update version and cleanup readme

* mariadb 10.3
* ee v3.8.1
* Ubuntu 18.04 LTS
This commit belongs to:
VirtuBox 2018-06-03 16:03:36 +02:00
Parent da2c8ffc3c
commit 741817f489
10 files changed with 602 additions and 386 deletions

383
README.md
View file

@ -1,17 +1,20 @@
# Optimized configuration for Ubuntu server with EasyEngine
* * *
# Ubuntu optimized configuration with EasyEngine
----
## Server Stack :
* Nginx 1.14.x
* PHP-FPM 7/7.1/7.2
* MariaDB 10.2
* REDIS 4.0
* Memcached
* Fail2ban
* Netdata
* UFW
----
- Ubuntu 16.04/18.04 LTS
- Nginx 1.14.x
- PHP-FPM 7/7.1/7.2
- MariaDB 10.3
- REDIS 4.0
- Memcached
- Fail2ban
- Netdata
- UFW
* * *
## All Instructions and informations are listed on the [Github page](https://virtubox.github.io/ubuntu-nginx-web-server/)
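Review bot: in the link line that closes the hunk, "informations" should be "information" (uncountable in English), and a `##` heading is the wrong element for a full sentence; plain text such as `All instructions and information are listed on the [Github page](https://virtubox.github.io/ubuntu-nginx-web-server/)` reads better and keeps `##` for real sections. The same word appears in the context line "Configuration files with comments and informations" of the next hunk.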
@ -21,124 +24,66 @@ Configuration files with comments and informations available by following the li
**System update and packages cleanup**
```
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
```
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
**Install useful packages**
```
sudo apt install haveged curl git unzip zip fail2ban htop -y
```
sudo apt install haveged curl git unzip zip fail2ban htop -y
**Tweak Kernel** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) &
**Increase open files limits** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
```
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
```
modprobe tcp_htcp
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
**disable transparent hugepage for redis**
```
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```
## Security
----
echo never > /sys/kernel/mm/transparent_hugepage/enabled
**Harden SSH Security**
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
```
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
```
**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
```
# enable ufw log - allow outgoing - deny incoming
ufw logging on
ufw default allow outgoing
ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# enable UFW
ufw enable
```
----
* * *
## EasyEngine Setup
**Install MariaDB 10.2** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
**Install MariaDB 10.3** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
```
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.2 --skip-maxscale
sudo apt update
sudo apt install mariadb-server
```
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
**Install EasyEngine**
```
wget -qO ee rt.cx/ee && bash ee
```
wget -qO ee rt.cx/ee && bash ee
**enable ee bash_completion**
source /etc/bash_completion.d/ee_auto.rc
**Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend**
```
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
```
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
**Set your email instead of root@localhost**
```
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
```
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
**Install Composer - Fix phpmyadmin install issue**
```
cd ~/
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
```
cd ~/
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
**Allow shell for www-data for SFTP usage**
```
usermod -s /bin/bash www-data
```
**Custom jails for fail2ban**
usermod -s /bin/bash www-data
* wordpress bruteforce
* ssh
* recidive (after 3 bans)
* backend http auth
* nginx bad bots
## PHP 7.1 & 7.2 Setup
```
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
```
## PHP 7.1 & 7.2 Setup
**Install php7.1-fpm & php7.2-fpm**
**Install php7.1-fpm**
```bash
# php7.1-fpm
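Review bot: `usermod -s /bin/bash www-data` (under "Allow shell for www-data for SFTP usage") gives the web server's service account an interactive login shell, which widens the impact of any PHP or Nginx compromise; SFTP does not need it. Keep `/usr/sbin/nologin` and, if SFTP for that account is really wanted, add an sshd `Match User www-data` block with `ForceCommand internal-sftp` (ideally with `ChrootDirectory`) to the hardened sshd_config this hunk already installs. Separately, the hunk drops the ``` fences around most command blocks (system update, packages, sysctl, SSH, UFW, MariaDB, EasyEngine, Composer, fail2ban); if these were converted to indented code blocks, verify the indentation survived, because as rendered here the commands run together with the prose.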
@ -146,131 +91,185 @@ apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
service php7.1-fpm restart
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart
```
**Install php7.2-fpm**
```
# php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
service php7.2-fpm restart
```
add nginx upstreams
```
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
service nginx reload
```
add ee common configuration
```
cd /etc/nginx/common || exit
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
unzip common.zip
```
**Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)**
```
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
```
----
## Custom configurations
**clean php-fpm php.ini configurations**
```
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
# PHP 7.1
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart
# PHP 7.2
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
service php7.2-fpm restart
```
**add nginx upstreams**
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
service nginx reload
add ee common configuration
cd /etc/nginx/common || exit
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
unzip common.zip
**Compile last Nginx mainline release with [nginx-ee script](https://virtubox.github.io/nginx-ee/)**
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
* * *
## Custom configurations
**clean php-fpm php.ini configurations**
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
**Nginx optimized configurations**
```
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
# TLS intermediate
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
# TLS intermediate
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
```
**nginx configuration for netdata & new upstreams**
```
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
```
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
**wpcommon-php7x configurations**
* webp rewrite rules added
* DoS attack CVE fix added
* php7.1 & php7.2 configuration added
```
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
# 2) wpcommon files
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
nginx -t
service nginx reload
```
----
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
nginx -t
service nginx reload
* * *
## Security
* * *
**Harden SSH Security**
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# enable UFW
ufw enable
**Custom jails for fail2ban**
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
**Secure Memcached server**
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
## Optional tools
### Acme.sh
[Github repository](https://github.com/Neilpang/acme.sh)
```
wget -O - https://get.acme.sh | sh
source ~/.bashrc
```
### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/)
My script to setup letsencrypt certificates using acme.sh on EasyEngine servers.
* subdomain support
* ivp6 support
* wildcards certificates support
wget -O - https://get.acme.sh | sh
source ~/.bashrc
### netdata
### netdata
[Github repository](https://github.com/firehol/netdata)
```
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# disable email notifications
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
```
# disable email notifications
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
service netdata restart
### bash-snippets
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
```bash
```bash
git clone https://github.com/alexanderepstein/Bash-Snippets
cd Bash-Snippets
git checkout v1.22.0
./install.sh cheat
```
usage : cheat command
```bash
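Review bot: the php7.2 `php.ini` download is lost in this hunk: the old "clean php-fpm php.ini configurations" block fetched php.ini for 7.0, 7.1 and 7.2, the new block keeps only 7.0, and the 7.1 line moved into the php7.1-fpm install block, but the php7.2-fpm install block still fetches only `pool.d/www.conf`; add the matching `wget -O /etc/php/7.2/fpm/php.ini ...` plus `service php7.2-fpm restart` there. Also, under "Nginx optimized configurations" the three `wget -O /etc/nginx/nginx.conf` commands (TLSv1.2+1.3, intermediate, TLSv1.2 only) all overwrite the same file, so anyone who runs the block as written ends with the TLSv1.2-only profile; state that exactly one of them is to be run, and follow it with `nginx -t` as the wpcommon block already does.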
@ -293,10 +292,10 @@ root@vps:~ cheat cat
```
## nanorc - Improved Nano Syntax Highlighting Files
[Github repository](https://github.com/scopatz/nanorc)
```
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
```
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
Published & maintained by [VirtuBox](https://virtubox.net)
Published & maintained by [VirtuBox](https://virtubox.net)

View file

@ -1,17 +1,20 @@
# Ubuntu optimized configuration with EasyEngine
----
## Server Stack :
* Nginx 1.14.x
* PHP-FPM 7/7.1/7.2
* MariaDB 10.2
* REDIS 4.0
* Memcached
* Fail2ban
* Netdata
* UFW
----
* * *
## Server Stack :
- Ubuntu 16.04/18.04 LTS
- Nginx 1.14.x
- PHP-FPM 7/7.1/7.2
- MariaDB 10.3
- REDIS 4.0
- Memcached
- Fail2ban
- Netdata
- UFW
* * *
Configuration files with comments and informations available by following the link **source**
@ -19,77 +22,66 @@ Configuration files with comments and informations available by following the li
**System update and packages cleanup**
```
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
```
apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get clean
**Install useful packages**
```
sudo apt install haveged curl git unzip zip fail2ban htop -y
```
sudo apt install haveged curl git unzip zip fail2ban htop -y
**Tweak Kernel** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) &
**Increase open files limits** [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
```
modprobe tcp_htcp
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
```
**disable transparent hugepage for redis**
```
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```
----
modprobe tcp_htcp
wget -O /etc/sysctl.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/security/limits.conf
**disable transparent hugepage for redis**
echo never > /sys/kernel/mm/transparent_hugepage/enabled
* * *
## EasyEngine Setup
**Install MariaDB 10.2** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
**Install MariaDB 10.3** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
```
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.2 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
```
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
**Install EasyEngine**
```
wget -qO ee rt.cx/ee && bash ee
```
wget -qO ee rt.cx/ee && bash ee
**enable ee bash_completion**
```
source /etc/bash_completion.d/ee_auto.rc
```
source /etc/bash_completion.d/ee_auto.rc
**Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend**
```
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
```
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
**Set your email instead of root@localhost**
```
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
```
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
**Install Composer - Fix phpmyadmin install issue**
```
cd ~/
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
```
cd ~/
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
sudo -u www-data composer update -d /var/www/22222/htdocs/db/pma/
**Allow shell for www-data for SFTP usage**
```
usermod -s /bin/bash www-data
```
## PHP 7.1 & 7.2 Setup
usermod -s /bin/bash www-data
**Install php7.1-fpm & php7.2-fpm**
## PHP 7.1 & 7.2 Setup
**Install php7.1-fpm**
```bash
# php7.1-fpm
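Review bot: `modprobe tcp_htcp`, added just before `sysctl -p`, loads the module only for the running kernel; after a reboot it is gone, and any `net.ipv4.tcp_congestion_control = htcp` line in the downloaded sysctl.conf will then fail to apply until someone runs modprobe again. Persist it with `echo tcp_htcp > /etc/modules-load.d/tcp_htcp.conf` next to the modprobe line. The same applies to the identical README.md hunk.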
@ -97,188 +89,185 @@ apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
service php7.1-fpm restart
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart
```
**Install php7.2-fpm**
```
# php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
service php7.2-fpm restart
```
add nginx upstreams
```
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
service nginx reload
```
add ee common configuration
```
cd /etc/nginx/common || exit
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
unzip common.zip
```
**Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)**
```
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
```
----
## Custom configurations
**clean php-fpm php.ini configurations**
```
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
# PHP 7.1
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart
# PHP 7.2
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
service php7.2-fpm restart
```
**add nginx upstreams**
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
service nginx reload
add ee common configuration
cd /etc/nginx/common || exit
wget https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/common.zip
unzip common.zip
**Compile last Nginx mainline release with [nginx-ee script](https://virtubox.github.io/nginx-ee/)**
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
* * *
## Custom configurations
**clean php-fpm php.ini configurations**
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
**Nginx optimized configurations**
```
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx.conf
# TLS intermediate
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
# TLS intermediate
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-intermediate.conf
# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/nginx-tlsv12.conf
```
**nginx configuration for netdata & new upstreams**
```
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/default
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
```
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/upstream.conf
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/sites-available/22222
**wpcommon-php7x configurations**
* webp rewrite rules added
* DoS attack CVE fix added
* php7.1 & php7.2 configuration added
```
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/conf.d/webp.conf
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
# 2) wpcommon files
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php7.conf
nginx -t
service nginx reload
```
----
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php71.conf
## Security
----
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/nginx/common/wpcommon-php72.conf
nginx -t
service nginx reload
* * *
## Security
* * *
**Harden SSH Security**
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
```
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
```
wget -O /etc/ssh/sshd_config https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/ssh/sshd_config
**UFW** Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
```
# enable ufw log - allow outgoing - deny incoming
ufw logging on
ufw default allow outgoing
ufw default deny incoming
# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# enable UFW
ufw enable
```
# enable UFW
ufw enable
**Custom jails for fail2ban**
* wordpress bruteforce
* ssh
* recidive (after 3 bans)
* backend http auth
* nginx bad bots
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
```
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
```
wget -O /etc/fail2ban/filter.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
**Secure Memcached server**
```
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
```
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
## Optional tools
### Acme.sh
[Github repository](https://github.com/Neilpang/acme.sh)
```
wget -O - https://get.acme.sh | sh
source ~/.bashrc
```
### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/)
My script to setup letsencrypt certificates using acme.sh on EasyEngine servers.
* subdomain support
* ivp6 support
* wildcards certificates support
wget -O - https://get.acme.sh | sh
source ~/.bashrc
### netdata
### netdata
[Github repository](https://github.com/firehol/netdata)
```
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# disable email notifications
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
service netdata restart
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
```
# disable email notifications
wget -O /etc/netdata/health_alarm_notify.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/netdata/health_alarm_notify.conf
service netdata restart
### bash-snippets
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
```bash
```bash
git clone https://github.com/alexanderepstein/Bash-Snippets
cd Bash-Snippets
git checkout v1.22.0
./install.sh cheat
```
usage : cheat command
```bash
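Review bot: "Secure Memcached server" appends `-U 0` to /etc/memcached.conf with `>>`, which is not idempotent: every re-run of the instructions adds another copy of the option. Guard it, e.g. `grep -qx -- '-U 0' /etc/memcached.conf || echo '-U 0' >> /etc/memcached.conf`. Disabling the UDP listener is the right call; with `ufw default deny incoming` and no rule for 11211 in the UFW block the daemon is not reachable from outside anyway, so document it as defence in depth rather than the only control. The netdata tuning lines `echo 1 >/sys/kernel/mm/ksm/run` and `echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs` are likewise not persistent across reboots and deserve the same remark.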
@ -300,11 +289,10 @@ root@vps:~ cheat cat
cat -n file
```
## nanorc - Improved Nano Syntax Highlighting Files
[Github repository](https://github.com/scopatz/nanorc)
```
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
```
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
Published & maintained by [VirtuBox](https://virtubox.net)

217
docs/files/etc/sysctl.conf Normal file
View file

@ -0,0 +1,217 @@
# Kernel sysctl configuration file
# Sources :
# https://easyengine.io/tutorials/linux/sysctl-conf/
# http://klaver.it/linux/
#
#
# sysctl -e -p /etc/sysctl.conf
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
#
#
###
### GENERAL SYSTEM SECURITY OPTIONS ###
###
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
#Allow for more PIDs
kernel.pid_max = 65535
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65535
# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65535
# Restrict core dumps
fs.suid_dumpable = 0
# Hide exposed kernel pointers
kernel.kptr_restrict = 1
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
# Increase size of file handles and inode cache
fs.file-max = 2097152
# Increase size of file handles and inode cache
fs.file-max = 209708
# Do less swapping
vm.swappiness = 10
vm.dirty_ratio = 30
vm.dirty_background_ratio = 2
# Redis configuration
vm.overcommit_memory = 1
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
# Disables packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
# Disables IP source routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 7
# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0
# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0
# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
net.ipv4.tcp_timestamps = 1
# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535
# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1
# Do not auto-configure IPv6
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_ra=0
###
### TUNING NETWORK PERFORMANCE ###
###
# For high-bandwidth low-latency networks, use 'htcp' congestion control
# Do a 'modprobe tcp_htcp' first
net.ipv4.tcp_congestion_control = htcp
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
net.core.default_qdisc = fq
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
# Increase number of incoming connections
net.core.somaxconn = 32768
# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 16384
net.core.dev_weight = 64
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65535
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50
# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048
# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024
# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32
# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30
# Increase TCP queue length
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3
# How many times to retry killing an alive TCP connection
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
net.ipv4.tcp_slow_start_after_idle = 0
# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
net.ipv4.tcp_fastopen = 3
# This will enusre that immediatly subsequent connections use the new values
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
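Review bot: `fs.file-max` is set twice with conflicting values (`fs.file-max = 2097152` and then `fs.file-max = 209708`, both under the same duplicated comment); sysctl applies keys in file order, so the second, roughly ten times smaller value wins, which is presumably not intended. Keep one line. Also, `net.ipv4.tcp_tw_recycle = 0` targets a knob removed in Linux 4.12, so on the Ubuntu 18.04 kernel the key does not exist and `sysctl -p` reports an error for it; either drop the line or consistently load the file with `sysctl -e -p` as the comment at the top of the file suggests. Minor: "maxmimum", "mesage", "enusre" and "immediatly" in the comments.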

@ -25,7 +25,7 @@ http
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox";
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
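Review bot: bumping the version string in `add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";` keeps advertising the exact stack version to every client, which undoes the intent of `server_tokens off;` two lines above, since a precise version lets anyone map the response to the known issues of that release. Suggest dropping the version from the header (or the header entirely) rather than updating it on each release.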

@ -25,7 +25,7 @@ http
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox";
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
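Review bot: the refreshed `X-Powered-By` string in this hunk still discloses the exact EasyEngine version while `server_tokens off;` is set in the same block; consider removing the version component instead of maintaining it on each release.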

@ -25,7 +25,7 @@ http
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox";
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
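Review bot: this third copy of the `X-Powered-By` version bump has the same issue as the others: `server_tokens off;` hides the nginx version while the custom header hands out the EasyEngine version; drop the version from the header so the three files do not need to be kept in sync on every release.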

10
etc/nginx/proxy_params Normal file
@ -0,0 +1,10 @@
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering on;
proxy_buffer_size 128k;
proxy_buffers 256 16k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_max_temp_file_size 0;
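Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever X-Forwarded-For the client already sent, so the upstream application must not take the leftmost entry as the client address unless every hop in front of it is trusted; the real peer address is reliably available from `X-Real-IP $remote_addr`, which this file also sets. A one-line comment stating which header the backends should trust would help, since a new file with no header gives no hint. Also worth documenting the memory assumption: `proxy_buffers 256 16k` allows up to 4 MB of buffered response per connection.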

@ -14,7 +14,7 @@ zend.enable_gc = On
expose_php = Off
max_execution_time = 300
max_input_time = 600
max_input_vars = 5000
max_input_vars = 10000
memory_limit = 256M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
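Review bot: raising `max_input_vars` from 5000 to 10000 doubles the number of request variables PHP will parse per request; the limit exists partly to bound the parsing and hash-collision cost of large POST bodies, so it is worth recording which application needs more than 5000 fields. Also, this hunk places `max_input_vars` before `max_input_time`, whereas the other php.ini hunk in this commit keeps the opposite order; keeping both files in the same order makes future diffs easier to review.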

@ -12,7 +12,7 @@ disable_classes =
zend.enable_gc = On
expose_php = Off
max_execution_time = 300
max_input_vars = 5000
max_input_vars = 10000
max_input_time = 600
memory_limit = 256M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
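Review bot: same `max_input_vars` change as the other php.ini hunk (5000 to 10000); keeping both files on one value is right, but record the reason for the higher bound, since it governs how much form data PHP will parse before it stops.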

@ -90,6 +90,8 @@ cat <<EOF >~/.my.cnf
password=$ROOT_SQL_PASS
EOF
cp ~/.my.cnf /etc/mysql/conf.d/my.cnf
wget -qO ee rt.cx/ee && bash ee
ee stack install
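Review bot: `cp ~/.my.cnf /etc/mysql/conf.d/my.cnf` copies a file containing the root SQL password (`password=$ROOT_SQL_PASS`) into a directory that is normally world-readable, and `cp` without `-p` creates the destination with the default umask, so the credential can become readable by any local account; the script should `chmod 600` both files (or create the copy with `install -m 600`). Separately, `wget -qO ee rt.cx/ee && bash ee` has no URL scheme, so wget fetches the installer over plain http through a URL shortener and then executes it as root; use the full https URL of the installer and check the download before running `bash ee`.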