full rewrite of documentation
* new HTML presentation with a table of contents * clone the repository once instead of downloading each configuration file individually * various configuration updates
This commit is contained in:
parent
57cccbc844
commit
51235bc0ef
241
README.md
241
README.md
|
@ -18,32 +18,37 @@
|
||||||
|
|
||||||
Configuration files with comments and informations available by following the link **source**
|
Configuration files with comments and informations available by following the link **source**
|
||||||
|
|
||||||
### Initial configuration
|
## Initial configuration
|
||||||
|
|
||||||
#### System update and packages cleanup
|
### System update and packages cleanup
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
|
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Install useful packages
|
### Install useful packages
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y
|
sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Tweak Kernel & Increase open files limits
|
### Clone the repository
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git $HOME/ubuntu-nginx-web-server
|
||||||
|
```
|
||||||
|
|
||||||
|
### Tweak Kernel & Increase open files limits
|
||||||
|
|
||||||
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
modprobe tcp_htcp
|
cp $HOME/ubuntu-nginx-web-server/etc/sysctl.d/60-ubuntu-nginx-web-server.conf /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
|
||||||
wget -O /etc/sysctl.d/60-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
|
|
||||||
sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
|
sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
|
||||||
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
|
cp -f $HOME/ubuntu-nginx-web-server/etc/security/limits.conf /etc/security/limits.conf
|
||||||
```
|
```
|
||||||
|
|
||||||
#### disable transparent hugepage for redis
|
### disable transparent hugepage for redis
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||||
|
@ -51,9 +56,9 @@ echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||||
|
|
||||||
* * *
|
* * *
|
||||||
|
|
||||||
### EasyEngine Setup
|
## EasyEngine Setup
|
||||||
|
|
||||||
#### Install MariaDB 10.3
|
### Install MariaDB 10.3
|
||||||
|
|
||||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||||
|
|
||||||
|
@ -62,12 +67,12 @@ bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --ma
|
||||||
sudo apt update && sudo apt install mariadb-server -y
|
sudo apt update && sudo apt install mariadb-server -y
|
||||||
```
|
```
|
||||||
|
|
||||||
#### MySQL Tuning
|
### MySQL Tuning
|
||||||
|
|
||||||
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
|
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
|
cp -f $HOME/ubuntu-nginx-web-server/etc/mysql/my.cnf /etc/mysql/my.cnf
|
||||||
```
|
```
|
||||||
|
|
||||||
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
|
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
|
||||||
|
@ -81,16 +86,16 @@ sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
|
||||||
sudo service mysql start
|
sudo service mysql start
|
||||||
```
|
```
|
||||||
|
|
||||||
Increase MariaDB open files limits
|
### Increase MariaDB open files limits
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
|
cp -f $HOME/ubuntu-nginx-web-server/etc/systemd/system/mariadb.service.d/limits.conf /etc/systemd/system/mariadb.service.d/limits.conf
|
||||||
|
|
||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl restart mariadb
|
sudo systemctl restart mariadb
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Install EasyEngine
|
## Install EasyEngine
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
|
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
|
||||||
|
@ -99,27 +104,27 @@ sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME
|
||||||
wget -qO ee rt.cx/ee && bash ee
|
wget -qO ee rt.cx/ee && bash ee
|
||||||
```
|
```
|
||||||
|
|
||||||
#### enable ee bash_completion
|
### enable ee bash_completion
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
source /etc/bash_completion.d/ee_auto.rc
|
source /etc/bash_completion.d/ee_auto.rc
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
|
### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ee stack install
|
ee stack install
|
||||||
ee stack install --php7 --redis --admin --phpredisadmin
|
ee stack install --php7 --redis --admin --phpredisadmin
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Set your email instead of root@localhost
|
### Set your email instead of root@localhost
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
echo 'root: my.email@address.com' >> /etc/aliases
|
echo 'root: my.email@address.com' >> /etc/aliases
|
||||||
newaliases
|
newaliases
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Install Composer - Fix phpmyadmin install issue
|
### Install Composer - Fix phpmyadmin install issue
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/ ||exit
|
cd ~/ ||exit
|
||||||
|
@ -130,143 +135,138 @@ chown www-data:www-data /var/www
|
||||||
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
|
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Allow shell for www-data for SFTP usage
|
### Allow shell for www-data for SFTP usage
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
usermod -s /bin/bash www-data
|
usermod -s /bin/bash www-data
|
||||||
```
|
```
|
||||||
|
|
||||||
### PHP 7.1 & 7.2 Setup
|
## PHP 7.1 & 7.2 Setup
|
||||||
|
|
||||||
#### Install php7.1-fpm
|
### Install php7.1-fpm
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# php7.1-fpm
|
# php7.1-fpm
|
||||||
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
|
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
|
||||||
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
|
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
|
||||||
|
|
||||||
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
|
# copy php-fpm pools & php.ini configuration
|
||||||
|
cp -rf $HOME/ubuntu-nginx-web-server/etc/php/7.1/fpm/* /etc/php/7.1/fpm/
|
||||||
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
|
|
||||||
service php7.1-fpm restart
|
service php7.1-fpm restart
|
||||||
|
|
||||||
|
git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.1 configuration"
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Install php7.2-fpm
|
### Install php7.2-fpm
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# php7.2-fpm
|
# php7.2-fpm
|
||||||
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
|
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring php7.2-bcmath -y
|
||||||
|
|
||||||
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
|
# copy php-fpm pools & php.ini configuration
|
||||||
|
cp -rf $HOME/ubuntu-nginx-web-server/etc/php/7.2/fpm/* /etc/php/7.2/fpm/
|
||||||
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
|
|
||||||
service php7.2-fpm restart
|
service php7.2-fpm restart
|
||||||
|
|
||||||
|
git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.2 configuration"
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
#### add nginx upstreams
|
## NGINX Configuration
|
||||||
|
|
||||||
|
### Additional Nginx configuration (/etc/nginx/conf.d)
|
||||||
|
|
||||||
|
- New upstreams (php7.1, php7.2, netdata) : upstream.conf
|
||||||
|
- webp image mapping : webp.conf
|
||||||
|
- new fastcgi_cache_bypass mapping for wordpress : map-wp-fastcgi-cache.conf
|
||||||
|
- stub_status configuration on 127.0.0.1:80 : stub_status.conf
|
||||||
|
- restore visitor real IP under cloudflare : cloudflare.conf
|
||||||
|
- mitigate WordPress DoS attack
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
# copy all common nginx configurations
|
||||||
service nginx reload
|
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
|
||||||
|
|
||||||
|
# commit change with git
|
||||||
|
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update conf.d configurations"
|
||||||
```
|
```
|
||||||
|
|
||||||
#### add ee common configuration
|
### EE common configuration
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd /etc/nginx/common || exit
|
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/common/* /etc/nginx/common/
|
||||||
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
|
|
||||||
unzip common.zip
|
# commit change with git
|
||||||
|
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update common configurations"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
bash <(wget-qO - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||||
```
|
```
|
||||||
|
|
||||||
* * *
|
* * *
|
||||||
|
|
||||||
### Custom configurations
|
## Custom configurations
|
||||||
|
|
||||||
#### clean php-fpm php.ini configuration
|
### clean php-fpm php.ini configuration
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# PHP 7.0
|
# PHP 7.0
|
||||||
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
|
cp -rf $HOME/ubuntu-nginx-web-server/etc/php/7.0/* /etc/php/7.0/
|
||||||
service php7.0-fpm restart
|
service php7.0-fpm restart
|
||||||
|
|
||||||
|
git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.2 configuration"
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Nginx optimized configurations
|
### Nginx optimized configurations
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# TLSv1.2 TLSv1.3 only
|
# TLSv1.2 TLSv1.3 only
|
||||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
|
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||||
|
|
||||||
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
|
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
|
||||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
|
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf
|
||||||
|
|
||||||
# TLSv1.2 only
|
# TLSv1.2 only
|
||||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
|
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf
|
||||||
|
|
||||||
|
# commit change with git
|
||||||
|
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update nginx.conf configurations"
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Nginx configuration for netdata & new upstreams
|
### Nginx configuration for netdata
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
|
||||||
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
|
|
||||||
|
|
||||||
# add netdata, php7.1 and php7.2 upstream
|
|
||||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
|
||||||
|
|
||||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||||
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
|
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
|
||||||
|
|
||||||
|
# commit change with git
|
||||||
|
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update 22222 configuration"
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Increase Nginx open files limits
|
#### Increase Nginx open files limits
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
||||||
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
|
cp -f $HOME/ubuntu-nginx-web-server/etc/systemd/system/nginx.service.d/limits.conf /etc/systemd/system/nginx.service.d/limits.conf
|
||||||
|
|
||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl restart nginx.service
|
sudo systemctl restart nginx.service
|
||||||
```
|
```
|
||||||
|
|
||||||
#### wpcommon-php7x configurations
|
|
||||||
|
|
||||||
- webp rewrite rules added
|
|
||||||
- DoS attack CVE fix added
|
|
||||||
- php7.1 & php7.2 configuration added
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# 1) add webp mapping
|
|
||||||
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
|
|
||||||
|
|
||||||
# 2) wpcommon files
|
|
||||||
# php7
|
|
||||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
|
|
||||||
|
|
||||||
# php7.1
|
|
||||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
|
|
||||||
|
|
||||||
# php7.2
|
|
||||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
|
|
||||||
|
|
||||||
nginx -t
|
|
||||||
service nginx reload
|
|
||||||
```
|
|
||||||
|
|
||||||
* * *
|
* * *
|
||||||
|
|
||||||
### Security
|
## Security
|
||||||
|
|
||||||
#### Harden SSH Security
|
### Harden SSH Security
|
||||||
|
|
||||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
||||||
|
|
||||||
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
|
cp -f $HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config /etc/ssh/sshd_config
|
||||||
|
|
||||||
#### UFW
|
### UFW
|
||||||
|
|
||||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||||
|
|
||||||
|
@ -276,23 +276,30 @@ ufw logging low
|
||||||
ufw default allow outgoing
|
ufw default allow outgoing
|
||||||
ufw default deny incoming
|
ufw default deny incoming
|
||||||
|
|
||||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
# allow incoming traffic on SSH port
|
||||||
ufw allow 22
|
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
|
||||||
|
ufw allow $CURRENT_SSH_PORT
|
||||||
|
|
||||||
|
# DNS - HTTP/S - FTP - NTP - RSYNC - DHCP - SNMP - Librenms - Netdata - EE Backend
|
||||||
ufw allow 53
|
ufw allow 53
|
||||||
ufw allow http
|
ufw allow http
|
||||||
ufw allow https
|
ufw allow https
|
||||||
ufw allow 21
|
ufw allow 21
|
||||||
ufw allow 123
|
ufw allow 123
|
||||||
ufw allow 161
|
ufw allow 161
|
||||||
|
ufw allow 68
|
||||||
|
ufw allow 546
|
||||||
|
ufw allow 873
|
||||||
ufw allow 6556
|
ufw allow 6556
|
||||||
ufw allow 19999
|
ufw allow 19999
|
||||||
ufw allow 22222
|
ufw allow 22222
|
||||||
|
|
||||||
|
|
||||||
# enable UFW
|
# enable UFW
|
||||||
ufw enable
|
ufw enable
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Custom jails for fail2ban
|
### Custom jails for fail2ban
|
||||||
|
|
||||||
- wordpress bruteforce
|
- wordpress bruteforce
|
||||||
- ssh
|
- ssh
|
||||||
|
@ -301,34 +308,38 @@ ufw enable
|
||||||
- nginx bad bots
|
- nginx bad bots
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
|
cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
|
||||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
|
cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/
|
||||||
wget -O /etc/fail2ban/filter.d/nginx-forbidden.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/nginx-forbidden.conf
|
|
||||||
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
|
|
||||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
|
|
||||||
|
|
||||||
fail2ban-client reload
|
fail2ban-client reload
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Secure Memcached server
|
### Secure Memcached server
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
echo '-U 0' >> /etc/memcached.conf
|
echo '-U 0' >> /etc/memcached.conf
|
||||||
sudo systemctl restart memcached
|
sudo systemctl restart memcached
|
||||||
```
|
```
|
||||||
|
|
||||||
### Optional
|
If you do not use memcached, you can safely stop and disable it :
|
||||||
|
|
||||||
#### ee-acme-sh
|
```bash
|
||||||
|
sudo systemctl stop memcached
|
||||||
|
sudo systemctl disable memcached.service
|
||||||
|
```
|
||||||
|
|
||||||
|
## Optional
|
||||||
|
|
||||||
|
### ee-acme-sh
|
||||||
|
|
||||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
||||||
|
|
||||||
* subdomain support
|
- subdomain support
|
||||||
* ivp6 support
|
- ivp6 support
|
||||||
* wildcards certificates support
|
- wildcards certificates support
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
|
wget-qO install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
|
||||||
chmod +x install-ee-acme.sh
|
chmod +x install-ee-acme.sh
|
||||||
./install-ee-acme.sh
|
./install-ee-acme.sh
|
||||||
|
|
||||||
|
@ -336,7 +347,7 @@ chmod +x install-ee-acme.sh
|
||||||
source .bashrc
|
source .bashrc
|
||||||
```
|
```
|
||||||
|
|
||||||
#### netdata
|
### netdata
|
||||||
|
|
||||||
[Github repository](https://github.com/firehol/netdata)
|
[Github repository](https://github.com/firehol/netdata)
|
||||||
|
|
||||||
|
@ -349,11 +360,11 @@ echo 1 >/sys/kernel/mm/ksm/run
|
||||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||||
|
|
||||||
# disable email notifications
|
# disable email notifications
|
||||||
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
|
sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health_alarm_notify.conf
|
||||||
service netdata restart
|
service netdata restart
|
||||||
```
|
```
|
||||||
|
|
||||||
#### cht.sh (cheat)
|
### cht.sh (cheat)
|
||||||
|
|
||||||
[Github repository](https://github.com/chubin/cheat.sh)
|
[Github repository](https://github.com/chubin/cheat.sh)
|
||||||
|
|
||||||
|
@ -387,7 +398,7 @@ root@vps:~ cheat cat
|
||||||
cat -n file
|
cat -n file
|
||||||
```
|
```
|
||||||
|
|
||||||
#### nanorc - Improved Nano Syntax Highlighting Files
|
### nanorc - Improved Nano Syntax Highlighting Files
|
||||||
|
|
||||||
[Github repository](https://github.com/scopatz/nanorc)
|
[Github repository](https://github.com/scopatz/nanorc)
|
||||||
|
|
||||||
|
@ -395,34 +406,18 @@ root@vps:~ cheat cat
|
||||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
||||||
```
|
```
|
||||||
|
|
||||||
#### ucaresystem - script to update & cleanup packages easily
|
### Add WP-CLI & bash-completion for user www-data
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo add-apt-repository ppa:utappia/stable -y
|
|
||||||
sudo apt update
|
|
||||||
sudo apt install ucaresystem-core -y
|
|
||||||
```
|
|
||||||
|
|
||||||
Run server maintenance with the command :
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo ucaresystem-core
|
|
||||||
```
|
|
||||||
|
|
||||||
### WP-CLI
|
|
||||||
|
|
||||||
#### Add bash-completion for user www-data
|
|
||||||
|
|
||||||
```bashrc
|
```bashrc
|
||||||
# download wp-cli bash_completion
|
# download wp-cli bash_completion
|
||||||
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
|
cp -f $HOME/ubuntu-nginx-web-server/etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
|
||||||
|
|
||||||
# change /var/www owner
|
# change /var/www owner
|
||||||
chown www-data:www-data /var/www
|
chown www-data:www-data /var/www
|
||||||
|
|
||||||
# download .profile & .bashrc for www-data
|
# download .profile & .bashrc for www-data
|
||||||
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
|
cp -f $HOME/ubuntu-nginx-web-server/var/www/.profile /var/www/.profile
|
||||||
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
|
cp -f $HOME/ubuntu-nginx-web-server/var/www/.bashrc /var/www/.bashrc
|
||||||
|
|
||||||
# set owner
|
# set owner
|
||||||
chown www-data:www-data /var/www/.profile
|
chown www-data:www-data /var/www/.profile
|
||||||
|
@ -438,9 +433,6 @@ Installation
|
||||||
```bash
|
```bash
|
||||||
# clone the github repository
|
# clone the github repository
|
||||||
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
|
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
|
||||||
|
|
||||||
# download nginx configuration
|
|
||||||
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Then include this configuration in your nginx vhost by adding the following line
|
Then include this configuration in your nginx vhost by adding the following line
|
||||||
|
@ -449,5 +441,4 @@ Then include this configuration in your nginx vhost by adding the following line
|
||||||
include common/error_pages.conf;
|
include common/error_pages.conf;
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
Published & maintained by [VirtuBox](https://virtubox.net)
|
Published & maintained by [VirtuBox](https://virtubox.net)
|
||||||
|
|
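Review bot: The new `CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')` in the UFW hunk matches every line containing "Port", including the commented `#Port 22` and the `GatewayPorts` directive found in a stock sshd_config, so the variable can end up holding several words or the string "no"; `ufw allow $CURRENT_SSH_PORT` then fails, and with `ufw default deny incoming` already set the `ufw enable` that follows locks the operator out of SSH. Anchor the match to an active `Port` directive, keep a single value, fall back to 22 and restrict the rule to TCP: `CURRENT_SSH_PORT=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}' | head -n 1)` followed by `ufw allow "${CURRENT_SSH_PORT:-22}/tcp"`. Since this grep reads whatever `sshd_config` the earlier `cp -f $HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config /etc/ssh/sshd_config` left on disk, a `sshd -t` after that copy (and keeping the current session open until a second login succeeds) would presumably catch a broken port change before the firewall is turned on. The enclosing ```bash block starts before this hunk (`ufw logging low` appears in the hunk header).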
453
docs/README.md
453
docs/README.md
|
@ -1,453 +0,0 @@
|
||||||
# Optimized configuration for Ubuntu server with EasyEngine
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
## Server Stack
|
|
||||||
|
|
||||||
- Ubuntu 16.04/18.04 LTS
|
|
||||||
- Nginx 1.15.x / 1.14.x
|
|
||||||
- PHP-FPM 7/7.1/7.2
|
|
||||||
- MariaDB 10.3
|
|
||||||
- REDIS 4.0
|
|
||||||
- Memcached
|
|
||||||
- Fail2ban
|
|
||||||
- Netdata
|
|
||||||
- UFW
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
Configuration files with comments and informations available by following the link **source**
|
|
||||||
|
|
||||||
### Initial configuration
|
|
||||||
|
|
||||||
#### System update and packages cleanup
|
|
||||||
|
|
||||||
```bash
|
|
||||||
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Install useful packages
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Tweak Kernel & Increase open files limits
|
|
||||||
|
|
||||||
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
modprobe tcp_htcp
|
|
||||||
wget -O /etc/sysctl.d/60-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
|
|
||||||
sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
|
|
||||||
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
|
|
||||||
```
|
|
||||||
|
|
||||||
#### disable transparent hugepage for redis
|
|
||||||
|
|
||||||
```bash
|
|
||||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
|
||||||
```
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
### EasyEngine Setup
|
|
||||||
|
|
||||||
#### Install MariaDB 10.3
|
|
||||||
|
|
||||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --mariadb-server-version=10.3 --skip-maxscale -y
|
|
||||||
sudo apt update && sudo apt install mariadb-server -y
|
|
||||||
```
|
|
||||||
|
|
||||||
#### MySQL Tuning
|
|
||||||
|
|
||||||
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
|
|
||||||
```
|
|
||||||
|
|
||||||
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo service mysql stop
|
|
||||||
|
|
||||||
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
|
|
||||||
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
|
|
||||||
|
|
||||||
sudo service mysql start
|
|
||||||
```
|
|
||||||
|
|
||||||
Increase MariaDB open files limits
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
|
|
||||||
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
sudo systemctl restart mariadb
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Install EasyEngine
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
|
|
||||||
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
|
|
||||||
|
|
||||||
wget -qO ee rt.cx/ee && bash ee
|
|
||||||
```
|
|
||||||
|
|
||||||
#### enable ee bash_completion
|
|
||||||
|
|
||||||
```bash
|
|
||||||
source /etc/bash_completion.d/ee_auto.rc
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
|
|
||||||
|
|
||||||
```bash
|
|
||||||
ee stack install
|
|
||||||
ee stack install --php7 --redis --admin --phpredisadmin
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Set your email instead of root@localhost
|
|
||||||
|
|
||||||
```bash
|
|
||||||
echo 'root: my.email@address.com' >> /etc/aliases
|
|
||||||
newaliases
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Install Composer - Fix phpmyadmin install issue
|
|
||||||
|
|
||||||
```bash
|
|
||||||
cd ~/ ||exit
|
|
||||||
curl -sS https://getcomposer.org/installer | php
|
|
||||||
mv composer.phar /usr/bin/composer
|
|
||||||
|
|
||||||
chown www-data:www-data /var/www
|
|
||||||
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Allow shell for www-data for SFTP usage
|
|
||||||
|
|
||||||
```bash
|
|
||||||
usermod -s /bin/bash www-data
|
|
||||||
```
|
|
||||||
|
|
||||||
### PHP 7.1 & 7.2 Setup
|
|
||||||
|
|
||||||
#### Install php7.1-fpm
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# php7.1-fpm
|
|
||||||
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
|
|
||||||
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
|
|
||||||
|
|
||||||
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
|
|
||||||
|
|
||||||
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
|
|
||||||
service php7.1-fpm restart
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Install php7.2-fpm
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# php7.2-fpm
|
|
||||||
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
|
|
||||||
|
|
||||||
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
|
|
||||||
|
|
||||||
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
|
|
||||||
service php7.2-fpm restart
|
|
||||||
```
|
|
||||||
|
|
||||||
#### add nginx upstreams
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
|
||||||
service nginx reload
|
|
||||||
```
|
|
||||||
|
|
||||||
#### add ee common configuration
|
|
||||||
|
|
||||||
```bash
|
|
||||||
cd /etc/nginx/common || exit
|
|
||||||
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
|
|
||||||
unzip common.zip
|
|
||||||
```
|
|
||||||
|
|
||||||
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
|
||||||
```
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
### Custom configurations
|
|
||||||
|
|
||||||
#### clean php-fpm php.ini configuration
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# PHP 7.0
|
|
||||||
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
|
|
||||||
service php7.0-fpm restart
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Nginx optimized configurations
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# TLSv1.2 TLSv1.3 only
|
|
||||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
|
|
||||||
|
|
||||||
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
|
|
||||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
|
|
||||||
|
|
||||||
# TLSv1.2 only
|
|
||||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Nginx configuration for netdata & new upstreams
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
|
||||||
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
|
|
||||||
|
|
||||||
# add netdata, php7.1 and php7.2 upstream
|
|
||||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
|
||||||
|
|
||||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
|
||||||
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Increase Nginx open files limits
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
|
||||||
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
|
|
||||||
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
sudo systemctl restart nginx.service
|
|
||||||
```
|
|
||||||
|
|
||||||
#### wpcommon-php7x configurations
|
|
||||||
|
|
||||||
- webp rewrite rules added
|
|
||||||
- DoS attack CVE fix added
|
|
||||||
- php7.1 & php7.2 configuration added
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# 1) add webp mapping
|
|
||||||
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
|
|
||||||
|
|
||||||
# 2) wpcommon files
|
|
||||||
# php7
|
|
||||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
|
|
||||||
|
|
||||||
# php7.1
|
|
||||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
|
|
||||||
|
|
||||||
# php7.2
|
|
||||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
|
|
||||||
|
|
||||||
nginx -t
|
|
||||||
service nginx reload
|
|
||||||
```
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
### Security
|
|
||||||
|
|
||||||
#### Harden SSH Security
|
|
||||||
|
|
||||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
|
||||||
|
|
||||||
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
|
|
||||||
|
|
||||||
#### UFW
|
|
||||||
|
|
||||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# enable ufw log - allow outgoing - deny incoming
|
|
||||||
ufw logging low
|
|
||||||
ufw default allow outgoing
|
|
||||||
ufw default deny incoming
|
|
||||||
|
|
||||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
|
||||||
ufw allow 22
|
|
||||||
ufw allow 53
|
|
||||||
ufw allow http
|
|
||||||
ufw allow https
|
|
||||||
ufw allow 21
|
|
||||||
ufw allow 123
|
|
||||||
ufw allow 161
|
|
||||||
ufw allow 6556
|
|
||||||
ufw allow 19999
|
|
||||||
ufw allow 22222
|
|
||||||
|
|
||||||
# enable UFW
|
|
||||||
ufw enable
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Custom jails for fail2ban
|
|
||||||
|
|
||||||
- wordpress bruteforce
|
|
||||||
- ssh
|
|
||||||
- recidive (after 3 bans)
|
|
||||||
- backend http auth
|
|
||||||
- nginx bad bots
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
|
|
||||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
|
|
||||||
wget -O /etc/fail2ban/filter.d/nginx-forbidden.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/nginx-forbidden.conf
|
|
||||||
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
|
|
||||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
|
|
||||||
|
|
||||||
fail2ban-client reload
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Secure Memcached server
|
|
||||||
|
|
||||||
```bash
|
|
||||||
echo '-U 0' >> /etc/memcached.conf
|
|
||||||
sudo systemctl restart memcached
|
|
||||||
```
|
|
||||||
|
|
||||||
### Optional
|
|
||||||
|
|
||||||
#### ee-acme-sh
|
|
||||||
|
|
||||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
|
||||||
|
|
||||||
* subdomain support
|
|
||||||
* ivp6 support
|
|
||||||
* wildcards certificates support
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
|
|
||||||
chmod +x install-ee-acme.sh
|
|
||||||
./install-ee-acme.sh
|
|
||||||
|
|
||||||
# enable acme.sh & ee-acme-sh
|
|
||||||
source .bashrc
|
|
||||||
```
|
|
||||||
|
|
||||||
#### netdata
|
|
||||||
|
|
||||||
[Github repository](https://github.com/firehol/netdata)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
|
|
||||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
|
||||||
|
|
||||||
# save 40-60% of netdata memory
|
|
||||||
echo 1 >/sys/kernel/mm/ksm/run
|
|
||||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
|
||||||
|
|
||||||
# disable email notifications
|
|
||||||
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
|
|
||||||
service netdata restart
|
|
||||||
```
|
|
||||||
|
|
||||||
#### cht.sh (cheat)
|
|
||||||
|
|
||||||
[Github repository](https://github.com/chubin/cheat.sh)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
curl https://cht.sh/:cht.sh > /usr/bin/cht.sh
|
|
||||||
chmod +x /usr/bin/cht.sh
|
|
||||||
|
|
||||||
|
|
||||||
echo "alias cheat='cht.sh'" >> $HOME/.bashrc
|
|
||||||
source $HOME/.bashrc
|
|
||||||
```
|
|
||||||
|
|
||||||
usage : `cheat <command>`
|
|
||||||
|
|
||||||
```bash
|
|
||||||
root@vps:~ cheat cat
|
|
||||||
# cat
|
|
||||||
|
|
||||||
# Print and concatenate files.
|
|
||||||
|
|
||||||
# Print the contents of a file to the standard output:
|
|
||||||
cat file
|
|
||||||
|
|
||||||
# Concatenate several files into the target file:
|
|
||||||
cat file1 file2 > target_file
|
|
||||||
|
|
||||||
# Append several files into the target file:
|
|
||||||
cat file1 file2 >> target_file
|
|
||||||
|
|
||||||
# Number all output lines:
|
|
||||||
cat -n file
|
|
||||||
```
|
|
||||||
|
|
||||||
#### nanorc - Improved Nano Syntax Highlighting Files
|
|
||||||
|
|
||||||
[Github repository](https://github.com/scopatz/nanorc)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
|
||||||
```
|
|
||||||
|
|
||||||
#### ucaresystem - script to update & cleanup packages easily
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo add-apt-repository ppa:utappia/stable -y
|
|
||||||
sudo apt update
|
|
||||||
sudo apt install ucaresystem-core -y
|
|
||||||
```
|
|
||||||
|
|
||||||
Run server maintenance with the command :
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo ucaresystem-core
|
|
||||||
```
|
|
||||||
|
|
||||||
### WP-CLI
|
|
||||||
|
|
||||||
#### Add bash-completion for user www-data
|
|
||||||
|
|
||||||
```bashrc
|
|
||||||
# download wp-cli bash_completion
|
|
||||||
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
|
|
||||||
|
|
||||||
# change /var/www owner
|
|
||||||
chown www-data:www-data /var/www
|
|
||||||
|
|
||||||
# download .profile & .bashrc for www-data
|
|
||||||
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
|
|
||||||
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
|
|
||||||
|
|
||||||
# set owner
|
|
||||||
chown www-data:www-data /var/www/.profile
|
|
||||||
chown www-data:www-data /var/www/.bashrc
|
|
||||||
```
|
|
||||||
|
|
||||||
### Custom Nginx error pages
|
|
||||||
|
|
||||||
[Github Repository](https://github.com/alexphelps/server-error-pages)
|
|
||||||
|
|
||||||
Installation
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# clone the github repository
|
|
||||||
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
|
|
||||||
|
|
||||||
# download nginx configuration
|
|
||||||
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
|
|
||||||
```
|
|
||||||
|
|
||||||
Then include this configuration in your nginx vhost by adding the following line
|
|
||||||
|
|
||||||
```bash
|
|
||||||
include common/error_pages.conf;
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
Published & maintained by [VirtuBox](https://virtubox.net)
|
|
|
@ -1 +0,0 @@
|
||||||
theme: jekyll-theme-cayman
|
|
|
@ -0,0 +1,88 @@
|
||||||
|
/*
|
||||||
|
|
||||||
|
Atom One Dark by Daniel Gamage
|
||||||
|
Original One Dark Syntax theme from https://github.com/atom/one-dark-syntax
|
||||||
|
|
||||||
|
base: #282c34
|
||||||
|
mono-1: #abb2bf
|
||||||
|
mono-2: #818896
|
||||||
|
mono-3: #5c6370
|
||||||
|
hue-1: #56b6c2
|
||||||
|
hue-2: #61aeee
|
||||||
|
hue-3: #c678dd
|
||||||
|
hue-4: #98c379
|
||||||
|
hue-5: #e06c75
|
||||||
|
hue-5-2: #be5046
|
||||||
|
hue-6: #d19a66
|
||||||
|
hue-6-2: #e6c07b
|
||||||
|
|
||||||
|
*/
|
||||||
|
|
||||||
|
.hljs {
|
||||||
|
display: block;
|
||||||
|
overflow-x: auto;
|
||||||
|
padding: 0.5em;
|
||||||
|
color: #abb2bf;
|
||||||
|
background: #282c34;
|
||||||
|
}
|
||||||
|
|
||||||
|
.hljs-comment,
|
||||||
|
.hljs-quote {
|
||||||
|
color: #5c6370;
|
||||||
|
font-style: italic;
|
||||||
|
}
|
||||||
|
|
||||||
|
.hljs-doctag,
|
||||||
|
.hljs-keyword,
|
||||||
|
.hljs-formula {
|
||||||
|
color: #c678dd;
|
||||||
|
}
|
||||||
|
|
||||||
|
.hljs-literal {
|
||||||
|
color: #56b6c2;
|
||||||
|
}
|
||||||
|
|
||||||
|
.hljs-string,
|
||||||
|
.hljs-regexp,
|
||||||
|
.hljs-addition,
|
||||||
|
.hljs-attribute,
|
||||||
|
.hljs-meta-string {
|
||||||
|
color: #98c379;
|
||||||
|
}
|
||||||
|
|
||||||
|
.hljs-built_in,
|
||||||
|
.hljs-class .hljs-title {
|
||||||
|
color: #e6c07b;
|
||||||
|
}
|
||||||
|
|
||||||
|
.hljs-attr,
|
||||||
|
.hljs-variable,
|
||||||
|
.hljs-template-variable,
|
||||||
|
.hljs-type,
|
||||||
|
.hljs-selector-class,
|
||||||
|
.hljs-selector-attr,
|
||||||
|
.hljs-selector-pseudo,
|
||||||
|
.hljs-number {
|
||||||
|
color: #d19a66;
|
||||||
|
}
|
||||||
|
|
||||||
|
.hljs-symbol,
|
||||||
|
.hljs-bullet,
|
||||||
|
.hljs-link,
|
||||||
|
.hljs-meta,
|
||||||
|
.hljs-selector-id,
|
||||||
|
.hljs-title {
|
||||||
|
color: #61aeee;
|
||||||
|
}
|
||||||
|
|
||||||
|
.hljs-emphasis {
|
||||||
|
font-style: italic;
|
||||||
|
}
|
||||||
|
|
||||||
|
.hljs-strong {
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
.hljs-link {
|
||||||
|
text-decoration: underline;
|
||||||
|
}
|
|
@ -36,6 +36,9 @@ AcceptEnv LANG LC_*
|
||||||
# override default of no subsystems
|
# override default of no subsystems
|
||||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||||
|
|
||||||
|
# Host keys the client accepts - order here is honored by OpenSSH
|
||||||
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
|
||||||
|
|
||||||
# use strong ciphers (you may have to comment those lines with some sftp clients)
|
# use strong ciphers (you may have to comment those lines with some sftp clients)
|
||||||
KexAlgorithms curve25519-sha256@libssh.org
|
KexAlgorithms curve25519-sha256@libssh.org
|
||||||
Ciphers chacha20-poly1305@openssh.com
|
Ciphers chacha20-poly1305@openssh.com
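Review bot: The comment added above `HostKeyAlgorithms` describes client-side semantics, but in sshd_config this directive lists the host key signature algorithms the server offers, and which one is negotiated follows the client's preference order rather than the order written here. I would reword it to `# Host key signature algorithms the server offers (the client's preference order decides which one is used)`. The list also keeps `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, which sign with SHA-1, which sits oddly next to the curve25519-only `KexAlgorithms` and chacha20-only `Ciphers` below; if an RSA host key must remain supported, `rsa-sha2-512` and `rsa-sha2-256` are the SHA-2 variants. The surrounding sshd_config continues outside the hunk on both sides.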
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Kernel sysctl configuration file for Linux
|
# Kernel sysctl configuration file for Linux
|
||||||
#
|
#
|
||||||
# Version 1.14 - 2018-09-13
|
# Version 1.15 - 2018-10-13
|
||||||
# Michiel Klaver - IT Professional
|
# Michiel Klaver - IT Professional
|
||||||
# Modified by VirtuBox
|
# Modified by VirtuBox
|
||||||
#
|
#
|
||||||
|
@ -28,7 +28,7 @@
|
||||||
# Usage
|
# Usage
|
||||||
# wget -O /etc/sysctl.d/10-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/10-ubuntu-nginx-web-server.conf
|
# wget -O /etc/sysctl.d/10-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/10-ubuntu-nginx-web-server.conf
|
||||||
#
|
#
|
||||||
# sysctl -p
|
# sysctl -e -p /etc/sysctl.d/10-ubuntu-nginx-web-server.conf
|
||||||
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
|
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -174,9 +174,10 @@ net.ipv6.conf.default.accept_ra_pinfo = 0
|
||||||
### TUNING NETWORK PERFORMANCE ###
|
### TUNING NETWORK PERFORMANCE ###
|
||||||
###
|
###
|
||||||
|
|
||||||
# For high-bandwidth low-latency networks, use 'htcp' congestion control
|
# enable BBR congestion control and set tcp_notsent_lowat to 16KB for HTTP/2 prioritization to work reliably
|
||||||
# Do a 'modprobe tcp_htcp' first
|
# source : https://blog.cloudflare.com/http-2-prioritization-with-nginx/
|
||||||
net.ipv4.tcp_congestion_control = htcp
|
net.ipv4.tcp_congestion_control = bbr
|
||||||
|
net.ipv4.tcp_notsent_lowat = 16384
|
||||||
|
|
||||||
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
|
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
|
||||||
net.core.default_qdisc = fq
|
net.core.default_qdisc = fq
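Review bot: The `modprobe tcp_htcp` hint was dropped together with htcp, but nothing equivalent was added for `bbr`: the value is only accepted when the `tcp_bbr` module is available and loaded (kernel 4.9 or newer), otherwise `sysctl` reports an error for that line and the host keeps the default congestion control. I would add `# requires kernel >= 4.9 with tcp_bbr loaded (modprobe tcp_bbr, or list it in /etc/modules-load.d/); check net.ipv4.tcp_available_congestion_control` above the `net.ipv4.tcp_congestion_control = bbr` line. Related, the usage comment in the `@ -28,7 +28,7 @@` hunk now recommends `sysctl -e -p`, and `-e` suppresses errors about unknown keys, so a mistyped or kernel-unsupported key in this file goes unreported; a line there suggesting to verify the applied values afterwards, e.g. `sysctl net.ipv4.tcp_congestion_control net.ipv4.tcp_notsent_lowat`, would catch that. The file continues on both sides of the hunk.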
|
||||||
|
|
|
@ -0,0 +1,531 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
|
|
||||||
|
<html lang="en">
|
||||||
|
|
||||||
|
<head>
|
||||||
|
<meta charset="utf-8">
|
||||||
|
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||||||
|
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
|
||||||
|
<meta name="apple-mobile-web-app-capable" content="yes">
|
||||||
|
<meta name="apple-mobile-web-app-status-bar-style" content="black">
|
||||||
|
<meta name="mobile-web-app-capable" content="yes">
|
||||||
|
<title>
|
||||||
|
Optimized configuration for Ubuntu server with EasyEngine
|
||||||
|
</title>
|
||||||
|
<link rel="icon" type="image/png" href="https://notes.vtbox.space/favicon.png">
|
||||||
|
<link rel="apple-touch-icon" href="https://notes.vtbox.space/apple-touch-icon.png">
|
||||||
|
|
||||||
|
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha256-916EbMg70RQy9LHiGkXzG8hSg9EdNy97GazNG/aiY1w=" crossorigin="anonymous" />
|
||||||
|
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css" integrity="sha256-eZrrJcwDc/3uDhsdt61sL2oOBY362qM3lon1gyExkL0=" crossorigin="anonymous" />
|
||||||
|
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/ionicons/2.0.1/css/ionicons.min.css" integrity="sha256-3iu9jgsy9TpTwXKb7bNQzqWekRX7pPK+2OLj3R922fo=" crossorigin="anonymous" />
|
||||||
|
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/octicons/4.4.0/octicons.min.css" integrity="sha256-4eCms8tUm+iL29tUvmRhNRnz/7lNI4oTtQzqa/uM2dI=" crossorigin="anonymous" />
|
||||||
|
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.5.1/themes/prism.min.css" integrity="sha256-vtR0hSWRc3Tb26iuN2oZHt3KRUomwTufNIf5/4oeCyg=" crossorigin="anonymous" />
|
||||||
|
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/github-gist.min.css" integrity="sha256-tAflq+ymku3Khs+I/WcAneIlafYgDiOQ9stIHH985Wo=" crossorigin="anonymous" />
|
||||||
|
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/emojify.js/1.1.0/css/basic/emojify.min.css" integrity="sha256-UOrvMOsSDSrW6szVLe8ZDZezBxh5IoIfgTwdNDgTjiU=" crossorigin="anonymous" />
|
||||||
|
<link rel="stylesheet" href="https://virtubox.github.io/ubuntu-nginx-web-server/assets/atom-one-dark.css" type="text/css" media="all" />
|
||||||
|
<script type="text/javascript" src="https://virtubox.github.io/ubuntu-nginx-web-server/assets/highlight.pack.js"></script>
|
||||||
|
<link href="https://virtubox.github.io/ubuntu-nginx-web-server/assets/style.css" type="text/css" media="all" />
|
||||||
|
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
|
||||||
|
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
|
||||||
|
<!--[if lt IE 9]>
|
||||||
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js" integrity="sha256-3Jy/GbSLrg0o9y5Z5n1uw0qxZECH7C6OQpVBgNFYa0g=" crossorigin="anonymous"></script>
|
||||||
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.min.js" integrity="sha256-g6iAfvZp+nDQ2TdTR/VVKJf3bGro4ub5fvWSWVRi2NE=" crossorigin="anonymous"></script>
|
||||||
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.9/es5-shim.min.js" integrity="sha256-8E4Is26QH0bD52WoQpcB+R/tcWQtpzlCojrybUd7Mxo=" crossorigin="anonymous"></script>
|
||||||
|
<![endif]-->
|
||||||
|
</head>
|
||||||
|
|
||||||
|
<body>
|
||||||
|
<!-- Content -->
|
||||||
|
<div id="doc" class="markdown-body container-fluid"><h1 id="Optimized-configuration-for-Ubuntu-server-with-EasyEngine"><a class="anchor hidden-xs" href="#Optimized-configuration-for-Ubuntu-server-with-EasyEngine" title="Optimized-configuration-for-Ubuntu-server-with-EasyEngine"><span class="octicon octicon-link"></span></a>Optimized configuration for Ubuntu server with EasyEngine</h1><hr><h2 id="Server-Stack"><a class="anchor hidden-xs" href="#Server-Stack" title="Server-Stack"><span class="octicon octicon-link"></span></a>Server Stack</h2><ul>
|
||||||
|
<li>Ubuntu 16.04/18.04 LTS</li>
|
||||||
|
<li>Nginx 1.15.x / 1.14.x</li>
|
||||||
|
<li>PHP-FPM 7/7.1/7.2</li>
|
||||||
|
<li>MariaDB 10.3</li>
|
||||||
|
<li>REDIS 4.0</li>
|
||||||
|
<li>Memcached</li>
|
||||||
|
<li>Fail2ban</li>
|
||||||
|
<li>Netdata</li>
|
||||||
|
<li>UFW</li>
|
||||||
|
</ul><hr><p>Configuration files with comments available by following the link <strong>source</strong></p><h2 id="Initial-configuration"><a class="anchor hidden-xs" href="#Initial-configuration" title="Initial-configuration"><span class="octicon octicon-link"></span></a>Initial configuration</h2><h3 id="System-update-and-packages-cleanup"><a class="anchor hidden-xs" href="#System-update-and-packages-cleanup" title="System-update-and-packages-cleanup"><span class="octicon octicon-link"></span></a>System update and packages cleanup</h3><pre><code class="bash hljs">apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
|
||||||
|
</code></pre><h3 id="Install-useful-packages"><a class="anchor hidden-xs" href="#Install-useful-packages" title="Install-useful-packages"><span class="octicon octicon-link"></span></a>Install useful packages</h3><pre><code class="bash hljs">sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y
|
||||||
|
</code></pre><h3 id="Clone-the-repository"><a class="anchor hidden-xs" href="#Clone-the-repository" title="Clone-the-repository"><span class="octicon octicon-link"></span></a>Clone the repository</h3><pre><code class="bash hljs">git <span class="hljs-built_in">clone</span> https://github.com/VirtuBox/ubuntu-nginx-web-server.git <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server
|
||||||
|
</code></pre><h3 id="Tweak-Kernel-amp-Increase-open-files-limits"><a class="anchor hidden-xs" href="#Tweak-Kernel-amp-Increase-open-files-limits" title="Tweak-Kernel-amp-Increase-open-files-limits"><span class="octicon octicon-link"></span></a>Tweak Kernel & Increase open files limits</h3><p><a href="https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf" target="_blank">source sysctl.conf</a> - <a href="https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf" target="_blank">limits.conf source</a></p><pre><code class="bash hljs">cp <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/sysctl.d/60-ubuntu-nginx-web-server.conf /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
|
||||||
|
sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
|
||||||
|
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/security/limits.conf /etc/security/limits.conf
|
||||||
|
</code></pre><h3 id="disable-transparent-hugepage-for-redis"><a class="anchor hidden-xs" href="#disable-transparent-hugepage-for-redis" title="disable-transparent-hugepage-for-redis"><span class="octicon octicon-link"></span></a>disable transparent hugepage for redis</h3><pre><code class="bash hljs"><span class="hljs-built_in">echo</span> never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||||
|
</code></pre><hr><h2 id="EasyEngine-Setup"><a class="anchor hidden-xs" href="#EasyEngine-Setup" title="EasyEngine-Setup"><span class="octicon octicon-link"></span></a>EasyEngine Setup</h2><h3 id="Install-MariaDB-103"><a class="anchor hidden-xs" href="#Install-MariaDB-103" title="Install-MariaDB-103"><span class="octicon octicon-link"></span></a>Install MariaDB 10.3</h3><p>Instructions available in <a href="https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/" target="_blank">VirtuBox Knowledgebase</a></p><pre><code class="bash hljs">bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --mariadb-server-version=10.3 --skip-maxscale -y
|
||||||
|
sudo apt update && sudo apt install mariadb-server -y
|
||||||
|
</code></pre><h3 id="MySQL-Tuning"><a class="anchor hidden-xs" href="#MySQL-Tuning" title="MySQL-Tuning"><span class="octicon octicon-link"></span></a>MySQL Tuning</h3><p>You can download my example of my.cnf, optimized for VPS with 4GB RAM. <a href="https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf" target="_blank">my.cnf source</a></p><pre><code class="bash hljs">cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/mysql/my.cnf /etc/mysql/my.cnf
|
||||||
|
</code></pre><p>It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :</p><pre><code class="bash hljs">sudo service mysql stop
|
||||||
|
|
||||||
|
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
|
||||||
|
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
|
||||||
|
|
||||||
|
sudo service mysql start
|
||||||
|
</code></pre><h3 id="Increase-MariaDB-open-files-limits"><a class="anchor hidden-xs" href="#Increase-MariaDB-open-files-limits" title="Increase-MariaDB-open-files-limits"><span class="octicon octicon-link"></span></a>Increase MariaDB open files limits</h3><pre><code class="bash hljs">cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/systemd/system/mariadb.service.d/limits.conf /etc/systemd/system/mariadb.service.d/limits.conf
|
||||||
|
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart mariadb
|
||||||
|
</code></pre><h2 id="Install-EasyEngine"><a class="anchor hidden-xs" href="#Install-EasyEngine" title="Install-EasyEngine"><span class="octicon octicon-link"></span></a>Install EasyEngine</h2><pre><code class="bash hljs"><span class="hljs-comment"># noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email</span>
|
||||||
|
sudo bash -c <span class="hljs-string">'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'</span>
|
||||||
|
|
||||||
|
wget -qO ee rt.cx/ee && bash ee
|
||||||
|
</code></pre><h3 id="enable-ee-bash_completion"><a class="anchor hidden-xs" href="#enable-ee-bash_completion" title="enable-ee-bash_completion"><span class="octicon octicon-link"></span></a>enable ee bash_completion</h3><pre><code class="bash hljs"><span class="hljs-built_in">source</span> /etc/bash_completion.d/ee_auto.rc
|
||||||
|
</code></pre><h3 id="Install-Nginx-php56-php70-postfix-redis-and-configure-EE-backend"><a class="anchor hidden-xs" href="#Install-Nginx-php56-php70-postfix-redis-and-configure-EE-backend" title="Install-Nginx-php56-php70-postfix-redis-and-configure-EE-backend"><span class="octicon octicon-link"></span></a>Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend</h3><pre><code class="bash hljs">ee stack install
|
||||||
|
ee stack install --php7 --redis --admin --phpredisadmin
|
||||||
|
</code></pre><h3 id="Set-your-email-instead-of-rootlocalhost"><a class="anchor hidden-xs" href="#Set-your-email-instead-of-rootlocalhost" title="Set-your-email-instead-of-rootlocalhost"><span class="octicon octicon-link"></span></a>Set your email instead of root@localhost</h3><pre><code class="bash hljs"><span class="hljs-built_in">echo</span> <span class="hljs-string">'root: my.email@address.com'</span> >> /etc/aliases
|
||||||
|
newaliases
|
||||||
|
</code></pre><h3 id="Install-Composer---Fix-phpmyadmin-install-issue"><a class="anchor hidden-xs" href="#Install-Composer---Fix-phpmyadmin-install-issue" title="Install-Composer---Fix-phpmyadmin-install-issue"><span class="octicon octicon-link"></span></a>Install Composer - Fix phpmyadmin install issue</h3><pre><code class="bash hljs"><span class="hljs-built_in">cd</span> ~/ ||<span class="hljs-built_in">exit</span>
|
||||||
|
curl -sS https://getcomposer.org/installer | php
|
||||||
|
mv composer.phar /usr/bin/composer
|
||||||
|
|
||||||
|
chown www-data:www-data /var/www
|
||||||
|
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
|
||||||
|
</code></pre><h3 id="Allow-shell-for-www-data-for-SFTP-usage"><a class="anchor hidden-xs" href="#Allow-shell-for-www-data-for-SFTP-usage" title="Allow-shell-for-www-data-for-SFTP-usage"><span class="octicon octicon-link"></span></a>Allow shell for www-data for SFTP usage</h3><pre><code class="bash hljs">usermod -s /bin/bash www-data
|
||||||
|
</code></pre><h2 id="PHP-71-amp-72-Setup"><a class="anchor hidden-xs" href="#PHP-71-amp-72-Setup" title="PHP-71-amp-72-Setup"><span class="octicon octicon-link"></span></a>PHP 7.1 & 7.2 Setup</h2><h3 id="Install-php71-fpm"><a class="anchor hidden-xs" href="#Install-php71-fpm" title="Install-php71-fpm"><span class="octicon octicon-link"></span></a>Install php7.1-fpm</h3><pre><code class="bash hljs"><span class="hljs-comment"># php7.1-fpm</span>
|
||||||
|
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
|
||||||
|
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
|
||||||
|
|
||||||
|
<span class="hljs-comment"># copy php-fpm pools & php.ini configuration</span>
|
||||||
|
cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/php/7.1/fpm/* /etc/php/7.1/fpm/
|
||||||
|
service php7.1-fpm restart
|
||||||
|
|
||||||
|
git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m <span class="hljs-string">"add php7.1 configuration"</span>
|
||||||
|
|
||||||
|
</code></pre><h3 id="Install-php72-fpm"><a class="anchor hidden-xs" href="#Install-php72-fpm" title="Install-php72-fpm"><span class="octicon octicon-link"></span></a>Install php7.2-fpm</h3><pre><code class="bash hljs"><span class="hljs-comment"># php7.2-fpm</span>
|
||||||
|
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring php7.2-bcmath -y
|
||||||
|
|
||||||
|
<span class="hljs-comment"># copy php-fpm pools & php.ini configuration</span>
|
||||||
|
cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/php/7.2/fpm/* /etc/php/7.2/fpm/
|
||||||
|
service php7.2-fpm restart
|
||||||
|
|
||||||
|
git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m <span class="hljs-string">"add php7.2 configuration"</span>
|
||||||
|
|
||||||
|
</code></pre><h2 id="NGINX-Configuration"><a class="anchor hidden-xs" href="#NGINX-Configuration" title="NGINX-Configuration"><span class="octicon octicon-link"></span></a>NGINX Configuration</h2><h3 id="Additional-Nginx-configuration-etcnginxconfd"><a class="anchor hidden-xs" href="#Additional-Nginx-configuration-etcnginxconfd" title="Additional-Nginx-configuration-etcnginxconfd"><span class="octicon octicon-link"></span></a>Additional Nginx configuration (/etc/nginx/conf.d)</h3><ul>
|
||||||
|
<li>New upstreams (php7.1, php7.2, netdata) : upstream.conf</li>
|
||||||
|
<li>webp image mapping : webp.conf</li>
|
||||||
|
<li>new fastcgi_cache_bypass mapping for wordpress : map-wp-fastcgi-cache.conf</li>
|
||||||
|
<li>stub_status configuration on 127.0.0.1:80 : stub_status.conf</li>
|
||||||
|
<li>restore visitor real IP under Cloudflare : cloudflare.conf</li>
|
||||||
|
<li>mitigate WordPress DoS attack</li>
|
||||||
|
</ul><pre><code class="bash hljs"><span class="hljs-comment"># copy all common nginx configurations</span>
|
||||||
|
cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
|
||||||
|
|
||||||
|
<span class="hljs-comment"># commit change with git</span>
|
||||||
|
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m <span class="hljs-string">"update conf.d configurations"</span>
|
||||||
|
</code></pre><h3 id="EE-common-configuration"><a class="anchor hidden-xs" href="#EE-common-configuration" title="EE-common-configuration"><span class="octicon octicon-link"></span></a>EE common configuration</h3><pre><code class="bash hljs">cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/common/* /etc/nginx/common/
|
||||||
|
|
||||||
|
<span class="hljs-comment"># commit change with git</span>
|
||||||
|
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m <span class="hljs-string">"update common configurations"</span>
|
||||||
|
</code></pre><h3 id="Compile-last-Nginx-mainline-release-with-nginx-ee-script"><a class="anchor hidden-xs" href="#Compile-last-Nginx-mainline-release-with-nginx-ee-script" title="Compile-last-Nginx-mainline-release-with-nginx-ee-script"><span class="octicon octicon-link"></span></a>Compile last Nginx mainline release with <a href="https://github.com/VirtuBox/nginx-ee" target="_blank">nginx-ee script</a></h3><pre><code class="bash hljs">bash <(wget-qO - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||||
|
</code></pre><hr><h2 id="Custom-configurations"><a class="anchor hidden-xs" href="#Custom-configurations" title="Custom-configurations"><span class="octicon octicon-link"></span></a>Custom configurations</h2><h3 id="clean-php-fpm-phpini-configuration"><a class="anchor hidden-xs" href="#clean-php-fpm-phpini-configuration" title="clean-php-fpm-phpini-configuration"><span class="octicon octicon-link"></span></a>clean php-fpm php.ini configuration</h3><pre><code class="bash hljs"><span class="hljs-comment"># PHP 7.0</span>
|
||||||
|
cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/php/7.0/* /etc/php/7.0/
|
||||||
|
service php7.0-fpm restart
|
||||||
|
|
||||||
|
git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m <span class="hljs-string">"add php7.2 configuration"</span>
|
||||||
|
</code></pre><h3 id="Nginx-optimized-configurations"><a class="anchor hidden-xs" href="#Nginx-optimized-configurations" title="Nginx-optimized-configurations"><span class="octicon octicon-link"></span></a>Nginx optimized configurations</h3><pre><code class="bash hljs"><span class="hljs-comment"># TLSv1.2 TLSv1.3 only</span>
|
||||||
|
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||||
|
|
||||||
|
<span class="hljs-comment"># TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3</span>
|
||||||
|
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf
|
||||||
|
|
||||||
|
<span class="hljs-comment"># TLSv1.2 only</span>
|
||||||
|
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf
|
||||||
|
|
||||||
|
<span class="hljs-comment"># commit change with git</span>
|
||||||
|
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m <span class="hljs-string">"update nginx.conf configurations"</span>
|
||||||
|
</code></pre><h3 id="Nginx-configuration-for-netdata"><a class="anchor hidden-xs" href="#Nginx-configuration-for-netdata" title="Nginx-configuration-for-netdata"><span class="octicon octicon-link"></span></a>Nginx configuration for netdata</h3><pre><code class="bash hljs"><span class="hljs-comment"># add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/</span>
|
||||||
|
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
|
||||||
|
|
||||||
|
<span class="hljs-comment"># commit change with git</span>
|
||||||
|
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m <span class="hljs-string">"update 22222 configuration"</span>
|
||||||
|
</code></pre><h4 id="Increase-Nginx-open-files-limits"><a class="anchor hidden-xs" href="#Increase-Nginx-open-files-limits" title="Increase-Nginx-open-files-limits"><span class="octicon octicon-link"></span></a>Increase Nginx open files limits</h4><pre><code class="bash hljs">sudo mkdir -p /etc/systemd/system/nginx.service.d
|
||||||
|
cp -f <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/systemd/system/nginx.service.d/limits.conf /etc/systemd/system/nginx.service.d/limits.conf
|
||||||
|
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart nginx.service
|
||||||
|
</code></pre><hr><h2 id="Security"><a class="anchor hidden-xs" href="#Security" title="Security"><span class="octicon octicon-link"></span></a>Security</h2><h3 id="Harden-SSH-Security"><a class="anchor hidden-xs" href="#Harden-SSH-Security" title="Harden-SSH-Security"><span class="octicon octicon-link"></span></a>Harden SSH Security</h3><p>WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only <a href="https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config" target="_blank">source</a></p><pre><code>cp -f $HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config /etc/ssh/sshd_config
|
||||||
|
</code></pre><h3 id="UFW"><a class="anchor hidden-xs" href="#UFW" title="UFW"><span class="octicon octicon-link"></span></a>UFW</h3><p>Instructions available in <a href="https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/" target="_blank">VirtuBox Knowledgebase</a></p><pre><code class="bash hljs"><span class="hljs-comment"># enable ufw log - allow outgoing - deny incoming</span>
|
||||||
|
ufw logging low
|
||||||
|
ufw default allow outgoing
|
||||||
|
ufw default deny incoming
|
||||||
|
|
||||||
|
<span class="hljs-comment"># allow incoming traffic on SSH port</span>
|
||||||
|
CURRENT_SSH_PORT=$(grep <span class="hljs-string">"Port"</span> /etc/ssh/sshd_config | awk -F <span class="hljs-string">" "</span> <span class="hljs-string">'{print $2}'</span>)
|
||||||
|
ufw allow <span class="hljs-variable">$CURRENT_SSH_PORT</span>
|
||||||
|
|
||||||
|
<span class="hljs-comment"># DNS - HTTP/S - FTP - NTP - RSYNC - DHCP - SNMP - Librenms - Netdata - EE Backend</span>
|
||||||
|
ufw allow 53
|
||||||
|
ufw allow http
|
||||||
|
ufw allow https
|
||||||
|
ufw allow 21
|
||||||
|
ufw allow 123
|
||||||
|
ufw allow 161
|
||||||
|
ufw allow 68
|
||||||
|
ufw allow 546
|
||||||
|
ufw allow 873
|
||||||
|
ufw allow 6556
|
||||||
|
ufw allow 19999
|
||||||
|
ufw allow 22222
|
||||||
|
|
||||||
|
|
||||||
|
<span class="hljs-comment"># enable UFW</span>
|
||||||
|
ufw <span class="hljs-built_in">enable</span>
|
||||||
|
</code></pre><h3 id="Custom-jails-for-fail2ban"><a class="anchor hidden-xs" href="#Custom-jails-for-fail2ban" title="Custom-jails-for-fail2ban"><span class="octicon octicon-link"></span></a>Custom jails for fail2ban</h3><ul>
|
||||||
|
<li>wordpress bruteforce</li>
|
||||||
|
<li>ssh</li>
|
||||||
|
<li>recidive (after 3 bans)</li>
|
||||||
|
<li>backend http auth</li>
|
||||||
|
<li>nginx bad bots</li>
|
||||||
|
</ul><pre><code class="bash hljs">cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
|
||||||
|
cp -rf <span class="hljs-variable">$HOME</span>/ubuntu-nginx-web-server/etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/
|
||||||
|
|
||||||
|
fail2ban-client reload
|
||||||
|
</code></pre><h3 id="Secure-Memcached-server"><a class="anchor hidden-xs" href="#Secure-Memcached-server" title="Secure-Memcached-server"><span class="octicon octicon-link"></span></a>Secure Memcached server</h3><pre><code class="bash hljs"><span class="hljs-built_in">echo</span> <span class="hljs-string">'-U 0'</span> >> /etc/memcached.conf
|
||||||
|
sudo systemctl restart memcached
|
||||||
|
</code></pre><p>If you do not use memcached, you can safely stop and disable it :</p><pre><code class="bash hljs">sudo systemctl stop memcached
|
||||||
|
sudo systemctl <span class="hljs-built_in">disable</span> memcached.service
|
||||||
|
</code></pre><h2 id="Optional"><a class="anchor hidden-xs" href="#Optional" title="Optional"><span class="octicon octicon-link"></span></a>Optional</h2><h3 id="ee-acme-sh"><a class="anchor hidden-xs" href="#ee-acme-sh" title="ee-acme-sh"><span class="octicon octicon-link"></span></a>ee-acme-sh</h3><p><a href="https://virtubox.github.io/ee-acme-sh/" target="_blank">Github repository</a> - Script to setup letsencrypt certificates using <a href="http://acme.sh" target="_blank">acme.sh</a> on EasyEngine servers</p><ul>
|
||||||
|
<li>subdomain support</li>
|
||||||
|
<li>ivp6 support</li>
|
||||||
|
<li>wildcards certificates support</li>
|
||||||
|
</ul><pre><code class="bash hljs">wget-qO install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
|
||||||
|
chmod +x install-ee-acme.sh
|
||||||
|
./install-ee-acme.sh
|
||||||
|
|
||||||
|
<span class="hljs-comment"># enable acme.sh & ee-acme-sh</span>
|
||||||
|
<span class="hljs-built_in">source</span> .bashrc
|
||||||
|
</code></pre><h3 id="netdata"><a class="anchor hidden-xs" href="#netdata" title="netdata"><span class="octicon octicon-link"></span></a>netdata</h3><p><a href="https://github.com/firehol/netdata" target="_blank">Github repository</a></p><pre><code class="bash hljs">
|
||||||
|
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||||
|
|
||||||
|
<span class="hljs-comment"># save 40-60% of netdata memory</span>
|
||||||
|
<span class="hljs-built_in">echo</span> 1 >/sys/kernel/mm/ksm/run
|
||||||
|
<span class="hljs-built_in">echo</span> 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||||
|
|
||||||
|
<span class="hljs-comment"># disable email notifications</span>
|
||||||
|
sudo sed -i <span class="hljs-string">'s/SEND_EMAIL="YES"/SEND_EMAIL="NO"/'</span> /usr/lib/netdata/conf.d/health_alarm_notify.conf
|
||||||
|
service netdata restart
|
||||||
|
</code></pre><h3 id="chtsh-cheat"><a class="anchor hidden-xs" href="#chtsh-cheat" title="chtsh-cheat"><span class="octicon octicon-link"></span></a><a href="http://cht.sh" target="_blank">cht.sh</a> (cheat)</h3><p><a href="https://github.com/chubin/cheat.sh" target="_blank">Github repository</a></p><pre><code class="bash hljs">curl https://cht.sh/:cht.sh > /usr/bin/cht.sh
|
||||||
|
chmod +x /usr/bin/cht.sh
|
||||||
|
|
||||||
|
|
||||||
|
<span class="hljs-built_in">echo</span> <span class="hljs-string">"alias cheat='cht.sh'"</span> >> <span class="hljs-variable">$HOME</span>/.bashrc
|
||||||
|
<span class="hljs-built_in">source</span> <span class="hljs-variable">$HOME</span>/.bashrc
|
||||||
|
</code></pre><p>usage : <code>cheat <command></code></p><pre><code class="bash hljs">root@vps:~ cheat cat
|
||||||
|
<span class="hljs-comment"># cat</span>
|
||||||
|
|
||||||
|
<span class="hljs-comment"># Print and concatenate files.</span>
|
||||||
|
|
||||||
|
<span class="hljs-comment"># Print the contents of a file to the standard output:</span>
|
||||||
|
cat file
|
||||||
|
|
||||||
|
<span class="hljs-comment"># Concatenate several files into the target file:</span>
|
||||||
|
cat file1 file2 > target_file
|
||||||
|
|
||||||
|
<span class="hljs-comment"># Append several files into the target file:</span>
|
||||||
|
cat file1 file2 >> target_file
|
||||||
|
|
||||||
|
<span class="hljs-comment"># Number all output lines:</span>
|
||||||
|
cat -n file
|
||||||
|
</code></pre><h3 id="nanorc---Improved-Nano-Syntax-Highlighting-Files"><a class="anchor hidden-xs" href="#nanorc---Improved-Nano-Syntax-Highlighting-Files" title="nanorc---Improved-Nano-Syntax-Highlighting-Files"><span class="octicon octicon-link"></span></a>nanorc - Improved Nano Syntax Highlighting Files</h3><p><a href="https://github.com/scopatz/nanorc" target="_blank">Github repository</a></p><pre><code class="bash hljs">wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
||||||
|
</code></pre><h3 id="Add-WP-CLI-amp-bash-completion-for-user-www-data"><a class="anchor hidden-xs" href="#Add-WP-CLI-amp-bash-completion-for-user-www-data" title="Add-WP-CLI-amp-bash-completion-for-user-www-data"><span class="octicon octicon-link"></span></a>Add WP-CLI & bash-completion for user www-data</h3><pre><code class="bashrc hljs"><span class="hljs-comment"># download wp-cli bash_completion</span>
|
||||||
|
cp -f $HOME/ubuntu-nginx-web-server/etc/bash_completion.d/wp-completion.bash https:<span class="hljs-comment">//raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash</span>
|
||||||
|
|
||||||
|
<span class="hljs-comment"># change /var/www owner</span>
|
||||||
|
chown www-data:www-data /<span class="hljs-keyword">var</span>/www
|
||||||
|
|
||||||
|
<span class="hljs-comment"># download .profile & .bashrc for www-data</span>
|
||||||
|
cp -f $HOME/ubuntu-nginx-web-server/<span class="hljs-keyword">var</span>/www/.profile /<span class="hljs-keyword">var</span>/www/.profile
|
||||||
|
cp -f $HOME/ubuntu-nginx-web-server/<span class="hljs-keyword">var</span>/www/.bashrc /<span class="hljs-keyword">var</span>/www/.bashrc
|
||||||
|
|
||||||
|
<span class="hljs-comment"># set owner</span>
|
||||||
|
chown www-data:www-data /<span class="hljs-keyword">var</span>/www/.profile
|
||||||
|
chown www-data:www-data /<span class="hljs-keyword">var</span>/www/.bashrc
|
||||||
|
</code></pre><h3 id="Custom-Nginx-error-pages"><a class="anchor hidden-xs" href="#Custom-Nginx-error-pages" title="Custom-Nginx-error-pages"><span class="octicon octicon-link"></span></a>Custom Nginx error pages</h3><p><a href="https://github.com/alexphelps/server-error-pages" target="_blank">Github Repository</a></p><p>Installation</p><pre><code class="bash hljs"><span class="hljs-comment"># clone the github repository</span>
|
||||||
|
sudo -u www-data -H git <span class="hljs-built_in">clone</span> https://github.com/alexphelps/server-error-pages.git /var/www/error
|
||||||
|
</code></pre><p>Then include this configuration in your nginx vhost by adding the following line</p><pre><code class="bash hljs">include common/error_pages.conf;
|
||||||
|
</code></pre><p>Published & maintained by <a href="https://virtubox.net" target="_blank">VirtuBox</a></p></div>
|
||||||
|
<div class="ui-toc dropup unselectable hidden-print" style="display:none;">
|
||||||
|
<div class="pull-right dropdown">
|
||||||
|
<a id="tocLabel" class="ui-toc-label btn btn-default" data-toggle="dropdown" href="#" role="button" aria-haspopup="true" aria-expanded="false" title="Table of content">
|
||||||
|
<i class="fa fa-bars"></i>
|
||||||
|
</a>
|
||||||
|
<ul id="ui-toc" class="ui-toc-dropdown dropdown-menu" aria-labelledby="tocLabel">
|
||||||
|
<div class="toc"><ul class="nav">
|
||||||
|
<li class=""><a href="#Optimized-configuration-for-Ubuntu-server-with-EasyEngine" title="Optimized configuration for Ubuntu server with EasyEngine">Optimized configuration for Ubuntu server with EasyEngine</a><ul class="nav">
|
||||||
|
<li><a href="#Server-Stack" title="Server Stack">Server Stack</a></li>
|
||||||
|
<li><a href="#Initial-configuration" title="Initial configuration">Initial configuration</a><ul class="nav">
|
||||||
|
<li><a href="#System-update-and-packages-cleanup" title="System update and packages cleanup">System update and packages cleanup</a></li>
|
||||||
|
<li><a href="#Install-useful-packages" title="Install useful packages">Install useful packages</a></li>
|
||||||
|
<li><a href="#Clone-the-repository" title="Clone the repository">Clone the repository</a></li>
|
||||||
|
<li><a href="#Tweak-Kernel-amp-Increase-open-files-limits" title="Tweak Kernel & Increase open files limits">Tweak Kernel & Increase open files limits</a></li>
|
||||||
|
<li><a href="#disable-transparent-hugepage-for-redis" title="disable transparent hugepage for redis">disable transparent hugepage for redis</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#EasyEngine-Setup" title="EasyEngine Setup">EasyEngine Setup</a><ul class="nav">
|
||||||
|
<li><a href="#Install-MariaDB-103" title="Install MariaDB 10.3">Install MariaDB 10.3</a></li>
|
||||||
|
<li><a href="#MySQL-Tuning" title="MySQL Tuning">MySQL Tuning</a></li>
|
||||||
|
<li><a href="#Increase-MariaDB-open-files-limits" title="Increase MariaDB open files limits">Increase MariaDB open files limits</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#Install-EasyEngine" title="Install EasyEngine">Install EasyEngine</a><ul class="nav">
|
||||||
|
<li><a href="#enable-ee-bash_completion" title="enable ee bash_completion">enable ee bash_completion</a></li>
|
||||||
|
<li><a href="#Install-Nginx-php56-php70-postfix-redis-and-configure-EE-backend" title="Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend">Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend</a></li>
|
||||||
|
<li><a href="#Set-your-email-instead-of-rootlocalhost" title="Set your email instead of root@localhost">Set your email instead of root@localhost</a></li>
|
||||||
|
<li><a href="#Install-Composer---Fix-phpmyadmin-install-issue" title="Install Composer - Fix phpmyadmin install issue">Install Composer - Fix phpmyadmin install issue</a></li>
|
||||||
|
<li><a href="#Allow-shell-for-www-data-for-SFTP-usage" title="Allow shell for www-data for SFTP usage">Allow shell for www-data for SFTP usage</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#PHP-71-amp-72-Setup" title="PHP 7.1 & 7.2 Setup">PHP 7.1 & 7.2 Setup</a><ul class="nav">
|
||||||
|
<li><a href="#Install-php71-fpm" title="Install php7.1-fpm">Install php7.1-fpm</a></li>
|
||||||
|
<li><a href="#Install-php72-fpm" title="Install php7.2-fpm">Install php7.2-fpm</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#NGINX-Configuration" title="NGINX Configuration">NGINX Configuration</a><ul class="nav">
|
||||||
|
<li><a href="#Additional-Nginx-configuration-etcnginxconfd" title="Additional Nginx configuration (/etc/nginx/conf.d)">Additional Nginx configuration (/etc/nginx/conf.d)</a></li>
|
||||||
|
<li><a href="#EE-common-configuration" title="EE common configuration">EE common configuration</a></li>
|
||||||
|
<li><a href="#Compile-last-Nginx-mainline-release-with-nginx-ee-script" title="Compile last Nginx mainline release with nginx-ee script">Compile last Nginx mainline release with nginx-ee script</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#Custom-configurations" title="Custom configurations">Custom configurations</a><ul class="nav">
|
||||||
|
<li><a href="#clean-php-fpm-phpini-configuration" title="clean php-fpm php.ini configuration">clean php-fpm php.ini configuration</a></li>
|
||||||
|
<li><a href="#Nginx-optimized-configurations" title="Nginx optimized configurations">Nginx optimized configurations</a></li>
|
||||||
|
<li><a href="#Nginx-configuration-for-netdata" title="Nginx configuration for netdata">Nginx configuration for netdata</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#Security" title="Security">Security</a><ul class="nav">
|
||||||
|
<li><a href="#Harden-SSH-Security" title="Harden SSH Security">Harden SSH Security</a></li>
|
||||||
|
<li><a href="#UFW" title="UFW">UFW</a></li>
|
||||||
|
<li><a href="#Custom-jails-for-fail2ban" title="Custom jails for fail2ban">Custom jails for fail2ban</a></li>
|
||||||
|
<li><a href="#Secure-Memcached-server" title="Secure Memcached server">Secure Memcached server</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#Optional" title="Optional">Optional</a><ul class="nav">
|
||||||
|
<li><a href="#ee-acme-sh" title="ee-acme-sh">ee-acme-sh</a></li>
|
||||||
|
<li><a href="#netdata" title="netdata">netdata</a></li>
|
||||||
|
<li><a href="#chtsh-cheat" title="cht.sh (cheat)">cht.sh (cheat)</a></li>
|
||||||
|
<li><a href="#nanorc---Improved-Nano-Syntax-Highlighting-Files" title="nanorc - Improved Nano Syntax Highlighting Files">nanorc - Improved Nano Syntax Highlighting Files</a></li>
|
||||||
|
<li><a href="#Add-WP-CLI-amp-bash-completion-for-user-www-data" title="Add WP-CLI & bash-completion for user www-data">Add WP-CLI & bash-completion for user www-data</a></li>
|
||||||
|
<li><a href="#Custom-Nginx-error-pages" title="Custom Nginx error pages">Custom Nginx error pages</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
</div><div class="toc-menu"><a class="expand-toggle" href="#">Expand all</a><a class="back-to-top" href="#">Back to top</a><a class="go-to-bottom" href="#">Go to bottom</a></div>
|
||||||
|
</ul>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div id="ui-toc-affix" class="ui-affix-toc ui-toc-dropdown unselectable hidden-print" data-spy="affix" style="top:17px;display:none;" >
|
||||||
|
<div class="toc"><ul class="nav">
|
||||||
|
<li class=""><a href="#Optimized-configuration-for-Ubuntu-server-with-EasyEngine" title="Optimized configuration for Ubuntu server with EasyEngine">Optimized configuration for Ubuntu server with EasyEngine</a><ul class="nav">
|
||||||
|
<li><a href="#Server-Stack" title="Server Stack">Server Stack</a></li>
|
||||||
|
<li><a href="#Initial-configuration" title="Initial configuration">Initial configuration</a><ul class="nav">
|
||||||
|
<li><a href="#System-update-and-packages-cleanup" title="System update and packages cleanup">System update and packages cleanup</a></li>
|
||||||
|
<li><a href="#Install-useful-packages" title="Install useful packages">Install useful packages</a></li>
|
||||||
|
<li><a href="#Clone-the-repository" title="Clone the repository">Clone the repository</a></li>
|
||||||
|
<li><a href="#Tweak-Kernel-amp-Increase-open-files-limits" title="Tweak Kernel & Increase open files limits">Tweak Kernel & Increase open files limits</a></li>
|
||||||
|
<li><a href="#disable-transparent-hugepage-for-redis" title="disable transparent hugepage for redis">disable transparent hugepage for redis</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#EasyEngine-Setup" title="EasyEngine Setup">EasyEngine Setup</a><ul class="nav">
|
||||||
|
<li><a href="#Install-MariaDB-103" title="Install MariaDB 10.3">Install MariaDB 10.3</a></li>
|
||||||
|
<li><a href="#MySQL-Tuning" title="MySQL Tuning">MySQL Tuning</a></li>
|
||||||
|
<li><a href="#Increase-MariaDB-open-files-limits" title="Increase MariaDB open files limits">Increase MariaDB open files limits</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#Install-EasyEngine" title="Install EasyEngine">Install EasyEngine</a><ul class="nav">
|
||||||
|
<li><a href="#enable-ee-bash_completion" title="enable ee bash_completion">enable ee bash_completion</a></li>
|
||||||
|
<li><a href="#Install-Nginx-php56-php70-postfix-redis-and-configure-EE-backend" title="Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend">Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend</a></li>
|
||||||
|
<li><a href="#Set-your-email-instead-of-rootlocalhost" title="Set your email instead of root@localhost">Set your email instead of root@localhost</a></li>
|
||||||
|
<li><a href="#Install-Composer---Fix-phpmyadmin-install-issue" title="Install Composer - Fix phpmyadmin install issue">Install Composer - Fix phpmyadmin install issue</a></li>
|
||||||
|
<li><a href="#Allow-shell-for-www-data-for-SFTP-usage" title="Allow shell for www-data for SFTP usage">Allow shell for www-data for SFTP usage</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#PHP-71-amp-72-Setup" title="PHP 7.1 & 7.2 Setup">PHP 7.1 & 7.2 Setup</a><ul class="nav">
|
||||||
|
<li><a href="#Install-php71-fpm" title="Install php7.1-fpm">Install php7.1-fpm</a></li>
|
||||||
|
<li><a href="#Install-php72-fpm" title="Install php7.2-fpm">Install php7.2-fpm</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#NGINX-Configuration" title="NGINX Configuration">NGINX Configuration</a><ul class="nav">
|
||||||
|
<li><a href="#Additional-Nginx-configuration-etcnginxconfd" title="Additional Nginx configuration (/etc/nginx/conf.d)">Additional Nginx configuration (/etc/nginx/conf.d)</a></li>
|
||||||
|
<li><a href="#EE-common-configuration" title="EE common configuration">EE common configuration</a></li>
|
||||||
|
<li><a href="#Compile-last-Nginx-mainline-release-with-nginx-ee-script" title="Compile last Nginx mainline release with nginx-ee script">Compile last Nginx mainline release with nginx-ee script</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#Custom-configurations" title="Custom configurations">Custom configurations</a><ul class="nav">
|
||||||
|
<li><a href="#clean-php-fpm-phpini-configuration" title="clean php-fpm php.ini configuration">clean php-fpm php.ini configuration</a></li>
|
||||||
|
<li><a href="#Nginx-optimized-configurations" title="Nginx optimized configurations">Nginx optimized configurations</a></li>
|
||||||
|
<li><a href="#Nginx-configuration-for-netdata" title="Nginx configuration for netdata">Nginx configuration for netdata</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#Security" title="Security">Security</a><ul class="nav">
|
||||||
|
<li><a href="#Harden-SSH-Security" title="Harden SSH Security">Harden SSH Security</a></li>
|
||||||
|
<li><a href="#UFW" title="UFW">UFW</a></li>
|
||||||
|
<li><a href="#Custom-jails-for-fail2ban" title="Custom jails for fail2ban">Custom jails for fail2ban</a></li>
|
||||||
|
<li><a href="#Secure-Memcached-server" title="Secure Memcached server">Secure Memcached server</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="#Optional" title="Optional">Optional</a><ul class="nav">
|
||||||
|
<li><a href="#ee-acme-sh" title="ee-acme-sh">ee-acme-sh</a></li>
|
||||||
|
<li><a href="#netdata" title="netdata">netdata</a></li>
|
||||||
|
<li><a href="#chtsh-cheat" title="cht.sh (cheat)">cht.sh (cheat)</a></li>
|
||||||
|
<li><a href="#nanorc---Improved-Nano-Syntax-Highlighting-Files" title="nanorc - Improved Nano Syntax Highlighting Files">nanorc - Improved Nano Syntax Highlighting Files</a></li>
|
||||||
|
<li><a href="#Add-WP-CLI-amp-bash-completion-for-user-www-data" title="Add WP-CLI & bash-completion for user www-data">Add WP-CLI & bash-completion for user www-data</a></li>
|
||||||
|
<li><a href="#Custom-Nginx-error-pages" title="Custom Nginx error pages">Custom Nginx error pages</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
</div><div class="toc-menu"><a class="expand-toggle" href="#">Expand all</a><a class="back-to-top" href="#">Back to top</a><a class="go-to-bottom" href="#">Go to bottom</a></div>
|
||||||
|
</div>
|
||||||
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
|
||||||
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha256-U5ZEeKfGNOja007MMD3YBI0A3OSZOQbeG6z2f2Y0hu8=" crossorigin="anonymous" defer></script>
|
||||||
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/gist-embed/2.6.0/gist-embed.min.js" integrity="sha256-KyF2D6xPIJUW5sUDSs93vWyZm+1RzIpKCexxElmxl8g=" crossorigin="anonymous" defer></script>
|
||||||
|
<script>
|
||||||
|
var markdown = $(".markdown-body");
|
||||||
|
//smooth all hash trigger scrolling
|
||||||
|
function smoothHashScroll() {
|
||||||
|
var hashElements = $("a[href^='#']").toArray();
|
||||||
|
for (var i = 0; i < hashElements.length; i++) {
|
||||||
|
var element = hashElements[i];
|
||||||
|
var $element = $(element);
|
||||||
|
var hash = element.hash;
|
||||||
|
if (hash) {
|
||||||
|
$element.on('click', function (e) {
|
||||||
|
// store hash
|
||||||
|
var hash = this.hash;
|
||||||
|
if ($(hash).length <= 0) return;
|
||||||
|
// prevent default anchor click behavior
|
||||||
|
e.preventDefault();
|
||||||
|
// animate
|
||||||
|
$('body, html').stop(true, true).animate({
|
||||||
|
scrollTop: $(hash).offset().top
|
||||||
|
}, 100, "linear", function () {
|
||||||
|
// when done, add hash to url
|
||||||
|
// (default click behaviour)
|
||||||
|
window.location.hash = hash;
|
||||||
|
});
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
smoothHashScroll();
|
||||||
|
var toc = $('.ui-toc');
|
||||||
|
var tocAffix = $('.ui-affix-toc');
|
||||||
|
var tocDropdown = $('.ui-toc-dropdown');
|
||||||
|
//toc
|
||||||
|
tocDropdown.click(function (e) {
|
||||||
|
e.stopPropagation();
|
||||||
|
});
|
||||||
|
|
||||||
|
var enoughForAffixToc = true;
|
||||||
|
|
||||||
|
function generateScrollspy() {
|
||||||
|
$(document.body).scrollspy({
|
||||||
|
target: ''
|
||||||
|
});
|
||||||
|
$(document.body).scrollspy('refresh');
|
||||||
|
if (enoughForAffixToc) {
|
||||||
|
toc.hide();
|
||||||
|
tocAffix.show();
|
||||||
|
} else {
|
||||||
|
tocAffix.hide();
|
||||||
|
toc.show();
|
||||||
|
}
|
||||||
|
$(document.body).scroll();
|
||||||
|
}
|
||||||
|
|
||||||
|
function windowResize() {
|
||||||
|
//toc right
|
||||||
|
var paddingRight = parseFloat(markdown.css('padding-right'));
|
||||||
|
var right = ($(window).width() - (markdown.offset().left + markdown.outerWidth() - paddingRight));
|
||||||
|
toc.css('right', right + 'px');
|
||||||
|
//affix toc left
|
||||||
|
var newbool;
|
||||||
|
var rightMargin = (markdown.parent().outerWidth() - markdown.outerWidth()) / 2;
|
||||||
|
//for ipad or wider device
|
||||||
|
if (rightMargin >= 133) {
|
||||||
|
newbool = true;
|
||||||
|
var affixLeftMargin = (tocAffix.outerWidth() - tocAffix.width()) / 2;
|
||||||
|
var left = markdown.offset().left + markdown.outerWidth() - affixLeftMargin;
|
||||||
|
tocAffix.css('left', left + 'px');
|
||||||
|
} else {
|
||||||
|
newbool = false;
|
||||||
|
}
|
||||||
|
if (newbool != enoughForAffixToc) {
|
||||||
|
enoughForAffixToc = newbool;
|
||||||
|
generateScrollspy();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$(window).resize(function () {
|
||||||
|
windowResize();
|
||||||
|
});
|
||||||
|
$(document).ready(function () {
|
||||||
|
windowResize();
|
||||||
|
generateScrollspy();
|
||||||
|
});
|
||||||
|
|
||||||
|
//remove hash
|
||||||
|
function removeHash() {
|
||||||
|
window.location.hash = '';
|
||||||
|
}
|
||||||
|
|
||||||
|
var backtotop = $('.back-to-top');
|
||||||
|
var gotobottom = $('.go-to-bottom');
|
||||||
|
|
||||||
|
backtotop.click(function (e) {
|
||||||
|
e.preventDefault();
|
||||||
|
e.stopPropagation();
|
||||||
|
if (scrollToTop)
|
||||||
|
scrollToTop();
|
||||||
|
removeHash();
|
||||||
|
});
|
||||||
|
gotobottom.click(function (e) {
|
||||||
|
e.preventDefault();
|
||||||
|
e.stopPropagation();
|
||||||
|
if (scrollToBottom)
|
||||||
|
scrollToBottom();
|
||||||
|
removeHash();
|
||||||
|
});
|
||||||
|
|
||||||
|
var toggle = $('.expand-toggle');
|
||||||
|
var tocExpand = false;
|
||||||
|
|
||||||
|
checkExpandToggle();
|
||||||
|
toggle.click(function (e) {
|
||||||
|
e.preventDefault();
|
||||||
|
e.stopPropagation();
|
||||||
|
tocExpand = !tocExpand;
|
||||||
|
checkExpandToggle();
|
||||||
|
})
|
||||||
|
|
||||||
|
function checkExpandToggle () {
|
||||||
|
var toc = $('.ui-toc-dropdown .toc');
|
||||||
|
var toggle = $('.expand-toggle');
|
||||||
|
if (!tocExpand) {
|
||||||
|
toc.removeClass('expand');
|
||||||
|
toggle.text('Expand all');
|
||||||
|
} else {
|
||||||
|
toc.addClass('expand');
|
||||||
|
toggle.text('Collapse all');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function scrollToTop() {
|
||||||
|
$('body, html').stop(true, true).animate({
|
||||||
|
scrollTop: 0
|
||||||
|
}, 100, "linear");
|
||||||
|
}
|
||||||
|
|
||||||
|
function scrollToBottom() {
|
||||||
|
$('body, html').stop(true, true).animate({
|
||||||
|
scrollTop: $(document.body)[0].scrollHeight
|
||||||
|
}, 100, "linear");
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
</body>
|
||||||
|
|
||||||
|
</html>
@ -1,453 +0,0 @@
|
||||||
# Optimized configuration for Ubuntu server with EasyEngine
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
## Server Stack
|
|
||||||
|
|
||||||
- Ubuntu 16.04/18.04 LTS
|
|
||||||
- Nginx 1.15.x / 1.14.x
|
|
||||||
- PHP-FPM 7/7.1/7.2
|
|
||||||
- MariaDB 10.3
|
|
||||||
- REDIS 4.0
|
|
||||||
- Memcached
|
|
||||||
- Fail2ban
|
|
||||||
- Netdata
|
|
||||||
- UFW
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
Configuration files with comments and informations available by following the link **source**
|
|
||||||
|
|
||||||
### Initial configuration
|
|
||||||
|
|
||||||
#### System update and packages cleanup
|
|
||||||
|
|
||||||
```bash
|
|
||||||
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Install useful packages
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Tweak Kernel & Increase open files limits
|
|
||||||
|
|
||||||
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
modprobe tcp_htcp
|
|
||||||
wget -O /etc/sysctl.d/60-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
|
|
||||||
sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
|
|
||||||
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
|
|
||||||
```
|
|
||||||
|
|
||||||
#### disable transparent hugepage for redis
|
|
||||||
|
|
||||||
```bash
|
|
||||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
|
||||||
```
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
### EasyEngine Setup
|
|
||||||
|
|
||||||
#### Install MariaDB 10.3
|
|
||||||
|
|
||||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --mariadb-server-version=10.3 --skip-maxscale -y
|
|
||||||
sudo apt update && sudo apt install mariadb-server -y
|
|
||||||
```
|
|
||||||
|
|
||||||
#### MySQL Tuning
|
|
||||||
|
|
||||||
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
|
|
||||||
```
|
|
||||||
|
|
||||||
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo service mysql stop
|
|
||||||
|
|
||||||
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
|
|
||||||
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
|
|
||||||
|
|
||||||
sudo service mysql start
|
|
||||||
```
|
|
||||||
|
|
||||||
Increase MariaDB open files limits
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
|
|
||||||
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
sudo systemctl restart mariadb
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Install EasyEngine
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
|
|
||||||
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
|
|
||||||
|
|
||||||
wget -qO ee rt.cx/ee && bash ee
|
|
||||||
```
|
|
||||||
|
|
||||||
#### enable ee bash_completion
|
|
||||||
|
|
||||||
```bash
|
|
||||||
source /etc/bash_completion.d/ee_auto.rc
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
|
|
||||||
|
|
||||||
```bash
|
|
||||||
ee stack install
|
|
||||||
ee stack install --php7 --redis --admin --phpredisadmin
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Set your email instead of root@localhost
|
|
||||||
|
|
||||||
```bash
|
|
||||||
echo 'root: my.email@address.com' >> /etc/aliases
|
|
||||||
newaliases
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Install Composer - Fix phpmyadmin install issue
|
|
||||||
|
|
||||||
```bash
|
|
||||||
cd ~/ ||exit
|
|
||||||
curl -sS https://getcomposer.org/installer | php
|
|
||||||
mv composer.phar /usr/bin/composer
|
|
||||||
|
|
||||||
chown www-data:www-data /var/www
|
|
||||||
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Allow shell for www-data for SFTP usage
|
|
||||||
|
|
||||||
```bash
|
|
||||||
usermod -s /bin/bash www-data
|
|
||||||
```
|
|
||||||
|
|
||||||
### PHP 7.1 & 7.2 Setup
|
|
||||||
|
|
||||||
#### Install php7.1-fpm
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# php7.1-fpm
|
|
||||||
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
|
|
||||||
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
|
|
||||||
|
|
||||||
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
|
|
||||||
|
|
||||||
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
|
|
||||||
service php7.1-fpm restart
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Install php7.2-fpm
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# php7.2-fpm
|
|
||||||
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
|
|
||||||
|
|
||||||
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
|
|
||||||
|
|
||||||
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
|
|
||||||
service php7.2-fpm restart
|
|
||||||
```
|
|
||||||
|
|
||||||
#### add nginx upstreams
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
|
||||||
service nginx reload
|
|
||||||
```
|
|
||||||
|
|
||||||
#### add ee common configuration
|
|
||||||
|
|
||||||
```bash
|
|
||||||
cd /etc/nginx/common || exit
|
|
||||||
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
|
|
||||||
unzip common.zip
|
|
||||||
```
|
|
||||||
|
|
||||||
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
|
||||||
```
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
### Custom configurations
|
|
||||||
|
|
||||||
#### clean php-fpm php.ini configuration
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# PHP 7.0
|
|
||||||
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
|
|
||||||
service php7.0-fpm restart
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Nginx optimized configurations
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# TLSv1.2 TLSv1.3 only
|
|
||||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
|
|
||||||
|
|
||||||
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
|
|
||||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
|
|
||||||
|
|
||||||
# TLSv1.2 only
|
|
||||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Nginx configuration for netdata & new upstreams
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
|
||||||
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
|
|
||||||
|
|
||||||
# add netdata, php7.1 and php7.2 upstream
|
|
||||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
|
||||||
|
|
||||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
|
||||||
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Increase Nginx open files limits
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
|
||||||
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
|
|
||||||
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
sudo systemctl restart nginx.service
|
|
||||||
```
|
|
||||||
|
|
||||||
#### wpcommon-php7x configurations
|
|
||||||
|
|
||||||
- webp rewrite rules added
|
|
||||||
- DoS attack CVE fix added
|
|
||||||
- php7.1 & php7.2 configuration added
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# 1) add webp mapping
|
|
||||||
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
|
|
||||||
|
|
||||||
# 2) wpcommon files
|
|
||||||
# php7
|
|
||||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
|
|
||||||
|
|
||||||
# php7.1
|
|
||||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
|
|
||||||
|
|
||||||
# php7.2
|
|
||||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
|
|
||||||
|
|
||||||
nginx -t
|
|
||||||
service nginx reload
|
|
||||||
```
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
### Security
|
|
||||||
|
|
||||||
#### Harden SSH Security
|
|
||||||
|
|
||||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
|
||||||
|
|
||||||
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
|
|
||||||
|
|
||||||
#### UFW
|
|
||||||
|
|
||||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# enable ufw log - allow outgoing - deny incoming
|
|
||||||
ufw logging low
|
|
||||||
ufw default allow outgoing
|
|
||||||
ufw default deny incoming
|
|
||||||
|
|
||||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
|
||||||
ufw allow 22
|
|
||||||
ufw allow 53
|
|
||||||
ufw allow http
|
|
||||||
ufw allow https
|
|
||||||
ufw allow 21
|
|
||||||
ufw allow 123
|
|
||||||
ufw allow 161
|
|
||||||
ufw allow 6556
|
|
||||||
ufw allow 19999
|
|
||||||
ufw allow 22222
|
|
||||||
|
|
||||||
# enable UFW
|
|
||||||
ufw enable
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Custom jails for fail2ban
|
|
||||||
|
|
||||||
- wordpress bruteforce
|
|
||||||
- ssh
|
|
||||||
- recidive (after 3 bans)
|
|
||||||
- backend http auth
|
|
||||||
- nginx bad bots
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
|
|
||||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
|
|
||||||
wget -O /etc/fail2ban/filter.d/nginx-forbidden.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/nginx-forbidden.conf
|
|
||||||
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
|
|
||||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
|
|
||||||
|
|
||||||
fail2ban-client reload
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Secure Memcached server
|
|
||||||
|
|
||||||
```bash
|
|
||||||
echo '-U 0' >> /etc/memcached.conf
|
|
||||||
sudo systemctl restart memcached
|
|
||||||
```
|
|
||||||
|
|
||||||
### Optional
|
|
||||||
|
|
||||||
#### ee-acme-sh
|
|
||||||
|
|
||||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
|
||||||
|
|
||||||
* subdomain support
|
|
||||||
* ivp6 support
|
|
||||||
* wildcards certificates support
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
|
|
||||||
chmod +x install-ee-acme.sh
|
|
||||||
./install-ee-acme.sh
|
|
||||||
|
|
||||||
# enable acme.sh & ee-acme-sh
|
|
||||||
source .bashrc
|
|
||||||
```
|
|
||||||
|
|
||||||
#### netdata
|
|
||||||
|
|
||||||
[Github repository](https://github.com/firehol/netdata)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
|
|
||||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
|
||||||
|
|
||||||
# save 40-60% of netdata memory
|
|
||||||
echo 1 >/sys/kernel/mm/ksm/run
|
|
||||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
|
||||||
|
|
||||||
# disable email notifications
|
|
||||||
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
|
|
||||||
service netdata restart
|
|
||||||
```
|
|
||||||
|
|
||||||
#### cht.sh (cheat)
|
|
||||||
|
|
||||||
[Github repository](https://github.com/chubin/cheat.sh)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
curl https://cht.sh/:cht.sh > /usr/bin/cht.sh
|
|
||||||
chmod +x /usr/bin/cht.sh
|
|
||||||
|
|
||||||
|
|
||||||
echo "alias cheat='cht.sh'" >> $HOME/.bashrc
|
|
||||||
source $HOME/.bashrc
|
|
||||||
```
|
|
||||||
|
|
||||||
usage : `cheat <command>`
|
|
||||||
|
|
||||||
```bash
|
|
||||||
root@vps:~ cheat cat
|
|
||||||
# cat
|
|
||||||
|
|
||||||
# Print and concatenate files.
|
|
||||||
|
|
||||||
# Print the contents of a file to the standard output:
|
|
||||||
cat file
|
|
||||||
|
|
||||||
# Concatenate several files into the target file:
|
|
||||||
cat file1 file2 > target_file
|
|
||||||
|
|
||||||
# Append several files into the target file:
|
|
||||||
cat file1 file2 >> target_file
|
|
||||||
|
|
||||||
# Number all output lines:
|
|
||||||
cat -n file
|
|
||||||
```
|
|
||||||
|
|
||||||
#### nanorc - Improved Nano Syntax Highlighting Files
|
|
||||||
|
|
||||||
[Github repository](https://github.com/scopatz/nanorc)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
|
||||||
```
|
|
||||||
|
|
||||||
#### ucaresystem - script to update & cleanup packages easily
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo add-apt-repository ppa:utappia/stable -y
|
|
||||||
sudo apt update
|
|
||||||
sudo apt install ucaresystem-core -y
|
|
||||||
```
|
|
||||||
|
|
||||||
Run server maintenance with the command :
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo ucaresystem-core
|
|
||||||
```
|
|
||||||
|
|
||||||
### WP-CLI
|
|
||||||
|
|
||||||
#### Add bash-completion for user www-data
|
|
||||||
|
|
||||||
```bashrc
|
|
||||||
# download wp-cli bash_completion
|
|
||||||
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
|
|
||||||
|
|
||||||
# change /var/www owner
|
|
||||||
chown www-data:www-data /var/www
|
|
||||||
|
|
||||||
# download .profile & .bashrc for www-data
|
|
||||||
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
|
|
||||||
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
|
|
||||||
|
|
||||||
# set owner
|
|
||||||
chown www-data:www-data /var/www/.profile
|
|
||||||
chown www-data:www-data /var/www/.bashrc
|
|
||||||
```
|
|
||||||
|
|
||||||
### Custom Nginx error pages
|
|
||||||
|
|
||||||
[Github Repository](https://github.com/alexphelps/server-error-pages)
|
|
||||||
|
|
||||||
Installation
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# clone the github repository
|
|
||||||
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
|
|
||||||
|
|
||||||
# download nginx configuration
|
|
||||||
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
|
|
||||||
```
|
|
||||||
|
|
||||||
Then include this configuration in your nginx vhost by adding the following line
|
|
||||||
|
|
||||||
```bash
|
|
||||||
include common/error_pages.conf;
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
Published & maintained by [VirtuBox](https://virtubox.net)
@ -2,9 +2,15 @@
|
||||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||||
# Basic locations files
|
# Basic locations files
|
||||||
location = /favicon.ico {
|
location = /favicon.ico {
|
||||||
|
try_files /favicon.ico @empty;
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
expires max;
|
expires max;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
location @empty {
|
||||||
|
empty_gif;
|
||||||
}
|
}
|
||||||
location = /robots.txt {
|
location = /robots.txt {
|
||||||
# Some WordPress plugin gererate robots.txt file
|
# Some WordPress plugin gererate robots.txt file
|
||||||
|
@ -14,7 +20,7 @@ location = /robots.txt {
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
}
|
}
|
||||||
# Cache static files
|
# Cache static files
|
||||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||||
add_header "Access-Control-Allow-Origin" "*";
|
add_header "Access-Control-Allow-Origin" "*";
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
|
@ -33,19 +39,19 @@ location ~ /\.(?!well-known\/) {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# Use the directory /var/www/html to valide acme-challenge
|
# Use the directory /var/www/html to valide acme-challenge
|
||||||
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
|
# just create the sub-directories .well-known/acme-challenge
|
||||||
# #
|
####
|
||||||
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
|
# sudo chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
|
||||||
# #
|
####
|
||||||
location /.well-known/acme-challenge/ {
|
# location /.well-known/acme-challenge/ {
|
||||||
alias /var/www/html/.well-known/acme-challenge/;
|
# alias /var/www/html/.well-known/acme-challenge/;
|
||||||
}
|
# }
|
||||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||||
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
|
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# Deny backup extensions & log files and return 403 forbidden
|
# Deny backup extensions & log files and return 403 forbidden
|
||||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# common nginx configuration to block sql injection and other attacks
|
# common nginx configuration to block sql injection and other attacks
|
||||||
|
@ -100,32 +106,9 @@ location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
|
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# Status pages
|
|
||||||
location = /nginx_status {
|
|
||||||
stub_status on;
|
|
||||||
access_log off;
|
|
||||||
include common/acl.conf;
|
|
||||||
}
|
|
||||||
location ~ ^/(status|ping)$ {
|
|
||||||
include fastcgi_params;
|
|
||||||
include common/acl.conf;
|
|
||||||
fastcgi_pass php7;
|
|
||||||
}
|
|
||||||
# EasyEngine (ee) utilities
|
|
||||||
# phpMyAdmin settings
|
|
||||||
location = /pma {
|
|
||||||
return 301 https://$host:22222/db/pma;
|
|
||||||
}
|
|
||||||
location = /phpMyAdmin {
|
|
||||||
return 301 https://$host:22222/db/pma;
|
|
||||||
}
|
|
||||||
location = /phpmyadmin {
|
|
||||||
return 301 https://$host:22222/db/pma;
|
|
||||||
}
|
|
||||||
# Adminer settings
|
|
||||||
location = /adminer {
|
|
||||||
return 301 https://$host:22222/db/adminer;
|
|
||||||
}
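Review bot: The comment block above the ACME location still reads as a live instruction (`# Use the directory /var/www/html to valide acme-challenge`) while the `location /.well-known/acme-challenge/` it describes is now commented out, so the instruction no longer matches the shipped configuration. Suggest rewording it to `# Optional: uncomment the location below to validate acme-challenge from /var/www/html` (and fixing `valide`). On the static-files line, `ttf` now appears twice in the alternation (`woff|woff2|ttf|m4a|mp4|ttf`), which is harmless but looks like a merge slip. The same two points recur in the sibling location files ending at L8480, L8620 and L8889.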
|
|
||||||
|
|
|
@ -2,32 +2,36 @@
|
||||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||||
# Basic locations files
|
# Basic locations files
|
||||||
location = /favicon.ico {
|
location = /favicon.ico {
|
||||||
access_log off;
|
try_files /favicon.ico @empty;
|
||||||
log_not_found off;
|
access_log off;
|
||||||
expires max;
|
log_not_found off;
|
||||||
|
expires max;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
location @empty {
|
||||||
|
empty_gif;
|
||||||
}
|
}
|
||||||
location = /robots.txt {
|
location = /robots.txt {
|
||||||
# Some WordPress plugin gererate robots.txt file
|
# Some WordPress plugin gererate robots.txt file
|
||||||
# Refer #340 issue
|
# Refer #340 issue
|
||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
}
|
}
|
||||||
# Cache static files
|
# Cache static files
|
||||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
|
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||||
{
|
add_header "Access-Control-Allow-Origin" "*";
|
||||||
add_header "Access-Control-Allow-Origin" "*";
|
access_log off;
|
||||||
access_log off;
|
log_not_found off;
|
||||||
log_not_found off;
|
expires max;
|
||||||
expires max;
|
|
||||||
}
|
}
|
||||||
# Cache css & js files
|
# Cache css & js files
|
||||||
location ~* \.(?:css(\.map)?|js(\.map)?)$
|
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
|
||||||
{
|
add_header "Access-Control-Allow-Origin" "*";
|
||||||
add_header "Access-Control-Allow-Origin" "*";
|
access_log off;
|
||||||
access_log off;
|
log_not_found off;
|
||||||
log_not_found off;
|
expires 30d;
|
||||||
expires 30d;
|
|
||||||
}
|
}
|
||||||
# Security settings for better privacy
|
# Security settings for better privacy
|
||||||
# Deny hidden files
|
# Deny hidden files
|
||||||
|
@ -43,12 +47,12 @@ location ~ /\.(?!well-known\/) {
|
||||||
# alias /var/www/html/.well-known/acme-challenge/;
|
# alias /var/www/html/.well-known/acme-challenge/;
|
||||||
# }
|
# }
|
||||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||||
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
|
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# Deny backup extensions & log files and return 403 forbidden
|
# Deny backup extensions & log files and return 403 forbidden
|
||||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# common nginx configuration to block sql injection and other attacks
|
# common nginx configuration to block sql injection and other attacks
|
||||||
location ~* "(eval\()" {
|
location ~* "(eval\()" {
|
||||||
|
@ -102,32 +106,9 @@ location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
|
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# Status pages
|
|
||||||
location /nginx_status {
|
|
||||||
stub_status on;
|
|
||||||
access_log off;
|
|
||||||
include common/acl.conf;
|
|
||||||
}
|
|
||||||
location ~ ^/(status|ping) {
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_pass php71;
|
|
||||||
include common/acl.conf;
|
|
||||||
}
|
|
||||||
# EasyEngine (ee) utilities
|
|
||||||
# phpMyAdmin settings
|
|
||||||
location /pma {
|
|
||||||
return 301 https://$host:22222/db/pma;
|
|
||||||
}
|
|
||||||
location /phpMyAdmin {
|
|
||||||
return 301 https://$host:22222/db/pma;
|
|
||||||
}
|
|
||||||
location /phpmyadmin {
|
|
||||||
return 301 https://$host:22222/db/pma;
|
|
||||||
}
|
|
||||||
# Adminer settings
|
|
||||||
location /adminer {
|
|
||||||
return 301 https://$host:22222/db/adminer;
|
|
||||||
}
|
|
||||||
|
|
|
@ -106,32 +106,9 @@ location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
|
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# Status pages
|
|
||||||
location /nginx_status {
|
|
||||||
stub_status on;
|
|
||||||
access_log off;
|
|
||||||
include common/acl.conf;
|
|
||||||
}
|
|
||||||
location ~ ^/(status|ping) {
|
|
||||||
include fastcgi_params;
|
|
||||||
include common/acl.conf;
|
|
||||||
fastcgi_pass php72;
|
|
||||||
}
|
|
||||||
# EasyEngine (ee) utilities
|
|
||||||
# phpMyAdmin settings
|
|
||||||
location /pma {
|
|
||||||
return 301 https://$host:22222/db/pma;
|
|
||||||
}
|
|
||||||
location /phpMyAdmin {
|
|
||||||
return 301 https://$host:22222/db/pma;
|
|
||||||
}
|
|
||||||
location /phpmyadmin {
|
|
||||||
return 301 https://$host:22222/db/pma;
|
|
||||||
}
|
|
||||||
# Adminer settings
|
|
||||||
location /adminer {
|
|
||||||
return 301 https://$host:22222/db/adminer;
|
|
||||||
}
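Review bot: The deny regex for sensitive PHP filenames drops `settings` on the new side (`config|settings|configuration` becomes `config|configuration`), so `/settings.php` is no longer blocked by this rule in this variant. If the intent is to converge the four variants rather than relax the rule, keep `settings` in all of them: `location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {`. The old/new side is inferred from the page layout (old cell printed first), so confirm against the raw diff.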
|
|
||||||
|
|
|
@ -2,9 +2,15 @@
|
||||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||||
# Basic locations files
|
# Basic locations files
|
||||||
location = /favicon.ico {
|
location = /favicon.ico {
|
||||||
|
try_files /favicon.ico @empty;
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
expires max;
|
expires max;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
location @empty {
|
||||||
|
empty_gif;
|
||||||
}
|
}
|
||||||
location = /robots.txt {
|
location = /robots.txt {
|
||||||
# Some WordPress plugin gererate robots.txt file
|
# Some WordPress plugin gererate robots.txt file
|
||||||
|
@ -14,7 +20,7 @@ location = /robots.txt {
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
}
|
}
|
||||||
# Cache static files
|
# Cache static files
|
||||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||||
add_header "Access-Control-Allow-Origin" "*";
|
add_header "Access-Control-Allow-Origin" "*";
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
|
@ -33,19 +39,19 @@ location ~ /\.(?!well-known\/) {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# Use the directory /var/www/html to valide acme-challenge
|
# Use the directory /var/www/html to valide acme-challenge
|
||||||
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
|
# just create the sub-directories .well-known/acme-challenge
|
||||||
# #
|
####
|
||||||
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
|
# sudo chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
|
||||||
# #
|
####
|
||||||
location /.well-known/acme-challenge/ {
|
# location /.well-known/acme-challenge/ {
|
||||||
alias /var/www/html/.well-known/acme-challenge/;
|
# alias /var/www/html/.well-known/acme-challenge/;
|
||||||
}
|
# }
|
||||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||||
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
|
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# Deny backup extensions & log files and return 403 forbidden
|
# Deny backup extensions & log files and return 403 forbidden
|
||||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# common nginx configuration to block sql injection and other attacks
|
# common nginx configuration to block sql injection and other attacks
|
||||||
|
@ -100,13 +106,9 @@ location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
|
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
# Status pages
|
|
||||||
location = /nginx_status {
|
|
||||||
stub_status on;
|
|
||||||
access_log off;
|
|
||||||
include common/acl.conf;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
@ -19,7 +19,7 @@ pagespeed PreserveUrlRelativity on;
|
||||||
pagespeed AvoidRenamingIntrospectiveJavascript on;
|
pagespeed AvoidRenamingIntrospectiveJavascript on;
|
||||||
#pagespeed MaxInlinedPreviewImagesIndex -1;
|
#pagespeed MaxInlinedPreviewImagesIndex -1;
|
||||||
pagespeed EnableFilters convert_meta_tags,extend_cache,rewrite_javascript_inline;
|
pagespeed EnableFilters convert_meta_tags,extend_cache,rewrite_javascript_inline;
|
||||||
pagespeed Domain *.virtubox.net;
|
#pagespeed Domain *.yourdomain.tld;
|
||||||
|
|
||||||
location /ngx_pagespeed_statistics { include common/acl.conf; }
|
location /ngx_pagespeed_statistics { include common/acl.conf; }
|
||||||
location /ngx_pagespeed_global_statistics { include common/acl.conf; }
|
location /ngx_pagespeed_global_statistics { include common/acl.conf; }
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
# PHP NGINX CONFIGURATION
|
||||||
|
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.php?$args;
|
||||||
|
}
|
||||||
|
location ~ \.php$ {
|
||||||
|
try_files $uri =404;
|
||||||
|
include fastcgi_params;
|
||||||
|
fastcgi_pass php71-sock;
|
||||||
|
}
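Review bot: The `location ~ \.php$` block relies on `include fastcgi_params;` to provide `SCRIPT_FILENAME`; the stock nginx/Debian `fastcgi_params` does not define it (that lives in `fastcgi.conf`), so unless the EasyEngine copy adds it — which I cannot see from here — PHP-FPM receives no script path and every PHP request fails. Either state the dependency in the header comment, `# requires fastcgi_params to define SCRIPT_FILENAME (EasyEngine's copy does)`, or set it explicitly with `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`. The `try_files $uri =404;` guard before `fastcgi_pass` is the right call and should stay. The php72 twin ending at L9021 and the three wpfc files ending at L9203, L9299 and L9395 have the same structure.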
|
|
@ -0,0 +1,10 @@
|
||||||
|
# PHP NGINX CONFIGURATION
|
||||||
|
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.php?$args;
|
||||||
|
}
|
||||||
|
location ~ \.php$ {
|
||||||
|
try_files $uri =404;
|
||||||
|
include fastcgi_params;
|
||||||
|
fastcgi_pass php72-sock;
|
||||||
|
}
|
|
@ -1,21 +0,0 @@
|
||||||
# nginx common web app exploits protection
|
|
||||||
|
|
||||||
location ~* "(eval\()" { deny all; }
|
|
||||||
location ~* "(127\.0\.0\.1)" { deny all; }
|
|
||||||
location ~* "([a-z0-9]{2000})" { deny all; }
|
|
||||||
location ~* "(javascript\:)(.*)(\;)" { deny all; }
|
|
||||||
location ~* "(base64_encode)(.*)(\()" { deny all; }
|
|
||||||
location ~* "(GLOBALS|REQUEST)(=|\[|%)" { deny all; }
|
|
||||||
location ~* "(<|%3C).*script.*(>|%3)" { deny all; }
|
|
||||||
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; }
|
|
||||||
location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
|
|
||||||
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }
|
|
||||||
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; }
|
|
||||||
location ~* "(https?|ftp|php):/" { deny all; }
|
|
||||||
location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; }
|
|
||||||
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; }
|
|
||||||
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { deny all; }
|
|
||||||
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; }
|
|
||||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { deny all; }
|
|
||||||
location ~* "\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { deny all; }
|
|
||||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { deny all; }
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
# wordpress fastcgi cache configuration
|
||||||
|
|
||||||
|
add_header X-fastcgi-cache $upstream_cache_status;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.php?$args;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.php$ {
|
||||||
|
try_files $uri =404;
|
||||||
|
include fastcgi_params;
|
||||||
|
fastcgi_pass php7-sock;
|
||||||
|
|
||||||
|
fastcgi_cache_bypass $skip_cache;
|
||||||
|
fastcgi_no_cache $skip_cache;
|
||||||
|
|
||||||
|
fastcgi_cache WORDPRESS;
|
||||||
|
fastcgi_cache_valid 200 60m;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ /purge(/.*) {
|
||||||
|
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
|
||||||
|
access_log off;
|
||||||
|
}
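Review bot: `location ~ /purge(/.*)` lets any client flush the WORDPRESS fastcgi cache for an arbitrary path, since nothing restricts who may hit it, and `access_log off` also hides those requests; repeated purges defeat the cache and push load straight onto PHP-FPM. The purge is normally issued by the site's own plugin from the host itself, so restricting the block to loopback (`allow 127.0.0.1; deny all;`) or to `include common/acl.conf;`, as the status locations elsewhere in this commit do, closes that without affecting the plugin. The regex is also unanchored, so `/anything/purge/...` matches; `location ~ ^/purge(/.*)` is what the cache key expects. `$skip_cache` must be defined by a `map` elsewhere — I cannot see it here, so a comment naming that file would help. The php71 and php72 twins ending at L9299 and L9395 share all of this.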
|
|
@ -0,0 +1,25 @@
|
||||||
|
# wordpress fastcgi cache configuration
|
||||||
|
|
||||||
|
add_header X-fastcgi-cache $upstream_cache_status;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.php?$args;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.php$ {
|
||||||
|
try_files $uri =404;
|
||||||
|
include fastcgi_params;
|
||||||
|
fastcgi_pass php71-sock;
|
||||||
|
|
||||||
|
fastcgi_cache_bypass $skip_cache;
|
||||||
|
fastcgi_no_cache $skip_cache;
|
||||||
|
|
||||||
|
fastcgi_cache WORDPRESS;
|
||||||
|
fastcgi_cache_valid 200 60m;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ /purge(/.*) {
|
||||||
|
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
|
||||||
|
access_log off;
|
||||||
|
}
|
|
@ -0,0 +1,25 @@
|
||||||
|
# wordpress fastcgi cache configuration
|
||||||
|
|
||||||
|
add_header X-fastcgi-cache $upstream_cache_status;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.php?$args;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.php$ {
|
||||||
|
try_files $uri =404;
|
||||||
|
include fastcgi_params;
|
||||||
|
fastcgi_pass php72-sock;
|
||||||
|
|
||||||
|
fastcgi_cache_bypass $skip_cache;
|
||||||
|
fastcgi_no_cache $skip_cache;
|
||||||
|
|
||||||
|
fastcgi_cache WORDPRESS;
|
||||||
|
fastcgi_cache_valid 200 60m;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ /purge(/.*) {
|
||||||
|
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
|
||||||
|
access_log off;
|
||||||
|
}
|
|
@ -12,22 +12,26 @@ location = /wp-config.txt {
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
}
|
}
|
||||||
# Disallow php in upload folder and add webp rewrite
|
# webp rewrite rules for jpg and png images
|
||||||
location /wp-content/uploads/ {
|
# try to load alternative image.png.webp before image.png
|
||||||
location ~ \.php$ {
|
location ~ ^/wp-content/uploads/.*\.(png|jpe?g)$ {
|
||||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
add_header Vary "Accept-Encoding";
|
||||||
deny all;
|
add_header "Access-Control-Allow-Origin" "*";
|
||||||
}
|
add_header Cache-Control "public, no-transform";
|
||||||
# webp rewrite rules
|
access_log off;
|
||||||
location ~ \.(png|jpe?g)$ {
|
log_not_found off;
|
||||||
add_header Vary "Accept-Encoding";
|
expires max;
|
||||||
add_header "Access-Control-Allow-Origin" "*";
|
try_files $uri$webp_suffix $uri =404;
|
||||||
add_header Cache-Control "public, no-transform";
|
}
|
||||||
access_log off;
|
# Deny access to any files with a .php extension in the uploads directory for the single site
|
||||||
log_not_found off;
|
location ~ ^/wp-content/uploads/.*\.php$ {
|
||||||
expires max;
|
deny all;
|
||||||
try_files $uri$webp_suffix $uri =404;
|
}
|
||||||
}
|
# Deny access to any files with a .php extension in the uploads directory
|
||||||
|
# Works in sub-directory installs and also in multisite network
|
||||||
|
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
||||||
|
location ~* /(?:uploads|files)/.*\.php$ {
|
||||||
|
deny all;
|
||||||
}
|
}
|
||||||
# mitigate DoS attack CVE with WordPress script concatenation
|
# mitigate DoS attack CVE with WordPress script concatenation
|
||||||
# add the following line to wp-config.php
|
# add the following line to wp-config.php
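Review bot: Moving the uploads `.php` deny from a nested location to top-level regex locations (`location ~ ^/wp-content/uploads/.*\.php$` and `location ~* /(?:uploads|files)/.*\.php$`) changes how nginx resolves it: the nested rule used to win inside the `/wp-content/uploads/` prefix, whereas top-level regex locations are tried in file order and the first match wins, so if the generic `location ~ \.php$` handler is included before this file, an uploaded `.php` file is executed instead of denied. I cannot see the include order from here; either document the requirement with `# must be included before the generic "location ~ \.php$" handler` or keep the deny inside a `location ^~ /wp-content/uploads/ {` block whose nested `location ~ \.php$ { deny all; }` cannot be shadowed. The sibling hunks ending at L9656 and L9788 have the same structure.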
|
||||||
|
|
|
@ -12,22 +12,26 @@ location = /wp-config.txt {
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
}
|
}
|
||||||
# Disallow php in upload folder and add webp rewrite
|
# webp rewrite rules for jpg and png images
|
||||||
location /wp-content/uploads/ {
|
# try to load alternative image.png.webp before image.png
|
||||||
location ~ \.php$ {
|
location ~ ^/wp-content/uploads/.*\.(png|jpe?g)$ {
|
||||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
add_header Vary "Accept-Encoding";
|
||||||
deny all;
|
add_header "Access-Control-Allow-Origin" "*";
|
||||||
}
|
add_header Cache-Control "public, no-transform";
|
||||||
# webp rewrite rules
|
access_log off;
|
||||||
location ~ \.(png|jpe?g)$ {
|
log_not_found off;
|
||||||
add_header Vary "Accept-Encoding";
|
expires max;
|
||||||
add_header "Access-Control-Allow-Origin" "*";
|
try_files $uri$webp_suffix $uri =404;
|
||||||
add_header Cache-Control "public, no-transform";
|
}
|
||||||
access_log off;
|
# Deny access to any files with a .php extension in the uploads directory for the single site
|
||||||
log_not_found off;
|
location ~ ^/wp-content/uploads/.*\.php$ {
|
||||||
expires max;
|
deny all;
|
||||||
try_files $uri$webp_suffix $uri =404;
|
}
|
||||||
}
|
# Deny access to any files with a .php extension in the uploads directory
|
||||||
|
# Works in sub-directory installs and also in multisite network
|
||||||
|
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
||||||
|
location ~* /(?:uploads|files)/.*\.php$ {
|
||||||
|
deny all;
|
||||||
}
|
}
|
||||||
# mitigate DoS attack CVE with WordPress script concatenation
|
# mitigate DoS attack CVE with WordPress script concatenation
|
||||||
# add the following line to wp-config.php
|
# add the following line to wp-config.php
|
||||||
|
|
|
@ -12,22 +12,26 @@ location = /wp-config.txt {
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
}
|
}
|
||||||
# Disallow php in upload folder and add webp rewrite
|
# webp rewrite rules for jpg and png images
|
||||||
location /wp-content/uploads/ {
|
# try to load alternative image.png.webp before image.png
|
||||||
location ~ \.php$ {
|
location /wp-content/uploads/.*\.(png|jpe?g)$ {
|
||||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
add_header Vary "Accept-Encoding";
|
||||||
deny all;
|
add_header "Access-Control-Allow-Origin" "*";
|
||||||
}
|
add_header Cache-Control "public, no-transform";
|
||||||
# webp rewrite rules
|
access_log off;
|
||||||
location ~ \.(png|jpe?g)$ {
|
log_not_found off;
|
||||||
add_header Vary "Accept-Encoding";
|
expires max;
|
||||||
add_header "Access-Control-Allow-Origin" "*";
|
try_files $uri$webp_suffix $uri =404;
|
||||||
add_header Cache-Control "public, no-transform";
|
}
|
||||||
access_log off;
|
# Deny access to any files with a .php extension in the uploads directory for the single site
|
||||||
log_not_found off;
|
location ~ ^/wp-content/uploads/.*\.php$ {
|
||||||
expires max;
|
deny all;
|
||||||
try_files $uri$webp_suffix $uri =404;
|
}
|
||||||
}
|
# Deny access to any files with a .php extension in the uploads directory
|
||||||
|
# Works in sub-directory installs and also in multisite network
|
||||||
|
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
||||||
|
location ~* /(?:uploads|files)/.*\.php$ {
|
||||||
|
deny all;
|
||||||
}
|
}
|
||||||
# mitigate DoS attack CVE with WordPress script concatenation
|
# mitigate DoS attack CVE with WordPress script concatenation
|
||||||
# add the following line to wp-config.php
|
# add the following line to wp-config.php
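Review bot: `location /wp-content/uploads/.*\.(png|jpe?g)$ {` on the new side is missing the `~` modifier, so nginx treats `.*\.(png|jpe?g)$` as a literal prefix string and the webp block never matches. The two sibling files use `location ~ ^/wp-content/uploads/.*\.(png|jpe?g)$ {`, which this one should as well. The old/new side is inferred from the page layout (old cell printed first), so confirm against the raw diff.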
|
||||||
|
|
|
@ -1,5 +1,7 @@
|
||||||
# $remote_addr rewriting in case of NGINX behind CloudFlare.
|
##
|
||||||
# See also mod_cloudflare Apache module configuration.
|
# nginx-cloudflare-real-ip - restore visitor IP under Cloudflare CDN
|
||||||
|
##
|
||||||
|
# Source : https://virtubox.github.io/nginx-cloudflare-real-ip/
|
||||||
|
|
||||||
set_real_ip_from 103.21.244.0/22;
|
set_real_ip_from 103.21.244.0/22;
|
||||||
set_real_ip_from 103.22.200.0/22;
|
set_real_ip_from 103.22.200.0/22;
|
||||||
|
@ -16,12 +18,10 @@ set_real_ip_from 190.93.240.0/20;
|
||||||
set_real_ip_from 197.234.240.0/22;
|
set_real_ip_from 197.234.240.0/22;
|
||||||
set_real_ip_from 198.41.128.0/17;
|
set_real_ip_from 198.41.128.0/17;
|
||||||
set_real_ip_from 2400:cb00::/32;
|
set_real_ip_from 2400:cb00::/32;
|
||||||
|
set_real_ip_from 2405:b500::/32;
|
||||||
set_real_ip_from 2606:4700::/32;
|
set_real_ip_from 2606:4700::/32;
|
||||||
set_real_ip_from 2803:f800::/32;
|
set_real_ip_from 2803:f800::/32;
|
||||||
set_real_ip_from 2405:b500::/32;
|
|
||||||
set_real_ip_from 2405:8100::/32;
|
|
||||||
set_real_ip_from 2c0f:f248::/32;
|
set_real_ip_from 2c0f:f248::/32;
|
||||||
set_real_ip_from 2a06:98c0::/29;
|
set_real_ip_from 2a06:98c0::/29;
|
||||||
|
|
||||||
real_ip_header CF-Connecting-IP;
|
real_ip_header CF-Connecting-IP;
|
||||||
#real_ip_header X-Forwarded-For;
|
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
server {
|
||||||
|
listen 127.0.0.1:80;
|
||||||
|
server_name 127.0.0.1;
|
||||||
|
location ~ ^/(stub_status|nginx_status)$ {
|
||||||
|
stub_status on;
|
||||||
|
allow 127.0.0.1;
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
location ~ ^/(status|ping) {
|
||||||
|
include fastcgi_params;
|
||||||
|
allow 127.0.0.1;
|
||||||
|
deny all;
|
||||||
|
fastcgi_pass php7;
|
||||||
|
}
|
||||||
|
}
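Review bot: `location ~ ^/(status|ping)` lacks a `$` anchor, so any path beginning with `/status` or `/ping` (for example `/statusfoo`) is also handed to PHP-FPM; the stub_status location just above anchors with `$` and this one should match it: `location ~ ^/(status|ping)$ {`. The `allow 127.0.0.1; deny all;` pairs are reasonable defence in depth next to `listen 127.0.0.1:80;`. `fastcgi_pass php7;` is the only upstream hardcoded in this server while the other new files are split per php71/php72, and FPM only answers these paths when `pm.status_path`/`ping.path` are enabled in the pool — a comment saying so would save the next reader a search.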
|
|
@ -1,6 +1,10 @@
|
||||||
# Common upstream settings
|
# Common upstream settings
|
||||||
|
|
||||||
|
##################
|
||||||
|
# php5.6-fpm
|
||||||
|
##################
|
||||||
|
|
||||||
upstream php {
|
upstream php {
|
||||||
# server unix:/run/php5-fpm.sock;
|
|
||||||
server 127.0.0.1:9000;
|
server 127.0.0.1:9000;
|
||||||
}
|
}
|
||||||
upstream debug {
|
upstream debug {
|
||||||
|
@ -8,9 +12,11 @@ upstream debug {
|
||||||
server 127.0.0.1:9001;
|
server 127.0.0.1:9001;
|
||||||
}
|
}
|
||||||
|
|
||||||
####### php7.0-fpm
|
##################
|
||||||
|
# php7.0-fpm
|
||||||
|
##################
|
||||||
|
|
||||||
# php7.0-fpm TCP
|
# TCP/IP on loopback interface
|
||||||
upstream php7 {
|
upstream php7 {
|
||||||
server 127.0.0.1:9070;
|
server 127.0.0.1:9070;
|
||||||
}
|
}
|
||||||
|
@ -19,7 +25,7 @@ upstream debug7 {
|
||||||
server 127.0.0.1:9170;
|
server 127.0.0.1:9170;
|
||||||
}
|
}
|
||||||
|
|
||||||
# php7.0-fpm socket
|
# load-balancing on unix socket
|
||||||
upstream php7-sock {
|
upstream php7-sock {
|
||||||
least_conn;
|
least_conn;
|
||||||
|
|
||||||
|
@ -29,14 +35,16 @@ server unix:/var/run/php7-two-fpm.sock;
|
||||||
keepalive 5;
|
keepalive 5;
|
||||||
}
|
}
|
||||||
|
|
||||||
####### php7.1-fpm
|
##################
|
||||||
|
# php7.1-fpm
|
||||||
|
##################
|
||||||
|
|
||||||
# php7.1-fpm TCP
|
# TCP/IP on loopback interface
|
||||||
upstream php71 {
|
upstream php71 {
|
||||||
server 127.0.0.1:9080;
|
server 127.0.0.1:9080;
|
||||||
}
|
}
|
||||||
|
|
||||||
# php7.1-fpm socket
|
# load-balancing on unix socket
|
||||||
upstream php71-sock {
|
upstream php71-sock {
|
||||||
least_conn;
|
least_conn;
|
||||||
|
|
||||||
|
@ -46,14 +54,16 @@ server unix:/var/run/php71-two-fpm.sock;
|
||||||
keepalive 5;
|
keepalive 5;
|
||||||
}
|
}
|
||||||
|
|
||||||
####### php7.2-fpm
|
##################
|
||||||
|
# php7.2-fpm
|
||||||
|
##################
|
||||||
|
|
||||||
# php7.2-fpm TCP
|
# TCP/IP on loopback interface
|
||||||
upstream php72 {
|
upstream php72 {
|
||||||
server 127.0.0.1:9090;
|
server 127.0.0.1:9090;
|
||||||
}
|
}
|
||||||
|
|
||||||
# php7.2-fpm socket
|
# load-balancing on unix socket
|
||||||
upstream php72-sock {
|
upstream php72-sock {
|
||||||
least_conn;
|
least_conn;
|
||||||
|
|
||||||
|
@ -63,12 +73,19 @@ server unix:/var/run/php72-two-fpm.sock;
|
||||||
keepalive 5;
|
keepalive 5;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
##################
|
||||||
# redis
|
# redis
|
||||||
|
##################
|
||||||
|
|
||||||
upstream redis {
|
upstream redis {
|
||||||
server 127.0.0.1:6379;
|
server 127.0.0.1:6379;
|
||||||
keepalive 10;
|
keepalive 10;
|
||||||
}
|
}
|
||||||
# netdata (optional)
|
|
||||||
|
##################
|
||||||
|
# netdata
|
||||||
|
##################
|
||||||
|
|
||||||
upstream netdata {
|
upstream netdata {
|
||||||
server 127.0.0.1:19999;
|
server 127.0.0.1:19999;
|
||||||
keepalive 64;
|
keepalive 64;
|
||||||
|
|
|
@ -38,12 +38,15 @@ http
|
||||||
limit_req_status 403;
|
limit_req_status 403;
|
||||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||||
|
|
||||||
#Simple DOS mitigation
|
##
|
||||||
##Max c/s by ip
|
# Simple DOS mitigation
|
||||||
|
##
|
||||||
|
|
||||||
|
# Max c/s by ip
|
||||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||||
#limit_conn limit_per_ip 80;
|
#limit_conn limit_per_ip 80;
|
||||||
|
|
||||||
##Max rq/s by ip
|
# Max rq/s by ip
|
||||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||||
#limit_req zone=allips burst=400 nodelay;
|
#limit_req zone=allips burst=400 nodelay;
|
||||||
|
|
||||||
|
@ -54,7 +57,7 @@ http
|
||||||
fastcgi_read_timeout 120s;
|
fastcgi_read_timeout 120s;
|
||||||
client_max_body_size 100m;
|
client_max_body_size 100m;
|
||||||
|
|
||||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
# See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||||
aio threads;
|
aio threads;
|
||||||
|
|
||||||
# tls dynamic records patch directive
|
# tls dynamic records patch directive
|
||||||
|
@ -63,6 +66,7 @@ http
|
||||||
# nginx-vts-status module
|
# nginx-vts-status module
|
||||||
vhost_traffic_status_zone;
|
vhost_traffic_status_zone;
|
||||||
|
|
||||||
|
# oscp settings
|
||||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||||
resolver_timeout 10;
|
resolver_timeout 10;
|
||||||
|
|
||||||
|
@ -84,7 +88,7 @@ http
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
|
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
|
||||||
|
|
||||||
##Common headers for security
|
# Common security headers
|
||||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||||
more_set_headers "X-Content-Type-Options : nosniff";
|
more_set_headers "X-Content-Type-Options : nosniff";
|
||||||
|
@ -101,13 +105,13 @@ http
|
||||||
|
|
||||||
##
|
##
|
||||||
# Logging Settings
|
# Logging Settings
|
||||||
# access_log disabled for performance
|
|
||||||
##
|
##
|
||||||
|
|
||||||
|
# disable access_log for performance
|
||||||
access_log off;
|
access_log off;
|
||||||
error_log /var/log/nginx/error.log;
|
error_log /var/log/nginx/error.log;
|
||||||
|
|
||||||
# Log format Settings
|
# Log format Settings - user IP hashed with the module ipscrub
|
||||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||||
'$http_host "$request" $status $body_bytes_sent '
|
'$http_host "$request" $status $body_bytes_sent '
|
||||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||||
|
|
|
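Review bot: The new comment `# oscp settings` above the resolver directive misspells OCSP; suggest `# OCSP stapling: resolver for responder lookups (plain DNS to public resolvers)`. Because `resolver` is also consulted by any other directive that resolves a hostname at request time, the comment could say whether that wider scope is intended. The unchanged `limit_req_zone $remote_addr_ipscrub ...` a few lines up is keyed on the pseudonymised address, so the limit presumably resets whenever ipscrub rotates its salt — worth a one-line comment if that trade-off is understood. The enclosing `http` block starts and ends outside these hunks.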
@ -1,19 +1,23 @@
|
||||||
##
|
##
|
||||||
# You should look at the following URL's in order to grasp a solid understanding
|
# You should look at the following URL's in order to grasp a solid understanding
|
||||||
# of Nginx configuration files in order to fully unleash the power of Nginx.
|
# of Nginx configuration files in order to fully unleash the power of Nginx.
|
||||||
# http://wiki.nginx.org/Pitfalls
|
# https://www.nginx.com/resources/wiki/start/
|
||||||
# http://wiki.nginx.org/QuickStart
|
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
|
||||||
# http://wiki.nginx.org/Configuration
|
# https://wiki.debian.org/Nginx/DirectoryStructure
|
||||||
#
|
#
|
||||||
# Generally, you will want to move this file somewhere, and start with a clean
|
# In most cases, administrators will remove this file from sites-enabled/ and
|
||||||
# file but keep this around for reference. Or just disable in sites-enabled.
|
# leave it as reference inside of sites-available where it will continue to be
|
||||||
|
# updated by the nginx packaging team.
|
||||||
|
#
|
||||||
|
# This file will automatically load configuration files provided by other
|
||||||
|
# applications, such as Drupal or Wordpress. These applications will be made
|
||||||
|
# available underneath a path with that package name, such as /drupal8.
|
||||||
#
|
#
|
||||||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
|
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
|
||||||
##
|
##
|
||||||
|
|
||||||
# Default server configuration
|
# Default server configuration
|
||||||
#
|
#
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
|
@ -23,13 +27,16 @@ server {
|
||||||
# listen 443 ssl default_server;
|
# listen 443 ssl default_server;
|
||||||
# listen [::]:443 ssl default_server;
|
# listen [::]:443 ssl default_server;
|
||||||
#
|
#
|
||||||
|
# Note: You should disable gzip for SSL traffic.
|
||||||
|
# See: https://bugs.debian.org/773332
|
||||||
|
#
|
||||||
|
# Read up on ssl_ciphers to ensure a secure configuration.
|
||||||
|
# See: https://bugs.debian.org/765782
|
||||||
|
#
|
||||||
# Self signed certs generated by the ssl-cert package
|
# Self signed certs generated by the ssl-cert package
|
||||||
# Don't use them in a production server!
|
# Don't use them in a production server!
|
||||||
# include snippets/snakeoil.conf;
|
|
||||||
#
|
#
|
||||||
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
|
# include snippets/snakeoil.conf;
|
||||||
# ssl_ciphers HIGH:!aNULL:!MD5;
|
|
||||||
# ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
root /var/www/html;
|
root /var/www/html;
|
||||||
|
|
||||||
|
@ -37,9 +44,6 @@ server {
|
||||||
index index.html index.htm index.nginx-debian.html;
|
index index.html index.htm index.nginx-debian.html;
|
||||||
|
|
||||||
server_name _;
|
server_name _;
|
||||||
|
|
||||||
access_log off;
|
|
||||||
error_log /var/log/nginx/default.error.log;
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# First attempt to serve request as file, then
|
# First attempt to serve request as file, then
|
||||||
|
@ -47,40 +51,15 @@ server {
|
||||||
try_files $uri $uri/ =404;
|
try_files $uri $uri/ =404;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /stub_status {
|
# pass PHP scripts to FastCGI server
|
||||||
stub_status on;
|
|
||||||
access_log off;
|
|
||||||
allow 127.0.0.1;
|
|
||||||
deny all;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Status pages
|
|
||||||
location /nginx_status {
|
|
||||||
stub_status on;
|
|
||||||
access_log off;
|
|
||||||
allow 127.0.0.1;
|
|
||||||
deny all;
|
|
||||||
}
|
|
||||||
|
|
||||||
# phpfpm pool monitoring
|
|
||||||
location ~ ^/(status|ping) {
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_pass php7;
|
|
||||||
include common/acl.conf;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
|
|
||||||
#
|
#
|
||||||
#location ~ \.php$ {
|
#location ~ \.php$ {
|
||||||
# include snippets/fastcgi-php.conf;
|
# include snippets/fastcgi-php.conf;
|
||||||
#
|
#
|
||||||
# # With php5-cgi alone:
|
# # With php-fpm (or other unix sockets):
|
||||||
|
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
|
||||||
|
# # With php-cgi (or other tcp sockets):
|
||||||
# fastcgi_pass 127.0.0.1:9000;
|
# fastcgi_pass 127.0.0.1:9000;
|
||||||
# # With php5-fpm:
|
|
||||||
# fastcgi_pass unix:/var/run/php5-fpm.sock;
|
|
||||||
#}
|
#}
|
||||||
|
|
||||||
# deny access to .htaccess files, if Apache's document root
|
# deny access to .htaccess files, if Apache's document root
|
||||||
|
|
|
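Review bot: With `access_log off;` and `error_log /var/log/nginx/default.error.log;` gone from the default server, the catch-all vhost now relies on the http-level settings shown in the nginx.conf hunks above (`access_log off;`, `error_log /var/log/nginx/error.log;`), so requests reaching the server by bare IP or an unknown Host header are no longer recorded anywhere and its errors merge into the global log. If that is intended, a line such as `# logging inherited from nginx.conf: access_log off, errors to /var/log/nginx/error.log` after `server_name _;` would make it explicit; if not, a dedicated access log for this block is the cheapest way to keep visibility of traffic that hits the default server. The `server {` block opened at `listen 80 default_server;` closes outside the last hunk.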
@ -36,6 +36,9 @@ AcceptEnv LANG LC_*
|
||||||
# override default of no subsystems
|
# override default of no subsystems
|
||||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||||
|
|
||||||
|
# Host keys the client accepts - order here is honored by OpenSSH
|
||||||
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
|
||||||
|
|
||||||
# use strong ciphers (you may have to comment those lines with some sftp clients)
|
# use strong ciphers (you may have to comment those lines with some sftp clients)
|
||||||
KexAlgorithms curve25519-sha256@libssh.org
|
KexAlgorithms curve25519-sha256@libssh.org
|
||||||
Ciphers chacha20-poly1305@openssh.com
|
Ciphers chacha20-poly1305@openssh.com
|
||||||
|
|
|
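Review bot: The new `HostKeyAlgorithms` line offers `ssh-rsa` (SHA-1 signatures) while omitting `rsa-sha2-512` and `rsa-sha2-256`, so an RSA host key will only ever be presented with a SHA-1 signature, which is at odds with the "use strong ciphers" intent of the lines below it. Suggest `HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ssh-rsa` (keep the ECDSA entries only if such host keys are actually installed) and run `sshd -t` before reloading, because sshd refuses to start on an algorithm name its build does not recognise. The comment above it uses ssh_config wording; in sshd_config this directive lists the host key signature algorithms the server offers, so `# Host key signature algorithms the server offers, in preference order` would be accurate.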
@ -1,6 +1,6 @@
|
||||||
# Kernel sysctl configuration file for Linux
|
# Kernel sysctl configuration file for Linux
|
||||||
#
|
#
|
||||||
# Version 1.14 - 2018-09-13
|
# Version 1.15 - 2018-10-13
|
||||||
# Michiel Klaver - IT Professional
|
# Michiel Klaver - IT Professional
|
||||||
# Modified by VirtuBox
|
# Modified by VirtuBox
|
||||||
#
|
#
|
||||||
|
@ -174,9 +174,10 @@ net.ipv6.conf.default.accept_ra_pinfo = 0
|
||||||
### TUNING NETWORK PERFORMANCE ###
|
### TUNING NETWORK PERFORMANCE ###
|
||||||
###
|
###
|
||||||
|
|
||||||
# For high-bandwidth low-latency networks, use 'htcp' congestion control
|
# enable BBR congestion control and set tcp_notsent_lowat to 16KB for HTTP/2 prioritization to work reliably
|
||||||
# Do a 'modprobe tcp_htcp' first
|
# source : https://blog.cloudflare.com/http-2-prioritization-with-nginx/
|
||||||
net.ipv4.tcp_congestion_control = htcp
|
net.ipv4.tcp_congestion_control = bbr
|
||||||
|
net.ipv4.tcp_notsent_lowat = 16384
|
||||||
|
|
||||||
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
|
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
|
||||||
net.core.default_qdisc = fq
|
net.core.default_qdisc = fq
|
||||||
|
|
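Review bot: The new `net.ipv4.tcp_congestion_control = bbr` line drops the prerequisite note that the removed htcp comment carried: BBR is only available on Linux 4.9 and later (tcp_bbr), and on an older kernel `sysctl -p` reports an error for this key while the rest of the file still applies. Suggest `# requires Linux >= 4.9 with tcp_bbr; pairs with the fq qdisc set below`. Mentioning the pairing matters because the unchanged `net.core.default_qdisc = fq` line is what provides pacing for BBR on kernels before internal pacing was added, so the two settings should not be split apart later.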