
/ etc / nginx / sites-available / default with SSL

So, I had a small amount of trouble setting up Elkarte with nginx and SSL and I've turned off my CSP rules for the time being...

But, the biggest problem was not installing in a subdirectory of the webroot. Since it is the only thing on the server-- I didn't see the harm in changing the install directory to the actual webroot and not a subdirectory. Meh.

Anyhoo, if you all want to enlighten me on better practices, I am all ears. I'm a noob in the forum space and expert advice would be appreciated if you have any to give.

As the title states, here's a jumping off point for anyone that wants a head start on installing Elkarte on nginx with PHP-FPM, this install happens to be from a PHP 7.2 installation.

Code:
server {
  listen 80;
  listen [::]:80;
  server_name forum.list255.com;
  return 301 https://forum.list255.com$request_uri;
}

server {

  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  server_name forum.list255.com;
  ssl_protocols TLSv1 TLSv1.2;
  # generate diffie-hellman prime with: openssl dhparam -out /etc/ssl/dhparams4096.pem 4096
  ssl_dhparam /etc/ssl/dhparams4096.pem;
  ssl_ecdh_curve secp384r1;
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers on;
  # generate ssl certificate signing request with: openssl req -nodes -sha256 -newkey rsa:2048 -keyout /etc/ssl/2018/key.pem -out /etc/ssl/2018/csr.pem -subj "/C=US/ST=Ohio/L=Eastlake/O=list255, inc./OU=Web Development/CN=list255.com"
  ssl_certificate /etc/ssl/2018/chain.pem;
  ssl_certificate_key /etc/ssl/2018/key.pem;
  ssl_session_cache shared:SSL:128m;
  add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-Xss-Protection "1";
  #add_header Content-Security-Policy "default-src 'self'; img-src 'self'; script-src 'unsafe-inline' 'self' *.google-analytics.com; style-src 'unsafe-inline' 'self'";
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 127.0.0.1;

  root /var/www/html;

  # Add index.php to the list if you are using PHP
  index index.php index.html index.htm;

  charset UTF-8;

  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location ~ /\.svn/* {
    deny all;
  }

  location ~ /\.git/* {
    deny all;
  }

  location /nginx_status {
    stub_status on;
    access_log off;
  }
 
  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {

    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    fastcgi_intercept_errors on;
    include /etc/nginx/mime.types;

    fastcgi_index index.php;

    # split "/script.php/extra/path" into $fastcgi_script_name and $fastcgi_path_info
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    # full filesystem path of the script handed to PHP-FPM
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

    #fastcgi_cache_use_stale error timeout invalid_header http_500;
    #fastcgi_cache_key $host$request_uri;
    #fastcgi_cache example;
    #fastcgi_cache_valid 200 1m;
    #fastcgi_cache_bypass $nocache;
    #fastcgi_no_cache $nocache;
  }

  location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires max;
    log_not_found off;
  }
 
  location ~ ^/(status|ping)$ {
    include /etc/nginx/fastcgi_params;
    # same PHP 7.2 FPM socket as the .php handler above
    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
    allow 127.0.0.1;
    deny all;
  }
 
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
}
Last Edit: March 30, 2018, 07:31:29 pm by bradchesney79
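A hardened variant of the server block above, added here as an example; it is not the original poster's config. It assumes a placeholder hostname forum.example.com, certificate files under /etc/ssl/example/ and the PHP 7.2 FPM socket at /run/php/php7.2-fpm.sock, so adjust those to your install. It tightens the points a reviewer would raise on the config above: TLS 1.0 is still enabled, /nginx_status is readable from anywhere, the .git/.svn rules cover only those two directories, and the .php handler forwards requests to PHP-FPM without first checking that the script exists on disk.

```nginx
# Added example, not the original poster's config. Hostname, certificate
# paths and the FPM socket are placeholders for your own values.
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name forum.example.com;

  # TLS 1.2 and 1.3 only; 1.0 and 1.1 are deprecated (RFC 8996).
  ssl_protocols TLSv1.2 TLSv1.3;
  # AEAD suites with forward secrecy only (CHACHA20-POLY1305 and AES-GCM).
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_prefer_server_ciphers off;
  ssl_certificate     /etc/ssl/example/chain.pem;
  ssl_certificate_key /etc/ssl/example/key.pem;
  ssl_session_cache   shared:SSL:10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  # stapling verification needs the issuing chain; assumed to be in chain.pem
  ssl_trusted_certificate /etc/ssl/example/chain.pem;
  resolver 127.0.0.1;

  # "always" also sends the headers on 4xx/5xx responses.
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "strict-origin-when-cross-origin" always;

  root  /var/www/html;
  index index.php index.html;
  charset UTF-8;

  # One rule for every dotfile and dotdir (.git, .svn, .htaccess, .env, ...).
  # /.well-known/ is exempted so ACME certificate renewal keeps working.
  location ~ /\.(?!well-known/) {
    deny all;
  }

  # nginx status only from localhost; in the config above it was world-readable.
  location = /nginx_status {
    stub_status on;
    allow 127.0.0.1;
    allow ::1;
    deny all;
    access_log off;
  }

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    # Refuse requests whose script is not a real file under root. Without
    # this, a URI that merely ends in ".php" is still handed to PHP-FPM, and
    # with cgi.fix_pathinfo=1 in php.ini a different file can end up being
    # executed (the well-known nginx/PHP path-info pitfall).
    try_files $fastcgi_script_name =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_param HTTPS on;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    fastcgi_intercept_errors on;
  }

  # PHP-FPM's own status and ping pages: same socket as the site, localhost only.
  location ~ ^/(status|ping)$ {
    allow 127.0.0.1;
    deny all;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
  }

  location ~* \.(js|css|png|jpg|jpeg|gif|ico|woff2?)$ {
    expires max;
    log_not_found off;
  }
}
```

After editing, run "nginx -t" before reloading, and re-check the host on the SSL Labs test mentioned later in this thread; with TLS 1.0 off you should see no protocol warnings in the report.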

Re: / etc / nginx / sites-available / default with SSL

Reply #1

Hello bradchesney79 and welcome! :)

Unfortunately, server config is completely out of my reach. xD
Bugs creator.
Features destroyer.
Template killer.

Re: / etc / nginx / sites-available / default with SSL

Reply #2

This site and many more use nginx. Simply copy your forum files to the desired subdirectory and use repair_settings.php to fix all the forum's links, if that is what you are asking.

Re: / etc / nginx / sites-available / default with SSL

Reply #3

Thanks for sharing your config, it's always cool to see how others have set up their servers. Looking at what you did and what I do, I made a few notes.

You may want to disable TLSv1.1 and just have "ssl_protocols TLSv1 TLSv1.2;"
My cipher line is "ssl_ciphers ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128;" I'm not saying that is the best, just providing it for comparison. There are sites that you can test your SSL setup against for compatibility and vulnerability. https://www.ssllabs.com/ssltest/ is one.

I was not sure about the "index index.php index.html index.htm;" line, I was not even aware you could enter it like that, but then there is significantly more I don't know about Nginx than the little I do. For comparison, here is what I do.

Code:
location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ @rewrites;
}
location @rewrites {
    rewrite ^ /index.php last;
}

My php section looks like this for all sites. You need to make sure the names used sync up here and in your fastcgi_params file.
Code:
# $1 and $2 are the captures of the enclosing location's regex (not shown in this excerpt)
try_files $1 =404;
include /etc/nginx/fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$1;
fastcgi_param PATH_INFO $2;
fastcgi_param HTTPS on;
fastcgi_pass unix:/var/run/nginx/yoursite.com-php-fpm.socket;
fastcgi_index index.php;

For expires I've moved those to my main nginx.conf file and use the map directive (need the right version of Nginx). Placing it there makes it the same for all sites on your server, which you may not want to do, but the map functions are very nice.

Code:
# Expires map
map $sent_http_content_type $expires {
    default                        off;
    text/html                      epoch;
    text/css                       max;
    application/javascript         max;
    ~image/                        max;
    application/pdf                1M;
    ~font/                         max;
    application/vnd.ms-fontobject  max;
    application/font-woff          max;
    application/x-font-woff        max;
    application/font-woff2         max;
}
# the map only defines $expires; apply it with "expires $expires;" in the server or location block

Re: / etc / nginx / sites-available / default with SSL

Reply #4

I can see that your forum already has an A+ score at: https://www.ssllabs.com/ssltest/analyze.html?d=forum.list255.com&s=198.58.124.18

Just for fun, you may also want to check your site at:
- https://gtmetrix.com
- https://tools.pingdom.com
- http://www.webpagetest.org
- https://developers.google.com/speed/pagespeed/insights

If you want to share the result, you may respond in the Test Web Sites thread.

Re: / etc / nginx / sites-available / default with SSL

Reply #5

I was able to get everything "working" with my initial post. I have updated the information to reflect my final configuration. Make it work, make it right, make it fast... Thanks for the input-- on other support forums my posts usually don't get any responses. So, kudos for being active here.

I had to do a lot of searching and ended up basing my configuration on an old wordpress install. I posted hoping it might get someone else off the ground faster when they come looking for the same information I was searching for.

I may dig into Spuds' configuration to see which works better by comparison.