diff --git a/README.md b/README.md index 6e3d1ca..d57249c 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,20 @@ +# Optimized configuration for Ubuntu server with EasyEngine + +* * * -# Ubuntu optimized configuration with EasyEngine ----- ## Server Stack : -* Nginx 1.14.x -* PHP-FPM 7/7.1/7.2 -* MariaDB 10.2 -* REDIS 4.0 -* Memcached -* Fail2ban -* Netdata -* UFW ----- +- Ubuntu 16.04/18.04 LTS +- Nginx 1.14.x +- PHP-FPM 7/7.1/7.2 +- MariaDB 10.3 +- REDIS 4.0 +- Memcached +- Fail2ban +- Netdata +- UFW + +* * * ## All Instructions and informations are listed on the [Github page](https://virtubox.github.io/ubuntu-nginx-web-server/) 
@@ -21,124 +24,66 @@ Configuration files with comments and informations available by following the li **System update and packages cleanup** -``` -apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean -``` + apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean **Install useful packages** -``` -sudo apt install haveged curl git unzip zip fail2ban htop -y -``` - + + sudo apt install haveged curl git unzip zip fail2ban htop -y + **Tweak Kernel** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) & **Increase open files limits** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf) -``` -wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf -sysctl -p -wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf -``` + + modprobe tcp_htcp + wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf + sysctl -p + wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf + **disable transparent hugepage for redis** -``` -echo never > /sys/kernel/mm/transparent_hugepage/enabled -``` -## Security ----- + echo never > /sys/kernel/mm/transparent_hugepage/enabled -**Harden SSH Security** -WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config) -``` -wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config -``` - -**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/) - -``` -# enable ufw log - allow 
outgoing - deny incoming -ufw logging on -ufw default allow outgoing -ufw default deny incoming - -# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend -ufw allow 22 -ufw allow 53 -ufw allow http -ufw allow https -ufw allow 21 -ufw allow 123 -ufw allow 161 -ufw allow 6556 -ufw allow 19999 -ufw allow 22222 - -# enable UFW -ufw enable -``` - - ----- +* * * ## EasyEngine Setup -**Install MariaDB 10.2** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/) +**Install MariaDB 10.3** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/) -``` -curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \ -| sudo bash -s -- --mariadb-server-version=10.2 --skip-maxscale -sudo apt update -sudo apt install mariadb-server -``` + curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \ + | sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale + sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y **Install EasyEngine** -``` -wget -qO ee rt.cx/ee && bash ee -``` + + wget -qO ee rt.cx/ee && bash ee + +**enable ee bash_completion** + + source /etc/bash_completion.d/ee_auto.rc + **Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend** -``` -ee stack install -ee stack install --php7 --redis --admin --phpredisadmin -``` + + ee stack install + ee stack install --php7 --redis --admin --phpredisadmin **Set your email instead of root@localhost** -``` -echo 'root: my.email@address.com' >> /etc/aliases -newaliases -``` + + echo 'root: my.email@address.com' >> /etc/aliases + newaliases **Install Composer - Fix phpmyadmin install issue** -``` -cd ~/ -curl -sS https://getcomposer.org/installer | php -mv composer.phar /usr/bin/composer -sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/ -``` + + cd ~/ + curl -sS 
https://getcomposer.org/installer | php + mv composer.phar /usr/bin/composer + sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/ **Allow shell for www-data for SFTP usage** -``` -usermod -s /bin/bash www-data -``` -**Custom jails for fail2ban** + usermod -s /bin/bash www-data -* wordpress bruteforce -* ssh -* recidive (after 3 bans) -* backend http auth -* nginx bad bots +## PHP 7.1 & 7.2 Setup -``` -wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf -wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf -wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf -wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf - -fail2ban-client reload -``` - -## PHP 7.1 & 7.2 Setup - -**Install php7.1-fpm & php7.2-fpm** - +**Install php7.1-fpm** ```bash # php7.1-fpm 
@@ -146,131 +91,185 @@ apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1 php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf -service php7.1-fpm restart +wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini +service php7.1-fpm restart +``` + +**Install php7.2-fpm** +``` # php7.2-fpm apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf -service php7.2-fpm restart -``` -add nginx upstreams -``` -wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf -service nginx reload -``` -add ee common configuration -``` -cd /etc/nginx/common || exit -wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip -unzip common.zip -``` -**Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)** -``` -bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh) -``` ----- - -## Custom configurations - -**clean php-fpm php.ini configurations** -``` -# PHP 7.0 -wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini -service php7.0-fpm restart - -# PHP 7.1 -wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini -service php7.1-fpm restart - -# PHP 7.2 wget -O /etc/php/7.2/fpm/php.ini 
https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini service php7.2-fpm restart ``` +**add nginx upstreams** + + wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf + service nginx reload + +add ee common configuration + + cd /etc/nginx/common || exit + wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip + unzip common.zip + +**Compile last Nginx mainline release with [nginx-ee script](https://virtubox.github.io/nginx-ee/)** + + bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh) + +* * * + +## Custom configurations + +**clean php-fpm php.ini configurations** + + # PHP 7.0 + wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini + service php7.0-fpm restart **Nginx optimized configurations** -``` -# TLSv1.2 TLSv1.3 only -wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf + # TLSv1.2 TLSv1.3 only + wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf -# TLS intermediate -wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf + # TLS intermediate + wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf -# TLSv1.2 only -wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf + # TLSv1.2 only + wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf -``` **nginx configuration for netdata & new upstreams** -``` -# custom conf 
for netdata metrics (php-fpm & nginx status pages) -wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default -# add netdata, php7.1 and php7.2 upstream -wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf + # custom conf for netdata metrics (php-fpm & nginx status pages) + wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default -# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/ -wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222 -``` + # add netdata, php7.1 and php7.2 upstream + wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf + + # add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/ + wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222 **wpcommon-php7x configurations** -* webp rewrite rules added -* DoS attack CVE fix added -* php7.1 & php7.2 configuration added -``` -# 1) add webp mapping -wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf +- webp rewrite rules added +- DoS attack CVE fix added +- php7.1 & php7.2 configuration added -# 2) wpcommon files -# php7 -wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf + # 1) add webp mapping + wget -O /etc/nginx/conf.d/webp.conf 
https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf -# php7.1 -wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf + # 2) wpcommon files -# php7.2 -wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf + # php7 + wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf -nginx -t -service nginx reload -``` ----- + # php7.1 + wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf + + # php7.2 + wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf + + nginx -t + service nginx reload + +* * * + +## Security + +* * * + +**Harden SSH Security** +WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config) + + wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config + +**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/) + + # enable ufw log - allow outgoing - deny incoming + ufw logging low + ufw default allow outgoing + ufw default deny incoming + + # SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend + ufw allow 22 + ufw allow 53 + ufw allow http + ufw allow https + ufw allow 21 + ufw allow 123 + ufw allow 161 + ufw allow 6556 + ufw allow 19999 + ufw allow 22222 + + # enable UFW + ufw enable + +**Custom jails for fail2ban** 
+ +- wordpress bruteforce +- ssh +- recidive (after 3 bans) +- backend http auth +- nginx bad bots + + + wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf + wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf + wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf + wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf + + fail2ban-client reload + +**Secure Memcached server** + + echo '-U 0' >> /etc/memcached.conf + sudo systemctl restart memcached ## Optional tools -### Acme.sh -[Github repository](https://github.com/Neilpang/acme.sh) -``` -wget -O - https://get.acme.sh | sh -source ~/.bashrc -``` +### ee-acme-sh +[Github repository](https://virtubox.github.io/ee-acme-sh/) +My script to setup letsencrypt certificates using acme.sh on EasyEngine servers. 
+* subdomain support +* ivp6 support +* wildcards certificates support + + + wget -O - https://get.acme.sh | sh + source ~/.bashrc + +### netdata -### netdata [Github repository](https://github.com/firehol/netdata) -``` -bash <(curl -Ss https://my-netdata.io/kickstart.sh) all -# save 40-60% of netdata memory -echo 1 >/sys/kernel/mm/ksm/run -echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs + bash <(curl -Ss https://my-netdata.io/kickstart.sh) all -# disable email notifications -wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf + # save 40-60% of netdata memory + echo 1 >/sys/kernel/mm/ksm/run + echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs -``` + # disable email notifications + wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf + service netdata restart ### bash-snippets + [Github repository](https://github.com/alexanderepstein/Bash-Snippets) -```bash + +```bash git clone https://github.com/alexanderepstein/Bash-Snippets cd Bash-Snippets git checkout v1.22.0 ./install.sh cheat ``` + usage : cheat command ```bash @@ -293,10 +292,10 @@ root@vps:~ cheat cat ``` ## nanorc - Improved Nano Syntax Highlighting Files + [Github repository](https://github.com/scopatz/nanorc) -``` -wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh -``` + wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh + +Published & maintained by [VirtuBox](https://virtubox.net) -Published & maintained by [VirtuBox](https://virtubox.net) \ No newline at end of file diff --git a/docs/README.md b/docs/README.md index 7f1d6e8..63349e8 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -1,17 +1,20 @@ - # Ubuntu optimized configuration with EasyEngine ----- -## Server Stack : -* Nginx 1.14.x -* PHP-FPM 7/7.1/7.2 -* MariaDB 10.2 -* REDIS 4.0 -* Memcached -* Fail2ban -* Netdata -* UFW ----- +* * * + +## Server Stack : + +- Ubuntu 16.04/18.04 LTS +- Nginx 1.14.x +- PHP-FPM 7/7.1/7.2 +- MariaDB 10.3 +- REDIS 4.0 +- Memcached +- Fail2ban +- Netdata +- UFW + +* * * Configuration files with comments and informations available by following the link **source** 
@@ -19,77 +22,66 @@ Configuration files with comments and informations available by following the li **System update and packages cleanup** -``` -apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean -``` + apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean **Install useful packages** -``` -sudo apt install haveged curl git unzip zip fail2ban htop -y -``` - + + sudo apt install haveged curl git unzip zip fail2ban htop -y + **Tweak Kernel** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) & **Increase open files limits** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf) -``` -modprobe tcp_htcp -wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf -sysctl -p -wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf -``` -**disable transparent hugepage for redis** -``` -echo never > /sys/kernel/mm/transparent_hugepage/enabled -``` ----- + modprobe tcp_htcp + wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf + sysctl -p + wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf + +**disable transparent hugepage for redis** + + echo never > /sys/kernel/mm/transparent_hugepage/enabled + +* * * ## EasyEngine Setup -**Install MariaDB 10.2** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/) +**Install MariaDB 10.3** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/) -``` -curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \ -| sudo bash -s -- --mariadb-server-version=10.2 
--skip-maxscale -sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y -``` + curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \ + | sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale + sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y **Install EasyEngine** -``` -wget -qO ee rt.cx/ee && bash ee -``` + + wget -qO ee rt.cx/ee && bash ee + **enable ee bash_completion** -``` -source /etc/bash_completion.d/ee_auto.rc -``` + + source /etc/bash_completion.d/ee_auto.rc + **Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend** -``` -ee stack install -ee stack install --php7 --redis --admin --phpredisadmin -``` + + ee stack install + ee stack install --php7 --redis --admin --phpredisadmin **Set your email instead of root@localhost** -``` -echo 'root: my.email@address.com' >> /etc/aliases -newaliases -``` + + echo 'root: my.email@address.com' >> /etc/aliases + newaliases **Install Composer - Fix phpmyadmin install issue** -``` -cd ~/ -curl -sS https://getcomposer.org/installer | php -mv composer.phar /usr/bin/composer -sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/ -``` + + cd ~/ + curl -sS https://getcomposer.org/installer | php + mv composer.phar /usr/bin/composer + sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/ **Allow shell for www-data for SFTP usage** -``` -usermod -s /bin/bash www-data -``` -## PHP 7.1 & 7.2 Setup + usermod -s /bin/bash www-data -**Install php7.1-fpm & php7.2-fpm** - +## PHP 7.1 & 7.2 Setup + +**Install php7.1-fpm** ```bash # php7.1-fpm 
@@ -97,188 +89,185 @@ apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1 php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf -service php7.1-fpm restart +wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini +service php7.1-fpm restart +``` + +**Install php7.2-fpm** +``` # php7.2-fpm apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf -service php7.2-fpm restart -``` -add nginx upstreams -``` -wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf -service nginx reload -``` -add ee common configuration -``` -cd /etc/nginx/common || exit -wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip -unzip common.zip -``` -**Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)** -``` -bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh) -``` ----- - -## Custom configurations - -**clean php-fpm php.ini configurations** -``` -# PHP 7.0 -wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini -service php7.0-fpm restart - -# PHP 7.1 -wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini -service php7.1-fpm restart - -# PHP 7.2 wget -O /etc/php/7.2/fpm/php.ini 
https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini service php7.2-fpm restart ``` +**add nginx upstreams** + + wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf + service nginx reload + +add ee common configuration + + cd /etc/nginx/common || exit + wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip + unzip common.zip + +**Compile last Nginx mainline release with [nginx-ee script](https://virtubox.github.io/nginx-ee/)** + + bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh) + +* * * + +## Custom configurations + +**clean php-fpm php.ini configurations** + + # PHP 7.0 + wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini + service php7.0-fpm restart **Nginx optimized configurations** -``` -# TLSv1.2 TLSv1.3 only -wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf + # TLSv1.2 TLSv1.3 only + wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf -# TLS intermediate -wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf + # TLS intermediate + wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf -# TLSv1.2 only -wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf + # TLSv1.2 only + wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf -``` **nginx configuration for netdata & new upstreams** -``` -# custom conf 
for netdata metrics (php-fpm & nginx status pages) -wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default -# add netdata, php7.1 and php7.2 upstream -wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf + # custom conf for netdata metrics (php-fpm & nginx status pages) + wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default -# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/ -wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222 -``` + # add netdata, php7.1 and php7.2 upstream + wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf + + # add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/ + wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222 **wpcommon-php7x configurations** -* webp rewrite rules added -* DoS attack CVE fix added -* php7.1 & php7.2 configuration added -``` -# 1) add webp mapping -wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf +- webp rewrite rules added +- DoS attack CVE fix added +- php7.1 & php7.2 configuration added -# 2) wpcommon files -# php7 -wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf + # 1) add webp mapping + wget -O /etc/nginx/conf.d/webp.conf 
https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf -# php7.1 -wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf + # 2) wpcommon files -# php7.2 -wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf + # php7 + wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf -nginx -t -service nginx reload -``` ----- + # php7.1 + wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf -## Security ----- + # php7.2 + wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf + + nginx -t + service nginx reload + +* * * + +## Security + +* * * **Harden SSH Security** WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config) -``` -wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config -``` + + wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config **UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/) -``` -# enable ufw log - allow outgoing - deny incoming -ufw logging on -ufw default allow outgoing -ufw default deny incoming + # enable ufw log - allow outgoing - deny incoming + ufw logging low + ufw default allow outgoing + ufw default deny incoming -# SSH - DNS - HTTP/S - FTP - NTP - 
SNMP - Librenms - Netdata - EE Backend -ufw allow 22 -ufw allow 53 -ufw allow http -ufw allow https -ufw allow 21 -ufw allow 123 -ufw allow 161 -ufw allow 6556 -ufw allow 19999 -ufw allow 22222 + # SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend + ufw allow 22 + ufw allow 53 + ufw allow http + ufw allow https + ufw allow 21 + ufw allow 123 + ufw allow 161 + ufw allow 6556 + ufw allow 19999 + ufw allow 22222 -# enable UFW -ufw enable -``` + # enable UFW + ufw enable **Custom jails for fail2ban** -* wordpress bruteforce -* ssh -* recidive (after 3 bans) -* backend http auth -* nginx bad bots +- wordpress bruteforce +- ssh +- recidive (after 3 bans) +- backend http auth +- nginx bad bots -``` -wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf -wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf -wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf -wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf -fail2ban-client reload -``` + wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf + wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf + wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf + wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf + + fail2ban-client reload **Secure 
Memcached server** -``` -echo '-U 0' >> /etc/memcached.conf -sudo systemctl restart memcached -``` + + echo '-U 0' >> /etc/memcached.conf + sudo systemctl restart memcached ## Optional tools -### Acme.sh -[Github repository](https://github.com/Neilpang/acme.sh) -``` -wget -O - https://get.acme.sh | sh -source ~/.bashrc -``` +### ee-acme-sh +[Github repository](https://virtubox.github.io/ee-acme-sh/) +My script to setup letsencrypt certificates using acme.sh on EasyEngine servers. +* subdomain support +* ivp6 support +* wildcards certificates support + + + wget -O - https://get.acme.sh | sh + source ~/.bashrc + +### netdata -### netdata [Github repository](https://github.com/firehol/netdata) -``` -bash <(curl -Ss https://my-netdata.io/kickstart.sh) all -# save 40-60% of netdata memory -echo 1 >/sys/kernel/mm/ksm/run -echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs + bash <(curl -Ss https://my-netdata.io/kickstart.sh) all -# disable email notifications -wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf -service netdata restart + # save 40-60% of netdata memory + echo 1 >/sys/kernel/mm/ksm/run + echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs -``` + # disable email notifications + wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf + service netdata restart ### bash-snippets + [Github repository](https://github.com/alexanderepstein/Bash-Snippets) -```bash + +```bash git clone https://github.com/alexanderepstein/Bash-Snippets cd Bash-Snippets git checkout v1.22.0 ./install.sh cheat ``` + usage : cheat command ```bash 
@@ -300,11 +289,10 @@ root@vps:~ cheat cat cat -n file ``` - ## nanorc - Improved Nano Syntax Highlighting Files + [Github repository](https://github.com/scopatz/nanorc) -``` -wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh -``` + + wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh Published & maintained by [VirtuBox](https://virtubox.net) diff --git a/docs/files/etc/sysctl.conf b/docs/files/etc/sysctl.conf new file mode 100644 index 0000000..fffc4f5 --- /dev/null +++ b/docs/files/etc/sysctl.conf 
@@ -0,0 +1,217 @@ +# Kernel sysctl configuration file +# Sources : +# https://easyengine.io/tutorials/linux/sysctl-conf/ +# http://klaver.it/linux/ +# +# +# sysctl -e -p /etc/sysctl.conf +# +# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details. +# +# +### +### GENERAL SYSTEM SECURITY OPTIONS ### +### + +# Controls the System Request debugging functionality of the kernel +kernel.sysrq = 0 + +#Allow for more PIDs +kernel.pid_max = 65535 + +# Controls the maximum size of a message, in bytes +kernel.msgmnb = 65535 + +# Controls the default maxmimum size of a mesage queue +kernel.msgmax = 65535 + +# Restrict core dumps +fs.suid_dumpable = 0 + +# Hide exposed kernel pointers +kernel.kptr_restrict = 1 + +### IMPROVE SYSTEM MEMORY MANAGEMENT ### + +# Increase size of file handles and inode cache +fs.file-max = 2097152 + +# Increase size of file handles and inode cache +fs.file-max = 209708 +# Do less swapping +vm.swappiness = 10 +vm.dirty_ratio = 30 +vm.dirty_background_ratio = 2 + +# Redis configuration +vm.overcommit_memory = 1 + +#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached) +net.ipv4.tcp_syncookies = 1 +net.ipv4.tcp_syn_retries = 2 +net.ipv4.tcp_synack_retries = 2 +net.ipv4.tcp_max_syn_backlog = 4096 + +# Disables packet forwarding +net.ipv4.ip_forward = 0 +net.ipv4.conf.all.forwarding = 0 +net.ipv4.conf.default.forwarding = 0 +net.ipv6.conf.all.forwarding = 0 +net.ipv6.conf.default.forwarding = 0 + +# Disables IP source routing +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 +net.ipv6.conf.all.accept_source_route = 0 +net.ipv6.conf.default.accept_source_route = 0 + +# Enable IP spoofing protection, turn on source route verification +net.ipv4.conf.all.rp_filter = 1 +net.ipv4.conf.default.rp_filter = 1 + +# Disable ICMP Redirect Acceptance 
+net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.default.accept_redirects = 0 +net.ipv4.conf.all.secure_redirects = 0 +net.ipv4.conf.default.secure_redirects = 0 +net.ipv6.conf.all.accept_redirects = 0 +net.ipv6.conf.default.accept_redirects = 0 + +# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets +net.ipv4.conf.all.log_martians = 1 +net.ipv4.conf.default.log_martians = 1 + +# Decrease the time default value for tcp_fin_timeout connection +net.ipv4.tcp_fin_timeout = 7 + +# Decrease the time default value for connections to keep alive +net.ipv4.tcp_keepalive_time = 300 +net.ipv4.tcp_keepalive_probes = 5 +net.ipv4.tcp_keepalive_intvl = 15 + +# Don't relay bootp +net.ipv4.conf.all.bootp_relay = 0 + +# Don't proxy arp for anyone +net.ipv4.conf.all.proxy_arp = 0 + +# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better +net.ipv4.tcp_timestamps = 1 + +# Don't ignore directed pings +net.ipv4.icmp_echo_ignore_all = 0 + +# Enable ignoring broadcasts request +net.ipv4.icmp_echo_ignore_broadcasts = 1 + +# Enable bad error message Protection +net.ipv4.icmp_ignore_bogus_error_responses = 1 + +# Allowed local port range +net.ipv4.ip_local_port_range = 16384 65535 + +# Enable a fix for RFC1337 - time-wait assassination hazards in TCP +net.ipv4.tcp_rfc1337 = 1 + +# Do not auto-configure IPv6 +net.ipv6.conf.all.autoconf=0 +net.ipv6.conf.all.accept_ra=0 +net.ipv6.conf.default.autoconf=0 +net.ipv6.conf.default.accept_ra=0 + + +### +### TUNING NETWORK PERFORMANCE ### +### + +# For high-bandwidth low-latency networks, use 'htcp' congestion control +# Do a 'modprobe tcp_htcp' first +net.ipv4.tcp_congestion_control = htcp + +# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12) +net.core.default_qdisc = fq + +# Turn on the tcp_window_scaling +net.ipv4.tcp_window_scaling = 1 + +# Increase the read-buffer space allocatable +net.ipv4.tcp_rmem = 8192 87380 16777216 
+net.ipv4.udp_rmem_min = 16384 +net.core.rmem_default = 262144 +net.core.rmem_max = 16777216 + +# Increase the write-buffer-space allocatable +net.ipv4.tcp_wmem = 8192 65536 16777216 +net.ipv4.udp_wmem_min = 16384 +net.core.wmem_default = 262144 +net.core.wmem_max = 16777216 + +# Increase number of incoming connections +net.core.somaxconn = 32768 + +# Increase number of incoming connections backlog +net.core.netdev_max_backlog = 16384 +net.core.dev_weight = 64 + +# Increase the maximum amount of option memory buffers +net.core.optmem_max = 65535 + +# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks +net.ipv4.tcp_max_tw_buckets = 1440000 + +# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT) +net.ipv4.tcp_tw_recycle = 0 +net.ipv4.tcp_tw_reuse = 1 + +# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory +net.ipv4.tcp_max_orphans = 16384 +net.ipv4.tcp_orphan_retries = 0 + +# Increase the maximum memory used to reassemble IP fragments +net.ipv4.ipfrag_high_thresh = 512000 +net.ipv4.ipfrag_low_thresh = 446464 + +# don't cache ssthresh from previous connection +net.ipv4.tcp_no_metrics_save = 1 +net.ipv4.tcp_moderate_rcvbuf = 1 + +# Increase size of RPC datagram queue length +net.unix.max_dgram_qlen = 50 + +# Don't allow the arp table to become bigger than this +net.ipv4.neigh.default.gc_thresh3 = 2048 + +# Tell the gc when to become aggressive with arp table cleaning. +# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks +net.ipv4.neigh.default.gc_thresh2 = 1024 + +# Adjust where the gc will leave arp table alone - set to 32. 
+net.ipv4.neigh.default.gc_thresh1 = 32 + +# Adjust to arp table gc to clean-up more often +net.ipv4.neigh.default.gc_interval = 30 + +# Increase TCP queue length +net.ipv4.neigh.default.proxy_qlen = 96 +net.ipv4.neigh.default.unres_qlen = 6 + +# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you +net.ipv4.tcp_ecn = 1 +net.ipv4.tcp_reordering = 3 + +# How many times to retry killing an alive TCP connection +net.ipv4.tcp_retries2 = 15 +net.ipv4.tcp_retries1 = 3 + +# Avoid falling back to slow start after a connection goes idle +# keeps our cwnd large with the keep alive connections (kernel > 3.6) +net.ipv4.tcp_slow_start_after_idle = 0 + +# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7) +net.ipv4.tcp_fastopen = 3 + +# This will enusre that immediatly subsequent connections use the new values +net.ipv4.route.flush = 1 +net.ipv6.route.flush = 1 diff --git a/etc/nginx/nginx-intermediate.conf b/etc/nginx/nginx-intermediate.conf index 55d1437..2cee242 100644 --- a/etc/nginx/nginx-intermediate.conf +++ b/etc/nginx/nginx-intermediate.conf @@ -25,7 +25,7 @@ http server_tokens off; reset_timedout_connection on; - add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox"; + add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox"; add_header rt-Fastcgi-Cache $upstream_cache_status; # Limit Request diff --git a/etc/nginx/nginx-tlsv12.conf b/etc/nginx/nginx-tlsv12.conf index cf6cdd1..351afa5 100644 --- a/etc/nginx/nginx-tlsv12.conf +++ b/etc/nginx/nginx-tlsv12.conf @@ -25,7 +25,7 @@ http server_tokens off; reset_timedout_connection on; - add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox"; + add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox"; add_header rt-Fastcgi-Cache $upstream_cache_status; # Limit Request diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf index 0cb9e59..845f86f 100644 --- a/etc/nginx/nginx.conf 
+++ b/etc/nginx/nginx.conf @@ -25,7 +25,7 @@ http server_tokens off; reset_timedout_connection on; - add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox"; + add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox"; add_header rt-Fastcgi-Cache $upstream_cache_status; # Limit Request diff --git a/etc/nginx/proxy_params b/etc/nginx/proxy_params new file mode 100644 index 0000000..8cfa9cd --- /dev/null +++ b/etc/nginx/proxy_params @@ -0,0 +1,10 @@ +proxy_set_header Host $http_host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_buffering on; +proxy_buffer_size 128k; +proxy_buffers 256 16k; +proxy_busy_buffers_size 256k; +proxy_temp_file_write_size 256k; +proxy_max_temp_file_size 0; diff --git a/etc/php/7.1/fpm/php.ini b/etc/php/7.1/fpm/php.ini index 09e7007..271f280 100644 --- a/etc/php/7.1/fpm/php.ini +++ b/etc/php/7.1/fpm/php.ini @@ -14,7 +14,7 @@ zend.enable_gc = On expose_php = Off max_execution_time = 300 max_input_time = 600 -max_input_vars = 5000 +max_input_vars = 10000 memory_limit = 256M error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT display_errors = Off diff --git a/etc/php/7.2/fpm/php.ini b/etc/php/7.2/fpm/php.ini index 60912ae..7be1582 100644 --- a/etc/php/7.2/fpm/php.ini +++ b/etc/php/7.2/fpm/php.ini @@ -12,7 +12,7 @@ disable_classes = zend.enable_gc = On expose_php = Off max_execution_time = 300 -max_input_vars = 5000 +max_input_vars = 10000 max_input_time = 600 memory_limit = 256M error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT diff --git a/scripts/init.sh b/scripts/init.sh index 56955de..cab4ab7 100644 --- a/scripts/init.sh +++ b/scripts/init.sh @@ -90,6 +90,8 @@ cat <~/.my.cnf password=$ROOT_SQL_PASS EOF +cp ~/.my.cnf /etc/mysql/conf.d/my.cnf + wget -qO ee rt.cx/ee && bash ee ee stack install
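Review bot: in the README hunk `@@ -21,124 +24,66 @@`, the UFW block opens administrative and monitoring ports (22222 EasyEngine backend, 19999 netdata, 6556, 161/SNMP, 21/FTP) to every source address; these services carry credentials or expose host metrics, so restrict them to the admin network, e.g. `ufw allow from 203.0.113.10 to any port 19999 proto tcp` (placeholder address), and drop 21 unless FTP is actually used on this stack. The section titled "ee-acme-sh" links to VirtuBox's script, but the command under it (`wget -O - https://get.acme.sh | sh`) installs upstream acme.sh, so either the heading or the command needs updating; "ivp6 support" should read "IPv6 support".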
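Review bot: in the README hunk `@@ -300,11 +289,10 @@`, the nanorc step pipes an unpinned install script from a third-party repository's master branch straight into `sh`, so whatever is on that branch at install time runs with the privileges of whoever follows the README; pin a release tag or commit hash in the URL, or download the script first and review it before executing it.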
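Review bot: in docs/files/etc/sysctl.conf, `fs.file-max` is set twice with different values (2097152, then 209708 a few lines later under a duplicated comment); sysctl applies keys in order, so the second assignment wins and the effective limit is ten times lower than the first line intends. Remove the duplicate and keep a single `fs.file-max = 2097152`. The comments on `kernel.msgmnb` and `kernel.msgmax` are swapped: msgmax bounds the size of a single message, msgmnb the default size of a message queue in bytes. Minor: the IPv6 autoconf lines use `key=value` while the rest of the file uses `key = value`, and "maxmimum", "mesage", "enusre" and "immediatly" are typos.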
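Review bot: in all three nginx hunks (nginx-intermediate.conf, nginx-tlsv12.conf, nginx.conf) the `X-Powered-By` header advertises the exact EasyEngine version, which undoes the `server_tokens off;` two lines above it; the header is purely informational, so drop it or strip the version, e.g. `add_header X-Powered-By "EasyEngine";`. Keeping three identical copies also makes every version bump a three-file edit, as this diff shows; an `include` for the shared headers would avoid that.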
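Review bot: in etc/nginx/proxy_params, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever X-Forwarded-For the client already sent, so an upstream that reads the first address in that header can be handed a spoofed client IP; either document that upstreams must use the last hop (and only trust the header when this nginx is the edge), or set it from `$remote_addr` alone when nothing sits in front of nginx. `Host $http_host` forwards the raw client header, which can be empty for HTTP/1.0 requests; `$host` falls back to the server name and is the safer default.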
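Review bot: the `max_input_vars` increase from 5000 to 10000 in both php.ini hunks (7.1 and 7.2) comes with no explanation; the setting bounds how many GET/POST/cookie variables PHP will parse per request, so add a comment next to the value stating why it is raised (large WordPress menus are the usual reason) and keep it as low as the deployed sites need. The 7.1 and 7.2 files also list `max_input_time` and `max_input_vars` in different orders, worth aligning so diffs between versions stay readable.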
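Review bot: in scripts/init.sh, `cp ~/.my.cnf /etc/mysql/conf.d/my.cnf` copies the MariaDB root password, just written to `~/.my.cnf` by the heredoc above, into a directory whose files are normally world-readable; `cp` creates the target with the umask default (typically 0644), so any local user, including the account the web applications run as, can read the root SQL password. If EasyEngine needs the copy, create it with `install -m 600 -o root -g root ~/.my.cnf /etc/mysql/conf.d/my.cnf` and verify with `stat -c %a /etc/mysql/conf.d/my.cnf` afterwards.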