NGINX Setup

Install Nginx

# Refresh the package index, then install nginx from the distribution repo.
sudo apt-get update
sudo apt-get install nginx
# Start/stop through the init wrapper, then enable the unit so nginx starts at boot.
# NOTE(review): the stop below leaves nginx stopped, yet the curl check that
# follows needs it running; presumably it was started again in between. Confirm.
sudo service nginx start
sudo service nginx stop
sudo systemctl enable nginx
# Baseline: fetch only the response headers to see what the Server header shows.
curl -I http://localhost
sudo vi /etc/nginx/nginx.conf
# Directive set inside nginx.conf (not a shell command): removes the nginx
# version from the Server response header and from built-in error pages.
server_tokens off;
# Re-check the headers after the change.
# NOTE(review): no reload is shown between the edit and this check; nginx only
# picks up nginx.conf changes after `sudo nginx -t` and a reload.
curl -I http://localhost

Nginx Server Blocks / Virtual hosts

# Create the per-site document root.
sudo mkdir -p /var/www/example.com/html
# Hand the whole /var/www tree to the www-data account and set mode 755 on
# every file and directory under it.
# NOTE(review): with this ownership, any process running as www-data can
# rewrite the site's files. A tighter layout keeps the content owned by the
# deploying user and gives www-data read access only (directories 755,
# files 644); -R 755 also marks every regular file executable.
sudo chown -R www-data:www-data /var/www/
sudo chmod -R 755 /var/www
# Start the new site's config from the packaged default server block, then edit it.
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example.com
sudo vi /etc/nginx/sites-available/example.com
# The leading path on the next line appears to be the notes' label for the file
# being edited; the configuration itself starts at "server {".
/etc/nginx/sites-available/example.com server {
# Plain-HTTP listeners on IPv4 and IPv6.
listen 80;
listen [::]:80;
# Files are served from the per-site document root created earlier.
root /var/www/example.com/html;
index index.html index.htm index.nginx-debian.html;
# Requests whose Host header is example.com are routed to this block.
server_name example.com;
location / {
# Serve the matching file, else the matching directory, else answer 404.
try_files $uri $uri/ =404;
}
}
# Enable the site by linking its config into sites-enabled.
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo vi /etc/nginx/nginx.conf
# Excerpt of the http block in nginx.conf (not shell): a larger hash bucket lets
# nginx build its server-name table once additional or long names are added.
http {
server_names_hash_bucket_size 64;
}
# Create the test page.
# NOTE(review): "no sudo" only works if the editing user can write to this
# directory; the recursive chown to www-data earlier would prevent that unless
# ownership was changed again. Confirm.
vi /var/www/example.com/html/index.html # no sudo
# Validate the configuration before restarting, so a syntax error is caught
# while the old configuration is still being served.
sudo nginx -t
sudo systemctl restart nginx

SSL

This first attempt didn’t work (skip it): the certbot version in the repo was too old and failed with a client authenticator error.
# Add the certbot PPA and install certbot together with its nginx plugin.
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
# Make sure the current configuration is valid and loaded before certbot edits it.
sudo nginx -t
sudo systemctl reload nginx
# Request a certificate for the domain and let the nginx plugin install it.
sudo certbot --nginx -d example.com
# Dry run of the renewal path only; per the author, the package installs its
# own scheduled renewal under /etc/cron.d.
sudo certbot renew --dry-run # test only, nothing is renewed
# 'Nginx Full' allows both 80 and 443; the HTTP-only rule is then redundant and
# is removed. Port 80 stays reachable through 'Nginx Full'.
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
# Workaround used instead: fetch EFF's certbot-auto wrapper to get a newer
# certbot than the repo package.
# NOTE(review): the script is downloaded and then run as root with no integrity
# check beyond the TLS connection to dl.eff.org, and certbot-auto has since been
# deprecated upstream. On a current system, install certbot through the
# distribution's or EFF's currently recommended package instead.
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
sudo ./certbot-auto # will give you a menu, don’t use this (IPv6 problem)
sudo ./certbot-auto --nginx -d example2.com # one domain at a time
sudo vi /etc/nginx/sites-available/example2.com
# comment out the IPv6 line so the next domain will work without conflict ...
# NOTE(review): with this line commented out the site no longer listens for
# HTTPS on IPv6; the conflict comes from ipv6only=on being allowed on only one
# listen directive per address:port, so dropping just that parameter may be
# enough. Confirm with `sudo nginx -t`.
#listen [::]:443 ssl ipv6only=on; # managed by Certbot
sudo nginx -t
sudo systemctl reload nginx # don’t need, do it anyway
# Manual renewal run to confirm the renewal path works before scheduling it.
sudo ./certbot-auto renew # check that it works
# Open the current user's crontab to add the scheduled renewal entry.
crontab -e
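# Daily at 05:00: attempt certificate renewal and keep a timestamped log of the run.
# In a crontab an unescaped % ends the command (the rest is fed to it as stdin),
# so every % in the date format is written as \%.
# cron runs the command with /bin/sh unless SHELL is set, so output is captured
# with the portable "> file 2>&1" form rather than bash's "&>".
# NOTE(review): renewal needs root; confirm this entry lives in a crontab whose
# user can run certbot-auto non-interactively, and that /home/user1/log exists.
0 5 * * * /home/user1/certbot-auto renew > /home/user1/log/certbot_output_$(date +\%Y-\%m-\%d_\%H:\%M:\%S).log 2>&1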

PHP


# Install the PHP FastCGI process manager and edit its php.ini.
sudo apt-get install php-fpm
sudo vi /etc/php/7.0/fpm/php.ini
# php.ini settings (not shell commands).
# cgi.fix_pathinfo=0 makes PHP execute only the exact script path it is handed,
# instead of falling back to the nearest existing file along the path; this
# keeps a non-PHP file from being run as a script through a crafted URL.
cgi.fix_pathinfo=0
# expose_php = Off removes the PHP version from the X-Powered-By response header.
expose_php = Off # already default in my case
# PHP-FPM reads php.ini at start-up, so restart it to apply the change.
sudo systemctl restart php7.0-fpm


In Server Block:
# index.php is tried first when a directory is requested.
index index.php index.html index.htm index.nginx-debian.html;
…...
# URIs ending in .php are handed to PHP-FPM over its local Unix socket, using
# the FastCGI parameters from the packaged snippet.
# NOTE(review): the socket path is tied to PHP 7.0; it has to follow the
# installed php-fpm version.
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}

# Refuse any path containing "/.ht" (.htaccess, .htpasswd), which nginx would
# otherwise serve as plain files.
# NOTE(review): other dotfiles in the document root are not covered by this
# pattern; confirm none are deployed there.
location ~ /\.ht {
deny all;
}
# Validate the edited configuration, then reload without dropping connections.
sudo nginx -t
sudo systemctl reload nginx


PHP without extension:
# Replaces the earlier "location /": instead of answering 404 when no file or
# directory matches, fall through to the named location below.
location / {
#try_files $uri $uri/ =404;
try_files $uri $uri/ @extensionless-php;
}
…..
# Append ".php" to the requested URI and restart location matching ("last"), so
# /page is processed as /page.php.
# NOTE(review): every unmatched URI now reaches the PHP location; a 404 for
# paths with no matching .php file presumably comes from the included
# fastcgi-php.conf snippet. Confirm by requesting a path that does not exist.
location @extensionless-php {
rewrite ^(.*)$ $1.php last;
}


Extra Security:
Added to server block
# Serve the same page body for 401, 403 and 404 responses.
# NOTE(review): in this form the original status code is still sent, so a client
# can tell a forbidden path from a missing one; if the intent is to hide that,
# the response code has to be overridden as well (error_page ... =404 /404.html).
error_page 401 403 404 /404.html;
# Install the wapiti web-application scanner and run it against the finished
# site to check the hardening above.
sudo apt-get install wapiti
# NOTE(review): -n 10 appears to cap how many URLs of the same pattern are
# crawled and -b folder to restrict the crawl scope; confirm against the
# installed version's --help.
wapiti http://example.org -n 10 -b folder

Admin Tasks

This was done ….
# Give user1 ownership of /var/www itself so new site directories can be created
# without sudo. There is no -R here, so anything already under /var/www keeps
# the ownership set by the earlier recursive chown to www-data.
sudo chown user1:user1 /var/www

Add site to hosting

# Create a new site's config from the local template.
# NOTE(review): none of the commands up to mkdir use sudo; writing under
# /etc/nginx normally needs root, so these were presumably run from a root
# shell. Confirm.
cd /etc/nginx/sites-available
cp TEMPLATE.txt example3.com
# Replace the XXXX placeholder with the domain. Without the g flag only the
# first XXXX on each line is replaced; check the result if the template can
# hold the placeholder twice on one line.
sed -i 's/XXXX/example3.com/' example3.com
cd ../sites-enabled/
# With no link name given, ln creates the link in the current directory
# (sites-enabled) under the same file name.
ln -s /etc/nginx/sites-available/example3.com
# Document root for the new site.
mkdir -p /var/www/example3.com/html

# Validate the configuration before restarting so a bad template edit does not
# take the other sites down.
sudo nginx -t
sudo systemctl restart nginx