virtubox
/
ubuntu-nginx-web-server
mirror of https://github.com/VirtuBox/ubuntu-nginx-web-server
1
0
Fork 0
Code Issues Releases Wiki Activity

change link and cleanup readme

This commit is contained in:
VirtuBox 2018-06-03 16:39:21 +02:00
parent 741817f489
commit 32768d4636
36 changed files with 3102 additions and 280 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

325
README.md
View File

@ -2,88 +2,113 @@
* * *
## Server Stack :
## Server Stack
- Ubuntu 16.04/18.04 LTS
- Nginx 1.14.x
- PHP-FPM 7/7.1/7.2
- MariaDB 10.3
- REDIS 4.0
- Memcached
- Fail2ban
- Netdata
- UFW
- Ubuntu 16.04/18.04 LTS
- Nginx 1.14.x
- PHP-FPM 7/7.1/7.2
- MariaDB 10.3
- REDIS 4.0
- Memcached
- Fail2ban
- Netdata
- UFW
* * *
## All Instructions and informations are listed on the [Github page](https://virtubox.github.io/ubuntu-nginx-web-server/)
**All Instructions and informations are listed on the [Github page](https://virtubox.github.io/ubuntu-nginx-web-server/)**
Configuration files with comments and informations available by following the link **source**
## Initial configuration
### Initial configuration
**System update and packages cleanup**
#### System update and packages cleanup
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
```bash
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
```
**Install useful packages**
#### Install useful packages
sudo apt install haveged curl git unzip zip fail2ban htop -y
```bash
sudo apt install haveged curl git unzip zip fail2ban htop -y
```
**Tweak Kernel** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) &
**Increase open files limits** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
#### Tweak Kernel & Increase open files limits
modprobe tcp_htcp
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
**disable transparent hugepage for redis**
```bash
modprobe tcp_htcp
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
```
echo never > /sys/kernel/mm/transparent_hugepage/enabled
#### disable transparent hugepage for redis
```bash
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```
* * *
## EasyEngine Setup
### EasyEngine Setup
**Install MariaDB 10.3** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
#### Install MariaDB 10.3
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
**Install EasyEngine**
```bash
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
```
wget -qO ee rt.cx/ee && bash ee
#### Install EasyEngine
**enable ee bash_completion**
```bash
wget -qO ee rt.cx/ee && bash ee
```
source /etc/bash_completion.d/ee_auto.rc
#### enable ee bash_completion
**Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend**
```bash
source /etc/bash_completion.d/ee_auto.rc
```
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
**Set your email instead of root@localhost**
```bash
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
```
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
#### Set your email instead of root@localhost
**Install Composer - Fix phpmyadmin install issue**
```bash
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
```
cd ~/
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
#### Install Composer - Fix phpmyadmin install issue
**Allow shell for www-data for SFTP usage**
```bash
cd ~/
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
```
usermod -s /bin/bash www-data
#### Allow shell for www-data for SFTP usage
## PHP 7.1 & 7.2 Setup
```bash
usermod -s /bin/bash www-data
```
**Install php7.1-fpm**
### PHP 7.1 & 7.2 Setup
#### Install php7.1-fpm
```bash
# php7.1-fpm
@ -96,8 +121,9 @@ wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubun
service php7.1-fpm restart
```
**Install php7.2-fpm**
```
#### Install php7.2-fpm
```bash
# php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
@ -107,159 +133,173 @@ wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubun
service php7.2-fpm restart
```
**add nginx upstreams**
#### add nginx upstreams
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
service nginx reload
add ee common configuration
#### add ee common configuration
cd /etc/nginx/common || exit
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
unzip common.zip
**Compile last Nginx mainline release with [nginx-ee script](https://virtubox.github.io/nginx-ee/)**
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
* * *
## Custom configurations
### Custom configurations
**clean php-fpm php.ini configurations**
#### clean php-fpm php.ini configuration
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
**Nginx optimized configurations**
#### Nginx optimized configurations
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
# TLS intermediate
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
**nginx configuration for netdata & new upstreams**
#### Nginx configuration for netdata & new upstreams
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
**wpcommon-php7x configurations**
#### wpcommon-php7x configurations
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
```bash
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
# 2) wpcommon files
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
nginx -t
service nginx reload
nginx -t
service nginx reload
```
* * *
## Security
### Security
* * *
#### Harden SSH Security
**Harden SSH Security**
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
#### UFW
# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
```bash
# enable ufw log - allow outgoing - deny incoming
ufw logging on
ufw default allow outgoing
ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# enable UFW
ufw enable
# enable UFW
ufw enable
```
**Custom jails for fail2ban**
#### Custom jails for fail2ban
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
```bash
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
```
#### Secure Memcached server
```bash
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
```
### Optional tools
#### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
**Secure Memcached server**
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
## Optional tools
### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/)
My script to setup letsencrypt certificates using acme.sh on EasyEngine servers.
* subdomain support
* ivp6 support
* ivp6 support
* wildcards certificates support
```bash
cd && bash <(wget --no-check-certificate -O - https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh)
wget -O - https://get.acme.sh | sh
source ~/.bashrc
# enable acme.sh & ee-acme-sh
source .bashrc
```
### netdata
#### netdata
[Github repository](https://github.com/firehol/netdata)
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
```bash
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# disable email notifications
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
service netdata restart
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
### bash-snippets
# disable email notifications
wget -O /etc/netdata/health_alarm_notify.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/netdata/health_alarm_notify.conf
service netdata restart
```
#### bash-snippets
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
@ -270,7 +310,7 @@ git checkout v1.22.0
./install.sh cheat
```
usage : cheat command
usage : `cheat <command>`
```bash
root@vps:~ cheat cat
@ -291,11 +331,10 @@ root@vps:~ cheat cat
cat -n file
```
## nanorc - Improved Nano Syntax Highlighting Files
#### nanorc - Improved Nano Syntax Highlighting Files
[Github repository](https://github.com/scopatz/nanorc)
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
Published & maintained by [VirtuBox](https://virtubox.net)

311
docs/README.md
View File

@ -2,86 +2,110 @@
* * *
## Server Stack :
## Server Stack
- Ubuntu 16.04/18.04 LTS
- Nginx 1.14.x
- PHP-FPM 7/7.1/7.2
- MariaDB 10.3
- REDIS 4.0
- Memcached
- Fail2ban
- Netdata
- UFW
- Ubuntu 16/18.04 LTS
- Nginx 1.14.x
- PHP-FPM 7/7.1/7.2
- MariaDB 10.3
- REDIS 4.0
- Memcached
- Fail2ban
- Netdata
- UFW
* * *
Configuration files with comments and informations available by following the link **source**
### Initial configuration
## Initial configuration
#### System update and packages cleanup
**System update and packages cleanup**
```bash
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
```
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
#### Install useful packages
**Install useful packages**
```bash
sudo apt install haveged curl git unzip zip fail2ban htop -y
```
sudo apt install haveged curl git unzip zip fail2ban htop -y
#### Tweak Kernel & Increase open files limits
**Tweak Kernel** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) &
**Increase open files limits** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
modprobe tcp_htcp
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
```bash
modprobe tcp_htcp
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
```
**disable transparent hugepage for redis**
#### disable transparent hugepage for redis
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```bash
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```
* * *
## EasyEngine Setup
### EasyEngine Setup
**Install MariaDB 10.3** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
#### Install MariaDB 10.3
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
**Install EasyEngine**
```bash
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
```
wget -qO ee rt.cx/ee && bash ee
#### Install EasyEngine
**enable ee bash_completion**
```bash
wget -qO ee rt.cx/ee && bash ee
```
source /etc/bash_completion.d/ee_auto.rc
#### enable ee bash_completion
**Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend**
```bash
source /etc/bash_completion.d/ee_auto.rc
```
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
**Set your email instead of root@localhost**
```bash
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
```
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
#### Set your email instead of root@localhost
**Install Composer - Fix phpmyadmin install issue**
```bash
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
```
cd ~/
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
#### Install Composer - Fix phpmyadmin install issue
**Allow shell for www-data for SFTP usage**
```bash
cd ~/
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
```
usermod -s /bin/bash www-data
#### Allow shell for www-data for SFTP usage
## PHP 7.1 & 7.2 Setup
```bash
usermod -s /bin/bash www-data
```
**Install php7.1-fpm**
### PHP 7.1 & 7.2 Setup
#### Install php7.1-fpm
```bash
# php7.1-fpm
@ -94,8 +118,9 @@ wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubun
service php7.1-fpm restart
```
**Install php7.2-fpm**
```
#### Install php7.2-fpm
```bash
# php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
@ -105,159 +130,171 @@ wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubun
service php7.2-fpm restart
```
**add nginx upstreams**
#### add nginx upstreams
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
service nginx reload
add ee common configuration
#### add ee common configuration
cd /etc/nginx/common || exit
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
unzip common.zip
**Compile last Nginx mainline release with [nginx-ee script](https://virtubox.github.io/nginx-ee/)**
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
* * *
## Custom configurations
### Custom configurations
**clean php-fpm php.ini configurations**
#### clean php-fpm php.ini configuration
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
**Nginx optimized configurations**
#### Nginx optimized configurations
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
# TLS intermediate
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
**nginx configuration for netdata & new upstreams**
#### Nginx configuration for netdata & new upstreams
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
**wpcommon-php7x configurations**
#### wpcommon-php7x configurations
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
```bash
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
# 2) wpcommon files
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
nginx -t
service nginx reload
nginx -t
service nginx reload
```
* * *
## Security
### Security
* * *
#### Harden SSH Security
**Harden SSH Security**
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
#### UFW
# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
```bash
# enable ufw log - allow outgoing - deny incoming
ufw logging on
ufw default allow outgoing
ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# enable UFW
ufw enable
# enable UFW
ufw enable
```
**Custom jails for fail2ban**
#### Custom jails for fail2ban
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
```bash
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
```
fail2ban-client reload
#### Secure Memcached server
**Secure Memcached server**
```bash
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
```
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
### Optional tools
## Optional tools
#### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/)
My script to setup letsencrypt certificates using acme.sh on EasyEngine servers.
* subdomain support
* ivp6 support
* ivp6 support
* wildcards certificates support
```bash
cd && bash <(wget --no-check-certificate -O - https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh)
wget -O - https://get.acme.sh | sh
source ~/.bashrc
# enable acme.sh & ee-acme-sh
source .bashrc
```
### netdata
#### netdata
[Github repository](https://github.com/firehol/netdata)
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
```bash
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# disable email notifications
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
service netdata restart
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
### bash-snippets
# disable email notifications
wget -O /etc/netdata/health_alarm_notify.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/netdata/health_alarm_notify.conf
service netdata restart
```
#### bash-snippets
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
@ -268,7 +305,7 @@ git checkout v1.22.0
./install.sh cheat
```
usage : cheat command
usage : `cheat <command>`
```bash
root@vps:~ cheat cat
@ -289,7 +326,7 @@ root@vps:~ cheat cat
cat -n file
```
## nanorc - Improved Nano Syntax Highlighting Files
#### nanorc - Improved Nano Syntax Highlighting Files
[Github repository](https://github.com/scopatz/nanorc)

9
docs/files/etc/fail2ban/filter.d/ddos.conf Normal file
View File

@ -0,0 +1,9 @@
[Definition]
# Option: failregex
# Notes.: Auto block short UDP.
# Values: TEXT
#
failregex = ^.*kernel: UDP: short packet: From <HOST>:.*$
ignoreregex =

3
docs/files/etc/fail2ban/filter.d/ee-wordpress.conf Normal file
View File

@ -0,0 +1,3 @@
[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =

16
docs/files/etc/fail2ban/jail.d/custom.conf Normal file
View File

@ -0,0 +1,16 @@
[recidive]
enabled = true
[nginx-http-auth]
enabled = true
[nginx-botsearch]
enabled = true
[ee-wordpress]
enabled = true
filter = ee-wordpress
action = iptables-multiport[name="ee-wordpress", port="http,https"]
logpath = /var/log/nginx/*access.log
maxretry = 5

8
docs/files/etc/fail2ban/jail.d/ddos.conf Normal file
View File

@ -0,0 +1,8 @@
[ddos]
enabled = true
port = 27015
protocol = udp
filter = ddos
logpath = /var/log/kern.log
maxretry = 3
bantime = 6000

578
docs/files/etc/netdata/health_alarm_notify.conf Normal file
View File

@ -0,0 +1,578 @@
# Configuration for alarm notifications
#
# This configuration is used by: alarm-notify.sh
# changes take effect immediately (the next alarm will use them).
#
# alarm-notify.sh can send:
# - e-mails (using the sendmail command),
# - push notifications to your mobile phone (pushover.net),
# - messages to your slack team (slack.com),
# - messages to your flock team (flock.com),
# - messages to your discord guild (discordapp.com),
# - messages to your telegram chat / group chat (telegram.org)
# - sms messages to your cell phone or any sms enabled device (twilio.com)
# - sms messages to your cell phone or any sms enabled device (messagebird.com)
# - notifications to users on pagerduty.com
#
# The 'to' line given at netdata alarms defines a *role*, so that many
# people can be notified for each role.
#
# This file is a BASH script itself.
#
#
#------------------------------------------------------------------------------
# proxy configuration
#
# If you need to send curl based notifications (pushover, pushbullet, slack,
# flock, discord, telegram) via a proxy, set these to your proxy address:
#export http_proxy="http://10.0.0.1:3128/"
#export https_proxy="http://10.0.0.1:3128/"
#------------------------------------------------------------------------------
# notifications images
#
# Images in notifications need to be downloaded from an Internet facing site.
# To allow notification providers fetch the icons/images, by default we set
# the URL of the global public netdata registry.
# If you have an Internet facing netdata (or you have copied the images/ folder
# of netdata to your web server), set its URL here, to fetch the notification
# images from it.
#images_base_url="http://my.public.netdata.server:19999"
#------------------------------------------------------------------------------
# external commands
# The full path to the sendmail command.
# If empty, the system $PATH will be searched for it.
# If not found, email notifications will be disabled (silently).
sendmail=""
# The full path of the curl command.
# If empty, the system $PATH will be searched for it.
# If not found, most notifications will be silently disabled.
curl=""
#------------------------------------------------------------------------------
# NOTE ABOUT RECIPIENTS
#
# When you define recipients (all types):
#
# - emails addresses
# - pushover user tokens
# - telegram chat ids
# - slack channels
# - flock rooms
# - discord channels
# - hipchat rooms
# - sms phone numbers
# - pagerduty.com (pd) services
#
# You can append |critical to limit the notifications to be sent.
#
# In these examples, the first recipient receives all the alarms
# while the second one receives only the critical ones:
#
# email : "user1@example.com user2@example.com|critical"
# pushover : "2987343...9437837 8756278...2362736|critical"
# telegram : "111827421 112746832|critical"
# slack : "alarms disasters|critical"
# flock : "alarms disasters|critical"
# discord : "alarms disasters|critical"
# twilio : "+15555555555 +17777777777|critical"
# messagebird: "+15555555555 +17777777777|critical"
# kavenegar : "09155555555 09177777777|critical"
# pd : "<pd_service_key_1> <pd_service_key_2>|critical"
#
# If a recipient is set to empty string, the default recipient of the given
# notification method (email, pushover, telegram, slack, etc) will be used.
# To disable a notification, use the recipient called: disabled
# This works for all notification methods (including the default recipients).
#------------------------------------------------------------------------------
# email global notification options
# multiple recipients can be given like this:
# "admin1@example.com admin2@example.com ..."
# the email address sending email notifications
# the default is the system user netdata runs as (usually: netdata)
# The following formats are supported:
# EMAIL_SENDER="user@domain"
# EMAIL_SENDER="User Name <user@domain>"
# EMAIL_SENDER="'User Name' <user@domain>"
# EMAIL_SENDER="\"User Name\" <user@domain>"
EMAIL_SENDER=""
# enable/disable sending emails
SEND_EMAIL="NO"
# if a role recipient is not configured, an email will be send to:
DEFAULT_RECIPIENT_EMAIL=""
# to receive only critical alarms, set it to "root|critical"
# Optionally specify the encoding to list in the Content-Type header.
# This doesn't change what encoding the e-mail is sent with, just what
# the headers say it was encoded as.
# This shouldn't need to be changed as it will almost always be
# autodetected from the environment.
#EMAIL_CHARSET="UTF-8"
#------------------------------------------------------------------------------
# pushover (pushover.net) global notification options
# multiple recipients can be given like this:
# "USERTOKEN1 USERTOKEN2 ..."
# enable/disable sending pushover notifications
SEND_PUSHOVER="YES"
# Login to pushover.net to get your pushover app token.
# You need only one for all your netdata servers (or you can have one for
# each of your netdata - your call).
# Without an app token, netdata cannot send pushover notifications.
PUSHOVER_APP_TOKEN=""
# if a role's recipients are not configured, a notification will be send to
# this pushover user token (empty = do not send a notification for unconfigured
# roles):
DEFAULT_RECIPIENT_PUSHOVER=""
#------------------------------------------------------------------------------
# pushbullet (pushbullet.com) push notification options
# multiple recipients can be given like this:
# "user1@email.com user2@mail.com"
# enable/disable sending pushbullet notifications
SEND_PUSHBULLET="YES"
# Signup and Login to pushbullet.com
# To get your Access Token, go to https://www.pushbullet.com/#settings/account
# Create a new access token and paste it below.
# Then just set the recipients' emails.
# Please note that the if the email in the DEFAULT_RECIPIENT_PUSHBULLET does
# not have a pushbullet account, the pushbullet service will send an email
# to that address instead.
# Without an access token, netdata cannot send pushbullet notifications.
PUSHBULLET_ACCESS_TOKEN=""
DEFAULT_RECIPIENT_PUSHBULLET=""
# Device iden of the sending device. Optional.
PUSHBULLET_SOURCE_DEVICE=""
#------------------------------------------------------------------------------
# Twilio (twilio.com) SMS options
# multiple recipients can be given like this:
# "+15555555555 +17777777777"
# enable/disable sending twilio SMS
SEND_TWILIO="YES"
# Signup for free trial and select a SMS capable Twilio Number
# To get your Account SID and Token, go to https://www.twilio.com/console
# Place your sid, token and number below.
# Then just set the recipients' phone numbers.
# The trial account is only allowed to use the number specified when set up.
# Without an account sid and token, netdata cannot send Twilio text messages.
TWILIO_ACCOUNT_SID=""
TWILIO_ACCOUNT_TOKEN=""
TWILIO_NUMBER=""
DEFAULT_RECIPIENT_TWILIO=""
#------------------------------------------------------------------------------
# Messagebird (messagebird.com) SMS options
# multiple recipients can be given like this:
# "+15555555555 +17777777777"
# enable/disable sending messagebird SMS
SEND_MESSAGEBIRD="YES"
# to get an access key, create a free account at https://www.messagebird.com
# verify and activate the account (no CC info needed)
# login to your account and enter your phonenumber to get some free credits
# to get the API key, click on 'API' in the sidebar, then 'API Access (REST)'
# click 'Add access key' and fill in data (you want a live key to send SMS)
# Without an access key, netdata cannot send Messagebird text messages.
MESSAGEBIRD_ACCESS_KEY=""
MESSAGEBIRD_NUMBER=""
DEFAULT_RECIPIENT_MESSAGEBIRD=""
#------------------------------------------------------------------------------
# Kavenegar (Kavenegar.com) SMS options
# multiple recipients can be given like this:
# "09155555555 09177777777"
# enable/disable sending kavenegar SMS
SEND_KAVENEGAR="YES"
# to get an access key, after selecting and purchasing your desired service
# at http://kavenegar.com/pricing.html
# login to your account, go to your dashboard and my account are
# https://panel.kavenegar.com/Client/setting/account from API Key
# copy your api key. You can generate new API Key too.
# You can find and select kevenegar sender number from this place.
# Without an API key, netdata cannot send KAVENEGAR text messages.
KAVENEGAR_API_KEY=""
KAVENEGAR_SENDER=""
DEFAULT_RECIPIENT_KAVENEGAR=""
#------------------------------------------------------------------------------
# telegram (telegram.org) global notification options
# To get your chat ID send the command /my_id to telegram bot @get_id.
# Users also need to open a query with the bot (see below).
# note: multiple recipients can be given like this:
# "CHAT_ID_1 CHAT_ID_2 ..."
# enable/disable sending telegram messages
SEND_TELEGRAM="YES"
# Contact the bot @BotFather to create a new bot and receive a bot token.
# Without it, netdata cannot send telegram messages.
TELEGRAM_BOT_TOKEN=""
# If a role's recipients are not configured, a message will be send to
# this chat id (empty = do not send a notification for unconfigured roles):
DEFAULT_RECIPIENT_TELEGRAM=""
#------------------------------------------------------------------------------
# slack (slack.com) global notification options
# multiple recipients can be given like this:
# "CHANNEL1 CHANNEL2 ..."
# enable/disable sending slack notifications
SEND_SLACK="YES"
# Login to slack.com and create an incoming webhook. You need only one for all
# your netdata servers (or you can have one for each of your netdata).
# Without it, netdata cannot send slack notifications.
# Get yours from: https://api.slack.com/incoming-webhooks
SLACK_WEBHOOK_URL=""
# if a role's recipients are not configured, a notification will be send to
# this slack channel (empty = do not send a notification for unconfigured
# roles):
DEFAULT_RECIPIENT_SLACK=""
#------------------------------------------------------------------------------
# flock (flock.com) global notification options
# enable/disable sending flock notifications
SEND_FLOCK="YES"
# Login to flock.com and create an incoming webhook. You need only one for all
# your netdata servers (or you can have one for each of your netdata).
# Without it, netdata cannot send flock notifications.
FLOCK_WEBHOOK_URL=""
# if a role recipient is not configured, no notification will be sent
DEFAULT_RECIPIENT_FLOCK=""
#------------------------------------------------------------------------------
# discord (discordapp.com) global notification options
# multiple recipients can be given like this:
# "CHANNEL1 CHANNEL2 ..."
# enable/disable sending discord notifications
SEND_DISCORD="YES"
# Create a webhook by following the official documentation -
# https://support.discordapp.com/hc/en-us/articles/228383668-Intro-to-Webhooks
DISCORD_WEBHOOK_URL=""
# if a role's recipients are not configured, a notification will be send to
# this discord channel (empty = do not send a notification for unconfigured
# roles):
DEFAULT_RECIPIENT_DISCORD=""
#------------------------------------------------------------------------------
# hipchat global notification options
# multiple recipients can be given like this:
# "ROOM1 ROOM2 ..."
# enable/disable sending hipchat notifications
SEND_HIPCHAT="YES"
# define hipchat server
HIPCHAT_SERVER="api.hipchat.com"
# api.hipchat.com authorization token
# Without this, netdata cannot send hipchat notifications.
HIPCHAT_AUTH_TOKEN=""
# if a role's recipients are not configured, a notification will be send to
# this hipchat room (empty = do not send a notification for unconfigured
# roles):
DEFAULT_RECIPIENT_HIPCHAT=""
#------------------------------------------------------------------------------
# kafka notification options
# enable/disable sending kafka notifications
SEND_KAFKA="YES"
# The URL to POST kafka alarm data to. It should be the full URL.
KAFKA_URL=""
# The IP to be used in the kafka message as the sender.
KAFKA_SENDER_IP=""
#------------------------------------------------------------------------------
# pagerduty.com notification options
#
# pagerduty.com notifications require the pagerduty agent to be installed and
# a "Generic API" pagerduty service.
# https://www.pagerduty.com/docs/guides/agent-install-guide/
# multiple recipients can be given like this:
# "<pd_service_key_1> <pd_service_key_2> ..."
# enable/disable sending pagerduty notifications
SEND_PD="YES"
# if a role's recipients are not configured, a notification will be sent to
# the "General API" pagerduty.com service that uses this service key.
# (empty = do not send a notification for unconfigured roles):
DEFAULT_RECIPIENT_PD=""
#------------------------------------------------------------------------------
# custom notifications
#
# enable/disable sending custom notifications
SEND_CUSTOM="YES"
# if a role's recipients are not configured, use the following.
# (empty = do not send a notification for unconfigured roles)
DEFAULT_RECIPIENT_CUSTOM=""
# The custom_sender() is a custom function to do whatever you need to do
custom_sender() {
# variables you can use:
# ${host} the host generated this event
# ${url_host} same as ${host} but URL encoded
# ${unique_id} the unique id of this event
# ${alarm_id} the unique id of the alarm that generated this event
# ${event_id} the incremental id of the event, for this alarm id
# ${when} the timestamp this event occurred
# ${name} the name of the alarm, as given in netdata health.d entries
# ${url_name} same as ${name} but URL encoded
# ${chart} the name of the chart (type.id)
# ${url_chart} same as ${chart} but URL encoded
# ${family} the family of the chart
# ${url_family} same as ${family} but URL encoded
# ${status} the current status : REMOVED, UNINITIALIZED, UNDEFINED, CLEAR, WARNING, CRITICAL
# ${old_status} the previous status: REMOVED, UNINITIALIZED, UNDEFINED, CLEAR, WARNING, CRITICAL
# ${value} the current value of the alarm
# ${old_value} the previous value of the alarm
# ${src} the line number and file the alarm has been configured
# ${duration} the duration in seconds of the previous alarm state
# ${duration_txt} same as ${duration} for humans
# ${non_clear_duration} the total duration in seconds this is/was non-clear
# ${non_clear_duration_txt} same as ${non_clear_duration} for humans
# ${units} the units of the value
# ${info} a short description of the alarm
# ${value_string} friendly value (with units)
# ${old_value_string} friendly old value (with units)
# ${image} the URL of an image to represent the status of the alarm
# ${color} a color in #AABBCC format for the alarm
# ${goto_url} the URL the user can click to see the netdata dashboard
# these are more human friendly:
# ${alarm} like "name = value units"
# ${status_message} like "needs attention", "recovered", "is critical"
# ${severity} like "Escalated to CRITICAL", "Recovered from WARNING"
# ${raised_for} like "(alarm was raised for 10 minutes)"
# example human readable SMS
local msg="${host} ${status_message}: ${alarm} ${raised_for}"
# limit it to 160 characters and encode it for use in a URL
urlencode "${msg:0:160}" >/dev/null; msg="${REPLY}"
# a space separated list of the recipients to send alarms to
to="${1}"
info "not sending custom notification to ${to}, for ${status} of '${host}.${chart}.${name}' - custom_sender() is not configured."
}
###############################################################################
# RECIPIENTS PER ROLE
# -----------------------------------------------------------------------------
# generic system alarms
# CPU, disks, network interfaces, entropy, etc
role_recipients_email[sysadmin]="${DEFAULT_RECIPIENT_EMAIL}"
role_recipients_pushover[sysadmin]="${DEFAULT_RECIPIENT_PUSHOVER}"
role_recipients_pushbullet[sysadmin]="${DEFAULT_RECIPIENT_PUSHBULLET}"
role_recipients_telegram[sysadmin]="${DEFAULT_RECIPIENT_TELEGRAM}"
role_recipients_slack[sysadmin]="${DEFAULT_RECIPIENT_SLACK}"
role_recipients_flock[sysadmin]="${DEFAULT_RECIPIENT_FLOCK}"
role_recipients_discord[sysadmin]="${DEFAULT_RECIPIENT_DISCORD}"
role_recipients_hipchat[sysadmin]="${DEFAULT_RECIPIENT_HIPCHAT}"
role_recipients_twilio[sysadmin]="${DEFAULT_RECIPIENT_TWILIO}"
role_recipients_messagebird[sysadmin]="${DEFAULT_RECIPIENT_MESSAGEBIRD}"
role_recipients_kavenegar[sysadmin]="${DEFAULT_RECIPIENT_KAVENEGAR}"
role_recipients_pd[sysadmin]="${DEFAULT_RECIPIENT_PD}"
role_recipients_custom[sysadmin]="${DEFAULT_RECIPIENT_CUSTOM}"
# -----------------------------------------------------------------------------
# DNS related alarms
role_recipients_email[domainadmin]="${DEFAULT_RECIPIENT_EMAIL}"
role_recipients_pushover[domainadmin]="${DEFAULT_RECIPIENT_PUSHOVER}"
role_recipients_pushbullet[domainadmin]="${DEFAULT_RECIPIENT_PUSHBULLET}"
role_recipients_telegram[domainadmin]="${DEFAULT_RECIPIENT_TELEGRAM}"
role_recipients_slack[domainadmin]="${DEFAULT_RECIPIENT_SLACK}"
role_recipients_flock[domainadmin]="${DEFAULT_RECIPIENT_FLOCK}"
role_recipients_discord[domainadmin]="${DEFAULT_RECIPIENT_DISCORD}"
role_recipients_hipchat[domainadmin]="${DEFAULT_RECIPIENT_HIPCHAT}"
role_recipients_twilio[domainadmin]="${DEFAULT_RECIPIENT_TWILIO}"
role_recipients_messagebird[domainadmin]="${DEFAULT_RECIPIENT_MESSAGEBIRD}"
role_recipients_kavenegar[domainadmin]="${DEFAULT_RECIPIENT_KAVENEGAR}"
role_recipients_pd[domainadmin]="${DEFAULT_RECIPIENT_PD}"
role_recipients_custom[domainadmin]="${DEFAULT_RECIPIENT_CUSTOM}"
# -----------------------------------------------------------------------------
# database servers alarms
# mysql, redis, memcached, postgres, etc
role_recipients_email[dba]="${DEFAULT_RECIPIENT_EMAIL}"
role_recipients_pushover[dba]="${DEFAULT_RECIPIENT_PUSHOVER}"
role_recipients_pushbullet[dba]="${DEFAULT_RECIPIENT_PUSHBULLET}"
role_recipients_telegram[dba]="${DEFAULT_RECIPIENT_TELEGRAM}"
role_recipients_slack[dba]="${DEFAULT_RECIPIENT_SLACK}"
role_recipients_flock[dba]="${DEFAULT_RECIPIENT_FLOCK}"
role_recipients_discord[dba]="${DEFAULT_RECIPIENT_DISCORD}"
role_recipients_hipchat[dba]="${DEFAULT_RECIPIENT_HIPCHAT}"
role_recipients_twilio[dba]="${DEFAULT_RECIPIENT_TWILIO}"
role_recipients_messagebird[dba]="${DEFAULT_RECIPIENT_MESSAGEBIRD}"
role_recipients_kavenegar[dba]="${DEFAULT_RECIPIENT_KAVENEGAR}"
role_recipients_pd[dba]="${DEFAULT_RECIPIENT_PD}"
role_recipients_custom[dba]="${DEFAULT_RECIPIENT_CUSTOM}"
# -----------------------------------------------------------------------------
# web servers alarms
# apache, nginx, lighttpd, etc
role_recipients_email[webmaster]="${DEFAULT_RECIPIENT_EMAIL}"
role_recipients_pushover[webmaster]="${DEFAULT_RECIPIENT_PUSHOVER}"
role_recipients_pushbullet[webmaster]="${DEFAULT_RECIPIENT_PUSHBULLET}"
role_recipients_telegram[webmaster]="${DEFAULT_RECIPIENT_TELEGRAM}"
role_recipients_slack[webmaster]="${DEFAULT_RECIPIENT_SLACK}"
role_recipients_flock[webmaster]="${DEFAULT_RECIPIENT_FLOCK}"
role_recipients_discord[webmaster]="${DEFAULT_RECIPIENT_DISCORD}"
role_recipients_hipchat[webmaster]="${DEFAULT_RECIPIENT_HIPCHAT}"
role_recipients_twilio[webmaster]="${DEFAULT_RECIPIENT_TWILIO}"
role_recipients_messagebird[webmaster]="${DEFAULT_RECIPIENT_MESSAGEBIRD}"
role_recipients_kavenegar[webmaster]="${DEFAULT_RECIPIENT_KAVENEGAR}"
role_recipients_pd[webmaster]="${DEFAULT_RECIPIENT_PD}"
role_recipients_custom[webmaster]="${DEFAULT_RECIPIENT_CUSTOM}"
# -----------------------------------------------------------------------------
# proxy servers alarms
# squid, etc
role_recipients_email[proxyadmin]="${DEFAULT_RECIPIENT_EMAIL}"
role_recipients_pushover[proxyadmin]="${DEFAULT_RECIPIENT_PUSHOVER}"
role_recipients_pushbullet[proxyadmin]="${DEFAULT_RECIPIENT_PUSHBULLET}"
role_recipients_telegram[proxyadmin]="${DEFAULT_RECIPIENT_TELEGRAM}"
role_recipients_slack[proxyadmin]="${DEFAULT_RECIPIENT_SLACK}"
role_recipients_flock[proxyadmin]="${DEFAULT_RECIPIENT_FLOCK}"
role_recipients_discord[proxyadmin]="${DEFAULT_RECIPIENT_DISCORD}"
role_recipients_hipchat[proxyadmin]="${DEFAULT_RECIPIENT_HIPCHAT}"
role_recipients_twilio[proxyadmin]="${DEFAULT_RECIPIENT_TWILIO}"
role_recipients_messagebird[proxyadmin]="${DEFAULT_RECIPIENT_MESSAGEBIRD}"
role_recipients_kavenegar[proxyadmin]="${DEFAULT_RECIPIENT_KAVENEGAR}"
role_recipients_pd[proxyadmin]="${DEFAULT_RECIPIENT_PD}"
role_recipients_custom[proxyadmin]="${DEFAULT_RECIPIENT_CUSTOM}"

2
docs/files/etc/nginx/common/hsts-sub.conf Normal file
View File

@ -0,0 +1,2 @@
# Warning : this line enable HSTS for your domain and all subdomains (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security "max-age=31536000; preload";

3
docs/files/etc/nginx/common/hsts.conf Normal file
View File

@ -0,0 +1,3 @@
# Warning : this line enable HSTS for your domain and all subdomains (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

79
docs/files/etc/nginx/common/locations-php7.conf Normal file
View File

@ -0,0 +1,79 @@
# NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files
location = /favicon.ico {
access_log off;
log_not_found off;
expires max;
}
location = /robots.txt {
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args;
access_log off;
log_not_found off;
}
# Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
}
# Cache static files
location ~* \.(css|js)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires 30d;
}
# Security settings for better privacy
# Deny hidden files
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
#location ~ /\.well-known {
# allow all;
#}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all;
access_log off;
log_not_found off;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
return 403;
}
# Status pages
location /nginx_status {
stub_status on;
access_log off;
include common/acl.conf;
}
location ~ ^/(status|ping) {
include fastcgi_params;
fastcgi_pass php7;
include common/acl.conf;
}
# EasyEngine (ee) utilities
# phpMyAdmin settings
location /pma {
return 301 https://$host:22222/db/pma;
}
location /phpMyAdmin {
return 301 https://$host:22222/db/pma;
}
location /phpmyadmin {
return 301 https://$host:22222/db/pma;
}
# Adminer settings
location /adminer {
return 301 https://$host:22222/db/adminer;
}

79
docs/files/etc/nginx/common/locations-php71.conf Normal file
View File

@ -0,0 +1,79 @@
# NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files
location = /favicon.ico {
access_log off;
log_not_found off;
expires max;
}
location = /robots.txt {
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args;
access_log off;
log_not_found off;
}
# Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
}
# Cache static files
location ~* \.(css|js)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires 30d;
}
# Security settings for better privacy
# Deny hidden files
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
#location ~ /\.well-known {
# allow all;
#}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all;
access_log off;
log_not_found off;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
return 403;
}
# Status pages
location /nginx_status {
stub_status on;
access_log off;
include common/acl.conf;
}
location ~ ^/(status|ping) {
include fastcgi_params;
fastcgi_pass php71;
include common/acl.conf;
}
# EasyEngine (ee) utilities
# phpMyAdmin settings
location /pma {
return 301 https://$host:22222/db/pma;
}
location /phpMyAdmin {
return 301 https://$host:22222/db/pma;
}
location /phpmyadmin {
return 301 https://$host:22222/db/pma;
}
# Adminer settings
location /adminer {
return 301 https://$host:22222/db/adminer;
}

79
docs/files/etc/nginx/common/locations-php72.conf Normal file
View File

@ -0,0 +1,79 @@
# NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files
location = /favicon.ico {
access_log off;
log_not_found off;
expires max;
}
location = /robots.txt {
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args;
access_log off;
log_not_found off;
}
# Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
}
# Cache static files
location ~* \.(css|js)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires 30d;
}
# Security settings for better privacy
# Deny hidden files
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
#location ~ /\.well-known {
# allow all;
#}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all;
access_log off;
log_not_found off;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
return 403;
}
# Status pages
location /nginx_status {
stub_status on;
access_log off;
include common/acl.conf;
}
location ~ ^/(status|ping) {
include fastcgi_params;
fastcgi_pass php71;
include common/acl.conf;
}
# EasyEngine (ee) utilities
# phpMyAdmin settings
location /pma {
return 301 https://$host:22222/db/pma;
}
location /phpMyAdmin {
return 301 https://$host:22222/db/pma;
}
location /phpmyadmin {
return 301 https://$host:22222/db/pma;
}
# Adminer settings
location /adminer {
return 301 https://$host:22222/db/adminer;
}

6
docs/files/etc/nginx/common/ocsp.conf Normal file
View File

@ -0,0 +1,6 @@
##OCSP settings
ssl_stapling on;
resolver 8.8.8.8 1.1.1.1 valid=300s;
ssl_stapling_verify on;
#ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here
resolver_timeout 5;

10
docs/files/etc/nginx/common/php71.conf Normal file
View File

@ -0,0 +1,10 @@
# PHP NGINX CONFIGURATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php71;
}

10
docs/files/etc/nginx/common/php72.conf Normal file
View File

@ -0,0 +1,10 @@
# PHP NGINX CONFIGURATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php72;
}

33
docs/files/etc/nginx/common/wpcommon-php7.conf Normal file
View File

@ -0,0 +1,33 @@
# WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack
location = /wp-login.php {
limit_req zone=one burst=1 nodelay;
include fastcgi_params;
fastcgi_pass php7;
}
# Disable wp-config.txt
location = /wp-config.txt {
deny all;
access_log off;
log_not_found off;
}
# Disallow php in upload folder
location /wp-content/uploads/ {
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
location ~* ^/wp-content/.+\.(png|jpg)$ {
add_header Vary Accept;
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}

33
docs/files/etc/nginx/common/wpcommon-php71.conf Normal file
View File

@ -0,0 +1,33 @@
# WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack
location = /wp-login.php {
limit_req zone=one burst=1 nodelay;
include fastcgi_params;
fastcgi_pass php71;
}
# Disable wp-config.txt
location = /wp-config.txt {
deny all;
access_log off;
log_not_found off;
}
# Disallow php in upload folder
location /wp-content/uploads/ {
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
location ~* ^/wp-content/.+\.(png|jpg)$ {
add_header Vary Accept;
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}

33
docs/files/etc/nginx/common/wpcommon-php72.conf Normal file
View File

@ -0,0 +1,33 @@
# WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack
location = /wp-login.php {
limit_req zone=one burst=1 nodelay;
include fastcgi_params;
fastcgi_pass php72;
}
# Disable wp-config.txt
location = /wp-config.txt {
deny all;
access_log off;
log_not_found off;
}
# Disallow php in upload folder
location /wp-content/uploads/ {
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
location ~* ^/wp-content/.+\.(png|jpg)$ {
add_header Vary Accept;
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}

27
docs/files/etc/nginx/conf.d/cloudflare.conf Normal file
View File

@ -0,0 +1,27 @@
# $remote_addr rewriting in case of NGINX behind CloudFlare.
# See also mod_cloudflare Apache module configuration.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

19
docs/files/etc/nginx/conf.d/fastcgi.conf Normal file
View File

@ -0,0 +1,19 @@
# FastCGI cache settings
fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:50m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
fastcgi_buffers 256 32k;
fastcgi_buffer_size 256k;
fastcgi_connect_timeout 4s;
fastcgi_send_timeout 120s;
fastcgi_busy_buffers_size 512k;
fastcgi_temp_file_write_size 512K;
fastcgi_param SERVER_NAME $http_host;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_keep_conn on;
#Others
open_file_cache max=2000 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
open_file_cache_errors off;

35
docs/files/etc/nginx/conf.d/upstream.conf Normal file
View File

@ -0,0 +1,35 @@
# Common upstream settings
upstream php {
# server unix:/run/php5-fpm.sock;
server 127.0.0.1:9000;
}
upstream debug {
# Debug Pool
server 127.0.0.1:9001;
}
# php7.0-fpm
upstream php7 {
server 127.0.0.1:9070;
}
upstream debug7 {
server 127.0.0.1:9170;
}
# php7.1-fpm
upstream php71 {
server 127.0.0.1:9080;
}
# php7.2-fpm
upstream php72 {
server 127.0.0.1:9090;
}
# redis
upstream redis {
server 127.0.0.1:6379;
keepalive 10;
}
# netdata (optional)
upstream netdata {
server 127.0.0.1:19999;
keepalive 64;
}

4
docs/files/etc/nginx/conf.d/webp.conf Normal file
View File

@ -0,0 +1,4 @@
map $http_accept $webp_suffix {
default "";
"~*webp" ".webp";
}

155
docs/files/etc/nginx/nginx-intermediate.conf Normal file
View File

@ -0,0 +1,155 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events
{
worker_connections 16384;
multi_accept on;
use epoll;
}
http
{
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
fastcgi_read_timeout 300;
client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# tls dynamic records patch directive
ssl_dyn_rec_enable on;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
##Common headers for security
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';
# ipscrub settings
ipscrub_period_seconds 3600;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

174
docs/files/etc/nginx/nginx-tlsv12.conf Normal file
View File

@ -0,0 +1,174 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events
{
worker_connections 16384;
multi_accept on;
use epoll;
}
http
{
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
fastcgi_read_timeout 120s;
client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# tls dynamic records patch directive
ssl_dyn_rec_enable on;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
ssl_protocols TLSv1.2;
ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
##Common headers for security
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';
# ipscrub settings
ipscrub_period_seconds 3600;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

175
docs/files/etc/nginx/nginx.conf Normal file
View File

@ -0,0 +1,175 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events
{
worker_connections 16384;
multi_accept on;
use epoll;
}
http
{
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
fastcgi_read_timeout 120s;
client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# tls dynamic records patch directive
ssl_dyn_rec_enable on;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
##Common headers for security
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';
# ipscrub settings
ipscrub_period_seconds 3600;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

10
docs/files/etc/nginx/proxy_params Normal file
View File

@ -0,0 +1,10 @@
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering on;
proxy_buffer_size 128k;
proxy_buffers 256 16k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_max_temp_file_size 0;

84
docs/files/etc/nginx/sites-available/22222 Normal file
View File

@ -0,0 +1,84 @@
# EasyEngine admin NGINX CONFIGURATION
server {
listen 22222 default_server ssl http2;
access_log off;
error_log /var/log/nginx/22222.error.log;
ssl_certificate /var/www/22222/cert/22222.crt;
ssl_certificate_key /var/www/22222/cert/22222.key;
# Force HTTP to HTTPS
error_page 497 =200 https://$host:22222$request_uri;
root /var/www/22222/htdocs;
index index.php index.htm index.html;
# Turn on directory listing
autoindex on;
# HTTP Authentication on port 22222
include common/acl.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
# Display menu at location /fpm/status/
location = /fpm/status/ {}
location ~ /fpm/status/(.*) {
try_files $uri =404;
include fastcgi_params;
fastcgi_param SCRIPT_NAME /status;
fastcgi_pass $1;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php7;
}
# ViMbAdmin Rules
location = /vimbadmin/ {
return 301 $scheme://$host:22222/vimbadmin/public/;
}
location ~* /vimbadmin/public/(.*)/(.*) {
root /var/www/22222/htdocs/vimbadmin/public;
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
}
location ~* /vimbadmin/public/(.*) {
root /var/www/22222/htdocs/vimbadmin/public;
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
}
location /netdata {
return 301 /netdata/;
}
location ~ /netdata/(?<ndpath>.*) {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Connection "keep-alive";
proxy_store off;
proxy_pass http://netdata/$ndpath$is_args$args;
gzip on;
gzip_proxied any;
gzip_types *;
}
}

112
docs/files/etc/nginx/sites-available/default Normal file
View File

@ -0,0 +1,112 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
# include snippets/snakeoil.conf;
#
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # dont use SSLv3 ref: POODLE
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
access_log off;
error_log /var/log/nginx/default.error.log;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location /stub_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
# Status pages
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
# phpfpm pool monitoring
location ~ ^/(status|ping) {
include fastcgi_params;
fastcgi_pass php7;
include common/acl.conf;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
# fastcgi_pass unix:/var/run/php5-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

191
docs/files/etc/php/7.0/cli/php.ini Normal file
View File

@ -0,0 +1,191 @@
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 8096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
disable_classes =
zend.enable_gc = On
expose_php = Off
max_execution_time = 300
max_input_time = 600
max_input_vars = 10000
memory_limit = -1
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 128M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 128M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
date.timezone = Europe/Paris
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket =
[Phar]
[mail function]
smtp = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled = 1
soap.wsdl_cache_dir = "/tmp"
soap.wsdl_cache_ttl = 86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=1
[curl]
[openssl]

191
docs/files/etc/php/7.0/fpm/php.ini Normal file
View File

@ -0,0 +1,191 @@
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 8096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
disable_classes =
zend.enable_gc = On
expose_php = Off
max_execution_time = 300
max_input_time = 600
max_input_vars = 10000
memory_limit = 256M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 128M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 128M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
date.timezone = Europe/Paris
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket =
[Phar]
[mail function]
smtp = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled = 1
soap.wsdl_cache_dir = "/tmp"
soap.wsdl_cache_ttl = 86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=1
[curl]
[openssl]

271
docs/files/etc/php/7.1/fpm/php.ini Normal file
View File

@ -0,0 +1,271 @@
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
disable_classes =
zend.enable_gc = On
expose_php = Off
max_execution_time = 300
max_input_time = 600
max_input_vars = 10000
memory_limit = 256M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 128M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 128M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
date.timezone = Europe/Paris
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 1
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=1
[curl]
[openssl]

15
docs/files/etc/php/7.1/fpm/pool.d/www.conf Normal file
View File

@ -0,0 +1,15 @@
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9080
listen.owner = www-data
listen.group = www-data
pm = ondemand
pm.max_children = 100
pm.start_servers = 20
pm.min_spare_servers = 10
pm.max_spare_servers = 30
ping.path = /ping
pm.status_path = /status
pm.max_requests = 500
request_terminate_timeout = 300

184
docs/files/etc/php/7.2/fpm/php.ini Normal file
View File

@ -0,0 +1,184 @@
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
disable_classes =
zend.enable_gc = On
expose_php = Off
max_execution_time = 300
max_input_vars = 10000
max_input_time = 600
memory_limit = 256M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 128M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 128M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
date.timezone = Europe/Paris
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[dba]
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=1
[curl]
[openssl]

15
docs/files/etc/php/7.2/fpm/pool.d/www.conf Normal file
View File

@ -0,0 +1,15 @@
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9090
listen.owner = www-data
listen.group = www-data
pm = ondemand
pm.max_children = 100
pm.start_servers = 20
pm.min_spare_servers = 10
pm.max_spare_servers = 30
ping.path = /ping
pm.status_path = /status
pm.max_requests = 500
request_terminate_timeout = 300

61
docs/files/etc/security/limits.conf Normal file
View File

@ -0,0 +1,61 @@
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
# - NOTE: group and wildcard limits are not applied to root.
# To apply a limit to the root user, <domain> must be
# the literal username root.
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
# - chroot - change root to directory (Debian-specific)
#
#<domain> <type> <item> <value>
#
#* soft core 0
#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp - chroot /ftp
#@student - maxlogins 4
# End of file
* hard nofile 500000
* soft nofile 500000
root hard nofile 500000
root soft nofile 500000

42
docs/files/etc/ssh/sshd_config Normal file
View File

@ -0,0 +1,42 @@
# Use a custom port in the following range : 1024-65536
Port 22
#Prefer ed25519 & ECDSA keys rather than 2048 bit RSA
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Allow root access with ssh keys
PermitRootLogin without-password
# Allow ssh access to some users only
AllowUsers root
# allow ssh key Authentication
PubkeyAuthentication yes
# ssh keys path in ~/.ssh/authorized_keys
AuthorizedKeysFile %h/.ssh/authorized_keys
# No password or empty passwords Authentication
PasswordAuthentication no
PermitEmptyPasswords no
# No challenge response Authentication
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
#PrintMotd no
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# use strong ciphers
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs umac-128-etm@openssh.com,umac-128@openssh.com