add error pages and some config

README.md

@@ -5,7 +5,7 @@
 ## Server Stack
 
 - Ubuntu 16.04/18.04 LTS
-- Nginx 1.14.x
+- Nginx 1.15.x / 1.14.x
 - PHP-FPM 7/7.1/7.2
 - MariaDB 10.3
 - REDIS 4.0
@@ -25,7 +25,7 @@ Configuration files with comments and informations available by following the li
 #### System update and packages cleanup
 
 ```bash
-apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
+apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
 ```
 
 #### Install useful packages
@@ -271,8 +271,9 @@ WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH key
 #### UFW
 
 Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
+
 ```bash
-# enable ufw log - allow outgoing - deny incoming 
+# enable ufw log - allow outgoing - deny incoming
 ufw logging low
 ufw default allow outgoing
 ufw default deny incoming
@@ -313,7 +314,7 @@ fail2ban-client reload
 #### Secure Memcached server
 
 ```bash
-echo '-U 0' >> /etc/memcached.conf 
+echo '-U 0' >> /etc/memcached.conf
 sudo systemctl restart memcached
 ```
 
@@ -323,16 +324,14 @@ sudo systemctl restart memcached
 
 [Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
 
-
-
 * subdomain support
 * ivp6 support
 * wildcards certificates support
 
 ```bash
 wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
-chmod +x install-ee-acme.sh 
-./install-ee-acme.sh 
+chmod +x install-ee-acme.sh
+./install-ee-acme.sh
 
 # enable acme.sh & ee-acme-sh
 source .bashrc
@@ -386,7 +385,7 @@ root@vps:~ cheat cat
 # Number all output lines:
   cat -n file
 ```
- 
+
 #### nanorc - Improved Nano Syntax Highlighting Files
 
 [Github repository](https://github.com/scopatz/nanorc)
@@ -403,12 +402,13 @@ sudo apt update
 sudo apt install ucaresystem-core -y
 ```
 
-Run server maintenance with the command : 
+Run server maintenance with the command :
+
 ```bash
 sudo ucaresystem-core
 ```
 
-### WP-CLI 
+### WP-CLI
 
 #### Add bash-completion for user www-data
 
@@ -428,6 +428,24 @@ chown www-data:www-data /var/www/.profile
 chown www-data:www-data /var/www/.bashrc
 ```
 
+### Custom Nginx error pages
 
+[Github Repository](https://github.com/alexphelps/server-error-pages)
+
+Installation
+
+```bash
+# clone the github repository
+sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
+
+# download nginx configuration
+wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
+```
+
+Then include this configuration in your nginx vhost by adding the following line
+
+```bash
+include common/error_pages.conf;
+```
 
 Published & maintained by [VirtuBox](https://virtubox.net)

docs/README.md

@@ -5,7 +5,7 @@
 ## Server Stack
 
 - Ubuntu 16/18.04 LTS
-- Nginx 1.14.x
+- Nginx 1.15.x / 1.14.x
 - PHP-FPM 7/7.1/7.2
 - MariaDB 10.3
 - REDIS 4.0
@@ -23,7 +23,7 @@ Configuration files with comments and informations available by following the li
 #### System update and packages cleanup
 
 ```bash
-apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
+apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
 ```
 
 #### Install useful packages
@@ -81,7 +81,9 @@ sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
 
 sudo service mysql start
 ```
-Increase MariaDB open files limits 
+
+Increase MariaDB open files limits
+
 ```bash
 wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
 
@@ -98,7 +100,7 @@ sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME
 wget -qO ee rt.cx/ee && bash ee
 ```
 
-#### enable ee bash_completion 
+#### enable ee bash_completion
 
 ```bash
 source /etc/bash_completion.d/ee_auto.rc
@@ -268,6 +270,7 @@ WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH key
 #### UFW
 
 Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
+
 ```bash
 # enable ufw log - allow outgoing - deny incoming 
 ufw logging low
@@ -310,7 +313,7 @@ fail2ban-client reload
 #### Secure Memcached server
 
 ```bash
-echo '-U 0' >> /etc/memcached.conf 
+echo '-U 0' >> /etc/memcached.conf
 sudo systemctl restart memcached
 ```
 
@@ -320,16 +323,14 @@ sudo systemctl restart memcached
 
 [Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
 
-
-
 * subdomain support
 * ivp6 support
 * wildcards certificates support
 
 ```bash
 wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
-chmod +x install-ee-acme.sh 
-./install-ee-acme.sh 
+chmod +x install-ee-acme.sh
+./install-ee-acme.sh
 
 # enable acme.sh & ee-acme-sh
 source .bashrc
@@ -400,12 +401,13 @@ sudo apt update
 sudo apt install ucaresystem-core -y
 ```
 
-Run server maintenance with the command : 
+Run server maintenance with the command :
+
 ```bash
 sudo ucaresystem-core
 ```
 
-### WP-CLI 
+### WP-CLI
 
 #### Add bash-completion for user www-data
 
@@ -425,6 +427,24 @@ chown www-data:www-data /var/www/.profile
 chown www-data:www-data /var/www/.bashrc
 ```
 
+### Custom Nginx error pages
 
+[Github Repository](https://github.com/alexphelps/server-error-pages)
 
-Published & maintained by [VirtuBox](https://virtubox.net)
+Installation
+
+```bash
+# clone the github repository
+sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
+
+# download nginx configuration
+wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
+```
+
+Then include this configuration in your nginx vhost by adding the following line
+
+```bash
+include common/error_pages.conf;
+```
+
+Published & maintained by [VirtuBox](https://virtubox.net)

docs/files/etc/nginx/common/error_pages.conf

@@ -0,0 +1,16 @@
+error_page 400 /400-error.html;
+error_page 401 /401-error.html;
+error_page 403 /403-error.html;
+error_page 404 /404-error.html;
+error_page 500 /500-error.html;
+error_page 503 /503-error.html;
+error_page 504 /504-error.html;
+
+location ~ /*-error.html {
+        try_files $1-error.html @error;
+        internal;
+}
+
+location @error {
+    root /var/www/error/_site;
+}

docs/files/etc/nginx/common/hsts-nosub.conf

@@ -1,2 +1,2 @@
-# Warning : this line enable HSTS for your domain and all subdomains (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+# Warning : this line enable HSTS for your subdomain (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header Strict-Transport-Security "max-age=31536000; preload"; 

docs/files/etc/nginx/common/hsts-sub.conf

@@ -1,2 +0,0 @@
-# Warning : this line enable HSTS for your domain and all subdomains (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-add_header Strict-Transport-Security "max-age=31536000; preload"; 

docs/files/etc/nginx/common/locations-php7.conf

@@ -48,7 +48,7 @@ location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$
   log_not_found off;
 }
 # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
+location ~*  "/(^$|readme|license|example)\.(txt|html)" {
   return 403;
 }
 # Status pages

docs/files/etc/nginx/common/locations-php71.conf

@@ -48,7 +48,7 @@ location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$
   log_not_found off;
 }
 # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
+location ~*  "/(^$|readme|license|example)\.(txt|html)" {
   return 403;
 }
 # Status pages

docs/files/etc/nginx/common/locations-php72.conf

@@ -48,7 +48,7 @@ location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$
   log_not_found off;
 }
 # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
+location ~*  "/(^$|readme|license|example)\.(txt|html)" {
   return 403;
 }
 # Status pages

docs/files/etc/nginx/common/ocsp.conf

@@ -1,6 +1,4 @@
 ##OCSP settings
 ssl_stapling on;
-resolver 8.8.8.8 1.1.1.1 valid=300s;
 ssl_stapling_verify on;
 #ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here  
-resolver_timeout 5;

docs/files/etc/nginx/common/wpcommon-php7.conf

@@ -18,16 +18,18 @@ location /wp-content/uploads/ {
     #Prevent Direct Access Of PHP Files From Web Browsers
     deny all;
   }
-}
-location ~* ^/wp-content/.+\.(png|jpg)$ {
-  add_header Vary Accept;
+  location ~ \.(png|jpe?g)$ {
+  add_header Vary "Accept-Encoding";
   add_header "Access-Control-Allow-Origin" "*";
+  add_header Cache-Control "public, no-transform";
   access_log off;
   log_not_found off;
   expires max;
   try_files $uri$webp_suffix $uri =404;
+  }
 }
 
+# mitigate DoS attack CVE with WordPress script concatenation
 location ~ \/wp-admin\/load-(scripts|styles).php {
   deny all;
 }

etc/nginx/common/error_pages.conf

@@ -0,0 +1,16 @@
+error_page 400 /400-error.html;
+error_page 401 /401-error.html;
+error_page 403 /403-error.html;
+error_page 404 /404-error.html;
+error_page 500 /500-error.html;
+error_page 503 /503-error.html;
+error_page 504 /504-error.html;
+
+location ~ /*-error.html {
+        try_files $1-error.html @error;
+        internal;
+}
+
+location @error {
+    root /var/www/error/_site;
+}

etc/nginx/common/hsts-nosub.conf

@@ -1,2 +1,2 @@
-# Warning : this line enable HSTS for your domain and all subdomains (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+# Warning : this line enable HSTS for your subdomain (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header Strict-Transport-Security "max-age=31536000; preload"; 

etc/nginx/common/hsts-sub.conf

@@ -1,2 +0,0 @@
-# Warning : this line enable HSTS for your domain and all subdomains (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-add_header Strict-Transport-Security "max-age=31536000; preload"; 

etc/nginx/common/locations-php7.conf

@@ -48,7 +48,7 @@ location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$
   log_not_found off;
 }
 # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
+location ~*  "/(^$|readme|license|example)\.(txt|html)" {
   return 403;
 }
 # Status pages

etc/nginx/common/locations-php71.conf

@@ -48,7 +48,7 @@ location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$
   log_not_found off;
 }
 # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
+location ~*  "/(^$|readme|license|example)\.(txt|html)" {
   return 403;
 }
 # Status pages

etc/nginx/common/locations-php72.conf

@@ -48,7 +48,7 @@ location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$
   log_not_found off;
 }
 # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
+location ~*  "/(^$|readme|license|example)\.(txt|html)" {
   return 403;
 }
 # Status pages

etc/nginx/common/ocsp.conf

@@ -1,6 +1,4 @@
 ##OCSP settings
 ssl_stapling on;
-resolver 8.8.8.8 1.1.1.1 valid=300s;
 ssl_stapling_verify on;
 #ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here  
-resolver_timeout 5;

scripts/init.sh

@@ -22,6 +22,8 @@ REPO_PATH="/tmp/ubuntu-nginx-web-server"
 
 if [ "$(id -u)" != "0" ]; then
     echo "Error: You must be root to run this script, please use the root user to install the software."
+    echo ""
+    echo "Use 'sudo su - root' to login as root"
     exit 1
 fi
 
@@ -103,7 +105,7 @@ ufw() {
     
     if [ ! -d /etc/ufw ];
     then
-        sudo apt-get install ufw -y
+        apt-get install ufw -y
     fi
     
     ufw logging low
@@ -136,10 +138,10 @@ ufw() {
 
 useful() {
     
-    sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp -y
+    apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp -y
     
     # ntp time
-    sudo systemctl enable ntp
+    systemctl enable ntp
     
 }
 
@@ -340,12 +342,11 @@ nginx_ee() {
 # Add nginx additional conf
 ##################################
 
+nginx_conf() {
+
 # php7.1 & 7.2 common configurations
 
-cd /etc/nginx/common || exit
-wget $REPO_PATH/common.zip
-unzip common.zip
-rm common.zip
+cp -rf $REPO_PATH/etc/nginx/common/* /etc/nginx/common/
 
 # optimized nginx.config
 cp -f  $REPO_PATH/etc/nginx/nginx.conf /etc/nginx/nginx.conf
@@ -377,19 +378,11 @@ fi
 # 1) add webp mapping
 cp -f $REPO_PATH/etc/nginx/conf.d/webp.conf /etc/nginx/conf.d/webp.conf
 
-# 2) wpcommon files
-# php7
-cp -f $REPO_PATH/etc/nginx/common/wpcommon-php7.conf /etc/nginx/common/wpcommon-php7.conf
-
-# php7.1
-cp -f $REPO_PATH/etc/nginx/common/wpcommon-php71.conf /etc/nginx/common/wpcommon-php71.conf
-
-# php7.2
-cp -f $REPO_PATH/etc/nginx/common/wpcommon-php72.conf /etc/nginx/common/wpcommon-php72.conf
-
 nginx -t
 service nginx reload
 
+}
+
 ##################################
 # Add fail2ban configurations
 ##################################
@@ -562,6 +555,7 @@ fi
 if [ "$nginxee" = "y" ]
 then
     nginx_ee
+    nginx_conf
 fi
 
 if [ "$fail2ban" = "y" ]
@@ -575,7 +569,7 @@ then
 fi
 
 bashrc_extra
-ucaresystem
+#ucaresystem
 
 netdata
 extplorer