443 ssl;
# listen [::]:443 ssl;
server_name c9.core;
root /srv/www/default;
location /distfiles {
alias /usr/ports/distfiles;
}
location /tasks {
index index.php;
alias /srv/www/default/flyspray;
try_files $uri $uri/ index.php$is_args$args;
}
location ~ ^/tasks(.+\.php)$ {
alias /srv/www/default/flyspray;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
try_files $uri /index.php =404;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$1;
# fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
}
location / {
alias /srv/www/default/pmwiki/;
index pmwiki.php
try_files $uri $uri/ /pmwiki.php$is_args$args;
}
location ~ \.php$ {
alias /srv/www/default/pmwiki;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index pmwiki.php;
try_files $uri /pmwiki.php =404;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
}
}
Change /srv/www/default/flyspray/index.php to;
<?php
/*
This is the main script that everything else is included
in. Mostly what it does is check the user permissions
to see what they have access to.
*/
define('IN_FS', true);
$_SERVER['SCRIPT_NAME'] = "/bug/index.php";
require_once(dirname(__FILE__).'/header.php');
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/public_html$2;
index index.html index.htm;
autoindex on;
}
Directories should have 644 or 664 and files chmod 755 or 775;
$ sudo find . -type f -print0 | xargs -0 chmod 644
$ sudo find . -type d -print0 | xargs -0 chmod 755
$ sudo grep "login" /var/log/nginx/access.log
$ sudo grep "etc/passwd" /var/log/nginx/access.log
$ sudo egrep -i "denied|error|warn" /var/log/nginx/error.log
Tools Index
This is part of the c9-doc Manual. Copyright (C) 2016 c9 team. See the file Gnu Free Documentation License for copying conditions.