Updated 20-Sep-2023
It is a good idea to get PHP and MariaDB on Debian set up before Nginx (except the PhpMyAdmin which can come after).
Related Artices in Debian Services and Applications - Debian on AWS Lightsail - OpenVPN on Debian + UFW Firewall - Nginx and Letsencrypt on Debian - PHP & MariaDB on Debian
- Grav CMS on Debian
Install Nginx
Edit the /etc/apt/sources.list to add the Nginx repostitory
nano /etc/apt/sources.list
Add the following repository (currently for Debian 9/Stretch)
deb http://nginx.org/packages/mainline/debian/ stretch nginx
Download and install the key for the repository
wget https://nginx.org/keys/nginx_signing.key
sudo apt-key add nginx_signing.key
Remove nginx-common, update apt and install nginx
sudo apt-get remove -y nginx-common
sudo apt-get update -y
sudo apt-get install -y nginx
Systemd / Nginx Race Condition
There is a known race condition, with a workaround as follows:
mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
Edit /etc/nginx/sites-available/default
Note: these edits are not comprehensive, just to get certbot working. Uncomment the following lines:
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
...
location / {
...
try_files $uri $uri/ =404;
}
Where it says server_name _; change _ to an appropriate fqdn that has an appropriate A record.
Save and restart the nginx:
service nginx restart
Letsencrypt Certbot
sudo apt-get update
sudo apt-get install -y python-certbot-nginx certbot -t stretch-backports
Run letsencrypt (automatic)
certbot
Test access from a browser.
HSTS Preload
Browsers have a list of servers that require https/ssl. Add sites to the list. Two things are required: 80 to 443 redirect, and an hsts header. For the redirect, add this server configuration:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
For the HSTS header, this needs to be added to each server. Can simply be added after the listen 443 ssl; line:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Nginx Info
Nginx has become the standard for much of the web, for the basic standard reason it is not creaky old (though of course still lovable) Apache. However, before we get too far ahead of ourselves, let's recall exactly what we need to know about Nginx in order for it to work as well as Apache:
- Installation
- Configuration files
- Support of SSL / LetsEncrypt
- SFTP/SCP access to file system (and file rights + ownership)
- Multiple virtual servers / directories
- Mimetypes
- Support for PHP
- Threading
- .htaccess and related
Standard or default files and directories as follows:
/etc/nginx- application directory/etc/nginx/nginx.conf- main configuration file/usr/share/nginx/html- default website root directory - noted ashtmlin nginx.conf/var/log/nginx/error.log- error log/var/log/nginx/access.log- access log/etc/nginx/mime.types- mime types/etc/php.ini- php configuration file
Nginx / PHP-FPM Security Issues
There are significant issues with PHP-FPM in terms of keeping site caching partitioned when using multiple websites/virtual sites. Opcache should be turned off and individual users should be in charge of a different php-fpm process for each site. How to do this is not listed here (just yet).