API
Start with a base installation of Ubuntu Server 18.04.1LTS. Choose the PostgreSQL and OpenSSH Server packages when prompted.
sudo apt install nginx php-fpm php-pgsql
Security Conf:
nano /etc/nginx/nginx.conf
Uncomment:
server_tokens off
Add:
add_header X-Frame-Options "SAMEORIGIN";
Replace the supplied cert:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /var/www/html/GrowBox-Root/conf/gbapi.key -out /var/www/html/GrowBox-Root/conf/gbapi.crt -subj '/CN=gbapi/O=The GrowBox Project/C=US'
nano /etc/nginx/sites-enabled/default
server {
server_name _;
listen 80;
listen [::]:80;
listen 443 default_server ssl;
listen [::]:443 ssl;
root /var/www/html/GrowBox-Root/api;
index index.php index.html index.htm;
if ($scheme = http) {
return 301 https://$host$request_uri;
}
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 405;
}
add_header X-XSS-Protection "1; mode=block";
#Please move this cert file for security purposes
#Run to replace: openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /var/www/html/GrowBox-Root/conf/ssl-cert/gbapi.key -out /var/www/html/GrowBox-Root/conf/ssl-cert/gbapi.crt -subj '/CN=gbapi/O=The GrowBox Project/C=US'
ssl_certificate /var/www/html/GrowBox-Root/conf/ssl-cert/gbapi.crt;
ssl_certificate_key /var/www/html/GrowBox-Root/conf/ssl-cert/gbapi.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
#Disable if you choose to
#Run to replace: openssl dhparam -out /var/www/html/GrowBox-Root/conf/ssl-cert/dhparams.pem 4096
ssl_dhparam /var/www/html/GrowBox-Root/conf/ssl-cert/dhparams.pem;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}