Basic PHP 7 and Nginx Configuration on Ubuntu 16.04 Linux

Nginx is quickly overtaking Apache as the favorite web server. For web apps built in languages like Rails and Python it’s virtually ubiquitous, but it’s a bit slower to catch on in the PHP world. Part of the reason for that is how easily PHP and Apache go together. However, PHP and Nginx can cooperate nearly as easily, and with the release of PHP 7, combining the two can be a fairly speedy option.

The Packages

First thing’s first. Update Ubuntu and get the the Nginx and PHP packages.

# sudo apt-get update && sudo apt-get -y upgrade
# sudo apt-get -y install nginx php7.0 php7.0-fpm

When the installation is finished, the packages should all be in place, and actually running. To make sure that this is the case, you can check that both Nginx and the PHP-FPM services are running in Systemd.

# sudo systemctl status nginx
# sudo systemctl status php7.0-fpm

If Systemd confirms that both services are running, the server should actually be up, and you should be able to see the default Nginx welcome page by navigating to localhost in the browser.

Configuration

Of course, that isn’t anywhere near ready to actually host anything. There is some configuration needed to point Nginx at some actual content and improve security. The root directory for Nginx configuration files is located at /etc/nginx. Thankfully, there are already defaults there from Ubuntu that make the configuration process much easier.

Nginx.conf

The main configuration file for Nginx is nginx.conf. Open it in the text editor of your choosing. It will require root permissions, so a text-based editor like Vim will probably be best. The default configuration is mostly alright. There are obviously things that can be done to improve the system speed and security, but most of that is beyond the scope of this basic tutorial. If you want to improve performance, the commented Gzip options will help with compression and can speed things up. On the security side, adding the following three lines will help to prevent malicious activity.

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";


Site Configuration

Once the lines are added, save and exit. There are two folders in the Nginx root, sites-available and sites-enabled. sites-available stores site configurations. sites-enabled contains symlinks to the configuration files in sites-available. This way, enabling and disabling sites is as simple as creating and removing symlinks.

Using your text editor, create a file at /etc/nginx/sites-available/yoursite. This file will contain any site-specific configuration for your new PHP 7 website. The following example contains a breakdown in the comments of what each line does. It’s a fairly basic configuration, but it will get the job done.


server { 
	
	#Nginx should listen on port 80 for requests to yoursite.com
	listen 80; 
	server_name yoursite.com; 

	#Create access and error logs in /var/log/nginx
	access_log /var/log/nginx/yoursite.access_log main; 
	error_log /var/log/nginx/yoursite.error_log info; 

	#Nginx should look in /var/www/yoursite for your website
	root /var/www/yoursite/;
	#The homepage of your website is a file called index.php 
	index index.php; 

	#Specifies that Nginx is looking for .php files
	location ~ \.php$ { 
		#If a file isn’t found, 404
		try_files $uri =404; 
		#Include Nginx’s fastcgi configuration
		include /etc/nginx/fastcgi.conf;
		#Look for the FastCGI Process Manager at this location 
		fastcgi_pass unix:/run/php/php7.0-fpm.sock; 
	} 
}

When you have that file created, save it and move into the sites-enabled directory. From there, create the symlink back to file you just created.

# cd /etc/nginx/sites-enabled
# sudo ln -s /etc/nginx/sites-available/yoursite

PHP.ini Security

Security is a moving target, and it is impossible to stay ahead of every possible threat, but it is always a good idea to lock down any new server installation as much as possible. There are a few simple tweaks that can be made to the php.ini configuration file that will help to secure PHP. With your text editor, open up /etc/php/7.0/fpm/php.ini. This is a huge file. Again, Vim or something with a search function is probably best.

First find disable_functions and add phpinfo,system,mail,exec to the end of the string of functions that are already there. Then find file_uploads and set it to Off. Next, find sql.safe_mode and switch it On. Last, find allow_url_fopen and set it to Off. Before closing out the file, add one more line to the end.

register_globals = Off

When that’s all done, save and close. Restart the server and it should be ready to go.

# sudo systemctl restart php7.0-fpm
# sudo systemctl restart nginx

Where To Go Next

As it sits, the Ubuntu server should be able to run most PHP websites. Any PHP files placed in the /var/www/yoursite will be run by the server. It will look for the index.php file first and the website can branch out form there. Of course, there is a lot more that can be done to configure PHP and Nginx for speed, security, and just about any special case situation, but now you have a strong starting point.