full rewrite of documentation

* new html presentation with TOC
* clone the repository instead of downloading each file
* various configuration updates
VirtuBox 2018-10-13 15:04:41 +02:00
parent 57cccbc844
commit 51235bc0ef
31 changed files with 1065 additions and 1308 deletions

241
README.md

@ -18,32 +18,37 @@
Configuration files with comments and informations available by following the link **source** Configuration files with comments and informations available by following the link **source**
### Initial configuration ## Initial configuration
#### System update and packages cleanup ### System update and packages cleanup
```bash ```bash
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
``` ```
#### Install useful packages ### Install useful packages
```bash ```bash
sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y
``` ```
#### Tweak Kernel & Increase open files limits ### Clone the repository
```bash
git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git $HOME/ubuntu-nginx-web-server
```
### Tweak Kernel & Increase open files limits
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf) [source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
```bash ```bash
modprobe tcp_htcp cp $HOME/ubuntu-nginx-web-server/etc/sysctl.d/60-ubuntu-nginx-web-server.conf /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
wget -O /etc/sysctl.d/60-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf cp -f $HOME/ubuntu-nginx-web-server/etc/security/limits.conf /etc/security/limits.conf
``` ```
#### disable transparent hugepage for redis ### disable transparent hugepage for redis
```bash ```bash
echo never > /sys/kernel/mm/transparent_hugepage/enabled echo never > /sys/kernel/mm/transparent_hugepage/enabled
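Review bot: the new `git clone` line pulls whatever `master` holds at that moment and every later `cp` step copies it straight into /etc, so the checkout should be pinned (clone a tag, or `git -C $HOME/ubuntu-nginx-web-server checkout <commit>`) before anything is copied; as written the docs give no way to state which configuration revision a server ended up with. Two smaller points in the same block: the link text still points at `etc/sysctl.conf` while the file actually copied is `etc/sysctl.d/60-ubuntu-nginx-web-server.conf`, and `modprobe tcp_htcp` was dropped from the new side. If the sysctl file still selects the htcp congestion control, `sysctl -e -p` skips that key silently instead of failing, so either keep the modprobe or say that htcp is no longer used.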
@ -51,9 +56,9 @@ echo never > /sys/kernel/mm/transparent_hugepage/enabled
* * * * * *
### EasyEngine Setup ## EasyEngine Setup
#### Install MariaDB 10.3 ### Install MariaDB 10.3
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/) Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
@ -62,12 +67,12 @@ bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --ma
sudo apt update && sudo apt install mariadb-server -y sudo apt update && sudo apt install mariadb-server -y
``` ```
#### MySQL Tuning ### MySQL Tuning
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf) You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
```bash ```bash
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf cp -f $HOME/ubuntu-nginx-web-server/etc/mysql/my.cnf /etc/mysql/my.cnf
``` ```
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration : It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
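Review bot: `cp -f` over /etc/mysql/my.cnf discards the distribution file with no backup, and the next steps (stopping MariaDB and moving ib_logfile0/1 aside) mean a my.cnf that does not fit the host leaves the database down; copy the existing file to my.cnf.bak first. Since the text says the tuning targets a 4 GB VPS, it should also say that the buffer sizes must be lowered on smaller hosts before the restart.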
@ -81,16 +86,16 @@ sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
sudo service mysql start sudo service mysql start
``` ```
Increase MariaDB open files limits ### Increase MariaDB open files limits
```bash ```bash
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf cp -f $HOME/ubuntu-nginx-web-server/etc/systemd/system/mariadb.service.d/limits.conf /etc/systemd/system/mariadb.service.d/limits.conf
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart mariadb sudo systemctl restart mariadb
``` ```
#### Install EasyEngine ## Install EasyEngine
```bash ```bash
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email # noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
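Review bot: `cp -f ... /etc/systemd/system/mariadb.service.d/limits.conf` fails when the drop-in directory does not exist yet, which is the normal case on a fresh install; add `sudo mkdir -p /etc/systemd/system/mariadb.service.d` before the copy, as the nginx section of this same file already does for nginx.service.d. The heading change to `## Install EasyEngine` also promotes it to a top-level section while `### Install MariaDB 10.3` stays under `## EasyEngine Setup`, which will look wrong in the new TOC.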
@ -99,27 +104,27 @@ sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME
wget -qO ee rt.cx/ee && bash ee wget -qO ee rt.cx/ee && bash ee
``` ```
#### enable ee bash_completion ### enable ee bash_completion
```bash ```bash
source /etc/bash_completion.d/ee_auto.rc source /etc/bash_completion.d/ee_auto.rc
``` ```
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend ### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
```bash ```bash
ee stack install ee stack install
ee stack install --php7 --redis --admin --phpredisadmin ee stack install --php7 --redis --admin --phpredisadmin
``` ```
#### Set your email instead of root@localhost ### Set your email instead of root@localhost
```bash ```bash
echo 'root: my.email@address.com' >> /etc/aliases echo 'root: my.email@address.com' >> /etc/aliases
newaliases newaliases
``` ```
#### Install Composer - Fix phpmyadmin install issue ### Install Composer - Fix phpmyadmin install issue
```bash ```bash
cd ~/ ||exit cd ~/ ||exit
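Review bot: `wget -qO ee rt.cx/ee && bash ee` runs an installer fetched through a bare short URL as root; with no scheme wget requests it over plain http, so the script is neither fetched over TLS on the first hop nor verifiable. Use the full https URL of the EasyEngine install script and, if the short link must stay for readability, at least state where it redirects. The `echo 'root: my.email@address.com' >> /etc/aliases` step appends unconditionally, so re-running the doc leaves duplicate root aliases; a `grep -q '^root:' /etc/aliases ||` guard or a `sed` replacement would be idempotent.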
@ -130,143 +135,138 @@ chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/ sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
``` ```
#### Allow shell for www-data for SFTP usage ### Allow shell for www-data for SFTP usage
```bash ```bash
usermod -s /bin/bash www-data usermod -s /bin/bash www-data
``` ```
### PHP 7.1 & 7.2 Setup ## PHP 7.1 & 7.2 Setup
#### Install php7.1-fpm ### Install php7.1-fpm
```bash ```bash
# php7.1-fpm # php7.1-fpm
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \ apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf # copy php-fpm pools & php.ini configuration
cp -rf $HOME/ubuntu-nginx-web-server/etc/php/7.1/fpm/* /etc/php/7.1/fpm/
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart service php7.1-fpm restart
git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.1 configuration"
``` ```
#### Install php7.2-fpm ### Install php7.2-fpm
```bash ```bash
# php7.2-fpm # php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring php7.2-bcmath -y
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf # copy php-fpm pools & php.ini configuration
cp -rf $HOME/ubuntu-nginx-web-server/etc/php/7.2/fpm/* /etc/php/7.2/fpm/
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
service php7.2-fpm restart service php7.2-fpm restart
git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.2 configuration"
``` ```
#### add nginx upstreams ## NGINX Configuration
### Additional Nginx configuration (/etc/nginx/conf.d)
- New upstreams (php7.1, php7.2, netdata) : upstream.conf
- webp image mapping : webp.conf
- new fastcgi_cache_bypass mapping for wordpress : map-wp-fastcgi-cache.conf
- stub_status configuration on 127.0.0.1:80 : stub_status.conf
- restore visitor real IP under cloudflare : cloudflare.conf
- mitigate WordPress DoS attack
```bash ```bash
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf # copy all common nginx configurations
service nginx reload cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
# commit change with git
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update conf.d configurations"
``` ```
#### add ee common configuration ### EE common configuration
```bash ```bash
cd /etc/nginx/common || exit cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/common/* /etc/nginx/common/
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
unzip common.zip # commit change with git
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update common configurations"
``` ```
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee) ### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
```bash ```bash
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh) bash <(wget-qO - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
``` ```
* * * * * *
### Custom configurations ## Custom configurations
#### clean php-fpm php.ini configuration ### clean php-fpm php.ini configuration
```bash ```bash
# PHP 7.0 # PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini cp -rf $HOME/ubuntu-nginx-web-server/etc/php/7.0/* /etc/php/7.0/
service php7.0-fpm restart service php7.0-fpm restart
git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.2 configuration"
``` ```
#### Nginx optimized configurations ### Nginx optimized configurations
```bash ```bash
# TLSv1.2 TLSv1.3 only # TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3 # TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf
# TLSv1.2 only # TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf
# commit change with git
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update nginx.conf configurations"
``` ```
#### Nginx configuration for netdata & new upstreams ### Nginx configuration for netdata
```bash ```bash
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/ # add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222 cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
# commit change with git
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update 22222 configuration"
``` ```
#### Increase Nginx open files limits #### Increase Nginx open files limits
```bash ```bash
sudo mkdir -p /etc/systemd/system/nginx.service.d sudo mkdir -p /etc/systemd/system/nginx.service.d
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf cp -f $HOME/ubuntu-nginx-web-server/etc/systemd/system/nginx.service.d/limits.conf /etc/systemd/system/nginx.service.d/limits.conf
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart nginx.service sudo systemctl restart nginx.service
``` ```
#### wpcommon-php7x configurations
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
```bash
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
nginx -t
service nginx reload
```
* * * * * *
### Security ## Security
#### Harden SSH Security ### Harden SSH Security
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config) WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config cp -f $HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config /etc/ssh/sshd_config
#### UFW ### UFW
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/) Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
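Review bot: the three `cp -f` lines under "Nginx optimized configurations" have source and destination swapped: each copies the repository's `nginx.conf` to `/etc/nginx/nginx.conf`, `/etc/nginx/nginx-intermediate.conf` and `/etc/nginx/nginx-tlsv12.conf`, so the TLS-intermediate and TLSv1.2-only variants are never installed and the extra files are stray copies in /etc/nginx. They should read `cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx-intermediate.conf /etc/nginx/nginx.conf` (and the same for nginx-tlsv12.conf), followed by `nginx -t` before the reload. Also in this hunk: `wget-qO` in the nginx-ee line is missing the space after `wget` and will not run; the PHP 7.0 git commit message says "add php7.2 configuration"; and the sshd_config copy sits outside a code fence and replaces the file with a root-login-permitted config without `sshd -t` or a reminder to keep the current session open until a second login succeeds.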
@ -276,23 +276,30 @@ ufw logging low
ufw default allow outgoing ufw default allow outgoing
ufw default deny incoming ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend # allow incoming traffic on SSH port
ufw allow 22 CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
ufw allow $CURRENT_SSH_PORT
# DNS - HTTP/S - FTP - NTP - RSYNC - DHCP - SNMP - Librenms - Netdata - EE Backend
ufw allow 53 ufw allow 53
ufw allow http ufw allow http
ufw allow https ufw allow https
ufw allow 21 ufw allow 21
ufw allow 123 ufw allow 123
ufw allow 161 ufw allow 161
ufw allow 68
ufw allow 546
ufw allow 873
ufw allow 6556 ufw allow 6556
ufw allow 19999 ufw allow 19999
ufw allow 22222 ufw allow 22222
# enable UFW # enable UFW
ufw enable ufw enable
``` ```
#### Custom jails for fail2ban ### Custom jails for fail2ban
- wordpress bruteforce - wordpress bruteforce
- ssh - ssh
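Review bot: `CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | ...)` runs right before `ufw enable` with a default-deny inbound policy, and the grep also matches commented `#Port` lines and `GatewayPorts`, so on a stock file it can yield several values or `no`; `ufw allow` then fails or allows the wrong thing and the enable step locks the operator out. Anchor the match (`grep -E '^Port ' /etc/ssh/sshd_config`) or ask the running daemon with `sshd -T | awk '$1=="port"{print $2}'`, and check that the variable is a single number before calling ufw. The newly added `ufw allow 873` (rsync) and the existing 161/6556/19999 rules are open to every source; these are monitoring and sync services that should be limited with `ufw allow from <monitor-ip> to any port 873`, and 68/546 (DHCP client ports) need no inbound rules because ufw's default before.rules already accept DHCP client replies.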
@ -301,34 +308,38 @@ ufw enable
- nginx bad bots - nginx bad bots
```bash ```bash
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/
wget -O /etc/fail2ban/filter.d/nginx-forbidden.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/nginx-forbidden.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload fail2ban-client reload
``` ```
#### Secure Memcached server ### Secure Memcached server
```bash ```bash
echo '-U 0' >> /etc/memcached.conf echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached sudo systemctl restart memcached
``` ```
### Optional If you do not use memcached, you can safely stop and disable it :
#### ee-acme-sh ```bash
sudo systemctl stop memcached
sudo systemctl disable memcached.service
```
## Optional
### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers [Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
* subdomain support - subdomain support
* ivp6 support - ivp6 support
* wildcards certificates support - wildcards certificates support
```bash ```bash
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh wget-qO install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
chmod +x install-ee-acme.sh chmod +x install-ee-acme.sh
./install-ee-acme.sh ./install-ee-acme.sh
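Review bot: `wget-qO install-ee-acme.sh ...` is missing the space between `wget` and `-qO`, so the ee-acme-sh block fails at its first line. In the memcached block, `echo '-U 0' >> /etc/memcached.conf` appends a duplicate option every time the doc is re-run, and disabling UDP only closes the amplification vector; the TCP listener is what exposes cached data, so the step should also confirm `-l 127.0.0.1` is present (the Ubuntu default) and that 11211 is not in the ufw allow list above. Copying every filter.d/jail.d file and then `fail2ban-client reload` is fine, but running `fail2ban-client -t` first (fail2ban 0.10 and later) would catch a filter with a bad regex before the reload takes the service down.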
@ -336,7 +347,7 @@ chmod +x install-ee-acme.sh
source .bashrc source .bashrc
``` ```
#### netdata ### netdata
[Github repository](https://github.com/firehol/netdata) [Github repository](https://github.com/firehol/netdata)
@ -349,11 +360,11 @@ echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
# disable email notifications # disable email notifications
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health_alarm_notify.conf
service netdata restart service netdata restart
``` ```
#### cht.sh (cheat) ### cht.sh (cheat)
[Github repository](https://github.com/chubin/cheat.sh) [Github repository](https://github.com/chubin/cheat.sh)
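Review bot: the new `sed -i` target `/usr/lib/netdata/conf.d/health_alarm_notify.conf` is the packaged stock file; netdata reads overrides from `/etc/netdata/` and the stock copy is replaced on every upgrade, so the email setting silently reverts. Copy it first (`/etc/netdata/edit-config health_alarm_notify.conf`, or `cp /usr/lib/netdata/conf.d/health_alarm_notify.conf /etc/netdata/`) and edit that copy. The `echo 1 >/sys/kernel/mm/ksm/run` lines, like the transparent_hugepage write earlier in the file, do not survive a reboot and need a systemd unit or rc.local entry to stick.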
@ -387,7 +398,7 @@ root@vps:~ cheat cat
cat -n file cat -n file
``` ```
#### nanorc - Improved Nano Syntax Highlighting Files ### nanorc - Improved Nano Syntax Highlighting Files
[Github repository](https://github.com/scopatz/nanorc) [Github repository](https://github.com/scopatz/nanorc)
@ -395,34 +406,18 @@ root@vps:~ cheat cat
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
``` ```
#### ucaresystem - script to update & cleanup packages easily ### Add WP-CLI & bash-completion for user www-data
```bash
sudo add-apt-repository ppa:utappia/stable -y
sudo apt update
sudo apt install ucaresystem-core -y
```
Run server maintenance with the command :
```bash
sudo ucaresystem-core
```
### WP-CLI
#### Add bash-completion for user www-data
```bashrc ```bashrc
# download wp-cli bash_completion # download wp-cli bash_completion
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash cp -f $HOME/ubuntu-nginx-web-server/etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
# change /var/www owner # change /var/www owner
chown www-data:www-data /var/www chown www-data:www-data /var/www
# download .profile & .bashrc for www-data # download .profile & .bashrc for www-data
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile cp -f $HOME/ubuntu-nginx-web-server/var/www/.profile /var/www/.profile
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc cp -f $HOME/ubuntu-nginx-web-server/var/www/.bashrc /var/www/.bashrc
# set owner # set owner
chown www-data:www-data /var/www/.profile chown www-data:www-data /var/www/.profile
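Review bot: `cp -f $HOME/ubuntu-nginx-web-server/etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/...` still has the old wget URL as its second argument, so the copy fails (that path does not exist relative to the working directory) and no completion file lands in /etc/bash_completion.d; the destination should be `/etc/bash_completion.d/wp-completion.bash`. The fence is also tagged `bashrc`, which highlighters do not know; `bash` matches the rest of the file. Separately, the ucaresystem section is dropped here without a mention in the commit message.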
@ -438,9 +433,6 @@ Installation
```bash ```bash
# clone the github repository # clone the github repository
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
# download nginx configuration
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
``` ```
Then include this configuration in your nginx vhost by adding the following line Then include this configuration in your nginx vhost by adding the following line
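Review bot: removing the `error_pages.conf` download is only correct if the `cp -rf .../etc/nginx/common/* /etc/nginx/common/` step earlier in this file already ships that file; the text below still tells the reader to `include common/error_pages.conf;`, so either say that the file was installed by the common-configuration step or keep an explicit copy here.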
@ -449,5 +441,4 @@ Then include this configuration in your nginx vhost by adding the following line
include common/error_pages.conf; include common/error_pages.conf;
``` ```
Published & maintained by [VirtuBox](https://virtubox.net) Published & maintained by [VirtuBox](https://virtubox.net)


@ -1,453 +0,0 @@
# Optimized configuration for Ubuntu server with EasyEngine
* * *
## Server Stack
- Ubuntu 16.04/18.04 LTS
- Nginx 1.15.x / 1.14.x
- PHP-FPM 7/7.1/7.2
- MariaDB 10.3
- REDIS 4.0
- Memcached
- Fail2ban
- Netdata
- UFW
* * *
Configuration files with comments and informations available by following the link **source**
### Initial configuration
#### System update and packages cleanup
```bash
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
```
#### Install useful packages
```bash
sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y
```
#### Tweak Kernel & Increase open files limits
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
```bash
modprobe tcp_htcp
wget -O /etc/sysctl.d/60-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
```
#### disable transparent hugepage for redis
```bash
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```
* * *
### EasyEngine Setup
#### Install MariaDB 10.3
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
```bash
bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --mariadb-server-version=10.3 --skip-maxscale -y
sudo apt update && sudo apt install mariadb-server -y
```
#### MySQL Tuning
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
```bash
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
```
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
```bash
sudo service mysql stop
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
sudo service mysql start
```
Increase MariaDB open files limits
```bash
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart mariadb
```
#### Install EasyEngine
```bash
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
wget -qO ee rt.cx/ee && bash ee
```
#### enable ee bash_completion
```bash
source /etc/bash_completion.d/ee_auto.rc
```
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
```bash
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
```
#### Set your email instead of root@localhost
```bash
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
```
#### Install Composer - Fix phpmyadmin install issue
```bash
cd ~/ ||exit
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
```
#### Allow shell for www-data for SFTP usage
```bash
usermod -s /bin/bash www-data
```
### PHP 7.1 & 7.2 Setup
#### Install php7.1-fpm
```bash
# php7.1-fpm
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart
```
#### Install php7.2-fpm
```bash
# php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
service php7.2-fpm restart
```
#### add nginx upstreams
```bash
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
service nginx reload
```
#### add ee common configuration
```bash
cd /etc/nginx/common || exit
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
unzip common.zip
```
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
```bash
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
```
* * *
### Custom configurations
#### clean php-fpm php.ini configuration
```bash
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
```
#### Nginx optimized configurations
```bash
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
```
#### Nginx configuration for netdata & new upstreams
```bash
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
```
#### Increase Nginx open files limits
```bash
sudo mkdir -p /etc/systemd/system/nginx.service.d
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart nginx.service
```
#### wpcommon-php7x configurations
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
```bash
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
nginx -t
service nginx reload
```
* * *
### Security
#### Harden SSH Security
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
#### UFW
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
```bash
# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# enable UFW
ufw enable
```
#### Custom jails for fail2ban
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
```bash
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/filter.d/nginx-forbidden.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/nginx-forbidden.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
```
#### Secure Memcached server
```bash
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
```
### Optional
#### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
* subdomain support
* ivp6 support
* wildcards certificates support
```bash
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
chmod +x install-ee-acme.sh
./install-ee-acme.sh
# enable acme.sh & ee-acme-sh
source .bashrc
```
#### netdata
[Github repository](https://github.com/firehol/netdata)
```bash
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
# disable email notifications
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
service netdata restart
```
#### cht.sh (cheat)
[Github repository](https://github.com/chubin/cheat.sh)
```bash
curl https://cht.sh/:cht.sh > /usr/bin/cht.sh
chmod +x /usr/bin/cht.sh
echo "alias cheat='cht.sh'" >> $HOME/.bashrc
source $HOME/.bashrc
```
usage : `cheat <command>`
```bash
root@vps:~ cheat cat
# cat
# Print and concatenate files.
# Print the contents of a file to the standard output:
cat file
# Concatenate several files into the target file:
cat file1 file2 > target_file
# Append several files into the target file:
cat file1 file2 >> target_file
# Number all output lines:
cat -n file
```
#### nanorc - Improved Nano Syntax Highlighting Files
[Github repository](https://github.com/scopatz/nanorc)
```bash
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
```
#### ucaresystem - script to update & cleanup packages easily
```bash
sudo add-apt-repository ppa:utappia/stable -y
sudo apt update
sudo apt install ucaresystem-core -y
```
Run server maintenance with the command :
```bash
sudo ucaresystem-core
```
### WP-CLI
#### Add bash-completion for user www-data
```bashrc
# download wp-cli bash_completion
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
# change /var/www owner
chown www-data:www-data /var/www
# download .profile & .bashrc for www-data
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
# set owner
chown www-data:www-data /var/www/.profile
chown www-data:www-data /var/www/.bashrc
```
### Custom Nginx error pages
[Github Repository](https://github.com/alexphelps/server-error-pages)
Installation
```bash
# clone the github repository
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
# download nginx configuration
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
```
Then include this configuration in your nginx vhost by adding the following line
```bash
include common/error_pages.conf;
```
Published & maintained by [VirtuBox](https://virtubox.net)
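Review bot: the KSM tuning in the netdata block (`echo 1 >/sys/kernel/mm/ksm/run` and the `sleep_millisecs` write) does not survive a reboot, because values written under /sys are not persistent; either say so next to those two lines or persist them with a small systemd oneshot unit or an rc.local entry. The UFW block has a related fragility: `ufw allow 22` hard-codes the SSH port, so if `Port` is later changed in sshd_config the rule keeps 22 open and the real port stays blocked; read the port from an uncommented `Port` line in /etc/ssh/sshd_config and fall back to 22 when none is set. Finally, the nanorc step pipes `wget ... -O- | sh` straight into a root shell with no checksum or review; download the script to a file, inspect it, then run it, as the ee-acme-sh block above it already does.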

View File

@ -1 +0,0 @@
theme: jekyll-theme-cayman

View File

@ -0,0 +1,88 @@
/*
Atom One Dark by Daniel Gamage
Original One Dark Syntax theme from https://github.com/atom/one-dark-syntax
base: #282c34
mono-1: #abb2bf
mono-2: #818896
mono-3: #5c6370
hue-1: #56b6c2
hue-2: #61aeee
hue-3: #c678dd
hue-4: #98c379
hue-5: #e06c75
hue-5-2: #be5046
hue-6: #d19a66
hue-6-2: #e6c07b
*/
.hljs {
display: block;
overflow-x: auto;
padding: 0.5em;
color: #abb2bf;
background: #282c34;
}
.hljs-comment,
.hljs-quote {
color: #5c6370;
font-style: italic;
}
.hljs-doctag,
.hljs-keyword,
.hljs-formula {
color: #c678dd;
}
.hljs-literal {
color: #56b6c2;
}
.hljs-string,
.hljs-regexp,
.hljs-addition,
.hljs-attribute,
.hljs-meta-string {
color: #98c379;
}
.hljs-built_in,
.hljs-class .hljs-title {
color: #e6c07b;
}
.hljs-attr,
.hljs-variable,
.hljs-template-variable,
.hljs-type,
.hljs-selector-class,
.hljs-selector-attr,
.hljs-selector-pseudo,
.hljs-number {
color: #d19a66;
}
.hljs-symbol,
.hljs-bullet,
.hljs-link,
.hljs-meta,
.hljs-selector-id,
.hljs-title {
color: #61aeee;
}
.hljs-emphasis {
font-style: italic;
}
.hljs-strong {
font-weight: bold;
}
.hljs-link {
text-decoration: underline;
}
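Review bot: the comment header of this stylesheet credits Daniel Gamage and links the Atom one-dark-syntax repository but carries no license text, and the file is a vendored third-party theme that docs/index.html serves from docs/assets; keep the upstream license notice with it (in this header or in a LICENSE file beside it) so the attribution requirement of the original work is met when the page is published.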

File diff suppressed because one or more lines are too long

0
docs/assets/style.css Normal file
View File

View File

@ -36,6 +36,9 @@ AcceptEnv LANG LC_*
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server
# Host keys the client accepts - order here is honored by OpenSSH
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
# use strong ciphers (you may have to comment those lines with some sftp clients) # use strong ciphers (you may have to comment those lines with some sftp clients)
KexAlgorithms curve25519-sha256@libssh.org KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com Ciphers chacha20-poly1305@openssh.com
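Review bot: the comment on the added `HostKeyAlgorithms` line describes client-side behaviour ("Host keys the client accepts"), but this file is sshd_config (`AcceptEnv` and `Subsystem sftp` are server directives), where `HostKeyAlgorithms` is the list of host-key signature algorithms the server offers, in its own preference order; reword the comment accordingly. The list also keeps plain `ssh-rsa`, which is the SHA-1 based RSA signature, next to the modern entries; if an RSA host key has to stay supported, list `rsa-sha2-512,rsa-sha2-256` in its place (supported by the OpenSSH 7.2 and 7.6 releases shipped with Ubuntu 16.04 and 18.04). Since the existing comment already warns that some SFTP clients break on the strict `KexAlgorithms`/`Ciphers` lines, the install step in docs/index.html that copies this file over /etc/ssh/sshd_config should be followed by `sshd -t` and a reload, with a second session kept open until login has been re-verified.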

View File

@ -1,6 +1,6 @@
# Kernel sysctl configuration file for Linux # Kernel sysctl configuration file for Linux
# #
# Version 1.14 - 2018-09-13 # Version 1.15 - 2018-10-13
# Michiel Klaver - IT Professional # Michiel Klaver - IT Professional
# Modified by VirtuBox # Modified by VirtuBox
# #
@ -28,7 +28,7 @@
# Usage # Usage
# wget -O /etc/sysctl.d/10-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/10-ubuntu-nginx-web-server.conf # wget -O /etc/sysctl.d/10-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/10-ubuntu-nginx-web-server.conf
# #
# sysctl -p # sysctl -e -p /etc/sysctl.d/10-ubuntu-nginx-web-server.conf
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details. # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
# #
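Review bot: the Usage comment in this hunk still tells the reader to `wget` the file from the per-file URL and to save it as `10-ubuntu-nginx-web-server.conf`, while the README and docs/index.html in this same commit install it by `cp` from the cloned repository as `/etc/sysctl.d/60-ubuntu-nginx-web-server.conf`. Files in sysctl.d are applied in lexical order, so the prefix decides whether these settings override or are overridden by Ubuntu's own `10-*.conf` files (for example 10-network-security.conf); pick one filename, use it in both the comment and the docs, and keep the `sysctl -e -p <file>` invocation pointing at it.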
@ -174,9 +174,10 @@ net.ipv6.conf.default.accept_ra_pinfo = 0
### TUNING NETWORK PERFORMANCE ### ### TUNING NETWORK PERFORMANCE ###
### ###
# For high-bandwidth low-latency networks, use 'htcp' congestion control # enable BBR congestion control and set tcp_notsent_lowat to 16KB for HTTP/2 prioritization to work reliably
# Do a 'modprobe tcp_htcp' first # source : https://blog.cloudflare.com/http-2-prioritization-with-nginx/
net.ipv4.tcp_congestion_control = htcp net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_notsent_lowat = 16384
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12) # For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
net.core.default_qdisc = fq net.core.default_qdisc = fq
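Review bot: the switch from htcp to bbr drops the old "Do a 'modprobe tcp_htcp' first" instruction without replacing it with BBR's prerequisites. BBR needs Linux 4.9 or later and the `tcp_bbr` module: the 4.4 GA kernel of Ubuntu 16.04 does not have it (the HWE kernel does), so on such hosts the `net.ipv4.tcp_congestion_control = bbr` line fails and the server silently stays on the default cubic. Add a comment telling the reader to run `modprobe tcp_bbr` (or to confirm with `sysctl net.ipv4.tcp_congestion_control` after applying the file) and note that the `net.core.default_qdisc = fq` line right below is what BBR relies on for pacing on kernels before 4.13, so the two settings belong together.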

531
docs/index.html Normal file
View File

@ -0,0 +1,531 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black">
<meta name="mobile-web-app-capable" content="yes">
<title>
Optimized configuration for Ubuntu server with EasyEngine
</title>
<link rel="icon" type="image/png" href="https://notes.vtbox.space/favicon.png">
<link rel="apple-touch-icon" href="https://notes.vtbox.space/apple-touch-icon.png">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha256-916EbMg70RQy9LHiGkXzG8hSg9EdNy97GazNG/aiY1w=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css" integrity="sha256-eZrrJcwDc/3uDhsdt61sL2oOBY362qM3lon1gyExkL0=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/ionicons/2.0.1/css/ionicons.min.css" integrity="sha256-3iu9jgsy9TpTwXKb7bNQzqWekRX7pPK+2OLj3R922fo=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/octicons/4.4.0/octicons.min.css" integrity="sha256-4eCms8tUm+iL29tUvmRhNRnz/7lNI4oTtQzqa/uM2dI=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.5.1/themes/prism.min.css" integrity="sha256-vtR0hSWRc3Tb26iuN2oZHt3KRUomwTufNIf5/4oeCyg=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/github-gist.min.css" integrity="sha256-tAflq+ymku3Khs+I/WcAneIlafYgDiOQ9stIHH985Wo=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/emojify.js/1.1.0/css/basic/emojify.min.css" integrity="sha256-UOrvMOsSDSrW6szVLe8ZDZezBxh5IoIfgTwdNDgTjiU=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://virtubox.github.io/ubuntu-nginx-web-server/assets/atom-one-dark.css" type="text/css" media="all" />
<script type="text/javascript" src="https://virtubox.github.io/ubuntu-nginx-web-server/assets/highlight.pack.js"></script>
<link href="https://virtubox.github.io/ubuntu-nginx-web-server/assets/style.css" type="text/css" media="all" />
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js" integrity="sha256-3Jy/GbSLrg0o9y5Z5n1uw0qxZECH7C6OQpVBgNFYa0g=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.min.js" integrity="sha256-g6iAfvZp+nDQ2TdTR/VVKJf3bGro4ub5fvWSWVRi2NE=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.9/es5-shim.min.js" integrity="sha256-8E4Is26QH0bD52WoQpcB+R/tcWQtpzlCojrybUd7Mxo=" crossorigin="anonymous"></script>
<![endif]-->
</head>
<body>
<!-- Content -->
<div id="doc" class="markdown-body container-fluid"><h1 id="Optimized-configuration-for-Ubuntu-server-with-EasyEngine"><a class="anchor hidden-xs" href="#Optimized-configuration-for-Ubuntu-server-with-EasyEngine" title="Optimized-configuration-for-Ubuntu-server-with-EasyEngine"><span class="octicon octicon-link"></span></a>Optimized configuration for Ubuntu server with EasyEngine</h1><hr><h2 id="Server-Stack"><a class="anchor hidden-xs" href="#Server-Stack" title="Server-Stack"><span class="octicon octicon-link"></span></a>Server Stack</h2><ul>
<li>Ubuntu 16.04/18.04 LTS</li>
<li>Nginx 1.15.x / 1.14.x</li>
<li>PHP-FPM 7/7.1/7.2</li>
<li>MariaDB 10.3</li>
<li>REDIS 4.0</li>
<li>Memcached</li>
<li>Fail2ban</li>
<li>Netdata</li>
<li>UFW</li>
</ul><hr><p>Configuration files with comments available by following the link <strong>source</strong></p><h2 id="Initial-configuration"><a class="anchor hidden-xs" href="#Initial-configuration" title="Initial-configuration"><span class="octicon octicon-link"></span></a>Initial configuration</h2><h3 id="System-update-and-packages-cleanup"><a class="anchor hidden-xs" href="#System-update-and-packages-cleanup" title="System-update-and-packages-cleanup"><span class="octicon octicon-link"></span></a>System update and packages cleanup</h3><pre><code class="bash hljs">apt-get update &amp;&amp; apt-get upgrade -y &amp;&amp; apt-get autoremove --purge -y &amp;&amp; apt-get clean
</code></pre><h3 id="Install-useful-packages"><a class="anchor hidden-xs" href="#Install-useful-packages" title="Install-useful-packages"><span class="octicon octicon-link"></span></a>Install useful packages</h3><pre><code class="bash hljs">sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y
</code></pre><h3 id="Clone-the-repository"><a class="anchor hidden-xs" href="#Clone-the-repository" title="Clone-the-repository"><span class="octicon octicon-link"></span></a>Clone the repository</h3><pre><code class="bash hljs">git <span class="hljs-built_in">clone</span> https://github.com/VirtuBox/ubuntu-nginx-web-server.git <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server
</code></pre><h3 id="Tweak-Kernel-amp-Increase-open-files-limits"><a class="anchor hidden-xs" href="#Tweak-Kernel-amp-Increase-open-files-limits" title="Tweak-Kernel-amp-Increase-open-files-limits"><span class="octicon octicon-link"></span></a>Tweak Kernel &amp; Increase open files limits</h3><p><a href="https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf" target="_blank">source sysctl.conf</a> - <a href="https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf" target="_blank">limits.conf source</a></p><pre><code class="bash hljs">cp <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/sysctl.d/60-ubuntu-nginx-web-server.conf /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/security/limits.conf /etc/security/limits.conf
</code></pre><h3 id="disable-transparent-hugepage-for-redis"><a class="anchor hidden-xs" href="#disable-transparent-hugepage-for-redis" title="disable-transparent-hugepage-for-redis"><span class="octicon octicon-link"></span></a>disable transparent hugepage for redis</h3><pre><code class="bash hljs"><span class="hljs-built_in">echo</span> never &gt; /sys/kernel/mm/transparent_hugepage/enabled
</code></pre><hr><h2 id="EasyEngine-Setup"><a class="anchor hidden-xs" href="#EasyEngine-Setup" title="EasyEngine-Setup"><span class="octicon octicon-link"></span></a>EasyEngine Setup</h2><h3 id="Install-MariaDB-103"><a class="anchor hidden-xs" href="#Install-MariaDB-103" title="Install-MariaDB-103"><span class="octicon octicon-link"></span></a>Install MariaDB 10.3</h3><p>Instructions available in <a href="https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/" target="_blank">VirtuBox Knowledgebase</a></p><pre><code class="bash hljs">bash &lt;(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --mariadb-server-version=10.3 --skip-maxscale -y
sudo apt update &amp;&amp; sudo apt install mariadb-server -y
</code></pre><h3 id="MySQL-Tuning"><a class="anchor hidden-xs" href="#MySQL-Tuning" title="MySQL-Tuning"><span class="octicon octicon-link"></span></a>MySQL Tuning</h3><p>You can download my example of my.cnf, optimized for VPS with 4GB RAM. <a href="https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf" target="_blank">my.cnf source</a></p><pre><code class="bash hljs">cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/mysql/my.cnf /etc/mysql/my.cnf
</code></pre><p>It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :</p><pre><code class="bash hljs">sudo service mysql stop
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
sudo service mysql start
</code></pre><h3 id="Increase-MariaDB-open-files-limits"><a class="anchor hidden-xs" href="#Increase-MariaDB-open-files-limits" title="Increase-MariaDB-open-files-limits"><span class="octicon octicon-link"></span></a>Increase MariaDB open files limits</h3><pre><code class="bash hljs">cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/systemd/system/mariadb.service.d/limits.conf /etc/systemd/system/mariadb.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart mariadb
</code></pre><h2 id="Install-EasyEngine"><a class="anchor hidden-xs" href="#Install-EasyEngine" title="Install-EasyEngine"><span class="octicon octicon-link"></span></a>Install EasyEngine</h2><pre><code class="bash hljs"><span class="hljs-comment"># noninteractive install - you can replace $USER with your username &amp; root@$HOSTNAME by your email</span>
sudo bash -c <span class="hljs-string">'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" &gt; $HOME/.gitconfig'</span>
wget -qO ee rt.cx/ee &amp;&amp; bash ee
</code></pre><h3 id="enable-ee-bash_completion"><a class="anchor hidden-xs" href="#enable-ee-bash_completion" title="enable-ee-bash_completion"><span class="octicon octicon-link"></span></a>enable ee bash_completion</h3><pre><code class="bash hljs"><span class="hljs-built_in">source</span> /etc/bash_completion.d/ee_auto.rc
</code></pre><h3 id="Install-Nginx-php56-php70-postfix-redis-and-configure-EE-backend"><a class="anchor hidden-xs" href="#Install-Nginx-php56-php70-postfix-redis-and-configure-EE-backend" title="Install-Nginx-php56-php70-postfix-redis-and-configure-EE-backend"><span class="octicon octicon-link"></span></a>Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend</h3><pre><code class="bash hljs">ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
</code></pre><h3 id="Set-your-email-instead-of-rootlocalhost"><a class="anchor hidden-xs" href="#Set-your-email-instead-of-rootlocalhost" title="Set-your-email-instead-of-rootlocalhost"><span class="octicon octicon-link"></span></a>Set your email instead of root@localhost</h3><pre><code class="bash hljs"><span class="hljs-built_in">echo</span> <span class="hljs-string">'root: my.email@address.com'</span> &gt;&gt; /etc/aliases
newaliases
</code></pre><h3 id="Install-Composer---Fix-phpmyadmin-install-issue"><a class="anchor hidden-xs" href="#Install-Composer---Fix-phpmyadmin-install-issue" title="Install-Composer---Fix-phpmyadmin-install-issue"><span class="octicon octicon-link"></span></a>Install Composer - Fix phpmyadmin install issue</h3><pre><code class="bash hljs"><span class="hljs-built_in">cd</span> ~/ ||<span class="hljs-built_in">exit</span>
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
</code></pre><h3 id="Allow-shell-for-www-data-for-SFTP-usage"><a class="anchor hidden-xs" href="#Allow-shell-for-www-data-for-SFTP-usage" title="Allow-shell-for-www-data-for-SFTP-usage"><span class="octicon octicon-link"></span></a>Allow shell for www-data for SFTP usage</h3><pre><code class="bash hljs">usermod -s /bin/bash www-data
</code></pre><h2 id="PHP-71-amp-72-Setup"><a class="anchor hidden-xs" href="#PHP-71-amp-72-Setup" title="PHP-71-amp-72-Setup"><span class="octicon octicon-link"></span></a>PHP 7.1 &amp; 7.2 Setup</h2><h3 id="Install-php71-fpm"><a class="anchor hidden-xs" href="#Install-php71-fpm" title="Install-php71-fpm"><span class="octicon octicon-link"></span></a>Install php7.1-fpm</h3><pre><code class="bash hljs"><span class="hljs-comment"># php7.1-fpm</span>
apt update &amp;&amp; apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
<span class="hljs-comment"># copy php-fpm pools &amp; php.ini configuration</span>
cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/php/7.1/fpm/* /etc/php/7.1/fpm/
service php7.1-fpm restart
git -C /etc/php/ add /etc/php/ &amp;&amp; git -C /etc/php/ commit -m <span class="hljs-string">"add php7.1 configuration"</span>
</code></pre><h3 id="Install-php72-fpm"><a class="anchor hidden-xs" href="#Install-php72-fpm" title="Install-php72-fpm"><span class="octicon octicon-link"></span></a>Install php7.2-fpm</h3><pre><code class="bash hljs"><span class="hljs-comment"># php7.2-fpm</span>
apt update &amp;&amp; apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring php7.2-bcmath -y
<span class="hljs-comment"># copy php-fpm pools &amp; php.ini configuration</span>
cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/php/7.2/fpm/* /etc/php/7.2/fpm/
service php7.2-fpm restart
git -C /etc/php/ add /etc/php/ &amp;&amp; git -C /etc/php/ commit -m <span class="hljs-string">"add php7.2 configuration"</span>
</code></pre><h2 id="NGINX-Configuration"><a class="anchor hidden-xs" href="#NGINX-Configuration" title="NGINX-Configuration"><span class="octicon octicon-link"></span></a>NGINX Configuration</h2><h3 id="Additional-Nginx-configuration-etcnginxconfd"><a class="anchor hidden-xs" href="#Additional-Nginx-configuration-etcnginxconfd" title="Additional-Nginx-configuration-etcnginxconfd"><span class="octicon octicon-link"></span></a>Additional Nginx configuration (/etc/nginx/conf.d)</h3><ul>
<li>New upstreams (php7.1, php7.2, netdata) : upstream.conf</li>
<li>webp image mapping : webp.conf</li>
<li>new fastcgi_cache_bypass mapping for wordpress : map-wp-fastcgi-cache.conf</li>
<li>stub_status configuration on 127.0.0.1:80 : stub_status.conf</li>
<li>restore visitor real IP under Cloudflare : cloudflare.conf</li>
<li>mitigate WordPress DoS attack</li>
</ul><pre><code class="bash hljs"><span class="hljs-comment"># copy all common nginx configurations</span>
cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
<span class="hljs-comment"># commit change with git</span>
git -C /etc/nginx/ add /etc/nginx/ &amp;&amp; git -C /etc/nginx/ commit -m <span class="hljs-string">"update conf.d configurations"</span>
</code></pre><h3 id="EE-common-configuration"><a class="anchor hidden-xs" href="#EE-common-configuration" title="EE-common-configuration"><span class="octicon octicon-link"></span></a>EE common configuration</h3><pre><code class="bash hljs">cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/common/* /etc/nginx/common/
<span class="hljs-comment"># commit change with git</span>
git -C /etc/nginx/ add /etc/nginx/ &amp;&amp; git -C /etc/nginx/ commit -m <span class="hljs-string">"update common configurations"</span>
</code></pre><h3 id="Compile-last-Nginx-mainline-release-with-nginx-ee-script"><a class="anchor hidden-xs" href="#Compile-last-Nginx-mainline-release-with-nginx-ee-script" title="Compile-last-Nginx-mainline-release-with-nginx-ee-script"><span class="octicon octicon-link"></span></a>Compile last Nginx mainline release with <a href="https://github.com/VirtuBox/nginx-ee" target="_blank">nginx-ee script</a></h3><pre><code class="bash hljs">bash &lt;(wget-qO - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
</code></pre><hr><h2 id="Custom-configurations"><a class="anchor hidden-xs" href="#Custom-configurations" title="Custom-configurations"><span class="octicon octicon-link"></span></a>Custom configurations</h2><h3 id="clean-php-fpm-phpini-configuration"><a class="anchor hidden-xs" href="#clean-php-fpm-phpini-configuration" title="clean-php-fpm-phpini-configuration"><span class="octicon octicon-link"></span></a>clean php-fpm php.ini configuration</h3><pre><code class="bash hljs"><span class="hljs-comment"># PHP 7.0</span>
cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/php/7.0/* /etc/php/7.0/
service php7.0-fpm restart
git -C /etc/php/ add /etc/php/ &amp;&amp; git -C /etc/php/ commit -m <span class="hljs-string">"add php7.2 configuration"</span>
</code></pre><h3 id="Nginx-optimized-configurations"><a class="anchor hidden-xs" href="#Nginx-optimized-configurations" title="Nginx-optimized-configurations"><span class="octicon octicon-link"></span></a>Nginx optimized configurations</h3><pre><code class="bash hljs"><span class="hljs-comment"># TLSv1.2 TLSv1.3 only</span>
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
<span class="hljs-comment"># TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3</span>
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf
<span class="hljs-comment"># TLSv1.2 only</span>
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf
<span class="hljs-comment"># commit change with git</span>
git -C /etc/nginx/ add /etc/nginx/ &amp;&amp; git -C /etc/nginx/ commit -m <span class="hljs-string">"update nginx.conf configurations"</span>
</code></pre><h3 id="Nginx-configuration-for-netdata"><a class="anchor hidden-xs" href="#Nginx-configuration-for-netdata" title="Nginx-configuration-for-netdata"><span class="octicon octicon-link"></span></a>Nginx configuration for netdata</h3><pre><code class="bash hljs"><span class="hljs-comment"># add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/</span>
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
<span class="hljs-comment"># commit change with git</span>
git -C /etc/nginx/ add /etc/nginx/ &amp;&amp; git -C /etc/nginx/ commit -m <span class="hljs-string">"update 22222 configuration"</span>
</code></pre><h4 id="Increase-Nginx-open-files-limits"><a class="anchor hidden-xs" href="#Increase-Nginx-open-files-limits" title="Increase-Nginx-open-files-limits"><span class="octicon octicon-link"></span></a>Increase Nginx open files limits</h4><pre><code class="bash hljs">sudo mkdir -p /etc/systemd/system/nginx.service.d
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/systemd/system/nginx.service.d/limits.conf /etc/systemd/system/nginx.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart nginx.service
</code></pre><hr><h2 id="Security"><a class="anchor hidden-xs" href="#Security" title="Security"><span class="octicon octicon-link"></span></a>Security</h2><h3 id="Harden-SSH-Security"><a class="anchor hidden-xs" href="#Harden-SSH-Security" title="Harden-SSH-Security"><span class="octicon octicon-link"></span></a>Harden SSH Security</h3><p>WARNING : SSH Configuration with root login allowed with ed25519 &amp; ECDSA SSH keys only <a href="https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config" target="_blank">source</a></p><pre><code>cp -f $HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config /etc/ssh/sshd_config
</code></pre><h3 id="UFW"><a class="anchor hidden-xs" href="#UFW" title="UFW"><span class="octicon octicon-link"></span></a>UFW</h3><p>Instructions available in <a href="https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/" target="_blank">VirtuBox Knowledgebase</a></p><pre><code class="bash hljs"><span class="hljs-comment"># enable ufw log - allow outgoing - deny incoming</span>
ufw logging low
ufw default allow outgoing
ufw default deny incoming
<span class="hljs-comment"># allow incoming traffic on SSH port</span>
CURRENT_SSH_PORT=$(grep <span class="hljs-string">"Port"</span> /etc/ssh/sshd_config | awk -F <span class="hljs-string">" "</span> <span class="hljs-string">'{print $2}'</span>)
ufw allow <span class="hljs-variable">$CURRENT_SSH_PORT</span>
<span class="hljs-comment"># DNS - HTTP/S - FTP - NTP - RSYNC - DHCP - SNMP - Librenms - Netdata - EE Backend</span>
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 68
ufw allow 546
ufw allow 873
ufw allow 6556
ufw allow 19999
ufw allow 22222
<span class="hljs-comment"># enable UFW</span>
ufw <span class="hljs-built_in">enable</span>
</code></pre><h3 id="Custom-jails-for-fail2ban"><a class="anchor hidden-xs" href="#Custom-jails-for-fail2ban" title="Custom-jails-for-fail2ban"><span class="octicon octicon-link"></span></a>Custom jails for fail2ban</h3><ul>
<li>wordpress bruteforce</li>
<li>ssh</li>
<li>recidive (after 3 bans)</li>
<li>backend http auth</li>
<li>nginx bad bots</li>
</ul><pre><code class="bash hljs">cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/
fail2ban-client reload
</code></pre><h3 id="Secure-Memcached-server"><a class="anchor hidden-xs" href="#Secure-Memcached-server" title="Secure-Memcached-server"><span class="octicon octicon-link"></span></a>Secure Memcached server</h3><pre><code class="bash hljs"><span class="hljs-built_in">echo</span> <span class="hljs-string">'-U 0'</span> &gt;&gt; /etc/memcached.conf
sudo systemctl restart memcached
</code></pre><p>If you do not use memcached, you can safely stop and disable it :</p><pre><code class="bash hljs">sudo systemctl stop memcached
sudo systemctl <span class="hljs-built_in">disable</span> memcached.service
</code></pre><h2 id="Optional"><a class="anchor hidden-xs" href="#Optional" title="Optional"><span class="octicon octicon-link"></span></a>Optional</h2><h3 id="ee-acme-sh"><a class="anchor hidden-xs" href="#ee-acme-sh" title="ee-acme-sh"><span class="octicon octicon-link"></span></a>ee-acme-sh</h3><p><a href="https://virtubox.github.io/ee-acme-sh/" target="_blank">Github repository</a> - Script to setup letsencrypt certificates using <a href="http://acme.sh" target="_blank">acme.sh</a> on EasyEngine servers</p><ul>
<li>subdomain support</li>
<li>ivp6 support</li>
<li>wildcards certificates support</li>
</ul><pre><code class="bash hljs">wget-qO install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
chmod +x install-ee-acme.sh
./install-ee-acme.sh
<span class="hljs-comment"># enable acme.sh &amp; ee-acme-sh</span>
<span class="hljs-built_in">source</span> .bashrc
</code></pre><h3 id="netdata"><a class="anchor hidden-xs" href="#netdata" title="netdata"><span class="octicon octicon-link"></span></a>netdata</h3><p><a href="https://github.com/firehol/netdata" target="_blank">Github repository</a></p><pre><code class="bash hljs">
bash &lt;(curl -Ss https://my-netdata.io/kickstart.sh) all
<span class="hljs-comment"># save 40-60% of netdata memory</span>
<span class="hljs-built_in">echo</span> 1 &gt;/sys/kernel/mm/ksm/run
<span class="hljs-built_in">echo</span> 1000 &gt;/sys/kernel/mm/ksm/sleep_millisecs
<span class="hljs-comment"># disable email notifications</span>
sudo sed -i <span class="hljs-string">'s/SEND_EMAIL="YES"/SEND_EMAIL="NO"/'</span> /usr/lib/netdata/conf.d/health_alarm_notify.conf
service netdata restart
</code></pre><h3 id="chtsh-cheat"><a class="anchor hidden-xs" href="#chtsh-cheat" title="chtsh-cheat"><span class="octicon octicon-link"></span></a><a href="http://cht.sh" target="_blank">cht.sh</a> (cheat)</h3><p><a href="https://github.com/chubin/cheat.sh" target="_blank">Github repository</a></p><pre><code class="bash hljs">curl https://cht.sh/:cht.sh &gt; /usr/bin/cht.sh
chmod +x /usr/bin/cht.sh
<span class="hljs-built_in">echo</span> <span class="hljs-string">"alias cheat='cht.sh'"</span> &gt;&gt; <span class="hljs-variable">$HOME</span>/.bashrc
<span class="hljs-built_in">source</span> <span class="hljs-variable">$HOME</span>/.bashrc
</code></pre><p>usage : <code>cheat &lt;command&gt;</code></p><pre><code class="bash hljs">root@vps:~ cheat cat
<span class="hljs-comment"># cat</span>
<span class="hljs-comment"># Print and concatenate files.</span>
<span class="hljs-comment"># Print the contents of a file to the standard output:</span>
cat file
<span class="hljs-comment"># Concatenate several files into the target file:</span>
cat file1 file2 &gt; target_file
<span class="hljs-comment"># Append several files into the target file:</span>
cat file1 file2 &gt;&gt; target_file
<span class="hljs-comment"># Number all output lines:</span>
cat -n file
</code></pre><h3 id="nanorc---Improved-Nano-Syntax-Highlighting-Files"><a class="anchor hidden-xs" href="#nanorc---Improved-Nano-Syntax-Highlighting-Files" title="nanorc---Improved-Nano-Syntax-Highlighting-Files"><span class="octicon octicon-link"></span></a>nanorc - Improved Nano Syntax Highlighting Files</h3><p><a href="https://github.com/scopatz/nanorc" target="_blank">Github repository</a></p><pre><code class="bash hljs">wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
</code></pre><h3 id="Add-WP-CLI-amp-bash-completion-for-user-www-data"><a class="anchor hidden-xs" href="#Add-WP-CLI-amp-bash-completion-for-user-www-data" title="Add-WP-CLI-amp-bash-completion-for-user-www-data"><span class="octicon octicon-link"></span></a>Add WP-CLI &amp; bash-completion for user www-data</h3><pre><code class="bashrc hljs"><span class="hljs-comment"># download wp-cli bash_completion</span>
cp -f $HOME/ubuntu-nginx-web-server/etc/bash_completion.d/wp-completion.bash /etc/bash_completion.d/wp-completion.bash
<span class="hljs-comment"># change /var/www owner</span>
chown www-data:www-data /<span class="hljs-keyword">var</span>/www
<span class="hljs-comment"># download .profile &amp; .bashrc for www-data</span>
cp -f $HOME/ubuntu-nginx-web-server/<span class="hljs-keyword">var</span>/www/.profile /<span class="hljs-keyword">var</span>/www/.profile
cp -f $HOME/ubuntu-nginx-web-server/<span class="hljs-keyword">var</span>/www/.bashrc /<span class="hljs-keyword">var</span>/www/.bashrc
<span class="hljs-comment"># set owner</span>
chown www-data:www-data /<span class="hljs-keyword">var</span>/www/.profile
chown www-data:www-data /<span class="hljs-keyword">var</span>/www/.bashrc
</code></pre><p>Both dotfiles are owned by www-data, so any code running as the PHP-FPM user can rewrite them and the change takes effect the next time an interactive shell is started as www-data. Treat them as part of the web attack surface: after a suspected compromise, compare them against the copies in the cloned repository before using that shell.</p><h3 id="Custom-Nginx-error-pages"><a class="anchor hidden-xs" href="#Custom-Nginx-error-pages" title="Custom-Nginx-error-pages"><span class="octicon octicon-link"></span></a>Custom Nginx error pages</h3><p><a href="https://github.com/alexphelps/server-error-pages" target="_blank">Github Repository</a></p><p>Installation</p><pre><code class="bash hljs"><span class="hljs-comment"># clone the github repository</span>
sudo -u www-data -H git <span class="hljs-built_in">clone</span> https://github.com/alexphelps/server-error-pages.git /var/www/error
</code></pre><p>Then include this configuration in your nginx vhost by adding the following line</p><pre><code class="bash hljs">include common/error_pages.conf;
</code></pre><p>Published &amp; maintained by <a href="https://virtubox.net" target="_blank">VirtuBox</a></p></div>
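The optional section above installs two scripts straight from the network (cht.sh copied into /usr/bin, the nanorc install.sh piped into sh) and gives www-data a home directory whose .profile and .bashrc it owns. As an added example that is not part of the original page or of the VirtuBox repository, the following POSIX shell functions add the checks a practitioner would want around those steps: a hash-pinned install that refuses a downloaded script unless it matches a hash recorded after review, and an audit of www-data's dotfiles against the copies in the cloned repository. The expected hash, the /tmp download path and the reference directory are assumptions to replace with your own.

```bash
#!/bin/sh
# Added example for this page (not VirtuBox's code). install_pinned hardens the
# "curl > /usr/bin/cht.sh" and "wget install.sh | sh" pattern by refusing a
# downloaded script whose sha256 differs from a hash you recorded after
# reviewing it; audit_dotfiles re-checks the www-data .profile/.bashrc, which
# the PHP-FPM user owns and could therefore rewrite. All paths and the
# expected hash are assumptions, not values from the original page.

# Print the sha256 of a file with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_pinned SRC EXPECTED_SHA256 DEST
# Copies SRC to DEST with mode 0755 only if SRC hashes to EXPECTED_SHA256 and
# starts with a shebang (an HTML error page saved by curl fails both checks).
# Returns 1 and leaves DEST untouched otherwise.
install_pinned() {
    ip_src=$1; ip_expected=$2; ip_dest=$3
    ip_actual=$(sha256_of "$ip_src")
    if [ "$ip_actual" != "$ip_expected" ]; then
        echo "refusing $ip_src: sha256 $ip_actual does not match $ip_expected" >&2
        return 1
    fi
    if ! head -n 1 "$ip_src" | grep -q '^#!'; then
        echo "refusing $ip_src: first line is not a shebang" >&2
        return 1
    fi
    cp "$ip_src" "$ip_dest" && chmod 0755 "$ip_dest"
}

# audit_dotfiles HOME_DIR REFERENCE_DIR
# For .profile and .bashrc in HOME_DIR (e.g. /var/www), print one line per
# problem: MISSING, MODIFIED (differs from the copy in REFERENCE_DIR, e.g.
# $HOME/ubuntu-nginx-web-server/var/www) or WRITABLE (group- or world-writable).
# Returns 1 if anything was reported, 0 if both files are clean.
audit_dotfiles() {
    ad_home=$1; ad_ref=$2; ad_findings=0
    for ad_name in .profile .bashrc; do
        ad_file="$ad_home/$ad_name"
        if [ ! -f "$ad_file" ]; then
            echo "MISSING $ad_file"
            ad_findings=1
            continue
        fi
        if ! cmp -s "$ad_file" "$ad_ref/$ad_name"; then
            echo "MODIFIED $ad_file differs from $ad_ref/$ad_name"
            ad_findings=1
        fi
        # -perm -020 / -002: group or other write bit set (POSIX find)
        if [ -n "$(find "$ad_file" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "WRITABLE $ad_file is group- or world-writable"
            ad_findings=1
        fi
    done
    return $ad_findings
}

# Usage on the server described above (the hash is a placeholder you fill in):
#   curl -sS https://cht.sh/:cht.sh -o /tmp/cht.sh
#   install_pinned /tmp/cht.sh <sha256-you-recorded> /usr/bin/cht.sh
#   audit_dotfiles /var/www "$HOME/ubuntu-nginx-web-server/var/www"
```

The hash is deliberately not fetched from the same host as the script: it only protects you if it was recorded from a copy you read, so re-review and re-pin whenever upstream changes. The dotfile audit is cheap enough to run from cron and alert on any non-empty output.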
<div class="ui-toc dropup unselectable hidden-print" style="display:none;">
<div class="pull-right dropdown">
<a id="tocLabel" class="ui-toc-label btn btn-default" data-toggle="dropdown" href="#" role="button" aria-haspopup="true" aria-expanded="false" title="Table of content">
<i class="fa fa-bars"></i>
</a>
<ul id="ui-toc" class="ui-toc-dropdown dropdown-menu" aria-labelledby="tocLabel">
<div class="toc"><ul class="nav">
<li class=""><a href="#Optimized-configuration-for-Ubuntu-server-with-EasyEngine" title="Optimized configuration for Ubuntu server with EasyEngine">Optimized configuration for Ubuntu server with EasyEngine</a><ul class="nav">
<li><a href="#Server-Stack" title="Server Stack">Server Stack</a></li>
<li><a href="#Initial-configuration" title="Initial configuration">Initial configuration</a><ul class="nav">
<li><a href="#System-update-and-packages-cleanup" title="System update and packages cleanup">System update and packages cleanup</a></li>
<li><a href="#Install-useful-packages" title="Install useful packages">Install useful packages</a></li>
<li><a href="#Clone-the-repository" title="Clone the repository">Clone the repository</a></li>
<li><a href="#Tweak-Kernel-amp-Increase-open-files-limits" title="Tweak Kernel &amp; Increase open files limits">Tweak Kernel &amp; Increase open files limits</a></li>
<li><a href="#disable-transparent-hugepage-for-redis" title="disable transparent hugepage for redis">disable transparent hugepage for redis</a></li>
</ul>
</li>
<li><a href="#EasyEngine-Setup" title="EasyEngine Setup">EasyEngine Setup</a><ul class="nav">
<li><a href="#Install-MariaDB-103" title="Install MariaDB 10.3">Install MariaDB 10.3</a></li>
<li><a href="#MySQL-Tuning" title="MySQL Tuning">MySQL Tuning</a></li>
<li><a href="#Increase-MariaDB-open-files-limits" title="Increase MariaDB open files limits">Increase MariaDB open files limits</a></li>
</ul>
</li>
<li><a href="#Install-EasyEngine" title="Install EasyEngine">Install EasyEngine</a><ul class="nav">
<li><a href="#enable-ee-bash_completion" title="enable ee bash_completion">enable ee bash_completion</a></li>
<li><a href="#Install-Nginx-php56-php70-postfix-redis-and-configure-EE-backend" title="Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend">Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend</a></li>
<li><a href="#Set-your-email-instead-of-rootlocalhost" title="Set your email instead of root@localhost">Set your email instead of root@localhost</a></li>
<li><a href="#Install-Composer---Fix-phpmyadmin-install-issue" title="Install Composer - Fix phpmyadmin install issue">Install Composer - Fix phpmyadmin install issue</a></li>
<li><a href="#Allow-shell-for-www-data-for-SFTP-usage" title="Allow shell for www-data for SFTP usage">Allow shell for www-data for SFTP usage</a></li>
</ul>
</li>
<li><a href="#PHP-71-amp-72-Setup" title="PHP 7.1 &amp; 7.2 Setup">PHP 7.1 &amp; 7.2 Setup</a><ul class="nav">
<li><a href="#Install-php71-fpm" title="Install php7.1-fpm">Install php7.1-fpm</a></li>
<li><a href="#Install-php72-fpm" title="Install php7.2-fpm">Install php7.2-fpm</a></li>
</ul>
</li>
<li><a href="#NGINX-Configuration" title="NGINX Configuration">NGINX Configuration</a><ul class="nav">
<li><a href="#Additional-Nginx-configuration-etcnginxconfd" title="Additional Nginx configuration (/etc/nginx/conf.d)">Additional Nginx configuration (/etc/nginx/conf.d)</a></li>
<li><a href="#EE-common-configuration" title="EE common configuration">EE common configuration</a></li>
<li><a href="#Compile-last-Nginx-mainline-release-with-nginx-ee-script" title="Compile last Nginx mainline release with nginx-ee script">Compile last Nginx mainline release with nginx-ee script</a></li>
</ul>
</li>
<li><a href="#Custom-configurations" title="Custom configurations">Custom configurations</a><ul class="nav">
<li><a href="#clean-php-fpm-phpini-configuration" title="clean php-fpm php.ini configuration">clean php-fpm php.ini configuration</a></li>
<li><a href="#Nginx-optimized-configurations" title="Nginx optimized configurations">Nginx optimized configurations</a></li>
<li><a href="#Nginx-configuration-for-netdata" title="Nginx configuration for netdata">Nginx configuration for netdata</a></li>
</ul>
</li>
<li><a href="#Security" title="Security">Security</a><ul class="nav">
<li><a href="#Harden-SSH-Security" title="Harden SSH Security">Harden SSH Security</a></li>
<li><a href="#UFW" title="UFW">UFW</a></li>
<li><a href="#Custom-jails-for-fail2ban" title="Custom jails for fail2ban">Custom jails for fail2ban</a></li>
<li><a href="#Secure-Memcached-server" title="Secure Memcached server">Secure Memcached server</a></li>
</ul>
</li>
<li><a href="#Optional" title="Optional">Optional</a><ul class="nav">
<li><a href="#ee-acme-sh" title="ee-acme-sh">ee-acme-sh</a></li>
<li><a href="#netdata" title="netdata">netdata</a></li>
<li><a href="#chtsh-cheat" title="cht.sh (cheat)">cht.sh (cheat)</a></li>
<li><a href="#nanorc---Improved-Nano-Syntax-Highlighting-Files" title="nanorc - Improved Nano Syntax Highlighting Files">nanorc - Improved Nano Syntax Highlighting Files</a></li>
<li><a href="#Add-WP-CLI-amp-bash-completion-for-user-www-data" title="Add WP-CLI &amp; bash-completion for user www-data">Add WP-CLI &amp; bash-completion for user www-data</a></li>
<li><a href="#Custom-Nginx-error-pages" title="Custom Nginx error pages">Custom Nginx error pages</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div><div class="toc-menu"><a class="expand-toggle" href="#">Expand all</a><a class="back-to-top" href="#">Back to top</a><a class="go-to-bottom" href="#">Go to bottom</a></div>
</ul>
</div>
</div>
<div id="ui-toc-affix" class="ui-affix-toc ui-toc-dropdown unselectable hidden-print" data-spy="affix" style="top:17px;display:none;" >
<div class="toc"><ul class="nav">
<li class=""><a href="#Optimized-configuration-for-Ubuntu-server-with-EasyEngine" title="Optimized configuration for Ubuntu server with EasyEngine">Optimized configuration for Ubuntu server with EasyEngine</a><ul class="nav">
<li><a href="#Server-Stack" title="Server Stack">Server Stack</a></li>
<li><a href="#Initial-configuration" title="Initial configuration">Initial configuration</a><ul class="nav">
<li><a href="#System-update-and-packages-cleanup" title="System update and packages cleanup">System update and packages cleanup</a></li>
<li><a href="#Install-useful-packages" title="Install useful packages">Install useful packages</a></li>
<li><a href="#Clone-the-repository" title="Clone the repository">Clone the repository</a></li>
<li><a href="#Tweak-Kernel-amp-Increase-open-files-limits" title="Tweak Kernel &amp; Increase open files limits">Tweak Kernel &amp; Increase open files limits</a></li>
<li><a href="#disable-transparent-hugepage-for-redis" title="disable transparent hugepage for redis">disable transparent hugepage for redis</a></li>
</ul>
</li>
<li><a href="#EasyEngine-Setup" title="EasyEngine Setup">EasyEngine Setup</a><ul class="nav">
<li><a href="#Install-MariaDB-103" title="Install MariaDB 10.3">Install MariaDB 10.3</a></li>
<li><a href="#MySQL-Tuning" title="MySQL Tuning">MySQL Tuning</a></li>
<li><a href="#Increase-MariaDB-open-files-limits" title="Increase MariaDB open files limits">Increase MariaDB open files limits</a></li>
</ul>
</li>
<li><a href="#Install-EasyEngine" title="Install EasyEngine">Install EasyEngine</a><ul class="nav">
<li><a href="#enable-ee-bash_completion" title="enable ee bash_completion">enable ee bash_completion</a></li>
<li><a href="#Install-Nginx-php56-php70-postfix-redis-and-configure-EE-backend" title="Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend">Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend</a></li>
<li><a href="#Set-your-email-instead-of-rootlocalhost" title="Set your email instead of root@localhost">Set your email instead of root@localhost</a></li>
<li><a href="#Install-Composer---Fix-phpmyadmin-install-issue" title="Install Composer - Fix phpmyadmin install issue">Install Composer - Fix phpmyadmin install issue</a></li>
<li><a href="#Allow-shell-for-www-data-for-SFTP-usage" title="Allow shell for www-data for SFTP usage">Allow shell for www-data for SFTP usage</a></li>
</ul>
</li>
<li><a href="#PHP-71-amp-72-Setup" title="PHP 7.1 &amp; 7.2 Setup">PHP 7.1 &amp; 7.2 Setup</a><ul class="nav">
<li><a href="#Install-php71-fpm" title="Install php7.1-fpm">Install php7.1-fpm</a></li>
<li><a href="#Install-php72-fpm" title="Install php7.2-fpm">Install php7.2-fpm</a></li>
</ul>
</li>
<li><a href="#NGINX-Configuration" title="NGINX Configuration">NGINX Configuration</a><ul class="nav">
<li><a href="#Additional-Nginx-configuration-etcnginxconfd" title="Additional Nginx configuration (/etc/nginx/conf.d)">Additional Nginx configuration (/etc/nginx/conf.d)</a></li>
<li><a href="#EE-common-configuration" title="EE common configuration">EE common configuration</a></li>
<li><a href="#Compile-last-Nginx-mainline-release-with-nginx-ee-script" title="Compile last Nginx mainline release with nginx-ee script">Compile last Nginx mainline release with nginx-ee script</a></li>
</ul>
</li>
<li><a href="#Custom-configurations" title="Custom configurations">Custom configurations</a><ul class="nav">
<li><a href="#clean-php-fpm-phpini-configuration" title="clean php-fpm php.ini configuration">clean php-fpm php.ini configuration</a></li>
<li><a href="#Nginx-optimized-configurations" title="Nginx optimized configurations">Nginx optimized configurations</a></li>
<li><a href="#Nginx-configuration-for-netdata" title="Nginx configuration for netdata">Nginx configuration for netdata</a></li>
</ul>
</li>
<li><a href="#Security" title="Security">Security</a><ul class="nav">
<li><a href="#Harden-SSH-Security" title="Harden SSH Security">Harden SSH Security</a></li>
<li><a href="#UFW" title="UFW">UFW</a></li>
<li><a href="#Custom-jails-for-fail2ban" title="Custom jails for fail2ban">Custom jails for fail2ban</a></li>
<li><a href="#Secure-Memcached-server" title="Secure Memcached server">Secure Memcached server</a></li>
</ul>
</li>
<li><a href="#Optional" title="Optional">Optional</a><ul class="nav">
<li><a href="#ee-acme-sh" title="ee-acme-sh">ee-acme-sh</a></li>
<li><a href="#netdata" title="netdata">netdata</a></li>
<li><a href="#chtsh-cheat" title="cht.sh (cheat)">cht.sh (cheat)</a></li>
<li><a href="#nanorc---Improved-Nano-Syntax-Highlighting-Files" title="nanorc - Improved Nano Syntax Highlighting Files">nanorc - Improved Nano Syntax Highlighting Files</a></li>
<li><a href="#Add-WP-CLI-amp-bash-completion-for-user-www-data" title="Add WP-CLI &amp; bash-completion for user www-data">Add WP-CLI &amp; bash-completion for user www-data</a></li>
<li><a href="#Custom-Nginx-error-pages" title="Custom Nginx error pages">Custom Nginx error pages</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div><div class="toc-menu"><a class="expand-toggle" href="#">Expand all</a><a class="back-to-top" href="#">Back to top</a><a class="go-to-bottom" href="#">Go to bottom</a></div>
</div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha256-U5ZEeKfGNOja007MMD3YBI0A3OSZOQbeG6z2f2Y0hu8=" crossorigin="anonymous" defer></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/gist-embed/2.6.0/gist-embed.min.js" integrity="sha256-KyF2D6xPIJUW5sUDSs93vWyZm+1RzIpKCexxElmxl8g=" crossorigin="anonymous" defer></script>
<script>
var markdown = $(".markdown-body");
//smooth all hash trigger scrolling
function smoothHashScroll() {
var hashElements = $("a[href^='#']").toArray();
for (var i = 0; i < hashElements.length; i++) {
var element = hashElements[i];
var $element = $(element);
var hash = element.hash;
if (hash) {
$element.on('click', function (e) {
// store hash
var hash = this.hash;
if ($(hash).length <= 0) return;
// prevent default anchor click behavior
e.preventDefault();
// animate
$('body, html').stop(true, true).animate({
scrollTop: $(hash).offset().top
}, 100, "linear", function () {
// when done, add hash to url
// (default click behaviour)
window.location.hash = hash;
});
});
}
}
}
smoothHashScroll();
var toc = $('.ui-toc');
var tocAffix = $('.ui-affix-toc');
var tocDropdown = $('.ui-toc-dropdown');
//toc
tocDropdown.click(function (e) {
e.stopPropagation();
});
var enoughForAffixToc = true;
function generateScrollspy() {
$(document.body).scrollspy({
target: ''
});
$(document.body).scrollspy('refresh');
if (enoughForAffixToc) {
toc.hide();
tocAffix.show();
} else {
tocAffix.hide();
toc.show();
}
$(document.body).scroll();
}
function windowResize() {
//toc right
var paddingRight = parseFloat(markdown.css('padding-right'));
var right = ($(window).width() - (markdown.offset().left + markdown.outerWidth() - paddingRight));
toc.css('right', right + 'px');
//affix toc left
var newbool;
var rightMargin = (markdown.parent().outerWidth() - markdown.outerWidth()) / 2;
//for ipad or wider device
if (rightMargin >= 133) {
newbool = true;
var affixLeftMargin = (tocAffix.outerWidth() - tocAffix.width()) / 2;
var left = markdown.offset().left + markdown.outerWidth() - affixLeftMargin;
tocAffix.css('left', left + 'px');
} else {
newbool = false;
}
if (newbool != enoughForAffixToc) {
enoughForAffixToc = newbool;
generateScrollspy();
}
}
$(window).resize(function () {
windowResize();
});
$(document).ready(function () {
windowResize();
generateScrollspy();
});
//remove hash
function removeHash() {
window.location.hash = '';
}
var backtotop = $('.back-to-top');
var gotobottom = $('.go-to-bottom');
backtotop.click(function (e) {
e.preventDefault();
e.stopPropagation();
if (scrollToTop)
scrollToTop();
removeHash();
});
gotobottom.click(function (e) {
e.preventDefault();
e.stopPropagation();
if (scrollToBottom)
scrollToBottom();
removeHash();
});
var toggle = $('.expand-toggle');
var tocExpand = false;
checkExpandToggle();
toggle.click(function (e) {
e.preventDefault();
e.stopPropagation();
tocExpand = !tocExpand;
checkExpandToggle();
})
function checkExpandToggle () {
var toc = $('.ui-toc-dropdown .toc');
var toggle = $('.expand-toggle');
if (!tocExpand) {
toc.removeClass('expand');
toggle.text('Expand all');
} else {
toc.addClass('expand');
toggle.text('Collapse all');
}
}
function scrollToTop() {
$('body, html').stop(true, true).animate({
scrollTop: 0
}, 100, "linear");
}
function scrollToBottom() {
$('body, html').stop(true, true).animate({
scrollTop: $(document.body)[0].scrollHeight
}, 100, "linear");
}
</script>
</body>
</html>

View File

@ -1,453 +0,0 @@
# Optimized configuration for Ubuntu server with EasyEngine
* * *
## Server Stack
- Ubuntu 16.04/18.04 LTS
- Nginx 1.15.x / 1.14.x
- PHP-FPM 7/7.1/7.2
- MariaDB 10.3
- REDIS 4.0
- Memcached
- Fail2ban
- Netdata
- UFW
* * *
Configuration files with comments and informations available by following the link **source**
### Initial configuration
#### System update and packages cleanup
```bash
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
```
#### Install useful packages
```bash
sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y
```
#### Tweak Kernel & Increase open files limits
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
```bash
modprobe tcp_htcp
wget -O /etc/sysctl.d/60-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
```
#### disable transparent hugepage for redis
```bash
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```
* * *
### EasyEngine Setup
#### Install MariaDB 10.3
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
```bash
bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --mariadb-server-version=10.3 --skip-maxscale -y
sudo apt update && sudo apt install mariadb-server -y
```
#### MySQL Tuning
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
```bash
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
```
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
```bash
sudo service mysql stop
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
sudo service mysql start
```
Increase MariaDB open files limits
```bash
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart mariadb
```
#### Install EasyEngine
```bash
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
wget -qO ee rt.cx/ee && bash ee
```
#### enable ee bash_completion
```bash
source /etc/bash_completion.d/ee_auto.rc
```
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
```bash
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
```
#### Set your email instead of root@localhost
```bash
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
```
#### Install Composer - Fix phpmyadmin install issue
```bash
cd ~/ ||exit
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
```
#### Allow shell for www-data for SFTP usage
```bash
usermod -s /bin/bash www-data
```
### PHP 7.1 & 7.2 Setup
#### Install php7.1-fpm
```bash
# php7.1-fpm
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart
```
#### Install php7.2-fpm
```bash
# php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
service php7.2-fpm restart
```
#### add nginx upstreams
```bash
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
service nginx reload
```
#### add ee common configuration
```bash
cd /etc/nginx/common || exit
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
unzip common.zip
```
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
```bash
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
```
* * *
### Custom configurations
#### clean php-fpm php.ini configuration
```bash
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
```
#### Nginx optimized configurations
```bash
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
```
#### Nginx configuration for netdata & new upstreams
```bash
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
```
#### Increase Nginx open files limits
```bash
sudo mkdir -p /etc/systemd/system/nginx.service.d
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart nginx.service
```
#### wpcommon-php7x configurations
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
```bash
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
nginx -t
service nginx reload
```
* * *
### Security
#### Harden SSH Security
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
#### UFW
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
```bash
# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# enable UFW
ufw enable
```
#### Custom jails for fail2ban
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
```bash
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/filter.d/nginx-forbidden.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/nginx-forbidden.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
```
#### Secure Memcached server
```bash
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
```
### Optional
#### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
* subdomain support
* ivp6 support
* wildcards certificates support
```bash
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
chmod +x install-ee-acme.sh
./install-ee-acme.sh
# enable acme.sh & ee-acme-sh
source .bashrc
```
#### netdata
[Github repository](https://github.com/firehol/netdata)
```bash
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
# disable email notifications
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
service netdata restart
```
#### cht.sh (cheat)
[Github repository](https://github.com/chubin/cheat.sh)
```bash
curl https://cht.sh/:cht.sh > /usr/bin/cht.sh
chmod +x /usr/bin/cht.sh
echo "alias cheat='cht.sh'" >> $HOME/.bashrc
source $HOME/.bashrc
```
usage : `cheat <command>`
```bash
root@vps:~ cheat cat
# cat
# Print and concatenate files.
# Print the contents of a file to the standard output:
cat file
# Concatenate several files into the target file:
cat file1 file2 > target_file
# Append several files into the target file:
cat file1 file2 >> target_file
# Number all output lines:
cat -n file
```
#### nanorc - Improved Nano Syntax Highlighting Files
[Github repository](https://github.com/scopatz/nanorc)
```bash
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
```
#### ucaresystem - script to update & cleanup packages easily
```bash
sudo add-apt-repository ppa:utappia/stable -y
sudo apt update
sudo apt install ucaresystem-core -y
```
Run server maintenance with the command :
```bash
sudo ucaresystem-core
```
### WP-CLI
#### Add bash-completion for user www-data
```bashrc
# download wp-cli bash_completion
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
# change /var/www owner
chown www-data:www-data /var/www
# download .profile & .bashrc for www-data
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
# set owner
chown www-data:www-data /var/www/.profile
chown www-data:www-data /var/www/.bashrc
```
### Custom Nginx error pages
[Github Repository](https://github.com/alexphelps/server-error-pages)
Installation
```bash
# clone the github repository
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
# download nginx configuration
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
```
Then include this configuration in your nginx vhost by adding the following line
```bash
include common/error_pages.conf;
```
Published & maintained by [VirtuBox](https://virtubox.net)
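Review bot: three sections of the deleted README have no counterpart in the new page's table of contents: "Increase Nginx open files limits" (the nginx.service.d/limits.conf drop-in), "wpcommon-php7x configurations" (the webp map and the wpcommon-php7/php71/php72 files) and "ucaresystem". If dropping them is intentional the commit message should say so; otherwise port them before removing the Markdown copy. The old "Custom Nginx error pages" section also fetched common/error_pages.conf before the `include common/error_pages.conf;` step, while the rendered page now only clones the error-page repository, so confirm the earlier "EE common configuration" step provides that file.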

View File

@ -2,9 +2,15 @@
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files # Basic locations files
location = /favicon.ico { location = /favicon.ico {
try_files /favicon.ico @empty;
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
}
location @empty {
empty_gif;
} }
location = /robots.txt { location = /robots.txt {
# Some WordPress plugin gererate robots.txt file # Some WordPress plugin gererate robots.txt file
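Review bot: `@empty` is a generic name for a named location that now lives in a shared include; any vhost that pulls in a second snippet declaring `@empty` will fail `nginx -t` with a duplicate location. A purpose-specific name such as `@favicon_empty` avoids the clash. Worth a comment too: `empty_gif` answers a missing favicon with 200 and image/gif rather than 404, which is the intent here but surprises anyone debugging a "favicon not found" report.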
@ -14,7 +20,7 @@ location = /robots.txt {
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
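Review bot: the new alternation lists `ttf` twice (`woff2|ttf|m4a|mp4|ttf`); drop the second copy. Since this regex is duplicated across the per-PHP-version locations files, fix it in each copy so they stay identical.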
@ -33,19 +39,19 @@ location ~ /\.(?!well-known\/) {
deny all; deny all;
} }
# Use the directory /var/www/html to valide acme-challenge # Use the directory /var/www/html to valide acme-challenge
# just create the sub-directories .well-known/acme-challenge and set www-data as owner # just create the sub-directories .well-known/acme-challenge
# # ####
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge # sudo chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# # ####
location /.well-known/acme-challenge/ { # location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/; # alias /var/www/html/.well-known/acme-challenge/;
} # }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
deny all; deny all;
} }
# Deny backup extensions & log files and return 403 forbidden # Deny backup extensions & log files and return 403 forbidden
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all; deny all;
} }
# common nginx configuration to block sql injection and other attacks # common nginx configuration to block sql injection and other attacks
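Review bot: the comment block at the top of this hunk still tells the reader to chown /var/www/html and create `.well-known/acme-challenge` there, but the `location /.well-known/acme-challenge/` that pointed at that directory is now commented out, so challenges are served from each site's own root and the documented step no longer applies; either keep the location active or reword the comment. Separately, `README` and `readme` in the readme regex are redundant because the location uses `~*` (case-insensitive), and the same holds for `CHANGELOG` versus the removed `changelog`.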
@ -100,32 +106,9 @@ location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all; deny all;
} }
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
deny all; deny all;
} }
# Status pages
location = /nginx_status {
stub_status on;
access_log off;
include common/acl.conf;
}
location ~ ^/(status|ping)$ {
include fastcgi_params;
include common/acl.conf;
fastcgi_pass php7;
}
# EasyEngine (ee) utilities
# phpMyAdmin settings
location = /pma {
return 301 https://$host:22222/db/pma;
}
location = /phpMyAdmin {
return 301 https://$host:22222/db/pma;
}
location = /phpmyadmin {
return 301 https://$host:22222/db/pma;
}
# Adminer settings
location = /adminer {
return 301 https://$host:22222/db/adminer;
}
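Review bot: the new `config|configuration` entries in the `\.php` deny regex are unanchored and case-insensitive (`~*`), so any request whose path ends in `/config.php` or `/configuration.php`, including a file an application legitimately serves from a subdirectory, now returns 403; confirm that none of the hosted applications expose such a file, or anchor the pattern to the paths you actually want to block. Dropping the `/nginx_status`, `/status|/ping`, phpMyAdmin and Adminer locations from this file is consistent with the loopback-only status server added elsewhere in this commit.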

View File

@ -2,32 +2,36 @@
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files # Basic locations files
location = /favicon.ico { location = /favicon.ico {
access_log off; try_files /favicon.ico @empty;
log_not_found off; access_log off;
expires max; log_not_found off;
expires max;
}
location @empty {
empty_gif;
} }
location = /robots.txt { location = /robots.txt {
# Some WordPress plugin gererate robots.txt file # Some WordPress plugin gererate robots.txt file
# Refer #340 issue # Refer #340 issue
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
{ add_header "Access-Control-Allow-Origin" "*";
add_header "Access-Control-Allow-Origin" "*"; access_log off;
access_log off; log_not_found off;
log_not_found off; expires max;
expires max;
} }
# Cache css & js files # Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ location ~* \.(?:css(\.map)?|js(\.map)?)$ {
{ add_header "Access-Control-Allow-Origin" "*";
add_header "Access-Control-Allow-Origin" "*"; access_log off;
access_log off; log_not_found off;
log_not_found off; expires 30d;
expires 30d;
} }
# Security settings for better privacy # Security settings for better privacy
# Deny hidden files # Deny hidden files
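Review bot: the `@empty` fallback added for /favicon.ico serves a 1x1 GIF via `empty_gif`, but a named location reached through `try_files` gets its own configuration context, so the `access_log off; log_not_found off; expires max;` set in `location = /favicon.ico` do not carry over; add at least `access_log off;` and `expires max;` inside `location @empty`, otherwise every page load on a site without a favicon writes an access-log line. The static-file regex in this hunk has the same duplicated `ttf` as the other locations files.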
@ -43,12 +47,12 @@ location ~ /\.(?!well-known\/) {
# alias /var/www/html/.well-known/acme-challenge/; # alias /var/www/html/.well-known/acme-challenge/;
# } # }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
deny all; deny all;
} }
# Deny backup extensions & log files and return 403 forbidden # Deny backup extensions & log files and return 403 forbidden
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all; deny all;
} }
# common nginx configuration to block sql injection and other attacks # common nginx configuration to block sql injection and other attacks
location ~* "(eval\()" { location ~* "(eval\()" {
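Review bot: `tpl` and `sh` are added to the denied-extension list, which is sensible for files shipped inside themes and plugins, but `bak?` in the same list still matches only `.ba` or `.bak`, so `.backup` is not covered; if that was the intent, use `bak(up)?`. The readme regex also repeats `README`/`readme` under a case-insensitive `~*` match, as in the other copies of this file.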
@ -102,32 +106,9 @@ location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all; deny all;
} }
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
deny all; deny all;
} }
# Status pages
location /nginx_status {
stub_status on;
access_log off;
include common/acl.conf;
}
location ~ ^/(status|ping) {
include fastcgi_params;
fastcgi_pass php71;
include common/acl.conf;
}
# EasyEngine (ee) utilities
# phpMyAdmin settings
location /pma {
return 301 https://$host:22222/db/pma;
}
location /phpMyAdmin {
return 301 https://$host:22222/db/pma;
}
location /phpmyadmin {
return 301 https://$host:22222/db/pma;
}
# Adminer settings
location /adminer {
return 301 https://$host:22222/db/adminer;
}
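Review bot: the same unanchored `config|configuration` deny concern applies here as in the php7 locations file; since the three locations files differ only in the `fastcgi_pass` target (`php7`, `php71`, `php72`), consider generating them from one template so regex changes are not hand-copied three times and cannot drift.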

View File

@ -106,32 +106,9 @@ location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all; deny all;
} }
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" { location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
deny all; deny all;
} }
# Status pages
location /nginx_status {
stub_status on;
access_log off;
include common/acl.conf;
}
location ~ ^/(status|ping) {
include fastcgi_params;
include common/acl.conf;
fastcgi_pass php72;
}
# EasyEngine (ee) utilities
# phpMyAdmin settings
location /pma {
return 301 https://$host:22222/db/pma;
}
location /phpMyAdmin {
return 301 https://$host:22222/db/pma;
}
location /phpmyadmin {
return 301 https://$host:22222/db/pma;
}
# Adminer settings
location /adminer {
return 301 https://$host:22222/db/adminer;
}
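Review bot: this hunk removes `settings` from the `\.php` deny list (`config|settings|configuration` becomes `config|configuration`) while the php7 and php71 files gain `config|configuration` only; if dropping `settings` is intentional, say so in the commit message, otherwise the three files now diverge silently.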

View File

@ -2,9 +2,15 @@
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files # Basic locations files
location = /favicon.ico { location = /favicon.ico {
try_files /favicon.ico @empty;
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
}
location @empty {
empty_gif;
} }
location = /robots.txt { location = /robots.txt {
# Some WordPress plugin gererate robots.txt file # Some WordPress plugin gererate robots.txt file
@ -14,7 +20,7 @@ location = /robots.txt {
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
@ -33,19 +39,19 @@ location ~ /\.(?!well-known\/) {
deny all; deny all;
} }
# Use the directory /var/www/html to valide acme-challenge # Use the directory /var/www/html to valide acme-challenge
# just create the sub-directories .well-known/acme-challenge and set www-data as owner # just create the sub-directories .well-known/acme-challenge
# # ####
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge # sudo chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# # ####
location /.well-known/acme-challenge/ { # location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/; # alias /var/www/html/.well-known/acme-challenge/;
} # }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
deny all; deny all;
} }
# Deny backup extensions & log files and return 403 forbidden # Deny backup extensions & log files and return 403 forbidden
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all; deny all;
} }
# common nginx configuration to block sql injection and other attacks # common nginx configuration to block sql injection and other attacks
@ -100,13 +106,9 @@ location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all; deny all;
} }
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
deny all; deny all;
} }
# Status pages
location = /nginx_status {
stub_status on;
access_log off;
include common/acl.conf;
}

View File

@ -19,7 +19,7 @@ pagespeed PreserveUrlRelativity on;
pagespeed AvoidRenamingIntrospectiveJavascript on; pagespeed AvoidRenamingIntrospectiveJavascript on;
#pagespeed MaxInlinedPreviewImagesIndex -1; #pagespeed MaxInlinedPreviewImagesIndex -1;
pagespeed EnableFilters convert_meta_tags,extend_cache,rewrite_javascript_inline; pagespeed EnableFilters convert_meta_tags,extend_cache,rewrite_javascript_inline;
pagespeed Domain *.virtubox.net; #pagespeed Domain *.yourdomain.tld;
location /ngx_pagespeed_statistics { include common/acl.conf; } location /ngx_pagespeed_statistics { include common/acl.conf; }
location /ngx_pagespeed_global_statistics { include common/acl.conf; } location /ngx_pagespeed_global_statistics { include common/acl.conf; }
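Review bot: replacing the hard-coded `pagespeed Domain *.virtubox.net` with a commented `*.yourdomain.tld` placeholder is right for a template, but the two statistics locations remain active and are gated only by `common/acl.conf`; confirm that file restricts them to trusted addresses, because `/ngx_pagespeed_statistics` and `/ngx_pagespeed_global_statistics` expose server internals.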

View File

@ -0,0 +1,10 @@
# PHP NGINX CONFIGURATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php71-sock;
}
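Review bot: `try_files $uri =404;` ahead of `fastcgi_pass` is the right guard against PATH_INFO script spoofing, but the block relies on the included `fastcgi_params` to set `SCRIPT_FILENAME`; upstream nginx's `fastcgi_params` does not define it (that is what `fastcgi.conf` adds), so confirm the `fastcgi_params` shipped with this setup sets it, or add `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` explicitly. The identical php72 snippet below has the same dependency.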

View File

@ -0,0 +1,10 @@
# PHP NGINX CONFIGURATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php72-sock;
}

View File

@ -1,21 +0,0 @@
# nginx common web app exploits protection
location ~* "(eval\()" { deny all; }
location ~* "(127\.0\.0\.1)" { deny all; }
location ~* "([a-z0-9]{2000})" { deny all; }
location ~* "(javascript\:)(.*)(\;)" { deny all; }
location ~* "(base64_encode)(.*)(\()" { deny all; }
location ~* "(GLOBALS|REQUEST)(=|\[|%)" { deny all; }
location ~* "(<|%3C).*script.*(>|%3)" { deny all; }
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; }
location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; }
location ~* "(https?|ftp|php):/" { deny all; }
location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; }
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; }
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { deny all; }
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; }
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { deny all; }
location ~* "\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { deny all; }
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { deny all; }
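Review bot: deleting this standalone exploit-protection file is safe only because the same `deny all` patterns still live in the per-PHP-version locations files touched above (the `eval\(`, `etc/passwd` and `timthumb`-style rules appear in both); any vhost that included this file by name will now fail `nginx -t`, so grep sites-available for the old include path before merging, and mention the consolidation in the commit message.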

View File

@ -0,0 +1,25 @@
# wordpress fastcgi cache configuration
add_header X-fastcgi-cache $upstream_cache_status;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php7-sock;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache WORDPRESS;
fastcgi_cache_valid 200 60m;
}
location ~ /purge(/.*) {
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
access_log off;
}
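Review bot: `location ~ /purge(/.*)` has no access control, so any client can evict cache entries for any URL of the site; add `include common/acl.conf;` or `allow 127.0.0.1; deny all;` the way the status pages are protected. The block also depends on `$skip_cache` and the `WORDPRESS` cache zone being defined at http level and on `fastcgi_cache_purge` being provided by the ngx_cache_purge module; none of these prerequisites are visible in this commit, so document them. The php71 and php72 copies below share all three points.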

View File

@ -0,0 +1,25 @@
# wordpress fastcgi cache configuration
add_header X-fastcgi-cache $upstream_cache_status;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php71-sock;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache WORDPRESS;
fastcgi_cache_valid 200 60m;
}
location ~ /purge(/.*) {
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
access_log off;
}

View File

@ -0,0 +1,25 @@
# wordpress fastcgi cache configuration
add_header X-fastcgi-cache $upstream_cache_status;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php72-sock;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache WORDPRESS;
fastcgi_cache_valid 200 60m;
}
location ~ /purge(/.*) {
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
access_log off;
}

View File

@ -12,22 +12,26 @@ location = /wp-config.txt {
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder and add webp rewrite # webp rewrite rules for jpg and png images
location /wp-content/uploads/ { # try to load alternative image.png.webp before image.png
location ~ \.php$ { location ~ ^/wp-content/uploads/.*\.(png|jpe?g)$ {
#Prevent Direct Access Of PHP Files From Web Browsers add_header Vary "Accept-Encoding";
deny all; add_header "Access-Control-Allow-Origin" "*";
} add_header Cache-Control "public, no-transform";
# webp rewrite rules access_log off;
location ~ \.(png|jpe?g)$ { log_not_found off;
add_header Vary "Accept-Encoding"; expires max;
add_header "Access-Control-Allow-Origin" "*"; try_files $uri$webp_suffix $uri =404;
add_header Cache-Control "public, no-transform"; }
access_log off; # Deny access to any files with a .php extension in the uploads directory for the single site
log_not_found off; location ~ ^/wp-content/uploads/.*\.php$ {
expires max; deny all;
try_files $uri$webp_suffix $uri =404; }
} # Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
} }
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php # add the following line to wp-config.php
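Review bot: the deny for `^/wp-content/uploads/.*\.php$` is now a top-level regex location, and nginx uses the first regex location that matches in configuration order, so this file must be included before the generic `location ~ \.php$` handler from the php/wpfc snippets; otherwise the handler wins and PHP files in uploads are executed. The third block, `~* /(?:uploads|files)/.*\.php$`, already matches everything the second one does, so the single-site block is redundant and can be dropped.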

View File

@ -12,22 +12,26 @@ location = /wp-config.txt {
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder and add webp rewrite # webp rewrite rules for jpg and png images
location /wp-content/uploads/ { # try to load alternative image.png.webp before image.png
location ~ \.php$ { location ~ ^/wp-content/uploads/.*\.(png|jpe?g)$ {
#Prevent Direct Access Of PHP Files From Web Browsers add_header Vary "Accept-Encoding";
deny all; add_header "Access-Control-Allow-Origin" "*";
} add_header Cache-Control "public, no-transform";
# webp rewrite rules access_log off;
location ~ \.(png|jpe?g)$ { log_not_found off;
add_header Vary "Accept-Encoding"; expires max;
add_header "Access-Control-Allow-Origin" "*"; try_files $uri$webp_suffix $uri =404;
add_header Cache-Control "public, no-transform"; }
access_log off; # Deny access to any files with a .php extension in the uploads directory for the single site
log_not_found off; location ~ ^/wp-content/uploads/.*\.php$ {
expires max; deny all;
try_files $uri$webp_suffix $uri =404; }
} # Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
} }
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php # add the following line to wp-config.php

View File

@ -12,22 +12,26 @@ location = /wp-config.txt {
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder and add webp rewrite # webp rewrite rules for jpg and png images
location /wp-content/uploads/ { # try to load alternative image.png.webp before image.png
location ~ \.php$ { location /wp-content/uploads/.*\.(png|jpe?g)$ {
#Prevent Direct Access Of PHP Files From Web Browsers add_header Vary "Accept-Encoding";
deny all; add_header "Access-Control-Allow-Origin" "*";
} add_header Cache-Control "public, no-transform";
# webp rewrite rules access_log off;
location ~ \.(png|jpe?g)$ { log_not_found off;
add_header Vary "Accept-Encoding"; expires max;
add_header "Access-Control-Allow-Origin" "*"; try_files $uri$webp_suffix $uri =404;
add_header Cache-Control "public, no-transform"; }
access_log off; # Deny access to any files with a .php extension in the uploads directory for the single site
log_not_found off; location ~ ^/wp-content/uploads/.*\.php$ {
expires max; deny all;
try_files $uri$webp_suffix $uri =404; }
} # Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
} }
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php # add the following line to wp-config.php
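Review bot: the line `location /wp-content/uploads/.*\.(png|jpe?g)$ {` is missing the `~` modifier, so nginx parses it as a prefix location whose literal prefix is `/wp-content/uploads/.*\.(png|jpe?g)$`, which no request will ever match; the webp rewrite is dead in this copy of the file. It should read `location ~ ^/wp-content/uploads/.*\.(png|jpe?g)$ {` as in the other two copies, and the include-order caveat for the uploads `\.php` deny applies here as well.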

View File

@ -1,5 +1,7 @@
# $remote_addr rewriting in case of NGINX behind CloudFlare. ##
# See also mod_cloudflare Apache module configuration. # nginx-cloudflare-real-ip - restore visitor IP under Cloudflare CDN
##
# Source : https://virtubox.github.io/nginx-cloudflare-real-ip/
set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.22.200.0/22;
@ -16,12 +18,10 @@ set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22; set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17; set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32; set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32; set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32; set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32; set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29; set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP; real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
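Review bot: this hunk drops `set_real_ip_from 2405:8100::/32` (only `2405:b500::/32` is moved up), and that prefix is on Cloudflare's published IPv6 list; without it, requests arriving through that range keep the edge address as `$remote_addr`, so `limit_req_zone` and fail2ban act on Cloudflare's IP instead of the visitor's. Confirm against https://www.cloudflare.com/ips/ before removing it, or better, generate this file from that source so the list cannot go stale.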

View File

@ -0,0 +1,15 @@
server {
listen 127.0.0.1:80;
server_name 127.0.0.1;
location ~ ^/(stub_status|nginx_status)$ {
stub_status on;
allow 127.0.0.1;
deny all;
}
location ~ ^/(status|ping) {
include fastcgi_params;
allow 127.0.0.1;
deny all;
fastcgi_pass php7;
}
}
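Review bot: `listen 127.0.0.1:80` is a more specific address:port than the default server's `listen 80`, and nginx selects by address:port before it looks at `server_name`, so every request arriving on 127.0.0.1:80 lands in this block regardless of the Host header; local health checks or scripts that hit `http://127.0.0.1/` with a real site's Host header will get this status server instead of the vhost. If that is not intended, move it to another loopback port. The `/status|/ping` block additionally requires `pm.status_path` and `ping.path` to be enabled in the php-fpm pool, and `allow 127.0.0.1; deny all;` is redundant but harmless on a loopback-only listener.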

View File

@ -1,6 +1,10 @@
# Common upstream settings # Common upstream settings
##################
# php5.6-fpm
##################
upstream php { upstream php {
# server unix:/run/php5-fpm.sock;
server 127.0.0.1:9000; server 127.0.0.1:9000;
} }
upstream debug { upstream debug {
@ -8,9 +12,11 @@ upstream debug {
server 127.0.0.1:9001; server 127.0.0.1:9001;
} }
####### php7.0-fpm ##################
# php7.0-fpm
##################
# php7.0-fpm TCP # TCP/IP on loopback interface
upstream php7 { upstream php7 {
server 127.0.0.1:9070; server 127.0.0.1:9070;
} }
@ -19,7 +25,7 @@ upstream debug7 {
server 127.0.0.1:9170; server 127.0.0.1:9170;
} }
# php7.0-fpm socket # load-balancing on unix socket
upstream php7-sock { upstream php7-sock {
least_conn; least_conn;
@ -29,14 +35,16 @@ server unix:/var/run/php7-two-fpm.sock;
keepalive 5; keepalive 5;
} }
####### php7.1-fpm ##################
# php7.1-fpm
##################
# php7.1-fpm TCP # TCP/IP on loopback interface
upstream php71 { upstream php71 {
server 127.0.0.1:9080; server 127.0.0.1:9080;
} }
# php7.1-fpm socket # load-balancing on unix socket
upstream php71-sock { upstream php71-sock {
least_conn; least_conn;
@ -46,14 +54,16 @@ server unix:/var/run/php71-two-fpm.sock;
keepalive 5; keepalive 5;
} }
####### php7.2-fpm ##################
# php7.2-fpm
##################
# php7.2-fpm TCP # TCP/IP on loopback interface
upstream php72 { upstream php72 {
server 127.0.0.1:9090; server 127.0.0.1:9090;
} }
# php7.2-fpm socket # load-balancing on unix socket
upstream php72-sock { upstream php72-sock {
least_conn; least_conn;
@ -63,12 +73,19 @@ server unix:/var/run/php72-two-fpm.sock;
keepalive 5; keepalive 5;
} }
##################
# redis # redis
##################
upstream redis { upstream redis {
server 127.0.0.1:6379; server 127.0.0.1:6379;
keepalive 10; keepalive 10;
} }
# netdata (optional)
##################
# netdata
##################
upstream netdata { upstream netdata {
server 127.0.0.1:19999; server 127.0.0.1:19999;
keepalive 64; keepalive 64;
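Review bot: every `keepalive N` in these upstreams only takes effect for FastCGI traffic if the locations that use them also set `fastcgi_keep_conn on;`; none of the php/wpfc snippets added in this commit do, so the keepalive directives on the php7/php71/php72 upstreams are currently inert. Either add `fastcgi_keep_conn on;` next to `fastcgi_pass` or drop the directives so the file does not promise pooling it does not deliver.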

View File

@ -38,12 +38,15 @@ http
limit_req_status 403; limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s; limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation ##
##Max c/s by ip # Simple DOS mitigation
##
# Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m; #limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80; #limit_conn limit_per_ip 80;
##Max rq/s by ip # Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s; #limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay; #limit_req zone=allips burst=400 nodelay;
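Review bot: `limit_req_zone ... zone=one:10m rate=1r/s` keyed on `$remote_addr_ipscrub` defines a zone, but nothing in this hunk applies it with `limit_req zone=one`, and the connection and request limits below stay commented out, so the "Simple DOS mitigation" block is documentation rather than active policy; say in the comment that it is opt-in, or enable a conservative `limit_conn` so the heading is not misleading.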
@ -54,7 +57,7 @@ http
fastcgi_read_timeout 120s; fastcgi_read_timeout 120s;
client_max_body_size 100m; client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/ # See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads; aio threads;
# tls dynamic records patch directive # tls dynamic records patch directive
@ -63,6 +66,7 @@ http
# nginx-vts-status module # nginx-vts-status module
vhost_traffic_status_zone; vhost_traffic_status_zone;
# oscp settings
resolver 8.8.8.8 1.1.1.1 valid=300s; resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 10; resolver_timeout 10;
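Review bot: the new comment `# oscp settings` should read `# OCSP settings`; the `resolver` line it introduces exists so that OCSP stapling can look up the responder, and the lookups go to 8.8.8.8 and 1.1.1.1, so stapling depends on outbound DNS being reachable from the host, which is worth stating for firewalled deployments.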
@ -84,7 +88,7 @@ http
ssl_session_tickets off; ssl_session_tickets off;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1; ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
##Common headers for security # Common security headers
more_set_headers "X-Frame-Options : SAMEORIGIN"; more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block"; more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "X-Content-Type-Options : nosniff";
@ -101,13 +105,13 @@ http
## ##
# Logging Settings # Logging Settings
# access_log disabled for performance
## ##
# disable access_log for performance
access_log off; access_log off;
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log;
# Log format Settings # Log format Settings - user IP hashed with the module ipscrub
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] ' log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent ' '$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol'; '"$http_referer" "$http_user_agent" $server_protocol';

View File

@ -1,19 +1,23 @@
## ##
# You should look at the following URL's in order to grasp a solid understanding # You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx. # of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls # https://www.nginx.com/resources/wiki/start/
# http://wiki.nginx.org/QuickStart # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# http://wiki.nginx.org/Configuration # https://wiki.debian.org/Nginx/DirectoryStructure
# #
# Generally, you will want to move this file somewhere, and start with a clean # In most cases, administrators will remove this file from sites-enabled/ and
# file but keep this around for reference. Or just disable in sites-enabled. # leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
# #
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
## ##
# Default server configuration # Default server configuration
# #
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
@ -23,13 +27,16 @@ server {
# listen 443 ssl default_server; # listen 443 ssl default_server;
# listen [::]:443 ssl default_server; # listen [::]:443 ssl default_server;
# #
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package # Self signed certs generated by the ssl-cert package
# Don't use them in a production server! # Don't use them in a production server!
# include snippets/snakeoil.conf;
# #
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # dont use SSLv3 ref: POODLE # include snippets/snakeoil.conf;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
root /var/www/html; root /var/www/html;
@ -37,9 +44,6 @@ server {
index index.html index.htm index.nginx-debian.html; index index.html index.htm index.nginx-debian.html;
server_name _; server_name _;
access_log off;
error_log /var/log/nginx/default.error.log;
location / { location / {
# First attempt to serve request as file, then # First attempt to serve request as file, then
@ -47,40 +51,15 @@ server {
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
location /stub_status { # pass PHP scripts to FastCGI server
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
# Status pages
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
# phpfpm pool monitoring
location ~ ^/(status|ping) {
include fastcgi_params;
fastcgi_pass php7;
include common/acl.conf;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
# #
#location ~ \.php$ { #location ~ \.php$ {
# include snippets/fastcgi-php.conf; # include snippets/fastcgi-php.conf;
# #
# # With php5-cgi alone: # # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000; # fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
# fastcgi_pass unix:/var/run/php5-fpm.sock;
#} #}
# deny access to .htaccess files, if Apache's document root # deny access to .htaccess files, if Apache's document root
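Review bot: the `/stub_status`, `/nginx_status` and php-fpm `/status|/ping` locations removed from the default server reappear in the new loopback-only server block added in this commit; make sure that file is actually included from nginx.conf or sites-enabled, otherwise monitoring that points at `http://127.0.0.1/nginx_status` breaks silently. For local callers the behaviour is otherwise unchanged, since the removed locations already allowed only 127.0.0.1.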

View File

@ -36,6 +36,9 @@ AcceptEnv LANG LC_*
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server
# Host keys the client accepts - order here is honored by OpenSSH
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
# use strong ciphers (you may have to comment those lines with some sftp clients) # use strong ciphers (you may have to comment those lines with some sftp clients)
KexAlgorithms curve25519-sha256@libssh.org KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com Ciphers chacha20-poly1305@openssh.com
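Review bot: the comment says these are the host key types "the client accepts", but this is sshd_config (note `Subsystem sftp`), where `HostKeyAlgorithms` lists the host key signature algorithms the server offers; reword it. The list also keeps `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, which sign with SHA-1, ahead of the ECDSA entries while the neighbouring comment advertises strong ciphers; prefer `rsa-sha2-512`/`rsa-sha2-256` where the installed OpenSSH supports them and move `ssh-rsa` to the end of the list.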

View File

@ -1,6 +1,6 @@
# Kernel sysctl configuration file for Linux # Kernel sysctl configuration file for Linux
# #
# Version 1.14 - 2018-09-13 # Version 1.15 - 2018-10-13
# Michiel Klaver - IT Professional # Michiel Klaver - IT Professional
# Modified by VirtuBox # Modified by VirtuBox
# #
@ -174,9 +174,10 @@ net.ipv6.conf.default.accept_ra_pinfo = 0
### TUNING NETWORK PERFORMANCE ### ### TUNING NETWORK PERFORMANCE ###
### ###
# For high-bandwidth low-latency networks, use 'htcp' congestion control # enable BBR congestion control and set tcp_notsent_lowat to 16KB for HTTP/2 prioritization to work reliably
# Do a 'modprobe tcp_htcp' first # source : https://blog.cloudflare.com/http-2-prioritization-with-nginx/
net.ipv4.tcp_congestion_control = htcp net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_notsent_lowat = 16384
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12) # For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
net.core.default_qdisc = fq net.core.default_qdisc = fq
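Review bot: switching `net.ipv4.tcp_congestion_control` to `bbr` requires the `tcp_bbr` module (kernel 4.9 or later) to be loaded before sysctl applies this file, just as the removed comment required `modprobe tcp_htcp`; since the modprobe hint is gone, add a `/etc/modules-load.d/` entry or keep a comment, otherwise `sysctl --system` reports "No such file or directory" for this key on boot. Keeping `net.core.default_qdisc = fq` alongside it is correct, as BBR is meant to run with the fq scheduler.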