INITIAL CONFIGURATION of NGINX WEB SERVER on DEBIAN 8.0 JESSIE

update server
ssh root@*hostname*
sudo dpkg-reconfigure locales
sudo apt update
sudo apt upgrade

create new user
adduser *user*

add new user to sudo
usermod -aG sudo *user*
usermod -aG www-data *user*

apt install nano
sudo nano /etc/nanorc
# find and uncomment the following line
set const

sudo nano /etc/sudoers
# (visudo syntax-checks the file before saving; a syntax error here can lock you out of sudo)
# add the following line under 'root'
*user* ALL=(ALL:ALL) ALL

copy public key to the remote server (local machine)
ssh-copy-id *user*@*address* -p 22

disable password authentication and change default ssh port
sudo nano /etc/ssh/sshd_config
# set Port to '*ssh port*'
# set PermitRootLogin to 'no'
# set PasswordAuthentication to 'no'
# confirm PubkeyAuthentication set to 'yes'
# add "AddressFamily inet" to the end of the file
sudo systemctl reload sshd
# keep this session open and confirm a new key-based login on *ssh port* works before continuing

disable root password and console access
sudo passwd -l root
sudo sh -c "echo > /etc/securetty"

disable ipv6
sudo nano /etc/sysctl.conf
# add the following 3 lines to the bottom of the file
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
sudo sysctl -p

set up firewall
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw allow *ssh port*
sudo ufw deny 22
# ufw evaluates rules in order, so the earlier 'allow OpenSSH' rule (22/tcp) still matches before this deny;
# once the new port is confirmed working, remove it with 'sudo ufw delete allow OpenSSH'
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

add swap file
# replace X with _M or _G
# where _ is the amount of system memory in megabytes or gigabytes
sudo fallocate -l X /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo cp /etc/fstab /etc/fstab.bak
sudo echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
sudo sysctl vm.swappiness=10
sudo sysctl vm.vfs_cache_pressure=50
sudo nano /etc/sysctl.conf
# add the following 2 lines to the end of the file
vm.swappiness=10
vm.vfs_cache_pressure=50

enable debian backports
sudo nano /etc/apt/sources.list
# add the following line to the end of the file
deb http://ftp.debian.org/debian jessie-backports main
sudo apt update

install nginx
sudo apt install apt-utils
sudo nano /etc/apt/sources.list
# add the following 2 lines to the end of the file
deb http://nginx.org/packages/mainline/debian/ jessie nginx
deb-src http://nginx.org/packages/mainline/debian/ jessie nginx
sudo wget http://nginx.org/keys/nginx_signing.key
# this key becomes a trust root for package installs: compare its fingerprint with the one published on nginx.org before adding it
sudo apt-key add nginx_signing.key
sudo apt update
sudo apt install nginx
sudo ufw allow "Nginx Full"
sudo systemctl enable nginx

set chown, chgrp, and chmod for nginx webserver
sudo nano /etc/group
# set 'www-data:x:33:' to 'www-data:x:33:*user*'
sudo chown -R www-data:www-data /var/www
sudo chmod -R 775 /var/www
sudo systemctl reload nginx

backup default configuration
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bac
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bac
sudo rm /etc/nginx/sites-available/default

add virtual hosts
sudo mkdir /var/www/*vhost*
sudo chown -R www-data:www-data /var/www/*vhost*
sudo chmod -R 775 /var/www/*vhost*
sudo cp /etc/nginx/sites-available/default.bac /etc/nginx/sites-available/*vhost*
sudo ln -s /etc/nginx/sites-available/*vhost* /etc/nginx/sites-enabled/*vhost*
sudo systemctl reload nginx

install letsencrypt
sudo apt install certbot -t jessie-backports
# perform the following command for each virtual host
sudo certbot certonly --agree-tos --email *email* --hsts --rsa-key-size 4096 --webroot -w /var/www/*vhost* -d *vhost* -d www.*vhost*
sudo certbot renew
sudo apt install cron
sudo crontab -e
# add the following 2 lines to the end of the file
25 5 * * 1 certbot renew >> /var/log/certbot-renew.log
35 5 * * 1 /bin/systemctl reload nginx

configure nginx
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
cd
sudo nano /etc/nginx/sites-available/*vhost*
# replace the file with the following
# BEGIN
map $sent_http_content_type $expires {
  default                 off;
  text/html               epoch;
  text/css                max;
  application/javascript  max;
  ~image/                 max;
}

server {
  listen 80;
  server_name *vhost*;
  return 301 https://www.$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name www.*vhost*;
  ssl_protocols TLSv1.2;
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
  ssl_ecdh_curve secp384r1;
  ssl_prefer_server_ciphers on;
  ssl_certificate /etc/letsencrypt/live/*vhost*/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/*vhost*/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/*vhost*/chain.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_session_timeout 10m;
  reset_timedout_connection on;
  add_header Content-Security-Policy "default-src 'self'; script-src 'self' *.google-analytics.com";
  add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-Frame-Options DENY always;
  add_header X-Xss-Protection 1;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  resolver 208.67.222.222 208.67.220.220 valid=300s;
  resolver_timeout 5s;
  root /var/www/*vhost*;
  index index.html index.htm index.php;
  location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 365d;
  }
  access_log off;
  # note: 'off' is not a recognised value for error_log (nginx writes to a file literally named "off");
  # use 'error_log /dev/null crit;' if it must be silenced, and consider keeping both logs, since they are
  # the primary evidence available when investigating an incident
  error_log off;
  error_page 400 401 402 403 404 /error/4xx;
  error_page 500 501 502 503 504 /error/5xx;
  location ^~ /error/ {
    internal;
    root /var/www/*vhost*;
  }
  location ~ \.php$ {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 256 16k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    include fastcgi_params;
  }
  location '/.well-known/acme-challenge' {
    root /var/www/*vhost*;
  }
}
# END
sudo systemctl restart nginx

optimize nginx
sudo nano /etc/nginx/nginx.conf
# set worker_processes to 'auto' or the number of available cores
# set worker_connections to the amount of system memory in megabytes
# add the following line below worker_connections
use epoll;
# comment out all SSL settings, logging settings, and Gzip settings
# replace the http block with the following
# BEGIN
http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  keepalive_timeout 60;
  keepalive_requests 100000;
  client_body_buffer_size 128k;
  client_max_body_size 10m;
  client_header_buffer_size 1k;
  large_client_header_buffers 4 4k;
  output_buffers 1 32k;
  postpone_output 1460;
  client_header_timeout 3m;
  client_body_timeout 3m;
  send_timeout 3m;
  gzip on;
  gzip_vary on;
  gzip_min_length 10240;
  gzip_proxied expired no-cache no-store private auth;
  gzip_types text/plain text/html text/css text/xml text/javascript application/x-javascript application/xml application/x-font-opentype application/x-font-truetype font/eot font/opentype font/otf;
  gzip_disable "MSIE [1-6]\.";
  sendfile on;
  tcp_nodelay on;
  tcp_nopush on;
  include /etc/nginx/sites-enabled/*;
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
}
# END
sudo systemctl reload nginx

install and configure MYSQL and PHP
# perform one of the following two commands depending on the suitability for mariadb as a mysql replacement
sudo apt install mariadb-server mariadb-client php5-fpm php5-mysql
sudo apt install mysql-server mysql-client php5-fpm php5-mysql
sudo mysql_secure_installation
sudo nano /etc/php5/fpm/php.ini
# uncomment cgi.fix_pathinfo=1 and set it to '0'
sudo nano /etc/php5/fpm/pool.d/www.conf
# set pm to 'static'
# set pm.max_children to '24'
# set listen.mode to '0750'
# set listen.owner to 'nginx'
# set listen.group to 'nginx'
sudo systemctl restart php5-fpm

install fail2ban
sudo apt install fail2ban
sudo apt install sendmail sendmail-bin
sudo nano /etc/fail2ban/jail.conf
# configure bantime
# configure findtime (duration of time to consider multiple login failures to be part of an attack)
# configure maxretry
# configure destemail (email address to receive emails)
# configure sendername (name field of sent emails)
# configure sender (email address to send emails)
# set enabled to 'true' under [ssh-ddos]
# if the ssh port was changed above, also set port to '*ssh port*' in the ssh jails so bans apply to the port actually in use
sudo systemctl stop fail2ban
sudo systemctl start fail2ban

change the server timezone and enable time server
sudo dpkg-reconfigure tzdata
sudo apt install ntp
sudo nano /etc/ntp.conf
# add the following 2 lines to the end of file
server ntp.ubuntu.com
server pool.ntp.org

enable unattended upgrades
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
# non-critical servers may be set to automatically reboot if desired
sudo nano /etc/cron.daily/apt
# set Unattended-Upgrade::Automatic-Reboot to 'true'
# (on Debian this key is normally read from /etc/apt/apt.conf.d/50unattended-upgrades; check which file holds it on your system)
sudo apt install update-notifier-common