diff --git a/README.md b/README.md
index 72e526c..7ddd4c2 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ echo "deb https://deb.nodesource.com/node_11.x sid main" >> /etc/apt/sources.lis
 The following command will install all required packages:
 ```
-apt-get --no-install-recommends install apt-transport-tor aspell bzip2 clamav-daemon clamav-freshclam clamav-milter composer curl dovecot-imapd dovecot-pop3d git dnsmasq haveged hunspell iptables libsasl2-modules locales-all logrotate mariadb-server nano nginx-full nodejs postfix postfix-mysql \
+apt-get --no-install-recommends install apt-transport-tor aspell bzip2 clamav-daemon clamav-freshclam clamav-milter composer curl dovecot-imapd dovecot-pop3d git dnsmasq haveged hunspell iptables libsasl2-modules locales-all logrotate mariadb-server nano nodejs postfix postfix-mysql \
 php7.3-bcmath php7.3-bz2 php7.3-cli php7.3-curl php7.3-dba php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-intl php7.3-json php7.3-mbstring php7.3-mysql php7.3-opcache php7.3-pspell php7.3-readline php7.3-recode php7.3-soap php7.3-sqlite3 php7.3-tidy php7.3-xml php7.3-xmlrpc php7.3-xsl php7.3-zip \
 php-apcu php-gnupg php-imagick quota quotatool rsync sasl2-bin ssh subversion tor unzip vim vsftpd wget yarn zip
 ```
@@ -159,6 +159,15 @@ Install sodium_compat for v3 hidden_service support
 cd /var/www && composer install
 ```
+Custom optimized nginx
+```
+apt-get --no-install-recommends install libbrotli-dev libpcre3-dev zlib1g-dev
+git clone https://github.com/nginx/nginx && cd nginx
+git clone https://github.com/eustas/ngx_brotli
+./auto/configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/tmp/body --http-fastcgi-temp-path=/tmp/fastcgi --http-proxy-temp-path=/tmp/proxy --with-threads --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --without-http_ssi_module --without-http_userid_module --without-http_access_module --without-http_mirror_module --without-http_geo_module --without-http_split_clients_module --without-http_uwsgi_module --without-http_scgi_module --without-http_grpc_module --without-http_memcached_module --without-http_limit_conn_module --without-http_limit_req_module --without-http_empty_gif_module --without-http_browser_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_least_conn_module --without-http_upstream_keepalive_module --without-http_upstream_zone_module --with-stream --with-stream_ssl_module --without-stream_limit_conn_module --without-stream_access_module --without-stream_geo_module --without-stream_map_module --without-stream_split_clients_module --without-stream_return_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --with-cc-opt='-O3 -march=native -mtune=native -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --add-module=ngx_brotli
+make -j $(nproc) install
+```
+
 Last but not
least setup the database by running
 ```
 php /var/www/setup.php
diff --git a/etc/nginx/fastcgi.conf b/etc/nginx/fastcgi.conf
index 8b24ef6..a116bec 100644
--- a/etc/nginx/fastcgi.conf
+++ b/etc/nginx/fastcgi.conf
@@ -28,4 +28,5 @@ fastcgi_param REDIRECT_STATUS 200;
 fastcgi_param HTTP_PROXY "";
 #running in chroots
-fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name;
+fastcgi_param DOCUMENT_ROOT /www;
+fastcgi_param SCRIPT_FILENAME /www$fastcgi_script_name;
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 107568c..72389b4 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -1,7 +1,6 @@
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
 pcre_jit on;
 worker_rlimit_nofile 30000;
@@ -76,8 +75,6 @@ http {
 ##
 gzip on;
- gzip_disable "msie6";
- gzip_vary on;
 gzip_proxied any;
 gzip_comp_level 6;
@@ -85,6 +82,9 @@ http {
 # gzip_http_version 1.1;
 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+ brotli on;
+ brotli_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+
 fastcgi_index index.php;
 fastcgi_read_timeout 30m;
 fastcgi_max_temp_file_size 0;
@@ -94,6 +94,17 @@ http {
 fastcgi_cache_path /tmp/nginx/ levels=2 keys_zone=fcache:5m inactive=1h max_size=1G;
 fastcgi_cache_key $host$request_uri;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:prime256v1;
+ ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
+ ssl_session_cache shared:SSL:10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+# ssl_certificate /etc/acme.sh/hosting.danwin1210.me_ecc/fullchain.cer;
+# ssl_certificate_key /etc/acme.sh/hosting.danwin1210.me_ecc/hosting.danwin1210.me.key;
+# ssl_dhparam /etc/nginx/dh4096.pem;
+
 ##
 # Virtual Host Configs
 ##
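Review bot: The build recipe added in the second README hunk clones `https://github.com/nginx/nginx` and `https://github.com/eustas/ngx_brotli` at whatever HEAD happens to be at install time, so two runs of this guide can yield different, unreviewed nginx binaries and nothing verifies what was fetched; pin both clones to a tagged release (`git clone --branch <release-tag> --depth 1 …`) and record the expected commit, or build from the upstream signed tarball. `ngx_brotli` is also taken from a personal fork rather than the `google/ngx_brotli` repository, which deserves a sentence saying why. Because the first hunk drops `nginx-full` from the apt line, the hand-built `/usr/sbin/nginx` will no longer receive Debian security updates, and the README should state that the operator now has to track nginx advisories and rebuild. `-march=native -mtune=native` additionally ties the binary to the build host's CPU, which matters if the image is cloned to other hardware.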
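Review bot: `fastcgi_param SCRIPT_FILENAME /www$fastcgi_script_name;` now assumes that the `try_files $fastcgi_script_name =404` in `snippets/fastcgi-php.conf` validated the script against nginx's own `root` while PHP-FPM resolves the same relative path inside its `/www` chroot; if a site's nginx root and the directory mounted at `/www` in that pool's chroot ever differ, the existence check and the executed file are different files. That invariant is not written down anywhere in the hunk, so add it above the param: `# per-site nginx root must be the directory the pool's chroot exposes as /www, otherwise try_files checks a different file than php-fpm runs`. The new `DOCUMENT_ROOT /www` line is right for the chroot, but any per-site config that still sets its own `DOCUMENT_ROOT`/`SCRIPT_FILENAME` should be checked, since a later `fastcgi_param` with the same name in the same location is not guaranteed to replace this one.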
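Review bot: `ssl_stapling_verify on;` in the last nginx.conf hunk has no `ssl_trusted_certificate` beside it and no `resolver` appears in the visible lines; nginx needs the issuer chain to verify the OCSP response and a resolver to reach the responder, and without them verification fails and no staple is sent (nginx only logs a warning, so the breakage is silent). Add `ssl_trusted_certificate` pointing at the CA chain next to the commented `ssl_certificate` paths, plus a `resolver 127.0.0.1;` for the local dnsmasq the README installs, or drop `ssl_stapling_verify`. `ssl_session_cache shared:SSL:10m;` is set but session tickets are left at nginx's default (enabled) with a key that only rotates on restart; add `ssl_session_tickets off;` or a rotated `ssl_session_ticket_key` so a long-lived master does not erode forward secrecy. The commented certificate lines embed one operator's hostname in what reads as a shared template; a `# site-specific: set in the vhost` comment would stop them being uncommented as-is.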
diff --git a/etc/nginx/snippets/fastcgi-php.conf b/etc/nginx/snippets/fastcgi-php.conf
index 38e6cae..d110456 100644
--- a/etc/nginx/snippets/fastcgi-php.conf
+++ b/etc/nginx/snippets/fastcgi-php.conf
@@ -1,5 +1,5 @@
 # regex to split $uri to $fastcgi_script_name and $fastcgi_path
-fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_split_path_info ^(.+\.php)(/.*)$;
 # Check that the PHP script exists before passing it
 try_files $fastcgi_script_name =404;
diff --git a/etc/systemd/system/nginx.service.d/custom.conf b/etc/systemd/system/nginx.service
similarity index 61%
rename from etc/systemd/system/nginx.service.d/custom.conf
rename to etc/systemd/system/nginx.service
index 3a4d423..d912c51 100644
--- a/etc/systemd/system/nginx.service.d/custom.conf
+++ b/etc/systemd/system/nginx.service
@@ -1,11 +1,19 @@
+[Unit]
+Description=A high performance web server and a reverse proxy server
+After=network.target nss-lookup.target
+
 [Service]
+Type=forking
+PIDFile=/run/nginx.pid
 LimitNOFILE=100000
 TimeoutStartSec=600
-ExecStop=
+TimeoutStopSec=5
+KillMode=mixed
 ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid
-ExecStartPre=
-ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /var/run/nginx
+ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /run/nginx
 ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
 ProtectSystem=strict
 PrivateTmp=true
 NoNewPrivileges=true
@@ -17,7 +25,9 @@ LockPersonality=true
 SystemCallArchitectures=native
 BindPaths=/var/log/nginx/
 BindPaths=/var/lib/nginx/
-BindPaths=/var/run/
 BindPaths=/var/www/var/run/
 BindPaths=/run/
 InaccessiblePaths=/root/
+
+[Install]
+WantedBy=multi-user.target
diff --git a/var/www/common.php b/var/www/common.php
index a93d2c5..129d459 100644
--- a/var/www/common.php
+++ b/var/www/common.php
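Review bot: `try_files $fastcgi_script_name =404;` still follows the split directly, and in affected nginx versions `try_files` re-evaluates the URI and empties `$fastcgi_path_info`, so the widened `(/.*)$` capture is lost before it can be passed on; if the rest of this snippet (past line 5, not shown) sends `$fastcgi_path_info` to PHP, insert `set $path_info $fastcgi_path_info;` between the split and the `try_files` line and pass `$path_info` instead. The comment above the regex should also say what the change admits: `# trailing slash with empty PATH_INFO (e.g. /index.php/) is now split too, matching the [^/]\.php(/|$) location regex`. The script-existence check in `try_files` is what stops `/upload.jpg/x.php`-style requests reaching PHP, so keep it directly after the split rather than after any later rewrites.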
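Review bot: Nothing in the rewritten `[Service]` bounds capabilities: the master starts as root under `ProtectSystem=strict` and `NoNewPrivileges=true` but keeps the full root capability set, whereas it only needs to bind ports, switch to `www-data` and open its log and pid files, so add `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE` (confirm the exact set on this host) unless lines 12–16 of the unit, which the diff does not show, already do. `ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid` is now redundant — with `Type=forking`, `PIDFile=` and `KillMode=mixed` systemd signals the main PID itself — and the leading `-` hides its failures; either remove it or make shutdown graceful with `ExecStop=/usr/sbin/nginx -s quit` so in-flight requests finish inside `TimeoutStopSec=5`. The `ExecStartPre` that creates `/run/nginx` as a `www-data`-owned setgid directory could become `RuntimeDirectory=nginx` plus `RuntimeDirectoryMode=2755`, which systemd also removes on stop; keep the `install` line only if the workers really must own that directory, and note that in a comment.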
@@ -440,8 +440,6 @@ function rewrite_nginx_config(PDO $db){
 $php_location="
 location ~ [^/]\.php(/|\$) {
 include snippets/fastcgi-php.conf;
- fastcgi_param DOCUMENT_ROOT /www;
- fastcgi_param SCRIPT_FILENAME /www\$fastcgi_script_name;
 fastcgi_pass unix:/run/php/$tmp[system_account];
 }";
 }else{
@@ -472,8 +470,6 @@ function rewrite_nginx_config(PDO $db){
 $php_location="
 location ~ [^/]\.php(/|\$) {
 include snippets/fastcgi-php.conf;
- fastcgi_param DOCUMENT_ROOT /www;
- fastcgi_param SCRIPT_FILENAME /www\$fastcgi_script_name;
 fastcgi_pass unix:/run/php/$tmp[system_account];
 }";
 }else{
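Review bot: Both hunks in `rewrite_nginx_config` now emit a location block with no `SCRIPT_FILENAME`/`DOCUMENT_ROOT` of its own, so the generated vhosts only work if `snippets/fastcgi-php.conf` ends by including `fastcgi.conf` (Debian's snippet does; the snippet lines shown in this diff stop at `try_files`), otherwise PHP-FPM gets no script path at all; record that dependency inside the string with `# SCRIPT_FILENAME/DOCUMENT_ROOT come from fastcgi.conf via the snippet` so the next person editing the generator does not re-add them. The two branches build the same block verbatim, which is why this patch had to make the identical edit twice; hoisting the block into a single `$php_location` assignment ahead of the branch, or a small helper, would remove the duplication. `rewrite_nginx_config` begins and ends outside these hunks.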