🍺 Please support me: Although all my software is free, it is always appreciated if you can support my efforts on Github with a contribution via Paypal - this allows me to write cool projects like this in my personal time and hopefully help you or your business.
MailWizz nginx example with search-engine friendly URLs - this has been tested with MailWizz 1.3.6.x running on CentOS 7 with nginx/1.6.3
The nginx configuration includes:
- SSL and non SSL config
- PHP FPM
- Support for tracking domains
- SSL configuration with SSL stapling and tuning
- Gzip compression
- Security configuration
- Turn off access to hidden files and sensitive context
- XSS configuration to enforce SAMEORIGIN
- Limiting buffer overflow issues
- Restricting request methods
- CSP in reporting mode (ensure that you register with report-uri.io / or remove)
- Remove logging of favicon.ico and robots.txt
- Custom error pages for nginx (those could be much better)
- Cache control for media images, dynamic data and CSS/JavaScript
Included MySQL configuration and php.ini settings for a MailWizz system running on CentOS7, MySQL 5.7.12, nginx on a 4-core, 10GB single-server.
PHP-FPM by default writes sessions into the /var/lib/php directory and I personally do not like assigning nginx permissions to it (since MailWizz stores session info). I have therefore adjusted PHP-FPM config to have it's own directory.
You will need to run this (or adjust /etc/php-fpm.d/www.conf):
mkdir -p /var/lib/nginx/session
mkdir -p /var/lib/nginx/wsdlcache
chown -R nginx:nginx /var/lib/nginx
I use Thawte SSL123 certs and you will notice in the SSL configuration a reference to ssl_trusted_certificate /etc/pki/tls/certs/combined-certs.crt;
. I suggest you read up about SSL stapling first: https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html.
The ssl_trusted_certificate
needs to be in a specific order, and this worked for me (copy each cert in this sequence into the file):
- The Webserver certificate - this is the cert for the domain and will be included in the SSL cert order email
- The intermediate CA - this will also be included in the SSL cert order email
- The primary root CA - for SSL123 Thawte it can be obtained from here: https://www.thawte.com/roots/thawte_Primary_Root_CA.pem
You can then test the SSL stapling via:
openssl s_client -connect yourdomain.com:443 -tls1 -tlsextdebug -status
Which will output something like this:
----
...
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
...
----
🍺 Please support me: If the above helped you in any way, then follow me on Twitter or send me some coins:
(CRO) cro1w2kvwrzp23aq54n3amwav4yy4a9ahq2kz2wtmj (Memo: 644996249) or 0xb83c3Fe378F5224fAdD7a0f8a7dD33a6C96C422C (Cronos)
(USDC) 0xb83c3Fe378F5224fAdD7a0f8a7dD33a6C96C422C
(BTC) 3628nqihXvw2RXsKtTR36dN6WvYzaHyr52
(ETH) 0xb83c3Fe378F5224fAdD7a0f8a7dD33a6C96C422C
(BAT) 0xb83c3Fe378F5224fAdD7a0f8a7dD33a6C96C422C
(LTC) MQxRAfhVU84KDVUqnZ5eV9MGyyaBEcQeDf
(Ripple) rKV8HEL3vLc6q9waTiJcewdRdSFyx67QFb (Tag: 1172047832)
(XLM) GB67TJFJO3GUA432EJ4JTODHFYSBTM44P4XQCDOFTXJNNPV2UKUJYVBF (Memo ID: 1406379394)
Go to Curve.com to add your Crypto.com card to ApplePay and signup to Crypto.com for a staking and free Crypto debit card.
Use Binance Exchange to trade #altcoins. Sign up with Coinbase and instantly get $10 in BTC. I also accept old-school PayPal.
If you have no crypto, follow me at least on Twitter.