Merge remote-tracking branch 'origin/master' into develop

2018-09-19 14:45:50 +02:00 · 2018-09-19 14:45:50 +02:00 · 45d1041425
parent bf80590dbb dde52e237b
commit 45d1041425
28 changed files with 1658 additions and 776 deletions
--- a/common.zip
+++ b/common.zip
--- a/docs/files/common.zip
+++ b/docs/files/common.zip
--- a/docs/files/etc/mysql/my.cnf
+++ b/docs/files/etc/mysql/my.cnf
@ -3,7 +3,7 @@
 # You can copy this file to one of:
 # - "/etc/mysql/my.cnf" to set global options,
 # - "~/.my.cnf" to set user-specific options.
-# 
+#
 # One can use all long options that the program supports.
 # Run program with --help to get a list of available options and with
 # --print-defaults to see which it would actually understand and use.
@ -37,10 +37,11 @@ tmpdir		= /tmp
 lc_messages_dir	= /usr/share/mysql
 lc_messages	= en_US
 skip-external-locking
+performance_schema = ON
 #
 # Instead of skip-networking the default is now to listen only on
 # localhost which is more compatible and is not less secure.
-bind-address		= 127.0.0.1
+bind-address = ::ffff:127.0.0.1
 #
 # * Fine Tuning
 #
@ -71,9 +72,9 @@ read_rnd_buffer_size	= 1M
 #
 # Cache only tiny result sets, so we can fit more in the query cache.
 query_cache_limit		= 128K
-query_cache_size		= 64M
+query_cache_size		= 0
 # for more write intensive setups, set to DEMAND or OFF
-#query_cache_type		= DEMAND
+query_cache_type		= 0
 #
 # * Logging and Replication
 #
@ -89,7 +90,7 @@ query_cache_size		= 64M
 log_warnings		= 2
 #
 # Enable the slow query log to see queries with especially long duration
-#slow_query_log[={0|1}]
+slow_query_log = 1
 slow_query_log_file	= /var/log/mysql/mariadb-slow.log
 long_query_time = 10
 #log_slow_rate_limit	= 1000
--- a/docs/files/etc/nginx/common/acl.conf
+++ b/docs/files/etc/nginx/common/acl.conf
@ -0,0 +1,8 @@
+	# EasyEngine (ee) protect locations using
+	# HTTP authentication || IP address
+	satisfy any;
+	auth_basic "Restricted Area";
+	auth_basic_user_file htpasswd-ee;
+	# Allowed IP Address List
+	allow 127.0.0.1;
+	deny all;
--- a/docs/files/etc/nginx/common/locations-php7.conf
+++ b/docs/files/etc/nginx/common/locations-php7.conf
@ -1,79 +1,131 @@
-# NGINX CONFIGURATION FOR COMMON LOCATION
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Basic locations files
-location = /favicon.ico {
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-location = /robots.txt {
-  # Some WordPress plugin gererate robots.txt file
-  # Refer #340 issue
-  try_files $uri $uri/ /index.php?$args;
-  access_log off;
-  log_not_found off;
-}
-# Cache static files
-location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-# Cache static files
-location ~* \.(css|js)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires 30d;
-}
-# Security settings for better privacy
-# Deny hidden files
-location /.well-known/acme-challenge/ {
-    alias /var/www/html/.well-known/acme-challenge/;
-}
-
-#location ~ /\.well-known {
-#  allow all;
-#}
-location ~ /\. {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Deny backup extensions & log files
-location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-location ~*  "/(^$|readme|license|example)\.(txt|html)" {
-  return 403;
-}
-# Status pages
-location /nginx_status {
-  stub_status on;
-  access_log off;
-  include common/acl.conf;
-}
-location ~ ^/(status|ping) {
-  include fastcgi_params;
-  fastcgi_pass php7;
-  include common/acl.conf;
-}
-# EasyEngine (ee) utilities
-# phpMyAdmin settings
-location /pma {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpMyAdmin {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpmyadmin {
-  return 301 https://$host:22222/db/pma;
-}
-# Adminer settings
-location /adminer {
-  return 301 https://$host:22222/db/adminer;
-}
+# NGINX CONFIGURATION FOR COMMON LOCATION
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Basic locations files
+location = /favicon.ico {
+    access_log off;
+    log_not_found off;
+    expires max;
+}
+location = /robots.txt {
+# Some WordPress plugin gererate robots.txt file
+# Refer #340 issue
+    try_files $uri $uri/ /index.php?$args;
+    access_log off;
+    log_not_found off;
+}
+# Cache static files
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires max;
+}
+# Cache css & js files
+location ~* \.(?:css(\.map)?|js(\.map)?)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires 30d;
+}
+# Security settings for better privacy
+# Deny hidden files
+location ~ /\. {
+    deny all;
+}
+# Use the directory /var/www/html to valide acme-challenge
+# just create the sub-directories .well-known/acme-challenge and set www-data as owner
+# #
+# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
+# #
+location /.well-known/acme-challenge/ {
+    alias /var/www/html/.well-known/acme-challenge/;
+}
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
+location ~*  "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
+    deny all;
+}
+# Deny backup extensions & log files and return 403 forbidden
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+    deny all;
+}
+# common nginx configuration to block sql injection and other attacks
+location ~* "(eval\()" {
+    deny all;
+}
+location ~* "(127\.0\.0\.1)" {
+    deny all;
+}
+location ~* "([a-z0-9]{2000})" {
+    deny all;
+}
+location ~* "(javascript\:)(.*)(\;)" {
+    deny all;
+}
+location ~* "(base64_encode)(.*)(\()" {
+    deny all;
+}
+location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
+    deny all;
+}
+location ~* "(<|%3C).*script.*(>|%3)" {
+    deny all;
+}
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
+    deny all;
+}
+location ~* "(boot\.ini|etc/passwd|self/environ)" {
+    deny all;
+}
+location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
+    deny all;
+}
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
+    deny all;
+}
+location ~* "(https?|ftp|php):/" {
+    deny all;
+}
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
+    deny all;
+}
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
+    deny all;
+}
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
+    deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+    deny all;
+}
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
+    deny all;
+}
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
+    deny all;
+}
+# Status pages
+location = /nginx_status {
+    stub_status on;
+    access_log off;
+    include common/acl.conf;
+}
+location ~ ^/(status|ping)$ {
+    include fastcgi_params;
+    include common/acl.conf;
+    fastcgi_pass php7;
+}
+# EasyEngine (ee) utilities
+# phpMyAdmin settings
+location = /pma {
+    return 301 https://$host:22222/db/pma;
+}
+location = /phpMyAdmin {
+    return 301 https://$host:22222/db/pma;
+}
+location = /phpmyadmin {
+    return 301 https://$host:22222/db/pma;
+}
+# Adminer settings
+location = /adminer {
+    return 301 https://$host:22222/db/adminer;
+}
--- a/docs/files/etc/nginx/common/locations-php71.conf
+++ b/docs/files/etc/nginx/common/locations-php71.conf
@ -1,79 +1,133 @@
-# NGINX CONFIGURATION FOR COMMON LOCATION
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Basic locations files
-location = /favicon.ico {
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-location = /robots.txt {
-  # Some WordPress plugin gererate robots.txt file
-  # Refer #340 issue
-  try_files $uri $uri/ /index.php?$args;
-  access_log off;
-  log_not_found off;
-}
-# Cache static files
-location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-# Cache static files
-location ~* \.(css|js)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires 30d;
-}
-# Security settings for better privacy
-# Deny hidden files
-location /.well-known/acme-challenge/ {
-    alias /var/www/html/.well-known/acme-challenge/;
-}
-
-#location ~ /\.well-known {
-#  allow all;
-#}
-location ~ /\. {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Deny backup extensions & log files
-location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-location ~*  "/(^$|readme|license|example)\.(txt|html)" {
-  return 403;
-}
-# Status pages
-location /nginx_status {
-  stub_status on;
-  access_log off;
-  include common/acl.conf;
-}
-location ~ ^/(status|ping) {
-  include fastcgi_params;
-  fastcgi_pass php71;
-  include common/acl.conf;
-}
-# EasyEngine (ee) utilities
-# phpMyAdmin settings
-location /pma {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpMyAdmin {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpmyadmin {
-  return 301 https://$host:22222/db/pma;
-}
-# Adminer settings
-location /adminer {
-  return 301 https://$host:22222/db/adminer;
-}
+# NGINX CONFIGURATION FOR COMMON LOCATION
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Basic locations files
+location = /favicon.ico {
+  access_log off;
+  log_not_found off;
+  expires max;
+}
+location = /robots.txt {
+  # Some WordPress plugin gererate robots.txt file
+  # Refer #340 issue
+  try_files $uri $uri/ /index.php?$args;
+  access_log off;
+  log_not_found off;
+}
+# Cache static files
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
+{
+  add_header "Access-Control-Allow-Origin" "*";
+  access_log off;
+  log_not_found off;
+  expires max;
+}
+# Cache css & js files
+location ~* \.(?:css(\.map)?|js(\.map)?)$
+{
+  add_header "Access-Control-Allow-Origin" "*";
+  access_log off;
+  log_not_found off;
+  expires 30d;
+}
+# Security settings for better privacy
+# Deny hidden files
+location ~ /\. {
+  deny all;
+}
+# Use the directory /var/www/html to valide acme-challenge
+# just create the sub-directories .well-known/acme-challenge and set www-data as owner
+# #
+# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
+# #
+location /.well-known/acme-challenge/ {
+    alias /var/www/html/.well-known/acme-challenge/;
+}
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
+location ~*  "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
+   deny all;
+}
+# Deny backup extensions & log files and return 403 forbidden
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+  deny all;
+}
+# common nginx configuration to block sql injection and other attacks
+location ~* "(eval\()" {
+    deny all;
+}
+location ~* "(127\.0\.0\.1)" {
+    deny all;
+}
+location ~* "([a-z0-9]{2000})" {
+    deny all;
+}
+location ~* "(javascript\:)(.*)(\;)" {
+    deny all;
+}
+location ~* "(base64_encode)(.*)(\()" {
+    deny all;
+}
+location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
+    deny all;
+}
+location ~* "(<|%3C).*script.*(>|%3)" {
+    deny all;
+}
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
+    deny all;
+}
+location ~* "(boot\.ini|etc/passwd|self/environ)" {
+    deny all;
+}
+location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
+    deny all;
+}
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
+    deny all;
+}
+location ~* "(https?|ftp|php):/" {
+    deny all;
+}
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
+    deny all;
+}
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
+    deny all;
+}
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
+    deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+    deny all;
+}
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
+    deny all;
+}
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
+    deny all;
+}
+# Status pages
+location /nginx_status {
+  stub_status on;
+  access_log off;
+  include common/acl.conf;
+}
+location ~ ^/(status|ping) {
+  include fastcgi_params;
+  fastcgi_pass php71;
+  include common/acl.conf;
+}
+# EasyEngine (ee) utilities
+# phpMyAdmin settings
+location /pma {
+  return 301 https://$host:22222/db/pma;
+}
+location /phpMyAdmin {
+  return 301 https://$host:22222/db/pma;
+}
+location /phpmyadmin {
+  return 301 https://$host:22222/db/pma;
+}
+# Adminer settings
+location /adminer {
+  return 301 https://$host:22222/db/adminer;
+}
--- a/docs/files/etc/nginx/common/locations-php72.conf
+++ b/docs/files/etc/nginx/common/locations-php72.conf
@ -1,79 +1,137 @@
-# NGINX CONFIGURATION FOR COMMON LOCATION
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Basic locations files
-location = /favicon.ico {
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-location = /robots.txt {
-  # Some WordPress plugin gererate robots.txt file
-  # Refer #340 issue
-  try_files $uri $uri/ /index.php?$args;
-  access_log off;
-  log_not_found off;
-}
-# Cache static files
-location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-# Cache static files
-location ~* \.(css|js)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires 30d;
-}
-# Security settings for better privacy
-# Deny hidden files
-location /.well-known/acme-challenge/ {
-    alias /var/www/html/.well-known/acme-challenge/;
-}
-
-#location ~ /\.well-known {
-#  allow all;
-#}
-location ~ /\. {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Deny backup extensions & log files
-location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-location ~*  "/(^$|readme|license|example)\.(txt|html)" {
-  return 403;
-}
-# Status pages
-location /nginx_status {
-  stub_status on;
-  access_log off;
-  include common/acl.conf;
-}
-location ~ ^/(status|ping) {
-  include fastcgi_params;
-  fastcgi_pass php71;
-  include common/acl.conf;
-}
-# EasyEngine (ee) utilities
-# phpMyAdmin settings
-location /pma {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpMyAdmin {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpmyadmin {
-  return 301 https://$host:22222/db/pma;
-}
-# Adminer settings
-location /adminer {
-  return 301 https://$host:22222/db/adminer;
-}
+# NGINX CONFIGURATION FOR COMMON LOCATION
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Basic locations files
+location = /favicon.ico {
+    try_files /favicon.ico @empty;
+    access_log off;
+    log_not_found off;
+    expires max;
+
+}
+
+location @empty {
+    empty_gif;
+}
+location = /robots.txt {
+# Some WordPress plugin gererate robots.txt file
+# Refer #340 issue
+    try_files $uri $uri/ /index.php?$args;
+    access_log off;
+    log_not_found off;
+}
+# Cache static files
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires max;
+}
+# Cache css & js files
+location ~* \.(?:css(\.map)?|js(\.map)?)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires 30d;
+}
+# Security settings for better privacy
+# Deny hidden files
+location ~ /\. {
+    deny all;
+}
+# Use the directory /var/www/html to valide acme-challenge
+# just create the sub-directories .well-known/acme-challenge and set www-data as owner
+# #
+# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
+# #
+location /.well-known/acme-challenge/ {
+    alias /var/www/html/.well-known/acme-challenge/;
+}
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
+location ~*  "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
+    deny all;
+}
+# Deny backup extensions & log files and return 403 forbidden
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+    deny all;
+}
+# common nginx configuration to block sql injection and other attacks
+location ~* "(eval\()" {
+    deny all;
+}
+location ~* "(127\.0\.0\.1)" {
+    deny all;
+}
+location ~* "([a-z0-9]{2000})" {
+    deny all;
+}
+location ~* "(javascript\:)(.*)(\;)" {
+    deny all;
+}
+location ~* "(base64_encode)(.*)(\()" {
+    deny all;
+}
+location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
+    deny all;
+}
+location ~* "(<|%3C).*script.*(>|%3)" {
+    deny all;
+}
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
+    deny all;
+}
+location ~* "(boot\.ini|etc/passwd|self/environ)" {
+    deny all;
+}
+location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
+    deny all;
+}
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
+    deny all;
+}
+location ~* "(https?|ftp|php):/" {
+    deny all;
+}
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
+    deny all;
+}
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
+    deny all;
+}
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
+    deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+    deny all;
+}
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
+    deny all;
+}
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
+    deny all;
+}
+# Status pages
+location /nginx_status {
+    stub_status on;
+    access_log off;
+    include common/acl.conf;
+}
+location ~ ^/(status|ping) {
+    include fastcgi_params;
+    include common/acl.conf;
+    fastcgi_pass php72;
+}
+# EasyEngine (ee) utilities
+# phpMyAdmin settings
+location /pma {
+    return 301 https://$host:22222/db/pma;
+}
+location /phpMyAdmin {
+    return 301 https://$host:22222/db/pma;
+}
+location /phpmyadmin {
+    return 301 https://$host:22222/db/pma;
+}
+# Adminer settings
+location /adminer {
+    return 301 https://$host:22222/db/adminer;
+}
--- a/docs/files/etc/nginx/common/wpcommon-php7.conf
+++ b/docs/files/etc/nginx/common/wpcommon-php7.conf
@ -1,35 +1,37 @@
-# WordPress COMMON SETTINGS
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Limit access to avoid brute force attack
-location = /wp-login.php {
-  limit_req zone=one burst=1 nodelay;
-  include fastcgi_params;
-  fastcgi_pass php7;
-}
-# Disable wp-config.txt
-location = /wp-config.txt {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Disallow php in upload folder
-location /wp-content/uploads/ {
-  location ~ \.php$ {
-    #Prevent Direct Access Of PHP Files From Web Browsers
-    deny all;
-  }
-  location ~ \.(png|jpe?g)$ {
-  add_header Vary "Accept-Encoding";
-  add_header "Access-Control-Allow-Origin" "*";
-  add_header Cache-Control "public, no-transform";
-  access_log off;
-  log_not_found off;
-  expires max;
-  try_files $uri$webp_suffix $uri =404;
-  }
-}
-
-# mitigate DoS attack CVE with WordPress script concatenation
-location ~ \/wp-admin\/load-(scripts|styles).php {
-  deny all;
-}
+# WordPress COMMON SETTINGS
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Limit access to avoid brute force attack
+location = /wp-login.php {
+    limit_req zone=one burst=1 nodelay;
+    include fastcgi_params;
+    fastcgi_pass php7;
+}
+# Disable wp-config.txt
+location = /wp-config.txt {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+# Disallow php in upload folder and add webp rewrite
+location /wp-content/uploads/ {
+    location ~ \.php$ {
+#Prevent Direct Access Of PHP Files From Web Browsers
+        deny all;
+    }
+    # webp rewrite rules
+    location ~ \.(png|jpe?g)$ {
+        add_header Vary "Accept-Encoding";
+        add_header "Access-Control-Allow-Origin" "*";
+        add_header Cache-Control "public, no-transform";
+        access_log off;
+        log_not_found off;
+        expires max;
+        try_files $uri$webp_suffix $uri =404;
+    }
+}
+# mitigate DoS attack CVE with WordPress script concatenation
+# add the following line to wp-config.php
+# define( 'CONCATENATE_SCRIPTS', false );
+location ~ \/wp-admin\/load-(scripts|styles).php {
+    deny all;
+}
--- a/docs/files/etc/nginx/common/wpcommon-php71.conf
+++ b/docs/files/etc/nginx/common/wpcommon-php71.conf
@ -1,35 +1,37 @@
-# WordPress COMMON SETTINGS
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Limit access to avoid brute force attack
-location = /wp-login.php {
-  limit_req zone=one burst=1 nodelay;
-  include fastcgi_params;
-  fastcgi_pass php71;
-}
-# Disable wp-config.txt
-location = /wp-config.txt {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Disallow php in upload folder and add webp rewrite
-location /wp-content/uploads/ {
-  location ~ \.php$ {
-    #Prevent Direct Access Of PHP Files From Web Browsers
-    deny all;
-  }
-  location ~ \.(png|jpe?g)$ {
-  add_header Vary "Accept-Encoding";
-  add_header "Access-Control-Allow-Origin" "*";
-  add_header Cache-Control "public, no-transform";
-  access_log off;
-  log_not_found off;
-  expires max;
-  try_files $uri$webp_suffix $uri =404;
-  }
-}
-
-# mitigate DoS attack CVE with WordPress script concatenation
-location ~ \/wp-admin\/load-(scripts|styles).php {
-  deny all;
-}
+# WordPress COMMON SETTINGS
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Limit access to avoid brute force attack
+location = /wp-login.php {
+    limit_req zone=one burst=1 nodelay;
+    include fastcgi_params;
+    fastcgi_pass php71;
+}
+# Disable wp-config.txt
+location = /wp-config.txt {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+# Disallow php in upload folder and add webp rewrite
+location /wp-content/uploads/ {
+    location ~ \.php$ {
+#Prevent Direct Access Of PHP Files From Web Browsers
+        deny all;
+    }
+    # webp rewrite rules
+    location ~ \.(png|jpe?g)$ {
+        add_header Vary "Accept-Encoding";
+        add_header "Access-Control-Allow-Origin" "*";
+        add_header Cache-Control "public, no-transform";
+        access_log off;
+        log_not_found off;
+        expires max;
+        try_files $uri$webp_suffix $uri =404;
+    }
+}
+# mitigate DoS attack CVE with WordPress script concatenation
+# add the following line to wp-config.php
+# define( 'CONCATENATE_SCRIPTS', false );
+location ~ \/wp-admin\/load-(scripts|styles).php {
+    deny all;
+}
--- a/docs/files/etc/nginx/common/wpcommon-php72.conf
+++ b/docs/files/etc/nginx/common/wpcommon-php72.conf
@ -1,35 +1,37 @@
-# WordPress COMMON SETTINGS
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Limit access to avoid brute force attack
-location = /wp-login.php {
-  limit_req zone=one burst=1 nodelay;
-  include fastcgi_params;
-  fastcgi_pass php72;
-}
-# Disable wp-config.txt
-location = /wp-config.txt {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Disallow php in upload folder and add webp rewrite
-location /wp-content/uploads/ {
-  location ~ \.php$ {
-    #Prevent Direct Access Of PHP Files From Web Browsers
-    deny all;
-  }
-  location ~ \.(png|jpe?g)$ {
-  add_header Vary "Accept-Encoding";
-  add_header "Access-Control-Allow-Origin" "*";
-  add_header Cache-Control "public, no-transform";
-  access_log off;
-  log_not_found off;
-  expires max;
-  try_files $uri$webp_suffix $uri =404;
-  }
-}
-
-# mitigate DoS attack CVE with WordPress script concatenation
-location ~ \/wp-admin\/load-(scripts|styles).php {
-  deny all;
-}
+# WordPress COMMON SETTINGS
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Limit access to avoid brute force attack
+location = /wp-login.php {
+    limit_req zone=one burst=1 nodelay;
+    include fastcgi_params;
+    fastcgi_pass php72;
+}
+# Disable wp-config.txt
+location = /wp-config.txt {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+# Disallow php in upload folder and add webp rewrite
+location /wp-content/uploads/ {
+    location ~ \.php$ {
+#Prevent Direct Access Of PHP Files From Web Browsers
+        deny all;
+    }
+    # webp rewrite rules
+    location ~ \.(png|jpe?g)$ {
+        add_header Vary "Accept-Encoding";
+        add_header "Access-Control-Allow-Origin" "*";
+        add_header Cache-Control "public, no-transform";
+        access_log off;
+        log_not_found off;
+        expires max;
+        try_files $uri$webp_suffix $uri =404;
+    }
+}
+# mitigate DoS attack CVE with WordPress script concatenation
+# add the following line to wp-config.php
+# define( 'CONCATENATE_SCRIPTS', false );
+location ~ \/wp-admin\/load-(scripts|styles).php {
+    deny all;
+}
--- a/docs/files/etc/nginx/nginx-intermediate.conf
+++ b/docs/files/etc/nginx/nginx-intermediate.conf
@ -18,10 +18,16 @@ http
    ##

    sendfile on;
+    sendfile_max_chunk 512k;
+
    tcp_nopush on;
    tcp_nodelay on;
-    keepalive_timeout 30;
-    types_hash_max_size 2048;
+
+    keepalive_timeout 8;
+    keepalive_requests 500;
+
+    lingering_time 20s;
+    lingering_timeout 5s;

    server_tokens off;
    reset_timedout_connection on;
--- a/docs/files/etc/nginx/nginx-tlsv12.conf
+++ b/docs/files/etc/nginx/nginx-tlsv12.conf
@ -0,0 +1,186 @@
+user www-data;
+worker_processes auto;
+worker_cpu_affinity auto;
+worker_rlimit_nofile 100000;
+pid /run/nginx.pid;
+
+events
+{
+    worker_connections 16384;
+    multi_accept on;
+    use epoll;
+}
+
+http
+{
+    ##
+    # EasyEngine Settings
+    ##
+
+    sendfile on;
+    sendfile_max_chunk 512k;
+
+    tcp_nopush on;
+    tcp_nodelay on;
+
+    keepalive_timeout 8;
+    keepalive_requests 500;
+
+    lingering_time 20s;
+    lingering_timeout 5s;
+
+    server_tokens off;
+    reset_timedout_connection on;
+    add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
+    add_header rt-Fastcgi-Cache $upstream_cache_status;
+
+    # Limit Request
+    limit_req_status 403;
+    limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
+
+    #Simple DOS mitigation
+    ##Max c/s by ip
+    #limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
+    #limit_conn limit_per_ip 80;
+
+    ##Max rq/s by ip
+    #limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
+    #limit_req zone=allips burst=400 nodelay;
+
+    # Proxy Settings
+    # set_real_ip_from	proxy-server-ip;
+    # real_ip_header	X-Forwarded-For;
+
+    fastcgi_read_timeout 120s;
+    client_max_body_size 100m;
+
+    #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
+    aio threads;
+
+    # tls dynamic records patch directive
+    ssl_dyn_rec_enable on;
+
+    # nginx-vts-status module
+    vhost_traffic_status_zone;
+
+    resolver 8.8.8.8 1.1.1.1 valid=300s;
+    resolver_timeout 10;
+
+    ##
+    # GeoIP module configuration, before removing comments
+    # read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
+    ##
+    #geoip_country /usr/share/GeoIP/GeoIP.dat;
+    #geoip_city /usr/share/GeoIP/GeoIPCity.dat;
+
+    ##
+    # SSL Settings
+    ##
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+    ssl_ecdh_curve X25519:P-521:P-384:P-256;
+
+    ##Common headers for security
+    more_set_headers "X-Frame-Options : SAMEORIGIN";
+    more_set_headers "X-Xss-Protection : 1; mode=block";
+    more_set_headers "X-Content-Type-Options : nosniff";
+    more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
+    ##
+    # Basic Settings
+    ##
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ##
+    # Logging Settings
+    # access_log disabled for performance
+    ##
+
+    access_log off;
+    error_log /var/log/nginx/error.log;
+
+    # Log format Settings
+    log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
+    '$http_host "$request" $status $body_bytes_sent '
+    '"$http_referer" "$http_user_agent" $server_protocol';
+
+    # ipscrub settings
+    ipscrub_period_seconds 3600;
+
+    ##
+    # Gzip Settings
+    ##
+
+    gzip on;
+    gzip_disable "msie6";
+
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types
+    application/atom+xml
+    application/javascript
+    application/json
+    application/rss+xml
+    application/vnd.ms-fontobject
+    application/x-font-ttf
+    application/x-web-app-manifest+json
+    application/xhtml+xml
+    application/xml
+    font/opentype
+    image/svg+xml
+    image/x-icon
+    text/css
+    text/plain
+    text/x-component
+    text/xml
+    text/javascript;
+
+    ##
+    # Brotli Settings
+    ##
+
+    brotli on;
+    brotli_static on;
+    brotli_buffers 16 8k;
+    brotli_comp_level 6;
+    brotli_types *;
+
+
+    ##
+    # Virtual Host Configs
+    ##
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+#
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}
--- a/docs/files/etc/nginx/nginx.conf
+++ b/docs/files/etc/nginx/nginx.conf
@ -19,11 +19,16 @@ http {
 # EasyEngine Settings
 ##
    sendfile on;
+    sendfile_max_chunk 512k;
+
    tcp_nopush on;
    tcp_nodelay on;

-    keepalive_timeout 30;
-    types_hash_max_size 2048;
+    keepalive_timeout 8;
+    keepalive_requests 500;
+
+    lingering_time 20s;
+    lingering_timeout 5s;

    server_tokens off;
    reset_timedout_connection on;
@ -72,7 +77,7 @@ http {
 # ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
   
    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers 'TLS13+AESGCM+AES128:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+    ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
--- a/docs/files/etc/nginx/sites-available/22222
+++ b/docs/files/etc/nginx/sites-available/22222
@ -25,12 +25,12 @@ server {
  location / {
    try_files $uri $uri/ /index.php?$args;
  }
-  
-  # nginx-vts-status 
-  #location /vts_status {
-  #vhost_traffic_status_display;
-  #vhost_traffic_status_display_format html;
-  #}
+
+  # nginx-vts-status
+  location /vts_status {
+  vhost_traffic_status_display;
+  vhost_traffic_status_display_format html;
+  }

  # Display menu at location /fpm/status/
  location =  /fpm/status/ {}
--- a/docs/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
+++ b/docs/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
@ -1,14 +1,37 @@
-# Kernel sysctl configuration file 
-# Sources : 
+# Kernel sysctl configuration file for Linux
+#
+# Version 1.14 - 2018-09-13
+# Michiel Klaver - IT Professional
+# Modified by VirtuBox
+#
+# Sources :
+# https://klaver.it/linux/sysctl.conf
 # https://easyengine.io/tutorials/linux/sysctl-conf/
-# http://klaver.it/linux/ 
 #
 #
-# sysctl -e -p /etc/sysctl.conf
+# Credits:
 #
+# http://www.enigma.id.au/linux_tuning.txt
+# http://www.securityfocus.com/infocus/1729
+# http://fasterdata.es.net/TCP-tuning/linux.html
+# http://fedorahosted.org/ktune/browser/sysctl.ktune
+# http://www.cymru.com/Documents/ip-stack-tuning.html
+# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
+# http://knol.google.com/k/linux-performance-tuning-and-measurement
+# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
+# http://www.redbooks.ibm.com/abstracts/REDP4285.html
+# http://www.speedguide.net/read_articles.php?id=121
+# http://lartc.org/howto/lartc.kernel.obscure.html
+# http://en.wikipedia.org/wiki/Sysctl
+#
+# Usage
+# wget -O /etc/sysctl.d/10-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/10-ubuntu-nginx-web-server.conf
+#
+# sysctl -p
 # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and sysctl.conf(5) for more details.
 #
-# 
+
 ###
 ### GENERAL SYSTEM SECURITY OPTIONS ###
 ###
@ -16,9 +39,21 @@
 # Controls the System Request debugging functionality of the kernel
 kernel.sysrq = 0

+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
 #Allow for more PIDs
 kernel.pid_max = 65535

+# The contents of /proc/<pid>/maps and smaps files are only visible to
+# readers that are allowed to ptrace() the process
+kernel.maps_protect = 1
+
+#Enable ExecShield protection
+kernel.exec-shield = 1
+kernel.randomize_va_space = 2
+
 # Controls the maximum size of a message, in bytes
 kernel.msgmnb = 65535

@ -31,34 +66,44 @@ fs.suid_dumpable = 0
 # Hide exposed kernel pointers
 kernel.kptr_restrict = 1

+###
 ### IMPROVE SYSTEM MEMORY MANAGEMENT ###
-
-# Increase size of file handles and inode cache
-fs.file-max = 2097152
+###

 # Increase size of file handles and inode cache
 fs.file-max = 209708
+
 # Do less swapping
 vm.swappiness = 10
 vm.dirty_ratio = 30
-vm.dirty_background_ratio = 2
+vm.dirty_background_ratio = 5

-# Redis configuration
+# specifies the minimum virtual address that a process is allowed to mmap
+vm.mmap_min_addr = 4096
+
+# 50% overcommitment of available memory
+vm.overcommit_ratio = 50
+
+# allow memory overcommit required for redis
 vm.overcommit_memory = 1

+# Set maximum amount of memory allocated to shm to 256MB
+kernel.shmmax = 268435456
+kernel.shmall = 268435456
+
+# Keep at least 64MB of free RAM space available
+vm.min_free_kbytes = 65535
+
+###
+### GENERAL NETWORK SECURITY OPTIONS ###
+###
+
 #Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
 net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_syn_retries = 2
 net.ipv4.tcp_synack_retries = 2
 net.ipv4.tcp_max_syn_backlog = 4096

-# Disables packet forwarding
-net.ipv4.ip_forward = 0
-net.ipv4.conf.all.forwarding = 0
-net.ipv4.conf.default.forwarding = 0
-net.ipv6.conf.all.forwarding = 0
-net.ipv6.conf.default.forwarding = 0
-
 # Disables IP source routing
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
@ -120,7 +165,10 @@ net.ipv6.conf.all.autoconf=0
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.default.autoconf=0
 net.ipv6.conf.default.accept_ra=0
-
+net.ipv6.conf.all.accept_ra_defrtr = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.all.accept_ra_pinfo = 0
+net.ipv6.conf.default.accept_ra_pinfo = 0

 ###
 ### TUNING NETWORK PERFORMANCE ###
@ -169,9 +217,12 @@ net.ipv4.tcp_tw_reuse = 1
 net.ipv4.tcp_max_orphans = 16384
 net.ipv4.tcp_orphan_retries = 0

-# Increase the maximum memory used to reassemble IP fragments
-net.ipv4.ipfrag_high_thresh = 512000
-net.ipv4.ipfrag_low_thresh = 446464
+# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
+net.ipv4.ipfrag_low_thresh = 196608
+net.ipv6.ip6frag_low_thresh = 196608
+net.ipv4.ipfrag_high_thresh = 262144
+net.ipv6.ip6frag_high_thresh = 262144
+

 # don't cache ssthresh from previous connection
 net.ipv4.tcp_no_metrics_save = 1
--- a/etc/mysql/my.cnf
+++ b/etc/mysql/my.cnf
@ -37,10 +37,11 @@ tmpdir		= /tmp
 lc_messages_dir	= /usr/share/mysql
 lc_messages	= en_US
 skip-external-locking
+performance_schema = ON
 #
 # Instead of skip-networking the default is now to listen only on
 # localhost which is more compatible and is not less secure.
-bind-address		= 127.0.0.1
+bind-address = ::ffff:127.0.0.1
 #
 # * Fine Tuning
 #
@ -71,9 +72,9 @@ read_rnd_buffer_size	= 1M
 #
 # Cache only tiny result sets, so we can fit more in the query cache.
 query_cache_limit		= 128K
-query_cache_size		= 64M
+query_cache_size		= 0
 # for more write intensive setups, set to DEMAND or OFF
-#query_cache_type		= DEMAND
+query_cache_type		= 0
 #
 # * Logging and Replication
 #
@ -89,7 +90,7 @@ query_cache_size		= 64M
 log_warnings		= 2
 #
 # Enable the slow query log to see queries with especially long duration
-#slow_query_log[={0|1}]
+slow_query_log = 1
 slow_query_log_file	= /var/log/mysql/mariadb-slow.log
 long_query_time = 10
 #log_slow_rate_limit	= 1000
--- a/etc/nginx/common/acl.conf
+++ b/etc/nginx/common/acl.conf
@ -0,0 +1,8 @@
+	# EasyEngine (ee) protect locations using
+	# HTTP authentication || IP address
+	satisfy any;
+	auth_basic "Restricted Area";
+	auth_basic_user_file htpasswd-ee;
+	# Allowed IP Address List
+	allow 127.0.0.1;
+	deny all;
--- a/etc/nginx/common/locations-php7.conf
+++ b/etc/nginx/common/locations-php7.conf
@ -1,79 +1,131 @@
-# NGINX CONFIGURATION FOR COMMON LOCATION
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Basic locations files
-location = /favicon.ico {
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-location = /robots.txt {
-  # Some WordPress plugin gererate robots.txt file
-  # Refer #340 issue
-  try_files $uri $uri/ /index.php?$args;
-  access_log off;
-  log_not_found off;
-}
-# Cache static files
-location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-# Cache static files
-location ~* \.(css|js)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires 30d;
-}
-# Security settings for better privacy
-# Deny hidden files
-location /.well-known/acme-challenge/ {
-    alias /var/www/html/.well-known/acme-challenge/;
-}
-
-#location ~ /\.well-known {
-#  allow all;
-#}
-location ~ /\. {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Deny backup extensions & log files
-location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-location ~*  "/(^$|readme|license|example)\.(txt|html)" {
-  return 403;
-}
-# Status pages
-location /nginx_status {
-  stub_status on;
-  access_log off;
-  include common/acl.conf;
-}
-location ~ ^/(status|ping) {
-  include fastcgi_params;
-  fastcgi_pass php7;
-  include common/acl.conf;
-}
-# EasyEngine (ee) utilities
-# phpMyAdmin settings
-location /pma {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpMyAdmin {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpmyadmin {
-  return 301 https://$host:22222/db/pma;
-}
-# Adminer settings
-location /adminer {
-  return 301 https://$host:22222/db/adminer;
-}
+# NGINX CONFIGURATION FOR COMMON LOCATION
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Basic locations files
+location = /favicon.ico {
+    access_log off;
+    log_not_found off;
+    expires max;
+}
+location = /robots.txt {
+# Some WordPress plugin gererate robots.txt file
+# Refer #340 issue
+    try_files $uri $uri/ /index.php?$args;
+    access_log off;
+    log_not_found off;
+}
+# Cache static files
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires max;
+}
+# Cache css & js files
+location ~* \.(?:css(\.map)?|js(\.map)?)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires 30d;
+}
+# Security settings for better privacy
+# Deny hidden files
+location ~ /\.(?!well-known\/) {
+    deny all;
+}
+# Use the directory /var/www/html to valide acme-challenge
+# just create the sub-directories .well-known/acme-challenge and set www-data as owner
+# #
+# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
+# #
+location /.well-known/acme-challenge/ {
+    alias /var/www/html/.well-known/acme-challenge/;
+}
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
+location ~*  "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
+    deny all;
+}
+# Deny backup extensions & log files and return 403 forbidden
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+    deny all;
+}
+# common nginx configuration to block sql injection and other attacks
+location ~* "(eval\()" {
+    deny all;
+}
+location ~* "(127\.0\.0\.1)" {
+    deny all;
+}
+location ~* "([a-z0-9]{2000})" {
+    deny all;
+}
+location ~* "(javascript\:)(.*)(\;)" {
+    deny all;
+}
+location ~* "(base64_encode)(.*)(\()" {
+    deny all;
+}
+location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
+    deny all;
+}
+location ~* "(<|%3C).*script.*(>|%3)" {
+    deny all;
+}
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
+    deny all;
+}
+location ~* "(boot\.ini|etc/passwd|self/environ)" {
+    deny all;
+}
+location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
+    deny all;
+}
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
+    deny all;
+}
+location ~* "(https?|ftp|php):/" {
+    deny all;
+}
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
+    deny all;
+}
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
+    deny all;
+}
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
+    deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+    deny all;
+}
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
+    deny all;
+}
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
+    deny all;
+}
+# Status pages
+location = /nginx_status {
+    stub_status on;
+    access_log off;
+    include common/acl.conf;
+}
+location ~ ^/(status|ping)$ {
+    include fastcgi_params;
+    include common/acl.conf;
+    fastcgi_pass php7;
+}
+# EasyEngine (ee) utilities
+# phpMyAdmin settings
+location = /pma {
+    return 301 https://$host:22222/db/pma;
+}
+location = /phpMyAdmin {
+    return 301 https://$host:22222/db/pma;
+}
+location = /phpmyadmin {
+    return 301 https://$host:22222/db/pma;
+}
+# Adminer settings
+location = /adminer {
+    return 301 https://$host:22222/db/adminer;
+}
--- a/etc/nginx/common/locations-php71.conf
+++ b/etc/nginx/common/locations-php71.conf
@ -1,79 +1,133 @@
-# NGINX CONFIGURATION FOR COMMON LOCATION
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Basic locations files
-location = /favicon.ico {
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-location = /robots.txt {
-  # Some WordPress plugin gererate robots.txt file
-  # Refer #340 issue
-  try_files $uri $uri/ /index.php?$args;
-  access_log off;
-  log_not_found off;
-}
-# Cache static files
-location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-# Cache static files
-location ~* \.(css|js)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires 30d;
-}
-# Security settings for better privacy
-# Deny hidden files
-location /.well-known/acme-challenge/ {
-    alias /var/www/html/.well-known/acme-challenge/;
-}
-
-#location ~ /\.well-known {
-#  allow all;
-#}
-location ~ /\. {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Deny backup extensions & log files
-location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-location ~*  "/(^$|readme|license|example)\.(txt|html)" {
-  return 403;
-}
-# Status pages
-location /nginx_status {
-  stub_status on;
-  access_log off;
-  include common/acl.conf;
-}
-location ~ ^/(status|ping) {
-  include fastcgi_params;
-  fastcgi_pass php71;
-  include common/acl.conf;
-}
-# EasyEngine (ee) utilities
-# phpMyAdmin settings
-location /pma {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpMyAdmin {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpmyadmin {
-  return 301 https://$host:22222/db/pma;
-}
-# Adminer settings
-location /adminer {
-  return 301 https://$host:22222/db/adminer;
-}
+# NGINX CONFIGURATION FOR COMMON LOCATION
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Basic locations files
+location = /favicon.ico {
+  access_log off;
+  log_not_found off;
+  expires max;
+}
+location = /robots.txt {
+  # Some WordPress plugin gererate robots.txt file
+  # Refer #340 issue
+  try_files $uri $uri/ /index.php?$args;
+  access_log off;
+  log_not_found off;
+}
+# Cache static files
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
+{
+  add_header "Access-Control-Allow-Origin" "*";
+  access_log off;
+  log_not_found off;
+  expires max;
+}
+# Cache css & js files
+location ~* \.(?:css(\.map)?|js(\.map)?)$
+{
+  add_header "Access-Control-Allow-Origin" "*";
+  access_log off;
+  log_not_found off;
+  expires 30d;
+}
+# Security settings for better privacy
+# Deny hidden files
+location ~ /\.(?!well-known\/) {
+    deny all;
+}
+# Use the directory /var/www/html to valide acme-challenge
+# just create the sub-directories .well-known/acme-challenge and set www-data as owner
+# #
+# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
+# #
+location /.well-known/acme-challenge/ {
+    alias /var/www/html/.well-known/acme-challenge/;
+}
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
+location ~*  "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
+   deny all;
+}
+# Deny backup extensions & log files and return 403 forbidden
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+  deny all;
+}
+# common nginx configuration to block sql injection and other attacks
+location ~* "(eval\()" {
+    deny all;
+}
+location ~* "(127\.0\.0\.1)" {
+    deny all;
+}
+location ~* "([a-z0-9]{2000})" {
+    deny all;
+}
+location ~* "(javascript\:)(.*)(\;)" {
+    deny all;
+}
+location ~* "(base64_encode)(.*)(\()" {
+    deny all;
+}
+location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
+    deny all;
+}
+location ~* "(<|%3C).*script.*(>|%3)" {
+    deny all;
+}
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
+    deny all;
+}
+location ~* "(boot\.ini|etc/passwd|self/environ)" {
+    deny all;
+}
+location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
+    deny all;
+}
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
+    deny all;
+}
+location ~* "(https?|ftp|php):/" {
+    deny all;
+}
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
+    deny all;
+}
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
+    deny all;
+}
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
+    deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+    deny all;
+}
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
+    deny all;
+}
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
+    deny all;
+}
+# Status pages
+location /nginx_status {
+  stub_status on;
+  access_log off;
+  include common/acl.conf;
+}
+location ~ ^/(status|ping) {
+  include fastcgi_params;
+  fastcgi_pass php71;
+  include common/acl.conf;
+}
+# EasyEngine (ee) utilities
+# phpMyAdmin settings
+location /pma {
+  return 301 https://$host:22222/db/pma;
+}
+location /phpMyAdmin {
+  return 301 https://$host:22222/db/pma;
+}
+location /phpmyadmin {
+  return 301 https://$host:22222/db/pma;
+}
+# Adminer settings
+location /adminer {
+  return 301 https://$host:22222/db/adminer;
+}
--- a/etc/nginx/common/locations-php72.conf
+++ b/etc/nginx/common/locations-php72.conf
@ -1,79 +1,137 @@
-# NGINX CONFIGURATION FOR COMMON LOCATION
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Basic locations files
-location = /favicon.ico {
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-location = /robots.txt {
-  # Some WordPress plugin gererate robots.txt file
-  # Refer #340 issue
-  try_files $uri $uri/ /index.php?$args;
-  access_log off;
-  log_not_found off;
-}
-# Cache static files
-location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires max;
-}
-# Cache static files
-location ~* \.(css|js)$ {
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires 30d;
-}
-# Security settings for better privacy
-# Deny hidden files
-location /.well-known/acme-challenge/ {
-    alias /var/www/html/.well-known/acme-challenge/;
-}
-
-#location ~ /\.well-known {
-#  allow all;
-#}
-location ~ /\. {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Deny backup extensions & log files
-location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
-location ~*  "/(^$|readme|license|example)\.(txt|html)" {
-  return 403;
-}
-# Status pages
-location /nginx_status {
-  stub_status on;
-  access_log off;
-  include common/acl.conf;
-}
-location ~ ^/(status|ping) {
-  include fastcgi_params;
-  fastcgi_pass php71;
-  include common/acl.conf;
-}
-# EasyEngine (ee) utilities
-# phpMyAdmin settings
-location /pma {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpMyAdmin {
-  return 301 https://$host:22222/db/pma;
-}
-location /phpmyadmin {
-  return 301 https://$host:22222/db/pma;
-}
-# Adminer settings
-location /adminer {
-  return 301 https://$host:22222/db/adminer;
-}
+# NGINX CONFIGURATION FOR COMMON LOCATION
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Basic locations files
+location = /favicon.ico {
+    try_files /favicon.ico @empty;
+    access_log off;
+    log_not_found off;
+    expires max;
+
+}
+
+location @empty {
+    empty_gif;
+}
+location = /robots.txt {
+# Some WordPress plugin gererate robots.txt file
+# Refer #340 issue
+    try_files $uri $uri/ /index.php?$args;
+    access_log off;
+    log_not_found off;
+}
+# Cache static files
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires max;
+}
+# Cache css & js files
+location ~* \.(?:css(\.map)?|js(\.map)?)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires 30d;
+}
+# Security settings for better privacy
+# Deny hidden files
+location ~ /\.(?!well-known\/) {
+    deny all;
+}
+# Use the directory /var/www/html to valide acme-challenge
+# just create the sub-directories .well-known/acme-challenge and set www-data as owner
+# #
+# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
+# #
+location /.well-known/acme-challenge/ {
+    alias /var/www/html/.well-known/acme-challenge/;
+}
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
+location ~*  "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
+    deny all;
+}
+# Deny backup extensions & log files and return 403 forbidden
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+    deny all;
+}
+# common nginx configuration to block sql injection and other attacks
+location ~* "(eval\()" {
+    deny all;
+}
+location ~* "(127\.0\.0\.1)" {
+    deny all;
+}
+location ~* "([a-z0-9]{2000})" {
+    deny all;
+}
+location ~* "(javascript\:)(.*)(\;)" {
+    deny all;
+}
+location ~* "(base64_encode)(.*)(\()" {
+    deny all;
+}
+location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
+    deny all;
+}
+location ~* "(<|%3C).*script.*(>|%3)" {
+    deny all;
+}
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
+    deny all;
+}
+location ~* "(boot\.ini|etc/passwd|self/environ)" {
+    deny all;
+}
+location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
+    deny all;
+}
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
+    deny all;
+}
+location ~* "(https?|ftp|php):/" {
+    deny all;
+}
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
+    deny all;
+}
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
+    deny all;
+}
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
+    deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+    deny all;
+}
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
+    deny all;
+}
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
+    deny all;
+}
+# Status pages
+location /nginx_status {
+    stub_status on;
+    access_log off;
+    include common/acl.conf;
+}
+location ~ ^/(status|ping) {
+    include fastcgi_params;
+    include common/acl.conf;
+    fastcgi_pass php72;
+}
+# EasyEngine (ee) utilities
+# phpMyAdmin settings
+location /pma {
+    return 301 https://$host:22222/db/pma;
+}
+location /phpMyAdmin {
+    return 301 https://$host:22222/db/pma;
+}
+location /phpmyadmin {
+    return 301 https://$host:22222/db/pma;
+}
+# Adminer settings
+location /adminer {
+    return 301 https://$host:22222/db/adminer;
+}
--- a/etc/nginx/common/wpcommon-php7.conf
+++ b/etc/nginx/common/wpcommon-php7.conf
@ -1,33 +1,37 @@
-# WordPress COMMON SETTINGS
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Limit access to avoid brute force attack
-location = /wp-login.php {
-  limit_req zone=one burst=1 nodelay;
-  include fastcgi_params;
-  fastcgi_pass php7;
-}
-# Disable wp-config.txt
-location = /wp-config.txt {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Disallow php in upload folder
-location /wp-content/uploads/ {
-  location ~ \.php$ {
-    #Prevent Direct Access Of PHP Files From Web Browsers
-    deny all;
-  }
-}
-location ~* ^/wp-content/.+\.(png|jpg)$ {
-  add_header Vary Accept;
-  add_header "Access-Control-Allow-Origin" "*";
-  access_log off;
-  log_not_found off;
-  expires max;
-  try_files $uri$webp_suffix $uri =404;
-}
-
-location ~ \/wp-admin\/load-(scripts|styles).php {
-  deny all;
-}
+# WordPress COMMON SETTINGS
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Limit access to avoid brute force attack
+location = /wp-login.php {
+    limit_req zone=one burst=1 nodelay;
+    include fastcgi_params;
+    fastcgi_pass php7;
+}
+# Disable wp-config.txt
+location = /wp-config.txt {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+# Disallow php in upload folder and add webp rewrite
+location /wp-content/uploads/ {
+    location ~ \.php$ {
+#Prevent Direct Access Of PHP Files From Web Browsers
+        deny all;
+    }
+    # webp rewrite rules
+    location ~ \.(png|jpe?g)$ {
+        add_header Vary "Accept-Encoding";
+        add_header "Access-Control-Allow-Origin" "*";
+        add_header Cache-Control "public, no-transform";
+        access_log off;
+        log_not_found off;
+        expires max;
+        try_files $uri$webp_suffix $uri =404;
+    }
+}
+# mitigate DoS attack CVE with WordPress script concatenation
+# add the following line to wp-config.php
+# define( 'CONCATENATE_SCRIPTS', false );
+location ~ \/wp-admin\/load-(scripts|styles).php {
+    deny all;
+}
--- a/etc/nginx/common/wpcommon-php71.conf
+++ b/etc/nginx/common/wpcommon-php71.conf
@ -1,35 +1,37 @@
-# WordPress COMMON SETTINGS
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Limit access to avoid brute force attack
-location = /wp-login.php {
-  limit_req zone=one burst=1 nodelay;
-  include fastcgi_params;
-  fastcgi_pass php71;
-}
-# Disable wp-config.txt
-location = /wp-config.txt {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Disallow php in upload folder and add webp rewrite
-location /wp-content/uploads/ {
-  location ~ \.php$ {
-    #Prevent Direct Access Of PHP Files From Web Browsers
-    deny all;
-  }
-  location ~ \.(png|jpe?g)$ {
-  add_header Vary "Accept-Encoding";
-  add_header "Access-Control-Allow-Origin" "*";
-  add_header Cache-Control "public, no-transform";
-  access_log off;
-  log_not_found off;
-  expires max;
-  try_files $uri$webp_suffix $uri =404;
-  }
-}
-
-# mitigate DoS attack CVE with WordPress script concatenation
-location ~ \/wp-admin\/load-(scripts|styles).php {
-  deny all;
-}
+# WordPress COMMON SETTINGS
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Limit access to avoid brute force attack
+location = /wp-login.php {
+    limit_req zone=one burst=1 nodelay;
+    include fastcgi_params;
+    fastcgi_pass php71;
+}
+# Disable wp-config.txt
+location = /wp-config.txt {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+# Disallow php in upload folder and add webp rewrite
+location /wp-content/uploads/ {
+    location ~ \.php$ {
+#Prevent Direct Access Of PHP Files From Web Browsers
+        deny all;
+    }
+    # webp rewrite rules
+    location ~ \.(png|jpe?g)$ {
+        add_header Vary "Accept-Encoding";
+        add_header "Access-Control-Allow-Origin" "*";
+        add_header Cache-Control "public, no-transform";
+        access_log off;
+        log_not_found off;
+        expires max;
+        try_files $uri$webp_suffix $uri =404;
+    }
+}
+# mitigate DoS attack CVE with WordPress script concatenation
+# add the following line to wp-config.php
+# define( 'CONCATENATE_SCRIPTS', false );
+location ~ \/wp-admin\/load-(scripts|styles).php {
+    deny all;
+}
--- a/etc/nginx/common/wpcommon-php72.conf
+++ b/etc/nginx/common/wpcommon-php72.conf
@ -1,35 +1,37 @@
-# WordPress COMMON SETTINGS
-# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
-# Limit access to avoid brute force attack
-location = /wp-login.php {
-  limit_req zone=one burst=1 nodelay;
-  include fastcgi_params;
-  fastcgi_pass php72;
-}
-# Disable wp-config.txt
-location = /wp-config.txt {
-  deny all;
-  access_log off;
-  log_not_found off;
-}
-# Disallow php in upload folder and add webp rewrite
-location /wp-content/uploads/ {
-  location ~ \.php$ {
-    #Prevent Direct Access Of PHP Files From Web Browsers
-    deny all;
-  }
-  location ~ \.(png|jpe?g)$ {
-  add_header Vary "Accept-Encoding";
-  add_header "Access-Control-Allow-Origin" "*";
-  add_header Cache-Control "public, no-transform";
-  access_log off;
-  log_not_found off;
-  expires max;
-  try_files $uri$webp_suffix $uri =404;
-  }
-}
-
-# mitigate DoS attack CVE with WordPress script concatenation
-location ~ \/wp-admin\/load-(scripts|styles).php {
-  deny all;
-}
+# WordPress COMMON SETTINGS
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Limit access to avoid brute force attack
+location = /wp-login.php {
+    limit_req zone=one burst=1 nodelay;
+    include fastcgi_params;
+    fastcgi_pass php72;
+}
+# Disable wp-config.txt
+location = /wp-config.txt {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+# Disallow php in upload folder and add webp rewrite
+location /wp-content/uploads/ {
+    location ~ \.php$ {
+#Prevent Direct Access Of PHP Files From Web Browsers
+        deny all;
+    }
+    # webp rewrite rules
+    location ~ \.(png|jpe?g)$ {
+        add_header Vary "Accept-Encoding";
+        add_header "Access-Control-Allow-Origin" "*";
+        add_header Cache-Control "public, no-transform";
+        access_log off;
+        log_not_found off;
+        expires max;
+        try_files $uri$webp_suffix $uri =404;
+    }
+}
+# mitigate DoS attack CVE with WordPress script concatenation
+# add the following line to wp-config.php
+# define( 'CONCATENATE_SCRIPTS', false );
+location ~ \/wp-admin\/load-(scripts|styles).php {
+    deny all;
+}
--- a/etc/nginx/nginx-intermediate.conf
+++ b/etc/nginx/nginx-intermediate.conf
@ -18,10 +18,16 @@ http
    ##

    sendfile on;
+    sendfile_max_chunk 512k;
+
    tcp_nopush on;
    tcp_nodelay on;
-    keepalive_timeout 30;
-    types_hash_max_size 2048;
+
+    keepalive_timeout 8;
+    keepalive_requests 500;
+
+    lingering_time 20s;
+    lingering_timeout 5s;

    server_tokens off;
    reset_timedout_connection on;
--- a/etc/nginx/nginx-tlsv12.conf
+++ b/etc/nginx/nginx-tlsv12.conf
@ -0,0 +1,186 @@
+user www-data;
+worker_processes auto;
+worker_cpu_affinity auto;
+worker_rlimit_nofile 100000;
+pid /run/nginx.pid;
+
+events
+{
+    worker_connections 16384;
+    multi_accept on;
+    use epoll;
+}
+
+http
+{
+    ##
+    # EasyEngine Settings
+    ##
+
+    sendfile on;
+    sendfile_max_chunk 512k;
+
+    tcp_nopush on;
+    tcp_nodelay on;
+
+    keepalive_timeout 8;
+    keepalive_requests 500;
+
+    lingering_time 20s;
+    lingering_timeout 5s;
+
+    server_tokens off;
+    reset_timedout_connection on;
+    add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
+    add_header rt-Fastcgi-Cache $upstream_cache_status;
+
+    # Limit Request
+    limit_req_status 403;
+    limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
+
+    #Simple DOS mitigation
+    ##Max c/s by ip
+    #limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
+    #limit_conn limit_per_ip 80;
+
+    ##Max rq/s by ip
+    #limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
+    #limit_req zone=allips burst=400 nodelay;
+
+    # Proxy Settings
+    # set_real_ip_from	proxy-server-ip;
+    # real_ip_header	X-Forwarded-For;
+
+    fastcgi_read_timeout 120s;
+    client_max_body_size 100m;
+
+    #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
+    aio threads;
+
+    # tls dynamic records patch directive
+    ssl_dyn_rec_enable on;
+
+    # nginx-vts-status module
+    vhost_traffic_status_zone;
+
+    resolver 8.8.8.8 1.1.1.1 valid=300s;
+    resolver_timeout 10;
+
+    ##
+    # GeoIP module configuration, before removing comments
+    # read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
+    ##
+    #geoip_country /usr/share/GeoIP/GeoIP.dat;
+    #geoip_city /usr/share/GeoIP/GeoIPCity.dat;
+
+    ##
+    # SSL Settings
+    ##
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+    ssl_ecdh_curve X25519:P-521:P-384:P-256;
+
+    ##Common headers for security
+    more_set_headers "X-Frame-Options : SAMEORIGIN";
+    more_set_headers "X-Xss-Protection : 1; mode=block";
+    more_set_headers "X-Content-Type-Options : nosniff";
+    more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
+    ##
+    # Basic Settings
+    ##
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ##
+    # Logging Settings
+    # access_log disabled for performance
+    ##
+
+    access_log off;
+    error_log /var/log/nginx/error.log;
+
+    # Log format Settings
+    log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
+    '$http_host "$request" $status $body_bytes_sent '
+    '"$http_referer" "$http_user_agent" $server_protocol';
+
+    # ipscrub settings
+    ipscrub_period_seconds 3600;
+
+    ##
+    # Gzip Settings
+    ##
+
+    gzip on;
+    gzip_disable "msie6";
+
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types
+    application/atom+xml
+    application/javascript
+    application/json
+    application/rss+xml
+    application/vnd.ms-fontobject
+    application/x-font-ttf
+    application/x-web-app-manifest+json
+    application/xhtml+xml
+    application/xml
+    font/opentype
+    image/svg+xml
+    image/x-icon
+    text/css
+    text/plain
+    text/x-component
+    text/xml
+    text/javascript;
+
+    ##
+    # Brotli Settings
+    ##
+
+    brotli on;
+    brotli_static on;
+    brotli_buffers 16 8k;
+    brotli_comp_level 6;
+    brotli_types *;
+
+
+    ##
+    # Virtual Host Configs
+    ##
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+#
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@ -19,11 +19,16 @@ http {
 # EasyEngine Settings
 ##
    sendfile on;
+    sendfile_max_chunk 512k;
+
    tcp_nopush on;
    tcp_nodelay on;

-    keepalive_timeout 30;
-    types_hash_max_size 2048;
+    keepalive_timeout 8;
+    keepalive_requests 500;
+
+    lingering_time 20s;
+    lingering_timeout 5s;

    server_tokens off;
    reset_timedout_connection on;
@ -71,7 +76,7 @@ http {
 # ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
   
    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers 'TLS13+AESGCM+AES128:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+    ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
--- a/etc/nginx/sites-available/22222
+++ b/etc/nginx/sites-available/22222
@ -26,33 +26,59 @@ server {
        vhost_traffic_status_display_format html;
    }

-# Display menu at location /fpm/status/
-    location =  /fpm/status/;
-    location ~ /fpm/status/(.*) {
-        try_files $uri =404;
-        include fastcgi_params;
-        fastcgi_param SCRIPT_NAME  /status;
-        fastcgi_pass $1;
-    }
-    location ~ \.php$ {
-        try_files $uri =404;
-        include fastcgi_params;
-        fastcgi_pass php7;
-    }
-    
-# ViMbAdmin Rules
-    location = /vimbadmin/ {
-        return 301 $scheme://$host:22222/vimbadmin/public/;
-    }
-    location ~* /vimbadmin/public/(.*)/(.*) {
-        root /var/www/22222/htdocs/vimbadmin/public;
-        try_files $uri $uri/  /vimbadmin/public/index.php?$args;
-    }
-    location ~* /vimbadmin/public/(.*) {
-        root /var/www/22222/htdocs/vimbadmin/public;
-        try_files $uri $uri/  /vimbadmin/public/index.php?$args;
-    }
-    location /netdata {
+  root /var/www/22222/htdocs;
+  index index.php index.htm index.html;
+
+  # Turn on directory listing
+  autoindex on;
+
+  # HTTP Authentication on port 22222
+  include common/acl.conf;
+
+  location / {
+    try_files $uri $uri/ /index.php?$args;
+  }
+
+  # nginx-vts-status
+  location /vts_status {
+  vhost_traffic_status_display;
+  vhost_traffic_status_display_format html;
+  }
+
+  # Display menu at location /fpm/status/
+  location =  /fpm/status/ {}
+
+  location ~ /fpm/status/(.*) {
+    try_files $uri =404;
+    include fastcgi_params;
+    fastcgi_param  SCRIPT_NAME  /status;
+    fastcgi_pass $1;
+  }
+
+  location ~ \.php$ {
+    try_files $uri =404;
+    include fastcgi_params;
+    fastcgi_pass php7;
+  }
+
+  # ViMbAdmin Rules
+  location = /vimbadmin/ {
+    return 301 $scheme://$host:22222/vimbadmin/public/;
+  }
+
+
+
+  location ~* /vimbadmin/public/(.*)/(.*) {
+    root /var/www/22222/htdocs/vimbadmin/public;
+    try_files $uri $uri/  /vimbadmin/public/index.php?$args;
+  }
+
+  location ~* /vimbadmin/public/(.*) {
+    root /var/www/22222/htdocs/vimbadmin/public;
+    try_files $uri $uri/  /vimbadmin/public/index.php?$args;
+  }
+
+   location /netdata {
        return 301 /netdata/;
    }
    location ~ /netdata/(?<ndpath>.*) {
--- a/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
+++ b/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
@ -1,14 +1,37 @@
-# Kernel sysctl configuration file 
-# Sources : 
+# Kernel sysctl configuration file for Linux
+#
+# Version 1.14 - 2018-09-13
+# Michiel Klaver - IT Professional
+# Modified by VirtuBox
+#
+# Sources :
+# https://klaver.it/linux/sysctl.conf
 # https://easyengine.io/tutorials/linux/sysctl-conf/
-# http://klaver.it/linux/ 
 #
 #
-# sysctl -e -p /etc/sysctl.conf
+# Credits:
 #
+# http://www.enigma.id.au/linux_tuning.txt
+# http://www.securityfocus.com/infocus/1729
+# http://fasterdata.es.net/TCP-tuning/linux.html
+# http://fedorahosted.org/ktune/browser/sysctl.ktune
+# http://www.cymru.com/Documents/ip-stack-tuning.html
+# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
+# http://knol.google.com/k/linux-performance-tuning-and-measurement
+# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
+# http://www.redbooks.ibm.com/abstracts/REDP4285.html
+# http://www.speedguide.net/read_articles.php?id=121
+# http://lartc.org/howto/lartc.kernel.obscure.html
+# http://en.wikipedia.org/wiki/Sysctl
+#
+# Usage
+# wget -O /etc/sysctl.d/10-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/10-ubuntu-nginx-web-server.conf
+#
+# sysctl -e -p /etc/sysctl.d/10-ubuntu-nginx-web-server.conf
 # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and sysctl.conf(5) for more details.
 #
-# 
+
 ###
 ### GENERAL SYSTEM SECURITY OPTIONS ###
 ###
@ -16,9 +39,21 @@
 # Controls the System Request debugging functionality of the kernel
 kernel.sysrq = 0

+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
 #Allow for more PIDs
 kernel.pid_max = 65535

+# The contents of /proc/<pid>/maps and smaps files are only visible to
+# readers that are allowed to ptrace() the process
+kernel.maps_protect = 1
+
+#Enable ExecShield protection
+kernel.exec-shield = 1
+kernel.randomize_va_space = 2
+
 # Controls the maximum size of a message, in bytes
 kernel.msgmnb = 65535

@ -31,34 +66,44 @@ fs.suid_dumpable = 0
 # Hide exposed kernel pointers
 kernel.kptr_restrict = 1

+###
 ### IMPROVE SYSTEM MEMORY MANAGEMENT ###
-
-# Increase size of file handles and inode cache
-fs.file-max = 2097152
+###

 # Increase size of file handles and inode cache
 fs.file-max = 209708
+
 # Do less swapping
 vm.swappiness = 10
 vm.dirty_ratio = 30
-vm.dirty_background_ratio = 2
+vm.dirty_background_ratio = 5

-# Redis configuration
+# specifies the minimum virtual address that a process is allowed to mmap
+vm.mmap_min_addr = 4096
+
+# 50% overcommitment of available memory
+vm.overcommit_ratio = 50
+
+# allow memory overcommit required for redis
 vm.overcommit_memory = 1

+# Set maximum amount of memory allocated to shm to 256MB
+kernel.shmmax = 268435456
+kernel.shmall = 268435456
+
+# Keep at least 64MB of free RAM space available
+vm.min_free_kbytes = 65535
+
+###
+### GENERAL NETWORK SECURITY OPTIONS ###
+###
+
 #Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
 net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_syn_retries = 2
 net.ipv4.tcp_synack_retries = 2
 net.ipv4.tcp_max_syn_backlog = 4096

-# Disables packet forwarding
-net.ipv4.ip_forward = 0
-net.ipv4.conf.all.forwarding = 0
-net.ipv4.conf.default.forwarding = 0
-net.ipv6.conf.all.forwarding = 0
-net.ipv6.conf.default.forwarding = 0
-
 # Disables IP source routing
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
@ -120,7 +165,10 @@ net.ipv6.conf.all.autoconf=0
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.default.autoconf=0
 net.ipv6.conf.default.accept_ra=0
-
+net.ipv6.conf.all.accept_ra_defrtr = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.all.accept_ra_pinfo = 0
+net.ipv6.conf.default.accept_ra_pinfo = 0

 ###
 ### TUNING NETWORK PERFORMANCE ###
@ -169,9 +217,12 @@ net.ipv4.tcp_tw_reuse = 1
 net.ipv4.tcp_max_orphans = 16384
 net.ipv4.tcp_orphan_retries = 0

-# Increase the maximum memory used to reassemble IP fragments
-net.ipv4.ipfrag_high_thresh = 512000
-net.ipv4.ipfrag_low_thresh = 446464
+# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
+net.ipv4.ipfrag_low_thresh = 196608
+net.ipv6.ip6frag_low_thresh = 196608
+net.ipv4.ipfrag_high_thresh = 262144
+net.ipv6.ip6frag_high_thresh = 262144
+

 # don't cache ssthresh from previous connection
 net.ipv4.tcp_no_metrics_save = 1