update documentation and fix error in nginx conf
* nginx webp rewrite wasn't working properly * add proftpd setup directives * cleanup old files
This commit is contained in:
parent
7a2a01ff8d
commit
52b17221bd
71
README.md
71
README.md
|
@ -226,12 +226,11 @@ Then you can check php version with command `php -v`
|
|||
|
||||
### Additional Nginx configuration (/etc/nginx/conf.d)
|
||||
|
||||
- New upstreams (php7.1, php7.2, netdata) : upstream.conf
|
||||
- New upstreams (php7.1, php7.2, netdata and php socket) : upstream.conf
|
||||
- webp image mapping : webp.conf
|
||||
- new fastcgi_cache_bypass mapping for wordpress : map-wp-fastcgi-cache.conf
|
||||
- stub_status configuration on 127.0.0.1:80 : stub_status.conf
|
||||
- restore visitor real IP under Cloudflare : cloudflare.conf
|
||||
- mitigate WordPress DoS attack
|
||||
|
||||
```bash
|
||||
# copy all common nginx configurations
|
||||
|
@ -243,6 +242,10 @@ git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update conf.
|
|||
|
||||
### EE common configuration
|
||||
|
||||
- mitigate WordPress DoS attack (wpcommon-phpX.conf)
|
||||
- webp image conditional rewrite (wpcommon-phpX.conf)
|
||||
- additional directives to prevent hack (locations-phpX.conf)
|
||||
|
||||
```bash
|
||||
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/common/* /etc/nginx/common/
|
||||
|
||||
|
@ -253,7 +256,7 @@ git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update commo
|
|||
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
||||
|
||||
```bash
|
||||
bash <(wget-qO - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
```
|
||||
|
||||
* * *
|
||||
|
@ -375,8 +378,62 @@ sudo systemctl stop memcached
|
|||
sudo systemctl disable memcached.service
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
## Optional
|
||||
|
||||
### proftpd
|
||||
|
||||
#### Install proftpd
|
||||
|
||||
```bash
|
||||
apt-get install proftpd -y
|
||||
```
|
||||
|
||||
secure proftpd and enable passive ports
|
||||
|
||||
```bash
|
||||
sed -i 's/# DefaultRoot/DefaultRoot/' /etc/proftpd/proftpd.conf
|
||||
sed -i 's/# RequireValidShell/RequireValidShell/' /etc/proftpd/proftpd.conf
|
||||
sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' /etc/proftpd/proftpd.conf
|
||||
```
|
||||
|
||||
restart proftpd
|
||||
|
||||
```bash
|
||||
sudo service proftpd restart
|
||||
```
|
||||
|
||||
Allow FTP ports with UFW
|
||||
|
||||
```bash
|
||||
# ftp active port
|
||||
sudo ufw allow 21
|
||||
|
||||
# ftp passive ports
|
||||
sudo ufw allow 49000:50000/tcp
|
||||
```
|
||||
|
||||
Enable fail2ban proftpd jail
|
||||
|
||||
```bash
|
||||
echo -e '\n[proftpd]\nenabled = true\n' >> /etc/fail2ban/jail.d/custom.conf
|
||||
|
||||
fail2ban-client reload
|
||||
```
|
||||
|
||||
#### Adding users
|
||||
|
||||
```bash
|
||||
# create user without shell access in group www-data
|
||||
adduser --home /var/www/yourdomain.tld/ --shell /bin/false --ingroup www-data youruser
|
||||
|
||||
# allow group read/write on website folder
|
||||
chmod -R g+rw /var/www/yourdomain.tld
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### ee-acme-sh
|
||||
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
||||
|
@ -394,6 +451,8 @@ chmod +x install-ee-acme.sh
|
|||
source .bashrc
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### netdata
|
||||
|
||||
[Github repository](https://github.com/firehol/netdata)
|
||||
|
@ -418,6 +477,8 @@ sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health
|
|||
service netdata restart
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### cht.sh (cheat)
|
||||
|
||||
[Github repository](https://github.com/chubin/cheat.sh)
|
||||
|
@ -452,6 +513,8 @@ root@vps:~ cheat cat
|
|||
cat -n file
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### nanorc - Improved Nano Syntax Highlighting Files
|
||||
|
||||
[Github repository](https://github.com/scopatz/nanorc)
|
||||
|
@ -460,6 +523,8 @@ root@vps:~ cheat cat
|
|||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | sh
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### Add WP-CLI & bash-completion for user www-data
|
||||
|
||||
```bashrc
|
||||
|
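Review bot: The new proftpd block opens plain FTP to the world (`sudo ufw allow 21` plus the 49000:50000 passive range) without enabling TLS, so the www-data users created under "Adding users" would send their passwords in clear text; the section should either enable mod_tls (`TLSEngine on` and `TLSRequired on` in `/etc/proftpd/tls.conf`) or point readers to SFTP instead. The `sed` that uncomments `PassivePorts` assumes a single space between the directive and its values; if the stock proftpd.conf pads that line with several spaces the substitution silently does nothing and passive mode stays disabled, so the step should tell the reader to verify with `grep -n PassivePorts /etc/proftpd/proftpd.conf` before restarting. The README hunk starting at the memcached lines begins mid-section, and the same README text is rendered a second time further down this page, where the note applies too.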
|
|
@ -226,12 +226,11 @@ Then you can check php version with command `php -v`
|
|||
|
||||
### Additional Nginx configuration (/etc/nginx/conf.d)
|
||||
|
||||
- New upstreams (php7.1, php7.2, netdata) : upstream.conf
|
||||
- New upstreams (php7.1, php7.2, netdata and php socket) : upstream.conf
|
||||
- webp image mapping : webp.conf
|
||||
- new fastcgi_cache_bypass mapping for wordpress : map-wp-fastcgi-cache.conf
|
||||
- stub_status configuration on 127.0.0.1:80 : stub_status.conf
|
||||
- restore visitor real IP under Cloudflare : cloudflare.conf
|
||||
- mitigate WordPress DoS attack
|
||||
|
||||
```bash
|
||||
# copy all common nginx configurations
|
||||
|
@ -243,6 +242,10 @@ git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update conf.
|
|||
|
||||
### EE common configuration
|
||||
|
||||
- mitigate WordPress DoS attack (wpcommon-phpX.conf)
|
||||
- webp image conditional rewrite (wpcommon-phpX.conf)
|
||||
- additional directives to prevent hack (locations-phpX.conf)
|
||||
|
||||
```bash
|
||||
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/common/* /etc/nginx/common/
|
||||
|
||||
|
@ -253,7 +256,7 @@ git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update commo
|
|||
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
||||
|
||||
```bash
|
||||
bash <(wget-qO - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
```
|
||||
|
||||
* * *
|
||||
|
@ -375,8 +378,62 @@ sudo systemctl stop memcached
|
|||
sudo systemctl disable memcached.service
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
## Optional
|
||||
|
||||
### proftpd
|
||||
|
||||
#### Install proftpd
|
||||
|
||||
```bash
|
||||
apt-get install proftpd -y
|
||||
```
|
||||
|
||||
secure proftpd and enable passive ports
|
||||
|
||||
```bash
|
||||
sed -i 's/# DefaultRoot/DefaultRoot/' /etc/proftpd/proftpd.conf
|
||||
sed -i 's/# RequireValidShell/RequireValidShell/' /etc/proftpd/proftpd.conf
|
||||
sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' /etc/proftpd/proftpd.conf
|
||||
```
|
||||
|
||||
restart proftpd
|
||||
|
||||
```bash
|
||||
sudo service proftpd restart
|
||||
```
|
||||
|
||||
Allow FTP ports with UFW
|
||||
|
||||
```bash
|
||||
# ftp active port
|
||||
sudo ufw allow 21
|
||||
|
||||
# ftp passive ports
|
||||
sudo ufw allow 49000:50000/tcp
|
||||
```
|
||||
|
||||
Enable fail2ban proftpd jail
|
||||
|
||||
```bash
|
||||
echo -e '\n[proftpd]\nenabled = true\n' >> /etc/fail2ban/jail.d/custom.conf
|
||||
|
||||
fail2ban-client reload
|
||||
```
|
||||
|
||||
#### Adding users
|
||||
|
||||
```bash
|
||||
# create user without shell access in group www-data
|
||||
adduser --home /var/www/yourdomain.tld/ --shell /bin/false --ingroup www-data youruser
|
||||
|
||||
# allow group read/write on website folder
|
||||
chmod -R g+rw /var/www/yourdomain.tld
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### ee-acme-sh
|
||||
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
||||
|
@ -394,6 +451,8 @@ chmod +x install-ee-acme.sh
|
|||
source .bashrc
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### netdata
|
||||
|
||||
[Github repository](https://github.com/firehol/netdata)
|
||||
|
@ -418,6 +477,8 @@ sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health
|
|||
service netdata restart
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### cht.sh (cheat)
|
||||
|
||||
[Github repository](https://github.com/chubin/cheat.sh)
|
||||
|
@ -452,6 +513,8 @@ root@vps:~ cheat cat
|
|||
cat -n file
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### nanorc - Improved Nano Syntax Highlighting Files
|
||||
|
||||
[Github repository](https://github.com/scopatz/nanorc)
|
||||
|
@ -460,6 +523,8 @@ root@vps:~ cheat cat
|
|||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | sh
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### Add WP-CLI & bash-completion for user www-data
|
||||
|
||||
```bashrc
|
||||
|
|
|
@ -20,7 +20,7 @@ location = /robots.txt {
|
|||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
|
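Review bot: `ttf` is listed twice in the edited regex (`...|woff2|ttf|m4a|mp4|ttf|...`); harmless, but worth dropping the duplicate while the line is being touched. Removing `zip|gz|rar|bz2` from the cached extensions while keeping `tgz` and `tar` leaves archive handling inconsistent — if the intent is to stop serving archives with the static-cache headers, `tgz|tar` should go as well; if it is presumably to keep `.gz` away from gzip_static handling, a one-line comment such as `# .gz/.zip/.rar/.bz2 intentionally excluded from the static cache headers` would save the next reader the guess. The enclosing server block starts outside the hunk.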
|
|
@ -14,18 +14,20 @@ location = /wp-config.txt {
|
|||
}
|
||||
# webp rewrite rules for jpg and png images
|
||||
# try to load alternative image.png.webp before image.png
|
||||
location ~ ^/wp-content/uploads/.*\.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
# Deny access to any files with a .php extension in the uploads directory for the single site
|
||||
location ~ ^/wp-content/uploads/.*\.php$ {
|
||||
deny all;
|
||||
location /wp-content/uploads {
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
# Deny access to any files with a .php extension in the uploads directory
|
||||
# Works in sub-directory installs and also in multisite network
|
||||
|
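Review bot: The new `location /wp-content/uploads {` is a plain prefix location, so nginx still evaluates every server-level regex location (the static-file `location ~* \.(...png...)$` changed elsewhere in this commit, and any `location ~ \.php$` that hands requests to php-fpm) before falling back to it; the first regex that matches wins, and the nested webp `try_files` and the nested `deny all` for `.php` are then never reached. That reproduces the symptom in the commit message and also makes the uploads `.php` block weaker than the server-level regex `location ~ ^/wp-content/uploads/.*\.php$` it replaces. Adding the `^~` modifier makes nginx stop at this prefix and use the nested locations: `location ^~ /wp-content/uploads {`. The same nested block is introduced in the two following sections of this page and needs the same change.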
|
|
@ -14,18 +14,20 @@ location = /wp-config.txt {
|
|||
}
|
||||
# webp rewrite rules for jpg and png images
|
||||
# try to load alternative image.png.webp before image.png
|
||||
location ~ ^/wp-content/uploads/.*\.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
# Deny access to any files with a .php extension in the uploads directory for the single site
|
||||
location ~ ^/wp-content/uploads/.*\.php$ {
|
||||
deny all;
|
||||
location /wp-content/uploads {
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
# Deny access to any files with a .php extension in the uploads directory
|
||||
# Works in sub-directory installs and also in multisite network
|
||||
|
|
|
@ -14,18 +14,20 @@ location = /wp-config.txt {
|
|||
}
|
||||
# webp rewrite rules for jpg and png images
|
||||
# try to load alternative image.png.webp before image.png
|
||||
location /wp-content/uploads/.*\.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
# Deny access to any files with a .php extension in the uploads directory for the single site
|
||||
location ~ ^/wp-content/uploads/.*\.php$ {
|
||||
deny all;
|
||||
location /wp-content/uploads {
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
# Deny access to any files with a .php extension in the uploads directory
|
||||
# Works in sub-directory installs and also in multisite network
|
||||
|
|
|
@ -6,7 +6,6 @@
|
|||
keepalive_disable msie6;
|
||||
large_client_header_buffers 8 64k;
|
||||
|
||||
|
||||
open_file_cache max=50000 inactive=60s;
|
||||
open_file_cache_errors off;
|
||||
open_file_cache_min_uses 2;
|
||||
|
|
|
@ -29,8 +29,8 @@ server 127.0.0.1:9170;
|
|||
upstream php7-sock {
|
||||
least_conn;
|
||||
|
||||
server unix:/var/run/php7-fpm.sock;
|
||||
server unix:/var/run/php7-two-fpm.sock;
|
||||
server unix:/var/run/php70-fpm.sock;
|
||||
server unix:/var/run/php70-two-fpm.sock;
|
||||
|
||||
keepalive 5;
|
||||
}
|
||||
|
|
|
@ -59,6 +59,11 @@ http
|
|||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
ssl_dyn_rec_enable on;
|
||||
ssl_dyn_rec_size_hi 4229;
|
||||
ssl_dyn_rec_size_lo 1369;
|
||||
ssl_dyn_rec_threshold 40;
|
||||
ssl_dyn_rec_timeout 1000;
|
||||
|
||||
# nginx-vts-status module
|
||||
vhost_traffic_status_zone;
|
||||
|
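Review bot: `ssl_dyn_rec_enable on;` appears twice in the new file; the hunk header counts 6 old and 11 new lines and exactly 11 lines are rendered, so neither copy can be a removed line. nginx flag directives, very likely including the ones from the dynamic TLS records patch, reject a repeated occurrence with an `is duplicate` error at `nginx -t`, so this file would fail to load until one of the two lines is deleted. The sibling nginx.conf hunk further down this page carries a single `ssl_dyn_rec_enable on;`, which looks like the intended form. The enclosing http block starts outside the hunk.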
|
|
@ -59,6 +59,10 @@ http
|
|||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
ssl_dyn_rec_size_hi 4229;
|
||||
ssl_dyn_rec_size_lo 1369;
|
||||
ssl_dyn_rec_threshold 40;
|
||||
ssl_dyn_rec_timeout 1000;
|
||||
|
||||
# nginx-vts-status module
|
||||
vhost_traffic_status_zone;
|
||||
|
@ -82,7 +86,7 @@ http
|
|||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
|
||||
|
||||
##Common headers for security
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
|
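Review bot: The curve list `X25519:sect571r1:secp521r1:secp384r1` drops secp256r1 (P-256), the one curve every TLS client is required to support and the only one many older clients offer, so those clients would fail the handshake; it also adds `sect571r1`, a binary curve that TLS 1.3 does not permit and that most clients and distro OpenSSL builds do not negotiate, so it only adds dead weight. If the rendered order is old-then-new and the sect571r1 line is the new side, keep the prime curves and restore P-256: `ssl_ecdh_curve X25519:secp521r1:secp384r1:prime256v1;`. The http block this belongs to starts outside the hunk.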
|
|
@ -3,7 +3,7 @@ user = www-data
|
|||
group = www-data
|
||||
prefix = /var/run
|
||||
|
||||
listen = php7-fpm.sock
|
||||
listen = php70-fpm.sock
|
||||
listen.owner = www-data
|
||||
listen.group = www-data
|
||||
listen.mode = 0660
|
||||
|
|
|
@ -3,7 +3,7 @@ user = www-data
|
|||
group = www-data
|
||||
prefix = /var/run
|
||||
|
||||
listen = php7-two-fpm.sock
|
||||
listen = php70-two-fpm.sock
|
||||
listen.owner = www-data
|
||||
listen.group = www-data
|
||||
listen.mode = 0660
|
||||
|
|
|
@ -0,0 +1,184 @@
|
|||
[PHP]
|
||||
engine = On
|
||||
short_open_tag = Off
|
||||
precision = 14
|
||||
output_buffering = 4096
|
||||
zlib.output_compression = Off
|
||||
implicit_flush = Off
|
||||
unserialize_callback_func =
|
||||
serialize_precision = -1
|
||||
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
|
||||
disable_classes =
|
||||
zend.enable_gc = On
|
||||
expose_php = Off
|
||||
max_execution_time = 300
|
||||
max_input_vars = 10000
|
||||
max_input_time = 600
|
||||
memory_limit = 256M
|
||||
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
|
||||
display_errors = Off
|
||||
display_startup_errors = Off
|
||||
log_errors = On
|
||||
log_errors_max_len = 1024
|
||||
ignore_repeated_errors = Off
|
||||
ignore_repeated_source = Off
|
||||
report_memleaks = On
|
||||
html_errors = On
|
||||
variables_order = "GPCS"
|
||||
request_order = "GP"
|
||||
register_argc_argv = Off
|
||||
auto_globals_jit = On
|
||||
post_max_size = 128M
|
||||
auto_prepend_file =
|
||||
auto_append_file =
|
||||
default_mimetype = "text/html"
|
||||
default_charset = "UTF-8"
|
||||
doc_root =
|
||||
user_dir =
|
||||
enable_dl = Off
|
||||
file_uploads = On
|
||||
upload_max_filesize = 128M
|
||||
max_file_uploads = 20
|
||||
allow_url_fopen = On
|
||||
allow_url_include = Off
|
||||
default_socket_timeout = 60
|
||||
|
||||
[CLI Server]
|
||||
cli_server.color = On
|
||||
|
||||
[Date]
|
||||
date.timezone = Europe/Paris
|
||||
|
||||
[filter]
|
||||
|
||||
[iconv]
|
||||
|
||||
[intl]
|
||||
|
||||
[sqlite3]
|
||||
|
||||
[Pcre]
|
||||
|
||||
[Pdo]
|
||||
|
||||
[Pdo_mysql]
|
||||
pdo_mysql.cache_size = 2000
|
||||
pdo_mysql.default_socket=
|
||||
|
||||
[Phar]
|
||||
|
||||
[mail function]
|
||||
SMTP = localhost
|
||||
smtp_port = 25
|
||||
mail.add_x_header = On
|
||||
|
||||
[ODBC]
|
||||
odbc.allow_persistent = On
|
||||
odbc.check_persistent = On
|
||||
odbc.max_persistent = -1
|
||||
odbc.max_links = -1
|
||||
odbc.defaultlrl = 4096
|
||||
odbc.defaultbinmode = 1
|
||||
|
||||
[Interbase]
|
||||
ibase.allow_persistent = 1
|
||||
ibase.max_persistent = -1
|
||||
ibase.max_links = -1
|
||||
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
|
||||
ibase.dateformat = "%Y-%m-%d"
|
||||
ibase.timeformat = "%H:%M:%S"
|
||||
|
||||
[MySQLi]
|
||||
mysqli.max_persistent = -1
|
||||
mysqli.allow_persistent = On
|
||||
mysqli.max_links = -1
|
||||
mysqli.cache_size = 2000
|
||||
mysqli.default_port = 3306
|
||||
mysqli.default_socket =
|
||||
mysqli.default_host =
|
||||
mysqli.default_user =
|
||||
mysqli.default_pw =
|
||||
mysqli.reconnect = Off
|
||||
|
||||
[mysqlnd]
|
||||
mysqlnd.collect_statistics = On
|
||||
mysqlnd.collect_memory_statistics = Off
|
||||
|
||||
[OCI8]
|
||||
|
||||
[PostgreSQL]
|
||||
pgsql.allow_persistent = On
|
||||
pgsql.auto_reset_persistent = Off
|
||||
pgsql.max_persistent = -1
|
||||
pgsql.max_links = -1
|
||||
pgsql.ignore_notice = 0
|
||||
pgsql.log_notice = 0
|
||||
|
||||
[bcmath]
|
||||
bcmath.scale = 0
|
||||
|
||||
[browscap]
|
||||
|
||||
[Session]
|
||||
session.save_handler = files
|
||||
session.use_strict_mode = 0
|
||||
session.use_cookies = 1
|
||||
session.cookie_secure = 1
|
||||
session.use_only_cookies = 1
|
||||
session.name = PHPSESSID
|
||||
session.auto_start = 0
|
||||
session.cookie_lifetime = 0
|
||||
session.cookie_path = /
|
||||
session.cookie_domain =
|
||||
session.cookie_httponly =
|
||||
session.serialize_handler = php
|
||||
session.gc_probability = 0
|
||||
session.gc_divisor = 1000
|
||||
session.gc_maxlifetime = 1440
|
||||
session.referer_check =
|
||||
session.cache_limiter = nocache
|
||||
session.cache_expire = 180
|
||||
session.use_trans_sid = 0
|
||||
session.sid_length = 26
|
||||
session.trans_sid_tags = "a=href,area=href,frame=src,form="
|
||||
session.sid_bits_per_character = 5
|
||||
|
||||
[Assertion]
|
||||
zend.assertions = -1
|
||||
|
||||
[COM]
|
||||
|
||||
[mbstring]
|
||||
|
||||
[gd]
|
||||
|
||||
[exif]
|
||||
|
||||
[Tidy]
|
||||
tidy.clean_output = Off
|
||||
|
||||
[soap]
|
||||
soap.wsdl_cache_enabled=1
|
||||
soap.wsdl_cache_dir="/tmp"
|
||||
soap.wsdl_cache_ttl=86400
|
||||
soap.wsdl_cache_limit = 5
|
||||
|
||||
[sysvshm]
|
||||
|
||||
[ldap]
|
||||
ldap.max_links = -1
|
||||
|
||||
[dba]
|
||||
|
||||
[opcache]
|
||||
opcache.enable=1
|
||||
opcache.enable_cli=1
|
||||
opcache.interned_strings_buffer=8
|
||||
opcache.max_accelerated_files=10000
|
||||
opcache.memory_consumption=256
|
||||
opcache.save_comments=1
|
||||
opcache.revalidate_freq=1
|
||||
|
||||
[curl]
|
||||
|
||||
[openssl]
|
|
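Review bot: `session.cookie_httponly =` is left empty, so PHPSESSID stays readable from JavaScript, and `session.use_strict_mode = 0` lets PHP adopt a session ID it never issued, which is exactly what session-fixation protection exists to block; since `session.cookie_secure = 1` is already set, the matching lines are `session.cookie_httponly = 1` and `session.use_strict_mode = 1`. `disable_functions` ends with a trailing comma, which yields an empty entry; harmless, but worth trimming. The hunk header announces 184 added lines while the rendering stops at `[openssl]` after fewer, so the tail of the file is not visible here.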
@ -1,9 +0,0 @@
|
|||
#!/bin/sh
|
||||
# make sure the process is stopped
|
||||
/etc/init.d/clamav-freshclam stop
|
||||
|
||||
# check if database is outdated
|
||||
/usr/bin/freshclam -v >> /var/log/result_freshclam.log 2>&1
|
||||
|
||||
# update virus database
|
||||
/etc/init.d/clamav-freshclam start >> /dev/null 2>&1
|
528
scripts/init.sh
528
scripts/init.sh
|
@ -1,528 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# automated EasyEngine server configuration script
|
||||
# currently in progress, not ready to be used in production yet
|
||||
|
||||
#CSI="\\033["
|
||||
#CEND="${CSI}0m"
|
||||
#CRED="${CSI}1;31m"
|
||||
#CGREEN="${CSI}1;32m"
|
||||
|
||||
##################################
|
||||
# Variables
|
||||
##################################
|
||||
|
||||
EXTPLORER_VER="2.1.10"
|
||||
REPO_PATH=/tmp/ubuntu-nginx-web-server
|
||||
|
||||
##################################
|
||||
# Check if user is root
|
||||
##################################
|
||||
|
||||
if [ "$(id -u)" != "0" ]; then
|
||||
echo "Error: You must be root to run this script, please use the root user to install the software."
|
||||
echo ""
|
||||
echo "Use 'sudo su - root' to login as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
clear
|
||||
|
||||
##################################
|
||||
# Welcome
|
||||
##################################
|
||||
|
||||
echo ""
|
||||
echo "Welcome to ubuntu-nginx-web-server install script."
|
||||
echo ""
|
||||
|
||||
##################################
|
||||
# Menu
|
||||
##################################
|
||||
|
||||
echo ""
|
||||
echo "Do you want to install MariaDB-server ? (y/n)"
|
||||
while [[ $mariadb_server_install != "y" && $mariadb_server_install != "n" ]]; do
|
||||
read -p "Select an option [y/n]: " mariadb_server_install
|
||||
done
|
||||
if [ "$mariadb_server_install" = "n" ]; then
|
||||
echo ""
|
||||
echo "Do you want to install MariaDB-client ? (y/n)"
|
||||
while [[ $mariadb_client_install != "y" && $mariadb_client_install != "n" ]]; do
|
||||
read -p "Select an option [y/n]: " mariadb_client_install
|
||||
done
|
||||
fi
|
||||
if [[ "$mariadb_server_install" == "y" || "$mariadb_client_install" == "y" ]]; then
|
||||
echo ""
|
||||
echo "What version of MariaDB Client/Server do you want to install, 10.1, 10.2 or 10.3 ?"
|
||||
while [[ $mariadb_version_install != "10.1" && $mariadb_version_install != "10.2" && $mariadb_version_install != "10.3" ]]; do
|
||||
read -p "Select an option [10.1 / 10.2 / 10.3]: " mariadb_version_install
|
||||
done
|
||||
fi
|
||||
echo ""
|
||||
echo "Do you want php7.1-fpm ? (y/n)"
|
||||
while [[ $phpfpm71_install != "y" && $phpfpm71_install != "n" ]]; do
|
||||
read -p "Select an option [y/n]: " phpfpm71_install
|
||||
done
|
||||
echo ""
|
||||
echo "Do you want php7.2-fpm ? (y/n)"
|
||||
while [[ $phpfpm72_install != "y" && $phpfpm72_install != "n" ]]; do
|
||||
read -p "Select an option [y/n]: " phpfpm72_install
|
||||
done
|
||||
echo ""
|
||||
echo "Do you want proftpd ? (y/n)"
|
||||
while [[ $proftpd_install != "y" && $proftpd_install != "n" ]]; do
|
||||
read -p "Select an option [y/n]: " proftpd_install
|
||||
done
|
||||
echo ""
|
||||
|
||||
##################################
|
||||
# Update packages
|
||||
##################################
|
||||
|
||||
echo "updating packages"
|
||||
{
|
||||
apt-get update
|
||||
apt-get upgrade -y
|
||||
apt-get autoremove -y --purge
|
||||
apt-get autoclean -y
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
##################################
|
||||
# UFW
|
||||
##################################
|
||||
echo "configuring UFW"
|
||||
{
|
||||
if [ ! -d /etc/ufw ]; then
|
||||
apt-get install ufw -y >>/tmp/ubuntu-nginx-web-server.log
|
||||
fi
|
||||
|
||||
ufw logging low
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
|
||||
# required
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 68
|
||||
ufw allow 546
|
||||
ufw allow 873
|
||||
ufw allow 123
|
||||
ufw allow 22222
|
||||
|
||||
# optional for monitoring
|
||||
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 10050
|
||||
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
##################################
|
||||
# Useful packages
|
||||
##################################
|
||||
|
||||
echo "installing useful packages"
|
||||
{
|
||||
|
||||
apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg2 wget -y
|
||||
# ntp time
|
||||
systemctl enable ntp
|
||||
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
##################################
|
||||
# clone repository
|
||||
##################################
|
||||
|
||||
echo "cloning ubuntu-nginx-web-server"
|
||||
{
|
||||
cd /tmp || exit
|
||||
rm -rf /tmp/ubuntu-nginx-web-server
|
||||
git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git
|
||||
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
##################################
|
||||
# Sysctl tweaks + open_files limits
|
||||
##################################
|
||||
echo "applying kernel tweaks"
|
||||
{
|
||||
sudo modprobe tcp_htcp
|
||||
cp -f $REPO_PATH/etc/sysctl.conf /etc/sysctl.conf
|
||||
sysctl -p
|
||||
cp -f $REPO_PATH/etc/security/limits.conf /etc/security/limits.conf
|
||||
|
||||
# Redis transparent_hugepage
|
||||
echo never >/sys/kernel/mm/transparent_hugepage/enabled
|
||||
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
##################################
|
||||
# Add MariaDB 10.3 repository
|
||||
##################################
|
||||
|
||||
if [[ "$mariadb_server_install" == "y" || "$mariadb_client_install" == "y" ]]; then
|
||||
echo "adding mariadb repository"
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup |
|
||||
sudo bash -s -- --mariadb-server-version=$mariadb_version_install --skip-maxscale -y
|
||||
apt-get update >>/tmp/ubuntu-nginx-web-server.log
|
||||
fi
|
||||
|
||||
##################################
|
||||
# MariaDB 10.3 install
|
||||
##################################
|
||||
|
||||
if [ "$mariadb_server_install" = "y" ]; then
|
||||
echo "installing MariaDB $mariadb_version_install"
|
||||
MYSQL_ROOT_PASS=$(date +%s | sha256sum | base64 | head -c 32)
|
||||
export DEBIAN_FRONTEND=noninteractive # to avoid prompt during installation
sudo debconf-set-selections <<<"mariadb-server-$mariadb_version_install mysql-server/root_password password $MYSQL_ROOT_PASS"
sudo debconf-set-selections <<<"mariadb-server-$mariadb_version_install mysql-server/root_password_again password $MYSQL_ROOT_PASS"
# install mariadb server
DEBIAN_FRONTEND=noninteractive apt-get install -qq mariadb-server >>/tmp/ubuntu-nginx-web-server.log # -qq implies -y --force-yes
sudo bash -c 'echo -e "[client]\nuser = root" > $HOME/.my.cnf'
echo "password = $MYSQL_ROOT_PASS" >>$HOME/.my.cnf
cp $HOME/.my.cnf /etc/mysql/conf.d/my.cnf
# set password to the root user and grant privileges
Q1="GRANT ALL PRIVILEGES on *.* to 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PASS' WITH GRANT OPTION;"
Q2="FLUSH PRIVILEGES;"
SQL="${Q1}${Q2}"
mysql -uroot -e "$SQL"
##################################
# MariaDB tweaks
##################################
echo "Configuring MariaDB tweaks"
cp -f $REPO_PATH/etc/mysql/my.cnf /etc/mysql/my.cnf
sudo service mysql stop >>/tmp/ubuntu-nginx-web-server.log
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
cp -f $REPO_PATH/etc/systemd/system/mariadb.service.d/limits.conf /etc/systemd/system/mariadb.service.d/limits.conf
sudo systemctl daemon-reload >>/tmp/ubuntu-nginx-web-server.log
sudo service mysql start >>/tmp/ubuntu-nginx-web-server.log
elif [ "$mariadb_client_install" = "y" ]; then
echo "installing mariadb-client"
apt-get install -y mariadb-client >>/tmp/ubuntu-nginx-web-server.log
fi
##################################
# EasyEngine automated install
##################################
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = $USER@$HOSTNAME" > $HOME/.gitconfig'
sudo wget -qO ee rt.cx/ee && sudo bash ee
source /etc/bash_completion.d/ee_auto.rc
##################################
# EasyEngine stacks install
##################################
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
##################################
# Fix phpmyadmin install
##################################
echo "updating phpmyadmin"
{
cd ~/ || exit
curl -sS https://getcomposer.org/installer | php >>/tmp/ubuntu-nginx-web-server.log
mv composer.phar /usr/bin/composer
chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
} >>/tmp/ubuntu-nginx-web-server.log
##################################
# Allow www-data shell access for SFTP + add .bashrc settings et completion
##################################
echo "configuring www-data permissions"
{
usermod -s /bin/bash www-data
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash >>/tmp/ubuntu-nginx-web-server.log
cp -f /var/www/.profile $REPO_PATH/files/var/www/.profile
cp -f /var/www/.bashrc $REPO_PATH/files/var/www/.bashrc
chown www-data:www-data /var/www/.profile
chown www-data:www-data /var/www/.bashrc
sudo -u www-data -H wget https://raw.githubusercontent.com/scopatz/nanorc/files/install.sh -O- | sh
} >>/tmp/ubuntu-nginx-web-server.log
##################################
# Install php7.1-fpm
##################################
if [ "$phpfpm71_install" = "y" ]; then
echo "installing php7.1-fpm"
apt-get install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl >>/tmp/ubuntu-nginx-web-server.log
sudo cp -f $REPO_PATH/etc/php/7.1/fpm/pool.d/www.conf /etc/php/7.1/fpm/pool.d/www.conf
sudo cp -f $REPO_PATH/etc/php/7.1/fpm/php.ini /etc/php/7.1/fpm/php.ini
cp -f $REPO_PATH/etc/php/7.1/cli/php.ini /etc/php/7.1/cli/php.ini
sudo service php7.1-fpm restart
fi
##################################
# Install php7.2-fpm
##################################
if [ "$phpfpm72_install" = "y" ]; then
echo "installing php7.2-fpm"
apt-get install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y >>/tmp/ubuntu-nginx-web-server.log
cp -f $REPO_PATH/etc/php/7.2/fpm/pool.d/www.conf /etc/php/7.2/fpm/pool.d/www.conf
cp -f $REPO_PATH/etc/php/7.2/cli/php.ini /etc/php/7.2/cli/php.ini
service php7.2-fpm restart
fi
##################################
# Update php7.0-fpm config
##################################
echo "updating php7.0 configuration"
{
if [ ! -d /etc/php/7.0 ]; then
cp -f $REPO_PATH/etc/php/7.0/cli/php.ini /etc/php/7.0/cli/php.ini
cp -f $REPO_PATH/etc/php/7.0/fpm/php.ini /etc/php/7.0/fpm/php.ini
fi
} >>/tmp/ubuntu-nginx-web-server.log
##################################
# Compile latest nginx release from source
##################################
wget https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh
chmod +x nginx-build.sh
./nginx-build.sh
##################################
# Add nginx additional conf
##################################
echo "optimizing nginx configuration"
{
# php7.1 & 7.2 common configurations
cp -rf $REPO_PATH/etc/nginx/common/* /etc/nginx/common/
# optimized nginx.config
cp -f $REPO_PATH/etc/nginx/nginx.conf /etc/nginx/nginx.conf
# check nginx configuration
CONF_22222=$(grep -c netdata /etc/nginx/sites-available/22222)
CONF_UPSTREAM=$(grep -c netdata /etc/nginx/conf.d/upstream.conf)
CONF_DEFAULT=$(grep -c status /etc/nginx/sites-available/default)
if [ "$CONF_22222" = "0" ]; then
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
sudo cp -f $REPO_PATH/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
fi
if [ "$CONF_UPSTREAM" = "0" ]; then
# add netdata, php7.1 and php7.2 upstream
sudo cp -f $REPO_PATH/etc/nginx/conf.d/upstream.conf /etc/nginx/conf.d/upstream.conf
fi
if [ "$CONF_DEFAULT" = "0" ]; then
# additional nginx locations for monitoring
sudo cp -f $REPO_PATH/etc/nginx/sites-available/default /etc/nginx/sites-available/default
fi
# 1) add webp mapping
cp -f $REPO_PATH/etc/nginx/conf.d/webp.conf /etc/nginx/conf.d/webp.conf
nginx -t
service nginx reload
} >>/tmp/ubuntu-nginx-web-server.log
##################################
# Add fail2ban configurations
##################################
echo "configuring fail2ban"
{
cp -f $REPO_PATH/etc/fail2ban/filter.d/ddos.conf /etc/fail2ban/filter.d/ddos.conf
cp -f $REPO_PATH/etc/fail2ban/filter.d/ee-wordpress.conf /etc/fail2ban/filter.d/ee-wordpress.conf
cp -f $REPO_PATH/etc/fail2ban/jail.d/custom.conf /etc/fail2ban/jail.d/custom.conf
cp -f $REPO_PATH/etc/fail2ban/jail.d/ddos.conf /etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
} >>/tmp/ubuntu-nginx-web-server.log
##################################
# Install cheat & nanorc
##################################
echo "installing cheat CLI"
{
curl https://cht.sh/:cht.sh >/usr/bin/cht.sh
chmod +x /usr/bin/cht.sh
curl https://cht.sh/:bash_completion >/etc/bash_completion.d/cht.sh
sed -i 's/complete -F _cht_complete cht.sh/complete -F _cht_complete cheat/' /etc/bash_completion.d/cht.sh
cd || exit
echo "alias cheat='cht.sh'" >>.bashrc
source .bashrc
wget https://raw.githubusercontent.com/scopatz/nanorc/files/install.sh -O- | sh
} >>/tmp/ubuntu-nginx-web-server.log
##################################
# Install ProFTPd
##################################
if [ "$proftpd_install" = "y" ]; then
echo "installing proftpd"
apt-get install proftpd -y >>/tmp/ubuntu-nginx-web-server.log
# secure proftpd and enable PassivePorts
sed -i 's/# DefaultRoot/DefaultRoot/' /etc/proftpd/proftpd.conf
sed -i 's/# RequireValidShell/RequireValidShell/' /etc/proftpd/proftpd.conf
sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' /etc/proftpd/proftpd.conf
sudo service proftpd restart
if [ -d /etc/ufw ]; then
# ftp passive ports
ufw allow 49000:50000/tcp
fi
fi
##################################
# Install Netdata
##################################
if [ ! -d /etc/netdata ]; then
echo "installing netdata"
## install dependencies
apt-get install autoconf autoconf-archive autogen automake gcc libmnl-dev lm-sensors make nodejs pkg-config python python-mysqldb python-psycopg2 python-pymongo python-yaml uuid-dev zlib1g-dev -y >>/tmp/ubuntu-nginx-web-server.log
## install nedata
wget https://my-netdata.io/kickstart.sh >>/tmp/ubuntu-nginx-web-server.log
chmod +x kickstart.sh
./kickstart.sh all --dont-wait
## optimize netdata resources usage
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
## disable email notifigrep -cions
sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
sudo service netdata restart
fi
##################################
# Install EasyEngine Dashboard
##################################
echo "installing easyengine-dashboard"
{
if [ ! -d /var/www/22222/htdocs/files ]; then
mkdir /var/www/22222/htdocs/files
wget http://extplorer.net/attachments/download/74/eXtplorer_$EXTPLORER_VER.zip -O /var/www/22222/htdocs/files/ex.zip
cd /var/www/22222/htdocs/files || exit 1
unzip ex.zip
rm ex.zip
fi
cd /var/www/22222 || exit
## download latest version of EasyEngine-dashboard
cd /tmp || exit
git clone https://github.com/VirtuBox/easyengine-dashboard.git
cp -rf /tmp/easyengine-dashboard/* /var/www/22222/htdocs/
chown -R www-data:www-data /var/www/22222/htdocs
} >>/tmp/ubuntu-nginx-web-server.log
##################################
# Install Acme.sh
##################################
echo "installing acme.sh"
{
# install acme.sh if needed
echo ""
echo "checking if acme.sh is already installed"
echo ""
if [ ! -f $HOME/.acme.sh/acme.sh ]; then
echo ""
echo ""
wget -O - https://get.acme.sh | sh
cd || exit
source .bashrc
fi
} >>/tmp/ubuntu-nginx-web-server.log
##################################
# Secure EasyEngine Dashboard with Acme.sh
##################################
MY_HOSTNAME=$(hostname -f)
MY_IP=$(curl -s v4.vtbox.net)
MY_HOSTNAME_IP=$(dig +short @8.8.8.8 "$MY_HOSTNAME")
if [[ "$MY_IP" == "$MY_HOSTNAME_IP" ]]; then
echo "securing easyengine backend"
if [ ! -f /etc/systemd/system/multi-user.target.wants/nginx.service ]; then
systemctl enable nginx.service >>/tmp/ubuntu-nginx-web-server.log
fi
if [ ! -d $HOME/.acme.sh/${MY_HOSTNAME}_ecc ]; then
$HOME/.acme.sh/acme.sh --issue -d $MY_HOSTNAME --keylength ec-384 --standalone --pre-hook "service nginx stop " --post-hook "service nginx start"
fi
if [ -d /etc/letsencrypt/live/$MY_HOSTNAME ]; then
rm -rf /etc/letsencrypt/live/$MY_HOSTNAME/*
else
mkdir -p /etc/letsencrypt/live/$MY_HOSTNAME
fi
# install the cert and reload nginx
$HOME/.acme.sh/acme.sh --install-cert -d ${MY_HOSTNAME} --ecc \
--cert-file /etc/letsencrypt/live/${MY_HOSTNAME}/cert.pem \
--key-file /etc/letsencrypt/live/${MY_HOSTNAME}/key.pem \
--fullchain-file /etc/letsencrypt/live/${MY_HOSTNAME}/fullchain.pem \
--reloadcmd "systemctl reload nginx.service"
if [ -f /etc/letsencrypt/live/${MY_HOSTNAME}/fullchain.pem ] && [ -f /etc/letsencrypt/live/${MY_HOSTNAME}/key.pem ]; then
sed -i "s/ssl_certificate \\/var\\/www\\/22222\\/cert\\/22222.crt;/ssl_certificate \\/etc\\/letsencrypt\\/live\\/${MY_HOSTNAME}\\/fullchain.pem;/" /etc/nginx/sites-available/22222
sed -i "s/ssl_certificate_key \\/var\\/www\\/22222\\/cert\\/22222.key;/ssl_certificate_key \\/etc\\/letsencrypt\\/live\\/${MY_HOSTNAME}\\/key.pem;/" /etc/nginx/sites-available/22222
fi
service nginx reload
fi