FreeBSD ➔ NGinx



Lizenz: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
Letzte Aktualisierung:
Veröffentlicht:
Verfasser: Markus Kohlmeyer
Beitragender: Olaf Uecker


Zu den Voraussetzungen für dieses HowTo siehe bitte: FreeBSD ➔ WebHosting System ➔ Voraussetzungen

Einleitung

Unser WebHosting System wird um folgende Dienste erweitert.

  • NGinx 1.14.0 (HTTP/2, Brotli-Kompression über das dynamische Modul ngx_brotli)

Installation

WICHTIG Der Rest des HowTo ist derzeit nicht auf das Zusammenspiel mit NGinx abgestimmt, daher ist die Verwendung von Apache aktuell zu bevorzugen. NGinx bietet zudem auch keinen wirklichen Mehrwert gegenüber Apache, so dass Apache generell bevorzugt werden sollte. Die hier gezeigte Konfiguration ist nicht ausreichend getestet, enthält möglicherweise sicherheitsrelevante Fehler und wird daher in keiner Weise unterstützt. Die Verwendung von NGinx erfolgt ausschliesslich auf eigenes Risiko und ohne weitere Unterstützung durch dieses HowTo.

WICHTIG Der RootService CertBot Wrapper welchen wir später in FreeBSD ➔ WebHosting System ➔ Sicherheit ➔ CertBot installieren, ist derzeit nicht mit NGinx kompatibel. Aus diesem Grund müssen bei Verwendung von NGinx der CertBot Wrapper für Apache konfiguriert und die Zertifikats-Konfigurationen in der NGinx vhosts-ssl.conf von Hand angepasst werden (siehe Apache vhosts-ssl.conf für die Details).

Wir installieren www/nginx und dessen Abhängigkeiten.

# Pre-seed the ports options for www/nginx so that `make config-recursive`
# below does not prompt interactively. Only the options this HowTo relies on
# are switched on (HTTP/2, TLS, Brotli, DSO so the brotli filters can be
# load_module'd, plus a handful of core HTTP_* modules); everything else stays
# off to keep build dependencies and the exposed code surface small.
# NOTE(review): HTTP_DAV and HTTP_STATUS are enabled although none of the
# vhosts below configure dav_methods or stub_status - disable them if unused.
mkdir -p /var/db/ports/www_nginx
# _OPTIONS_READ records the port version these choices were made for. When the
# port's option list changes with a newer version, make config prompts again;
# review the new defaults instead of accepting them blindly.
cat > /var/db/ports/www_nginx/options << "EOF"
_OPTIONS_READ=nginx-1.14.0
_FILE_COMPLETE_OPTIONS_LIST=DSO DEBUGLOG FILE_AIO GOOGLE_PERFTOOLS HTTP HTTP_ADDITION HTTP_AUTH_REQ HTTP_CACHE HTTP_DAV HTTP_FLV HTTP_GEOIP HTTP_GZIP_STATIC HTTP_GUNZIP_FILTER HTTP_IMAGE_FILTER HTTP_MP4 HTTP_PERL HTTP_RANDOM_INDEX HTTP_REALIP HTTP_REWRITE HTTP_SECURE_LINK HTTP_SLICE HTTP_SSL HTTP_STATUS HTTP_SUB HTTP_XSLT MAIL MAIL_IMAP MAIL_POP3 MAIL_SMTP MAIL_SSL HTTPV2 NJS STREAM STREAM_SSL STREAM_SSL_PREREAD WWW AJP AWS_AUTH CACHE_PURGE CLOJURE CT ECHO FASTDFS HEADERS_MORE HTTP_ACCEPT_LANGUAGE HTTP_AUTH_DIGEST HTTP_AUTH_KRB5 HTTP_AUTH_LDAP HTTP_AUTH_PAM HTTP_DAV_EXT HTTP_EVAL HTTP_FANCYINDEX HTTP_FOOTER HTTP_GEOIP2 HTTP_JSON_STATUS HTTP_MOGILEFS HTTP_MP4_H264 HTTP_NOTICE HTTP_PUSH HTTP_PUSH_STREAM HTTP_REDIS HTTP_RESPONSE HTTP_SUBS_FILTER HTTP_TARANTOOL HTTP_UPLOAD HTTP_UPLOAD_PROGRESS HTTP_UPSTREAM_CHECK HTTP_UPSTREAM_FAIR HTTP_UPSTREAM_STICKY HTTP_VIDEO_THUMBEXTRACTOR HTTP_ZIP ARRAYVAR BROTLI DRIZZLE DYNAMIC_UPSTREAM ENCRYPTSESSION FORMINPUT GRIDFS ICONV LET LUA MEMC MODSECURITY MODSECURITY3 NAXSI PASSENGER POSTGRES RDS_CSV RDS_JSON REDIS2 RTMP SET_MISC SFLOW SHIBBOLETH SLOWFS_CACHE SMALL_LIGHT SRCACHE XSS
OPTIONS_FILE_SET+=DSO
OPTIONS_FILE_UNSET+=DEBUGLOG
OPTIONS_FILE_SET+=FILE_AIO
OPTIONS_FILE_UNSET+=GOOGLE_PERFTOOLS
OPTIONS_FILE_SET+=HTTP
OPTIONS_FILE_UNSET+=HTTP_ADDITION
OPTIONS_FILE_SET+=HTTP_AUTH_REQ
OPTIONS_FILE_SET+=HTTP_CACHE
OPTIONS_FILE_SET+=HTTP_DAV
OPTIONS_FILE_UNSET+=HTTP_FLV
OPTIONS_FILE_UNSET+=HTTP_GEOIP
OPTIONS_FILE_SET+=HTTP_GZIP_STATIC
OPTIONS_FILE_SET+=HTTP_GUNZIP_FILTER
OPTIONS_FILE_UNSET+=HTTP_IMAGE_FILTER
OPTIONS_FILE_UNSET+=HTTP_MP4
OPTIONS_FILE_UNSET+=HTTP_PERL
OPTIONS_FILE_UNSET+=HTTP_RANDOM_INDEX
OPTIONS_FILE_SET+=HTTP_REALIP
OPTIONS_FILE_SET+=HTTP_REWRITE
OPTIONS_FILE_UNSET+=HTTP_SECURE_LINK
OPTIONS_FILE_UNSET+=HTTP_SLICE
OPTIONS_FILE_SET+=HTTP_SSL
OPTIONS_FILE_SET+=HTTP_STATUS
OPTIONS_FILE_SET+=HTTP_SUB
OPTIONS_FILE_UNSET+=HTTP_XSLT
OPTIONS_FILE_UNSET+=MAIL
OPTIONS_FILE_UNSET+=MAIL_IMAP
OPTIONS_FILE_UNSET+=MAIL_POP3
OPTIONS_FILE_UNSET+=MAIL_SMTP
OPTIONS_FILE_UNSET+=MAIL_SSL
OPTIONS_FILE_SET+=HTTPV2
OPTIONS_FILE_UNSET+=NJS
OPTIONS_FILE_UNSET+=STREAM
OPTIONS_FILE_UNSET+=STREAM_SSL
OPTIONS_FILE_UNSET+=STREAM_SSL_PREREAD
OPTIONS_FILE_SET+=WWW
OPTIONS_FILE_UNSET+=AJP
OPTIONS_FILE_UNSET+=AWS_AUTH
OPTIONS_FILE_UNSET+=CACHE_PURGE
OPTIONS_FILE_UNSET+=CLOJURE
OPTIONS_FILE_UNSET+=CT
OPTIONS_FILE_UNSET+=ECHO
OPTIONS_FILE_UNSET+=FASTDFS
OPTIONS_FILE_UNSET+=HEADERS_MORE
OPTIONS_FILE_UNSET+=HTTP_ACCEPT_LANGUAGE
OPTIONS_FILE_UNSET+=HTTP_AUTH_DIGEST
OPTIONS_FILE_UNSET+=HTTP_AUTH_KRB5
OPTIONS_FILE_UNSET+=HTTP_AUTH_LDAP
OPTIONS_FILE_UNSET+=HTTP_AUTH_PAM
OPTIONS_FILE_UNSET+=HTTP_DAV_EXT
OPTIONS_FILE_UNSET+=HTTP_EVAL
OPTIONS_FILE_UNSET+=HTTP_FANCYINDEX
OPTIONS_FILE_UNSET+=HTTP_FOOTER
OPTIONS_FILE_UNSET+=HTTP_GEOIP2
OPTIONS_FILE_UNSET+=HTTP_JSON_STATUS
OPTIONS_FILE_UNSET+=HTTP_MOGILEFS
OPTIONS_FILE_UNSET+=HTTP_MP4_H264
OPTIONS_FILE_UNSET+=HTTP_NOTICE
OPTIONS_FILE_UNSET+=HTTP_PUSH
OPTIONS_FILE_UNSET+=HTTP_PUSH_STREAM
OPTIONS_FILE_UNSET+=HTTP_REDIS
OPTIONS_FILE_UNSET+=HTTP_RESPONSE
OPTIONS_FILE_UNSET+=HTTP_SUBS_FILTER
OPTIONS_FILE_UNSET+=HTTP_TARANTOOL
OPTIONS_FILE_UNSET+=HTTP_UPLOAD
OPTIONS_FILE_UNSET+=HTTP_UPLOAD_PROGRESS
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_CHECK
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_FAIR
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_STICKY
OPTIONS_FILE_UNSET+=HTTP_VIDEO_THUMBEXTRACTOR
OPTIONS_FILE_UNSET+=HTTP_ZIP
OPTIONS_FILE_UNSET+=ARRAYVAR
OPTIONS_FILE_SET+=BROTLI
OPTIONS_FILE_UNSET+=DRIZZLE
OPTIONS_FILE_UNSET+=DYNAMIC_UPSTREAM
OPTIONS_FILE_UNSET+=ENCRYPTSESSION
OPTIONS_FILE_UNSET+=FORMINPUT
OPTIONS_FILE_UNSET+=GRIDFS
OPTIONS_FILE_UNSET+=ICONV
OPTIONS_FILE_UNSET+=LET
OPTIONS_FILE_UNSET+=LUA
OPTIONS_FILE_UNSET+=MEMC
OPTIONS_FILE_UNSET+=MODSECURITY
OPTIONS_FILE_UNSET+=MODSECURITY3
OPTIONS_FILE_UNSET+=NAXSI
OPTIONS_FILE_UNSET+=PASSENGER
OPTIONS_FILE_UNSET+=POSTGRES
OPTIONS_FILE_UNSET+=RDS_CSV
OPTIONS_FILE_UNSET+=RDS_JSON
OPTIONS_FILE_UNSET+=REDIS2
OPTIONS_FILE_UNSET+=RTMP
OPTIONS_FILE_UNSET+=SET_MISC
OPTIONS_FILE_UNSET+=SFLOW
OPTIONS_FILE_UNSET+=SHIBBOLETH
OPTIONS_FILE_UNSET+=SLOWFS_CACHE
OPTIONS_FILE_UNSET+=SMALL_LIGHT
OPTIONS_FILE_UNSET+=SRCACHE
OPTIONS_FILE_UNSET+=XSS
"EOF"

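# Build and install the port with the pre-seeded options. `&&` makes the chain
# stop if the port directory is missing, so make is never run elsewhere.
cd /usr/ports/www/nginx && make config-recursive all install clean-depends clean

# sysrc(8) sets rc.conf variables idempotently; re-running this HowTo does not
# pile up duplicate lines in /etc/rc.conf the way `echo >>` would.
sysrc nginx_enable="YES"
sysrc nginxlimits_enable="YES"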

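mkdir -p /usr/local/etc/newsyslog.conf.d
# Rotate the nginx logs with newsyslog(8). The file is written with `>` (not
# `>>`) so re-running this HowTo cannot leave duplicate entries behind, which
# would make newsyslog process the same logs twice per run.
# Fields (newsyslog.conf(5)): path  mode  count  size  when  flags  pidfile
#   flags: J = bzip2-compress, C = create the log if missing, G = path is a glob
#   when:  $W6D0 = weekly, Saturday 00:00; $M1D0 = monthly, 1st at 00:00
# Mode 644 leaves client IPs and request paths readable by every local user;
# use 640 if other accounts on this host must not see them.
cat > /usr/local/etc/newsyslog.conf.d/nginx << "EOF"
/var/log/nginx/*.log                    644  13    *    $W6D0 JCG   /var/run/nginx.pid
/data/www/vhosts/*/logs/nginx_*_log     644  24    *    $M1D0 JCG   /var/run/nginx.pid
"EOF"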

Konfiguration

Verzeichnisse für die ersten VirtualHosts erstellen.

# Shared cache/tmp directories. 1777 (world-writable + sticky bit) is only
# needed if processes running as users other than www write here (e.g.
# per-vhost PHP-FPM pools, which this HowTo does not show). If only nginx and
# the fpm_www pool use them, 1770 is the least-privilege choice.
mkdir -p /data/www/{cache,tmp}
chmod 1777 /data/www/{cache,tmp}
chown www:www /data/www/{cache,tmp}

# Separate ACME webroot. None of the nginx vhosts below reference it (they
# serve <vhost>/data/.well-known); presumably used by the CertBot wrapper.
mkdir -p /data/www/acme/.well-known

# NOTE: the {a,b} brace expansion used below needs a shell that implements it
# (tcsh, bash); FreeBSD's /bin/sh does not - check with `echo {a,b}` first.
# Per-vhost layout: logs/ (opened by the nginx master as root, stays root-owned)
# and data/ (docroot, 0750 www:www so only user/group www can traverse it).
# chown is not recursive, so data/.well-known itself remains root-owned 0755.
mkdir -p /data/www/vhosts/_{default,localhost}_/logs
mkdir -p /data/www/vhosts/_{default,localhost}_/data/.well-known
chmod 0750 /data/www/vhosts/_{default,localhost}_/data
chown www:www /data/www/vhosts/_{default,localhost}_/data

mkdir -p /data/www/vhosts/mail.example.com/logs
mkdir -p /data/www/vhosts/mail.example.com/data/.well-known
chmod 0750 /data/www/vhosts/mail.example.com/data
chown www:www /data/www/vhosts/mail.example.com/data

mkdir -p /data/www/vhosts/www.example.com/logs
mkdir -p /data/www/vhosts/www.example.com/data/.well-known
chmod 0750 /data/www/vhosts/www.example.com/data
chown www:www /data/www/vhosts/www.example.com/data

Die folgende Konfiguration verwendet für den localhost den Pfad /data/www/vhosts/_localhost_, für den Default-Host den Pfad /data/www/vhosts/_default_ und für die regulären Virtual-Hosts den Pfad /data/www/vhosts/sub.domain.tld.

nginx.conf einrichten.

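cat > /usr/local/etc/nginx/nginx.conf << "EOF"
user  www  www;
# Brotli was built as a dynamic module (DSO option); both .so files must be
# present or nginx refuses to start.
load_module  /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module  /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include  mime.types;
    default_type  application/octet-stream;
    # Local resolver; nginx needs it for the OCSP stapling lookups below.
    resolver  127.0.0.1;
    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens  off;
    sendfile  on;
    tcp_nopush  on;
    aio  on;
    # Default-closed: a location is only reachable if it says "allow all"
    # itself (see vhosts.conf / defaults.conf).
    deny  all;
    etag  off;
    charset  utf-8;
    charset_types  application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/schema+json application/vnd.geo+json application/x-javascript application/x-web-app-manifest+json application/xhtml+xml application/xml image/svg+xml text/cache-manifest text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml;
    # NOTE(review): gzip/brotli also compress dynamic (PHP) responses. Over TLS
    # that exposes secrets in the body to BREACH-style attacks whenever an
    # attacker controls part of the same response; restrict compression to
    # static content if that applies to the hosted applications.
    gzip  on;
    gzip_vary  on;
    gzip_comp_level  6;
    gzip_types  application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/schema+json application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-javascript application/x-web-app-manifest+json application/xhtml+xml application/xml font/eot font/opentype image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon text/cache-manifest text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml;
    brotli  on;
    brotli_comp_level  6;
    brotli_types  application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/schema+json application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-javascript application/x-web-app-manifest+json application/xhtml+xml application/xml font/eot font/opentype image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon text/cache-manifest text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml;
    # Cache lifetime keyed on the response Content-Type. Types not listed fall
    # back to "default 30d", so responses served as application/octet-stream
    # (the default_type above) are cached for a month as well.
    map $sent_http_content_type $expires {
        default                               30d;
        text/css                              7d;
        application/atom+xml                  1h;
        application/rdf+xml                   1h;
        application/rss+xml                   1h;
        application/xhtml+xml                 0;
        application/json                      0;
        application/ld+json                   0;
        application/schema+json               0;
        application/vnd.geo+json              0;
        application/xml                       0;
        text/xml                              0;
        image/vnd.microsoft.icon              7d;
        image/x-icon                          7d;
        text/html                             0;
        text/markdown                         0;
        application/javascript                7d;
        application/x-javascript              7d;
        text/javascript                       7d;
        application/manifest+json             7d;
        application/x-web-app-manifest+json   0;
        text/cache-manifest                   0;
        audio/ogg                             30d;
        image/bmp                             30d;
        image/gif                             30d;
        image/jpeg                            30d;
        image/png                             30d;
        image/svg+xml                         30d;
        image/webp                            30d;
        video/mp4                             30d;
        video/ogg                             30d;
        video/webm                            30d;
        application/vnd.ms-fontobject         30d;
        font/eot                              30d;
        font/opentype                         30d;
        application/x-font-ttf                30d;
        application/font-woff                 30d;
        application/x-font-woff               30d;
        font/woff                             30d;
        application/font-woff2                30d;
        text/x-cross-domain-policy            7d;
    }
    expires  $expires;
    include  vhosts.conf;
    # OCSP stapling needs the issuer certificate in each vhost's .crt chain
    # (or via ssl_trusted_certificate); without it nginx logs a warning and
    # staples nothing. Add "ssl_stapling_verify on" plus ssl_trusted_certificate
    # if the staple itself should be validated before it is sent.
    ssl_stapling  on;
    ssl_session_tickets  off;
    ssl_session_timeout  10m;
    ssl_session_cache  shared:SSL:10m;
    # TLS 1.0/1.1 are deprecated and have no AEAD suites; offer TLS 1.2+ only.
    # TLSv1.3 takes effect when nginx is linked against OpenSSL 1.1.1 or newer
    # and is ignored otherwise.
    ssl_protocols  TLSv1.2 TLSv1.3;
    # Server-preferred order: forward-secret (ECDHE/DHE) suites only, AEAD
    # first. The trailing *+SHA1 CBC suites remain for old TLS 1.2 clients;
    # HTTP/2 user agents refuse them anyway (RFC 7540 section 9.2.2).
    ssl_ciphers  EECDH+ECDSA+CHACHA20:EECDH+CHACHA20:EECDH+ECDSA+AESGCM+AES256:EECDH+AESGCM+AES256:EECDH+ECDSA+AESGCM+AES128:EECDH+AESGCM+AES128:EECDH+ECDSA+AES256+SHA384:EECDH+AES256+SHA384:EECDH+ECDSA+AES128+SHA256:EECDH+AES128+SHA256:EECDH+ECDSA+AES256+SHA1:EECDH+AES256+SHA1:EECDH+ECDSA+AES128+SHA1:EECDH+AES128+SHA1:EDH+CHACHA20:EDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AES256+SHA256:EDH+AES128+SHA256:EDH+AES256+SHA1:EDH+AES128+SHA1:!CAMELLIA:!SEED:!IDEA:!RC2:!RC4:!3DES:!DES:!kRSA:!kSRP:!kPSK:!kGOST:!kECDHr:!kECDHe:!kDHr:!kDHd:!aDSS:!aNULL:!eNULL:!MEDIUM:!LOW:!EXPORT;
    ssl_prefer_server_ciphers  on;
    include  vhosts-ssl.conf;
}
"EOF"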

vhosts.conf einrichten.

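cat > /usr/local/etc/nginx/vhosts.conf << "EOF"
    # Catch-all for requests without a matching Host header (default_server)
    # and for "localhost"; these land in the _localhost_ docroot.
    server {
        listen  8080 default_server;
        server_name  localhost "";
        error_log  /data/www/vhosts/_localhost_/logs/nginx_error_log;
        access_log  /data/www/vhosts/_localhost_/logs/nginx_access_log  combined;
        root  /data/www/vhosts/_localhost_/data;
        index  index.html index.htm index.php;
        include  headers.conf;
        location / {
            allow  all;
        }
        # Regex locations match in configuration order, so the rules from
        # defaults.conf are tried before the PHP handler below.
        include  defaults.conf;
        location ~ ^(.+\.phps?)(/.*)?$ {
            fastcgi_split_path_info  ^(.+\.phps?)(/.*)?$;
            # try_files clears $fastcgi_path_info, so keep a copy first.
            set  $path_info  $fastcgi_path_info;
            # Hand only scripts that really exist to PHP-FPM. Without this
            # check a request like /uploads/x.jpg/y.php makes FPM (with
            # cgi.fix_pathinfo=1) execute x.jpg as PHP.
            try_files  $fastcgi_script_name  =404;
            fastcgi_pass  unix:/var/run/fpm_www.sock;
            fastcgi_index  index.php;
            # $document_root follows "root" above, so the two cannot drift apart.
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $path_info;
            include  fastcgi_params;
            allow  all;
        }
    }
    server {
        listen  8080;
        server_name  devnull.example.com;
        error_log  /data/www/vhosts/_default_/logs/nginx_error_log;
        access_log  /data/www/vhosts/_default_/logs/nginx_access_log  combined;
        root  /data/www/vhosts/_default_/data;
        index  index.html index.htm index.php;
        include  headers.conf;
        location / {
            allow  all;
        }
        include  defaults.conf;
        location ~ ^(.+\.phps?)(/.*)?$ {
            fastcgi_split_path_info  ^(.+\.phps?)(/.*)?$;
            set  $path_info  $fastcgi_path_info;
            # Reject non-existent scripts before they reach PHP-FPM (path-info spoofing).
            try_files  $fastcgi_script_name  =404;
            fastcgi_pass  unix:/var/run/fpm_www.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $path_info;
            include  fastcgi_params;
            allow  all;
        }
    }
    server {
        listen  8080;
        server_name  mail.example.com;
        error_log  /data/www/vhosts/mail.example.com/logs/nginx_error_log;
        access_log  /data/www/vhosts/mail.example.com/logs/nginx_access_log  combined;
        root  /data/www/vhosts/mail.example.com/data;
        index  index.html index.htm index.php;
        include  headers.conf;
        location / {
            allow  all;
        }
        include  defaults.conf;
        location ~ ^(.+\.phps?)(/.*)?$ {
            fastcgi_split_path_info  ^(.+\.phps?)(/.*)?$;
            set  $path_info  $fastcgi_path_info;
            # Reject non-existent scripts before they reach PHP-FPM (path-info spoofing).
            try_files  $fastcgi_script_name  =404;
            fastcgi_pass  unix:/var/run/fpm_www.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $path_info;
            include  fastcgi_params;
            allow  all;
        }
    }
    server {
        listen  8080;
        server_name  www.example.com;
        error_log  /data/www/vhosts/www.example.com/logs/nginx_error_log;
        access_log  /data/www/vhosts/www.example.com/logs/nginx_access_log  combined;
        root  /data/www/vhosts/www.example.com/data;
        index  index.html index.htm index.php;
        include  headers.conf;
        location / {
            allow  all;
        }
        include  defaults.conf;
        location ~ ^(.+\.phps?)(/.*)?$ {
            fastcgi_split_path_info  ^(.+\.phps?)(/.*)?$;
            set  $path_info  $fastcgi_path_info;
            # Reject non-existent scripts before they reach PHP-FPM (path-info spoofing).
            try_files  $fastcgi_script_name  =404;
            fastcgi_pass  unix:/var/run/fpm_www.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $path_info;
            include  fastcgi_params;
            allow  all;
        }
    }
"EOF"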

vhosts-ssl.conf einrichten.

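cat > /usr/local/etc/nginx/vhosts-ssl.conf << "EOF"
    # default_server on 8443: clients without SNI or with an unknown hostname
    # land here and are shown the devnull.example.com certificate.
    server {
        listen  8443 default_server ssl http2;
        server_name  localhost "";
        error_log  /data/www/vhosts/_localhost_/logs/nginx_ssl_error_log;
        access_log  /data/www/vhosts/_localhost_/logs/nginx_ssl_access_log  combined;
        ssl_certificate  /data/pki/certs/devnull.example.com.crt;
        ssl_certificate_key  /data/pki/private/devnull.example.com.key;
        root  /data/www/vhosts/_localhost_/data;
        index  index.html index.htm index.php;
        include  headers.conf;
        location / {
            allow  all;
        }
        # Regex locations match in configuration order, so the rules from
        # defaults.conf are tried before the PHP handler below.
        include  defaults.conf;
        location ~ ^(.+\.phps?)(/.*)?$ {
            fastcgi_split_path_info  ^(.+\.phps?)(/.*)?$;
            # try_files clears $fastcgi_path_info, so keep a copy first.
            set  $path_info  $fastcgi_path_info;
            # Hand only scripts that really exist to PHP-FPM. Without this
            # check a request like /uploads/x.jpg/y.php makes FPM (with
            # cgi.fix_pathinfo=1) execute x.jpg as PHP.
            try_files  $fastcgi_script_name  =404;
            fastcgi_pass  unix:/var/run/fpm_www.sock;
            fastcgi_index  index.php;
            # $document_root follows "root" above, so the two cannot drift apart.
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $path_info;
            include  fastcgi_params;
            allow  all;
        }
    }
    server {
        listen  8443 ssl http2;
        server_name  devnull.example.com;
        error_log  /data/www/vhosts/_default_/logs/nginx_ssl_error_log;
        access_log  /data/www/vhosts/_default_/logs/nginx_ssl_access_log  combined;
        ssl_certificate  /data/pki/certs/devnull.example.com.crt;
        ssl_certificate_key  /data/pki/private/devnull.example.com.key;
        root  /data/www/vhosts/_default_/data;
        index  index.html index.htm index.php;
        include  headers.conf;
        location / {
            allow  all;
        }
        include  defaults.conf;
        location ~ ^(.+\.phps?)(/.*)?$ {
            fastcgi_split_path_info  ^(.+\.phps?)(/.*)?$;
            set  $path_info  $fastcgi_path_info;
            # Reject non-existent scripts before they reach PHP-FPM (path-info spoofing).
            try_files  $fastcgi_script_name  =404;
            fastcgi_pass  unix:/var/run/fpm_www.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $path_info;
            include  fastcgi_params;
            allow  all;
        }
    }
    server {
        listen  8443 ssl http2;
        server_name  mail.example.com;
        error_log  /data/www/vhosts/mail.example.com/logs/nginx_ssl_error_log;
        access_log  /data/www/vhosts/mail.example.com/logs/nginx_ssl_access_log  combined;
        ssl_certificate  /data/pki/certs/mail.example.com.crt;
        ssl_certificate_key  /data/pki/private/mail.example.com.key;
        # Was /data/www/vhosts/www.example.com/data (copy-paste error): the
        # docroot must match this vhost and its plain-HTTP counterpart.
        root  /data/www/vhosts/mail.example.com/data;
        index  index.html index.htm index.php;
        include  headers.conf;
        location / {
            allow  all;
        }
        include  defaults.conf;
        location ~ ^(.+\.phps?)(/.*)?$ {
            fastcgi_split_path_info  ^(.+\.phps?)(/.*)?$;
            set  $path_info  $fastcgi_path_info;
            # Reject non-existent scripts before they reach PHP-FPM (path-info spoofing).
            try_files  $fastcgi_script_name  =404;
            fastcgi_pass  unix:/var/run/fpm_www.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $path_info;
            include  fastcgi_params;
            allow  all;
        }
    }
    server {
        listen  8443 ssl http2;
        server_name  www.example.com;
        error_log  /data/www/vhosts/www.example.com/logs/nginx_ssl_error_log;
        access_log  /data/www/vhosts/www.example.com/logs/nginx_ssl_access_log  combined;
        ssl_certificate  /data/pki/certs/www.example.com.crt;
        ssl_certificate_key  /data/pki/private/www.example.com.key;
        root  /data/www/vhosts/www.example.com/data;
        index  index.html index.htm index.php;
        include  headers.conf;
        location / {
            allow  all;
        }
        include  defaults.conf;
        location ~ ^(.+\.phps?)(/.*)?$ {
            fastcgi_split_path_info  ^(.+\.phps?)(/.*)?$;
            set  $path_info  $fastcgi_path_info;
            # Reject non-existent scripts before they reach PHP-FPM (path-info spoofing).
            try_files  $fastcgi_script_name  =404;
            fastcgi_pass  unix:/var/run/fpm_www.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $path_info;
            include  fastcgi_params;
            allow  all;
        }
    }
"EOF"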

defaults.conf und headers.conf einrichten.

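cat > /usr/local/etc/nginx/defaults.conf << "EOF"
        # ACME challenges must stay reachable. "^~" is a prefix match that
        # takes precedence over all regex locations, so the 403 rule below can
        # no longer shadow it (as a later regex location it was never reached).
        location ^~ /.well-known/ { allow all; }
        # Deny any path segment beginning with "." or "_" (.git, .htaccess,
        # _private/...). The regex is anchored at the start of the URI; the
        # unanchored form matched every URI containing a dot, e.g. /index.html.
        location ~* ^/(.+/)*[\._] { return 403; }
"EOF"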

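cat > /usr/local/etc/nginx/headers.conf << "EOF"
        # "always" attaches the headers to 4xx/5xx responses too (the 403 from
        # defaults.conf, error pages); without it nginx adds them only to 2xx/3xx.
        # Caveat: add_header is not merged - a location that declares its own
        # add_header loses every header from this file.
        # CORS: "*" lets any origin read responses from these vhosts cross-site
        # (without credentials). Remove these three lines unless that is wanted.
        add_header  Access-Control-Allow-Methods  "GET, POST, OPTIONS"  always;
        add_header  Access-Control-Allow-Origin  "*"  always;
        add_header  Access-Control-Max-Age  "600"  always;
        # Upgrade-Insecure-Requests is a request header; browsers ignore it in a
        # response. The CSP directive of the same name below does the upgrade.
        add_header  Upgrade-Insecure-Requests  "1"  always;
        add_header  Referrer-Policy  "origin-when-cross-origin"  always;
        # CSP: 'unsafe-inline', 'unsafe-eval' and the blanket https: source give
        # little XSS protection; tighten per application once inline scripts
        # and eval are gone.
        add_header  Content-Security-Policy  "upgrade-insecure-requests; default-src 'self' 'unsafe-inline' 'unsafe-eval' https: wss: data: blob:; form-action 'self' https: wss:; frame-ancestors 'self'; sandbox allow-forms allow-modals allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation"  always;
        # Legacy prefixed variant for old IE/Firefox; same policy.
        add_header  X-Content-Security-Policy  "upgrade-insecure-requests; default-src 'self' 'unsafe-inline' 'unsafe-eval' https: wss: data: blob:; form-action 'self' https: wss:; frame-ancestors 'self'; sandbox allow-forms allow-modals allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation"  always;
        add_header  X-Frame-Options  "SAMEORIGIN"  always;
        add_header  X-Content-Type-Options  "nosniff"  always;
        add_header  X-XSS-Protection  "1; mode=block"  always;
        add_header  X-DNS-Prefetch-Control  "on"  always;
        add_header  X-UA-Compatible  "IE=Edge"  always;
        add_header  X-Download-Options  "noopen"  always;
        add_header  X-Permitted-Cross-Domain-Policies  "none"  always;
        add_header  Timing-Allow-Origin  "*"  always;
        # HSTS: enable once every vhost is served over TLS with a valid
        # certificate (browsers ignore the header on plain-HTTP responses, so
        # sharing this file with the 8080 vhosts is harmless). Start with a
        # short max-age - a wrong HSTS policy locks clients out until it expires.
#        add_header  Strict-Transport-Security  "max-age=300"  always;
#        add_header  P3P  "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"";
"EOF"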

Abschluss

Die Konfiguration sollte zunächst mit `service nginx configtest` geprüft werden; anschließend kann NGinx gestartet werden.

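# Validate the configuration before starting; a syntax error would otherwise
# leave the service down without an obvious hint where it came from.
service nginx configtest && service nginx start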

Über den Autor