change link and cleanup readme
parent
741817f489
commit
32768d4636
325
README.md
325
README.md
|
@ -2,88 +2,113 @@
|
|||
|
||||
* * *
|
||||
|
||||
## Server Stack :
|
||||
## Server Stack
|
||||
|
||||
- Ubuntu 16.04/18.04 LTS
|
||||
- Nginx 1.14.x
|
||||
- PHP-FPM 7/7.1/7.2
|
||||
- MariaDB 10.3
|
||||
- REDIS 4.0
|
||||
- Memcached
|
||||
- Fail2ban
|
||||
- Netdata
|
||||
- UFW
|
||||
- Ubuntu 16.04/18.04 LTS
|
||||
- Nginx 1.14.x
|
||||
- PHP-FPM 7/7.1/7.2
|
||||
- MariaDB 10.3
|
||||
- REDIS 4.0
|
||||
- Memcached
|
||||
- Fail2ban
|
||||
- Netdata
|
||||
- UFW
|
||||
|
||||
* * *
|
||||
|
||||
## All Instructions and informations are listed on the [Github page](https://virtubox.github.io/ubuntu-nginx-web-server/)
|
||||
**All Instructions and informations are listed on the [Github page](https://virtubox.github.io/ubuntu-nginx-web-server/)**
|
||||
|
||||
Configuration files with comments and informations available by following the link **source**
|
||||
|
||||
## Initial configuration
|
||||
### Initial configuration
|
||||
|
||||
**System update and packages cleanup**
|
||||
#### System update and packages cleanup
|
||||
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
|
||||
```bash
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
|
||||
```
|
||||
|
||||
**Install useful packages**
|
||||
#### Install useful packages
|
||||
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop -y
|
||||
```bash
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop -y
|
||||
```
|
||||
|
||||
**Tweak Kernel** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) &
|
||||
**Increase open files limits** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
||||
#### Tweak Kernel & Increase open files limits
|
||||
|
||||
modprobe tcp_htcp
|
||||
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
|
||||
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
||||
|
||||
**disable transparent hugepage for redis**
|
||||
```bash
|
||||
modprobe tcp_htcp
|
||||
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
|
||||
```
|
||||
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
#### disable transparent hugepage for redis
|
||||
|
||||
```bash
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
## EasyEngine Setup
|
||||
### EasyEngine Setup
|
||||
|
||||
**Install MariaDB 10.3** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
#### Install MariaDB 10.3
|
||||
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
|
||||
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
|
||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
|
||||
**Install EasyEngine**
|
||||
```bash
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
|
||||
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
|
||||
```
|
||||
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
#### Install EasyEngine
|
||||
|
||||
**enable ee bash_completion**
|
||||
```bash
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
```
|
||||
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
#### enable ee bash_completion
|
||||
|
||||
**Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend**
|
||||
```bash
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
```
|
||||
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
|
||||
|
||||
**Set your email instead of root@localhost**
|
||||
```bash
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
```
|
||||
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
#### Set your email instead of root@localhost
|
||||
|
||||
**Install Composer - Fix phpmyadmin install issue**
|
||||
```bash
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
```
|
||||
|
||||
cd ~/
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
|
||||
#### Install Composer - Fix phpmyadmin install issue
|
||||
|
||||
**Allow shell for www-data for SFTP usage**
|
||||
```bash
|
||||
cd ~/
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
|
||||
```
|
||||
|
||||
usermod -s /bin/bash www-data
|
||||
#### Allow shell for www-data for SFTP usage
|
||||
|
||||
## PHP 7.1 & 7.2 Setup
|
||||
```bash
|
||||
usermod -s /bin/bash www-data
|
||||
```
|
||||
|
||||
**Install php7.1-fpm**
|
||||
### PHP 7.1 & 7.2 Setup
|
||||
|
||||
#### Install php7.1-fpm
|
||||
|
||||
```bash
|
||||
# php7.1-fpm
|
||||
|
@ -96,8 +121,9 @@ wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubun
|
|||
service php7.1-fpm restart
|
||||
```
|
||||
|
||||
**Install php7.2-fpm**
|
||||
```
|
||||
#### Install php7.2-fpm
|
||||
|
||||
```bash
|
||||
# php7.2-fpm
|
||||
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
|
||||
|
||||
|
@ -107,159 +133,173 @@ wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubun
|
|||
service php7.2-fpm restart
|
||||
```
|
||||
|
||||
**add nginx upstreams**
|
||||
#### add nginx upstreams
|
||||
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
||||
service nginx reload
|
||||
|
||||
add ee common configuration
|
||||
#### add ee common configuration
|
||||
|
||||
cd /etc/nginx/common || exit
|
||||
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
|
||||
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
|
||||
unzip common.zip
|
||||
|
||||
**Compile last Nginx mainline release with [nginx-ee script](https://virtubox.github.io/nginx-ee/)**
|
||||
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
||||
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
|
||||
* * *
|
||||
|
||||
## Custom configurations
|
||||
### Custom configurations
|
||||
|
||||
**clean php-fpm php.ini configurations**
|
||||
#### clean php-fpm php.ini configuration
|
||||
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
|
||||
service php7.0-fpm restart
|
||||
|
||||
**Nginx optimized configurations**
|
||||
#### Nginx optimized configurations
|
||||
|
||||
# TLSv1.2 TLSv1.3 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
|
||||
|
||||
# TLS intermediate
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
|
||||
|
||||
# TLSv1.2 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
|
||||
|
||||
**nginx configuration for netdata & new upstreams**
|
||||
#### Nginx configuration for netdata & new upstreams
|
||||
|
||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
||||
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
|
||||
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
|
||||
|
||||
# add netdata, php7.1 and php7.2 upstream
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
||||
|
||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
|
||||
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
|
||||
|
||||
**wpcommon-php7x configurations**
|
||||
#### wpcommon-php7x configurations
|
||||
|
||||
- webp rewrite rules added
|
||||
- DoS attack CVE fix added
|
||||
- php7.1 & php7.2 configuration added
|
||||
- webp rewrite rules added
|
||||
- DoS attack CVE fix added
|
||||
- php7.1 & php7.2 configuration added
|
||||
|
||||
```bash
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
|
||||
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
|
||||
# 2) wpcommon files
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
|
||||
|
||||
# 2) wpcommon files
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
|
||||
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
|
||||
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
|
||||
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
|
||||
|
||||
nginx -t
|
||||
service nginx reload
|
||||
nginx -t
|
||||
service nginx reload
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
## Security
|
||||
### Security
|
||||
|
||||
* * *
|
||||
#### Harden SSH Security
|
||||
|
||||
**Harden SSH Security**
|
||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
||||
|
||||
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
|
||||
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
|
||||
|
||||
**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||
#### UFW
|
||||
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging low
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||
```bash
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging on
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
|
||||
# enable UFW
|
||||
ufw enable
|
||||
# enable UFW
|
||||
ufw enable
|
||||
```
|
||||
|
||||
**Custom jails for fail2ban**
|
||||
#### Custom jails for fail2ban
|
||||
|
||||
- wordpress bruteforce
|
||||
- ssh
|
||||
- recidive (after 3 bans)
|
||||
- backend http auth
|
||||
- nginx bad bots
|
||||
- wordpress bruteforce
|
||||
- ssh
|
||||
- recidive (after 3 bans)
|
||||
- backend http auth
|
||||
- nginx bad bots
|
||||
|
||||
```bash
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
|
||||
|
||||
fail2ban-client reload
|
||||
```
|
||||
|
||||
#### Secure Memcached server
|
||||
|
||||
```bash
|
||||
echo '-U 0' >> /etc/memcached.conf
|
||||
sudo systemctl restart memcached
|
||||
```
|
||||
|
||||
### Optional tools
|
||||
|
||||
#### ee-acme-sh
|
||||
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
||||
|
||||
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
|
||||
|
||||
fail2ban-client reload
|
||||
|
||||
**Secure Memcached server**
|
||||
|
||||
echo '-U 0' >> /etc/memcached.conf
|
||||
sudo systemctl restart memcached
|
||||
|
||||
## Optional tools
|
||||
|
||||
### ee-acme-sh
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/)
|
||||
My script to setup letsencrypt certificates using acme.sh on EasyEngine servers.
|
||||
* subdomain support
|
||||
* ivp6 support
|
||||
* ivp6 support
|
||||
* wildcards certificates support
|
||||
|
||||
```bash
|
||||
cd && bash <(wget --no-check-certificate -O - https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh)
|
||||
|
||||
wget -O - https://get.acme.sh | sh
|
||||
source ~/.bashrc
|
||||
# enable acme.sh & ee-acme-sh
|
||||
source .bashrc
|
||||
```
|
||||
|
||||
### netdata
|
||||
#### netdata
|
||||
|
||||
[Github repository](https://github.com/firehol/netdata)
|
||||
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
```bash
|
||||
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
|
||||
# disable email notifications
|
||||
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
|
||||
service netdata restart
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
|
||||
### bash-snippets
|
||||
# disable email notifications
|
||||
wget -O /etc/netdata/health_alarm_notify.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/netdata/health_alarm_notify.conf
|
||||
service netdata restart
|
||||
```
|
||||
|
||||
#### bash-snippets
|
||||
|
||||
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
|
||||
|
||||
|
@ -270,7 +310,7 @@ git checkout v1.22.0
|
|||
./install.sh cheat
|
||||
```
|
||||
|
||||
usage : cheat command
|
||||
usage : `cheat <command>`
|
||||
|
||||
```bash
|
||||
root@vps:~ cheat cat
|
||||
|
@ -291,11 +331,10 @@ root@vps:~ cheat cat
|
|||
cat -n file
|
||||
```
|
||||
|
||||
## nanorc - Improved Nano Syntax Highlighting Files
|
||||
#### nanorc - Improved Nano Syntax Highlighting Files
|
||||
|
||||
[Github repository](https://github.com/scopatz/nanorc)
|
||||
|
||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
||||
|
||||
Published & maintained by [VirtuBox](https://virtubox.net)
|
||||
|
||||
|
|
311
docs/README.md
311
docs/README.md
|
@ -2,86 +2,110 @@
|
|||
|
||||
* * *
|
||||
|
||||
## Server Stack :
|
||||
## Server Stack
|
||||
|
||||
- Ubuntu 16.04/18.04 LTS
|
||||
- Nginx 1.14.x
|
||||
- PHP-FPM 7/7.1/7.2
|
||||
- MariaDB 10.3
|
||||
- REDIS 4.0
|
||||
- Memcached
|
||||
- Fail2ban
|
||||
- Netdata
|
||||
- UFW
|
||||
- Ubuntu 16/18.04 LTS
|
||||
- Nginx 1.14.x
|
||||
- PHP-FPM 7/7.1/7.2
|
||||
- MariaDB 10.3
|
||||
- REDIS 4.0
|
||||
- Memcached
|
||||
- Fail2ban
|
||||
- Netdata
|
||||
- UFW
|
||||
|
||||
* * *
|
||||
|
||||
Configuration files with comments and informations available by following the link **source**
|
||||
### Initial configuration
|
||||
|
||||
## Initial configuration
|
||||
#### System update and packages cleanup
|
||||
|
||||
**System update and packages cleanup**
|
||||
```bash
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
|
||||
```
|
||||
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
|
||||
#### Install useful packages
|
||||
|
||||
**Install useful packages**
|
||||
```bash
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop -y
|
||||
```
|
||||
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop -y
|
||||
#### Tweak Kernel & Increase open files limits
|
||||
|
||||
**Tweak Kernel** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) &
|
||||
**Increase open files limits** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
||||
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
||||
|
||||
modprobe tcp_htcp
|
||||
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
|
||||
```bash
|
||||
modprobe tcp_htcp
|
||||
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
|
||||
```
|
||||
|
||||
**disable transparent hugepage for redis**
|
||||
#### disable transparent hugepage for redis
|
||||
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
```bash
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
## EasyEngine Setup
|
||||
### EasyEngine Setup
|
||||
|
||||
**Install MariaDB 10.3** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
#### Install MariaDB 10.3
|
||||
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
|
||||
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
|
||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
|
||||
**Install EasyEngine**
|
||||
```bash
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
|
||||
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
|
||||
```
|
||||
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
#### Install EasyEngine
|
||||
|
||||
**enable ee bash_completion**
|
||||
```bash
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
```
|
||||
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
#### enable ee bash_completion
|
||||
|
||||
**Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend**
|
||||
```bash
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
```
|
||||
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
|
||||
|
||||
**Set your email instead of root@localhost**
|
||||
```bash
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
```
|
||||
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
#### Set your email instead of root@localhost
|
||||
|
||||
**Install Composer - Fix phpmyadmin install issue**
|
||||
```bash
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
```
|
||||
|
||||
cd ~/
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
|
||||
#### Install Composer - Fix phpmyadmin install issue
|
||||
|
||||
**Allow shell for www-data for SFTP usage**
|
||||
```bash
|
||||
cd ~/
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
|
||||
```
|
||||
|
||||
usermod -s /bin/bash www-data
|
||||
#### Allow shell for www-data for SFTP usage
|
||||
|
||||
## PHP 7.1 & 7.2 Setup
|
||||
```bash
|
||||
usermod -s /bin/bash www-data
|
||||
```
|
||||
|
||||
**Install php7.1-fpm**
|
||||
### PHP 7.1 & 7.2 Setup
|
||||
|
||||
#### Install php7.1-fpm
|
||||
|
||||
```bash
|
||||
# php7.1-fpm
|
||||
|
@ -94,8 +118,9 @@ wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubun
|
|||
service php7.1-fpm restart
|
||||
```
|
||||
|
||||
**Install php7.2-fpm**
|
||||
```
|
||||
#### Install php7.2-fpm
|
||||
|
||||
```bash
|
||||
# php7.2-fpm
|
||||
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
|
||||
|
||||
|
@ -105,159 +130,171 @@ wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubun
|
|||
service php7.2-fpm restart
|
||||
```
|
||||
|
||||
**add nginx upstreams**
|
||||
#### add nginx upstreams
|
||||
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
||||
service nginx reload
|
||||
|
||||
add ee common configuration
|
||||
#### add ee common configuration
|
||||
|
||||
cd /etc/nginx/common || exit
|
||||
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
|
||||
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
|
||||
unzip common.zip
|
||||
|
||||
**Compile last Nginx mainline release with [nginx-ee script](https://virtubox.github.io/nginx-ee/)**
|
||||
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
||||
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
|
||||
* * *
|
||||
|
||||
## Custom configurations
|
||||
### Custom configurations
|
||||
|
||||
**clean php-fpm php.ini configurations**
|
||||
#### clean php-fpm php.ini configuration
|
||||
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
|
||||
service php7.0-fpm restart
|
||||
|
||||
**Nginx optimized configurations**
|
||||
#### Nginx optimized configurations
|
||||
|
||||
# TLSv1.2 TLSv1.3 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
|
||||
|
||||
# TLS intermediate
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
|
||||
|
||||
# TLSv1.2 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
|
||||
|
||||
**nginx configuration for netdata & new upstreams**
|
||||
#### Nginx configuration for netdata & new upstreams
|
||||
|
||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
||||
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
|
||||
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
|
||||
|
||||
# add netdata, php7.1 and php7.2 upstream
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
||||
|
||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
|
||||
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
|
||||
|
||||
**wpcommon-php7x configurations**
|
||||
#### wpcommon-php7x configurations
|
||||
|
||||
- webp rewrite rules added
|
||||
- DoS attack CVE fix added
|
||||
- php7.1 & php7.2 configuration added
|
||||
- webp rewrite rules added
|
||||
- DoS attack CVE fix added
|
||||
- php7.1 & php7.2 configuration added
|
||||
|
||||
```bash
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
|
||||
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
|
||||
# 2) wpcommon files
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
|
||||
|
||||
# 2) wpcommon files
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
|
||||
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
|
||||
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
|
||||
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
|
||||
|
||||
nginx -t
|
||||
service nginx reload
|
||||
nginx -t
|
||||
service nginx reload
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
## Security
|
||||
### Security
|
||||
|
||||
* * *
|
||||
#### Harden SSH Security
|
||||
|
||||
**Harden SSH Security**
|
||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
||||
|
||||
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
|
||||
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
|
||||
|
||||
**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||
#### UFW
|
||||
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging low
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||
```bash
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging on
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
|
||||
# enable UFW
|
||||
ufw enable
|
||||
# enable UFW
|
||||
ufw enable
|
||||
```
|
||||
|
||||
**Custom jails for fail2ban**
|
||||
#### Custom jails for fail2ban
|
||||
|
||||
- wordpress bruteforce
|
||||
- ssh
|
||||
- recidive (after 3 bans)
|
||||
- backend http auth
|
||||
- nginx bad bots
|
||||
- wordpress bruteforce
|
||||
- ssh
|
||||
- recidive (after 3 bans)
|
||||
- backend http auth
|
||||
- nginx bad bots
|
||||
|
||||
```bash
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
|
||||
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
|
||||
fail2ban-client reload
|
||||
```
|
||||
|
||||
fail2ban-client reload
|
||||
#### Secure Memcached server
|
||||
|
||||
**Secure Memcached server**
|
||||
```bash
|
||||
echo '-U 0' >> /etc/memcached.conf
|
||||
sudo systemctl restart memcached
|
||||
```
|
||||
|
||||
echo '-U 0' >> /etc/memcached.conf
|
||||
sudo systemctl restart memcached
|
||||
### Optional tools
|
||||
|
||||
## Optional tools
|
||||
#### ee-acme-sh
|
||||
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
||||
|
||||
### ee-acme-sh
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/)
|
||||
My script to setup letsencrypt certificates using acme.sh on EasyEngine servers.
|
||||
* subdomain support
|
||||
* ivp6 support
|
||||
* ivp6 support
|
||||
* wildcards certificates support
|
||||
|
||||
```bash
|
||||
cd && bash <(wget --no-check-certificate -O - https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh)
|
||||
|
||||
wget -O - https://get.acme.sh | sh
|
||||
source ~/.bashrc
|
||||
# enable acme.sh & ee-acme-sh
|
||||
source .bashrc
|
||||
```
|
||||
|
||||
### netdata
|
||||
#### netdata
|
||||
|
||||
[Github repository](https://github.com/firehol/netdata)
|
||||
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
```bash
|
||||
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
|
||||
# disable email notifications
|
||||
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
|
||||
service netdata restart
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
|
||||
### bash-snippets
|
||||
# disable email notifications
|
||||
wget -O /etc/netdata/health_alarm_notify.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/netdata/health_alarm_notify.conf
|
||||
service netdata restart
|
||||
```
|
||||
|
||||
#### bash-snippets
|
||||
|
||||
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
|
||||
|
||||
|
@ -268,7 +305,7 @@ git checkout v1.22.0
|
|||
./install.sh cheat
|
||||
```
|
||||
|
||||
usage : cheat command
|
||||
usage : `cheat <command>`
|
||||
|
||||
```bash
|
||||
root@vps:~ cheat cat
|
||||
|
@ -289,7 +326,7 @@ root@vps:~ cheat cat
|
|||
cat -n file
|
||||
```
|
||||
|
||||
## nanorc - Improved Nano Syntax Highlighting Files
|
||||
#### nanorc - Improved Nano Syntax Highlighting Files
|
||||
|
||||
[Github repository](https://github.com/scopatz/nanorc)
|
||||
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: Auto block short UDP.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^.*kernel: UDP: short packet: From <HOST>:.*$
|
||||
|
||||
ignoreregex =
|
|
@ -0,0 +1,3 @@
|
|||
[Definition]
|
||||
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
|
||||
ignoreregex =
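Review bot: The `failregex` only counts POSTs to `wp-login.php`, so password guessing sent through `xmlrpc.php` never reaches the ee-wordpress jail, and the unescaped dots in `wp-login.php` match any character. A tighter pattern would be `failregex = ^<HOST> .* "POST \S*/wp-login\.php([/\?#\\].*)? HTTP/.*" 200`, with a second line for `xmlrpc\.php` if the sites do not rely on legitimate XML-RPC clients (those also answer 200 and would be counted). If nginx sits behind a proxy or CDN, `<HOST>` will be the proxy address unless the real client IP is restored first; the file should say so in a comment.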
|
|
@ -0,0 +1,16 @@
|
|||
[recidive]
|
||||
enabled = true
|
||||
|
||||
[nginx-http-auth]
|
||||
enabled = true
|
||||
|
||||
[nginx-botsearch]
|
||||
enabled = true
|
||||
|
||||
[ee-wordpress]
|
||||
enabled = true
|
||||
filter = ee-wordpress
|
||||
action = iptables-multiport[name="ee-wordpress", port="http,https"]
|
||||
logpath = /var/log/nginx/*access.log
|
||||
maxretry = 5
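Review bot: `[ee-wordpress]` sets `maxretry = 5` but neither `findtime` nor `bantime`, so the counting window and ban length come from whatever `[DEFAULT]` the host's fail2ban package ships, and the same holds for `[recidive]`. The README text in this commit says recidive triggers "after 3 bans", yet no `maxretry` is set for it here, so that figure probably does not match what runs. Stating the values in the file makes the policy reviewable, for example `findtime = 600` and `bantime = 3600` under `[ee-wordpress]` (illustrative numbers) and `maxretry = 3` under `[recidive]` if three is the intent.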
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
[ddos]
|
||||
enabled = true
|
||||
port = 27015
|
||||
protocol = udp
|
||||
filter = ddos
|
||||
logpath = /var/log/kern.log
|
||||
maxretry = 3
|
||||
bantime = 6000
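Review bot: `port = 27015` with `protocol = udp` means a ban from this jail only blocks a port that the UFW rules in this commit's README never open, so on this web stack the jail protects nothing as written. The filter it uses keys on the source address printed in a kernel "UDP: short packet" message, which comes from an unauthenticated UDP datagram, so a ban can land on an address that never contacted the host. With `[recidive]` enabled in the sibling jail file, repeated bans here could presumably escalate to a wider block. Either drop the jail from this stack or add a comment explaining the port, plus an `ignoreip` entry for management addresses.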
|
|
@ -0,0 +1,578 @@
|
|||
# Configuration for alarm notifications
|
||||
#
|
||||
# This configuration is used by: alarm-notify.sh
|
||||
# changes take effect immediately (the next alarm will use them).
|
||||
#
|
||||
# alarm-notify.sh can send:
|
||||
# - e-mails (using the sendmail command),
|
||||
# - push notifications to your mobile phone (pushover.net),
|
||||
# - messages to your slack team (slack.com),
|
||||
# - messages to your flock team (flock.com),
|
||||
# - messages to your discord guild (discordapp.com),
|
||||
# - messages to your telegram chat / group chat (telegram.org)
|
||||
# - sms messages to your cell phone or any sms enabled device (twilio.com)
|
||||
# - sms messages to your cell phone or any sms enabled device (messagebird.com)
|
||||
# - notifications to users on pagerduty.com
|
||||
#
|
||||
# The 'to' line given at netdata alarms defines a *role*, so that many
|
||||
# people can be notified for each role.
|
||||
#
|
||||
# This file is a BASH script itself.
|
||||
#
|
||||
#
|
||||
#------------------------------------------------------------------------------
|
||||
# proxy configuration
|
||||
#
|
||||
# If you need to send curl based notifications (pushover, pushbullet, slack,
|
||||
# flock, discord, telegram) via a proxy, set these to your proxy address:
|
||||
#export http_proxy="http://10.0.0.1:3128/"
|
||||
#export https_proxy="http://10.0.0.1:3128/"
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# notifications images
|
||||
#
|
||||
# Images in notifications need to be downloaded from an Internet facing site.
|
||||
# To allow notification providers fetch the icons/images, by default we set
|
||||
# the URL of the global public netdata registry.
|
||||
# If you have an Internet facing netdata (or you have copied the images/ folder
|
||||
# of netdata to your web server), set its URL here, to fetch the notification
|
||||
# images from it.
|
||||
#images_base_url="http://my.public.netdata.server:19999"
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# external commands
|
||||
|
||||
# The full path to the sendmail command.
|
||||
# If empty, the system $PATH will be searched for it.
|
||||
# If not found, email notifications will be disabled (silently).
|
||||
sendmail=""
|
||||
|
||||
# The full path of the curl command.
|
||||
# If empty, the system $PATH will be searched for it.
|
||||
# If not found, most notifications will be silently disabled.
|
||||
curl=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# NOTE ABOUT RECIPIENTS
|
||||
#
|
||||
# When you define recipients (all types):
|
||||
#
|
||||
# - emails addresses
|
||||
# - pushover user tokens
|
||||
# - telegram chat ids
|
||||
# - slack channels
|
||||
# - flock rooms
|
||||
# - discord channels
|
||||
# - hipchat rooms
|
||||
# - sms phone numbers
|
||||
# - pagerduty.com (pd) services
|
||||
#
|
||||
# You can append |critical to limit the notifications to be sent.
|
||||
#
|
||||
# In these examples, the first recipient receives all the alarms
|
||||
# while the second one receives only the critical ones:
|
||||
#
|
||||
# email : "user1@example.com user2@example.com|critical"
|
||||
# pushover : "2987343...9437837 8756278...2362736|critical"
|
||||
# telegram : "111827421 112746832|critical"
|
||||
# slack : "alarms disasters|critical"
|
||||
# flock : "alarms disasters|critical"
|
||||
# discord : "alarms disasters|critical"
|
||||
# twilio : "+15555555555 +17777777777|critical"
|
||||
# messagebird: "+15555555555 +17777777777|critical"
|
||||
# kavenegar : "09155555555 09177777777|critical"
|
||||
# pd : "<pd_service_key_1> <pd_service_key_2>|critical"
|
||||
#
|
||||
# If a recipient is set to empty string, the default recipient of the given
|
||||
# notification method (email, pushover, telegram, slack, etc) will be used.
|
||||
# To disable a notification, use the recipient called: disabled
|
||||
# This works for all notification methods (including the default recipients).
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# email global notification options
|
||||
|
||||
# multiple recipients can be given like this:
|
||||
# "admin1@example.com admin2@example.com ..."
|
||||
|
||||
# the email address sending email notifications
|
||||
# the default is the system user netdata runs as (usually: netdata)
|
||||
# The following formats are supported:
|
||||
# EMAIL_SENDER="user@domain"
|
||||
# EMAIL_SENDER="User Name <user@domain>"
|
||||
# EMAIL_SENDER="'User Name' <user@domain>"
|
||||
# EMAIL_SENDER="\"User Name\" <user@domain>"
|
||||
EMAIL_SENDER=""
|
||||
|
||||
# enable/disable sending emails
|
||||
SEND_EMAIL="NO"
|
||||
|
||||
# if a role recipient is not configured, an email will be send to:
|
||||
DEFAULT_RECIPIENT_EMAIL=""
|
||||
# to receive only critical alarms, set it to "root|critical"
|
||||
|
||||
# Optionally specify the encoding to list in the Content-Type header.
|
||||
# This doesn't change what encoding the e-mail is sent with, just what
|
||||
# the headers say it was encoded as.
|
||||
# This shouldn't need to be changed as it will almost always be
|
||||
# autodetected from the environment.
|
||||
#EMAIL_CHARSET="UTF-8"
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# pushover (pushover.net) global notification options
|
||||
|
||||
# multiple recipients can be given like this:
|
||||
# "USERTOKEN1 USERTOKEN2 ..."
|
||||
|
||||
# enable/disable sending pushover notifications
|
||||
SEND_PUSHOVER="YES"
|
||||
|
||||
# Login to pushover.net to get your pushover app token.
|
||||
# You need only one for all your netdata servers (or you can have one for
|
||||
# each of your netdata - your call).
|
||||
# Without an app token, netdata cannot send pushover notifications.
|
||||
PUSHOVER_APP_TOKEN=""
|
||||
|
||||
# if a role's recipients are not configured, a notification will be send to
|
||||
# this pushover user token (empty = do not send a notification for unconfigured
|
||||
# roles):
|
||||
DEFAULT_RECIPIENT_PUSHOVER=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# pushbullet (pushbullet.com) push notification options
|
||||
|
||||
# multiple recipients can be given like this:
|
||||
# "user1@email.com user2@mail.com"
|
||||
|
||||
# enable/disable sending pushbullet notifications
|
||||
SEND_PUSHBULLET="YES"
|
||||
|
||||
# Signup and Login to pushbullet.com
|
||||
# To get your Access Token, go to https://www.pushbullet.com/#settings/account
|
||||
# Create a new access token and paste it below.
|
||||
# Then just set the recipients' emails.
|
||||
# Please note that the if the email in the DEFAULT_RECIPIENT_PUSHBULLET does
|
||||
# not have a pushbullet account, the pushbullet service will send an email
|
||||
# to that address instead.
|
||||
|
||||
# Without an access token, netdata cannot send pushbullet notifications.
|
||||
PUSHBULLET_ACCESS_TOKEN=""
|
||||
DEFAULT_RECIPIENT_PUSHBULLET=""
|
||||
|
||||
# Device iden of the sending device. Optional.
|
||||
PUSHBULLET_SOURCE_DEVICE=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# Twilio (twilio.com) SMS options
|
||||
|
||||
# multiple recipients can be given like this:
|
||||
# "+15555555555 +17777777777"
|
||||
|
||||
# enable/disable sending twilio SMS
|
||||
SEND_TWILIO="YES"
|
||||
|
||||
# Signup for free trial and select a SMS capable Twilio Number
|
||||
# To get your Account SID and Token, go to https://www.twilio.com/console
|
||||
# Place your sid, token and number below.
|
||||
# Then just set the recipients' phone numbers.
|
||||
# The trial account is only allowed to use the number specified when set up.
|
||||
|
||||
# Without an account sid and token, netdata cannot send Twilio text messages.
|
||||
TWILIO_ACCOUNT_SID=""
|
||||
TWILIO_ACCOUNT_TOKEN=""
|
||||
TWILIO_NUMBER=""
|
||||
DEFAULT_RECIPIENT_TWILIO=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# Messagebird (messagebird.com) SMS options
|
||||
|
||||
# multiple recipients can be given like this:
|
||||
# "+15555555555 +17777777777"
|
||||
|
||||
# enable/disable sending messagebird SMS
|
||||
SEND_MESSAGEBIRD="YES"
|
||||
|
||||
# to get an access key, create a free account at https://www.messagebird.com
|
||||
# verify and activate the account (no CC info needed)
|
||||
# login to your account and enter your phonenumber to get some free credits
|
||||
# to get the API key, click on 'API' in the sidebar, then 'API Access (REST)'
|
||||
# click 'Add access key' and fill in data (you want a live key to send SMS)
|
||||
|
||||
# Without an access key, netdata cannot send Messagebird text messages.
|
||||
MESSAGEBIRD_ACCESS_KEY=""
|
||||
MESSAGEBIRD_NUMBER=""
|
||||
DEFAULT_RECIPIENT_MESSAGEBIRD=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# Kavenegar (Kavenegar.com) SMS options
|
||||
|
||||
# multiple recipients can be given like this:
|
||||
# "09155555555 09177777777"
|
||||
|
||||
# enable/disable sending kavenegar SMS
|
||||
SEND_KAVENEGAR="YES"
|
||||
|
||||
# to get an access key, after selecting and purchasing your desired service
|
||||
# at http://kavenegar.com/pricing.html
|
||||
# login to your account, go to your dashboard and my account are
|
||||
# https://panel.kavenegar.com/Client/setting/account from API Key
|
||||
# copy your api key. You can generate new API Key too.
|
||||
# You can find and select kevenegar sender number from this place.
|
||||
|
||||
# Without an API key, netdata cannot send KAVENEGAR text messages.
|
||||
KAVENEGAR_API_KEY=""
|
||||
KAVENEGAR_SENDER=""
|
||||
DEFAULT_RECIPIENT_KAVENEGAR=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# telegram (telegram.org) global notification options
|
||||
|
||||
# To get your chat ID send the command /my_id to telegram bot @get_id.
|
||||
# Users also need to open a query with the bot (see below).
|
||||
|
||||
# note: multiple recipients can be given like this:
|
||||
# "CHAT_ID_1 CHAT_ID_2 ..."
|
||||
|
||||
# enable/disable sending telegram messages
|
||||
SEND_TELEGRAM="YES"
|
||||
|
||||
# Contact the bot @BotFather to create a new bot and receive a bot token.
|
||||
# Without it, netdata cannot send telegram messages.
|
||||
TELEGRAM_BOT_TOKEN=""
|
||||
|
||||
# If a role's recipients are not configured, a message will be send to
|
||||
# this chat id (empty = do not send a notification for unconfigured roles):
|
||||
DEFAULT_RECIPIENT_TELEGRAM=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# slack (slack.com) global notification options
|
||||
|
||||
# multiple recipients can be given like this:
|
||||
# "CHANNEL1 CHANNEL2 ..."
|
||||
|
||||
# enable/disable sending slack notifications
|
||||
SEND_SLACK="YES"
|
||||
|
||||
# Login to slack.com and create an incoming webhook. You need only one for all
|
||||
# your netdata servers (or you can have one for each of your netdata).
|
||||
# Without it, netdata cannot send slack notifications.
|
||||
# Get yours from: https://api.slack.com/incoming-webhooks
|
||||
SLACK_WEBHOOK_URL=""
|
||||
|
||||
# if a role's recipients are not configured, a notification will be send to
|
||||
# this slack channel (empty = do not send a notification for unconfigured
|
||||
# roles):
|
||||
DEFAULT_RECIPIENT_SLACK=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# flock (flock.com) global notification options
|
||||
|
||||
# enable/disable sending flock notifications
|
||||
SEND_FLOCK="YES"
|
||||
|
||||
# Login to flock.com and create an incoming webhook. You need only one for all
|
||||
# your netdata servers (or you can have one for each of your netdata).
|
||||
# Without it, netdata cannot send flock notifications.
|
||||
FLOCK_WEBHOOK_URL=""
|
||||
|
||||
# if a role recipient is not configured, no notification will be sent
|
||||
DEFAULT_RECIPIENT_FLOCK=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# discord (discordapp.com) global notification options
|
||||
|
||||
# multiple recipients can be given like this:
|
||||
# "CHANNEL1 CHANNEL2 ..."
|
||||
|
||||
# enable/disable sending discord notifications
|
||||
SEND_DISCORD="YES"
|
||||
|
||||
# Create a webhook by following the official documentation -
|
||||
# https://support.discordapp.com/hc/en-us/articles/228383668-Intro-to-Webhooks
|
||||
DISCORD_WEBHOOK_URL=""
|
||||
|
||||
# if a role's recipients are not configured, a notification will be send to
|
||||
# this discord channel (empty = do not send a notification for unconfigured
|
||||
# roles):
|
||||
DEFAULT_RECIPIENT_DISCORD=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# hipchat global notification options
|
||||
|
||||
# multiple recipients can be given like this:
|
||||
# "ROOM1 ROOM2 ..."
|
||||
|
||||
# enable/disable sending hipchat notifications
|
||||
SEND_HIPCHAT="YES"
|
||||
|
||||
# define hipchat server
|
||||
HIPCHAT_SERVER="api.hipchat.com"
|
||||
|
||||
# api.hipchat.com authorization token
|
||||
# Without this, netdata cannot send hipchat notifications.
|
||||
HIPCHAT_AUTH_TOKEN=""
|
||||
|
||||
# if a role's recipients are not configured, a notification will be send to
|
||||
# this hipchat room (empty = do not send a notification for unconfigured
|
||||
# roles):
|
||||
DEFAULT_RECIPIENT_HIPCHAT=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# kafka notification options
|
||||
|
||||
# enable/disable sending kafka notifications
|
||||
SEND_KAFKA="YES"
|
||||
|
||||
# The URL to POST kafka alarm data to. It should be the full URL.
|
||||
KAFKA_URL=""
|
||||
|
||||
# The IP to be used in the kafka message as the sender.
|
||||
KAFKA_SENDER_IP=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# pagerduty.com notification options
|
||||
#
|
||||
# pagerduty.com notifications require the pagerduty agent to be installed and
|
||||
# a "Generic API" pagerduty service.
|
||||
# https://www.pagerduty.com/docs/guides/agent-install-guide/
|
||||
|
||||
# multiple recipients can be given like this:
|
||||
# "<pd_service_key_1> <pd_service_key_2> ..."
|
||||
|
||||
# enable/disable sending pagerduty notifications
|
||||
SEND_PD="YES"
|
||||
|
||||
# if a role's recipients are not configured, a notification will be sent to
|
||||
# the "General API" pagerduty.com service that uses this service key.
|
||||
# (empty = do not send a notification for unconfigured roles):
|
||||
DEFAULT_RECIPIENT_PD=""
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# custom notifications
|
||||
#
|
||||
|
||||
# enable/disable sending custom notifications
|
||||
SEND_CUSTOM="YES"
|
||||
|
||||
# if a role's recipients are not configured, use the following.
|
||||
# (empty = do not send a notification for unconfigured roles)
|
||||
DEFAULT_RECIPIENT_CUSTOM=""
|
||||
|
||||
# The custom_sender() is a custom function to do whatever you need to do
|
||||
custom_sender() {
|
||||
# variables you can use:
|
||||
# ${host} the host generated this event
|
||||
# ${url_host} same as ${host} but URL encoded
|
||||
# ${unique_id} the unique id of this event
|
||||
# ${alarm_id} the unique id of the alarm that generated this event
|
||||
# ${event_id} the incremental id of the event, for this alarm id
|
||||
# ${when} the timestamp this event occurred
|
||||
# ${name} the name of the alarm, as given in netdata health.d entries
|
||||
# ${url_name} same as ${name} but URL encoded
|
||||
# ${chart} the name of the chart (type.id)
|
||||
# ${url_chart} same as ${chart} but URL encoded
|
||||
# ${family} the family of the chart
|
||||
# ${url_family} same as ${family} but URL encoded
|
||||
# ${status} the current status : REMOVED, UNINITIALIZED, UNDEFINED, CLEAR, WARNING, CRITICAL
|
||||
# ${old_status} the previous status: REMOVED, UNINITIALIZED, UNDEFINED, CLEAR, WARNING, CRITICAL
|
||||
# ${value} the current value of the alarm
|
||||
# ${old_value} the previous value of the alarm
|
||||
# ${src} the line number and file the alarm has been configured
|
||||
# ${duration} the duration in seconds of the previous alarm state
|
||||
# ${duration_txt} same as ${duration} for humans
|
||||
# ${non_clear_duration} the total duration in seconds this is/was non-clear
|
||||
# ${non_clear_duration_txt} same as ${non_clear_duration} for humans
|
||||
# ${units} the units of the value
|
||||
# ${info} a short description of the alarm
|
||||
# ${value_string} friendly value (with units)
|
||||
# ${old_value_string} friendly old value (with units)
|
||||
# ${image} the URL of an image to represent the status of the alarm
|
||||
# ${color} a color in #AABBCC format for the alarm
|
||||
# ${goto_url} the URL the user can click to see the netdata dashboard
|
||||
|
||||
# these are more human friendly:
|
||||
# ${alarm} like "name = value units"
|
||||
# ${status_message} like "needs attention", "recovered", "is critical"
|
||||
# ${severity} like "Escalated to CRITICAL", "Recovered from WARNING"
|
||||
# ${raised_for} like "(alarm was raised for 10 minutes)"
|
||||
|
||||
# example human readable SMS
|
||||
local msg="${host} ${status_message}: ${alarm} ${raised_for}"
|
||||
|
||||
# limit it to 160 characters and encode it for use in a URL
|
||||
urlencode "${msg:0:160}" >/dev/null; msg="${REPLY}"
|
||||
|
||||
# a space separated list of the recipients to send alarms to
|
||||
to="${1}"
|
||||
|
||||
info "not sending custom notification to ${to}, for ${status} of '${host}.${chart}.${name}' - custom_sender() is not configured."
|
||||
}
|
||||
|
||||
|
||||
###############################################################################
|
||||
# RECIPIENTS PER ROLE
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# generic system alarms
|
||||
# CPU, disks, network interfaces, entropy, etc
|
||||
|
||||
role_recipients_email[sysadmin]="${DEFAULT_RECIPIENT_EMAIL}"
|
||||
|
||||
role_recipients_pushover[sysadmin]="${DEFAULT_RECIPIENT_PUSHOVER}"
|
||||
|
||||
role_recipients_pushbullet[sysadmin]="${DEFAULT_RECIPIENT_PUSHBULLET}"
|
||||
|
||||
role_recipients_telegram[sysadmin]="${DEFAULT_RECIPIENT_TELEGRAM}"
|
||||
|
||||
role_recipients_slack[sysadmin]="${DEFAULT_RECIPIENT_SLACK}"
|
||||
|
||||
role_recipients_flock[sysadmin]="${DEFAULT_RECIPIENT_FLOCK}"
|
||||
|
||||
role_recipients_discord[sysadmin]="${DEFAULT_RECIPIENT_DISCORD}"
|
||||
|
||||
role_recipients_hipchat[sysadmin]="${DEFAULT_RECIPIENT_HIPCHAT}"
|
||||
|
||||
role_recipients_twilio[sysadmin]="${DEFAULT_RECIPIENT_TWILIO}"
|
||||
|
||||
role_recipients_messagebird[sysadmin]="${DEFAULT_RECIPIENT_MESSAGEBIRD}"
|
||||
|
||||
role_recipients_kavenegar[sysadmin]="${DEFAULT_RECIPIENT_KAVENEGAR}"
|
||||
|
||||
role_recipients_pd[sysadmin]="${DEFAULT_RECIPIENT_PD}"
|
||||
|
||||
role_recipients_custom[sysadmin]="${DEFAULT_RECIPIENT_CUSTOM}"
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# DNS related alarms
|
||||
|
||||
role_recipients_email[domainadmin]="${DEFAULT_RECIPIENT_EMAIL}"
|
||||
|
||||
role_recipients_pushover[domainadmin]="${DEFAULT_RECIPIENT_PUSHOVER}"
|
||||
|
||||
role_recipients_pushbullet[domainadmin]="${DEFAULT_RECIPIENT_PUSHBULLET}"
|
||||
|
||||
role_recipients_telegram[domainadmin]="${DEFAULT_RECIPIENT_TELEGRAM}"
|
||||
|
||||
role_recipients_slack[domainadmin]="${DEFAULT_RECIPIENT_SLACK}"
|
||||
|
||||
role_recipients_flock[domainadmin]="${DEFAULT_RECIPIENT_FLOCK}"
|
||||
|
||||
role_recipients_discord[domainadmin]="${DEFAULT_RECIPIENT_DISCORD}"
|
||||
|
||||
role_recipients_hipchat[domainadmin]="${DEFAULT_RECIPIENT_HIPCHAT}"
|
||||
|
||||
role_recipients_twilio[domainadmin]="${DEFAULT_RECIPIENT_TWILIO}"
|
||||
|
||||
role_recipients_messagebird[domainadmin]="${DEFAULT_RECIPIENT_MESSAGEBIRD}"
|
||||
|
||||
role_recipients_kavenegar[domainadmin]="${DEFAULT_RECIPIENT_KAVENEGAR}"
|
||||
|
||||
role_recipients_pd[domainadmin]="${DEFAULT_RECIPIENT_PD}"
|
||||
|
||||
role_recipients_custom[domainadmin]="${DEFAULT_RECIPIENT_CUSTOM}"
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# database servers alarms
|
||||
# mysql, redis, memcached, postgres, etc
|
||||
|
||||
role_recipients_email[dba]="${DEFAULT_RECIPIENT_EMAIL}"
|
||||
|
||||
role_recipients_pushover[dba]="${DEFAULT_RECIPIENT_PUSHOVER}"
|
||||
|
||||
role_recipients_pushbullet[dba]="${DEFAULT_RECIPIENT_PUSHBULLET}"
|
||||
|
||||
role_recipients_telegram[dba]="${DEFAULT_RECIPIENT_TELEGRAM}"
|
||||
|
||||
role_recipients_slack[dba]="${DEFAULT_RECIPIENT_SLACK}"
|
||||
|
||||
role_recipients_flock[dba]="${DEFAULT_RECIPIENT_FLOCK}"
|
||||
|
||||
role_recipients_discord[dba]="${DEFAULT_RECIPIENT_DISCORD}"
|
||||
|
||||
role_recipients_hipchat[dba]="${DEFAULT_RECIPIENT_HIPCHAT}"
|
||||
|
||||
role_recipients_twilio[dba]="${DEFAULT_RECIPIENT_TWILIO}"
|
||||
|
||||
role_recipients_messagebird[dba]="${DEFAULT_RECIPIENT_MESSAGEBIRD}"
|
||||
|
||||
role_recipients_kavenegar[dba]="${DEFAULT_RECIPIENT_KAVENEGAR}"
|
||||
|
||||
role_recipients_pd[dba]="${DEFAULT_RECIPIENT_PD}"
|
||||
|
||||
role_recipients_custom[dba]="${DEFAULT_RECIPIENT_CUSTOM}"
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# web servers alarms
|
||||
# apache, nginx, lighttpd, etc
|
||||
|
||||
role_recipients_email[webmaster]="${DEFAULT_RECIPIENT_EMAIL}"
|
||||
|
||||
role_recipients_pushover[webmaster]="${DEFAULT_RECIPIENT_PUSHOVER}"
|
||||
|
||||
role_recipients_pushbullet[webmaster]="${DEFAULT_RECIPIENT_PUSHBULLET}"
|
||||
|
||||
role_recipients_telegram[webmaster]="${DEFAULT_RECIPIENT_TELEGRAM}"
|
||||
|
||||
role_recipients_slack[webmaster]="${DEFAULT_RECIPIENT_SLACK}"
|
||||
|
||||
role_recipients_flock[webmaster]="${DEFAULT_RECIPIENT_FLOCK}"
|
||||
|
||||
role_recipients_discord[webmaster]="${DEFAULT_RECIPIENT_DISCORD}"
|
||||
|
||||
role_recipients_hipchat[webmaster]="${DEFAULT_RECIPIENT_HIPCHAT}"
|
||||
|
||||
role_recipients_twilio[webmaster]="${DEFAULT_RECIPIENT_TWILIO}"
|
||||
|
||||
role_recipients_messagebird[webmaster]="${DEFAULT_RECIPIENT_MESSAGEBIRD}"
|
||||
|
||||
role_recipients_kavenegar[webmaster]="${DEFAULT_RECIPIENT_KAVENEGAR}"
|
||||
|
||||
role_recipients_pd[webmaster]="${DEFAULT_RECIPIENT_PD}"
|
||||
|
||||
role_recipients_custom[webmaster]="${DEFAULT_RECIPIENT_CUSTOM}"
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# proxy servers alarms
|
||||
# squid, etc
|
||||
|
||||
role_recipients_email[proxyadmin]="${DEFAULT_RECIPIENT_EMAIL}"
|
||||
|
||||
role_recipients_pushover[proxyadmin]="${DEFAULT_RECIPIENT_PUSHOVER}"
|
||||
|
||||
role_recipients_pushbullet[proxyadmin]="${DEFAULT_RECIPIENT_PUSHBULLET}"
|
||||
|
||||
role_recipients_telegram[proxyadmin]="${DEFAULT_RECIPIENT_TELEGRAM}"
|
||||
|
||||
role_recipients_slack[proxyadmin]="${DEFAULT_RECIPIENT_SLACK}"
|
||||
|
||||
role_recipients_flock[proxyadmin]="${DEFAULT_RECIPIENT_FLOCK}"
|
||||
|
||||
role_recipients_discord[proxyadmin]="${DEFAULT_RECIPIENT_DISCORD}"
|
||||
|
||||
role_recipients_hipchat[proxyadmin]="${DEFAULT_RECIPIENT_HIPCHAT}"
|
||||
|
||||
role_recipients_twilio[proxyadmin]="${DEFAULT_RECIPIENT_TWILIO}"
|
||||
|
||||
role_recipients_messagebird[proxyadmin]="${DEFAULT_RECIPIENT_MESSAGEBIRD}"
|
||||
|
||||
role_recipients_kavenegar[proxyadmin]="${DEFAULT_RECIPIENT_KAVENEGAR}"
|
||||
|
||||
role_recipients_pd[proxyadmin]="${DEFAULT_RECIPIENT_PD}"
|
||||
|
||||
role_recipients_custom[proxyadmin]="${DEFAULT_RECIPIENT_CUSTOM}"
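Review bot: This section adds a full 578-line copy of the netdata notifier config, and nothing in it marks which lines differ from upstream; `SEND_EMAIL="NO"` appears to be the intended change, while every other `SEND_*` stays `"YES"`. The file's own header states "This file is a BASH script itself", and the README in this commit installs it with `wget -O` from a branch URL, so whatever that URL serves is later executed by `alarm-notify.sh`. A header comment such as `# Local deviations from upstream netdata: SEND_EMAIL="NO"` would make later upstream merges auditable. The README step would also be safer if it fetched a pinned commit and checked a published checksum before overwriting `/etc/netdata/health_alarm_notify.conf`.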
|
|
@ -0,0 +1,2 @@
|
|||
# Warning : this line enable HSTS for your domain and all subdomains (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
||||
add_header Strict-Transport-Security "max-age=31536000; preload";
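Review bot: The comment does not describe the header it sits on: it promises "all subdomains" and "15768000 seconds = 6 months", but this file sends `max-age=31536000` (one year) with no `includeSubDomains`; the next file section carries the same stale six-month comment on its `includeSubDomains` variant. The comment here should read `# Warning: enables HSTS for this domain only (31536000 seconds = 1 year)`, and the sibling file's `# Warning: enables HSTS for this domain and all subdomains (31536000 seconds = 1 year)`. The `preload` token without `includeSubDomains` does not meet the preload-list submission requirements, and where it does apply it is slow to undo, so the comment should warn about that too. Consider `add_header ... always;` so the header is also sent on error responses.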
|
|
@ -0,0 +1,3 @@
|
|||
# Warning : this line enable HSTS for your domain and all subdomains (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
|
||||
|
|
@ -0,0 +1,79 @@
|
|||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(css|js)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
|
||||
#location ~ /\.well-known {
|
||||
# allow all;
|
||||
#}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
|
||||
return 403;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
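Review bot: `location /.well-known/acme-challenge/` is a plain prefix match, so the regex `location ~ /\.` a few lines below still takes the request and answers `deny all`; nginx skips regex locations only when the matching prefix carries `^~`. Unless something outside this file overrides it, HTTP-01 challenge files under the alias are refused with 403. Use `location ^~ /.well-known/acme-challenge/ {`. The heading `# Deny hidden files` currently sits above the block that is meant to allow them and should move down to the `location ~ /\.` block. The two following copies of this file contain the same block.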
|
|
@ -0,0 +1,79 @@
|
|||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(css|js)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
|
||||
#location ~ /\.well-known {
|
||||
# allow all;
|
||||
#}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
|
||||
return 403;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
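Review bot: Both static-file locations declare their own `add_header "Access-Control-Allow-Origin" "*"`, and nginx inherits `add_header` from outer levels only when the current level defines none. Responses for images, fonts, CSS and JS therefore lose every `add_header` set at http or server level, which would include the `Strict-Transport-Security` snippets from this commit if a site includes them at server level. The wildcard CORS header is also wider than most of these types need; web fonts are the usual reason for it. Setting it with `more_set_headers "Access-Control-Allow-Origin: *";`, the directive the main config already uses for its security headers, avoids the inheritance problem. The same applies to the copy before and the copy after this one.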
|
|
@ -0,0 +1,79 @@
|
|||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(css|js)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
|
||||
#location ~ /\.well-known {
|
||||
# allow all;
|
||||
#}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
|
||||
return 403;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
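Review bot: `fastcgi_pass php71;` in the `location ~ ^/(status|ping)` block is identical to the previous copy of this file, while the first copy uses `php7`. The file names are not visible in this view, but the per-version PHP and WordPress files in this commit each end with a `php72` variant, so this looks like a copy-paste leftover. If this is the 7.2 variant, the status and ping pages would report a different pool from the one serving the site; the line should then read `fastcgi_pass php72;`.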
|
|
@ -0,0 +1,6 @@
|
|||
##OCSP settings
|
||||
ssl_stapling on;
|
||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||
ssl_stapling_verify on;
|
||||
#ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here
|
||||
resolver_timeout 5;
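Review bot: `ssl_stapling_verify on;` is enabled while `ssl_trusted_certificate` stays commented out, so unless a site file supplies the issuer chain nginx has nothing to verify OCSP responses against and stapling will likely fail with an error in the log. I would add `# ssl_stapling_verify needs ssl_trusted_certificate set to the issuer chain (intermediates + root)` above it. The example path should point somewhere other than `/etc/ssl/private`, which is conventionally reserved for keys. `resolver 8.8.8.8 1.1.1.1` sends the responder lookups unauthenticated to public resolvers; a local validating resolver, e.g. `resolver 127.0.0.1 valid=300s;`, is the safer default where one is available.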
|
|
@ -0,0 +1,10 @@
|
|||
# PHP NGINX CONFIGURATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
}
|
|
@ -0,0 +1,10 @@
|
|||
# PHP NGINX CONFIGURATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php72;
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
location ~* ^/wp-content/.+\.(png|jpg)$ {
|
||||
add_header Vary Accept;
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
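Review bot: The pattern in `location ~ \/wp-admin\/load-(scripts|styles).php` leaves the dot before `php` unescaped and has no `$` anchor, so it matches more than the two files it is meant to block; `location ~ /wp-admin/load-(scripts|styles)\.php$ {` states the intent exactly. It is also the only block in this file without a comment. Denying these endpoints affects admin pages that rely on concatenated loading unless WordPress is configured with `define('CONCATENATE_SCRIPTS', false);`. I would add `# Block the script/style concatenation endpoints; requires CONCATENATE_SCRIPTS false in wp-config.php` above it. The two following copies of this file contain the same block.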
|
|
@ -0,0 +1,33 @@
|
|||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
location ~* ^/wp-content/.+\.(png|jpg)$ {
|
||||
add_header Vary Accept;
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php72;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
location ~* ^/wp-content/.+\.(png|jpg)$ {
|
||||
add_header Vary Accept;
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
# $remote_addr rewriting in case of NGINX behind CloudFlare.
|
||||
# See also mod_cloudflare Apache module configuration.
|
||||
|
||||
set_real_ip_from 103.21.244.0/22;
|
||||
set_real_ip_from 103.22.200.0/22;
|
||||
set_real_ip_from 103.31.4.0/22;
|
||||
set_real_ip_from 104.16.0.0/12;
|
||||
set_real_ip_from 108.162.192.0/18;
|
||||
set_real_ip_from 131.0.72.0/22;
|
||||
set_real_ip_from 141.101.64.0/18;
|
||||
set_real_ip_from 162.158.0.0/15;
|
||||
set_real_ip_from 172.64.0.0/13;
|
||||
set_real_ip_from 173.245.48.0/20;
|
||||
set_real_ip_from 188.114.96.0/20;
|
||||
set_real_ip_from 190.93.240.0/20;
|
||||
set_real_ip_from 197.234.240.0/22;
|
||||
set_real_ip_from 198.41.128.0/17;
|
||||
set_real_ip_from 2400:cb00::/32;
|
||||
set_real_ip_from 2606:4700::/32;
|
||||
set_real_ip_from 2803:f800::/32;
|
||||
set_real_ip_from 2405:b500::/32;
|
||||
set_real_ip_from 2405:8100::/32;
|
||||
set_real_ip_from 2c0f:f248::/32;
|
||||
set_real_ip_from 2a06:98c0::/29;
|
||||
|
||||
real_ip_header CF-Connecting-IP;
|
||||
#real_ip_header X-Forwarded-For;
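Review bot: This list of `set_real_ip_from` ranges is a point-in-time copy with no date or source, yet every address in it is trusted to set the client IP through `CF-Connecting-IP`. That value presumably feeds the request limit and any IP-based rule in the ACL include, so a range the provider later gives up stays trusted until someone edits this file. I would add a header comment such as `# Source: https://www.cloudflare.com/ips/ (copied <date>); regenerate when the published list changes` and include the file only on sites that are actually proxied. The commented `#real_ip_header X-Forwarded-For;` alternative deserves a warning that this header can carry client-supplied entries.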
|
|
@ -0,0 +1,19 @@
|
|||
# FastCGI cache settings
|
||||
fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:50m inactive=60m;
|
||||
fastcgi_cache_key "$scheme$request_method$host$request_uri";
|
||||
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
|
||||
fastcgi_buffers 256 32k;
|
||||
fastcgi_buffer_size 256k;
|
||||
fastcgi_connect_timeout 4s;
|
||||
fastcgi_send_timeout 120s;
|
||||
fastcgi_busy_buffers_size 512k;
|
||||
fastcgi_temp_file_write_size 512K;
|
||||
fastcgi_param SERVER_NAME $http_host;
|
||||
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
|
||||
fastcgi_keep_conn on;
|
||||
|
||||
#Others
|
||||
open_file_cache max=2000 inactive=20s;
|
||||
open_file_cache_valid 60s;
|
||||
open_file_cache_min_uses 5;
|
||||
open_file_cache_errors off;
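Review bot: `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;` makes nginx store responses that set cookies or mark themselves as non-cacheable, and nothing in this file strips `Set-Cookie` from the stored copy or keys the cache on a session. Whether a logged-in page or a session cookie can be served to another visitor therefore depends entirely on the `fastcgi_no_cache` / `fastcgi_cache_bypass` rules in the site files, which are outside this hunk. I would state that dependency here, e.g. `# Only safe together with the per-site cache skip rules for cookies, POST and admin URIs`. Separately, `fastcgi_param SERVER_NAME $http_host;` hands PHP the raw client Host header; `$host` is the normalised value.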
|
|
@ -0,0 +1,35 @@
|
|||
# Common upstream settings
|
||||
upstream php {
|
||||
# server unix:/run/php5-fpm.sock;
|
||||
server 127.0.0.1:9000;
|
||||
}
|
||||
upstream debug {
|
||||
# Debug Pool
|
||||
server 127.0.0.1:9001;
|
||||
}
|
||||
# php7.0-fpm
|
||||
upstream php7 {
|
||||
server 127.0.0.1:9070;
|
||||
}
|
||||
|
||||
upstream debug7 {
|
||||
server 127.0.0.1:9170;
|
||||
}
|
||||
# php7.1-fpm
|
||||
upstream php71 {
|
||||
server 127.0.0.1:9080;
|
||||
}
|
||||
# php7.2-fpm
|
||||
upstream php72 {
|
||||
server 127.0.0.1:9090;
|
||||
}
|
||||
# redis
|
||||
upstream redis {
|
||||
server 127.0.0.1:6379;
|
||||
keepalive 10;
|
||||
}
|
||||
# netdata (optional)
|
||||
upstream netdata {
|
||||
server 127.0.0.1:19999;
|
||||
keepalive 64;
|
||||
}
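Review bot: Every PHP-FPM pool here is reached over loopback TCP (`127.0.0.1:9000`, `9070`, `9080`, `9090`, plus the debug pools on `9001` and `9170`), and a loopback port accepts connections from any local account or process, not just nginx. The first block already shows the socket form as a comment (`# server unix:/run/php5-fpm.sock;`). A unix socket with `listen.owner` and `listen.mode` set in the pool config restricts the FastCGI endpoint to the web server user. If TCP is kept for a reason, a one-line comment saying why would help, along with a note that the debug pools are not meant to run in production.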
|
|
@ -0,0 +1,4 @@
|
|||
map $http_accept $webp_suffix {
|
||||
default "";
|
||||
"~*webp" ".webp";
|
||||
}
|
|
@ -0,0 +1,155 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
fastcgi_read_timeout 300;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
# intermediate configuration. tweak to your needs.
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/css
|
||||
text/plain
|
||||
text/x-component
|
||||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
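Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;`, together with the `DES-CBC3-SHA` entries and the static-RSA `AES128-SHA`/`AES256-SHA` family at the end of `ssl_ciphers`, keeps legacy protocol versions, 3DES and non-forward-secret key exchange negotiable for every site on the host. The only hint is `# intermediate configuration. tweak to your needs.`, which does not say which clients require it. The other two variants of this file in the commit restrict to TLS 1.2 and later with ECDHE-only suites. I would label this variant explicitly, e.g. `# Legacy-client profile: enables TLS 1.0/1.1 and 3DES; use only if old clients must connect`, and recommend one of the stricter variants as the default.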
|
||||
|
|
@ -0,0 +1,174 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
fastcgi_read_timeout 120s;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/css
|
||||
text/plain
|
||||
text/x-component
|
||||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
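Review bot: `add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";` advertises the management tool and its exact version on responses, directly after `server_tokens off;` hides the nginx version for the same reason. I would drop the line or keep a value without a version number. `access_log off;` at http level also means any vhost that does not set its own `access_log` leaves no request trail for Fail2ban or for incident review. A comment such as `# access_log is off by default; enable it per site with the rt_cache format` would make that expectation explicit. Both lines are identical in the other two variants of this file.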
|
|
@ -0,0 +1,175 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
fastcgi_read_timeout 120s;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/css
|
||||
text/plain
|
||||
text/x-component
|
||||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
|
|
@ -0,0 +1,10 @@
|
|||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_buffering on;
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 256 16k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
proxy_temp_file_write_size 256k;
|
||||
proxy_max_temp_file_size 0;
|
|
@ -0,0 +1,84 @@
|
|||
# EasyEngine admin NGINX CONFIGURATION
|
||||
|
||||
server {
|
||||
|
||||
listen 22222 default_server ssl http2;
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/22222.error.log;
|
||||
|
||||
ssl_certificate /var/www/22222/cert/22222.crt;
|
||||
ssl_certificate_key /var/www/22222/cert/22222.key;
|
||||
|
||||
# Force HTTP to HTTPS
|
||||
error_page 497 =200 https://$host:22222$request_uri;
|
||||
|
||||
root /var/www/22222/htdocs;
|
||||
index index.php index.htm index.html;
|
||||
|
||||
# Turn on directory listing
|
||||
autoindex on;
|
||||
|
||||
# HTTP Authentication on port 22222
|
||||
include common/acl.conf;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
|
||||
# Display menu at location /fpm/status/
|
||||
location = /fpm/status/ {}
|
||||
|
||||
location ~ /fpm/status/(.*) {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_NAME /status;
|
||||
fastcgi_pass $1;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
|
||||
# ViMbAdmin Rules
|
||||
location = /vimbadmin/ {
|
||||
return 301 $scheme://$host:22222/vimbadmin/public/;
|
||||
}
|
||||
|
||||
|
||||
|
||||
location ~* /vimbadmin/public/(.*)/(.*) {
|
||||
root /var/www/22222/htdocs/vimbadmin/public;
|
||||
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
|
||||
}
|
||||
|
||||
location ~* /vimbadmin/public/(.*) {
|
||||
root /var/www/22222/htdocs/vimbadmin/public;
|
||||
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
|
||||
}
|
||||
|
||||
location /netdata {
|
||||
return 301 /netdata/;
|
||||
}
|
||||
|
||||
location ~ /netdata/(?<ndpath>.*) {
|
||||
proxy_redirect off;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_http_version 1.1;
|
||||
proxy_pass_request_headers on;
|
||||
proxy_set_header Connection "keep-alive";
|
||||
proxy_store off;
|
||||
proxy_pass http://netdata/$ndpath$is_args$args;
|
||||
|
||||
gzip on;
|
||||
gzip_proxied any;
|
||||
gzip_types *;
|
||||
}
|
||||
|
||||
}
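Review bot: In `location ~ /fpm/status/(.*)` the upstream comes from the request path (`fastcgi_pass $1;`), so the set of backends nginx will connect to is bounded only by which files exist under the `fpm/status/` directory (the `try_files $uri =404` guard) and by the ACL include. An explicit allow-list in the pattern is more robust: `location ~ ^/fpm/status/(php|debug|php7|debug7|php71|php72)$ {`, using the pool names from the upstream file in this commit. This server also sets `autoindex on;` and `access_log off;` on the one port that fronts the database and monitoring tools, so failed attempts against the ACL leave no access-log record. I would give this vhost its own access log.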
|
|
@ -0,0 +1,112 @@
|
|||
##
|
||||
# You should look at the following URL's in order to grasp a solid understanding
|
||||
# of Nginx configuration files in order to fully unleash the power of Nginx.
|
||||
# http://wiki.nginx.org/Pitfalls
|
||||
# http://wiki.nginx.org/QuickStart
|
||||
# http://wiki.nginx.org/Configuration
|
||||
#
|
||||
# Generally, you will want to move this file somewhere, and start with a clean
|
||||
# file but keep this around for reference. Or just disable in sites-enabled.
|
||||
#
|
||||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
|
||||
##
|
||||
|
||||
# Default server configuration
|
||||
#
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
# SSL configuration
|
||||
#
|
||||
# listen 443 ssl default_server;
|
||||
# listen [::]:443 ssl default_server;
|
||||
#
|
||||
# Self signed certs generated by the ssl-cert package
|
||||
# Don't use them in a production server!
|
||||
# include snippets/snakeoil.conf;
|
||||
#
|
||||
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
|
||||
# ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
# ssl_prefer_server_ciphers on;
|
||||
|
||||
root /var/www/html;
|
||||
|
||||
# Add index.php to the list if you are using PHP
|
||||
index index.html index.htm index.nginx-debian.html;
|
||||
|
||||
server_name _;
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/default.error.log;
|
||||
|
||||
location / {
|
||||
# First attempt to serve request as file, then
|
||||
# as directory, then fall back to displaying a 404.
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location /stub_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
||||
}
|
||||
|
||||
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
||||
}
|
||||
|
||||
# phpfpm pool monitoring
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
include common/acl.conf;
|
||||
}
|
||||
|
||||
|
||||
|
||||
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
|
||||
#
|
||||
#location ~ \.php$ {
|
||||
# include snippets/fastcgi-php.conf;
|
||||
#
|
||||
# # With php5-cgi alone:
|
||||
# fastcgi_pass 127.0.0.1:9000;
|
||||
# # With php5-fpm:
|
||||
# fastcgi_pass unix:/var/run/php5-fpm.sock;
|
||||
#}
|
||||
|
||||
# deny access to .htaccess files, if Apache's document root
|
||||
# concurs with nginx's one
|
||||
#
|
||||
#location ~ /\.ht {
|
||||
# deny all;
|
||||
#}
|
||||
}
|
||||
|
||||
|
||||
# Virtual Host configuration for example.com
|
||||
#
|
||||
# You can move that to a different file under sites-available/ and symlink that
|
||||
# to sites-enabled/ to enable it.
|
||||
#
|
||||
#server {
|
||||
# listen 80;
|
||||
# listen [::]:80;
|
||||
#
|
||||
# server_name example.com;
|
||||
#
|
||||
# root /var/www/example.com;
|
||||
# index index.html;
|
||||
#
|
||||
# location / {
|
||||
# try_files $uri $uri/ =404;
|
||||
# }
|
||||
#}
|
|
@ -0,0 +1,191 @@
|
|||
[PHP]
|
||||
engine = On
|
||||
short_open_tag = Off
|
||||
precision = 14
|
||||
output_buffering = 8096
|
||||
zlib.output_compression = Off
|
||||
implicit_flush = Off
|
||||
unserialize_callback_func =
|
||||
serialize_precision = 17
|
||||
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
|
||||
disable_classes =
|
||||
zend.enable_gc = On
|
||||
expose_php = Off
|
||||
max_execution_time = 300
|
||||
max_input_time = 600
|
||||
max_input_vars = 10000
|
||||
memory_limit = -1
|
||||
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
|
||||
display_errors = Off
|
||||
display_startup_errors = Off
|
||||
log_errors = On
|
||||
log_errors_max_len = 1024
|
||||
ignore_repeated_errors = Off
|
||||
ignore_repeated_source = Off
|
||||
report_memleaks = On
|
||||
track_errors = Off
|
||||
html_errors = On
|
||||
variables_order = "GPCS"
|
||||
request_order = "GP"
|
||||
register_argc_argv = Off
|
||||
auto_globals_jit = On
|
||||
post_max_size = 128M
|
||||
auto_prepend_file =
|
||||
auto_append_file =
|
||||
default_mimetype = "text/html"
|
||||
default_charset = "UTF-8"
|
||||
doc_root =
|
||||
user_dir =
|
||||
enable_dl = Off
|
||||
file_uploads = On
|
||||
upload_max_filesize = 128M
|
||||
max_file_uploads = 20
|
||||
allow_url_fopen = On
|
||||
allow_url_include = Off
|
||||
default_socket_timeout = 60
|
||||
|
||||
[CLI Server]
|
||||
cli_server.color = On
|
||||
|
||||
[Date]
|
||||
date.timezone = Europe/Paris
|
||||
|
||||
[filter]
|
||||
|
||||
[iconv]
|
||||
|
||||
[intl]
|
||||
|
||||
[sqlite3]
|
||||
|
||||
[Pcre]
|
||||
|
||||
[Pdo]
|
||||
|
||||
[Pdo_mysql]
|
||||
pdo_mysql.cache_size = 2000
|
||||
pdo_mysql.default_socket =
|
||||
|
||||
[Phar]
|
||||
|
||||
[mail function]
|
||||
smtp = localhost
|
||||
smtp_port = 25
|
||||
mail.add_x_header = On
|
||||
|
||||
[SQL]
|
||||
sql.safe_mode = Off
|
||||
|
||||
[ODBC]
|
||||
odbc.allow_persistent = On
|
||||
odbc.check_persistent = On
|
||||
odbc.max_persistent = -1
|
||||
odbc.max_links = -1
|
||||
odbc.defaultlrl = 4096
|
||||
odbc.defaultbinmode = 1
|
||||
|
||||
[Interbase]
|
||||
ibase.allow_persistent = 1
|
||||
ibase.max_persistent = -1
|
||||
ibase.max_links = -1
|
||||
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
|
||||
ibase.dateformat = "%Y-%m-%d"
|
||||
ibase.timeformat = "%H:%M:%S"
|
||||
|
||||
[MySQLi]
|
||||
mysqli.max_persistent = -1
|
||||
mysqli.allow_persistent = On
|
||||
mysqli.max_links = -1
|
||||
mysqli.cache_size = 2000
|
||||
mysqli.default_port = 3306
|
||||
mysqli.default_socket =
|
||||
mysqli.default_host =
|
||||
mysqli.default_user =
|
||||
mysqli.default_pw =
|
||||
mysqli.reconnect = Off
|
||||
|
||||
[mysqlnd]
|
||||
mysqlnd.collect_statistics = On
|
||||
mysqlnd.collect_memory_statistics = Off
|
||||
|
||||
[OCI8]
|
||||
|
||||
[OCI8]
|
||||
|
||||
[PostgreSQL]
|
||||
pgsql.allow_persistent = On
|
||||
pgsql.auto_reset_persistent = Off
|
||||
pgsql.max_persistent = -1
|
||||
pgsql.max_links = -1
|
||||
pgsql.ignore_notice = 0
|
||||
pgsql.log_notice = 0
|
||||
|
||||
[bcmath]
|
||||
bcmath.scale = 0
|
||||
|
||||
[browscap]
|
||||
|
||||
[Session]
|
||||
session.save_handler = files
|
||||
session.use_strict_mode = 0
|
||||
session.use_cookies = 1
|
||||
session.use_only_cookies = 1
|
||||
session.name = PHPSESSID
|
||||
session.auto_start = 0
|
||||
session.cookie_lifetime = 0
|
||||
session.cookie_path = /
|
||||
session.cookie_domain =
|
||||
session.cookie_httponly =
|
||||
session.serialize_handler = php
|
||||
session.gc_probability = 0
|
||||
session.gc_divisor = 1000
|
||||
session.gc_maxlifetime = 1440
|
||||
session.referer_check =
|
||||
session.cache_limiter = nocache
|
||||
session.cache_expire = 180
|
||||
session.use_trans_sid = 0
|
||||
|
||||
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
|
||||
|
||||
[Assertion]
|
||||
zend.assertions = -1
|
||||
|
||||
[COM]
|
||||
|
||||
[mbstring]
|
||||
|
||||
[gd]
|
||||
|
||||
[exif]
|
||||
|
||||
[Tidy]
|
||||
tidy.clean_output = Off
|
||||
|
||||
[soap]
|
||||
soap.wsdl_cache_enabled = 1
|
||||
soap.wsdl_cache_dir = "/tmp"
|
||||
soap.wsdl_cache_ttl = 86400
|
||||
soap.wsdl_cache_limit = 5
|
||||
|
||||
[sysvshm]
|
||||
|
||||
[ldap]
|
||||
ldap.max_links = -1
|
||||
|
||||
[mcrypt]
|
||||
|
||||
[dba]
|
||||
|
||||
[opcache]
|
||||
opcache.enable=1
|
||||
opcache.enable_cli=1
|
||||
opcache.interned_strings_buffer=8
|
||||
opcache.max_accelerated_files=10000
|
||||
opcache.memory_consumption=256
|
||||
opcache.save_comments=1
|
||||
opcache.revalidate_freq=1
|
||||
|
||||
|
||||
[curl]
|
||||
|
||||
[openssl]
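Review bot: The `[Session]` block leaves `session.use_strict_mode = 0` and `session.cookie_httponly =` empty, so PHP accepts a session ID it did not issue and the session cookie stays readable from page scripts. The same two lines appear in the next php.ini section; the 271-line one sets `session.cookie_httponly = 1` but keeps strict mode off, and the 184-line one sets `session.cookie_secure = 1` yet leaves `session.cookie_httponly` empty. I would set `session.use_strict_mode = 1` and `session.cookie_httponly = 1` in all four files so the versions agree. `memory_limit = -1` in this file also removes the per-script memory cap; that is usual for a CLI php.ini, but the file path is not visible here, so confirm it is not the one loaded by PHP-FPM.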
|
|
@ -0,0 +1,191 @@
|
|||
[PHP]
|
||||
engine = On
|
||||
short_open_tag = Off
|
||||
precision = 14
|
||||
output_buffering = 8096
|
||||
zlib.output_compression = Off
|
||||
implicit_flush = Off
|
||||
unserialize_callback_func =
|
||||
serialize_precision = 17
|
||||
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
|
||||
disable_classes =
|
||||
zend.enable_gc = On
|
||||
expose_php = Off
|
||||
max_execution_time = 300
|
||||
max_input_time = 600
|
||||
max_input_vars = 10000
|
||||
memory_limit = 256M
|
||||
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
|
||||
display_errors = Off
|
||||
display_startup_errors = Off
|
||||
log_errors = On
|
||||
log_errors_max_len = 1024
|
||||
ignore_repeated_errors = Off
|
||||
ignore_repeated_source = Off
|
||||
report_memleaks = On
|
||||
track_errors = Off
|
||||
html_errors = On
|
||||
variables_order = "GPCS"
|
||||
request_order = "GP"
|
||||
register_argc_argv = Off
|
||||
auto_globals_jit = On
|
||||
post_max_size = 128M
|
||||
auto_prepend_file =
|
||||
auto_append_file =
|
||||
default_mimetype = "text/html"
|
||||
default_charset = "UTF-8"
|
||||
doc_root =
|
||||
user_dir =
|
||||
enable_dl = Off
|
||||
file_uploads = On
|
||||
upload_max_filesize = 128M
|
||||
max_file_uploads = 20
|
||||
allow_url_fopen = On
|
||||
allow_url_include = Off
|
||||
default_socket_timeout = 60
|
||||
|
||||
[CLI Server]
|
||||
cli_server.color = On
|
||||
|
||||
[Date]
|
||||
date.timezone = Europe/Paris
|
||||
|
||||
[filter]
|
||||
|
||||
[iconv]
|
||||
|
||||
[intl]
|
||||
|
||||
[sqlite3]
|
||||
|
||||
[Pcre]
|
||||
|
||||
[Pdo]
|
||||
|
||||
[Pdo_mysql]
|
||||
pdo_mysql.cache_size = 2000
|
||||
pdo_mysql.default_socket =
|
||||
|
||||
[Phar]
|
||||
|
||||
[mail function]
|
||||
smtp = localhost
|
||||
smtp_port = 25
|
||||
mail.add_x_header = On
|
||||
|
||||
[SQL]
|
||||
sql.safe_mode = Off
|
||||
|
||||
[ODBC]
|
||||
odbc.allow_persistent = On
|
||||
odbc.check_persistent = On
|
||||
odbc.max_persistent = -1
|
||||
odbc.max_links = -1
|
||||
odbc.defaultlrl = 4096
|
||||
odbc.defaultbinmode = 1
|
||||
|
||||
[Interbase]
|
||||
ibase.allow_persistent = 1
|
||||
ibase.max_persistent = -1
|
||||
ibase.max_links = -1
|
||||
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
|
||||
ibase.dateformat = "%Y-%m-%d"
|
||||
ibase.timeformat = "%H:%M:%S"
|
||||
|
||||
[MySQLi]
|
||||
mysqli.max_persistent = -1
|
||||
mysqli.allow_persistent = On
|
||||
mysqli.max_links = -1
|
||||
mysqli.cache_size = 2000
|
||||
mysqli.default_port = 3306
|
||||
mysqli.default_socket =
|
||||
mysqli.default_host =
|
||||
mysqli.default_user =
|
||||
mysqli.default_pw =
|
||||
mysqli.reconnect = Off
|
||||
|
||||
[mysqlnd]
|
||||
mysqlnd.collect_statistics = On
|
||||
mysqlnd.collect_memory_statistics = Off
|
||||
|
||||
[OCI8]
|
||||
|
||||
[OCI8]
|
||||
|
||||
[PostgreSQL]
|
||||
pgsql.allow_persistent = On
|
||||
pgsql.auto_reset_persistent = Off
|
||||
pgsql.max_persistent = -1
|
||||
pgsql.max_links = -1
|
||||
pgsql.ignore_notice = 0
|
||||
pgsql.log_notice = 0
|
||||
|
||||
[bcmath]
|
||||
bcmath.scale = 0
|
||||
|
||||
[browscap]
|
||||
|
||||
[Session]
|
||||
session.save_handler = files
|
||||
session.use_strict_mode = 0
|
||||
session.use_cookies = 1
|
||||
session.use_only_cookies = 1
|
||||
session.name = PHPSESSID
|
||||
session.auto_start = 0
|
||||
session.cookie_lifetime = 0
|
||||
session.cookie_path = /
|
||||
session.cookie_domain =
|
||||
session.cookie_httponly =
|
||||
session.serialize_handler = php
|
||||
session.gc_probability = 0
|
||||
session.gc_divisor = 1000
|
||||
session.gc_maxlifetime = 1440
|
||||
session.referer_check =
|
||||
session.cache_limiter = nocache
|
||||
session.cache_expire = 180
|
||||
session.use_trans_sid = 0
|
||||
|
||||
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
|
||||
|
||||
[Assertion]
|
||||
zend.assertions = -1
|
||||
|
||||
[COM]
|
||||
|
||||
[mbstring]
|
||||
|
||||
[gd]
|
||||
|
||||
[exif]
|
||||
|
||||
[Tidy]
|
||||
tidy.clean_output = Off
|
||||
|
||||
[soap]
|
||||
soap.wsdl_cache_enabled = 1
|
||||
soap.wsdl_cache_dir = "/tmp"
|
||||
soap.wsdl_cache_ttl = 86400
|
||||
soap.wsdl_cache_limit = 5
|
||||
|
||||
[sysvshm]
|
||||
|
||||
[ldap]
|
||||
ldap.max_links = -1
|
||||
|
||||
[mcrypt]
|
||||
|
||||
[dba]
|
||||
|
||||
[opcache]
|
||||
opcache.enable=1
|
||||
opcache.enable_cli=1
|
||||
opcache.interned_strings_buffer=8
|
||||
opcache.max_accelerated_files=10000
|
||||
opcache.memory_consumption=256
|
||||
opcache.save_comments=1
|
||||
opcache.revalidate_freq=1
|
||||
|
||||
|
||||
[curl]
|
||||
|
||||
[openssl]
|
|
@ -0,0 +1,271 @@
|
|||
[PHP]
|
||||
|
||||
engine = On
|
||||
short_open_tag = Off
|
||||
precision = 14
|
||||
output_buffering = 4096
|
||||
zlib.output_compression = Off
|
||||
implicit_flush = Off
|
||||
unserialize_callback_func =
|
||||
serialize_precision = -1
|
||||
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
|
||||
disable_classes =
|
||||
zend.enable_gc = On
|
||||
expose_php = Off
|
||||
max_execution_time = 300
|
||||
max_input_time = 600
|
||||
max_input_vars = 10000
|
||||
memory_limit = 256M
|
||||
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
|
||||
display_errors = Off
|
||||
display_startup_errors = Off
|
||||
log_errors = On
|
||||
log_errors_max_len = 1024
|
||||
ignore_repeated_errors = Off
|
||||
ignore_repeated_source = Off
|
||||
report_memleaks = On
|
||||
track_errors = Off
|
||||
html_errors = On
|
||||
|
||||
variables_order = "GPCS"
|
||||
request_order = "GP"
|
||||
register_argc_argv = Off
|
||||
auto_globals_jit = On
|
||||
post_max_size = 128M
|
||||
auto_prepend_file =
|
||||
auto_append_file =
|
||||
default_mimetype = "text/html"
|
||||
default_charset = "UTF-8"
|
||||
doc_root =
|
||||
user_dir =
|
||||
enable_dl = Off
|
||||
file_uploads = On
|
||||
upload_max_filesize = 128M
|
||||
max_file_uploads = 20
|
||||
allow_url_fopen = On
|
||||
allow_url_include = Off
|
||||
default_socket_timeout = 60
|
||||
|
||||
[CLI Server]
|
||||
cli_server.color = On
|
||||
|
||||
[Date]
|
||||
date.timezone = Europe/Paris
|
||||
|
||||
|
||||
[filter]
|
||||
|
||||
[iconv]
|
||||
|
||||
[intl]
|
||||
|
||||
|
||||
[sqlite3]
|
||||
|
||||
[Pcre]
|
||||
|
||||
|
||||
[Pdo]
|
||||
|
||||
[Pdo_mysql]
|
||||
|
||||
pdo_mysql.cache_size = 2000
|
||||
|
||||
pdo_mysql.default_socket=
|
||||
|
||||
[Phar]
|
||||
|
||||
[mail function]
|
||||
|
||||
SMTP = localhost
|
||||
smtp_port = 25
|
||||
mail.add_x_header = On
|
||||
|
||||
|
||||
[SQL]
|
||||
|
||||
sql.safe_mode = Off
|
||||
|
||||
[ODBC]
|
||||
|
||||
odbc.allow_persistent = On
|
||||
|
||||
odbc.check_persistent = On
|
||||
|
||||
odbc.max_persistent = -1
|
||||
|
||||
odbc.max_links = -1
|
||||
|
||||
odbc.defaultlrl = 4096
|
||||
|
||||
odbc.defaultbinmode = 1
|
||||
|
||||
[Interbase]
|
||||
|
||||
ibase.allow_persistent = 1
|
||||
|
||||
ibase.max_persistent = -1
|
||||
|
||||
ibase.max_links = -1
|
||||
|
||||
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
|
||||
|
||||
ibase.dateformat = "%Y-%m-%d"
|
||||
|
||||
ibase.timeformat = "%H:%M:%S"
|
||||
|
||||
[MySQLi]
|
||||
|
||||
mysqli.max_persistent = -1
|
||||
|
||||
|
||||
mysqli.allow_persistent = On
|
||||
|
||||
mysqli.max_links = -1
|
||||
|
||||
mysqli.cache_size = 2000
|
||||
|
||||
|
||||
mysqli.default_port = 3306
|
||||
|
||||
mysqli.default_socket =
|
||||
|
||||
mysqli.default_host =
|
||||
|
||||
mysqli.default_user =
|
||||
|
||||
mysqli.default_pw =
|
||||
|
||||
mysqli.reconnect = Off
|
||||
|
||||
[mysqlnd]
|
||||
|
||||
mysqlnd.collect_statistics = On
|
||||
|
||||
mysqlnd.collect_memory_statistics = Off
|
||||
|
||||
|
||||
|
||||
[OCI8]
|
||||
|
||||
[PostgreSQL]
|
||||
|
||||
pgsql.allow_persistent = On
|
||||
|
||||
pgsql.auto_reset_persistent = Off
|
||||
|
||||
pgsql.max_persistent = -1
|
||||
|
||||
pgsql.max_links = -1
|
||||
|
||||
pgsql.ignore_notice = 0
|
||||
|
||||
pgsql.log_notice = 0
|
||||
|
||||
[bcmath]
|
||||
|
||||
bcmath.scale = 0
|
||||
|
||||
[browscap]
|
||||
|
||||
[Session]
|
||||
|
||||
session.save_handler = files
|
||||
|
||||
session.use_strict_mode = 0
|
||||
|
||||
session.use_cookies = 1
|
||||
|
||||
session.cookie_secure = 1
|
||||
|
||||
session.use_only_cookies = 1
|
||||
|
||||
session.name = PHPSESSID
|
||||
|
||||
session.auto_start = 0
|
||||
|
||||
session.cookie_lifetime = 0
|
||||
|
||||
session.cookie_path = /
|
||||
|
||||
session.cookie_domain =
|
||||
|
||||
session.cookie_httponly = 1
|
||||
|
||||
session.serialize_handler = php
|
||||
|
||||
session.gc_probability = 0
|
||||
|
||||
|
||||
session.gc_divisor = 1000
|
||||
|
||||
session.gc_maxlifetime = 1440
|
||||
|
||||
session.referer_check =
|
||||
|
||||
session.cache_limiter = nocache
|
||||
|
||||
session.cache_expire = 180
|
||||
|
||||
session.use_trans_sid = 0
|
||||
|
||||
session.sid_length = 26
|
||||
|
||||
session.trans_sid_tags = "a=href,area=href,frame=src,form="
|
||||
|
||||
session.sid_bits_per_character = 5
|
||||
|
||||
[Assertion]
|
||||
|
||||
zend.assertions = -1
|
||||
|
||||
[COM]
|
||||
|
||||
[mbstring]
|
||||
|
||||
|
||||
[gd]
|
||||
|
||||
|
||||
[exif]
|
||||
|
||||
|
||||
[Tidy]
|
||||
|
||||
tidy.clean_output = Off
|
||||
|
||||
[soap]
|
||||
|
||||
soap.wsdl_cache_enabled=1
|
||||
|
||||
soap.wsdl_cache_dir="/tmp"
|
||||
|
||||
soap.wsdl_cache_ttl=86400
|
||||
|
||||
soap.wsdl_cache_limit = 5
|
||||
|
||||
[sysvshm]
|
||||
|
||||
[ldap]
|
||||
|
||||
ldap.max_links = -1
|
||||
|
||||
[mcrypt]
|
||||
|
||||
[dba]
|
||||
|
||||
|
||||
[opcache]
|
||||
|
||||
opcache.enable=1
|
||||
opcache.enable_cli=1
|
||||
opcache.interned_strings_buffer=8
|
||||
opcache.max_accelerated_files=10000
|
||||
opcache.memory_consumption=256
|
||||
opcache.save_comments=1
|
||||
opcache.revalidate_freq=1
|
||||
|
||||
[curl]
|
||||
|
||||
|
||||
[openssl]
|
|
@ -0,0 +1,15 @@
|
|||
[www]
|
||||
user = www-data
|
||||
group = www-data
|
||||
listen = 127.0.0.1:9080
|
||||
listen.owner = www-data
|
||||
listen.group = www-data
|
||||
pm = ondemand
|
||||
pm.max_children = 100
|
||||
pm.start_servers = 20
|
||||
pm.min_spare_servers = 10
|
||||
pm.max_spare_servers = 30
|
||||
ping.path = /ping
|
||||
pm.status_path = /status
|
||||
pm.max_requests = 500
|
||||
request_terminate_timeout = 300
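Review bot: `listen.owner` and `listen.group` only take effect on a Unix socket, so with `listen = 127.0.0.1:9080` they are ignored and any local process can reach the pool's FastCGI port, which runs as `www-data`. If nginx runs on the same host, a socket such as `listen = /run/php/<pool-name>.sock` (placeholder path) with `listen.mode = 0660` would make those two lines meaningful; the matching nginx upstream is not visible here and would need the same change. `pm.start_servers`, `pm.min_spare_servers` and `pm.max_spare_servers` are also unused under `pm = ondemand` and could be dropped or replaced by `pm.process_idle_timeout`. The later pool file listening on `127.0.0.1:9090` has the same lines.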
|
|
@ -0,0 +1,184 @@
|
|||
[PHP]
|
||||
engine = On
|
||||
short_open_tag = Off
|
||||
precision = 14
|
||||
output_buffering = 4096
|
||||
zlib.output_compression = Off
|
||||
implicit_flush = Off
|
||||
unserialize_callback_func =
|
||||
serialize_precision = -1
|
||||
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
|
||||
disable_classes =
|
||||
zend.enable_gc = On
|
||||
expose_php = Off
|
||||
max_execution_time = 300
|
||||
max_input_vars = 10000
|
||||
max_input_time = 600
|
||||
memory_limit = 256M
|
||||
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
|
||||
display_errors = Off
|
||||
display_startup_errors = Off
|
||||
log_errors = On
|
||||
log_errors_max_len = 1024
|
||||
ignore_repeated_errors = Off
|
||||
ignore_repeated_source = Off
|
||||
report_memleaks = On
|
||||
html_errors = On
|
||||
variables_order = "GPCS"
|
||||
request_order = "GP"
|
||||
register_argc_argv = Off
|
||||
auto_globals_jit = On
|
||||
post_max_size = 128M
|
||||
auto_prepend_file =
|
||||
auto_append_file =
|
||||
default_mimetype = "text/html"
|
||||
default_charset = "UTF-8"
|
||||
doc_root =
|
||||
user_dir =
|
||||
enable_dl = Off
|
||||
file_uploads = On
|
||||
upload_max_filesize = 128M
|
||||
max_file_uploads = 20
|
||||
allow_url_fopen = On
|
||||
allow_url_include = Off
|
||||
default_socket_timeout = 60
|
||||
|
||||
[CLI Server]
|
||||
cli_server.color = On
|
||||
|
||||
[Date]
|
||||
date.timezone = Europe/Paris
|
||||
|
||||
[filter]
|
||||
|
||||
[iconv]
|
||||
|
||||
[intl]
|
||||
|
||||
[sqlite3]
|
||||
|
||||
[Pcre]
|
||||
|
||||
[Pdo]
|
||||
|
||||
[Pdo_mysql]
|
||||
pdo_mysql.cache_size = 2000
|
||||
pdo_mysql.default_socket=
|
||||
|
||||
[Phar]
|
||||
|
||||
[mail function]
|
||||
SMTP = localhost
|
||||
smtp_port = 25
|
||||
mail.add_x_header = On
|
||||
|
||||
[ODBC]
|
||||
odbc.allow_persistent = On
|
||||
odbc.check_persistent = On
|
||||
odbc.max_persistent = -1
|
||||
odbc.max_links = -1
|
||||
odbc.defaultlrl = 4096
|
||||
odbc.defaultbinmode = 1
|
||||
|
||||
[Interbase]
|
||||
ibase.allow_persistent = 1
|
||||
ibase.max_persistent = -1
|
||||
ibase.max_links = -1
|
||||
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
|
||||
ibase.dateformat = "%Y-%m-%d"
|
||||
ibase.timeformat = "%H:%M:%S"
|
||||
|
||||
[MySQLi]
|
||||
mysqli.max_persistent = -1
|
||||
mysqli.allow_persistent = On
|
||||
mysqli.max_links = -1
|
||||
mysqli.cache_size = 2000
|
||||
mysqli.default_port = 3306
|
||||
mysqli.default_socket =
|
||||
mysqli.default_host =
|
||||
mysqli.default_user =
|
||||
mysqli.default_pw =
|
||||
mysqli.reconnect = Off
|
||||
|
||||
[mysqlnd]
|
||||
mysqlnd.collect_statistics = On
|
||||
mysqlnd.collect_memory_statistics = Off
|
||||
|
||||
[OCI8]
|
||||
|
||||
[PostgreSQL]
|
||||
pgsql.allow_persistent = On
|
||||
pgsql.auto_reset_persistent = Off
|
||||
pgsql.max_persistent = -1
|
||||
pgsql.max_links = -1
|
||||
pgsql.ignore_notice = 0
|
||||
pgsql.log_notice = 0
|
||||
|
||||
[bcmath]
|
||||
bcmath.scale = 0
|
||||
|
||||
[browscap]
|
||||
|
||||
[Session]
|
||||
session.save_handler = files
|
||||
session.use_strict_mode = 0
|
||||
session.use_cookies = 1
|
||||
session.cookie_secure = 1
|
||||
session.use_only_cookies = 1
|
||||
session.name = PHPSESSID
|
||||
session.auto_start = 0
|
||||
session.cookie_lifetime = 0
|
||||
session.cookie_path = /
|
||||
session.cookie_domain =
|
||||
session.cookie_httponly =
|
||||
session.serialize_handler = php
|
||||
session.gc_probability = 0
|
||||
session.gc_divisor = 1000
|
||||
session.gc_maxlifetime = 1440
|
||||
session.referer_check =
|
||||
session.cache_limiter = nocache
|
||||
session.cache_expire = 180
|
||||
session.use_trans_sid = 0
|
||||
session.sid_length = 26
|
||||
session.trans_sid_tags = "a=href,area=href,frame=src,form="
|
||||
session.sid_bits_per_character = 5
|
||||
|
||||
[Assertion]
|
||||
zend.assertions = -1
|
||||
|
||||
[COM]
|
||||
|
||||
[mbstring]
|
||||
|
||||
[gd]
|
||||
|
||||
[exif]
|
||||
|
||||
[Tidy]
|
||||
tidy.clean_output = Off
|
||||
|
||||
[soap]
|
||||
soap.wsdl_cache_enabled=1
|
||||
soap.wsdl_cache_dir="/tmp"
|
||||
soap.wsdl_cache_ttl=86400
|
||||
soap.wsdl_cache_limit = 5
|
||||
|
||||
[sysvshm]
|
||||
|
||||
[ldap]
|
||||
ldap.max_links = -1
|
||||
|
||||
[dba]
|
||||
|
||||
[opcache]
|
||||
opcache.enable=1
|
||||
opcache.enable_cli=1
|
||||
opcache.interned_strings_buffer=8
|
||||
opcache.max_accelerated_files=10000
|
||||
opcache.memory_consumption=256
|
||||
opcache.save_comments=1
|
||||
opcache.revalidate_freq=1
|
||||
|
||||
[curl]
|
||||
|
||||
[openssl]
|
|
@ -0,0 +1,15 @@
|
|||
[www]
|
||||
user = www-data
|
||||
group = www-data
|
||||
listen = 127.0.0.1:9090
|
||||
listen.owner = www-data
|
||||
listen.group = www-data
|
||||
pm = ondemand
|
||||
pm.max_children = 100
|
||||
pm.start_servers = 20
|
||||
pm.min_spare_servers = 10
|
||||
pm.max_spare_servers = 30
|
||||
ping.path = /ping
|
||||
pm.status_path = /status
|
||||
pm.max_requests = 500
|
||||
request_terminate_timeout = 300
|
|
@ -0,0 +1,61 @@
|
|||
# /etc/security/limits.conf
|
||||
#
|
||||
#Each line describes a limit for a user in the form:
|
||||
#
|
||||
#<domain> <type> <item> <value>
|
||||
#
|
||||
#Where:
|
||||
#<domain> can be:
|
||||
# - a user name
|
||||
# - a group name, with @group syntax
|
||||
# - the wildcard *, for default entry
|
||||
# - the wildcard %, can be also used with %group syntax,
|
||||
# for maxlogin limit
|
||||
# - NOTE: group and wildcard limits are not applied to root.
|
||||
# To apply a limit to the root user, <domain> must be
|
||||
# the literal username root.
|
||||
#
|
||||
#<type> can have the two values:
|
||||
# - "soft" for enforcing the soft limits
|
||||
# - "hard" for enforcing hard limits
|
||||
#
|
||||
#<item> can be one of the following:
|
||||
# - core - limits the core file size (KB)
|
||||
# - data - max data size (KB)
|
||||
# - fsize - maximum filesize (KB)
|
||||
# - memlock - max locked-in-memory address space (KB)
|
||||
# - nofile - max number of open files
|
||||
# - rss - max resident set size (KB)
|
||||
# - stack - max stack size (KB)
|
||||
# - cpu - max CPU time (MIN)
|
||||
# - nproc - max number of processes
|
||||
# - as - address space limit (KB)
|
||||
# - maxlogins - max number of logins for this user
|
||||
# - maxsyslogins - max number of logins on the system
|
||||
# - priority - the priority to run user process with
|
||||
# - locks - max number of file locks the user can hold
|
||||
# - sigpending - max number of pending signals
|
||||
# - msgqueue - max memory used by POSIX message queues (bytes)
|
||||
# - nice - max nice priority allowed to raise to values: [-20, 19]
|
||||
# - rtprio - max realtime priority
|
||||
# - chroot - change root to directory (Debian-specific)
|
||||
#
|
||||
#<domain> <type> <item> <value>
|
||||
#
|
||||
|
||||
#* soft core 0
|
||||
#root hard core 100000
|
||||
#* hard rss 10000
|
||||
#@student hard nproc 20
|
||||
#@faculty soft nproc 20
|
||||
#@faculty hard nproc 50
|
||||
#ftp hard nproc 0
|
||||
#ftp - chroot /ftp
|
||||
#@student - maxlogins 4
|
||||
|
||||
# End of file
|
||||
* hard nofile 500000
|
||||
* soft nofile 500000
|
||||
root hard nofile 500000
|
||||
root soft nofile 500000
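Review bot: The four `nofile` lines sit below the `# End of file` marker, and the `*` entries raise the descriptor limit to 500000 for every account, not only the ones running nginx, PHP-FPM or MariaDB. Scoping them, e.g. `www-data hard nofile 500000`, keeps a runaway or abused unprivileged account from holding that many descriptors. These limits are applied by pam_limits to login sessions, so daemons started by systemd will presumably still need `LimitNOFILE=` in their unit; a comment above the lines naming the processes they are meant for would help.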
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
# Use a custom port in the following range : 1024-65536
|
||||
Port 22
|
||||
|
||||
#Prefer ed25519 & ECDSA keys rather than 2048 bit RSA
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Allow root access with ssh keys
|
||||
PermitRootLogin without-password
|
||||
|
||||
# Allow ssh access to some users only
|
||||
AllowUsers root
|
||||
|
||||
# allow ssh key Authentication
|
||||
PubkeyAuthentication yes
|
||||
|
||||
# ssh keys path in ~/.ssh/authorized_keys
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
|
||||
# No password or empty passwords Authentication
|
||||
PasswordAuthentication no
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# No challenge response Authentication
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
|
||||
UsePAM yes
|
||||
X11Forwarding yes
|
||||
|
||||
#PrintMotd no
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# use strong ciphers
|
||||
KexAlgorithms curve25519-sha256@libssh.org
|
||||
Ciphers chacha20-poly1305@openssh.com
|
||||
MACs umac-128-etm@openssh.com,umac-128@openssh.com
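Review bot: `AllowUsers root` together with `PermitRootLogin without-password` makes direct root login the only way into the host, so every admin shares one account and the auth log cannot tell them apart. I would log in as a named user and escalate with sudo: `AllowUsers <admin-user>` (placeholder) and `PermitRootLogin no`; `without-password` is also the deprecated spelling of `prohibit-password`. `X11Forwarding yes` has no use on a headless web server and is better as `X11Forwarding no`. The first comment should read `1024-65535`, and it advertises a custom port while the line below keeps `Port 22`.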
|