These are my config notes for getting a brand new Xenial + nginx server online.
Install Tor and the apt Tor transport:
# apt-transport-tor provides the "tor+https" method used by the sources list below.
sudo apt install tor apt-transport-tor
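# Import the Tor Project archive signing key (two separate commands; they were
# collapsed onto one line). Request the key by its full fingerprint rather than
# the 8-hex-digit short ID, which is trivially collidable — it is the same
# fingerprint exported on the next line. keys.gnupg.net was the old SKS pool;
# if it no longer answers, fetch the key from the Tor Project's own site.
sudo gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
# NOTE: newer apt releases deprecate "apt-key add" in favour of a keyring file
# under /etc/apt/trusted.gpg.d; on Xenial this is still the supported way.
sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -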
Edit the sources list: remove every existing line and add these entries (one per line):
# Replace the file's contents with the entries listed below.
sudo vim /etc/apt/sources.list
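# One entry per line (sources.list does not accept several on one line).
# The tor+https prefix routes apt through the local Tor client via
# apt-transport-tor; the key imported in the gpg step above is what
# authenticates the deb.torproject.org entry.
deb tor+https://deb.torproject.org/torproject.org xenial main
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse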
Add the PPAs:
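# One add-apt-repository call per PPA (collapsed onto one line, the later
# "sudo add-apt-repository ..." words would be passed as extra arguments to
# the first call). Each writes an entry without the tor+ prefix under
# /etc/apt/sources.list.d/, which the next step fixes up.
# nginx/development and ondrej/nginx both ship nginx; apt will install
# whichever carries the higher version, so consider keeping only one.
sudo add-apt-repository ppa:nginx/development
sudo add-apt-repository ppa:ondrej/nginx
sudo add-apt-repository ppa:ondrej/php
sudo add-apt-repository ppa:certbot/certbot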
Prefix the URL in each of the PPA files just created under /etc/apt/sources.list.d/* with “tor+”, so they are fetched over Tor as well.
Update, upgrade and reboot:
# Refresh the (now Tor-routed) sources, upgrade everything, prune orphaned
# packages, then reboot so the new kernel/libraries are in use.
sudo apt update \
  && sudo apt upgrade -V \
  && sudo apt autoremove -y \
  && sudo shutdown -r now
Install nginx + certbot:
# Certbot's nginx plugin. nginx itself is not named here; confirm it was pulled
# in as a dependency (e.g. "nginx -v") before continuing.
sudo apt install -V python-certbot-nginx
Set server_name in the default site (replacing the placeholder “_”):
# The default site ships with "server_name _;" — give it the real hostname.
sudo vim /etc/nginx/sites-available/default
# domain.net is a placeholder used throughout these notes; substitute the real hostname.
server_name domain.net;
Get Let’s Encrypt cert for nginx:
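# Issue the certificate. www.domain.net is included because the final nginx
# config names both domain.net and www.domain.net; a certificate for the bare
# domain alone gives www visitors a name-mismatch error (drop the www entry if
# that name has no DNS record).
# --redirect makes certbot insert an HTTP->HTTPS redirect; the hand-written
# config later in these notes supplies its own, so the two should agree.
# The HTTP-01 challenge — and every later renewal — needs inbound port 80
# reachable, so the firewall rules at the end must allow it.
sudo certbot --nginx -d domain.net -d www.domain.net --redirect --rsa-key-size 4096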
Further harden the TLS config:
# certbot owns this file: once hand-edited it may warn about, or refuse to
# update, the file on later runs — keep a copy of the changes below.
sudo vim /etc/letsencrypt/options-ssl-nginx.conf
# TLS hardening, one directive per line (directive order does not matter here).

# Only P-384 is offered for ECDHE; clients that prefer X25519 fall back to it.
ssl_ecdh_curve secp384r1;

# Server-side session cache instead of tickets: with no ticket-key rotation
# configured, tickets off keeps a long-lived ticket key from undermining
# forward secrecy.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;

# OCSP stapling needs the "resolver" directive (set in the site config) and
# outbound HTTP to the CA's OCSP responder; check with
# "openssl s_client -status" after deploying.
ssl_stapling on;
ssl_stapling_verify on;

# TLS 1.2/1.3 only; AEAD suites first, CBC suites as fallback, legacy
# algorithms excluded with the "!" entries.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!3DES:!aNULL:!DES:!DSS:!eNULL:!EXP:!IDEA:!LOW:!MD5:!PSK:!RC4:!SEED";
Remove the “SSL” settings section from nginx.conf, so it does not conflict with the TLS settings just added:
# Remove the SSL section here; its ssl_* directives are superseded by
# options-ssl-nginx.conf, which the site config includes.
sudo vim /etc/nginx/nginx.conf
Edit the nginx config:
# Put the two server blocks below in this file.
sudo vim /etc/nginx/sites-available/default
Replace “domain.net” with your domain throughout:
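# One directive per line. In particular the "# For WordPress" comment must sit
# on its own line: collapsed onto one line it commented out both location
# blocks and the closing braces, so nginx -t would fail.

# HTTP: only redirects to HTTPS. The headers are still set because add_header
# applies to 301 responses as well.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name domain.net www.domain.net;
    return 301 https://$host$request_uri;
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "no-referrer";
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.net www.domain.net;
    root /var/www;
    index index.php index.html index.htm;

    # Certificate issued by certbot above; it must also cover www.domain.net
    # for that name to work here.
    ssl_certificate /etc/letsencrypt/live/domain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    server_tokens off;
    # NOTE: nginx does not inherit add_header into a location that sets its own
    # add_header; none of the locations below do, so these apply everywhere.
    # HSTS with includeSubDomains + preload is effectively permanent once
    # submitted to the preload list; every subdomain must serve HTTPS first.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "no-referrer";

    # Used by ssl_stapling to look up the OCSP responder: plain UDP DNS to
    # Google, which the firewall rules at the end allow (out 53/udp).
    resolver 8.8.8.8 8.8.4.4 valid=300s;

    # For WordPress
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Dot escaped: the original ".php$" regex also matched any URI ending in
    # "php" preceded by any character (e.g. "/xphp").
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # Assumes php7.2-fpm is installed (not part of these notes) — confirm
        # the socket path exists before relying on it.
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}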
Validate the nginx config:
# Syntax/config check; fix anything it reports before restarting.
sudo nginx -t
Restart nginx:
# A full restart drops in-flight connections; for config edits alone,
# "service nginx reload" is sufficient.
sudo service nginx restart
Add inbound and outbound firewall rules, then enable the firewall:
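# Inbound: rate-limited SSH, plus HTTP and HTTPS. Port 80 was missing: the
# port-80 server block above exists only to redirect to HTTPS, and certbot's
# HTTP-01 renewals must reach it, so without this rule renewals fail.
# Outbound (everything else is denied at the end): SSH, SMTP, DNS (needed by
# the resolver directive for OCSP stapling), HTTP — CA OCSP responders are
# normally plain HTTP on port 80, so stapling silently fails without it —
# HTTPS, and the Tor SOCKS port.
# NOTE: 9050 is the local Tor SOCKS port; ufw does not filter loopback by
# default, so this rule is likely redundant. What Tor itself needs is outbound
# access to relay ORPorts, which are not all on 443; with default-deny egress
# only relays on the allowed ports are reachable (see the ReachableAddresses
# option in torrc if Tor has trouble bootstrapping).
# "ufw enable" prompts before activating; run interactively.
sudo ufw limit 22/tcp \
  && sudo ufw allow 80/tcp \
  && sudo ufw allow 443/tcp \
  && sudo ufw allow out 22/tcp \
  && sudo ufw allow out 25/tcp \
  && sudo ufw allow out 53/udp \
  && sudo ufw allow out 80/tcp \
  && sudo ufw allow out 443/tcp \
  && sudo ufw allow out 9050/tcp \
  && sudo ufw deny out to any \
  && sudo ufw enable \
  && sudo ufw status verbose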