API
Start with a base installation of Ubuntu Server 18.04.1LTS. Choose the PostgreSQL and OpenSSH Server packages when prompted.
sudo apt install nginx php-fpm php-pgsql
Security Conf:
nano /etc/nginx/nginx.conf
Uncomment:
server_tokens off
Add:
add_header X-Frame-Options "SAMEORIGIN";
Replace the supplied cert:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /var/www/html/GrowBox-Root/conf/gbapi.key -out /var/www/html/GrowBox-Root/conf/gbapi.crt -subj '/CN=gbapi/O=The GrowBox Project/C=US'
nano /etc/nginx/sites-enabled/default
server { server_name _; listen 80; listen [::]:80; listen 443 default_server ssl; listen [::]:443 ssl; root /var/www/html/GrowBox-Root/api; index index.php index.html index.htm; if ($scheme = http) { return 301 https://$host$request_uri; } if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 405; } add_header X-XSS-Protection "1; mode=block"; #Please move this cert file for security purposes #Run to replace: openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /var/www/html/GrowBox-Root/conf/ssl-cert/gbapi.key -out /var/www/html/GrowBox-Root/conf/ssl-cert/gbapi.crt -subj '/CN=gbapi/O=The GrowBox Project/C=US' ssl_certificate /var/www/html/GrowBox-Root/conf/ssl-cert/gbapi.crt; ssl_certificate_key /var/www/html/GrowBox-Root/conf/ssl-cert/gbapi.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; #Disable if you choose to #Run to replace: openssl dhparam -out /var/www/html/GrowBox-Root/conf/ssl-cert/dhparams.pem 4096 ssl_dhparam /var/www/html/GrowBox-Root/conf/ssl-cert/dhparams.pem; location / { try_files $uri $uri/ =404; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php7.2-fpm.sock; } location ~ /\.ht { deny all; } }