From 0b61a38c265c72a6920f2f898a038ded9320c6dd Mon Sep 17 00:00:00 2001
From: Daniel Winzen <d@winzen4.de>
Date: Mon, 2 Sep 2019 19:45:09 +0200
Subject: [PATCH] Replace debian stock nginx with custom optimized nginx

---
 README.md                                      | 11 ++++++++++-
 etc/nginx/fastcgi.conf                         |  3 ++-
 etc/nginx/nginx.conf                           | 17 ++++++++++++++---
 etc/nginx/snippets/fastcgi-php.conf            |  2 +-
 .../custom.conf => nginx.service}              | 18 ++++++++++++++----
 var/www/common.php                             |  4 ----
 6 files changed, 41 insertions(+), 14 deletions(-)
 rename etc/systemd/system/{nginx.service.d/custom.conf => nginx.service} (61%)

diff --git a/README.md b/README.md
index 72e526c..7ddd4c2 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ echo "deb https://deb.nodesource.com/node_11.x sid main" >> /etc/apt/sources.lis
 
 The following command will install all required packages:
 ```
-apt-get --no-install-recommends install apt-transport-tor aspell bzip2 clamav-daemon clamav-freshclam clamav-milter composer curl dovecot-imapd dovecot-pop3d git dnsmasq haveged hunspell iptables libsasl2-modules locales-all logrotate mariadb-server nano nginx-full nodejs postfix postfix-mysql \
+apt-get --no-install-recommends install apt-transport-tor aspell bzip2 clamav-daemon clamav-freshclam clamav-milter composer curl dovecot-imapd dovecot-pop3d git dnsmasq haveged hunspell iptables libsasl2-modules locales-all logrotate mariadb-server nano nodejs postfix postfix-mysql \
 php7.3-bcmath php7.3-bz2 php7.3-cli php7.3-curl php7.3-dba php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-intl php7.3-json php7.3-mbstring php7.3-mysql php7.3-opcache php7.3-pspell php7.3-readline php7.3-recode php7.3-soap php7.3-sqlite3 php7.3-tidy php7.3-xml php7.3-xmlrpc php7.3-xsl php7.3-zip \
 php-apcu php-gnupg php-imagick quota quotatool rsync sasl2-bin ssh subversion tor unzip vim vsftpd wget yarn zip
 ```
@@ -159,6 +159,15 @@ Install sodium_compat for v3 hidden_service support
 cd /var/www && composer install
 ```
 
+Custom optimized nginx
+```
+apt-get --no-install-recommends install libbrotli-dev libpcre3-dev zlib1g-dev
+git clone https://github.com/nginx/nginx && cd nginx
+git clone https://github.com/eustas/ngx_brotli
+./auto/configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/tmp/body --http-fastcgi-temp-path=/tmp/fastcgi --http-proxy-temp-path=/tmp/proxy --with-threads --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --without-http_ssi_module --without-http_userid_module --without-http_access_module --without-http_mirror_module --without-http_geo_module --without-http_split_clients_module --without-http_uwsgi_module --without-http_scgi_module --without-http_grpc_module --without-http_memcached_module --without-http_limit_conn_module --without-http_limit_req_module --without-http_empty_gif_module --without-http_browser_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_least_conn_module --without-http_upstream_keepalive_module --without-http_upstream_zone_module --with-stream --with-stream_ssl_module --without-stream_limit_conn_module --without-stream_access_module --without-stream_geo_module --without-stream_map_module --without-stream_split_clients_module --without-stream_return_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --with-cc-opt='-O3 -march=native -mtune=native -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --add-module=ngx_brotli
+make -j $(nproc) install
+```
+
 Last but not least setup the database by running
 ```
 php /var/www/setup.php
diff --git a/etc/nginx/fastcgi.conf b/etc/nginx/fastcgi.conf
index 8b24ef6..a116bec 100644
--- a/etc/nginx/fastcgi.conf
+++ b/etc/nginx/fastcgi.conf
@@ -28,4 +28,5 @@ fastcgi_param  REDIRECT_STATUS    200;
 fastcgi_param HTTP_PROXY "";
 
 #running in chroots
-fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name;
+fastcgi_param DOCUMENT_ROOT /www;
+fastcgi_param SCRIPT_FILENAME /www$fastcgi_script_name;
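Review bot: The chroot-relative `SCRIPT_FILENAME /www$fastcgi_script_name` and `DOCUMENT_ROOT /www` added here now apply to every FastCGI location that ends up including this file, not only to the vhosts that previously set them per location in common.php; a location served from the host filesystem rather than a `/www` chroot would hand PHP-FPM a path that does not exist there, so the comment should state the assumption, e.g. `#running in chroots: every PHP pool reached through this file must see its document root at /www`. The stock header of this file (outside the hunk) normally also sets `SCRIPT_FILENAME $document_root$fastcgi_script_name`; if it still does, the same parameter is defined twice and it is better to drop the earlier one than to depend on nginx's duplicate-parameter handling. Note also that the snippet's `try_files $fastcgi_script_name =404` guard tests existence under the vhost `root` on the host side, not under `/www`, so the two must name the same directory for that existence check to mean anything.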
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 107568c..72389b4 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -1,7 +1,6 @@
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
 pcre_jit on;
 worker_rlimit_nofile 30000;
 
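Review bot: Dropping `include /etc/nginx/modules-enabled/*.conf;` commits this configuration to the source build described in the README, and nothing in the config records what that build is: the README clones nginx and ngx_brotli from their default branches with no tag or commit pinned, and the binary leaves apt's security-update path. A header comment near the top of nginx.conf naming the nginx release and ngx_brotli revision the config was tested against, and noting that `-march=native` in the build flags ties the binary to the host it was compiled on, would give the next operator the information the package metadata used to carry. Something like `# built from source (see README); brotli is compiled in statically, so no modules-enabled include. Track nginx security releases manually.` is enough.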
@@ -76,8 +75,6 @@ http {
 	##
 
 	gzip on;
-	gzip_disable "msie6";
-
 	gzip_vary on;
 	gzip_proxied any;
 	gzip_comp_level 6;
@@ -85,6 +82,9 @@ http {
 	# gzip_http_version 1.1;
 	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
 
+	brotli on;
+	brotli_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+
 	fastcgi_index index.php;
 	fastcgi_read_timeout 30m;
 	fastcgi_max_temp_file_size 0;
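Review bot: `brotli_types` in the added lines is a verbatim copy of `gzip_types` two lines above, and the list includes `application/json` and `text/plain`, which on this host are largely dynamic PHP output rather than static assets. Compressing dynamic responses that may carry a session token next to request-influenced content has the same BREACH-class side-channel consideration for brotli as it already has for gzip, so the second encoder neither adds nor removes that exposure; a one-line comment such as `# keep in sync with gzip_types; both apply to dynamic PHP output` records that the two lists are meant to stay identical and that the tradeoff was made deliberately. If only static assets are meant to be compressed, `brotli_static` and `gzip_static` are the narrower option.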
@@ -94,6 +94,17 @@ http {
 	fastcgi_cache_path /tmp/nginx/ levels=2 keys_zone=fcache:5m inactive=1h max_size=1G;
 	fastcgi_cache_key $host$request_uri;
 
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_prefer_server_ciphers on;
+	ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:prime256v1;
+	ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
+	ssl_session_cache shared:SSL:10m;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+#	ssl_certificate /etc/acme.sh/hosting.danwin1210.me_ecc/fullchain.cer;
+#	ssl_certificate_key /etc/acme.sh/hosting.danwin1210.me_ecc/hosting.danwin1210.me.key;
+#	ssl_dhparam /etc/nginx/dh4096.pem;
+
 	##
 	# Virtual Host Configs
 	##
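Review bot: `ssl_stapling_verify on` in the added lines has nothing to verify against: nginx checks the stapled OCSP response with the issuer chain given by `ssl_trusted_certificate`, and it needs a `resolver` to reach the OCSP responder at all, yet neither directive appears in this hunk, so stapling is likely to fall back to off with only an error-log entry. Adding both next to the stapling lines (the acme.sh `fullchain.cer` named in the commented `ssl_certificate` line is the obvious chain candidate) makes the verify flag effective. `ssl_ciphers` governs TLS 1.2 only; the TLS 1.3 suites enabled via `ssl_protocols TLSv1.2 TLSv1.3` come from OpenSSL's own list, which is fine but deserves a comment so nobody tries to tune 1.3 through this string. With `!RSA` in the list and `ssl_dhparam` left commented out, the evident intent is ECDHE-only key exchange matching the `ssl_ecdh_curve` line — a comment stating that intent, e.g. `# ECDHE only; no ssl_dhparam on purpose`, keeps a later edit from re-enabling a weak DH group.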
diff --git a/etc/nginx/snippets/fastcgi-php.conf b/etc/nginx/snippets/fastcgi-php.conf
index 38e6cae..d110456 100644
--- a/etc/nginx/snippets/fastcgi-php.conf
+++ b/etc/nginx/snippets/fastcgi-php.conf
@@ -1,5 +1,5 @@
 # regex to split $uri to $fastcgi_script_name and $fastcgi_path
-fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_split_path_info ^(.+\.php)(/.*)$;
 
 # Check that the PHP script exists before passing it
 try_files $fastcgi_script_name =404;
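Review bot: The widened `(/.*)$` means a URI such as `/index.php/` (trailing slash, empty path info) now splits and is passed to PHP-FPM, whereas with `(/.+)$` the split failed and `try_files` answered 404; that is a behaviour change the comment above should mention, e.g. `# (/.*) rather than (/.+): a bare trailing slash after .php is valid, empty PATH_INFO`. The `try_files $fastcgi_script_name =404;` guard on the last line is what ensures only an existing `.php` file from the split is handed to PHP, so it must stay directly after `fastcgi_split_path_info` as it does here.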
diff --git a/etc/systemd/system/nginx.service.d/custom.conf b/etc/systemd/system/nginx.service
similarity index 61%
rename from etc/systemd/system/nginx.service.d/custom.conf
rename to etc/systemd/system/nginx.service
index 3a4d423..d912c51 100644
--- a/etc/systemd/system/nginx.service.d/custom.conf
+++ b/etc/systemd/system/nginx.service
@@ -1,11 +1,19 @@
+[Unit]
+Description=A high performance web server and a reverse proxy server
+After=network.target nss-lookup.target
+
 [Service]
+Type=forking
+PIDFile=/run/nginx.pid
 LimitNOFILE=100000
 TimeoutStartSec=600
-ExecStop=
+TimeoutStopSec=5
+KillMode=mixed
 ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid
-ExecStartPre=
-ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /var/run/nginx
+ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /run/nginx
 ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
 ProtectSystem=strict
 PrivateTmp=true
 NoNewPrivileges=true
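Review bot: `ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid` sends SIGTERM, which nginx treats as a fast shutdown, and the new `TimeoutStopSec=5` with `KillMode=mixed` then SIGKILLs whatever remains; combined with `fastcgi_read_timeout 30m` in nginx.conf this aborts in-flight PHP requests on every stop or restart. If a graceful stop is intended, `ExecStop=/usr/sbin/nginx -s quit -g 'daemon on; master_process on;'` (SIGQUIT) with a longer `TimeoutStopSec` is the usual form; if a fast stop is deliberate, a comment saying so would stop the next reader from "fixing" it. The leading `-` on ExecStop also hides a failed stop from the unit result, which is reasonable when the pid file is already gone but worth a comment. `ExecStartPre=/usr/bin/install ... -d /run/nginx` creates a directory that none of the paths in this diff use (the build puts temp files under /tmp, the pid at /run/nginx.pid and the cache at /tmp/nginx/); if something does consume it a comment naming the consumer would help, otherwise it may be a leftover from the Debian drop-in.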
@@ -17,7 +25,9 @@ LockPersonality=true
 SystemCallArchitectures=native
 BindPaths=/var/log/nginx/
 BindPaths=/var/lib/nginx/
-BindPaths=/var/run/
 BindPaths=/var/www/var/run/
 BindPaths=/run/
 InaccessiblePaths=/root/
+
+[Install]
+WantedBy=multi-user.target
diff --git a/var/www/common.php b/var/www/common.php
index a93d2c5..129d459 100644
--- a/var/www/common.php
+++ b/var/www/common.php
@@ -440,8 +440,6 @@ function rewrite_nginx_config(PDO $db){
 			$php_location="
 		location ~ [^/]\.php(/|\$) {
 			include snippets/fastcgi-php.conf;
-			fastcgi_param DOCUMENT_ROOT /www;
-			fastcgi_param SCRIPT_FILENAME /www\$fastcgi_script_name;
 			fastcgi_pass unix:/run/php/$tmp[system_account];
 		}";
 		}else{
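Review bot: Removing the per-location `DOCUMENT_ROOT`/`SCRIPT_FILENAME` here (and in the identical block at the second hunk of this file) makes these vhosts rely on the values now set globally in etc/nginx/fastcgi.conf, which reach this location either through a trailing `include fastcgi.conf;` in `snippets/fastcgi-php.conf` or by inheritance from an http-level include — in both cases only if nothing else at location level defines its own `fastcgi_param`, since a single one there suppresses inheritance; neither include is visible in this diff, so that should be confirmed. The `}else{` branch after each hunk is also outside the hunk: whatever PHP location it emits now receives the chroot path `/www$fastcgi_script_name` as well unless it overrides it, which deserves a comment in `rewrite_nginx_config` stating that every generated PHP location assumes a `/www` chroot. `rewrite_nginx_config` starts and ends outside the hunk. The two hunks are byte-identical copies of the same heredoc, so a small helper returning the location block would keep edits like this one from having to be made twice.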
@@ -472,8 +470,6 @@ function rewrite_nginx_config(PDO $db){
 			$php_location="
 		location ~ [^/]\.php(/|\$) {
 			include snippets/fastcgi-php.conf;
-			fastcgi_param DOCUMENT_ROOT /www;
-			fastcgi_param SCRIPT_FILENAME /www\$fastcgi_script_name;
 			fastcgi_pass unix:/run/php/$tmp[system_account];
 		}";
 		}else{