OpenEMR with nginx and php-fpm

From OpenEMR Project Wiki

The LAMP stack (Linux + Apache + MySQL + PHP) is very popular for powering OpenEMR. However is it possible to use Nginx?. OpenEMR may support Nginx, in fact, some OpenEMR sites are powered by Nginx as the reverse proxy with Apache. At least that is my understanding. A while back, after an update, my OpenEMR, FreeBSD/Apache/Mysql/PHP stack broke down. That is when I started looking for other solutions and came across Nginx. I liked it.

There are multiple ways to implement Nginx. However, this guide implements Nginx as the primary server instead of Apache. Please note that Apache and Nginx are not interchangeable. Hence this guide. For example, there is no directory-level configuration (.htaccess or IIS's Web.config files) in Nginx. All configuration must be done at the server level, and the server must be reloaded with each change.

Initially, this guide assumes you already have a working SSL enabled Nginx server with PHP7.2 and php-fpm is enabled and running. Later on, I may add sections on how to install the different components in a FreeBSD system, which is what I know. Hopefully, you already have a basic understanding of how to work with Nginx and how to debug it.

Please note that this set up is preliminary and new. There may be bugs in it. Use it at your own risk. We set up OpenEMR with SSL right from the start. Please post your comments at the community.open-emr.org forum.

In order for OpenEMR to work with Nginx, you have to configure the backend php-cgi. The Nginx default installation comes with three options for implementation of the CGI module: 'fastcgi', 'scgi' and 'uwsgi'. The CGI module connects Nginx and the php-fpm (PHP Fast Program Manager). We use the FastCGI module. The "fastcgi_params" file can already be found in the default Nginx configuration directory, which in FreeBSD is located at /usr/local/etc/nginx/

This is my setup:

openemr-5.0.1_3
FreeBSD 11.1
nginx -1.14.0
Mysql-5.7
PHP-7.2 (includes the php-fpm server)


Important information regarding Nginx search instructions, placement and whitespaces are important:

^~  stop when found
~  case sensitive
~* case insensitive


/usr/local/etc/nginx/nginx.conf:

worker_processes  auto;
error_log  /var/log/nginx/error.log;
events { 
    worker_connections  1024; 
}
# start the http block
http {
  include       mime.types;
  default_type  application/octet-stream;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
  access_log  /var/log/access.log  main;

  sendfile        on;
  #tcp_nopush     on;

  #keepalive_timeout  0;
  server_names_hash_bucket_size 128;
  keepalive_timeout  65;

  gzip  off;
  upstream php { 
      server unix:/var/run/php-fpm.sock; 
  }
  index  index.html index.htm index.php;

  #  http host
  #  redirects to ssl only host below
  server {
      listen 80 default_server;
      listen [::]:80 default_server;
      server_name  example.net www.example.net;
      
      # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
      return 301 https://$host$request_uri;
  }

  #   openemr https host
  #   This is an ssl only openemr site
  server {
      listen 		 443 default_server ssl http2;
      listen  [::]:443 default_server ssl http2;
      server_name  example.net www.example.net;
      root /usr/local/nginx/www;

      ## redirect www to nowww
      if ($host = 'www.example.net' ) { 
		rewrite  ^/(.*)$  https://example.net/$1  permanent; 
      }   

      access_log /var/log/*/example.net_access_log main;
      error_log    /var/log/*/example.net_error_log notice;

      # openemr specific SSL settings, I am still working on this
      # to customize your configuration: https://mozilla.github.io/server-side-tls/ssl-config-generator/
      # configuration can be placed here, or in a separate file
      #include openemr-ssl.conf;  

      ssl_certificate      /path/to/ssl.cert;
      ssl_certificate_key    /path/to/ssl.key;

      # restrict/protect certain files
      include globals.conf;   

      # deny access to writable files/directories
      location ~* ^/sites/*/(documents|edi|era) { 
		deny all; 
      }
	
      # Pick one of the following two blockc, but not both:
      # protect special files from outside openemer login, and restrict them to superAdmins only
      location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php {
		auth_basic 				"Restricted Access"; 
		auth_basic_user_file 	/path/to/.htpasswd;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
		fastcgi_pass php; 
		include fastcgi_params; 
      }
	
      # Alternatively all access to these files can be denied
      #location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php { 
      #	deny all; 
      #	return 404; 
      #}

      location / {
		# try as file ($uri), as directory ($uri/) if not found, send to index file
		# no php is touched for static content
        	try_files $uri $uri/ /index.php;
      }	
	
      # redirect server error pages to the static page /50x.html
      error_page   500 502 503 504  /50x.html;
      location = /50x.html { 
		root   /usr/local/www/nginx-dist; 
      } 
    
      # pass the PHP scripts to the FastCGI server listening on unix socket, in this case php-fpm
      location ~* \.php$ {
		try_files $uri =404;
        	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        	fastcgi_index index.php;
    	        fastcgi_pass php;
                include fastcgi_params; 
      }
      # dynamic stuff goes to php-proxy
      include php-proxy.conf;
    }
} # end http block


/usr/local/etc/nginx/globals.conf file:

# globals.conf configuration file.
# Designed to be included in any server {} block
# If this server only hosts openemr, this file can be merged with openemr.conf

# Stops the annoying error messages in the logs. robots are not allowed
location = /favicon.ico { 
      log_not_found off; 
      access_log off; 
}

location = /robots.txt  { 
      log_not_found off; 
      access_log off; 
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
      deny all; 
}

# protect or deny access to important server information and testing files
# alternatively, you can deny access to all files using {deny all; return 404;} or remove them
location ~* /(info|test)\.php$ {
	auth_basic "Restricted Access";
	auth_basic_user_file /path/to/.htpasswd;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
	fastcgi_pass php; 
	include fastcgi_params; 
}

# Not sure if openemr needs this. it comes from wordpress
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { 
	access_log off; 
	log_not_found off; 
	expires max;
}

## Deny certain Referers
if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) {
         #return 404;
         return 403;
}
     
# Stop deep linking or hot linking
location /images/ {
  valid_referers none blocked www.example.com example.com;
  if ($invalid_referer) {
       return   403;
   }
}

/usr/local/etc/nginx/php-proxy.conf:

# php proxy block
# should have "cgi.fix_pathinfo = 0;" in php.ini
#
location ~ \.php$ {
    # php-fpm must be in same machine. Otherwise there is risk of hacking
    try_files $uri =404;
    fastcgi_index  index.php;
    fastcgi_pass unix:/var/run/php-fpm.sock;
    fastcgi_buffer_size 16k;
    fastcgi_buffers 4 16k;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    include fastcgi_params;
    fastcgi_intercept_errors on;
    fastcgi_read_timeout 120;
}

/usr/local/etc/nginx/openemr-ssl.conf:

# openemr gets its own SSL configuration. It should be stricter than a regular ssl.conf
# SSL, go here to test your server: [https://www.ssllabs.com/ssltest/]
# 
# For more information: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";

# Allow only TLSv 1.1 and 1.2 in openemr
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout  10m;
ssl_session_tickets off;

# [https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html] for more information.
ssl_dhparam /path/to/dhparam.pem;

#  OCSP_Stapling_on_nginx
#  https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
#ssl_trusted_certificate /path/to/domain.chain.stapling.pem;

ssl_trusted_certificate /path/to/rootCA.crt;
ssl_trusted_certificate /path/to/sym-chain.crt;
ssl_trusted_certificate /path/to/server-chain.crt;

#
# HEADERS
add_header Strict-Transport-Security "max-age=15724800; includeSubdomains; preload";

# add always at end of statement after nginx 1.7
# add_header Strict-Transport-Security $hsts_header;

# this works with the admin module, DENY might not work with all else
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

#
# STAPLING
ssl_stapling on; 		# Requires nginx >= 1.3.7
ssl_stapling_verify on;     # Requires nginx => 1.3.7
#
# RESOLVERS
#resolver 	$DNS-IP-1 	$DNS-IP-2 	valid=300s;

# these must be for localhost if BIND is being used
#resolver 	127.0.0.1 	[::1]:5353 	valid=300s;

# google resolvers
resolver	8.8.8.8		8.8.4.4    valid=300s;
resolver_timeout 5s;