update version and cleanup readme
* mariadb 10.3 * ee v3.8.1 * Ubuntu 18.04 TLS
Cette révision appartient à :
Parent
da2c8ffc3c
révision
741817f489
383
README.md
383
README.md
|
@ -1,17 +1,20 @@
|
|||
# Optimized configuration for Ubuntu server with EasyEngine
|
||||
|
||||
* * *
|
||||
|
||||
# Ubuntu optimized configuration with EasyEngine
|
||||
----
|
||||
## Server Stack :
|
||||
* Nginx 1.14.x
|
||||
* PHP-FPM 7/7.1/7.2
|
||||
* MariaDB 10.2
|
||||
* REDIS 4.0
|
||||
* Memcached
|
||||
* Fail2ban
|
||||
* Netdata
|
||||
* UFW
|
||||
|
||||
----
|
||||
- Ubuntu 16.04/18.04 LTS
|
||||
- Nginx 1.14.x
|
||||
- PHP-FPM 7/7.1/7.2
|
||||
- MariaDB 10.3
|
||||
- REDIS 4.0
|
||||
- Memcached
|
||||
- Fail2ban
|
||||
- Netdata
|
||||
- UFW
|
||||
|
||||
* * *
|
||||
|
||||
## All Instructions and informations are listed on the [Github page](https://virtubox.github.io/ubuntu-nginx-web-server/)
|
||||
|
||||
|
@ -21,124 +24,66 @@ Configuration files with comments and informations available by following the li
|
|||
|
||||
**System update and packages cleanup**
|
||||
|
||||
```
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
|
||||
```
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
|
||||
|
||||
**Install useful packages**
|
||||
```
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop -y
|
||||
```
|
||||
|
||||
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop -y
|
||||
|
||||
**Tweak Kernel** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) &
|
||||
**Increase open files limits** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
||||
```
|
||||
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
|
||||
```
|
||||
|
||||
modprobe tcp_htcp
|
||||
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
|
||||
|
||||
**disable transparent hugepage for redis**
|
||||
```
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
```
|
||||
|
||||
## Security
|
||||
----
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
|
||||
**Harden SSH Security**
|
||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
||||
```
|
||||
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
|
||||
```
|
||||
|
||||
**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||
|
||||
```
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging on
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
|
||||
# enable UFW
|
||||
ufw enable
|
||||
```
|
||||
|
||||
|
||||
----
|
||||
* * *
|
||||
|
||||
## EasyEngine Setup
|
||||
|
||||
**Install MariaDB 10.2** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
**Install MariaDB 10.3** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
|
||||
```
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.2 --skip-maxscale
|
||||
sudo apt update
|
||||
sudo apt install mariadb-server
|
||||
```
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
|
||||
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
|
||||
|
||||
**Install EasyEngine**
|
||||
```
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
```
|
||||
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
|
||||
**enable ee bash_completion**
|
||||
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
|
||||
**Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend**
|
||||
```
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
```
|
||||
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
|
||||
**Set your email instead of root@localhost**
|
||||
```
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
```
|
||||
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
|
||||
**Install Composer - Fix phpmyadmin install issue**
|
||||
```
|
||||
cd ~/
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
|
||||
```
|
||||
|
||||
cd ~/
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
|
||||
|
||||
**Allow shell for www-data for SFTP usage**
|
||||
```
|
||||
usermod -s /bin/bash www-data
|
||||
```
|
||||
|
||||
**Custom jails for fail2ban**
|
||||
usermod -s /bin/bash www-data
|
||||
|
||||
* wordpress bruteforce
|
||||
* ssh
|
||||
* recidive (after 3 bans)
|
||||
* backend http auth
|
||||
* nginx bad bots
|
||||
## PHP 7.1 & 7.2 Setup
|
||||
|
||||
```
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
|
||||
|
||||
fail2ban-client reload
|
||||
```
|
||||
|
||||
## PHP 7.1 & 7.2 Setup
|
||||
|
||||
**Install php7.1-fpm & php7.2-fpm**
|
||||
|
||||
**Install php7.1-fpm**
|
||||
|
||||
```bash
|
||||
# php7.1-fpm
|
||||
|
@ -146,131 +91,185 @@ apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1
|
|||
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
|
||||
|
||||
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
|
||||
service php7.1-fpm restart
|
||||
|
||||
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
|
||||
service php7.1-fpm restart
|
||||
```
|
||||
|
||||
**Install php7.2-fpm**
|
||||
```
|
||||
# php7.2-fpm
|
||||
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
|
||||
|
||||
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
|
||||
service php7.2-fpm restart
|
||||
```
|
||||
add nginx upstreams
|
||||
```
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
service nginx reload
|
||||
```
|
||||
add ee common configuration
|
||||
```
|
||||
cd /etc/nginx/common || exit
|
||||
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
|
||||
unzip common.zip
|
||||
```
|
||||
**Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)**
|
||||
|
||||
```
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
```
|
||||
----
|
||||
|
||||
## Custom configurations
|
||||
|
||||
**clean php-fpm php.ini configurations**
|
||||
```
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
|
||||
service php7.0-fpm restart
|
||||
|
||||
# PHP 7.1
|
||||
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
|
||||
service php7.1-fpm restart
|
||||
|
||||
# PHP 7.2
|
||||
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
|
||||
service php7.2-fpm restart
|
||||
```
|
||||
|
||||
**add nginx upstreams**
|
||||
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
service nginx reload
|
||||
|
||||
add ee common configuration
|
||||
|
||||
cd /etc/nginx/common || exit
|
||||
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
|
||||
unzip common.zip
|
||||
|
||||
**Compile last Nginx mainline release with [nginx-ee script](https://virtubox.github.io/nginx-ee/)**
|
||||
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
|
||||
* * *
|
||||
|
||||
## Custom configurations
|
||||
|
||||
**clean php-fpm php.ini configurations**
|
||||
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
|
||||
service php7.0-fpm restart
|
||||
|
||||
**Nginx optimized configurations**
|
||||
```
|
||||
|
||||
# TLSv1.2 TLSv1.3 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
|
||||
# TLSv1.2 TLSv1.3 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
|
||||
|
||||
# TLS intermediate
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
|
||||
# TLS intermediate
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
|
||||
|
||||
# TLSv1.2 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
|
||||
# TLSv1.2 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
|
||||
|
||||
```
|
||||
**nginx configuration for netdata & new upstreams**
|
||||
```
|
||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
||||
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
|
||||
|
||||
# add netdata, php7.1 and php7.2 upstream
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
||||
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
|
||||
|
||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
|
||||
```
|
||||
# add netdata, php7.1 and php7.2 upstream
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
|
||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
|
||||
|
||||
**wpcommon-php7x configurations**
|
||||
* webp rewrite rules added
|
||||
* DoS attack CVE fix added
|
||||
* php7.1 & php7.2 configuration added
|
||||
|
||||
```
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
|
||||
- webp rewrite rules added
|
||||
- DoS attack CVE fix added
|
||||
- php7.1 & php7.2 configuration added
|
||||
|
||||
# 2) wpcommon files
|
||||
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
|
||||
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
|
||||
# 2) wpcommon files
|
||||
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
|
||||
|
||||
nginx -t
|
||||
service nginx reload
|
||||
```
|
||||
----
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
|
||||
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
|
||||
|
||||
nginx -t
|
||||
service nginx reload
|
||||
|
||||
* * *
|
||||
|
||||
## Security
|
||||
|
||||
* * *
|
||||
|
||||
**Harden SSH Security**
|
||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
||||
|
||||
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
|
||||
|
||||
**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging low
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
|
||||
# enable UFW
|
||||
ufw enable
|
||||
|
||||
**Custom jails for fail2ban**
|
||||
|
||||
- wordpress bruteforce
|
||||
- ssh
|
||||
- recidive (after 3 bans)
|
||||
- backend http auth
|
||||
- nginx bad bots
|
||||
|
||||
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
|
||||
|
||||
fail2ban-client reload
|
||||
|
||||
**Secure Memcached server**
|
||||
|
||||
echo '-U 0' >> /etc/memcached.conf
|
||||
sudo systemctl restart memcached
|
||||
|
||||
## Optional tools
|
||||
|
||||
### Acme.sh
|
||||
[Github repository](https://github.com/Neilpang/acme.sh)
|
||||
```
|
||||
wget -O - https://get.acme.sh | sh
|
||||
source ~/.bashrc
|
||||
```
|
||||
### ee-acme-sh
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/)
|
||||
My script to setup letsencrypt certificates using acme.sh on EasyEngine servers.
|
||||
* subdomain support
|
||||
* ivp6 support
|
||||
* wildcards certificates support
|
||||
|
||||
|
||||
wget -O - https://get.acme.sh | sh
|
||||
source ~/.bashrc
|
||||
|
||||
### netdata
|
||||
|
||||
### netdata
|
||||
[Github repository](https://github.com/firehol/netdata)
|
||||
```
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
|
||||
# disable email notifications
|
||||
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
|
||||
```
|
||||
# disable email notifications
|
||||
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
|
||||
service netdata restart
|
||||
|
||||
### bash-snippets
|
||||
|
||||
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
|
||||
```bash
|
||||
|
||||
```bash
|
||||
git clone https://github.com/alexanderepstein/Bash-Snippets
|
||||
cd Bash-Snippets
|
||||
git checkout v1.22.0
|
||||
./install.sh cheat
|
||||
```
|
||||
|
||||
usage : cheat command
|
||||
|
||||
```bash
|
||||
|
@ -293,10 +292,10 @@ root@vps:~ cheat cat
|
|||
```
|
||||
|
||||
## nanorc - Improved Nano Syntax Highlighting Files
|
||||
|
||||
[Github repository](https://github.com/scopatz/nanorc)
|
||||
```
|
||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
||||
```
|
||||
|
||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
||||
|
||||
Published & maintained by [VirtuBox](https://virtubox.net)
|
||||
|
||||
Published & maintained by [VirtuBox](https://virtubox.net)
|
366
docs/README.md
366
docs/README.md
|
@ -1,17 +1,20 @@
|
|||
|
||||
# Ubuntu optimized configuration with EasyEngine
|
||||
----
|
||||
## Server Stack :
|
||||
* Nginx 1.14.x
|
||||
* PHP-FPM 7/7.1/7.2
|
||||
* MariaDB 10.2
|
||||
* REDIS 4.0
|
||||
* Memcached
|
||||
* Fail2ban
|
||||
* Netdata
|
||||
* UFW
|
||||
|
||||
----
|
||||
* * *
|
||||
|
||||
## Server Stack :
|
||||
|
||||
- Ubuntu 16.04/18.04 LTS
|
||||
- Nginx 1.14.x
|
||||
- PHP-FPM 7/7.1/7.2
|
||||
- MariaDB 10.3
|
||||
- REDIS 4.0
|
||||
- Memcached
|
||||
- Fail2ban
|
||||
- Netdata
|
||||
- UFW
|
||||
|
||||
* * *
|
||||
|
||||
Configuration files with comments and informations available by following the link **source**
|
||||
|
||||
|
@ -19,77 +22,66 @@ Configuration files with comments and informations available by following the li
|
|||
|
||||
**System update and packages cleanup**
|
||||
|
||||
```
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
|
||||
```
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
|
||||
|
||||
**Install useful packages**
|
||||
```
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop -y
|
||||
```
|
||||
|
||||
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop -y
|
||||
|
||||
**Tweak Kernel** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) &
|
||||
**Increase open files limits** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
||||
```
|
||||
modprobe tcp_htcp
|
||||
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
|
||||
```
|
||||
**disable transparent hugepage for redis**
|
||||
```
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
```
|
||||
|
||||
----
|
||||
modprobe tcp_htcp
|
||||
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
|
||||
|
||||
**disable transparent hugepage for redis**
|
||||
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
|
||||
* * *
|
||||
|
||||
## EasyEngine Setup
|
||||
|
||||
**Install MariaDB 10.2** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
**Install MariaDB 10.3** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
|
||||
```
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.2 --skip-maxscale
|
||||
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
|
||||
```
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
|
||||
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
|
||||
|
||||
**Install EasyEngine**
|
||||
```
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
```
|
||||
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
|
||||
**enable ee bash_completion**
|
||||
```
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
```
|
||||
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
|
||||
**Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend**
|
||||
```
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
```
|
||||
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
|
||||
**Set your email instead of root@localhost**
|
||||
```
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
```
|
||||
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
|
||||
**Install Composer - Fix phpmyadmin install issue**
|
||||
```
|
||||
cd ~/
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
|
||||
```
|
||||
|
||||
cd ~/
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
|
||||
|
||||
**Allow shell for www-data for SFTP usage**
|
||||
```
|
||||
usermod -s /bin/bash www-data
|
||||
```
|
||||
|
||||
## PHP 7.1 & 7.2 Setup
|
||||
usermod -s /bin/bash www-data
|
||||
|
||||
**Install php7.1-fpm & php7.2-fpm**
|
||||
|
||||
## PHP 7.1 & 7.2 Setup
|
||||
|
||||
**Install php7.1-fpm**
|
||||
|
||||
```bash
|
||||
# php7.1-fpm
|
||||
|
@ -97,188 +89,185 @@ apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1
|
|||
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
|
||||
|
||||
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
|
||||
service php7.1-fpm restart
|
||||
|
||||
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
|
||||
service php7.1-fpm restart
|
||||
```
|
||||
|
||||
**Install php7.2-fpm**
|
||||
```
|
||||
# php7.2-fpm
|
||||
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
|
||||
|
||||
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
|
||||
service php7.2-fpm restart
|
||||
```
|
||||
add nginx upstreams
|
||||
```
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
service nginx reload
|
||||
```
|
||||
add ee common configuration
|
||||
```
|
||||
cd /etc/nginx/common || exit
|
||||
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
|
||||
unzip common.zip
|
||||
```
|
||||
**Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)**
|
||||
|
||||
```
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
```
|
||||
----
|
||||
|
||||
## Custom configurations
|
||||
|
||||
**clean php-fpm php.ini configurations**
|
||||
```
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
|
||||
service php7.0-fpm restart
|
||||
|
||||
# PHP 7.1
|
||||
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
|
||||
service php7.1-fpm restart
|
||||
|
||||
# PHP 7.2
|
||||
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
|
||||
service php7.2-fpm restart
|
||||
```
|
||||
|
||||
**add nginx upstreams**
|
||||
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
service nginx reload
|
||||
|
||||
add ee common configuration
|
||||
|
||||
cd /etc/nginx/common || exit
|
||||
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
|
||||
unzip common.zip
|
||||
|
||||
**Compile last Nginx mainline release with [nginx-ee script](https://virtubox.github.io/nginx-ee/)**
|
||||
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
|
||||
* * *
|
||||
|
||||
## Custom configurations
|
||||
|
||||
**clean php-fpm php.ini configurations**
|
||||
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
|
||||
service php7.0-fpm restart
|
||||
|
||||
**Nginx optimized configurations**
|
||||
```
|
||||
|
||||
# TLSv1.2 TLSv1.3 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
|
||||
# TLSv1.2 TLSv1.3 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
|
||||
|
||||
# TLS intermediate
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
|
||||
# TLS intermediate
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
|
||||
|
||||
# TLSv1.2 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
|
||||
# TLSv1.2 only
|
||||
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
|
||||
|
||||
```
|
||||
**nginx configuration for netdata & new upstreams**
|
||||
```
|
||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
||||
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
|
||||
|
||||
# add netdata, php7.1 and php7.2 upstream
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
||||
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
|
||||
|
||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
|
||||
```
|
||||
# add netdata, php7.1 and php7.2 upstream
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
|
||||
|
||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
|
||||
|
||||
**wpcommon-php7x configurations**
|
||||
* webp rewrite rules added
|
||||
* DoS attack CVE fix added
|
||||
* php7.1 & php7.2 configuration added
|
||||
|
||||
```
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
|
||||
- webp rewrite rules added
|
||||
- DoS attack CVE fix added
|
||||
- php7.1 & php7.2 configuration added
|
||||
|
||||
# 2) wpcommon files
|
||||
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
|
||||
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
|
||||
# 2) wpcommon files
|
||||
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
|
||||
|
||||
nginx -t
|
||||
service nginx reload
|
||||
```
|
||||
----
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
|
||||
|
||||
## Security
|
||||
----
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
|
||||
|
||||
nginx -t
|
||||
service nginx reload
|
||||
|
||||
* * *
|
||||
|
||||
## Security
|
||||
|
||||
* * *
|
||||
|
||||
**Harden SSH Security**
|
||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
||||
```
|
||||
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
|
||||
```
|
||||
|
||||
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
|
||||
|
||||
**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||
|
||||
```
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging on
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging low
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
|
||||
# enable UFW
|
||||
ufw enable
|
||||
```
|
||||
# enable UFW
|
||||
ufw enable
|
||||
|
||||
**Custom jails for fail2ban**
|
||||
|
||||
* wordpress bruteforce
|
||||
* ssh
|
||||
* recidive (after 3 bans)
|
||||
* backend http auth
|
||||
* nginx bad bots
|
||||
- wordpress bruteforce
|
||||
- ssh
|
||||
- recidive (after 3 bans)
|
||||
- backend http auth
|
||||
- nginx bad bots
|
||||
|
||||
```
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
|
||||
|
||||
fail2ban-client reload
|
||||
```
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
|
||||
|
||||
fail2ban-client reload
|
||||
|
||||
**Secure Memcached server**
|
||||
```
|
||||
echo '-U 0' >> /etc/memcached.conf
|
||||
sudo systemctl restart memcached
|
||||
```
|
||||
|
||||
echo '-U 0' >> /etc/memcached.conf
|
||||
sudo systemctl restart memcached
|
||||
|
||||
## Optional tools
|
||||
|
||||
### Acme.sh
|
||||
[Github repository](https://github.com/Neilpang/acme.sh)
|
||||
```
|
||||
wget -O - https://get.acme.sh | sh
|
||||
source ~/.bashrc
|
||||
```
|
||||
### ee-acme-sh
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/)
|
||||
My script to setup letsencrypt certificates using acme.sh on EasyEngine servers.
|
||||
* subdomain support
|
||||
* ivp6 support
|
||||
* wildcards certificates support
|
||||
|
||||
|
||||
wget -O - https://get.acme.sh | sh
|
||||
source ~/.bashrc
|
||||
|
||||
### netdata
|
||||
|
||||
### netdata
|
||||
[Github repository](https://github.com/firehol/netdata)
|
||||
```
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
|
||||
# disable email notifications
|
||||
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
|
||||
service netdata restart
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
|
||||
```
|
||||
# disable email notifications
|
||||
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
|
||||
service netdata restart
|
||||
|
||||
### bash-snippets
|
||||
|
||||
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
|
||||
```bash
|
||||
|
||||
```bash
|
||||
git clone https://github.com/alexanderepstein/Bash-Snippets
|
||||
cd Bash-Snippets
|
||||
git checkout v1.22.0
|
||||
./install.sh cheat
|
||||
```
|
||||
|
||||
usage : cheat command
|
||||
|
||||
```bash
|
||||
|
@ -300,11 +289,10 @@ root@vps:~ cheat cat
|
|||
cat -n file
|
||||
```
|
||||
|
||||
|
||||
## nanorc - Improved Nano Syntax Highlighting Files
|
||||
|
||||
[Github repository](https://github.com/scopatz/nanorc)
|
||||
```
|
||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
||||
```
|
||||
|
||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
||||
|
||||
Published & maintained by [VirtuBox](https://virtubox.net)
|
||||
|
|
|
@ -0,0 +1,217 @@
|
|||
# Kernel sysctl configuration file
|
||||
# Sources :
|
||||
# https://easyengine.io/tutorials/linux/sysctl-conf/
|
||||
# http://klaver.it/linux/
|
||||
#
|
||||
#
|
||||
# sysctl -e -p /etc/sysctl.conf
|
||||
#
|
||||
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
|
||||
#
|
||||
#
|
||||
###
|
||||
### GENERAL SYSTEM SECURITY OPTIONS ###
|
||||
###
|
||||
|
||||
# Controls the System Request debugging functionality of the kernel
|
||||
kernel.sysrq = 0
|
||||
|
||||
#Allow for more PIDs
|
||||
kernel.pid_max = 65535
|
||||
|
||||
# Controls the maximum size of a message, in bytes
|
||||
kernel.msgmnb = 65535
|
||||
|
||||
# Controls the default maxmimum size of a mesage queue
|
||||
kernel.msgmax = 65535
|
||||
|
||||
# Restrict core dumps
|
||||
fs.suid_dumpable = 0
|
||||
|
||||
# Hide exposed kernel pointers
|
||||
kernel.kptr_restrict = 1
|
||||
|
||||
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
|
||||
|
||||
# Increase size of file handles and inode cache
|
||||
fs.file-max = 2097152
|
||||
|
||||
# Increase size of file handles and inode cache
|
||||
fs.file-max = 209708
|
||||
# Do less swapping
|
||||
vm.swappiness = 10
|
||||
vm.dirty_ratio = 30
|
||||
vm.dirty_background_ratio = 2
|
||||
|
||||
# Redis configuration
|
||||
vm.overcommit_memory = 1
|
||||
|
||||
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
net.ipv4.tcp_syn_retries = 2
|
||||
net.ipv4.tcp_synack_retries = 2
|
||||
net.ipv4.tcp_max_syn_backlog = 4096
|
||||
|
||||
# Disables packet forwarding
|
||||
net.ipv4.ip_forward = 0
|
||||
net.ipv4.conf.all.forwarding = 0
|
||||
net.ipv4.conf.default.forwarding = 0
|
||||
net.ipv6.conf.all.forwarding = 0
|
||||
net.ipv6.conf.default.forwarding = 0
|
||||
|
||||
# Disables IP source routing
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
net.ipv4.conf.all.accept_source_route = 0
|
||||
net.ipv4.conf.default.accept_source_route = 0
|
||||
net.ipv6.conf.all.accept_source_route = 0
|
||||
net.ipv6.conf.default.accept_source_route = 0
|
||||
|
||||
# Enable IP spoofing protection, turn on source route verification
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
|
||||
# Disable ICMP Redirect Acceptance
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.all.secure_redirects = 0
|
||||
net.ipv4.conf.default.secure_redirects = 0
|
||||
net.ipv6.conf.all.accept_redirects = 0
|
||||
net.ipv6.conf.default.accept_redirects = 0
|
||||
|
||||
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
|
||||
net.ipv4.conf.all.log_martians = 1
|
||||
net.ipv4.conf.default.log_martians = 1
|
||||
|
||||
# Decrease the time default value for tcp_fin_timeout connection
|
||||
net.ipv4.tcp_fin_timeout = 7
|
||||
|
||||
# Decrease the time default value for connections to keep alive
|
||||
net.ipv4.tcp_keepalive_time = 300
|
||||
net.ipv4.tcp_keepalive_probes = 5
|
||||
net.ipv4.tcp_keepalive_intvl = 15
|
||||
|
||||
# Don't relay bootp
|
||||
net.ipv4.conf.all.bootp_relay = 0
|
||||
|
||||
# Don't proxy arp for anyone
|
||||
net.ipv4.conf.all.proxy_arp = 0
|
||||
|
||||
# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
|
||||
# Don't ignore directed pings
|
||||
net.ipv4.icmp_echo_ignore_all = 0
|
||||
|
||||
# Enable ignoring broadcasts request
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
|
||||
# Enable bad error message Protection
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Allowed local port range
|
||||
net.ipv4.ip_local_port_range = 16384 65535
|
||||
|
||||
# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
|
||||
net.ipv4.tcp_rfc1337 = 1
|
||||
|
||||
# Do not auto-configure IPv6
|
||||
net.ipv6.conf.all.autoconf=0
|
||||
net.ipv6.conf.all.accept_ra=0
|
||||
net.ipv6.conf.default.autoconf=0
|
||||
net.ipv6.conf.default.accept_ra=0
|
||||
|
||||
|
||||
###
|
||||
### TUNING NETWORK PERFORMANCE ###
|
||||
###
|
||||
|
||||
# For high-bandwidth low-latency networks, use 'htcp' congestion control
|
||||
# Do a 'modprobe tcp_htcp' first
|
||||
net.ipv4.tcp_congestion_control = htcp
|
||||
|
||||
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
|
||||
net.core.default_qdisc = fq
|
||||
|
||||
# Turn on the tcp_window_scaling
|
||||
net.ipv4.tcp_window_scaling = 1
|
||||
|
||||
# Increase the read-buffer space allocatable
|
||||
net.ipv4.tcp_rmem = 8192 87380 16777216
|
||||
net.ipv4.udp_rmem_min = 16384
|
||||
net.core.rmem_default = 262144
|
||||
net.core.rmem_max = 16777216
|
||||
|
||||
# Increase the write-buffer-space allocatable
|
||||
net.ipv4.tcp_wmem = 8192 65536 16777216
|
||||
net.ipv4.udp_wmem_min = 16384
|
||||
net.core.wmem_default = 262144
|
||||
net.core.wmem_max = 16777216
|
||||
|
||||
# Increase number of incoming connections
|
||||
net.core.somaxconn = 32768
|
||||
|
||||
# Increase number of incoming connections backlog
|
||||
net.core.netdev_max_backlog = 16384
|
||||
net.core.dev_weight = 64
|
||||
|
||||
# Increase the maximum amount of option memory buffers
|
||||
net.core.optmem_max = 65535
|
||||
|
||||
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
|
||||
net.ipv4.tcp_max_tw_buckets = 1440000
|
||||
|
||||
# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
|
||||
net.ipv4.tcp_tw_recycle = 0
|
||||
net.ipv4.tcp_tw_reuse = 1
|
||||
|
||||
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
|
||||
net.ipv4.tcp_max_orphans = 16384
|
||||
net.ipv4.tcp_orphan_retries = 0
|
||||
|
||||
# Increase the maximum memory used to reassemble IP fragments
|
||||
net.ipv4.ipfrag_high_thresh = 512000
|
||||
net.ipv4.ipfrag_low_thresh = 446464
|
||||
|
||||
# don't cache ssthresh from previous connection
|
||||
net.ipv4.tcp_no_metrics_save = 1
|
||||
net.ipv4.tcp_moderate_rcvbuf = 1
|
||||
|
||||
# Increase size of RPC datagram queue length
|
||||
net.unix.max_dgram_qlen = 50
|
||||
|
||||
# Don't allow the arp table to become bigger than this
|
||||
net.ipv4.neigh.default.gc_thresh3 = 2048
|
||||
|
||||
# Tell the gc when to become aggressive with arp table cleaning.
|
||||
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
|
||||
net.ipv4.neigh.default.gc_thresh2 = 1024
|
||||
|
||||
# Adjust where the gc will leave arp table alone - set to 32.
|
||||
net.ipv4.neigh.default.gc_thresh1 = 32
|
||||
|
||||
# Adjust to arp table gc to clean-up more often
|
||||
net.ipv4.neigh.default.gc_interval = 30
|
||||
|
||||
# Increase TCP queue length
|
||||
net.ipv4.neigh.default.proxy_qlen = 96
|
||||
net.ipv4.neigh.default.unres_qlen = 6
|
||||
|
||||
# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
|
||||
net.ipv4.tcp_ecn = 1
|
||||
net.ipv4.tcp_reordering = 3
|
||||
|
||||
# How many times to retry killing an alive TCP connection
|
||||
net.ipv4.tcp_retries2 = 15
|
||||
net.ipv4.tcp_retries1 = 3
|
||||
|
||||
# Avoid falling back to slow start after a connection goes idle
|
||||
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
|
||||
net.ipv4.tcp_slow_start_after_idle = 0
|
||||
|
||||
# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
|
||||
net.ipv4.tcp_fastopen = 3
|
||||
|
||||
# This will enusre that immediatly subsequent connections use the new values
|
||||
net.ipv4.route.flush = 1
|
||||
net.ipv6.route.flush = 1
|
|
@ -25,7 +25,7 @@ http
|
|||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox";
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
|
|
|
@ -25,7 +25,7 @@ http
|
|||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox";
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
|
|
|
@ -25,7 +25,7 @@ http
|
|||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox";
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_buffering on;
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 256 16k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
proxy_temp_file_write_size 256k;
|
||||
proxy_max_temp_file_size 0;
|
|
@ -14,7 +14,7 @@ zend.enable_gc = On
|
|||
expose_php = Off
|
||||
max_execution_time = 300
|
||||
max_input_time = 600
|
||||
max_input_vars = 5000
|
||||
max_input_vars = 10000
|
||||
memory_limit = 256M
|
||||
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
|
||||
display_errors = Off
|
||||
|
|
|
@ -12,7 +12,7 @@ disable_classes =
|
|||
zend.enable_gc = On
|
||||
expose_php = Off
|
||||
max_execution_time = 300
|
||||
max_input_vars = 5000
|
||||
max_input_vars = 10000
|
||||
max_input_time = 600
|
||||
memory_limit = 256M
|
||||
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
|
||||
|
|
|
@ -90,6 +90,8 @@ cat <<EOF >~/.my.cnf
|
|||
password=$ROOT_SQL_PASS
|
||||
EOF
|
||||
|
||||
cp ~/.my.cnf /etc/mysql/conf.d/my.cnf
|
||||
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
|
||||
ee stack install
|
||||
|
|
Chargement…
Référencer dans un nouveau ticket