Need safe nginx config, ssl + php5-fpm.
MikePT Moderator, Patron Provider, Veteran
edited October 2015 in Help

Hello,

I've had a pretty nice config but lost it when I deactivated one of my VPSes.

I need an http config: port 80 redirects to https (and to the domain without "www"); then https, port 443, should load the cert, include the php5-fpm params, and should be safe as well against weak ciphers, etc.

Can anyone help? I'd appreciate it!

Comments

  • I'm not too familiar with any of those things, but this is what I use:

    server {
        listen 80;
        server_name ...;
        rewrite ^ https://$server_name$request_uri? permanent;
    }
    server {
        listen 443;
        root ...;
    
        server_name ...;
    
        index index.html index.php;
    
        location ~ \.php$ {
            try_files $uri /index.php =404;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    
        ssl on;
        ssl_certificate ...;
        ssl_certificate_key ...;
    
        ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
    
        ssl_prefer_server_ciphers on;
    }

    This is what I've come up with after reading a bunch of tutorials and stackoverflow answers.

  • MikePT Moderator, Patron Provider, Veteran

    @drazilox said:
    > I'm not too familiar with any of those things, but this is what I use:
    >
    > server {
    >     listen 80;
    >     server_name ...;
    >     rewrite ^ https://$server_name$request_uri? permanent;
    > }
    > server {
    >     listen 443;
    >     root ...;
    > 
    >     server_name ...;
    > 
    >     index index.html index.php;
    > 
    >     location ~ \.php$ {
    >         try_files $uri /index.php =404;
    >         fastcgi_pass unix:/var/run/php5-fpm.sock;
    >         fastcgi_index index.php;
    >         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    >         include fastcgi_params;
    >     }
    > 
    >     ssl on;
    >     ssl_certificate ...;
    >     ssl_certificate_key ...;
    > 
    >     ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    > 
    >     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    >     ssl_session_cache shared:SSL:10m;
    > 
    >     ssl_prefer_server_ciphers on;
    > }
    >
    > This is what I've come up with after reading a bunch of tutorials and stackoverflow answers.

    Looks pretty good, @drazilox, thank you for sharing!

    Anyone else can improve it? Any suggestions?

  • drazilox Member
    edited October 2015

    Oh yeah, that doesn't forward www to non-www, but that should be pretty easy to accomplish. A quick Google search will probably yield some good stackoverflow answers :)

    EDIT: Also, if you're interested in more ssl with nginx, I recommend reading @Raymii's blog post. https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

    Thanked by 1MikePT
  • For port 80 to 443 use return instead of rewrite.

    Also don't use $server_name. Nothing inherently wrong with it, but since you want non-www, just have the port 80 setup be the default (or use .yourdomain.tld to match with and without the www) and redirect to the non-www SSL.

    You'll also need to handle www in the port 443 part with either an if or a separate config.

    (Excuse the brevity, I'm on mobile.)

    Thanked by 2MikePT drazilox
  • MikePT Moderator, Patron Provider, Veteran

    Thank you both! :)

  • centminmod ??

    @eva2000's script includes a safe SSL config when entering option no. 2
    http://centminmod.com/nginx_domain_dns_setup.html#vhost

  • I know it ain't perfect but you can try forking and modifying my config.

    Thanked by 2MikePT Fusl
  • MikePT Moderator, Patron Provider, Veteran

    @Nomad said:
    I know it ain't perfect but you can try forking and modifying my config.

    Thanks! :)

  • @Nomad: That's an amazing template!

    Some suggestions:

    • Limit the type of HTTP request in the server block,

      if ($request_method !~ ^(GET|HEAD|POST)$ ) {
      return 444;
      }

    • Add deferred to the SPDY line

      listen 443 ssl spdy deferred;

    • Rate limit incoming with limit_req_zone

    I also restrict client_max_body_size because I have fairly predictable message sizes, but YMMV.

    Thanked by 1Nomad
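    An added example (my own, not any poster's config) that puts the two posts above together: return-based redirects with the port 80 block as the default, a separate 443 server that sends www to the bare domain, the php5-fpm and cipher lines from the first config, the request-method filter, and limit_req. It assumes the site is example.com, placeholder cert and docroot paths, and the Debian php5-fpm socket; limit_req_zone has to sit in the http context (e.g. at the top of a file included from http {}), and a front-controller app would want the /index.php fallback back in try_files.

```nginx
# rate-limit zone keyed on client IP; must live in the http context
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

# plain http, default server: everything goes to https on the bare domain
server {
    listen 80 default_server;
    server_name example.com www.example.com;
    # return is cheaper than a regex rewrite and always lands on the bare domain
    return 301 https://example.com$request_uri;
}

# https on www -> https on the bare domain; the cert must cover both names
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/example.com.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder path
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example.com;   # placeholder docroot
    index index.php index.html;

    ssl_certificate     /etc/ssl/certs/example.com.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder path
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # close the connection (444, no response) for anything but GET/HEAD/POST
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }
    client_max_body_size 2m;   # tune to the request sizes you actually expect

    location ~ \.php$ {
        try_files $uri =404;   # don't hand nonexistent .php paths to FPM
        limit_req zone=perip burst=20 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
}
```

    Run `nginx -t` after dropping this in; if the file is not included from http {}, move the limit_req_zone line into nginx.conf.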
  • @MrGeneral said:
    I've had a pretty nice config but lost it when I deactivated one of my VPSes.

    Slightly off-topic, but say hello to one of the bees in my bonnet:

    BACKUPS people. BACKUPS.

    Make them. Automate them. Test them. Automate the tests. Monitor the results.

  • teknolaiz Member
    edited October 2015

    Nginx configuration:
    https://gist.github.com/hidden-refuge/d6319485e31a96209936

    PHP include file (create in /etc/nginx/ and call it just php):
    https://raw.githubusercontent.com/hidden-refuge/fvps-lnmp-debian/master/php

    Use both of these. After you have created the php include file, edit the vHost config (the first link) and simply add "include php" into the server block for the HTTPS setup.

    THIS IS USING HTTP/2! REPLACE WITH SPDY IF YOU DON'T HAVE NGINX MAINLINE. THIS GETS YOU AN A+ ON SSL LABS.

  • MikePT Moderator, Patron Provider, Veteran
    edited October 2015

    Thanks @Hidden_Refuge, great! :)), will test it for sure.

  • @rincewind said:
    Nomad: That's an amazing template!

    Some suggestions:

    • Limit the type of HTTP request in the server block,
      I also restrict client_max_body_size because I have fairly predictable message sizes, but YMMV.

    Thanks @rincewind,

    I'm trying my best to make it a good one. With my limited knowledge, this is the best I've come up with so far, but too bad people are either not eager to bug hunt it or know less than I do and can't help. :D

    I did implement spdy deferred lines. Why did I even forget that?

    Hmm, I thought I had a line like

    if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }

    Somewhere along the lines, I'll look into that.
    As for rate limiting, well, I was never a fan of that. With dDos deflate and fail2ban I never saw any use for it on my servers, but since this is a template, it can be added as a commented-out option somewhere along the lines.

    Thanked by 1MikePT
  • @Nomad : I am also looking to improve my setup :)

    From what I understand, both fail2ban and DDosDeflate limit the number of (new) connections. Neither stop a client from using a single TCP connection in "keepalive" to pump in requests and overload your server. But rate limiting may need customization for your individual needs - I am shifting it from NGINX to my application for a more fine-grained approach.

    I found Centminmod's NGINX setup as another good source of ideas.

    @MrGeneral : You might want to look at Centminmod as well. It's a complete installer for NGINX/Maria/PHP.

    Thanked by 1MikePT
  • MikePT Moderator, Patron Provider, Veteran

    @rincewind said:
    Nomad : I am also looking to improve my setup :)

    From what I understand, both fail2ban and DDosDeflate limit the number of (new) connections. Neither stop a client from using a single TCP connection in "keepalive" to pump in requests and overload your server. But rate limiting may need customization for your individual needs - I am shifting it from NGINX to my application for a more fine-grained approach.

    I found Centminmod's NGINX setup as another good source of ideas.

    MrGeneral : You might want to look at Centminmod as well. It's a complete installer for NGINX/Maria/PHP.

    Hehe, nah. I do all my setups with no other bash scripts. I just needed a config, and found pretty good configs here! :-)

  • Glad you got that sorted out. I did learn a few tricks from Centminmod though.

  • MikePT Moderator, Patron Provider, Veteran

    @rincewind said:
    Glad you got that sorted out. I did learn a few tricks from Centminmod though.

    Sure thing, but I have been doing it for years and years. I'd rather install software myself, using other repos, etc. It's nice to learn, though, and I am aware Centminmod is pretty good.

  • AustinSH Member
    edited October 2015

    It seems you already got this; but, if you did not, let me know via PM or here and I can provide my secured config or help you out.

    Thanked by 1MikePT