# Build and install nginx, the FastCGI library and fcgiwrap from the FreeBSD
# ports tree (run as root). "make clean" first so that a stale work directory
# from an earlier build is not reused.
> cd /usr/ports/www/nginx/ && make clean && make install
> cd /usr/ports/www/fcgi/ && make clean && make install
> cd /usr/ports/www/fcgiwrap/ && make clean && make install
# /etc/rc.conf (excerpt): enable the services and configure the fcgiwrap socket.
...
nginx_enable=YES
php_fpm_enable=YES                  # for PHP (php-fpm)
fcgiwrap_enable="YES"               # for CGI (bash scripts)
# fcgiwrap runs as "www"; its UNIX socket is owned by "www" with mode 0770, so
# only that user/group can connect to it.
# NOTE(review): "www" is presumably also the user the nginx workers run as; a
# dedicated CGI user would confine a compromised script further - confirm
# nothing below the document root is writable by this user.
fcgiwrap_user="www"
fcgiwrap_socket="unix:/var/run/fcgiwrap.socket"
fcgiwrap_socket_owner="www"
fcgiwrap_socket_mode="0770"
# Restart the services so the rc.conf settings and the new configuration files
# take effect (run "nginx -t" beforehand so a config typo does not take the
# site down).
> /usr/local/etc/rc.d/nginx restart
> /usr/local/etc/rc.d/php-fpm restart
> /usr/local/etc/rc.d/fcgiwrap restart
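# Redirect all plain-HTTP traffic to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        return 301 https://$host$request_uri;
    }
}

# Catch-all TLS server: any SNI/Host that matches no server_name below lands
# here and gets a plain 404, so unknown names never reach the application.
# A certificate is still required to complete the handshake.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    ssl_certificate     /usr/local/etc/letsencrypt/live/EXAMPLE.COM/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/EXAMPLE.COM/privkey.pem;

    location / {
        return 404;
    }
}

# DokuWiki vhost, plus CGI via fcgiwrap and a Matrix/Synapse reverse proxy.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Allow-list of names this vhost answers to (matched against SNI / Host).
    server_name EXAMPLE.COM *.TESTSERVER.COM 10.0.0.100;

    ssl_certificate     /usr/local/etc/letsencrypt/live/EXAMPLE.COM/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/EXAMPLE.COM/privkey.pem;
    # Root CA + intermediate used to verify the stapled OCSP response.
    ssl_trusted_certificate /usr/local/etc/letsencrypt/live/EXAMPLE.COM/chain.pem;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # Session resumption through the server-side cache only; tickets are off so
    # forward secrecy does not depend on a long-lived ticket key.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;   # roughly 40000 sessions
    ssl_session_tickets off;

    # TLS 1.3 only (AEAD suites only) -> 100% "cipher strength" on SSL Labs.
    # Clients without TLS 1.3 cannot connect at all; make sure that is intended.
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Only curves equivalent to >= 4096-bit RSA -> 100% "key exchange" on SSL Labs.
    ssl_ecdh_curve secp521r1:secp384r1;

    # HSTS, 1 year = 31536000 seconds.
    # NOTE: add_header is inherited by a location only if that location sets no
    # add_header of its own - any location that adds a header must repeat this.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Resolver used for OCSP stapling; replace with the address of your own resolver.
    #resolver 127.0.0.1;
    #resolver [2606:4700:4700::1111] 1.1.1.1 [2606:4700:4700::1001] 1.0.0.1;
    resolver 192.168.1.4 [2606:4700:4700::1111] 1.1.1.1;

    root /home/http;
    index index.html index.php doku.php;

    client_max_body_size 15M;
    client_body_buffer_size 128K;

    location / {
        try_files $uri $uri/ @dokuwiki;
    }

    # DokuWiki's configuration and data trees must never be web-readable.
    # "^~" makes these prefix matches final, i.e. they also beat the regex
    # locations below, so /data/x.php is 403 rather than executed.
    location ^~ /conf/ {
        return 403;
    }
    location ^~ /data/ {
        return 403;
    }

    location ~ /\.ht {
        deny all;
    }

    # DokuWiki "nice URL" rewrites (re-enter location matching with "last").
    location @dokuwiki {
        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
        rewrite ^/(.*) /doku.php?id=$1 last;
    }

    # PHP via php-fpm on 127.0.0.1:9000.
    location ~ \.php$ {
        # Hand only existing files to php-fpm: a URI such as /upload/x.jpg/y.php
        # would otherwise be forwarded and, with cgi.fix_pathinfo=1, php-fpm
        # would execute the upload (same guard as the fastcgi snippet used by
        # the Debian vhosts).
        if (!-f $request_filename) {
            return 404;
        }
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # CGI via fcgiwrap. Deliberately a plain prefix (no "^~") so that the
    # foto.cgi regex location below still takes precedence and its auth applies.
    location /cgi-bin/ {
        if (!-f $request_filename) {
            return 404;
        }
        include fcgiwrap_params;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Password-protected CGI script (regex location wins over /cgi-bin/ above).
    location ~ /cgi-bin/foto\.cgi$ {
        auth_basic "Multimedia";
        auth_basic_user_file /home/etc/httpd/.htpwd_multimedia;
        include fcgiwrap_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }

    # Password-protected static trees. "^~" is needed here: regex locations beat
    # plain prefix locations, so without it /foto/x.php would be matched by the
    # unauthenticated "location ~ \.php$" above and executed. With "^~"
    # everything under these paths is served as static files after auth_basic.
    # NOTE(review): if PHP is supposed to run under these paths, keep the plain
    # prefix and protect the scripts separately instead.
    location ^~ /daten/mm/oeffentlich/ {
        auth_basic "Multimedia";
        auth_basic_user_file /home/etc/httpd/.htpwd_multimedia;
        autoindex on;
    }

    location ^~ /foto/ {
        auth_basic "Multimedia";
        auth_basic_user_file /home/etc/httpd/.htpwd_multimedia;
    }

    # Matrix homeserver (Synapse) behind the proxy.
    location ~* ^(\/_matrix|\/_synapse\/client) {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        # nginx allows 1M uploads by default; match max_upload_size in homeserver.yaml.
        client_max_body_size 50M;
    }
}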
Unterstützt PHP, CGI und Webapps hinter einem Reverse Proxy (z.B. NodeJS und ASP.NET Core)
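# Redirect all plain-HTTP traffic to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        return 301 https://$host$request_uri;
    }
}

# Catch-all TLS server: names that match no server_name below get a plain 404.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl.conf;

    location / {
        return 404;
    }
}

# Site vhost: static files, CGI (fcgiwrap), PHP (php-fpm) and two proxied web apps.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl.conf;

    # Allow-list of names this vhost answers to (matched against SNI / Host).
    server_name EXAMPLE.COM *.TESTSERVER.COM 10.0.0.100;

    root /var/www;
    index index.html index.php;

    # Resolver used for OCSP stapling; replace with the address of your own resolver.
    #resolver 127.0.0.1;
    resolver [2606:4700:4700::1111] 1.1.1.1 [2606:4700:4700::1001] 1.0.0.1;

    # Answer forbidden paths as 404 with the custom page so a 403 does not
    # confirm that a denied path exists. auth_basic failures are 401, not 403,
    # so the login prompt still works.
    error_page 403 =404 /404.html;
    error_page 404 =404 /404.html;

    client_max_body_size 15M;
    client_body_buffer_size 128K;

    location / {
        autoindex off;
        try_files $uri $uri/ =404;
    }

    location ~ /\.ht {
        deny all;
    }

    # Password-protected directory listing. "^~" makes the prefix match final,
    # so the "location ~ \.php$" below does not apply here: a .php file under
    # /data/ is served as a static file after authentication, not executed.
    location ^~ /data/ {
        autoindex on;
        auth_basic "Please enter your login information";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    # CGI via fcgiwrap
    location ^~ /cgi-bin/ {
        # Only existing files reach fcgiwrap (same guard as snippets/fastcgi.conf).
        if (!-f $request_filename) {
            return 404;
        }
        include fastcgi_params;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # PHP via php-fpm
    location ~ \.php$ {
        # Refuse non-existent scripts before php-fpm sees them; this blocks the
        # "/upload/x.jpg/y.php" path-info trick independently of whatever
        # snippets/fastcgi-php.conf does (its contents are not shown here).
        if (!-f $request_filename) {
            return 404;
        }
        include snippets/fastcgi-php.conf;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # NodeJS
    # NOTE(review): the prefix has no trailing slash, so "/helloworld-nodejsfoo"
    # matches too, and "/helloworld-nodejs/x" is forwarded as "//x" because the
    # matched prefix is replaced by the "/" of proxy_pass. "location ^~
    # /helloworld-nodejs/" fixes both if the bare path is not needed. Same below.
    location ^~ /helloworld-nodejs {
        include snippets/webapp-proxy.conf;
        proxy_pass http://localhost:8001/;
    }

    # ASP.NET Core
    location ^~ /helloworld-aspnet {
        include snippets/webapp-proxy.conf;
        proxy_pass http://localhost:8002/;
    }
}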
# Main nginx configuration (Debian/Ubuntu layout).
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    # "Connection: upgrade" for WebSocket requests, "close" otherwise; consumed
    # by the reverse-proxy snippet through $connection_upgrade.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    ##
    # Basic settings
    ##
    include mime.types;
    default_type application/octet-stream;
    index index.html;
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    # Do not advertise the nginx version, and strip the backends' X-Powered-By.
    server_tokens off;
    fastcgi_hide_header X-Powered-By;
    proxy_hide_header X-Powered-By;

    ##
    # Request limits (vhosts override client_max_body_size per site)
    ##
    client_body_buffer_size 128K;
    client_max_body_size 128M;

    ##
    # TLS - certificates, ciphers and stapling live in snippets/ssl.conf and
    # replace the stock ssl_protocols / ssl_prefer_server_ciphers lines.
    ##
    include snippets/ssl.conf;
    http2 on;
    http3 on;
    # Resolver for OCSP stapling; replace with the address of your own resolver.
    resolver [2606:4700:4700::1111] 1.1.1.1 [2606:4700:4700::1001] 1.0.0.1;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    #ssl_protocols TLSv1.3 TLSv1.2;
    #ssl_prefer_server_ciphers on;

    ##
    # Logging
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip (with the defaults only text/html is compressed).
    # NOTE(review): compressing responses that mix secrets with
    # attacker-controlled input is what BREACH exploits - keep gzip_types to
    # static assets if that applies to any of the apps behind this server.
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual hosts
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
# Port 80: permanent, method-preserving (308) redirect of everything to HTTPS.
# header.conf is included so the redirect carries the same headers; browsers
# ignore HSTS received over plain HTTP, the policy is committed on the TLS side.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    include snippets/header.conf;

    location / {
        return 308 https://$host$request_uri;
    }
}

# Catch-all TLS/QUIC server: it has no server_name, so any SNI/Host that
# matches no other vhost ends up here and receives a plain 404. The
# certificate comes from snippets/ssl.conf included at http level.
# NOTE(review): "ssl_reject_handshake on;" (nginx >= 1.19.4) would refuse the
# handshake instead of presenting the site's certificate to unknown names.
# NOTE(review): nginx's HTTP/3 documentation shows "listen 443 quic reuseport;"
# - confirm whether your version needs it with worker_processes auto.
server {
    listen 443 quic default_server;
    listen [::]:443 quic default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    include snippets/header.conf;
    include snippets/header-policy.conf;

    location / {
        return 404;
    }
}
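# Canonicalise www.<domain> -> <domain> with a permanent, method-preserving 308.
server {
    listen 443 quic;
    listen [::]:443 quic;
    listen 443 ssl;
    listen [::]:443 ssl;

    # The dot must be escaped: an unescaped "." matches any character, so
    # "wwwXexample.com" would also be accepted and sent to "Xexample.com".
    # NOTE(review): with a regex name nginx answers for every "www." host the
    # client presents and redirects to that client-supplied name; narrow the
    # capture to the names you actually serve (e.g. www\.(?<domain>EXAMPLE\.COM))
    # if that is not wanted.
    server_name ~^www\.(?<domain>.+)$;

    include snippets/header.conf;
    include snippets/header-policy.conf;

    location / {
        return 308 https://$domain$request_uri;
    }
}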
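# Site vhost: static files plus the PHP/CGI locations from snippets/fastcgi.conf.
server {
    listen 443 quic;
    listen [::]:443 quic;
    listen 443 ssl;
    listen [::]:443 ssl;

    # Allow-list of names this vhost answers to (matched against SNI / Host).
    server_name EXAMPLE.COM;
    root /data/www/EXAMPLE.COM;

    include snippets/header.conf;
    include snippets/header-policy.conf;
    # Adds "location ~ \.php$" and "location ~ /cgi-bin/.+\.cgi$".
    include snippets/fastcgi.conf;

    location / {
        try_files $uri $uri/ =404;
    }

    # "^~" is required here: regex locations take precedence over a plain
    # prefix, so without it /data/foo.php would be matched by the
    # "location ~ \.php$" from snippets/fastcgi.conf and executed WITHOUT the
    # auth_basic below. With "^~" everything under /data/ is served as static
    # files after authentication (the Debian vhost already does it this way).
    location ^~ /data/ {
        auth_basic "Please enter your login information";
        auth_basic_user_file /etc/nginx/.htpasswd;
        autoindex on;
    }
}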
siehe letsencrypt (mit hook)
# TLS settings shared by every server block (snippets/ssl.conf).

# Certificates and private keys: an ECDSA and an RSA chain are both installed;
# nginx offers whichever the client can use.
# ECDSA
ssl_certificate /etc/letsencrypt/live/ecdsa-EXAMPLE.COM/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ecdsa-EXAMPLE.COM/privkey.pem;
# RSA
ssl_certificate /etc/letsencrypt/live/rsa-EXAMPLE.COM/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rsa-EXAMPLE.COM/privkey.pem;

# TLS 1.2 suites: ECDHE/DHE with AES-256-GCM or ChaCha20-Poly1305 only (AEAD,
# forward secret). SSL Labs "Cipher Strength" needs >= AES-256 equivalents for
# 100%; TLS 1.3 keeps TLS_AES_128_GCM_SHA256 nevertheless because the
# protocol requires that suite.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
#ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
# Server chooses the suite; ChaCha20 is preferred when the client lists it
# first (typically devices without AES hardware acceleration).
ssl_conf_command Options ServerPreference,PrioritizeChaCha;

# Pre-generated 4096-bit FFDHE group (RFC 7919) for the DHE suites:
# curl -so /etc/ssl/ffdhe4096.pem https://ssl-config.mozilla.org/ffdhe4096.txt
# ln -s /etc/ssl/ffdhe4096.pem /etc/nginx/dhparam.pem
ssl_dhparam dhparam.pem;

# SSL Labs "Key Exchange": curves of >= RSA-4096 strength for 100%
# (X25519 only counts as an RSA-3072 equivalent, hence X448 first).
ssl_ecdh_curve X448:X25519:secp521r1:secp384r1;
#ssl_ecdh_curve X448:secp521r1:secp384r1;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2;

# Session resumption via the server-side cache only; tickets are disabled so
# forward secrecy does not depend on a long-lived ticket key.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;   # about 40000 sessions
ssl_session_tickets off;

# OCSP stapling
# NOTE(review): Let's Encrypt has announced the end of its OCSP responder;
# once it is gone nginx staples nothing and only logs a warning - check the
# error log after renewals and be prepared to drop stapling.
ssl_stapling on;
ssl_stapling_verify on;
# Root CA + intermediates used to verify the stapled OCSP response. The
# directive may be given only once, so the chains of both certificates are
# concatenated into a single file:
# cat /etc/letsencrypt/live/*/chain.pem > /etc/letsencrypt/live/chain.pem
ssl_trusted_certificate /etc/letsencrypt/live/chain.pem;
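# Security headers shared by every server block (snippets/header.conf).

# HSTS, 1 year = 31536000 seconds, with preloading (see https://hstspreload.org).
# Preload is effectively a one-way door: submit only once EVERY subdomain
# serves HTTPS, because "includeSubDomains" is part of the preloaded entry.
#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

# Advertise HTTP/2 and HTTP/3 on this port; 1 day = 86400 seconds.
add_header Alt-Svc 'h3=":443"; ma=86400, h2=":443"; ma=86400';

add_header Referrer-Policy 'no-referrer' always;
add_header X-Content-Type-Options 'nosniff' always;

# The XSS auditor that '1; mode=block' switched on has been removed from
# current browsers, and in the browsers that still ship it the filter itself
# could be abused to leak page content. OWASP's guidance is to disable it
# explicitly with '0'; the Content-Security-Policy in header-policy.conf is
# the actual XSS defence.
add_header X-XSS-Protection '0' always;

# NOTE: add_header is inherited by a location only if that location defines no
# add_header of its own - a location that adds a single header loses ALL of
# the above unless it repeats them.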
# Content-Security-Policy (snippets/header-policy.conf): deny everything by
# default, then allow:
#   script-src 'self'                 scripts from this origin only (no inline, no eval)
#   style-src / font-src 'self' https: this origin plus ANY https origin
#   img-src 'self' https: data:       this origin, any https origin, data: URIs
#   frame-ancestors 'none'            the page may not be framed (clickjacking)
#   base-uri 'none'                   no <base> rewriting of relative URLs
#   object-src 'none'                 no plugins
#   form-action 'none'                NO form submissions at all - relax this for
#                                     any page that has a form
#   upgrade-insecure-requests         http:// subresources are fetched as https://
# NOTE(review): the "https:" wildcards accept any TLS origin for styles, fonts
# and images; tighten them to named hosts if the site's assets are known.
add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; object-src 'none'; form-action 'none'; style-src 'self' https:; script-src 'self'; img-src 'self' https: data:; font-src 'self' https:; upgrade-insecure-requests" always;
# Permissions-Policy: these browser features are disabled for this origin and
# for everything it embeds.
add_header Permissions-Policy "camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=(), web-share=()" always;
# FastCGI locations shared by the vhosts (snippets/fastcgi.conf).
# These two lines
#include fastcgi_params;
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# can also be replaced by
#include snippets/fastcgi-php.conf
# if it exists.

# CGI: only *.cgi below /cgi-bin/ is executed, through fcgiwrap.
location ~ /cgi-bin/.+\.cgi$ {
    # Refuse the request before fcgiwrap sees it unless the script is an
    # existing regular file (this also rejects PATH_INFO-style /x.cgi/extra).
    if (!-f $request_filename) {
        return 404;
    }
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param HTTPS $https;   # tells the script it was reached over TLS
    fastcgi_pass unix:/var/run/fcgiwrap.socket;
}

# PHP: every *.php below the document root is executed by php-fpm.
# NOTE: a plain-prefix location in a vhost (e.g. "location /data/") does NOT
# shield its subtree from this regex - use "location ^~ /data/" for that.
location ~ \.php$ {
    # Existing files only: blocks the classic "/upload/x.jpg/y.php" trick,
    # which relies on cgi.fix_pathinfo in php-fpm.
    if (!-f $request_filename) {
        return 404;
    }
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param HTTPS $https;
    fastcgi_pass unix:/var/run/php/php-fpm.sock;
}
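# Proxy headers for the web apps (snippets/webapp-proxy.conf, included from the
# proxy locations).
proxy_http_version 1.1;

# WebSocket-aware Connection header: "upgrade" only when the client sent an
# Upgrade: header, "close" otherwise. $connection_upgrade comes from the
#   map $http_upgrade $connection_upgrade { default upgrade; '' close; }
# in nginx.conf. The previous pair of hard-coded values ('upgrade' followed by
# keep-alive) asked the backend to upgrade every request, WebSocket or not.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends the connecting address to whatever X-Forwarded-For the client sent;
# the backend must trust only the last (right-most) entry, the rest is
# client-controlled.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;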
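# Serve Matroska files under WebM MIME types so browsers attempt native
# playback. The regex now covers all three extensions the types table maps;
# with "\.mkv$" alone the mka/mks entries could never be reached.
location ~ \.(mkv|mka|mks)$ {
    types {
        video/webm mkv;
        audio/webm mka;
        text/vtt   mks;
    }
}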