From f83602c1c48c87a45965502b77137c8e62936ff3 Mon Sep 17 00:00:00 2001
From: Alex Thomassen
Date: Tue, 27 Dec 2022 19:39:45 +0100
Subject: [PATCH] Update with more modern parameters
---
 000-default.conf | 2 +-
 generate-dhparams.sh | 10 ++++++++--
 phpfpm.conf | 2 +-
 setup.sh | 13 +++++++++++--
 4 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/000-default.conf b/000-default.conf
index aa089b8..7df84fc 100644
--- a/000-default.conf
+++ b/000-default.conf
@@ -42,7 +42,7 @@ server {
 location = /favicon.ico { access_log off; log_not_found off; }
 location = /robots.txt { access_log off; log_not_found off; }
-# Uncomment for PHP support (check /etc/nginx/phpfpm.conf), assumes PHP 7.2 FPM is installed.
+# Uncomment for PHP support (check /etc/nginx/phpfpm.conf), assumes PHP 8.1 FPM is installed.
 # include phpfpm.conf;
 access_log /var/log/nginx/default-access.log combined;
diff --git a/generate-dhparams.sh b/generate-dhparams.sh
index 19ee692..0cc0b14 100644
--- a/generate-dhparams.sh
+++ b/generate-dhparams.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
+
+BITS=2048;
+
+if [[ ! -z "$1" ]]; then
+    BITS=$1;
+fi
+
 sudo touch /etc/nginx/dhparams.pem
 sudo chmod 700 /etc/nginx/dhparams.pem
-# 4096 would also work here:
-sudo openssl dhparam -out /etc/nginx/dhparams.pem 2048
\ No newline at end of file
+sudo openssl dhparam -out /etc/nginx/dhparams.pem $BITS
\ No newline at end of file
diff --git a/phpfpm.conf b/phpfpm.conf
index 4ea73e6..5681711 100644
--- a/phpfpm.conf
+++ b/phpfpm.conf
@@ -1,7 +1,7 @@
 location ~ \.php$ {
     try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
diff --git a/setup.sh b/setup.sh
index 06036c9..2b2c00f 100644
--- a/setup.sh
+++ b/setup.sh
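Review bot: In the generate-dhparams.sh hunk, `BITS=$1` accepts any string and the value is then expanded unquoted on the `sudo openssl dhparam` line, so a non-numeric or space-containing argument is handed to openssl under sudo (split into extra arguments) instead of being rejected. Validate before use and quote the expansion: add `[[ "$BITS" =~ ^[0-9]+$ ]] || { echo "dhparams bit size must be an integer: $BITS" >&2; exit 1; }` after the `if` block, and write the last line as `sudo openssl dhparam -out /etc/nginx/dhparams.pem "$BITS"`. `[[ ! -z "$1" ]]` reads more naturally as `[[ -n "$1" ]]`, and the trailing `;` on the assignment lines are unnecessary in bash. The default of 2048 here also differs from the 4096 that setup.sh passes by default, which deserves a comment on the `BITS=2048` line such as `# used only when no size is given on the command line; setup.sh passes its own`.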
@@ -8,6 +8,7 @@ NGINX="/etc/nginx"
 SSL_BASE="/srv/ssl"
 DEFAULT_DIR="$NGINX/conf.d";
 DEFAULT_NAME="000-default.conf";
+DH_PARAMS_BITS=4096;
 help() {
@@ -18,6 +19,7 @@ OPTIONS:
     -h      Shows helptext
     -a      Installs acme.sh and downloads "bootstrapping" files.
     -d      Downloads the $DEFAULT_NAME file into $DEFAULT_DIR
+    -b      Use 4096 bits for dhparams (default: $DH_PARAMS_BITS)
 EOF
 }
@@ -35,6 +37,10 @@ while getopts "had" opt; do
         DOWNLOAD_DEFAULT=1;
         echo "Downloading 000-default.conf to /etc/nginx/conf.d";
         ;;
+    b)
+        DH_PARAMS_BITS=4096;
+        echo "Using 4096 bits for dhparams";
+        ;;
     \?)
         echo "Invalid option: -$OPTARG" >&2
         exit 1
@@ -83,12 +89,15 @@ curl -L "$GIST/ssl_params.conf" > "$NGINX/ssl_params.conf"
 # Get the base reverse proxy configuration
 curl -L "$GIST/proxy_params" > "$NGINX/proxy_params"
-# Get the PHP 7.4 FPM configuration (not enabled by default)
+# Get the PHP 8.1 FPM configuration (not enabled by default)
 # You also need to install PHP before enabling it.
 curl -L "$GIST/phpfpm.conf" > "$NGINX/phpfpm.conf"
 # Get the dhparams file generation script, and execute.
-curl -L "$GIST/generate-dhparams.sh" | sudo bash
+DH_PARAMS_TEMP="$(mktemp)";
+curl -L "$GIST/generate-dhparams.sh" -o "${DH_PARAMS_TEMP}";
+sudo bash "${DH_PARAMS_TEMP}" $DH_PARAMS_BITS;
+rm "${DH_PARAMS_TEMP}";
 # Check if systemd is installed and enable the service.
 # Since I usually just install stock Debian with systemd, this may not be required.
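Review bot: The new `b)` case in the hunk at line 35 is unreachable, because the `getopts "had"` option string shown in that hunk's header is not touched by this commit, so `-b` falls through to `\?)` and the script exits with "Invalid option: -b". The option is also a no-op as written: `DH_PARAMS_BITS` already defaults to 4096 in the hunk at line 8, and the help text added in the hunk at line 18 advertises "(default: 4096)" for a flag whose only effect is to set 4096. Either lower the default to 2048 (the value generate-dhparams.sh itself falls back to) or make the flag take a value: `while getopts "hadb:" opt; do`, with `DH_PARAMS_BITS="$OPTARG";` and `echo "Using $DH_PARAMS_BITS bits for dhparams";` in the case body, and reword the help line to match.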
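Review bot: In the hunk at line 83 the downloaded script is run with `sudo bash` whether or not the download succeeded: without `-f` curl writes an HTTP error body to the temp file and exits 0, and a non-zero curl exit is not checked either, so the `sudo bash` line executes whatever ended up in `${DH_PARAMS_TEMP}`. Fail closed on the download: `curl -fsSL "$GIST/generate-dhparams.sh" -o "${DH_PARAMS_TEMP}" || { echo "failed to download generate-dhparams.sh" >&2; exit 1; }`. The temp file is also left behind if the script aborts between `mktemp` and `rm`; `trap 'rm -f "${DH_PARAMS_TEMP}"' EXIT` directly after the `mktemp` line covers that, and `$DH_PARAMS_BITS` should be quoted on the `sudo bash` line for consistency with the other expansions in the hunk. These lines are top-level statements, not inside a function.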