Skip to main content

Webserver Configuration

info

When using the SSL (https) configuration you MUST create SSL certificates, otherwise your webserver will fail to start. See the Creating SSL Certificates documentation page to learn how to create these certificates before continuing.

php & fpm

If you're not using php8.3, you will need to edit the config file to point to the proper php fpm socket.

The line is highlighted below.

First, remove the default NGINX configuration.

rm /etc/nginx/sites-enabled/default

Now, you should paste the contents of the file below, replacing <domain> with your domain or IP being used in a file called pelican.conf and place the file in /etc/nginx/sites-available/.

warning

Note: IPs cannot be used with SSL.

/etc/nginx/sites-available/pelican.conf
server_tokens off;

server {
listen 80;
server_name <domain>;
return 301 https://$server_name$request_uri;
}

server {
listen 443 ssl http2;
server_name <domain>;

root /var/www/pelican/public;
index index.php;

access_log /var/log/nginx/pelican.app-access.log;
error_log /var/log/nginx/pelican.app-error.log error;

# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;

sendfile off;

ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers on;

# See https://hstspreload.org/ before uncommenting the line below.
# add_header Strict-Transport-Security "max-age=15768000; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header Content-Security-Policy "frame-ancestors 'self'";
add_header X-Frame-Options DENY;
add_header Referrer-Policy same-origin;

location / {
try_files $uri $uri/ /index.php?$query_string;
}

location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.3-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
include /etc/nginx/fastcgi_params;
}

location ~ /\.ht {
deny all;
}
}

Enabling Configuration

The final step is to enable your NGINX configuration and restart it.

sudo ln -s /etc/nginx/sites-available/pelican.conf /etc/nginx/sites-enabled/pelican.conf

You need to restart nginx to load the new config file.

sudo systemctl restart nginx