We have an Nginx server ready and PHP daemons with tweaked configuration, so… what next? It’s time to secure our websites. With Nginx it’s very simple to run SSL/TLS connections and also HTTP/2 – a faster protocol, great for mobile devices and new web browsers. Like in previous chapters, we will make changes not only to enable secure connections, but also to tweak default settings – be aware, these recommendations will not work with old browsers like Opera 12, Internet Explorer 7 or old Android (2.x) built-in browsers. I don’t think that is any drawback; these browsers have been obsolete for a long time. OK, let’s start with the Nginx configuration.
Yes, it’s something new on this blog – not only PHP, but also Node.js and Vue.js, because I work on a new project and use these technologies. Many, many things are completely new for me, but some of them are not. A good example is form security: we must prevent attackers from making CSRF attacks by using tokens. Simple to say, and now, in the PHP world, very simple in usage – most frameworks and most template systems already have built-in solutions. With Express.js and Vue.js we can use available node modules, but we must still remember a few things. This post is about how to use CSRF protection in that combination.
We’ve already installed the Nginx web server and PHP, run wrappers and configured php.ini settings. The next step will be some small improvements to the global PHP-FPM configuration and also additional settings on the website wrappers. Today we will edit the /etc/php-fpm/version/fpm/php-fpm.conf file. It’s the PHP-FPM main configuration file – not for PHP itself, like php.ini from the last chapter, but for the FastCGI Process Manager. There is no time for unnecessary descriptions, so let’s edit this file.
We already have a configured Nginx web server and PHP-FPM wrapper. It’s time to change the PHP default settings now – the default configuration files from the Ubuntu or Debian repositories aren’t bad, but we can make them better for our needs. In this chapter we will change only one file, php.ini, which should be located in the /etc/php/YOUR_VERSION/fpm/ directory. Of course, feel free to use settings other than those proposed in this blog entry.
I recently posted an entry related to the installation and basic configuration of the Nginx web server. In this chapter we will add the configuration of our website to the server. This time we will no longer have to install any additional packages in the system or use additional external repositories. Everything is limited to editing existing files and optionally creating new ones – just as in Apache, which keeps a configuration for each website. Of course, I’m assuming that you have already installed the Nginx server in accordance with the instructions from the previous chapter. This entry does not concern PHP configuration – that aspect will be discussed in the next chapter.