diff --git a/README.md b/README.md index b77c264..b089d9c 100644 --- a/README.md +++ b/README.md @@ -226,12 +226,11 @@ Then you can check php version with command `php -v` ### Additional Nginx configuration (/etc/nginx/conf.d) -- New upstreams (php7.1, php7.2, netdata) : upstream.conf +- New upstreams (php7.1, php7.2, netdata and php socket) : upstream.conf - webp image mapping : webp.conf - new fastcgi_cache_bypass mapping for wordpress : map-wp-fastcgi-cache.conf - stub_status configuration on 127.0.0.1:80 : stub_status.conf - restore visitor real IP under Cloudflare : cloudflare.conf -- mitigate WordPress DoS attack ```bash # copy all common nginx configurations @@ -243,6 +242,10 @@ git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update conf. ### EE common configuration +- mitigate WordPress DoS attack (wpcommon-phpX.conf) +- webp image conditional rewrite (wpcommon-phpX.conf) +- additional directives to prevent hack (locations-phpX.conf) + ```bash cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/common/* /etc/nginx/common/ @@ -253,7 +256,7 @@ git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update commo ### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee) ```bash -bash <(wget-qO - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh) +bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh) ``` * * * 
@@ -375,8 +378,62 @@ sudo systemctl stop memcached sudo systemctl disable memcached.service ``` +* * * + ## Optional +### proftpd + +#### Install proftpd + +```bash +apt-get install proftpd -y +``` + +secure proftpd and enable passive ports + +```bash +sed -i 's/# DefaultRoot/DefaultRoot/' /etc/proftpd/proftpd.conf +sed -i 's/# RequireValidShell/RequireValidShell/' /etc/proftpd/proftpd.conf +sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' /etc/proftpd/proftpd.conf +``` + +restart proftpd + +```bash +sudo service proftpd restart +``` + +Allow FTP ports with UFW + +```bash +# ftp active port +sudo ufw allow 21 + +# ftp passive ports +sudo ufw allow 49000:50000/tcp +``` + +Enable fail2ban proftpd jail + +```bash +echo -e '\n[proftpd]\nenabled = true\n' >> /etc/fail2ban/jail.d/custom.conf + +fail2ban-client reload +``` + +#### Adding users + +```bash +# create user without shell access in group www-data +adduser --home /var/www/yourdomain.tld/ --shell /bin/false --ingroup www-data youruser + +# allow group read/write on website folder +chmod -R g+rw /var/www/yourdomain.tld +``` + +* * * + ### ee-acme-sh [Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers @@ -394,6 +451,8 @@ chmod +x install-ee-acme.sh source .bashrc ``` +* * * + ### netdata [Github repository](https://github.com/firehol/netdata) @@ -418,6 +477,8 @@ sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health service netdata restart ``` +* * * + ### cht.sh (cheat) [Github repository](https://github.com/chubin/cheat.sh) @@ -452,6 +513,8 @@ root@vps:~ cheat cat cat -n file ``` +* * * + ### nanorc - Improved Nano Syntax Highlighting Files [Github repository](https://github.com/scopatz/nanorc) @@ -460,6 +523,8 @@ root@vps:~ cheat cat wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | sh ``` +* * * + ### Add WP-CLI & bash-completion for user www-data ```bashrc 
diff --git a/docs/README.md b/docs/README.md index b77c264..b089d9c 100644 --- a/docs/README.md +++ b/docs/README.md @@ -226,12 +226,11 @@ Then you can check php version with command `php -v` ### Additional Nginx configuration (/etc/nginx/conf.d) -- New upstreams (php7.1, php7.2, netdata) : upstream.conf +- New upstreams (php7.1, php7.2, netdata and php socket) : upstream.conf - webp image mapping : webp.conf - new fastcgi_cache_bypass mapping for wordpress : map-wp-fastcgi-cache.conf - stub_status configuration on 127.0.0.1:80 : stub_status.conf - restore visitor real IP under Cloudflare : cloudflare.conf -- mitigate WordPress DoS attack ```bash # copy all common nginx configurations @@ -243,6 +242,10 @@ git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update conf. ### EE common configuration +- mitigate WordPress DoS attack (wpcommon-phpX.conf) +- webp image conditional rewrite (wpcommon-phpX.conf) +- additional directives to prevent hack (locations-phpX.conf) + ```bash cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/common/* /etc/nginx/common/ @@ -253,7 +256,7 @@ git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update commo ### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee) ```bash -bash <(wget-qO - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh) +bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh) ``` * * * 
@@ -375,8 +378,62 @@ sudo systemctl stop memcached sudo systemctl disable memcached.service ``` +* * * + ## Optional +### proftpd + +#### Install proftpd + +```bash +apt-get install proftpd -y +``` + +secure proftpd and enable passive ports + +```bash +sed -i 's/# DefaultRoot/DefaultRoot/' /etc/proftpd/proftpd.conf +sed -i 's/# RequireValidShell/RequireValidShell/' /etc/proftpd/proftpd.conf +sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' /etc/proftpd/proftpd.conf +``` + +restart proftpd + +```bash +sudo service proftpd restart +``` + +Allow FTP ports with UFW + +```bash +# ftp active port +sudo ufw allow 21 + +# ftp passive ports +sudo ufw allow 49000:50000/tcp +``` + +Enable fail2ban proftpd jail + +```bash +echo -e '\n[proftpd]\nenabled = true\n' >> /etc/fail2ban/jail.d/custom.conf + +fail2ban-client reload +``` + +#### Adding users + +```bash +# create user without shell access in group www-data +adduser --home /var/www/yourdomain.tld/ --shell /bin/false --ingroup www-data youruser + +# allow group read/write on website folder +chmod -R g+rw /var/www/yourdomain.tld +``` + +* * * + ### ee-acme-sh [Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers @@ -394,6 +451,8 @@ chmod +x install-ee-acme.sh source .bashrc ``` +* * * + ### netdata [Github repository](https://github.com/firehol/netdata) @@ -418,6 +477,8 @@ sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health service netdata restart ``` +* * * + ### cht.sh (cheat) [Github repository](https://github.com/chubin/cheat.sh) @@ -452,6 +513,8 @@ root@vps:~ cheat cat cat -n file ``` +* * * + ### nanorc - Improved Nano Syntax Highlighting Files [Github repository](https://github.com/scopatz/nanorc) @@ -460,6 +523,8 @@ root@vps:~ cheat cat wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | sh ``` +* * * + ### Add WP-CLI & bash-completion for user www-data ```bashrc 
diff --git a/etc/nginx/common/locations-php7.conf b/etc/nginx/common/locations-php7.conf
index 029c6c5..81b4cc0 100644
--- a/etc/nginx/common/locations-php7.conf
+++ b/etc/nginx/common/locations-php7.conf
@@ -20,7 +20,7 @@ location = /robots.txt {
 log_not_found off;
 }
 # Cache static files
-location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
 add_header "Access-Control-Allow-Origin" "*";
 access_log off;
 log_not_found off;
diff --git a/etc/nginx/common/wpcommon-php7.conf b/etc/nginx/common/wpcommon-php7.conf
index d5bf238..c44d2bd 100644
--- a/etc/nginx/common/wpcommon-php7.conf
+++ b/etc/nginx/common/wpcommon-php7.conf
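Review bot: `ttf` appears twice in the new alternation (`woff2|ttf|m4a|mp4|ttf|rss`), inherited from the old line; the second occurrence is dead and can be dropped. The edit removes `zip`, `gz`, `rar` and `bz2` from the extensions served with `access_log off` and a wildcard `Access-Control-Allow-Origin`, but leaves `tgz`, `tar` and `exe` in the list, so whatever motivated excluding archives from unlogged, CORS-open caching presumably applies to those too. Recording the reason in the comment above the block, e.g. `# Cache static files (archives/executables are excluded on purpose so downloads stay in the access log)`, would keep the list from drifting back; that wording is a guess at the intent and should be adjusted to the real reason. The location's body continues past the hunk.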
@@ -14,18 +14,20 @@ location = /wp-config.txt {
 }
 # webp rewrite rules for jpg and png images
 # try to load alternative image.png.webp before image.png
-location ~ ^/wp-content/uploads/.*\.(png|jpe?g)$ {
- add_header Vary "Accept-Encoding";
- add_header "Access-Control-Allow-Origin" "*";
- add_header Cache-Control "public, no-transform";
- access_log off;
- log_not_found off;
- expires max;
- try_files $uri$webp_suffix $uri =404;
-}
-# Deny access to any files with a .php extension in the uploads directory for the single site
-location ~ ^/wp-content/uploads/.*\.php$ {
- deny all;
+location /wp-content/uploads {
+ location ~ \.(png|jpe?g)$ {
+ add_header Vary "Accept-Encoding";
+ add_header "Access-Control-Allow-Origin" "*";
+ add_header Cache-Control "public, no-transform";
+ access_log off;
+ log_not_found off;
+ expires max;
+ try_files $uri$webp_suffix $uri =404;
+ }
+ location ~ \.php$ {
+#Prevent Direct Access Of PHP Files From Web Browsers
+ deny all;
+ }
 }
 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
diff --git a/etc/nginx/common/wpcommon-php71.conf b/etc/nginx/common/wpcommon-php71.conf
index 9db44c3..8208b44 100644
--- a/etc/nginx/common/wpcommon-php71.conf
+++ b/etc/nginx/common/wpcommon-php71.conf
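Review bot: `location /wp-content/uploads {` is a plain prefix location, and nginx only falls back to a prefix match after every regex location in the server block has been tried, so the webp `try_files` and the nested `location ~ \.php$ { deny all; }` run only when no server-level regex matches the URI — a `location ~ \.php$` that hands requests to PHP-FPM, or the `~* \.(…|jpe?g|…|png|…)$` static-file block in locations-php7.conf, would take the request first. Changing the opener to `location ^~ /wp-content/uploads {` makes nginx stop at this prefix when it matches, so the nested blocks actually apply; the `# Deny access … multisite network` block that follows outside the hunk may still catch uploaded `.php` files, but the new nested deny should not depend on it. The same hunk is repeated in wpcommon-php71.conf and wpcommon-php72.conf and needs the same change. Minor style: `#Prevent Direct Access Of PHP Files From Web Browsers` sits at column 0 inside the nested block; indenting it with the `deny all;` it annotates, as `# prevent direct access to PHP files from web browsers`, would match the surrounding layout.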
@@ -14,18 +14,20 @@ location = /wp-config.txt {
 }
 # webp rewrite rules for jpg and png images
 # try to load alternative image.png.webp before image.png
-location ~ ^/wp-content/uploads/.*\.(png|jpe?g)$ {
- add_header Vary "Accept-Encoding";
- add_header "Access-Control-Allow-Origin" "*";
- add_header Cache-Control "public, no-transform";
- access_log off;
- log_not_found off;
- expires max;
- try_files $uri$webp_suffix $uri =404;
-}
-# Deny access to any files with a .php extension in the uploads directory for the single site
-location ~ ^/wp-content/uploads/.*\.php$ {
- deny all;
+location /wp-content/uploads {
+ location ~ \.(png|jpe?g)$ {
+ add_header Vary "Accept-Encoding";
+ add_header "Access-Control-Allow-Origin" "*";
+ add_header Cache-Control "public, no-transform";
+ access_log off;
+ log_not_found off;
+ expires max;
+ try_files $uri$webp_suffix $uri =404;
+ }
+ location ~ \.php$ {
+#Prevent Direct Access Of PHP Files From Web Browsers
+ deny all;
+ }
 }
 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
diff --git a/etc/nginx/common/wpcommon-php72.conf b/etc/nginx/common/wpcommon-php72.conf
index 1f8eae7..afda8a7 100644
--- a/etc/nginx/common/wpcommon-php72.conf
+++ b/etc/nginx/common/wpcommon-php72.conf
@@ -14,18 +14,20 @@ location = /wp-config.txt {
 }
 # webp rewrite rules for jpg and png images
 # try to load alternative image.png.webp before image.png
-location /wp-content/uploads/.*\.(png|jpe?g)$ {
- add_header Vary "Accept-Encoding";
- add_header "Access-Control-Allow-Origin" "*";
- add_header Cache-Control "public, no-transform";
- access_log off;
- log_not_found off;
- expires max;
- try_files $uri$webp_suffix $uri =404;
-}
-# Deny access to any files with a .php extension in the uploads directory for the single site
-location ~ ^/wp-content/uploads/.*\.php$ {
- deny all;
+location /wp-content/uploads {
+ location ~ \.(png|jpe?g)$ {
+ add_header Vary "Accept-Encoding";
+ add_header "Access-Control-Allow-Origin" "*";
+ add_header Cache-Control "public, no-transform";
+ access_log off;
+ log_not_found off;
+ expires max;
+ try_files $uri$webp_suffix $uri =404;
+ }
+ location ~ \.php$ {
+#Prevent Direct Access Of PHP Files From Web Browsers
+ deny all;
+ }
 }
 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
diff --git a/etc/nginx/conf.d/tweaks.conf b/etc/nginx/conf.d/tweaks.conf
index 91be8f8..60bc6ac 100644
--- a/etc/nginx/conf.d/tweaks.conf
+++ b/etc/nginx/conf.d/tweaks.conf
@@ -6,7 +6,6 @@ keepalive_disable msie6; large_client_header_buffers 8 64k; - open_file_cache max=50000 inactive=60s; open_file_cache_errors off; open_file_cache_min_uses 2;
diff --git a/etc/nginx/conf.d/upstream.conf b/etc/nginx/conf.d/upstream.conf
index 9c4ff60..3309cab 100644
--- a/etc/nginx/conf.d/upstream.conf
+++ b/etc/nginx/conf.d/upstream.conf
@@ -29,8 +29,8 @@ server 127.0.0.1:9170;
 upstream php7-sock {
 least_conn;
-server unix:/var/run/php7-fpm.sock;
-server unix:/var/run/php7-two-fpm.sock;
+server unix:/var/run/php70-fpm.sock;
+server unix:/var/run/php70-two-fpm.sock;
 keepalive 5;
 }
diff --git a/etc/nginx/nginx-intermediate.conf b/etc/nginx/nginx-intermediate.conf
index 8dc90c3..b2fcfe1 100644
--- a/etc/nginx/nginx-intermediate.conf
+++ b/etc/nginx/nginx-intermediate.conf
@@ -59,6 +59,11 @@ http
 # tls dynamic records patch directive
 ssl_dyn_rec_enable on;
+ ssl_dyn_rec_enable on;
+ ssl_dyn_rec_size_hi 4229;
+ ssl_dyn_rec_size_lo 1369;
+ ssl_dyn_rec_threshold 40;
+ ssl_dyn_rec_timeout 1000;
 # nginx-vts-status module
 vhost_traffic_status_zone;
diff --git a/etc/nginx/nginx-tlsv12.conf b/etc/nginx/nginx-tlsv12.conf
index f18ab26..90909ad 100644
--- a/etc/nginx/nginx-tlsv12.conf
+++ b/etc/nginx/nginx-tlsv12.conf
@@ -59,6 +59,10 @@ http
 # tls dynamic records patch directive
 ssl_dyn_rec_enable on;
+ ssl_dyn_rec_size_hi 4229;
+ ssl_dyn_rec_size_lo 1369;
+ ssl_dyn_rec_threshold 40;
+ ssl_dyn_rec_timeout 1000;
 # nginx-vts-status module
 vhost_traffic_status_zone;
@@ -82,7 +86,7 @@ http
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 1d;
 ssl_session_tickets off;
- ssl_ecdh_curve X25519:P-521:P-384:P-256;
+ ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
 ##Common headers for security
 more_set_headers "X-Frame-Options : SAMEORIGIN";
diff --git a/etc/php/7.0/pool.d/www-sock.conf b/etc/php/7.0/pool.d/www-sock.conf
index 430ff66..cb7924a 100644
--- a/etc/php/7.0/pool.d/www-sock.conf
+++ b/etc/php/7.0/pool.d/www-sock.conf
@@ -3,7 +3,7 @@ user = www-data
 group = www-data
 prefix = /var/run
-listen = php7-fpm.sock
+listen = php70-fpm.sock
 listen.owner = www-data
 listen.group = www-data
 listen.mode = 0660
diff --git a/etc/php/7.0/pool.d/www-two-sock..conf b/etc/php/7.0/pool.d/www-two-sock..conf
index b124843..5c09206 100644
--- a/etc/php/7.0/pool.d/www-two-sock..conf
+++ b/etc/php/7.0/pool.d/www-two-sock..conf
@@ -3,7 +3,7 @@ user = www-data
 group = www-data
 prefix = /var/run
-listen = php7-two-fpm.sock
+listen = php70-two-fpm.sock
 listen.owner = www-data
 listen.group = www-data
 listen.mode = 0660
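Review bot: The added `+ ssl_dyn_rec_enable on;` directly follows the existing `ssl_dyn_rec_enable on;` context line, so the `http` block now carries the directive twice; nginx rejects a repeated flag directive in the same block with a "directive is duplicate" error, so `nginx -t` would fail on nginx-intermediate.conf until the added line is removed, leaving only the four `ssl_dyn_rec_size_hi`/`size_lo`/`threshold`/`timeout` lines as the nginx-tlsv12.conf hunk does. Those four values appear to be the dynamic-records patch's built-in defaults, in which case they are redundant but harmless; a comment such as `# explicit defaults of the dynamic TLS records patch` would stop a reader from mistaking them for tuning. The `http` block starts and ends outside the hunk.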
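Review bot: The new `ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;` drops secp256r1 (the old `P-256`), the curve with the broadest client support and the most hardware-accelerated implementations, so any client that offers neither X25519 nor P-384/P-521 — still seen in older embedded and mobile TLS stacks — loses ECDHE with this server entirely. `sect571r1` is a binary-field curve that TLS 1.3 does not define as a supported group and that mainstream browsers and libraries stopped offering long ago, so it adds nothing to interoperability or security here. Suggest `ssl_ecdh_curve X25519:secp521r1:secp384r1:prime256v1;` (`prime256v1` is OpenSSL's name for P-256; the `P-256` alias used before also works) and keeping the same list in nginx-intermediate.conf if it sets this directive. The `http` block extends outside the hunk.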
diff --git a/etc/php/7.2/cli/php.ini b/etc/php/7.2/cli/php.ini
new file mode 100644
index 0000000..7be1582
--- /dev/null
+++ b/etc/php/7.2/cli/php.ini
@@ -0,0 +1,184 @@
+[PHP]
+engine = On
+short_open_tag = Off
+precision = 14
+output_buffering = 4096
+zlib.output_compression = Off
+implicit_flush = Off
+unserialize_callback_func =
+serialize_precision = -1
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
+disable_classes =
+zend.enable_gc = On
+expose_php = Off
+max_execution_time = 300
+max_input_vars = 10000
+max_input_time = 600
+memory_limit = 256M
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_errors = Off
+display_startup_errors = Off
+log_errors = On
+log_errors_max_len = 1024
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+report_memleaks = On
+html_errors = On
+variables_order = "GPCS"
+request_order = "GP"
+register_argc_argv = Off
+auto_globals_jit = On
+post_max_size = 128M
+auto_prepend_file =
+auto_append_file =
+default_mimetype = "text/html"
+default_charset = "UTF-8"
+doc_root =
+user_dir =
+enable_dl = Off
+file_uploads = On
+upload_max_filesize = 128M
+max_file_uploads = 20
+allow_url_fopen = On
+allow_url_include = Off
+default_socket_timeout = 60
+
+[CLI Server]
+cli_server.color = On
+
+[Date]
+date.timezone = Europe/Paris
+
+[filter]
+
+[iconv]
+
+[intl]
+
+[sqlite3]
+
+[Pcre]
+
+[Pdo]
+
+[Pdo_mysql]
+pdo_mysql.cache_size = 2000
+pdo_mysql.default_socket=
+
+[Phar]
+
+[mail function]
+SMTP = localhost
+smtp_port = 25
+mail.add_x_header = On
+
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.max_persistent = -1
+odbc.max_links = -1
+odbc.defaultlrl = 4096
+odbc.defaultbinmode = 1
+
+[Interbase]
+ibase.allow_persistent = 1
+ibase.max_persistent = -1
+ibase.max_links = -1
+ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
+ibase.dateformat = "%Y-%m-%d"
+ibase.timeformat = "%H:%M:%S"
+
+[MySQLi]
+mysqli.max_persistent = -1
+mysqli.allow_persistent = On
+mysqli.max_links = -1
+mysqli.cache_size = 2000
+mysqli.default_port = 3306
+mysqli.default_socket =
+mysqli.default_host =
+mysqli.default_user =
+mysqli.default_pw =
+mysqli.reconnect = Off
+
+[mysqlnd]
+mysqlnd.collect_statistics = On
+mysqlnd.collect_memory_statistics = Off
+
+[OCI8]
+
+[PostgreSQL]
+pgsql.allow_persistent = On
+pgsql.auto_reset_persistent = Off
+pgsql.max_persistent = -1
+pgsql.max_links = -1
+pgsql.ignore_notice = 0
+pgsql.log_notice = 0
+
+[bcmath]
+bcmath.scale = 0
+
+[browscap]
+
+[Session]
+session.save_handler = files
+session.use_strict_mode = 0
+session.use_cookies = 1
+session.cookie_secure = 1
+session.use_only_cookies = 1
+session.name = PHPSESSID
+session.auto_start = 0
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.cookie_domain =
+session.cookie_httponly =
+session.serialize_handler = php
+session.gc_probability = 0
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.referer_check =
+session.cache_limiter = nocache
+session.cache_expire = 180
+session.use_trans_sid = 0
+session.sid_length = 26
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+session.sid_bits_per_character = 5
+
+[Assertion]
+zend.assertions = -1
+
+[COM]
+
+[mbstring]
+
+[gd]
+
+[exif]
+
+[Tidy]
+tidy.clean_output = Off
+
+[soap]
+soap.wsdl_cache_enabled=1
+soap.wsdl_cache_dir="/tmp"
+soap.wsdl_cache_ttl=86400
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+
+[ldap]
+ldap.max_links = -1
+
+[dba]
+
+[opcache]
+opcache.enable=1
+opcache.enable_cli=1
+opcache.interned_strings_buffer=8
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=256
+opcache.save_comments=1
+opcache.revalidate_freq=1
+
+[curl]
+
+[openssl]
diff --git a/scripts/freshclam b/scripts/freshclam
deleted file mode 100644
index 6734f86..0000000
--- a/scripts/freshclam
+++ /dev/null
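Review bot: `date.timezone = Europe/Paris` pins one region into a template that is copied to every server built from this repository, so CLI PHP on a machine anywhere else will timestamp logs and schedule jobs in the wrong zone without any warning; `date.timezone = UTC` is the neutral value for a shipped template, with the site's zone set per server. `disable_functions = …,pcntl_async_signals,` ends in a trailing comma, which PHP accepts but which reads as an unfinished list. The `[Session]` cookie settings such as `session.cookie_secure = 1` have no practical effect for the CLI SAPI, where there is no HTTP request to carry cookies; they are harmless here, but a header comment like `; php.ini for the php7.2 CLI SAPI - session/cookie settings below are inert for CLI` would save the next reader a check.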
@@ -1,9 +0,0 @@ -#!/bin/sh -# make sure the process is stopped -/etc/init.d/clamav-freshclam stop - -# check if database is outdated -/usr/bin/freshclam -v >> /var/log/result_freshclam.log 2>&1 - -# update virus database -/etc/init.d/clamav-freshclam start >> /dev/null 2>&1 diff --git a/scripts/init.sh b/scripts/init.sh deleted file mode 100644 index 98cc842..0000000 --- a/scripts/init.sh +++ /dev/null 
@@ -1,528 +0,0 @@ -#!/bin/bash - -# automated EasyEngine server configuration script -# currently in progress, not ready to be used in production yet - -#CSI="\\033[" -#CEND="${CSI}0m" -#CRED="${CSI}1;31m" -#CGREEN="${CSI}1;32m" - -################################## -# Variables -################################## - -EXTPLORER_VER="2.1.10" -REPO_PATH=/tmp/ubuntu-nginx-web-server - -################################## -# Check if user is root -################################## - -if [ "$(id -u)" != "0" ]; then - echo "Error: You must be root to run this script, please use the root user to install the software." - echo "" - echo "Use 'sudo su - root' to login as root" - exit 1 -fi - -clear - -################################## -# Welcome -################################## - -echo "" -echo "Welcome to ubuntu-nginx-web-server install script." -echo "" - -################################## -# Menu -################################## - -echo "" -echo "Do you want to install MariaDB-server ? (y/n)" -while [[ $mariadb_server_install != "y" && $mariadb_server_install != "n" ]]; do - read -p "Select an option [y/n]: " mariadb_server_install -done -if [ "$mariadb_server_install" = "n" ]; then - echo "" - echo "Do you want to install MariaDB-client ? (y/n)" - while [[ $mariadb_client_install != "y" && $mariadb_client_install != "n" ]]; do - read -p "Select an option [y/n]: " mariadb_client_install - done -fi -if [[ "$mariadb_server_install" == "y" || "$mariadb_client_install" == "y" ]]; then - echo "" - echo "What version of MariaDB Client/Server do you want to install, 10.1, 10.2 or 10.3 ?" - while [[ $mariadb_version_install != "10.1" && $mariadb_version_install != "10.2" && $mariadb_version_install != "10.3" ]]; do - read -p "Select an option [10.1 / 10.2 / 10.3]: " mariadb_version_install - done -fi -echo "" -echo "Do you want php7.1-fpm ? 
(y/n)" -while [[ $phpfpm71_install != "y" && $phpfpm71_install != "n" ]]; do - read -p "Select an option [y/n]: " phpfpm71_install -done -echo "" -echo "Do you want php7.2-fpm ? (y/n)" -while [[ $phpfpm72_install != "y" && $phpfpm72_install != "n" ]]; do - read -p "Select an option [y/n]: " phpfpm72_install -done -echo "" -echo "Do you want proftpd ? (y/n)" -while [[ $proftpd_install != "y" && $proftpd_install != "n" ]]; do - read -p "Select an option [y/n]: " proftpd_install -done -echo "" - -################################## -# Update packages -################################## - -echo "updating packages" -{ - apt-get update - apt-get upgrade -y - apt-get autoremove -y --purge - apt-get autoclean -y -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# UFW -################################## -echo "configuring UFW" -{ - if [ ! -d /etc/ufw ]; then - apt-get install ufw -y >>/tmp/ubuntu-nginx-web-server.log - fi - - ufw logging low - ufw default allow outgoing - ufw default deny incoming - - # required - ufw allow 22 - ufw allow 53 - ufw allow http - ufw allow https - ufw allow 21 - ufw allow 68 - ufw allow 546 - ufw allow 873 - ufw allow 123 - ufw allow 22222 - - # optional for monitoring - - ufw allow 161 - ufw allow 6556 - ufw allow 10050 - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Useful packages -################################## - -echo "installing useful packages" -{ - - apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg2 wget -y - # ntp time - systemctl enable ntp - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# clone repository -################################## - -echo "cloning ubuntu-nginx-web-server" -{ - cd /tmp || exit - rm -rf /tmp/ubuntu-nginx-web-server - git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Sysctl tweaks + open_files 
limits -################################## -echo "applying kernel tweaks" -{ - sudo modprobe tcp_htcp - cp -f $REPO_PATH/etc/sysctl.conf /etc/sysctl.conf - sysctl -p - cp -f $REPO_PATH/etc/security/limits.conf /etc/security/limits.conf - - # Redis transparent_hugepage - echo never >/sys/kernel/mm/transparent_hugepage/enabled - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Add MariaDB 10.3 repository -################################## - -if [[ "$mariadb_server_install" == "y" || "$mariadb_client_install" == "y" ]]; then - echo "adding mariadb repository" - curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | - sudo bash -s -- --mariadb-server-version=$mariadb_version_install --skip-maxscale -y - apt-get update >>/tmp/ubuntu-nginx-web-server.log -fi - -################################## -# MariaDB 10.3 install -################################## - -if [ "$mariadb_server_install" = "y" ]; then - echo "installing MariaDB $mariadb_version_install" - MYSQL_ROOT_PASS=$(date +%s | sha256sum | base64 | head -c 32) - export DEBIAN_FRONTEND=noninteractive # to avoid prompt during installation - sudo debconf-set-selections <<<"mariadb-server-$mariadb_version_install mysql-server/root_password password $MYSQL_ROOT_PASS" - sudo debconf-set-selections <<<"mariadb-server-$mariadb_version_install mysql-server/root_password_again password $MYSQL_ROOT_PASS" - # install mariadb server - DEBIAN_FRONTEND=noninteractive apt-get install -qq mariadb-server >>/tmp/ubuntu-nginx-web-server.log # -qq implies -y --force-yes - sudo bash -c 'echo -e "[client]\nuser = root" > $HOME/.my.cnf' - echo "password = $MYSQL_ROOT_PASS" >>$HOME/.my.cnf - cp $HOME/.my.cnf /etc/mysql/conf.d/my.cnf - # set password to the root user and grant privileges - Q1="GRANT ALL PRIVILEGES on *.* to 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PASS' WITH GRANT OPTION;" - Q2="FLUSH PRIVILEGES;" - SQL="${Q1}${Q2}" - mysql -uroot -e "$SQL" - - 
################################## - # MariaDB tweaks - ################################## - - echo "Configuring MariaDB tweaks" - cp -f $REPO_PATH/etc/mysql/my.cnf /etc/mysql/my.cnf - - sudo service mysql stop >>/tmp/ubuntu-nginx-web-server.log - - sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak - sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak - - cp -f $REPO_PATH/etc/systemd/system/mariadb.service.d/limits.conf /etc/systemd/system/mariadb.service.d/limits.conf - sudo systemctl daemon-reload >>/tmp/ubuntu-nginx-web-server.log - - sudo service mysql start >>/tmp/ubuntu-nginx-web-server.log -elif [ "$mariadb_client_install" = "y" ]; then - echo "installing mariadb-client" - apt-get install -y mariadb-client >>/tmp/ubuntu-nginx-web-server.log -fi - -################################## -# EasyEngine automated install -################################## - -sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = $USER@$HOSTNAME" > $HOME/.gitconfig' -sudo wget -qO ee rt.cx/ee && sudo bash ee - -source /etc/bash_completion.d/ee_auto.rc - -################################## -# EasyEngine stacks install -################################## - -ee stack install -ee stack install --php7 --redis --admin --phpredisadmin - -################################## -# Fix phpmyadmin install -################################## -echo "updating phpmyadmin" -{ - - cd ~/ || exit - curl -sS https://getcomposer.org/installer | php >>/tmp/ubuntu-nginx-web-server.log - mv composer.phar /usr/bin/composer - - chown www-data:www-data /var/www - sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/ - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Allow www-data shell access for SFTP + add .bashrc settings et completion -################################## -echo "configuring www-data permissions" -{ - - usermod -s /bin/bash www-data - - wget -O /etc/bash_completion.d/wp-completion.bash 
https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash >>/tmp/ubuntu-nginx-web-server.log - cp -f /var/www/.profile $REPO_PATH/files/var/www/.profile - cp -f /var/www/.bashrc $REPO_PATH/files/var/www/.bashrc - - chown www-data:www-data /var/www/.profile - chown www-data:www-data /var/www/.bashrc - - sudo -u www-data -H wget https://raw.githubusercontent.com/scopatz/nanorc/files/install.sh -O- | sh - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Install php7.1-fpm -################################## - -if [ "$phpfpm71_install" = "y" ]; then - - echo "installing php7.1-fpm" - apt-get install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \ - php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl >>/tmp/ubuntu-nginx-web-server.log - - sudo cp -f $REPO_PATH/etc/php/7.1/fpm/pool.d/www.conf /etc/php/7.1/fpm/pool.d/www.conf - - sudo cp -f $REPO_PATH/etc/php/7.1/fpm/php.ini /etc/php/7.1/fpm/php.ini - cp -f $REPO_PATH/etc/php/7.1/cli/php.ini /etc/php/7.1/cli/php.ini - sudo service php7.1-fpm restart - -fi - -################################## -# Install php7.2-fpm -################################## - -if [ "$phpfpm72_install" = "y" ]; then - echo "installing php7.2-fpm" - apt-get install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y >>/tmp/ubuntu-nginx-web-server.log - - cp -f $REPO_PATH/etc/php/7.2/fpm/pool.d/www.conf /etc/php/7.2/fpm/pool.d/www.conf - cp -f $REPO_PATH/etc/php/7.2/cli/php.ini /etc/php/7.2/cli/php.ini - service php7.2-fpm restart - -fi - -################################## -# Update php7.0-fpm config -################################## -echo "updating php7.0 configuration" -{ - - if [ ! 
-d /etc/php/7.0 ]; then - - cp -f $REPO_PATH/etc/php/7.0/cli/php.ini /etc/php/7.0/cli/php.ini - cp -f $REPO_PATH/etc/php/7.0/fpm/php.ini /etc/php/7.0/fpm/php.ini - - fi - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Compile latest nginx release from source -################################## - -wget https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh -chmod +x nginx-build.sh -./nginx-build.sh - -################################## -# Add nginx additional conf -################################## -echo "optimizing nginx configuration" -{ - - # php7.1 & 7.2 common configurations - - cp -rf $REPO_PATH/etc/nginx/common/* /etc/nginx/common/ - - # optimized nginx.config - cp -f $REPO_PATH/etc/nginx/nginx.conf /etc/nginx/nginx.conf - - # check nginx configuration - CONF_22222=$(grep -c netdata /etc/nginx/sites-available/22222) - CONF_UPSTREAM=$(grep -c netdata /etc/nginx/conf.d/upstream.conf) - CONF_DEFAULT=$(grep -c status /etc/nginx/sites-available/default) - - if [ "$CONF_22222" = "0" ]; then - # add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/ - sudo cp -f $REPO_PATH/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222 - fi - - if [ "$CONF_UPSTREAM" = "0" ]; then - # add netdata, php7.1 and php7.2 upstream - sudo cp -f $REPO_PATH/etc/nginx/conf.d/upstream.conf /etc/nginx/conf.d/upstream.conf - fi - - if [ "$CONF_DEFAULT" = "0" ]; then - # additional nginx locations for monitoring - sudo cp -f $REPO_PATH/etc/nginx/sites-available/default /etc/nginx/sites-available/default - fi - - # 1) add webp mapping - cp -f $REPO_PATH/etc/nginx/conf.d/webp.conf /etc/nginx/conf.d/webp.conf - - nginx -t - service nginx reload - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Add fail2ban configurations -################################## -echo "configuring fail2ban" -{ - - cp -f $REPO_PATH/etc/fail2ban/filter.d/ddos.conf /etc/fail2ban/filter.d/ddos.conf - 
cp -f $REPO_PATH/etc/fail2ban/filter.d/ee-wordpress.conf /etc/fail2ban/filter.d/ee-wordpress.conf - cp -f $REPO_PATH/etc/fail2ban/jail.d/custom.conf /etc/fail2ban/jail.d/custom.conf - cp -f $REPO_PATH/etc/fail2ban/jail.d/ddos.conf /etc/fail2ban/jail.d/ddos.conf - - fail2ban-client reload - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Install cheat & nanorc -################################## -echo "installing cheat CLI" -{ - - curl https://cht.sh/:cht.sh >/usr/bin/cht.sh - chmod +x /usr/bin/cht.sh - curl https://cht.sh/:bash_completion >/etc/bash_completion.d/cht.sh - sed -i 's/complete -F _cht_complete cht.sh/complete -F _cht_complete cheat/' /etc/bash_completion.d/cht.sh - - cd || exit - echo "alias cheat='cht.sh'" >>.bashrc - source .bashrc - - wget https://raw.githubusercontent.com/scopatz/nanorc/files/install.sh -O- | sh - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Install ProFTPd -################################## - -if [ "$proftpd_install" = "y" ]; then - - echo "installing proftpd" - apt-get install proftpd -y >>/tmp/ubuntu-nginx-web-server.log - - # secure proftpd and enable PassivePorts - - sed -i 's/# DefaultRoot/DefaultRoot/' /etc/proftpd/proftpd.conf - sed -i 's/# RequireValidShell/RequireValidShell/' /etc/proftpd/proftpd.conf - sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' /etc/proftpd/proftpd.conf - - sudo service proftpd restart - - if [ -d /etc/ufw ]; then - # ftp passive ports - ufw allow 49000:50000/tcp - fi - -fi - -################################## -# Install Netdata -################################## - -if [ ! 
-d /etc/netdata ]; then - echo "installing netdata" - ## install dependencies - apt-get install autoconf autoconf-archive autogen automake gcc libmnl-dev lm-sensors make nodejs pkg-config python python-mysqldb python-psycopg2 python-pymongo python-yaml uuid-dev zlib1g-dev -y >>/tmp/ubuntu-nginx-web-server.log - - ## install nedata - wget https://my-netdata.io/kickstart.sh >>/tmp/ubuntu-nginx-web-server.log - chmod +x kickstart.sh - ./kickstart.sh all --dont-wait - - ## optimize netdata resources usage - echo 1 >/sys/kernel/mm/ksm/run - echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs - - ## disable email notifigrep -cions - sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf - sudo service netdata restart - -fi - -################################## -# Install EasyEngine Dashboard -################################## - -echo "installing easyengine-dashboard" -{ - if [ ! -d /var/www/22222/htdocs/files ]; then - - mkdir /var/www/22222/htdocs/files - wget http://extplorer.net/attachments/download/74/eXtplorer_$EXTPLORER_VER.zip -O /var/www/22222/htdocs/files/ex.zip - cd /var/www/22222/htdocs/files || exit 1 - unzip ex.zip - rm ex.zip - fi - - cd /var/www/22222 || exit - - ## download latest version of EasyEngine-dashboard - cd /tmp || exit - git clone https://github.com/VirtuBox/easyengine-dashboard.git - cp -rf /tmp/easyengine-dashboard/* /var/www/22222/htdocs/ - chown -R www-data:www-data /var/www/22222/htdocs - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Install Acme.sh -################################## -echo "installing acme.sh" -{ - - # install acme.sh if needed - echo "" - echo "checking if acme.sh is already installed" - echo "" - if [ ! 
-f $HOME/.acme.sh/acme.sh ]; then - echo "" - - echo "" - wget -O - https://get.acme.sh | sh - cd || exit - source .bashrc - fi - -} >>/tmp/ubuntu-nginx-web-server.log - -################################## -# Secure EasyEngine Dashboard with Acme.sh -################################## - -MY_HOSTNAME=$(hostname -f) -MY_IP=$(curl -s v4.vtbox.net) -MY_HOSTNAME_IP=$(dig +short @8.8.8.8 "$MY_HOSTNAME") - -if [[ "$MY_IP" == "$MY_HOSTNAME_IP" ]]; then - echo "securing easyengine backend" - if [ ! -f /etc/systemd/system/multi-user.target.wants/nginx.service ]; then - systemctl enable nginx.service >>/tmp/ubuntu-nginx-web-server.log - fi - - if [ ! -d $HOME/.acme.sh/${MY_HOSTNAME}_ecc ]; then - $HOME/.acme.sh/acme.sh --issue -d $MY_HOSTNAME --keylength ec-384 --standalone --pre-hook "service nginx stop " --post-hook "service nginx start" - fi - - if [ -d /etc/letsencrypt/live/$MY_HOSTNAME ]; then - rm -rf /etc/letsencrypt/live/$MY_HOSTNAME/* - else - mkdir -p /etc/letsencrypt/live/$MY_HOSTNAME - fi - - # install the cert and reload nginx - $HOME/.acme.sh/acme.sh --install-cert -d ${MY_HOSTNAME} --ecc \ - --cert-file /etc/letsencrypt/live/${MY_HOSTNAME}/cert.pem \ - --key-file /etc/letsencrypt/live/${MY_HOSTNAME}/key.pem \ - --fullchain-file /etc/letsencrypt/live/${MY_HOSTNAME}/fullchain.pem \ - --reloadcmd "systemctl reload nginx.service" - - if [ -f /etc/letsencrypt/live/${MY_HOSTNAME}/fullchain.pem ] && [ -f /etc/letsencrypt/live/${MY_HOSTNAME}/key.pem ]; then - sed -i "s/ssl_certificate \\/var\\/www\\/22222\\/cert\\/22222.crt;/ssl_certificate \\/etc\\/letsencrypt\\/live\\/${MY_HOSTNAME}\\/fullchain.pem;/" /etc/nginx/sites-available/22222 - sed -i "s/ssl_certificate_key \\/var\\/www\\/22222\\/cert\\/22222.key;/ssl_certificate_key \\/etc\\/letsencrypt\\/live\\/${MY_HOSTNAME}\\/key.pem;/" /etc/nginx/sites-available/22222 - fi - service nginx reload - -fi