Kanboard with Nginx, HTTPS, SPDY and PHP-FPM
============================================

This installation example will give you the following features:

- Latest stable nginx version
- HTTPS only with a valid certificate
- [SPDY protocol](http://en.wikipedia.org/wiki/SPDY) activated
- PHP 5.5 with php-fpm
- Recommended security parameters
- File uploads with a 10MB file size limit

This procedure is written for **Ubuntu 14.04 LTS** but it should be similar for any Linux distribution.

For this setup, we assume that only Kanboard is installed on the server. It can be a small virtual machine, for example.

Kanboard automatically detects the use of HTTPS and enables some extra features:

- [HTTP Strict Transport Security](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
- [Secure Cookie Flag](http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly)

PHP 5.5 Installation
--------------------

```bash
sudo apt-get install php5-fpm php5-cli php5-sqlite
```

You can also install `php5-mysql` if you prefer to use Kanboard with MySQL or MariaDB.

Customize your `/etc/php5/fpm/php.ini`:

```ini
; Security settings
expose_php = Off
cgi.fix_pathinfo=0

; Log errors
error_reporting = E_ALL
display_errors = Off
log_errors = On
html_errors = Off
error_log = syslog

; File uploads
upload_max_filesize = 10M
post_max_size = 10M
```

Restart PHP background processes:

```bash
sudo service php5-fpm restart
```

Nginx Installation
------------------

We want the latest stable version of nginx to be able to use the SPDY protocol. Fortunately, there is an (unofficial) PPA for Ubuntu:

```bash
sudo add-apt-repository ppa:nginx/stable
sudo apt-get install nginx
```

Generate an SSL certificate
---------------------------

We want an SSL certificate that works everywhere, not a self-signed certificate. You can buy a cheap one at [Namecheap](http://www.namecheap.com/?aff=73824) or anywhere else.
Here are the steps to configure your certificate:

```bash
# Generate a private key
openssl genrsa -des3 -out kanboard.key 2048

# Create a key with no password for Nginx
openssl rsa -in kanboard.key -out kanboard.key.nopass

# Generate the Certificate Signing Request, enter your domain name for the field 'Common Name'
openssl req -new -key kanboard.key.nopass -out kanboard.csr

# Copy and paste the content of the CSR to the Namecheap control panel and finalize the procedure
cat kanboard.csr

# After that, you receive your certificate by email, then concatenate everything into a single file
cat kanboard.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > kanboard.pem
```

Copy the certificates to a new directory:

```bash
# /etc/nginx is owned by root, so these commands need sudo
sudo mkdir /etc/nginx/ssl
sudo cp kanboard.pem /etc/nginx/ssl
sudo cp kanboard.key.nopass /etc/nginx/ssl
# Make the certificate and the passwordless key readable by root only
sudo chmod 400 /etc/nginx/ssl/*
```

Configure Nginx
---------------

Now we can customize our installation. Start by modifying the main configuration file `/etc/nginx/nginx.conf`:

```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    # SSL shared cache between workers
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # We disable weak protocols and ciphers
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!DSS:!aNULL:@STRENGTH;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # We enable the Gzip compression for some mime types
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
```

Create a new
virtual host for Kanboard, `/etc/nginx/sites-available/kanboard`:

```nginx
server {
    # We also enable the SPDY protocol
    listen 443 ssl spdy;

    # Our SSL certificate
    ssl on;
    ssl_certificate /etc/nginx/ssl/kanboard.pem;
    ssl_certificate_key /etc/nginx/ssl/kanboard.key.nopass;

    # You can change the default root directory here
    root /usr/share/nginx/html;

    index index.php;

    # Your domain name
    server_name localhost;

    # The maximum body size, useful for file uploads
    client_max_body_size 10M;

    location / {
        try_files $uri $uri/ =404;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # PHP-FPM configuration
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    # Deny access to the directory data
    location ~* /data {
        deny all;
        return 404;
    }

    # Deny access to .htaccess
    location ~ /\.ht {
        deny all;
        return 404;
    }
}
```

Now it's time to test our setup:

```bash
# Disable the default virtual host
sudo unlink /etc/nginx/sites-enabled/default

# Add our default virtual host
sudo ln -s /etc/nginx/sites-available/kanboard /etc/nginx/sites-enabled/kanboard

# Check the config file; the expected output is:
#   nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
#   nginx: configuration file /etc/nginx/nginx.conf test is successful
sudo nginx -t

# Restart nginx
sudo service nginx restart
```

Kanboard Installation
---------------------

You can install Kanboard in a subdirectory or not, it's up to you.

```bash
cd /usr/share/nginx/html
sudo wget http://kanboard.net/kanboard-latest.zip
sudo unzip kanboard-latest.zip
sudo chown -R www-data:www-data kanboard/data
sudo rm kanboard-latest.zip
```

Now, you should be able to use Kanboard with your web browser.
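To confirm that the settings from this procedure are really in place, the following added example (not part of the original guide or of Kanboard) audits the text of `php.ini` and the nginx configuration for the security parameters, the `data` directory rule and the three upload limits used above. The function names and the inline sample configs are constructed for illustration.

```python
import re

# Constructed samples that mirror the settings shown on this page.
PHP_INI = """expose_php = Off
cgi.fix_pathinfo=0
display_errors = Off
upload_max_filesize = 10M
post_max_size = 10M
"""
NGINX_CONF = ("server_tokens off;\nclient_max_body_size 10M;\n"
              "location ~* /data { deny all; return 404; }\n")
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def to_bytes(value):
    """Convert a PHP/nginx size such as '10M' to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]?)", value.strip().lower())
    if not m:
        raise ValueError("unrecognised size: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_php_ini(text):
    """Return {key: value} from 'key = value' lines, dropping ';' comments."""
    pairs = (line.split(";", 1)[0].split("=", 1) for line in text.splitlines())
    return {p[0].strip(): p[1].strip() for p in pairs if len(p) == 2}

def nginx_directive(text, name):
    """Return the arguments of the first 'name args;' directive, or None."""
    m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), text, re.M)
    return m.group(1).strip() if m else None

def audit(php_ini, nginx_conf):
    """Return findings ([] = matches this page); absent sizes use the PHP/nginx defaults."""
    php, findings = parse_php_ini(php_ini), []
    for key, want in (("expose_php", "off"), ("cgi.fix_pathinfo", "0"),
                      ("display_errors", "off")):
        if php.get(key, "").lower() != want:
            findings.append("php.ini: %s should be %s" % (key, want))
    if (nginx_directive(nginx_conf, "server_tokens") or "").lower() != "off":
        findings.append("nginx: server_tokens should be off")
    upload = to_bytes(php.get("upload_max_filesize", "2M"))
    post = to_bytes(php.get("post_max_size", "8M"))
    body = to_bytes(nginx_directive(nginx_conf, "client_max_body_size") or "1m")
    if post < upload:
        findings.append("php.ini: post_max_size is smaller than upload_max_filesize")
    if body < post:
        findings.append("nginx: client_max_body_size is smaller than post_max_size")
    if not re.search(r"location\s+~\*?\s+/data\b[^}]*deny\s+all", nginx_conf):
        findings.append("nginx: no deny rule for the data directory")
    return findings
```

On a real server, pass it the contents of `/etc/php5/fpm/php.ini` and of the nginx main and virtual host files concatenated; the directive lookup only matches directives that start a line.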