
Support #622

Updated by Daniel Curtis about 9 years ago

{{>toc}} 

 Here is a procedure to install a FreeBSD server with an Nginx, PostgreSQL and PHP stack. If a different version of any package is needed, replace the version in the commands accordingly. 

 h1. Prepare the Environment 

 * Before installation of the components, make sure everything is up to date using the following command: 
 <pre> 
 pkg update -f && pkg upgrade 
 </pre> 

 * Install portmaster: 
 <pre> 
 cd /usr/ports/ports-mgmt/portmaster 
 make install clean 
 pkg2ng 
 </pre> 

 * Edit the @/etc/hosts@ file  
 <pre> 
 vi /etc/hosts 
 </pre> 
 #* And add/modify the following line: 
 <pre> 
 192.168.1.100                 www.example.com 
 </pre> 

 --- 

 h1. Install Nginx 

 * Install Nginx 
 <pre> 
 portmaster www/nginx 
 </pre> 

 * Start and enable nginx at boot: 
 <pre> 
 echo 'nginx_enable="YES"' >> /etc/rc.conf 
 service nginx start 
 </pre> 


 * Create a configuration directory to make managing individual server blocks easier 
 <pre> 
 mkdir /usr/local/etc/nginx/conf.d 
 </pre> 

 * Edit the main nginx config file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And strip down the config file and add the include statement at the end to make it easier to handle various server blocks: 
 <pre> 
 #user    nobody; 
 worker_processes    1; 
 error_log    /var/log/nginx-error.log; 

 events { 
   worker_connections    1024; 
 } 

 http { 
   include         mime.types; 
   default_type    application/octet-stream; 

   sendfile          on; 
   #tcp_nopush       on; 

   #keepalive_timeout    0; 
   keepalive_timeout    65; 

   #gzip    on; 

   # Load config files from the /usr/local/etc/nginx/conf.d directory 
   include /usr/local/etc/nginx/conf.d/*.conf; 

 } 
 </pre> 

 h2. Default Static Website 

 Start by setting up a simple static website with no server-side code such as PHP or Ruby; just plain HTML, CSS, JavaScript, etc. 

 * Create a directory for the web site: 
 <pre> 
 mkdir /usr/local/www/www.example.com 
 </pre> 

 * Add a *default site server block*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* Add the following: 
 <pre> 
   server { 
     listen         80 default_server; 
     server_name    www.example.com; 

     # the stripped-down nginx.conf above defines no "main" log format, so use the default "combined" format 
     access_log    /var/log/www.example.com.log; 

     location / { 
       root     /usr/local/www/www.example.com; 
       index    index.html index.htm; 
     } 

     # redirect server error pages to the static page /50x.html 
     error_page     500 502 503 504    /50x.html; 
     location = /50x.html { 
       root     /usr/local/www/nginx-dist; 
     } 

   } 
 </pre> 

 --- 

 h1. Install PostgreSQL 9.4 

 * Install PostgreSQL: 
 <pre> 
 portmaster databases/postgresql94-server 
 </pre> 

 * Enable PostgreSQL at boot: 
 <pre> 
 echo 'postgresql_enable="YES"' >> /etc/rc.conf 
 </pre> 

 * Initialize the database: 
 <pre> 
 service postgresql initdb 
 </pre> 

 * Start PostgreSQL: 
 <pre> 
 service postgresql start 
 </pre> 

 h2. Create a new user and database 

 * Connect to the default database as the PostgreSQL service account (older FreeBSD PostgreSQL ports named this account, and the bootstrap superuser role, @pgsql@ instead of @postgres@; check @/etc/passwd@ and substitute the name that exists): 
 <pre> 
 su - postgres 
 psql 
 </pre> 
 #* Set a password for the postgres user: 
 <pre> 
 \password postgres 
 </pre> 
 #* At the @postgres=#@ prompt, create a new database user and a database (note that the statement, password included, is written to @~/.psql_history@ and, if statement logging is enabled, to the server log; clear the history file afterwards or set the password with @\password somepguser@ instead): 
 <pre> 
 CREATE USER somepguser WITH PASSWORD 'somepguserpass'; 
 CREATE DATABASE somepgdatabase OWNER somepguser; 
 </pre> 
 #* Quit from the database 
 <pre> 
 \q 
 </pre> 

 * Exit from the postgres user 
 <pre> 
 exit 
 </pre> 

 * And wrap up by restarting the nginx and postgresql servers: 
 <pre> 
 service nginx restart 
 service postgresql restart 
 </pre> 
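 The passwords set above only matter if @pg_hba.conf@ asks for them, and the file @initdb@ writes uses the @trust@ method for local and loopback connections, so any local process can connect as any role without a password. The following script is an added example, not part of the original page; it assumes the 9.4 port's data directory @/usr/local/pgsql/data@ and rewrites the auth method of active rules to @md5@ (the strongest password method PostgreSQL 9.4 has; use @scram-sha-256@ on 10 and later), then counts what still allows password-less logins. Reload PostgreSQL afterwards so the new rules take effect.

```sh
#!/bin/sh
# Added example, not from the original page. initdb writes a pg_hba.conf whose
# local and loopback rules use the "trust" method, so the passwords set above
# are never asked for. This rewrites the METHOD column of active local/host
# rules from trust (or cleartext "password") to md5, the strongest password
# method in PostgreSQL 9.4 (use scram-sha-256 on 10 and later), and counts
# what still allows password-less logins. The data directory path in the
# usage line is an assumption (the 9.4 port used /usr/local/pgsql/data).
#
# Usage: harden_pg_hba /usr/local/pgsql/data/pg_hba.conf && service postgresql reload

# Rewrite $1 in place, keeping a .bak copy. Comment lines, blank lines and
# trailing comments are preserved; auth options (key=value) after METHOD are
# left alone so "cert clientcert=1" style rules are not damaged.
harden_pg_hba() {
  hba="$1"
  cp "$hba" "$hba.bak" || return 1
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }
    {
      c = ""
      if (match($0, /[ \t]*#.*$/)) { c = substr($0, RSTART); $0 = substr($0, 1, RSTART - 1) }
      if ($1 == "local" || $1 == "host" || $1 == "hostssl" || $1 == "hostnossl") {
        # METHOD is the last field that is not an option of the form key=value
        for (i = NF; i > 1; i--) if ($i !~ /=/) break
        if ($i == "trust" || $i == "password") $i = "md5"
      }
      print $0 c
    }' "$hba.bak" > "$hba"
}

# Number of active rules in $1 that still use "trust".
count_trust_rules() {
  awk '
    /^[ \t]*#/ { next }
    {
      sub(/[ \t]*#.*$/, "")
      if ($1 == "local" || $1 == "host" || $1 == "hostssl" || $1 == "hostnossl") {
        for (i = NF; i > 1; i--) if ($i !~ /=/) break
        if ($i == "trust") n++
      }
    }
    END { print n + 0 }' "$1"
}
```

 After the rewrite, @count_trust_rules@ should print 0; a non-zero result means a rule was written in a form the script did not recognise and needs editing by hand.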

 --- 

 h1. Install PHP 

 PHP support in FreeBSD is very modular, so the base install is quite limited. Support is easily added with the _lang/php56-extensions_ port, which provides a menu-driven interface for selecting extensions. Alternatively, individual extensions can be installed from their own ports. 

 * Install PHP 5.6 and other supporting packages: 
 <pre> 
 portmaster lang/php56 
 </pre> 

 * Install PHP extensions and a few modules: 
 <pre> 
 portmaster lang/php56-extensions databases/php56-pgsql databases/php56-pdo_pgsql www/php56-session 
 </pre> 
 #* *NOTE*: There are many more PHP modules, to search for more PHP modules run: 
 <pre> 
 find /usr/ports/ -name "php56-*" 
 </pre> 
 #* *NOTE*: PHP capabilities can be further extended by using PECL packages, to search for more PECL packages run: 
 <pre> 
 find /usr/ports/ -name "pecl-*" 
 </pre> 

 * Copy the production template into place as the active PHP configuration: 
 <pre> 
 cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini 
 </pre> 
 #* *NOTE*: the production template still leaves @cgi.fix_pathinfo@ at its default of 1 (PHP then falls back to executing the nearest existing file when the requested script path does not exist, which is what makes a request such as @/uploads/image.jpg/x.php@ dangerous behind nginx) and @expose_php@ on; set @cgi.fix_pathinfo=0@ and @expose_php = Off@ in @/usr/local/etc/php.ini@ before starting PHP-FPM. 

 h2. Configure PHP-FPM 

 * Edit @/usr/local/etc/php-fpm.conf@: 
 <pre> 
 vi /usr/local/etc/php-fpm.conf 
 </pre> 
 #* Make the following changes: 
 <pre> 
 events.mechanism = kqueue 
 listen = /var/run/php-fpm.sock 
 listen.owner = www 
 listen.group = www 
 listen.mode = 0660 
 </pre> 

 * Start and enable PHP-FPM at boot: 
 <pre> 
 echo 'php_fpm_enable="YES"' >> /etc/rc.conf 
 service php-fpm start 
 </pre> 

 * Restart nginx: 
 <pre> 
 service nginx restart 
 </pre> 

 h2. PHP Website 

 * Create a directory for the web application: 
 <pre> 
 mkdir /usr/local/www/phpapp.example.com 
 </pre> 

 * Add a *phpapp.example.com server block*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/phpapp.example.com.conf 
 </pre> 
 #* Add the following: 
 <pre> 
 server { 
   listen         80; 
   server_name    phpapp.example.com; 
   root           /usr/local/www/phpapp.example.com; 
   access_log     /var/log/phpapp.example.com-access.log; 
   error_log      /var/log/phpapp.example.com-error.log; 

   location / { 
     index    index.php index.html index.htm; 
   } 

   # For all PHP requests, pass them on to PHP-FPM via FastCGI 
   location ~ \.php$ { 
     # Refuse requests whose script does not exist on disk. Without this (or 
     # cgi.fix_pathinfo=0 in php.ini) a request like /uploads/pic.jpg/x.php 
     # makes PHP fall back to executing pic.jpg as PHP code. 
     try_files $uri =404; 
     fastcgi_split_path_info ^(.+\.php)(/.+)$; 
     fastcgi_pass unix:/var/run/php-fpm.sock; 
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
     fastcgi_param PATH_INFO $fastcgi_path_info; 
     include fastcgi_params; # include extra FCGI params 
   } 

 } 
 </pre> 
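 Whether the server block above is safe depends on settings in @php.ini@ that are easy to miss because the production template leaves them commented out, so PHP silently uses its built-in defaults. The following audit script is an added example, not part of the original page or of PHP; it assumes the path @/usr/local/etc/php.ini@ and checks the handful of settings that matter for PHP-FPM behind nginx, treating a commented-out key as PHP's default rather than as "unset".

```sh
#!/bin/sh
# Added example, not from the original page: audit a php.ini for the settings
# that matter when PHP-FPM sits behind the nginx "location ~ \.php$" block
# above. Keys that are commented out count with PHP's built-in default, which
# is how php.ini-production ends up with cgi.fix_pathinfo=1 even though no
# active line says so. The path in the usage line is an assumption.
#
# Usage: audit_php_ini /usr/local/etc/php.ini   (exit 0 = all checks pass)

# Effective value of key $1 in file $2: the last active "key = value" line
# wins; if there is none, the built-in default $3 is returned.
ini_value() {
  key="$1" file="$2" default="$3"
  v=$(awk -v k="$key" '
    /^[ \t]*[;#]/ { next }                      # comment lines
    {
      line = $0
      sub(/[ \t]*;.*$/, "", line)               # trailing comment
      n = index(line, "=")
      if (n == 0) next                          # [sections] and junk
      lhs = substr(line, 1, n - 1); rhs = substr(line, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", lhs)
      gsub(/^[ \t]+|[ \t]+$/, "", rhs)
      gsub(/^"|"$/, "", rhs)
      if (lhs == k) val = rhs
    }
    END { print val }' "$file")
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$default"; fi
}

# Normalise booleans the way PHP does: 1/On/True/Yes -> 1, anything else -> 0.
ini_bool() {
  case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
    1|on|true|yes) echo 1 ;;
    *)             echo 0 ;;
  esac
}

# Check each key against the value required; "default" is what PHP assumes
# when the key is absent. Prints one FAIL line per bad setting on stderr.
audit_php_ini() {
  f="$1"; rc=0
  for spec in \
    "cgi.fix_pathinfo:1:0" \
    "expose_php:1:0" \
    "display_errors:1:0" \
    "allow_url_include:0:0"
  do
    key=${spec%%:*}; rest=${spec#*:}; def=${rest%%:*}; want=${rest#*:}
    have=$(ini_bool "$(ini_value "$key" "$f" "$def")")
    if [ "$have" != "$want" ]; then
      echo "FAIL $key is $have, want $want" >&2
      rc=1
    fi
  done
  return $rc
}
```

 Run it after every PHP upgrade as well: a new @php.ini-production@ copied over the old file reintroduces the defaults.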

 --- 

 h1. (Extra) Install Phusion Passenger 

 * Install Passenger: 
 <pre> 
 portmaster www/rubygem-passenger 
 </pre> 
 #* *NOTE*: Make sure to enable *@[X]NGINX@* when running @make config@ for _rubygem-passenger_. Enabling *@[X]SYMLINK@* makes upgrading Passenger easier later on. 
 #* *NOTE*: Ruby capabilities can be further extended by using rubygem packages; to search for more packages run: 
 #* *NOTE*: Ruby capabilities can be further extended by using rubygem packages, to search for more packages run: 
 <pre> 
 find /usr/ports/ -name "rubygem-*" 
 </pre> 

 * Reinstall nginx with passenger support: 
 <pre> 
 cd /usr/ports/www/nginx 
 make config 
 portmaster www/nginx 
 </pre> 
 #* *NOTE*: Make sure to enable *@[X]PASSENGER@* while configuring _nginx_ 

 h2. Configure Passenger 

 * Edit the main nginx config file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And add the Passenger config parameters: 
 <pre> 
 #user    nobody; 
 worker_processes    1; 
 error_log    /var/log/nginx-error.log; 

 events { 
   worker_connections    1024; 
 } 

 http { 
   include         mime.types; 
   default_type    application/octet-stream; 

   sendfile          on; 
   #tcp_nopush       on; 

   #keepalive_timeout    0; 
   keepalive_timeout    65; 

   #gzip    on; 

   # Load Phusion Passenger module globally 
   # (the installed version and ruby path will differ; check with: passenger-config --root) 
   passenger_root /usr/local/lib/ruby/gems/2.1/gems/passenger-5.0.6; 
   passenger_ruby /usr/local/bin/ruby21; 
   passenger_max_pool_size 15; 
   passenger_pool_idle_time 300; 

   # Load config files from the /etc/nginx/conf.d directory 
   include /usr/local/etc/nginx/conf.d/*.conf; 

 } 
 </pre> 

 h2. Ruby Website 

 * Create a directory for the web application: 
 <pre> 
 mkdir /usr/local/www/rubyapp.example.com 
 </pre> 

 * Add a *rubyapp.example.com server block*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/rubyapp.example.com.conf 
 </pre> 
 #* Add the following: 
 <pre> 
 server { 
   listen         80; 
   server_name    rubyapp.example.com; 
   root           /usr/local/www/rubyapp.example.com/public; 
   access_log     /var/log/rubyapp.example.com-access.log; 
   error_log      /var/log/rubyapp.example.com-error.log; 

   passenger_enabled on; 
   passenger_user      www; 
   passenger_group     www; 

 } 
 </pre> 


 --- 

 h1. Securing Nginx With SSL 

 * Install OpenSSL: 
 <pre> 
 portmaster security/openssl 
 </pre> 

 Enabling SSL in Nginx is simple. First add the @ssl@ parameter to the server's @listen@ directive, then point @ssl_certificate@ and @ssl_certificate_key@ at the certificate and private key files. 

 * The basic SSL server block should look similar to the following: 
 <pre> 
     server { 
         listen                443 ssl; 
         server_name           www.example.com; 
         ssl_certificate       www.example.com.crt; 
         ssl_certificate_key www.example.com.key; 
         ... 
     } 
 </pre> 

 * Setup the Diffie-Hellman Key Exchange Parameters 
 <pre> 
 cd /usr/local/etc/nginx 
 openssl dhparam -out dhparam.pem 4096 
 </pre> 

 * Generate a strong private key and a CSR to send to a CA for signing (run this with a restrictive umask, e.g. @umask 077@, so the key file is not created world-readable, and keep it owned by root): 
 <pre> 
 cd /usr/local/etc/nginx 
 openssl req -sha512 -out www.example.com.csr -new -newkey rsa:4096 -nodes -keyout www.example.com.key 
 </pre> 
 #* If the received SSL certificate requires additional bundle certificates, add them together like so: 
 <pre> 
 cd /usr/local/etc/nginx 
 cat www.example.com.crt www.example.com.bundle > www.example.com.chained.crt 
 </pre> 

 * Setup the default site configuration: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* Then add or modify the configuration to look similar to the following (OCSP stapling additionally needs a @resolver@ directive and, for @ssl_stapling_verify@, an @ssl_trusted_certificate@ holding the CA chain; without them nginx logs a warning and serves no stapled response): 
 <pre> 
 server { 
   listen 80;  
   listen 443 ssl default_server; 
   server_name www.example.com; 

   # SSL key/cert (use the chained file if the CA supplied a bundle) 
   ssl_certificate /usr/local/etc/nginx/www.example.com.crt; 
   ssl_certificate_key /usr/local/etc/nginx/www.example.com.key; 

   # Strong SSL configuration 
   ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
   # TLS 1.0 and 1.1 are deprecated (RFC 8996); add TLSv1.3 if nginx and OpenSSL support it 
   ssl_protocols TLSv1.2; 
   ssl_session_cache    builtin:1000    shared:SSL:10m; 
   # stapling needs a resolver directive and ssl_trusted_certificate (CA chain) to work 
   ssl_stapling on; 
   ssl_stapling_verify on; 
   ssl_prefer_server_ciphers on; 
   ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
   add_header Strict-Transport-Security "max-age=63072000"; 
   add_header X-Frame-Options SAMEORIGIN; 
   add_header X-Content-Type-Options nosniff; 

   # serve only this site's document root; a root of /usr/local/www with 
   # autoindex on would list (and hand out the source of) every other vhost 
   root /usr/local/www/www.example.com; 
   index index.html index.htm; 
   autoindex off; 

   # Uncomment to force HTTPS 
 #    if ($scheme = http) { 
 #      return 301 https://$server_name$request_uri; 
 #    } 

 } 
 </pre> 

 h2. Certificate Bundles 

 Some browsers may reject a certificate even though it was signed by a well-known certificate authority, while others accept it without complaint. This happens when the issuing authority signed the server certificate with an intermediate certificate that is not present in the trust store shipped with a particular browser. In that case the authority provides a bundle of intermediate certificates which must be concatenated to the signed server certificate so the server sends the complete chain. 

 * The server certificate must appear before the chained certificates in the combined file: 
 <pre> 
 cat www.example.com.crt bundle.crt > www.example.com.chained.crt 
 </pre> 

 * The resulting file should be used in the ssl_certificate directive: 
 <pre> 
     server { 
         listen                443 ssl; 
         server_name           www.example.com; 
         ssl_certificate       www.example.com.chained.crt; 
         ssl_certificate_key www.example.com.key; 
         ... 
     } 
 </pre> 
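 The key generation step and the bundle assembly above each have a silent failure mode: a key written with the default umask is briefly world-readable, a CSR regenerated against a different key yields a certificate nginx refuses to load, and a chained file with the wrong or missing intermediate looks fine locally but fails in browsers. The following functions are an added example, not part of the original page; hostnames, paths and key sizes are assumptions, and the CA file argument is only needed when the trust anchor is not in the system store.

```sh
#!/bin/sh
# Added example, not part of the original page: create the server key and CSR
# so the key is never world-readable, prove key and CSR/certificate belong
# together, and assemble the chained certificate nginx expects while checking
# that the intermediate bundle actually completes the chain. Hostnames, paths
# and key sizes are assumptions for illustration.
#
# Usage: make_key_and_csr www.example.com /usr/local/etc/nginx
#        build_and_verify_chain www.example.com.crt www.example.com.bundle www.example.com.chained.crt

# Generate a private key and CSR for hostname $1 in directory $2 (key size $3,
# default 4096). umask 077 makes the key 0600 from the moment it is written,
# instead of chmod-ing it after it briefly existed with the default 0644.
make_key_and_csr() {
  host="$1" dir="$2" bits="${3:-4096}"
  ( umask 077 && openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
      -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" \
      >/dev/null 2>&1 ) || return 1
  # Fail unless the key ended up with exactly mode 0600.
  [ -n "$(find "$dir/$host.key" -perm 600)" ]
}

# Compare the public key inside $1 (private key) with the one in $2 (a .csr
# or a certificate). A mismatch means the CSR was regenerated, or the CA
# returned a certificate for a different key, and nginx will refuse to start.
same_pubkey() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  case "$2" in
    *.csr) c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)     c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
  esac
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Write leaf + intermediates to $3 (leaf first: nginx reads the first PEM
# block as the server certificate) and verify that the intermediates in $2
# really chain $1 up to a trust anchor. $4 is a CA file; omit it to use the
# system trust store, which is closest to what a browser does.
build_and_verify_chain() {
  cat "$1" "$2" > "$3" || return 1
  if [ -n "${4:-}" ]; then
    openssl verify -CAfile "$4" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
  fi
}

# Subject of the first certificate in a (chained) PEM file; it must be the
# server certificate, not an intermediate.
first_subject() {
  openssl x509 -in "$1" -noout -subject
}
```

 @openssl verify@ only proves the chain is well formed against the given trust anchor; browsers may still differ in which roots they ship, so test the deployed site with an external TLS checker as well.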

 h1. Resources 

 * http://www.bsdnow.tv/tutorials/nginx 
 * http://forums.freebsd.org/viewtopic.php?t=30268 
 * https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
