updating repository structure
The first release of the ubuntu-nginx-web-server script will be available soon. The current documentation will be moved to the docs folder.
This commit is contained in:
parent
86129ef2fc
commit
da19927ea9
447
README.md
447
README.md
|
@ -1,452 +1,31 @@
|
|||
# Optimized configuration for Ubuntu server with EasyEngine
|
||||
# Bash Script to setup an optimized web server with EasyEngine v3
|
||||
|
||||
* * *
|
||||
|
||||
## Server Stack
|
||||
|
||||
- Ubuntu 16.04/18.04 LTS
|
||||
- Nginx 1.15.x / 1.14.x
|
||||
- PHP-FPM 7/7.1/7.2
|
||||
- MariaDB 10.3
|
||||
- MariaDB 10.1/10.2/10.3
|
||||
- REDIS 4.0
|
||||
- Memcached
|
||||
- Fail2ban
|
||||
- Fail2ban & UFW
|
||||
- Netdata
|
||||
- UFW
|
||||
- Proftpd
|
||||
- Acme.sh
|
||||
|
||||
* * *
|
||||
|
||||
**All Instructions and informations are listed on the [Github page](https://virtubox.github.io/ubuntu-nginx-web-server/)**
|
||||
|
||||
Configuration files with comments and informations available by following the link **source**
|
||||
### Features
|
||||
|
||||
### Initial configuration
|
||||
- Automated MariaDB install (10.1/10.2/10.3)
|
||||
- Apply Linux server tweaks
|
||||
- Install EasyEngine
|
||||
- Install php7.1-fpm & php7.2-fpm
|
||||
- Compile the latest Nginx release
|
||||
- Install and configure UFW & Fail2ban
|
||||
- Install Netdata and EasyEngine-Dashboard
|
||||
|
||||
#### System update and packages cleanup
|
||||
|
||||
```bash
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
|
||||
```
|
||||
|
||||
#### Install useful packages
|
||||
|
||||
```bash
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop nload nmon ntp -y
|
||||
```
|
||||
|
||||
#### Tweak Kernel & Increase open files limits
|
||||
|
||||
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
||||
|
||||
```bash
|
||||
modprobe tcp_htcp
|
||||
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
|
||||
```
|
||||
|
||||
#### disable transparent hugepage for redis
|
||||
|
||||
```bash
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### EasyEngine Setup
|
||||
|
||||
#### Install MariaDB 10.3
|
||||
|
||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
|
||||
```bash
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
|
||||
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
|
||||
```
|
||||
|
||||
#### MySQL Tuning
|
||||
|
||||
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
|
||||
|
||||
```bash
|
||||
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
|
||||
```
|
||||
|
||||
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
|
||||
|
||||
```bash
|
||||
sudo service mysql stop
|
||||
|
||||
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
|
||||
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
|
||||
|
||||
sudo service mysql start
|
||||
```
|
||||
|
||||
Increase MariaDB open files limits
|
||||
```bash
|
||||
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
|
||||
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl restart mariadb
|
||||
```
|
||||
|
||||
#### Install EasyEngine
|
||||
|
||||
```bash
|
||||
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
|
||||
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
|
||||
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
```
|
||||
|
||||
#### enable ee bash_completion
|
||||
|
||||
```bash
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
```
|
||||
|
||||
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
|
||||
|
||||
```bash
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
```
|
||||
|
||||
#### Set your email instead of root@localhost
|
||||
|
||||
```bash
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
```
|
||||
|
||||
#### Install Composer - Fix phpmyadmin install issue
|
||||
|
||||
```bash
|
||||
cd ~/ ||exit
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
|
||||
chown www-data:www-data /var/www
|
||||
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
|
||||
```
|
||||
|
||||
#### Allow shell for www-data for SFTP usage
|
||||
|
||||
```bash
|
||||
usermod -s /bin/bash www-data
|
||||
```
|
||||
|
||||
### PHP 7.1 & 7.2 Setup
|
||||
|
||||
#### Install php7.1-fpm
|
||||
|
||||
```bash
|
||||
# php7.1-fpm
|
||||
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
|
||||
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
|
||||
|
||||
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
|
||||
|
||||
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
|
||||
service php7.1-fpm restart
|
||||
```
|
||||
|
||||
#### Install php7.2-fpm
|
||||
|
||||
```bash
|
||||
# php7.2-fpm
|
||||
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
|
||||
|
||||
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
|
||||
|
||||
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
|
||||
service php7.2-fpm restart
|
||||
```
|
||||
|
||||
#### add nginx upstreams
|
||||
|
||||
```bash
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
||||
service nginx reload
|
||||
```
|
||||
|
||||
#### add ee common configuration
|
||||
|
||||
```bash
|
||||
cd /etc/nginx/common || exit
|
||||
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
|
||||
unzip common.zip
|
||||
```
|
||||
|
||||
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
||||
|
||||
```bash
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### Custom configurations
|
||||
|
||||
#### clean php-fpm php.ini configuration
|
||||
|
||||
```bash
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
|
||||
service php7.0-fpm restart
|
||||
```
|
||||
|
||||
#### Nginx optimized configurations
|
||||
|
||||
```bash
|
||||
# TLSv1.2 TLSv1.3 only
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
|
||||
|
||||
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
|
||||
|
||||
# TLSv1.2 only
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
|
||||
```
|
||||
|
||||
#### Nginx configuration for netdata & new upstreams
|
||||
|
||||
```bash
|
||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
||||
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
|
||||
|
||||
# add netdata, php7.1 and php7.2 upstream
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
||||
|
||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
|
||||
```
|
||||
|
||||
#### Increase Nginx open files limits
|
||||
|
||||
```bash
|
||||
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
||||
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
|
||||
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl restart nginx.service
|
||||
```
|
||||
|
||||
#### wpcommon-php7x configurations
|
||||
|
||||
- webp rewrite rules added
|
||||
- DoS attack CVE fix added
|
||||
- php7.1 & php7.2 configuration added
|
||||
|
||||
```bash
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
|
||||
|
||||
# 2) wpcommon files
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
|
||||
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
|
||||
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
|
||||
|
||||
nginx -t
|
||||
service nginx reload
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### Security
|
||||
|
||||
#### Harden SSH Security
|
||||
|
||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
||||
|
||||
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
|
||||
|
||||
#### UFW
|
||||
|
||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||
|
||||
```bash
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging low
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
|
||||
# enable UFW
|
||||
ufw enable
|
||||
```
|
||||
|
||||
#### Custom jails for fail2ban
|
||||
|
||||
- wordpress bruteforce
|
||||
- ssh
|
||||
- recidive (after 3 bans)
|
||||
- backend http auth
|
||||
- nginx bad bots
|
||||
|
||||
```bash
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/filter.d/nginx-forbidden.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/nginx-forbidden.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
|
||||
|
||||
fail2ban-client reload
|
||||
```
|
||||
|
||||
#### Secure Memcached server
|
||||
|
||||
```bash
|
||||
echo '-U 0' >> /etc/memcached.conf
|
||||
sudo systemctl restart memcached
|
||||
```
|
||||
|
||||
### Optional tools
|
||||
|
||||
#### ee-acme-sh
|
||||
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
||||
|
||||
* subdomain support
|
||||
* ivp6 support
|
||||
* wildcards certificates support
|
||||
|
||||
```bash
|
||||
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
|
||||
chmod +x install-ee-acme.sh
|
||||
./install-ee-acme.sh
|
||||
|
||||
# enable acme.sh & ee-acme-sh
|
||||
source .bashrc
|
||||
```
|
||||
|
||||
#### netdata
|
||||
|
||||
[Github repository](https://github.com/firehol/netdata)
|
||||
|
||||
```bash
|
||||
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
|
||||
# disable email notifications
|
||||
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
|
||||
service netdata restart
|
||||
```
|
||||
|
||||
#### bash-snippets
|
||||
|
||||
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
|
||||
|
||||
```bash
|
||||
git clone https://github.com/alexanderepstein/Bash-Snippets
|
||||
cd Bash-Snippets
|
||||
git checkout v1.22.0
|
||||
./install.sh cheat
|
||||
```
|
||||
|
||||
usage : `cheat <command>`
|
||||
|
||||
```bash
|
||||
root@vps:~ cheat cat
|
||||
# cat
|
||||
|
||||
# Print and concatenate files.
|
||||
|
||||
# Print the contents of a file to the standard output:
|
||||
cat file
|
||||
|
||||
# Concatenate several files into the target file:
|
||||
cat file1 file2 > target_file
|
||||
|
||||
# Append several files into the target file:
|
||||
cat file1 file2 >> target_file
|
||||
|
||||
# Number all output lines:
|
||||
cat -n file
|
||||
```
|
||||
|
||||
#### nanorc - Improved Nano Syntax Highlighting Files
|
||||
|
||||
[Github repository](https://github.com/scopatz/nanorc)
|
||||
|
||||
```bash
|
||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
||||
```
|
||||
|
||||
#### ucaresystem - script to update & cleanup packages easily
|
||||
|
||||
```bash
|
||||
sudo add-apt-repository ppa:utappia/stable -y
|
||||
sudo apt update
|
||||
sudo apt install ucaresystem-core -y
|
||||
```
|
||||
|
||||
Run server maintenance with the command :
|
||||
|
||||
```bash
|
||||
sudo ucaresystem-core
|
||||
```
|
||||
|
||||
### WP-CLI
|
||||
|
||||
#### Add bash-completion for user www-data
|
||||
|
||||
```bashrc
|
||||
# download wp-cli bash_completion
|
||||
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
|
||||
|
||||
# change /var/www owner
|
||||
chown www-data:www-data /var/www
|
||||
|
||||
# download .profile & .bashrc for www-data
|
||||
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
|
||||
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
|
||||
|
||||
# set owner
|
||||
chown www-data:www-data /var/www/.profile
|
||||
chown www-data:www-data /var/www/.bashrc
|
||||
```
|
||||
|
||||
### Custom Nginx error pages
|
||||
|
||||
[Github Repository](https://github.com/alexphelps/server-error-pages)
|
||||
|
||||
Installation
|
||||
|
||||
```bash
|
||||
# clone the github repository
|
||||
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
|
||||
|
||||
# download nginx configuration
|
||||
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
|
||||
```
|
||||
|
||||
Then include this configuration in your nginx vhost by adding the following line
|
||||
|
||||
```bash
|
||||
include common/error_pages.conf;
|
||||
```
|
||||
|
||||
Published & maintained by [VirtuBox](https://virtubox.net)
|
||||
|
|
434
docs/README.md
434
docs/README.md
|
@ -1,4 +1,4 @@
|
|||
# Ubuntu optimized configuration with EasyEngine
|
||||
# Bash Script to setup an optimized web server with EasyEngine
|
||||
|
||||
* * *
|
||||
|
||||
|
@ -7,445 +7,19 @@
|
|||
- Ubuntu 16/18.04 LTS
|
||||
- Nginx 1.15.x / 1.14.x
|
||||
- PHP-FPM 7/7.1/7.2
|
||||
- MariaDB 10.3
|
||||
- MariaDB 10.1/10.2/10.3
|
||||
- REDIS 4.0
|
||||
- Memcached
|
||||
- Fail2ban
|
||||
- Netdata
|
||||
- UFW
|
||||
- Proftpd
|
||||
- Acme.sh
|
||||
|
||||
* * *
|
||||
|
||||
Configuration files with comments and informations available by following the link **source**
|
||||
|
||||
### Initial configuration
|
||||
|
||||
#### System update and packages cleanup
|
||||
|
||||
```bash
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
|
||||
```
|
||||
|
||||
#### Install useful packages
|
||||
|
||||
```bash
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop nload nmon ntp -y
|
||||
```
|
||||
|
||||
#### Tweak Kernel & Increase open files limits
|
||||
|
||||
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
||||
|
||||
```bash
|
||||
modprobe tcp_htcp
|
||||
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
|
||||
```
|
||||
|
||||
#### disable transparent hugepage for redis
|
||||
|
||||
```bash
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### EasyEngine Setup
|
||||
|
||||
#### Install MariaDB 10.3
|
||||
|
||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
|
||||
```bash
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
|
||||
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
|
||||
```
|
||||
|
||||
#### MySQL Tuning
|
||||
|
||||
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
|
||||
|
||||
```bash
|
||||
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
|
||||
```
|
||||
|
||||
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
|
||||
|
||||
```bash
|
||||
sudo service mysql stop
|
||||
|
||||
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
|
||||
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
|
||||
|
||||
sudo service mysql start
|
||||
```
|
||||
|
||||
Increase MariaDB open files limits
|
||||
|
||||
```bash
|
||||
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
|
||||
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl restart mariadb
|
||||
```
|
||||
|
||||
#### Install EasyEngine
|
||||
|
||||
```bash
|
||||
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
|
||||
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
|
||||
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
```
|
||||
|
||||
#### enable ee bash_completion
|
||||
|
||||
```bash
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
```
|
||||
|
||||
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
|
||||
|
||||
```bash
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
```
|
||||
|
||||
#### Set your email instead of root@localhost
|
||||
|
||||
```bash
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
```
|
||||
|
||||
#### Install Composer - Fix phpmyadmin install issue
|
||||
|
||||
```bash
|
||||
cd ~/ ||exit
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
|
||||
chown www-data:www-data /var/www
|
||||
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
|
||||
```
|
||||
|
||||
#### Allow shell for www-data for SFTP usage
|
||||
|
||||
```bash
|
||||
usermod -s /bin/bash www-data
|
||||
```
|
||||
|
||||
### PHP 7.1 & 7.2 Setup
|
||||
|
||||
#### Install php7.1-fpm
|
||||
|
||||
```bash
|
||||
# php7.1-fpm
|
||||
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
|
||||
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
|
||||
|
||||
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
|
||||
|
||||
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
|
||||
service php7.1-fpm restart
|
||||
```
|
||||
|
||||
#### Install php7.2-fpm
|
||||
|
||||
```bash
|
||||
# php7.2-fpm
|
||||
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
|
||||
|
||||
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
|
||||
|
||||
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
|
||||
service php7.2-fpm restart
|
||||
```
|
||||
|
||||
#### add nginx upstreams
|
||||
|
||||
```bash
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
||||
service nginx reload
|
||||
```
|
||||
|
||||
#### add ee common configuration
|
||||
|
||||
```bash
|
||||
cd /etc/nginx/common || exit
|
||||
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
|
||||
unzip common.zip
|
||||
```
|
||||
|
||||
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
||||
|
||||
```bash
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### Custom configurations
|
||||
|
||||
#### clean php-fpm php.ini configuration
|
||||
|
||||
```bash
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
|
||||
service php7.0-fpm restart
|
||||
```
|
||||
|
||||
#### Nginx optimized configurations
|
||||
|
||||
```bash
|
||||
# TLSv1.2 TLSv1.3 only
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
|
||||
|
||||
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
|
||||
|
||||
# TLSv1.2 only
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
|
||||
```
|
||||
|
||||
#### Nginx configuration for netdata & new upstreams
|
||||
|
||||
```bash
|
||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
||||
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
|
||||
|
||||
# add netdata, php7.1 and php7.2 upstream
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
||||
|
||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
|
||||
```
|
||||
|
||||
#### Increase Nginx open files limits
|
||||
|
||||
```bash
|
||||
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
||||
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
|
||||
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl restart nginx.service
|
||||
```
|
||||
|
||||
#### wpcommon-php7x configurations
|
||||
|
||||
- webp rewrite rules added
|
||||
- DoS attack CVE fix added
|
||||
- php7.1 & php7.2 configuration added
|
||||
|
||||
```bash
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
|
||||
|
||||
# 2) wpcommon files
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
|
||||
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
|
||||
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
|
||||
|
||||
nginx -t
|
||||
service nginx reload
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### Security
|
||||
|
||||
#### Harden SSH Security
|
||||
|
||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
||||
|
||||
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
|
||||
|
||||
#### UFW
|
||||
|
||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||
|
||||
```bash
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging low
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
|
||||
# enable UFW
|
||||
ufw enable
|
||||
```
|
||||
|
||||
#### Custom jails for fail2ban
|
||||
|
||||
- wordpress bruteforce
|
||||
- ssh
|
||||
- recidive (after 3 bans)
|
||||
- backend http auth
|
||||
- nginx bad bots
|
||||
|
||||
```bash
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/filter.d/nginx-forbidden.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/nginx-forbidden.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
|
||||
|
||||
fail2ban-client reload
|
||||
```
|
||||
|
||||
#### Secure Memcached server
|
||||
|
||||
```bash
|
||||
echo '-U 0' >> /etc/memcached.conf
|
||||
sudo systemctl restart memcached
|
||||
```
|
||||
|
||||
### Optional tools
|
||||
|
||||
#### ee-acme-sh
|
||||
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
||||
|
||||
* subdomain support
|
||||
* ivp6 support
|
||||
* wildcards certificates support
|
||||
|
||||
```bash
|
||||
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
|
||||
chmod +x install-ee-acme.sh
|
||||
./install-ee-acme.sh
|
||||
|
||||
# enable acme.sh & ee-acme-sh
|
||||
source .bashrc
|
||||
```
|
||||
|
||||
#### netdata
|
||||
|
||||
[Github repository](https://github.com/firehol/netdata)
|
||||
|
||||
```bash
|
||||
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
|
||||
# disable email notifications
|
||||
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
|
||||
service netdata restart
|
||||
```
|
||||
|
||||
#### bash-snippets
|
||||
|
||||
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
|
||||
|
||||
```bash
|
||||
git clone https://github.com/alexanderepstein/Bash-Snippets
|
||||
cd Bash-Snippets
|
||||
git checkout v1.22.0
|
||||
./install.sh cheat
|
||||
```
|
||||
|
||||
usage : `cheat <command>`
|
||||
|
||||
```bash
|
||||
root@vps:~ cheat cat
|
||||
# cat
|
||||
|
||||
# Print and concatenate files.
|
||||
|
||||
# Print the contents of a file to the standard output:
|
||||
cat file
|
||||
|
||||
# Concatenate several files into the target file:
|
||||
cat file1 file2 > target_file
|
||||
|
||||
# Append several files into the target file:
|
||||
cat file1 file2 >> target_file
|
||||
|
||||
# Number all output lines:
|
||||
cat -n file
|
||||
```
|
||||
|
||||
#### nanorc - Improved Nano Syntax Highlighting Files
|
||||
|
||||
[Github repository](https://github.com/scopatz/nanorc)
|
||||
|
||||
```bash
|
||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
||||
```
|
||||
|
||||
#### ucaresystem - script to update & cleanup packages easily
|
||||
|
||||
```bash
|
||||
sudo add-apt-repository ppa:utappia/stable -y
|
||||
sudo apt update
|
||||
sudo apt install ucaresystem-core -y
|
||||
```
|
||||
|
||||
Run server maintenance with the command :
|
||||
|
||||
```bash
|
||||
sudo ucaresystem-core
|
||||
```
|
||||
|
||||
### WP-CLI
|
||||
|
||||
#### Add bash-completion for user www-data
|
||||
|
||||
```bashrc
|
||||
# download wp-cli bash_completion
|
||||
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
|
||||
|
||||
# change /var/www owner
|
||||
chown www-data:www-data /var/www
|
||||
|
||||
# download .profile & .bashrc for www-data
|
||||
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
|
||||
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
|
||||
|
||||
# set owner
|
||||
chown www-data:www-data /var/www/.profile
|
||||
chown www-data:www-data /var/www/.bashrc
|
||||
```
|
||||
|
||||
### Custom Nginx error pages
|
||||
|
||||
[Github Repository](https://github.com/alexphelps/server-error-pages)
|
||||
|
||||
Installation
|
||||
|
||||
```bash
|
||||
# clone the github repository
|
||||
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
|
||||
|
||||
# download nginx configuration
|
||||
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
|
||||
```
|
||||
|
||||
Then include this configuration in your nginx vhost by adding the following line
|
||||
|
||||
```bash
|
||||
include common/error_pages.conf;
|
||||
```
|
||||
|
||||
Published & maintained by [VirtuBox](https://virtubox.net)
|
||||
|
|
|
@ -1,27 +1,50 @@
|
|||
# Common upstream settings
|
||||
upstream php {
|
||||
# server unix:/run/php5-fpm.sock;
|
||||
server 127.0.0.1:9000;
|
||||
server 127.0.0.1:9000;
|
||||
}
|
||||
upstream debug {
|
||||
# Debug Pool
|
||||
server 127.0.0.1:9001;
|
||||
server 127.0.0.1:9001;
|
||||
}
|
||||
# php7.0-fpm
|
||||
####### php7.0-fpm
|
||||
# php7.0-fpm TCP
|
||||
upstream php7 {
|
||||
server 127.0.0.1:9070;
|
||||
server 127.0.0.1:9070;
|
||||
}
|
||||
|
||||
upstream debug7 {
|
||||
server 127.0.0.1:9170;
|
||||
server 127.0.0.1:9170;
|
||||
}
|
||||
# php7.1-fpm
|
||||
# php7.0-fpm socket
|
||||
upstream php7-sock {
|
||||
least_conn;
|
||||
server unix:/var/run/php7-fpm.sock;
|
||||
server unix:/var/run/php7-two-fpm.sock;
|
||||
keepalive 5;
|
||||
}
|
||||
####### php7.1-fpm
|
||||
# php7.1-fpm TCP
|
||||
upstream php71 {
|
||||
server 127.0.0.1:9080;
|
||||
server 127.0.0.1:9080;
|
||||
}
|
||||
# php7.2-fpm
|
||||
# php7.1-fpm socket
|
||||
upstream php71-sock {
|
||||
least_conn;
|
||||
server unix:/var/run/php71-fpm.sock;
|
||||
server unix:/var/run/php71-two-fpm.sock;
|
||||
keepalive 5;
|
||||
}
|
||||
####### php7.2-fpm
|
||||
# php7.2-fpm TCP
|
||||
upstream php72 {
|
||||
server 127.0.0.1:9090;
|
||||
server 127.0.0.1:9090;
|
||||
}
|
||||
# php7.2-fpm socket
|
||||
upstream php72-sock {
|
||||
least_conn;
|
||||
server unix:/var/run/php72-fpm.sock;
|
||||
server unix:/var/run/php72-two-fpm.sock;
|
||||
keepalive 5;
|
||||
}
|
||||
# redis
|
||||
upstream redis {
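Review bot: The TCP pools (`server 127.0.0.1:9070;` and the 9080/9090 and debug entries) carry no access control on the nginx side, and php-fpm only enforces `listen.allowed_clients` from the pool config (not visible here), so any local process that can reach loopback can send FastCGI requests with an arbitrary `SCRIPT_FILENAME` and run PHP as the pool user; the `php7-sock`/`php71-sock`/`php72-sock` upstreams defined in the same hunk can be locked down with `listen.owner`/`listen.mode` on the socket, so the vhosts should prefer those and the TCP pools should be documented as loopback-only with `listen.allowed_clients = 127.0.0.1` set. `keepalive 5;` on the socket upstreams has no effect unless the `location ~ \.php$` blocks that use them also set `fastcgi_keep_conn on;`, which deserves a comment such as `# requires fastcgi_keep_conn on in the vhost`. The doubled `server 127.0.0.1:9000;` / `9001` / `9070` lines are most likely the old and new side of a re-indented line as this page renders them, but if both really exist on the new side nginx treats them as two identical peers and a retry simply hits the same port again. `upstream redis {` opens on the hunk's last line and closes outside it.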
|
||||
|
|
|
@ -1,161 +0,0 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
fastcgi_read_timeout 300;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
# nginx-vts-status module
|
||||
#vhost_traffic_status_zone;
|
||||
|
||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||
resolver_timeout 10;
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
# intermediate configuration. tweak to your needs.
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/css
|
||||
text/plain
|
||||
text/x-component
|
||||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
|
@ -1,180 +0,0 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
fastcgi_read_timeout 120s;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
# nginx-vts-status module
|
||||
#vhost_traffic_status_zone;
|
||||
|
||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||
resolver_timeout 10;
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/css
|
||||
text/plain
|
||||
text/x-component
|
||||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
|
|
@ -1,76 +1,76 @@
|
|||
user www-data;
|
||||
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
events {
|
||||
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
http {
|
||||
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
# Limit Request
|
||||
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
# fastcgi timeout and max_body_size limit
|
||||
|
||||
fastcgi_read_timeout 120s;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
# nginx-vts-status module
|
||||
#vhost_traffic_status_zone;
|
||||
|
||||
# dns resolver for oscp
|
||||
|
||||
# nginx-vts-status module
|
||||
vhost_traffic_status_zone;
|
||||
|
||||
# oscp settings
|
||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||
resolver_timeout 10;
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
# TLS v1.2 & v1.3 only by default
|
||||
# uncomment the following lines if you still want to use TLS v1.0
|
||||
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
# ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
@ -78,52 +78,60 @@ http
|
|||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
|
||||
##Common headers for security
|
||||
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
# Log format Settings
|
||||
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
|
||||
# ipscrub settings
|
||||
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
gzip_types application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
|
@ -141,9 +149,9 @@ http
|
|||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
|
@ -151,32 +159,18 @@ http
|
|||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
#Simple DOS mitigation
|
||||
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
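Review bot: `add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";` hands every client the exact EasyEngine version, which undoes the `server_tokens off;` set a few lines above it; since the file already relies on headers-more, replace it with `more_clear_headers 'X-Powered-By';` so that a PHP-emitted `X-Powered-By` (present if `expose_php` is left on in php.ini, not visible here) is stripped as well. The TLS 1.3 entries in `ssl_ciphers` use the draft-era `TLS13-*` names; with release OpenSSL 1.1.1 the TLS 1.3 suites are configured separately and unrecognised names in `ssl_ciphers` are silently ignored, so the list still loads but the TLS 1.3 ordering it implies is not applied — add `# TLS 1.3 suites are chosen by OpenSSL, not by this list` or drop those entries. Uncommenting `vhost_traffic_status_zone;` only allocates the shared zone; the `vhost_traffic_status_display` location that exposes it lives in a vhost outside this file and must be limited to loopback or an allow-list, because the page lists every server name and upstream address. The `http {` block these directives live in opens in the first hunk and closes in the last, with the lines between hunks not shown.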
|
||||
|
|
|
@ -0,0 +1,424 @@
|
|||
### Initial configuration
|
||||
|
||||
Configuration files with comments and informations available by following the link **source**
|
||||
|
||||
#### System update and packages cleanup
|
||||
|
||||
```bash
|
||||
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
|
||||
```
|
||||
|
||||
#### Install useful packages
|
||||
|
||||
```bash
|
||||
sudo apt install haveged curl git unzip zip fail2ban htop nload nmon ntp -y
|
||||
```
|
||||
|
||||
#### Tweak Kernel & Increase open files limits
|
||||
|
||||
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
|
||||
|
||||
```bash
|
||||
modprobe tcp_htcp
|
||||
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
|
||||
sysctl -p
|
||||
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
|
||||
```
|
||||
|
||||
#### disable transparent hugepage for redis
|
||||
|
||||
```bash
|
||||
echo never > /sys/kernel/mm/transparent_hugepage/enabled
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### EasyEngine Setup
|
||||
|
||||
#### Install MariaDB 10.3
|
||||
|
||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
|
||||
|
||||
```bash
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
|
||||
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
|
||||
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
|
||||
```
|
||||
|
||||
#### MySQL Tuning
|
||||
|
||||
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
|
||||
|
||||
```bash
|
||||
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
|
||||
```
|
||||
|
||||
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
|
||||
|
||||
```bash
|
||||
sudo service mysql stop
|
||||
|
||||
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
|
||||
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
|
||||
|
||||
sudo service mysql start
|
||||
```
|
||||
|
||||
Increase MariaDB open files limits
|
||||
|
||||
```bash
|
||||
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
|
||||
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl restart mariadb
|
||||
```
|
||||
|
||||
#### Install EasyEngine
|
||||
|
||||
```bash
|
||||
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
|
||||
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
|
||||
|
||||
wget -qO ee rt.cx/ee && bash ee
|
||||
```
|
||||
|
||||
#### enable ee bash_completion
|
||||
|
||||
```bash
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
```
|
||||
|
||||
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
|
||||
|
||||
```bash
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
```
|
||||
|
||||
#### Set your email instead of root@localhost
|
||||
|
||||
```bash
|
||||
echo 'root: my.email@address.com' >> /etc/aliases
|
||||
newaliases
|
||||
```
|
||||
|
||||
#### Install Composer - Fix phpmyadmin install issue
|
||||
|
||||
```bash
|
||||
cd ~/ ||exit
|
||||
curl -sS https://getcomposer.org/installer | php
|
||||
mv composer.phar /usr/bin/composer
|
||||
|
||||
chown www-data:www-data /var/www
|
||||
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
|
||||
```
|
||||
|
||||
#### Allow shell for www-data for SFTP usage
|
||||
|
||||
```bash
|
||||
usermod -s /bin/bash www-data
|
||||
```
|
||||
|
||||
### PHP 7.1 & 7.2 Setup
|
||||
|
||||
#### Install php7.1-fpm
|
||||
|
||||
```bash
|
||||
# php7.1-fpm
|
||||
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
|
||||
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
|
||||
|
||||
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
|
||||
|
||||
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
|
||||
service php7.1-fpm restart
|
||||
```
|
||||
|
||||
#### Install php7.2-fpm
|
||||
|
||||
```bash
|
||||
# php7.2-fpm
|
||||
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
|
||||
|
||||
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
|
||||
|
||||
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
|
||||
service php7.2-fpm restart
|
||||
```
|
||||
|
||||
#### add nginx upstreams
|
||||
|
||||
```bash
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
||||
service nginx reload
|
||||
```
|
||||
|
||||
#### add ee common configuration
|
||||
|
||||
```bash
|
||||
cd /etc/nginx/common || exit
|
||||
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
|
||||
unzip common.zip
|
||||
```
|
||||
|
||||
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
|
||||
|
||||
```bash
|
||||
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### Custom configurations
|
||||
|
||||
#### clean php-fpm php.ini configuration
|
||||
|
||||
```bash
|
||||
# PHP 7.0
|
||||
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
|
||||
service php7.0-fpm restart
|
||||
```
|
||||
|
||||
#### Nginx optimized configurations
|
||||
|
||||
```bash
|
||||
# TLSv1.2 TLSv1.3 only
|
||||
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
|
||||
```
|
||||
|
||||
#### Nginx configuration for netdata & new upstreams
|
||||
|
||||
```bash
|
||||
# custom conf for netdata metrics (php-fpm & nginx status pages)
|
||||
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
|
||||
|
||||
# add netdata, php7.1 and php7.2 upstream
|
||||
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
|
||||
|
||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
|
||||
```
|
||||
|
||||
#### Increase Nginx open files limits
|
||||
|
||||
```bash
|
||||
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
||||
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
|
||||
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl restart nginx.service
|
||||
```
|
||||
|
||||
#### wpcommon-php7x configurations
|
||||
|
||||
- webp rewrite rules added
|
||||
- DoS attack CVE fix added
|
||||
- php7.1 & php7.2 configuration added
|
||||
|
||||
```bash
|
||||
# 1) add webp mapping
|
||||
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
|
||||
|
||||
# 2) wpcommon files
|
||||
# php7
|
||||
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
|
||||
|
||||
# php7.1
|
||||
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
|
||||
|
||||
# php7.2
|
||||
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
|
||||
|
||||
nginx -t
|
||||
service nginx reload
|
||||
```
|
||||
|
||||
* * *
|
||||
|
||||
### Security
|
||||
|
||||
#### Harden SSH Security
|
||||
|
||||
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
|
||||
|
||||
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
|
||||
|
||||
#### UFW
|
||||
|
||||
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
|
||||
|
||||
```bash
|
||||
# enable ufw log - allow outgoing - deny incoming
|
||||
ufw logging low
|
||||
ufw default allow outgoing
|
||||
ufw default deny incoming
|
||||
|
||||
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
|
||||
ufw allow 22
|
||||
ufw allow 53
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 21
|
||||
ufw allow 123
|
||||
ufw allow 161
|
||||
ufw allow 6556
|
||||
ufw allow 19999
|
||||
ufw allow 22222
|
||||
|
||||
# enable UFW
|
||||
ufw enable
|
||||
```
|
||||
|
||||
#### Custom jails for fail2ban
|
||||
|
||||
- wordpress bruteforce
|
||||
- ssh
|
||||
- recidive (after 3 bans)
|
||||
- backend http auth
|
||||
- nginx bad bots
|
||||
|
||||
```bash
|
||||
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
|
||||
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
|
||||
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
|
||||
|
||||
fail2ban-client reload
|
||||
```
|
||||
|
||||
#### Secure Memcached server
|
||||
|
||||
```bash
|
||||
echo '-U 0' >> /etc/memcached.conf
|
||||
sudo systemctl restart memcached
|
||||
```
|
||||
|
||||
### Optional tools
|
||||
|
||||
#### ee-acme-sh
|
||||
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
||||
|
||||
* subdomain support
|
||||
* ivp6 support
|
||||
* wildcards certificates support
|
||||
|
||||
```bash
|
||||
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
|
||||
chmod +x install-ee-acme.sh
|
||||
./install-ee-acme.sh
|
||||
|
||||
# enable acme.sh & ee-acme-sh
|
||||
source .bashrc
|
||||
```
|
||||
|
||||
#### netdata
|
||||
|
||||
[Github repository](https://github.com/firehol/netdata)
|
||||
|
||||
```bash
|
||||
|
||||
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
|
||||
|
||||
# save 40-60% of netdata memory
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
|
||||
# disable email notifications
|
||||
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
|
||||
service netdata restart
|
||||
```
|
||||
|
||||
#### bash-snippets
|
||||
|
||||
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
|
||||
|
||||
```bash
|
||||
git clone https://github.com/alexanderepstein/Bash-Snippets
|
||||
cd Bash-Snippets
|
||||
git checkout v1.22.0
|
||||
./install.sh cheat
|
||||
```
|
||||
|
||||
usage : `cheat <command>`
|
||||
|
||||
```bash
|
||||
root@vps:~ cheat cat
|
||||
# cat
|
||||
|
||||
# Print and concatenate files.
|
||||
|
||||
# Print the contents of a file to the standard output:
|
||||
cat file
|
||||
|
||||
# Concatenate several files into the target file:
|
||||
cat file1 file2 > target_file
|
||||
|
||||
# Append several files into the target file:
|
||||
cat file1 file2 >> target_file
|
||||
|
||||
# Number all output lines:
|
||||
cat -n file
|
||||
```
|
||||
|
||||
#### nanorc - Improved Nano Syntax Highlighting Files
|
||||
|
||||
[Github repository](https://github.com/scopatz/nanorc)
|
||||
|
||||
```bash
|
||||
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
|
||||
```
|
||||
|
||||
#### ucaresystem - script to update & cleanup packages easily
|
||||
|
||||
```bash
|
||||
sudo add-apt-repository ppa:utappia/stable -y
|
||||
sudo apt update
|
||||
sudo apt install ucaresystem-core -y
|
||||
```
|
||||
|
||||
Run server maintenance with the command :
|
||||
|
||||
```bash
|
||||
sudo ucaresystem-core
|
||||
```
|
||||
|
||||
### WP-CLI
|
||||
|
||||
#### Add bash-completion for user www-data
|
||||
|
||||
```bashrc
|
||||
# download wp-cli bash_completion
|
||||
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
|
||||
|
||||
# change /var/www owner
|
||||
chown www-data:www-data /var/www
|
||||
|
||||
# download .profile & .bashrc for www-data
|
||||
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
|
||||
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
|
||||
|
||||
# set owner
|
||||
chown www-data:www-data /var/www/.profile
|
||||
chown www-data:www-data /var/www/.bashrc
|
||||
```
|
||||
|
||||
### Custom Nginx error pages
|
||||
|
||||
[Github Repository](https://github.com/alexphelps/server-error-pages)
|
||||
|
||||
Installation
|
||||
|
||||
```bash
|
||||
# clone the github repository
|
||||
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
|
||||
|
||||
# download nginx configuration
|
||||
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
|
||||
```
|
||||
|
||||
Then include this configuration in your nginx vhost by adding the following line
|
||||
|
||||
```bash
|
||||
include common/error_pages.conf;
|
||||
```
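Review bot: The "Harden SSH Security" step (`wget -O /etc/ssh/sshd_config https://virtubox.github.io/...`) overwrites the live sshd config with a remote file that, by its own WARNING, keeps root login enabled and accepts only ed25519/ECDSA keys, so an admin whose key is RSA is locked out at the next reconnect and nothing validates the file; add `sshd -t && systemctl reload ssh` after the download and tell the reader to keep the current session open until a second login succeeds. The same pattern — `wget -O /etc/...` or `curl … | bash` run as root for sysctl.conf, limits.conf, my.cnf, nginx.conf, the fail2ban jails, the MariaDB repo script, composer, netdata and EasyEngine — places full trust in several third-party HTTPS hosts with no checksum or signature check; at minimum pin a tag or commit in the `raw.githubusercontent.com/.../master/...` URLs and state that each file should be read before it is installed. In the UFW block, `ufw allow 19999` opens netdata's dashboard, which has no authentication of its own and (if its default bind address is unchanged) listens on all interfaces, to the whole internet even though the same data is already proxied behind the authenticated backend at `:22222/netdata/`; drop that rule or use `ufw allow from <admin-ip> to any port 19999`, and apply the same scrutiny to `ufw allow 53`, `ufw allow 161` and `ufw allow 22222`. The `sshd_config` download is also the only command in the file that sits outside a fenced code block.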
|
|
@ -28,10 +28,6 @@ map $request_uri $uri_cache {
|
|||
~*\/wp-links-opml\.php 1;
|
||||
~*\/wp-locations\.php 1;
|
||||
~*\/wp-\.*\.php 1;
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
map $request_method $request_cache {
|
||||
|
|
|
@ -1,68 +1,51 @@
|
|||
# Common upstream settings
|
||||
upstream php {
|
||||
# server unix:/run/php5-fpm.sock;
|
||||
server 127.0.0.1:9000;
|
||||
server 127.0.0.1:9000;
|
||||
}
|
||||
upstream debug {
|
||||
# Debug Pool
|
||||
server 127.0.0.1:9001;
|
||||
server 127.0.0.1:9001;
|
||||
}
|
||||
|
||||
####### php7.0-fpm
|
||||
|
||||
# php7.0-fpm TCP
|
||||
upstream php7 {
|
||||
server 127.0.0.1:9070;
|
||||
server 127.0.0.1:9070;
|
||||
}
|
||||
|
||||
upstream debug7 {
|
||||
server 127.0.0.1:9170;
|
||||
server 127.0.0.1:9170;
|
||||
}
|
||||
|
||||
# php7.0-fpm socket
|
||||
upstream php7-sock {
|
||||
least_conn;
|
||||
|
||||
server unix:/var/run/php7-fpm.sock;
|
||||
server unix:/var/run/php7-two-fpm.sock;
|
||||
|
||||
keepalive 5;
|
||||
least_conn;
|
||||
server unix:/var/run/php7-fpm.sock;
|
||||
server unix:/var/run/php7-two-fpm.sock;
|
||||
keepalive 5;
|
||||
}
|
||||
|
||||
####### php7.1-fpm
|
||||
|
||||
# php7.1-fpm TCP
|
||||
upstream php71 {
|
||||
server 127.0.0.1:9080;
|
||||
server 127.0.0.1:9080;
|
||||
}
|
||||
|
||||
# php7.1-fpm socket
|
||||
upstream php71-sock {
|
||||
least_conn;
|
||||
|
||||
server unix:/var/run/php71-fpm.sock;
|
||||
server unix:/var/run/php71-two-fpm.sock;
|
||||
|
||||
keepalive 5;
|
||||
least_conn;
|
||||
server unix:/var/run/php71-fpm.sock;
|
||||
server unix:/var/run/php71-two-fpm.sock;
|
||||
keepalive 5;
|
||||
}
|
||||
|
||||
####### php7.2-fpm
|
||||
|
||||
# php7.2-fpm TCP
|
||||
upstream php72 {
|
||||
server 127.0.0.1:9090;
|
||||
server 127.0.0.1:9090;
|
||||
}
|
||||
|
||||
# php7.2-fpm socket
|
||||
upstream php72-sock {
|
||||
least_conn;
|
||||
|
||||
server unix:/var/run/php72-fpm.sock;
|
||||
server unix:/var/run/php72-two-fpm.sock;
|
||||
|
||||
keepalive 5;
|
||||
least_conn;
|
||||
server unix:/var/run/php72-fpm.sock;
|
||||
server unix:/var/run/php72-two-fpm.sock;
|
||||
keepalive 5;
|
||||
}
|
||||
|
||||
# redis
|
||||
upstream redis {
|
||||
server 127.0.0.1:6379;
|
||||
|
|
|
@ -1,162 +0,0 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
fastcgi_read_timeout 300;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
# nginx-vts-status module
|
||||
#vhost_traffic_status_zone;
|
||||
|
||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||
resolver_timeout 10;
|
||||
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
# intermediate configuration. tweak to your needs.
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/css
|
||||
text/plain
|
||||
text/x-component
|
||||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
|
@ -1,180 +0,0 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
fastcgi_read_timeout 120s;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
# nginx-vts-status module
|
||||
#vhost_traffic_status_zone;
|
||||
|
||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||
resolver_timeout 10;
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/css
|
||||
text/plain
|
||||
text/x-component
|
||||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
|
|
@ -1,75 +1,76 @@
|
|||
user www-data;
|
||||
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
events {
|
||||
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
http {
|
||||
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
# Limit Request
|
||||
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
# fastcgi timeout and max_body_size limit
|
||||
|
||||
fastcgi_read_timeout 120s;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
# nginx-vts-status module
|
||||
#vhost_traffic_status_zone;
|
||||
|
||||
|
||||
# nginx-vts-status module
|
||||
vhost_traffic_status_zone;
|
||||
|
||||
# oscp settings
|
||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||
resolver_timeout 10;
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
# TLS v1.2 & v1.3 only by default
|
||||
# uncomment the following lines if you still want to use TLS v1.0
|
||||
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
# ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
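Review bot: `add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";` advertises the exact stack version while `server_tokens off;` a few lines earlier exists to hide it; drop the version from that value or remove the header, e.g. `add_header X-Powered-By "EasyEngine";`. The comment `# oscp settings` above the resolver should read `# OCSP settings`. The new `ssl_ciphers` string still lists `TLS13-*` suites next to `ssl_protocols TLSv1.2 TLSv1.3;`; with a released OpenSSL 1.1.1 those names are presumably not recognised by `ssl_ciphers` (TLS 1.3 suites are selected separately), so they are likely ignored — worth confirming with `nginx -T` on the target build and recording the result in a comment. The http block continues in the following hunks.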
@ -77,52 +78,60 @@ http
|
|||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
|
||||
##Common headers for security
|
||||
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
# Log format Settings
|
||||
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
|
||||
# ipscrub settings
|
||||
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
gzip_types application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
|
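Review bot: `include /etc/nginx/conf.d/*.conf;` and `include /etc/nginx/sites-enabled/*;` now sit directly after `include /etc/nginx/mime.types;`, before `log_format rt_cache ...` is declared; nginx resolves the format name in `access_log` while parsing, so any included vhost that uses `access_log ... rt_cache;` would fail the configuration test with an unknown log format. Keep the two includes at the end of the http block, after the logging, gzip and brotli settings, which is where the last hunk of this file removes them. The side assignment is inferred from the line counts (+8 here, -14 in the last hunk) and print order; if the includes are in fact the old position this does not apply. The http block starts outside this hunk.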
@ -140,9 +149,9 @@ http
|
|||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
|
@ -150,32 +159,18 @@ http
|
|||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
#Simple DOS mitigation
|
||||
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
|
||||
|
|
|
@ -1,90 +1,73 @@
|
|||
# EasyEngine admin NGINX CONFIGURATION
|
||||
|
||||
server {
|
||||
listen 22222 default_server ssl http2;
|
||||
access_log off;
|
||||
error_log /var/log/nginx/22222.error.log;
|
||||
ssl_certificate /var/www/22222/cert/22222.crt;
|
||||
ssl_certificate_key /var/www/22222/cert/22222.key;
|
||||
|
||||
listen 22222 default_server ssl http2;
|
||||
# Force HTTP to HTTPS
|
||||
error_page 497 =200 https://$host:22222$request_uri;
|
||||
root /var/www/22222/htdocs;
|
||||
index index.php index.htm index.html;
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/22222.error.log;
|
||||
# Turn on directory listing
|
||||
autoindex on;
|
||||
|
||||
ssl_certificate /var/www/22222/cert/22222.crt;
|
||||
ssl_certificate_key /var/www/22222/cert/22222.key;
|
||||
# HTTP Authentication on port 22222
|
||||
include common/acl.conf;
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
|
||||
# Force HTTP to HTTPS
|
||||
error_page 497 =200 https://$host:22222$request_uri;
|
||||
# nginx-vts-status
|
||||
location /vts_status {
|
||||
vhost_traffic_status_display;
|
||||
vhost_traffic_status_display_format html;
|
||||
}
|
||||
|
||||
root /var/www/22222/htdocs;
|
||||
index index.php index.htm index.html;
|
||||
|
||||
# Turn on directory listing
|
||||
autoindex on;
|
||||
|
||||
# HTTP Authentication on port 22222
|
||||
include common/acl.conf;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
|
||||
# nginx-vts-status
|
||||
#location /vts_status {
|
||||
#vhost_traffic_status_display;
|
||||
#vhost_traffic_status_display_format html;
|
||||
#}
|
||||
|
||||
# Display menu at location /fpm/status/
|
||||
location = /fpm/status/ {}
|
||||
|
||||
location ~ /fpm/status/(.*) {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_NAME /status;
|
||||
fastcgi_pass $1;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
|
||||
# ViMbAdmin Rules
|
||||
location = /vimbadmin/ {
|
||||
return 301 $scheme://$host:22222/vimbadmin/public/;
|
||||
}
|
||||
|
||||
|
||||
|
||||
location ~* /vimbadmin/public/(.*)/(.*) {
|
||||
root /var/www/22222/htdocs/vimbadmin/public;
|
||||
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
|
||||
}
|
||||
|
||||
location ~* /vimbadmin/public/(.*) {
|
||||
root /var/www/22222/htdocs/vimbadmin/public;
|
||||
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
|
||||
}
|
||||
|
||||
location /netdata {
|
||||
# Display menu at location /fpm/status/
|
||||
location = /fpm/status/;
|
||||
location ~ /fpm/status/(.*) {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_NAME /status;
|
||||
fastcgi_pass $1;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
|
||||
# ViMbAdmin Rules
|
||||
location = /vimbadmin/ {
|
||||
return 301 $scheme://$host:22222/vimbadmin/public/;
|
||||
}
|
||||
location ~* /vimbadmin/public/(.*)/(.*) {
|
||||
root /var/www/22222/htdocs/vimbadmin/public;
|
||||
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
|
||||
}
|
||||
location ~* /vimbadmin/public/(.*) {
|
||||
root /var/www/22222/htdocs/vimbadmin/public;
|
||||
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
|
||||
}
|
||||
location /netdata {
|
||||
return 301 /netdata/;
|
||||
}
|
||||
|
||||
location ~ /netdata/(?<ndpath>.*) {
|
||||
}
|
||||
location ~ /netdata/(?<ndpath>.*) {
|
||||
proxy_redirect off;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Connection "keep-alive";
|
||||
proxy_http_version 1.1;
|
||||
proxy_pass_request_headers on;
|
||||
proxy_set_header Connection "keep-alive";
|
||||
proxy_store off;
|
||||
proxy_pass http://netdata/$ndpath$is_args$args;
|
||||
|
||||
gzip on;
|
||||
gzip_proxied any;
|
||||
gzip_types *;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
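Review bot: `location = /fpm/status/;` in the compact copy of this server block is not valid nginx syntax — `location` requires a `{ }` block and the configuration test rejects the file; the other copy's `location = /fpm/status/ {}` is the form to keep. The same collapsing appears as `#location ~ /\.ht;` in the default vhost hunk, which suggests a formatter pass rather than a hand edit, so `nginx -t` should be run after formatting. Separately, `location ~ /fpm/status/(.*) { ... fastcgi_pass $1; }` hands the regex capture from the request URI straight to `fastcgi_pass`, so the destination is chosen by the client; restricting the pattern to the pools declared in upstream.conf, `location ~ ^/fpm/status/(php7|php71|php72|debug7)$ {`, keeps the status page working without an open destination.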
@ -10,103 +10,75 @@
|
|||
#
|
||||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
|
||||
##
|
||||
|
||||
# Default server configuration
|
||||
#
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
# SSL configuration
|
||||
#
|
||||
# listen 443 ssl default_server;
|
||||
# listen [::]:443 ssl default_server;
|
||||
#
|
||||
# Self signed certs generated by the ssl-cert package
|
||||
# Don't use them in a production server!
|
||||
# include snippets/snakeoil.conf;
|
||||
#
|
||||
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
|
||||
# ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
# ssl_prefer_server_ciphers on;
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
root /var/www/html;
|
||||
# SSL configuration
|
||||
#
|
||||
# listen 443 ssl default_server;
|
||||
# listen [::]:443 ssl default_server;
|
||||
#
|
||||
# Self signed certs generated by the ssl-cert package
|
||||
# Don't use them in a production server!
|
||||
# include snippets/snakeoil.conf;
|
||||
#
|
||||
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
|
||||
# ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
# ssl_prefer_server_ciphers on;
|
||||
|
||||
# Add index.php to the list if you are using PHP
|
||||
index index.html index.htm index.nginx-debian.html;
|
||||
root /var/www/html;
|
||||
|
||||
server_name _;
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/default.error.log;
|
||||
# Add index.php to the list if you are using PHP
|
||||
|
||||
index index.html index.htm index.nginx-debian.html;
|
||||
server_name _;
|
||||
access_log off;
|
||||
error_log /var/log/nginx/default.error.log;
|
||||
|
||||
location / {
|
||||
# First attempt to serve request as file, then
|
||||
# as directory, then fall back to displaying a 404.
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location /stub_status {
|
||||
# First attempt to serve request as file, then
|
||||
# as directory, then fall back to displaying a 404.
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
# statut page for librenms
|
||||
location /stub_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
||||
}
|
||||
|
||||
# phpfpm pool monitoring
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
include common/acl.conf;
|
||||
}
|
||||
|
||||
|
||||
|
||||
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
|
||||
#
|
||||
#location ~ \.php$ {
|
||||
# include snippets/fastcgi-php.conf;
|
||||
#
|
||||
# # With php5-cgi alone:
|
||||
# fastcgi_pass 127.0.0.1:9000;
|
||||
# # With php5-fpm:
|
||||
# fastcgi_pass unix:/var/run/php5-fpm.sock;
|
||||
#}
|
||||
|
||||
# deny access to .htaccess files, if Apache's document root
|
||||
# concurs with nginx's one
|
||||
#
|
||||
#location ~ /\.ht {
|
||||
# deny all;
|
||||
#}
|
||||
}
|
||||
|
||||
|
||||
# Virtual Host configuration for example.com
|
||||
# Status pages for netdata
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
||||
}
|
||||
# phpfpm pool monitoring
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
include common/acl.conf;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
|
||||
#
|
||||
# You can move that to a different file under sites-available/ and symlink that
|
||||
# to sites-enabled/ to enable it.
|
||||
#location ~ \.php$ {
|
||||
# include snippets/fastcgi-php.conf;
|
||||
#
|
||||
#server {
|
||||
# listen 80;
|
||||
# listen [::]:80;
|
||||
#
|
||||
# server_name example.com;
|
||||
#
|
||||
# root /var/www/example.com;
|
||||
# index index.html;
|
||||
#
|
||||
# location / {
|
||||
# try_files $uri $uri/ =404;
|
||||
# }
|
||||
# # With php5-cgi alone:
|
||||
# fastcgi_pass 127.0.0.1:9000;
|
||||
# # With php5-fpm:
|
||||
# fastcgi_pass unix:/var/run/php5-fpm.sock;
|
||||
#}
|
||||
# deny access to .htaccess files, if Apache's document root
|
||||
# concurs with nginx's one
|
||||
#
|
||||
#location ~ /\.ht;
|
||||
}
|
||||
}
|
||||
|
|
|
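Review bot: `location ~ ^/(status|ping) { include fastcgi_params; include common/acl.conf; fastcgi_pass php7; }` exposes the php-fpm pool status on the plain-HTTP catch-all server (`listen 80 default_server;`, `server_name _;`); if `common/acl.conf` is the HTTP authentication the 22222 vhost comments describe, those credentials travel in clear text on port 80, so either keep this endpoint on the TLS admin port or restrict it with `allow 127.0.0.1; deny all;` as the stub_status locations do. `location /stub_status` and `location /nginx_status` are byte-for-byte identical; one location with a comment naming both consumers, `# stub_status for netdata and librenms`, would do. The comment `# statut page for librenms` should read `# status page for librenms`.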
@ -0,0 +1,190 @@
|
|||
[PHP]
|
||||
|
||||
engine = On
|
||||
short_open_tag = Off
|
||||
precision = 14
|
||||
output_buffering = 4096
|
||||
zlib.output_compression = Off
|
||||
implicit_flush = Off
|
||||
unserialize_callback_func =
|
||||
serialize_precision = -1
|
||||
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
|
||||
disable_classes =
|
||||
zend.enable_gc = On
|
||||
expose_php = Off
|
||||
max_execution_time = 300
|
||||
max_input_time = 600
|
||||
max_input_vars = 20000
|
||||
memory_limit = -1
|
||||
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
|
||||
display_errors = Off
|
||||
display_startup_errors = Off
|
||||
log_errors = On
|
||||
log_errors_max_len = 1024
|
||||
ignore_repeated_errors = Off
|
||||
ignore_repeated_source = Off
|
||||
report_memleaks = On
|
||||
track_errors = Off
|
||||
html_errors = On
|
||||
variables_order = "GPCS"
|
||||
request_order = "GP"
|
||||
register_argc_argv = Off
|
||||
auto_globals_jit = On
|
||||
post_max_size = 128M
|
||||
auto_prepend_file =
|
||||
auto_append_file =
|
||||
default_mimetype = "text/html"
|
||||
default_charset = "UTF-8"
|
||||
doc_root =
|
||||
user_dir =
|
||||
enable_dl = Off
|
||||
file_uploads = On
|
||||
upload_max_filesize = 128M
|
||||
max_file_uploads = 20
|
||||
allow_url_fopen = On
|
||||
allow_url_include = Off
|
||||
default_socket_timeout = 60
|
||||
|
||||
[CLI Server]
|
||||
cli_server.color = On
|
||||
|
||||
[Date]
|
||||
date.timezone = Europe/Paris
|
||||
|
||||
[filter]
|
||||
|
||||
[iconv]
|
||||
|
||||
[intl]
|
||||
|
||||
[sqlite3]
|
||||
|
||||
[Pcre]
|
||||
|
||||
[Pdo]
|
||||
|
||||
[Pdo_mysql]
|
||||
pdo_mysql.cache_size = 2000
|
||||
pdo_mysql.default_socket=
|
||||
|
||||
[Phar]
|
||||
|
||||
[mail function]
|
||||
SMTP = localhost
|
||||
smtp_port = 25
|
||||
mail.add_x_header = On
|
||||
|
||||
[SQL]
|
||||
sql.safe_mode = Off
|
||||
|
||||
[ODBC]
|
||||
odbc.allow_persistent = On
|
||||
odbc.check_persistent = On
|
||||
odbc.max_persistent = -1
|
||||
odbc.max_links = -1
|
||||
odbc.defaultlrl = 4096
|
||||
odbc.defaultbinmode = 1
|
||||
|
||||
[Interbase]
|
||||
ibase.allow_persistent = 1
|
||||
ibase.max_persistent = -1
|
||||
ibase.max_links = -1
|
||||
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
|
||||
ibase.dateformat = "%Y-%m-%d"
|
||||
ibase.timeformat = "%H:%M:%S"
|
||||
|
||||
[MySQLi]
|
||||
mysqli.max_persistent = -1
|
||||
mysqli.allow_persistent = On
|
||||
mysqli.max_links = -1
|
||||
mysqli.cache_size = 2000
|
||||
mysqli.default_port = 3306
|
||||
mysqli.default_socket =
|
||||
mysqli.default_host =
|
||||
mysqli.default_user =
|
||||
mysqli.default_pw =
|
||||
mysqli.reconnect = Off
|
||||
|
||||
[mysqlnd]
|
||||
mysqlnd.collect_statistics = On
|
||||
mysqlnd.collect_memory_statistics = Off
|
||||
|
||||
[OCI8]
|
||||
|
||||
[PostgreSQL]
|
||||
pgsql.allow_persistent = On
|
||||
pgsql.auto_reset_persistent = Off
|
||||
pgsql.max_persistent = -1
|
||||
pgsql.max_links = -1
|
||||
pgsql.ignore_notice = 0
|
||||
pgsql.log_notice = 0
|
||||
|
||||
[bcmath]
|
||||
bcmath.scale = 0
|
||||
|
||||
[browscap]
|
||||
|
||||
[Session]
|
||||
session.save_handler = files
|
||||
session.use_strict_mode = 0
|
||||
session.use_cookies = 1
|
||||
session.cookie_secure = 1
|
||||
session.use_only_cookies = 1
|
||||
session.name = PHPSESSID
|
||||
session.auto_start = 0
|
||||
session.cookie_lifetime = 0
|
||||
session.cookie_path = /
|
||||
session.cookie_domain =
|
||||
session.cookie_httponly = 1
|
||||
session.serialize_handler = php
|
||||
session.gc_probability = 0
|
||||
session.gc_divisor = 1000
|
||||
session.gc_maxlifetime = 1440
|
||||
session.referer_check =
|
||||
session.cache_limiter = nocache
|
||||
session.cache_expire = 180
|
||||
session.use_trans_sid = 0
|
||||
session.sid_length = 26
|
||||
session.trans_sid_tags = "a=href,area=href,frame=src,form="
|
||||
session.sid_bits_per_character = 5
|
||||
|
||||
[Assertion]
|
||||
zend.assertions = -1
|
||||
|
||||
[COM]
|
||||
|
||||
[mbstring]
|
||||
|
||||
[gd]
|
||||
|
||||
[exif]
|
||||
|
||||
[Tidy]
|
||||
tidy.clean_output = Off
|
||||
|
||||
[soap]
|
||||
soap.wsdl_cache_enabled=1
|
||||
soap.wsdl_cache_dir="/tmp"
|
||||
soap.wsdl_cache_ttl=86400
|
||||
soap.wsdl_cache_limit = 5
|
||||
|
||||
[sysvshm]
|
||||
|
||||
[ldap]
|
||||
ldap.max_links = -1
|
||||
|
||||
[mcrypt]
|
||||
|
||||
[dba]
|
||||
|
||||
[opcache]
|
||||
opcache.enable=1
|
||||
opcache.enable_cli=1
|
||||
opcache.interned_strings_buffer=8
|
||||
opcache.max_accelerated_files=10000
|
||||
opcache.memory_consumption=256
|
||||
opcache.save_comments=1
|
||||
opcache.revalidate_freq=1
|
||||
|
||||
[curl]
|
||||
[openssl]
|
|
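Review bot: `memory_limit = -1` removes the per-request memory cap in this new php.ini, so a single runaway request can consume a php-fpm worker's entire memory; a bounded value sized for the site (for example `memory_limit = 256M`, to be adjusted per deployment) is the safer default for a web-facing pool. `session.use_strict_mode = 0` lets PHP accept session ids it never issued; `session.use_strict_mode = 1` is the usual hardening alongside the `session.cookie_secure = 1` and `session.cookie_httponly = 1` already set here. The second php.ini hunk that follows repeats these settings but runs past this view. `date.timezone = Europe/Paris` is hard-coded and deserves a comment marking it as a value to change per deployment.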
@ -0,0 +1,185 @@
|
|||
[PHP]
|
||||
|
||||
engine = On
|
||||
short_open_tag = Off
|
||||
precision = 14
|
||||
output_buffering = 4096
|
||||
zlib.output_compression = Off
|
||||
implicit_flush = Off
|
||||
unserialize_callback_func =
|
||||
serialize_precision = -1
|
||||
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
|
||||
disable_classes =
|
||||
zend.enable_gc = On
|
||||
expose_php = Off
|
||||
max_execution_time = 300
|
||||
max_input_vars = 10000
|
||||
max_input_time = 600
|
||||
memory_limit = -1
|
||||
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
|
||||
display_errors = Off
|
||||
display_startup_errors = Off
|
||||
log_errors = On
|
||||
log_errors_max_len = 1024
|
||||
ignore_repeated_errors = Off
|
||||
ignore_repeated_source = Off
|
||||
report_memleaks = On
|
||||
html_errors = On
|
||||
variables_order = "GPCS"
|
||||
request_order = "GP"
|
||||
register_argc_argv = Off
|
||||
auto_globals_jit = On
|
||||
post_max_size = 128M
|
||||
auto_prepend_file =
|
||||
auto_append_file =
|
||||
default_mimetype = "text/html"
|
||||
default_charset = "UTF-8"
|
||||
doc_root =
|
||||
user_dir =
|
||||
enable_dl = Off
|
||||
file_uploads = On
|
||||
upload_max_filesize = 128M
|
||||
max_file_uploads = 20
|
||||
allow_url_fopen = On
|
||||
allow_url_include = Off
|
||||
default_socket_timeout = 60
|
||||
|
||||
[CLI Server]
|
||||
cli_server.color = On
|
||||
|
||||
[Date]
|
||||
date.timezone = Europe/Paris
|
||||
|
||||
[filter]
|
||||
|
||||
[iconv]
|
||||
|
||||
[intl]
|
||||
|
||||
[sqlite3]
|
||||
|
||||
[Pcre]
|
||||
|
||||
[Pdo]
|
||||
|
||||
[Pdo_mysql]
|
||||
pdo_mysql.cache_size = 2000
|
||||
pdo_mysql.default_socket=
|
||||
|
||||
[Phar]
|
||||
|
||||
[mail function]
|
||||
SMTP = localhost
|
||||
smtp_port = 25
|
||||
mail.add_x_header = On
|
||||
|
||||
[ODBC]
|
||||
odbc.allow_persistent = On
|
||||
odbc.check_persistent = On
|
||||
odbc.max_persistent = -1
|
||||
odbc.max_links = -1
|
||||
odbc.defaultlrl = 4096
|
||||
odbc.defaultbinmode = 1
|
||||
|
||||
[Interbase]
|
||||
ibase.allow_persistent = 1
|
||||
ibase.max_persistent = -1
|
||||
ibase.max_links = -1
|
||||
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
|
||||
ibase.dateformat = "%Y-%m-%d"
|
||||
ibase.timeformat = "%H:%M:%S"
|
||||
|
||||
[MySQLi]
|
||||
mysqli.max_persistent = -1
|
||||
mysqli.allow_persistent = On
|
||||
mysqli.max_links = -1
|
||||
mysqli.cache_size = 2000
|
||||
mysqli.default_port = 3306
|
||||
mysqli.default_socket =
|
||||
mysqli.default_host =
|
||||
mysqli.default_user =
|
||||
mysqli.default_pw =
|
||||
mysqli.reconnect = Off
|
||||
|
||||
[mysqlnd]
|
||||
mysqlnd.collect_statistics = On
|
||||
mysqlnd.collect_memory_statistics = Off
|
||||
|
||||
[OCI8]
|
||||
|
||||
[PostgreSQL]
|
||||
pgsql.allow_persistent = On
|
||||
pgsql.auto_reset_persistent = Off
|
||||
pgsql.max_persistent = -1
|
||||
pgsql.max_links = -1
|
||||
pgsql.ignore_notice = 0
|
||||
pgsql.log_notice = 0
|
||||
|
||||
[bcmath]
|
||||
bcmath.scale = 0
|
||||
|
||||
[browscap]
|
||||
|
||||
[Session]
|
||||
session.save_handler = files
|
||||
session.use_strict_mode = 0
|
||||
session.use_cookies = 1
|
||||
session.cookie_secure = 1
|
||||
session.use_only_cookies = 1
|
||||
session.name = PHPSESSID
|
||||
session.auto_start = 0
|
||||
session.cookie_lifetime = 0
|
||||
session.cookie_path = /
|
||||
session.cookie_domain =
|
||||
session.cookie_httponly =
|
||||
session.serialize_handler = php
|
||||
session.gc_probability = 0
|
||||
session.gc_divisor = 1000
|
||||
session.gc_maxlifetime = 1440
|
||||
session.referer_check =
|
||||
session.cache_limiter = nocache
|
||||
session.cache_expire = 180
|
||||
session.use_trans_sid = 0
|
||||
session.sid_length = 26
|
||||
session.trans_sid_tags = "a=href,area=href,frame=src,form="
|
||||
session.sid_bits_per_character = 5
|
||||
|
||||
[Assertion]
|
||||
zend.assertions = -1
|
||||
|
||||
[COM]
|
||||
|
||||
[mbstring]
|
||||
|
||||
[gd]
|
||||
|
||||
[exif]
|
||||
|
||||
[Tidy]
|
||||
tidy.clean_output = Off
|
||||
|
||||
[soap]
|
||||
soap.wsdl_cache_enabled=1
|
||||
soap.wsdl_cache_dir="/tmp"
|
||||
soap.wsdl_cache_ttl=86400
|
||||
soap.wsdl_cache_limit = 5
|
||||
|
||||
[sysvshm]
|
||||
|
||||
[ldap]
|
||||
ldap.max_links = -1
|
||||
|
||||
[dba]
|
||||
|
||||
[opcache]
|
||||
opcache.enable=1
|
||||
opcache.enable_cli=1
|
||||
opcache.interned_strings_buffer=8
|
||||
opcache.max_accelerated_files=10000
|
||||
opcache.memory_consumption=256
|
||||
opcache.save_comments=1
|
||||
opcache.revalidate_freq=1
|
||||
|
||||
[curl]
|
||||
|
||||
[openssl]
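Review bot: `session.cookie_httponly =` is left empty in the `[Session]` block of this new php.ini, while the sibling php.ini earlier in this commit sets `session.cookie_httponly = 1`; an empty value leaves the session cookie readable by script, so it should read `session.cookie_httponly = 1`. In the same block `session.use_strict_mode = 0` lets the server adopt an uninitialized session ID supplied by the client (session fixation); `session.use_strict_mode = 1` is the safer setting for a pool serving WordPress. `memory_limit = -1` removes the per-request memory cap for every FPM worker, so a single runaway request can exhaust the host — a finite limit sized to the pool is preferable. `disable_functions` lists only the `pcntl_*` family; if `exec`, `shell_exec`, `system`, `passthru` and `proc_open` are left available on purpose (e.g. for wp-cli), a comment saying so would spare the next reviewer the question.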
|
|
@ -3,10 +3,10 @@
|
|||
# automated EasyEngine server configuration script
|
||||
# currently in progress, not ready to be used in production yet
|
||||
|
||||
#CSI="\\033["
|
||||
#CEND="${CSI}0m"
|
||||
CSI="\\033["
|
||||
CEND="${CSI}0m"
|
||||
#CRED="${CSI}1;31m"
|
||||
#CGREEN="${CSI}1;32m"
|
||||
CGREEN="${CSI}1;32m"
|
||||
|
||||
##################################
|
||||
# Variables
|
||||
|
@ -47,10 +47,19 @@ while [[ $mariadb_server_install != "y" && $mariadb_server_install != "n" ]]; do
|
|||
done
|
||||
if [ "$mariadb_server_install" = "n" ]; then
|
||||
echo ""
|
||||
echo "Do you want to install MariaDB-client ? (y/n)"
|
||||
echo "Do you want to install MariaDB-client for a remote database ? (y/n)"
|
||||
while [[ $mariadb_client_install != "y" && $mariadb_client_install != "n" ]]; do
|
||||
read -p "Select an option [y/n]: " mariadb_client_install
|
||||
done
|
||||
echo ""
|
||||
echo "What is the IP of your remote database ?"
|
||||
read -p "IP : " mariadb_remote_ip
|
||||
echo ""
|
||||
echo "What is the user of your remote database ?"
|
||||
read -p "User : " mariadb_remote_user
|
||||
echo ""
|
||||
echo "What is the password of your remote database ?"
|
||||
read -s -p "password [hidden] : " mariadb_remote_pass
|
||||
fi
|
||||
if [[ "$mariadb_server_install" == "y" || "$mariadb_client_install" == "y" ]]; then
|
||||
echo ""
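Review bot: The three remote-database prompts (`read -p "IP : "`, `read -p "User : "`, `read -s -p "password [hidden] : "`) run whenever the server install is declined, even after the user has just answered `n` to installing the client, so they should be guarded with `if [ "$mariadb_client_install" = "y" ]; then … fi`. The password lands in `mariadb_remote_pass`; any later consumer must use exactly that name. All three `read`s should take `-r` so a backslash in a password is not mangled, and the `read -s` needs an `echo ""` after it so the next output does not continue on the hidden-input line. The `if [ "$mariadb_server_install" = "n" ]` block that encloses these prompts is fully inside the hunk.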
|
||||
|
@ -80,7 +89,8 @@ echo ""
|
|||
# Update packages
|
||||
##################################
|
||||
|
||||
echo "updating packages"
|
||||
|
||||
echo -ne " Updating packages [..]\\r"
|
||||
{
|
||||
apt-get update
|
||||
apt-get upgrade -y
|
||||
|
@ -88,10 +98,13 @@ echo "updating packages"
|
|||
apt-get autoclean -y
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
echo -ne " Updating packages [${CGREEN}OK${CEND}]\\r"
|
||||
|
||||
##################################
|
||||
# UFW
|
||||
##################################
|
||||
echo "configuring UFW"
|
||||
echo ""
|
||||
echo -ne " Configuring UFW [..]\\r"
|
||||
{
|
||||
if [ ! -d /etc/ufw ]; then
|
||||
apt-get install ufw -y >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
@ -121,35 +134,44 @@ echo "configuring UFW"
|
|||
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
echo -ne " Configuring UFW [${CGREEN}OK${CEND}]\\r"
|
||||
|
||||
##################################
|
||||
# Useful packages
|
||||
##################################
|
||||
|
||||
echo "installing useful packages"
|
||||
echo -ne " Installing useful packages [..]\\r"
|
||||
{
|
||||
|
||||
apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg2 wget -y
|
||||
# ntp time
|
||||
systemctl enable ntp
|
||||
|
||||
# increase history size
|
||||
export HISTSIZE=10000
|
||||
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
echo -ne " Installing useful packages [${CGREEN}OK${CEND}]\\r"
|
||||
|
||||
##################################
|
||||
# clone repository
|
||||
##################################
|
||||
|
||||
echo "cloning ubuntu-nginx-web-server"
|
||||
echo ""
|
||||
echo -ne " Cloning ubuntu-nginx-web-server [..]\\r"
|
||||
{
|
||||
cd /tmp || exit
|
||||
rm -rf /tmp/ubuntu-nginx-web-server
|
||||
git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git
|
||||
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
echo -ne " [${CGREEN}OK${CEND}]\\r"
|
||||
|
||||
##################################
|
||||
# Sysctl tweaks + open_files limits
|
||||
##################################
|
||||
echo "applying kernel tweaks"
|
||||
echo ""
|
||||
echo -ne " Applying kernel tweaks [..]\\r"
|
||||
{
|
||||
sudo modprobe tcp_htcp
|
||||
cp -f $REPO_PATH/etc/sysctl.conf /etc/sysctl.conf
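Review bot: The clone step's outcome is never checked: `rm -rf /tmp/ubuntu-nginx-web-server` followed by `git clone` into a fixed path in world-writable /tmp means that if another local user pre-creates that directory (or the clone simply fails, which the log redirect hides) the script carries on and `cp -f $REPO_PATH/etc/sysctl.conf /etc/sysctl.conf` installs whatever is there into /etc as root. Clone into a `mktemp -d` directory, abort on failure, and — since this is the supply chain for every config file the script installs — pin to a release tag or commit rather than the moving default branch. `REPO_PATH` is not assigned anywhere in this hunk; presumably it names `/tmp/ubuntu-nginx-web-server` — confirm it is derived from the clone target so the two cannot drift apart. The `export HISTSIZE=10000` inside the braces only affects this script's own process and is a no-op for the user's shell.
```shell
# … unchanged: useful packages block …
{
  REPO_PATH=$(mktemp -d /tmp/ubuntu-nginx-web-server.XXXXXX) || exit 1
  git clone --depth 1 https://github.com/VirtuBox/ubuntu-nginx-web-server.git "$REPO_PATH" || {
    echo "git clone failed, aborting" >&2
    exit 1
  }
} >>/tmp/ubuntu-nginx-web-server.log
# … unchanged: sysctl tweaks, now reading from "$REPO_PATH" …
```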
|
||||
|
@ -160,16 +182,18 @@ echo "applying kernel tweaks"
|
|||
echo never >/sys/kernel/mm/transparent_hugepage/enabled
|
||||
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
echo -ne " Cloning ubuntu-nginx-web-server [${CGREEN}OK${CEND}]\\r"
|
||||
##################################
|
||||
# Add MariaDB 10.3 repository
|
||||
##################################
|
||||
|
||||
if [[ "$mariadb_server_install" == "y" || "$mariadb_client_install" == "y" ]]; then
|
||||
echo "adding mariadb repository"
|
||||
echo ""
|
||||
echo -ne " Adding mariadb repository [..]\\r"
|
||||
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup |
|
||||
sudo bash -s -- --mariadb-server-version=$mariadb_version_install --skip-maxscale -y
|
||||
apt-get update >>/tmp/ubuntu-nginx-web-server.log
|
||||
echo -ne " Adding mariadb repository [${CGREEN}OK${CEND}]\\r"
|
||||
fi
|
||||
|
||||
##################################
|
||||
|
@ -177,7 +201,9 @@ fi
|
|||
##################################
|
||||
|
||||
if [ "$mariadb_server_install" = "y" ]; then
|
||||
echo "installing MariaDB $mariadb_version_install"
|
||||
echo ""
|
||||
echo -ne " Installing MariaDB $mariadb_version_install [..]\\r"
|
||||
|
||||
MYSQL_ROOT_PASS=$(date +%s | sha256sum | base64 | head -c 32)
|
||||
export DEBIAN_FRONTEND=noninteractive # to avoid prompt during installation
|
||||
sudo debconf-set-selections <<<"mariadb-server-$mariadb_version_install mysql-server/root_password password $MYSQL_ROOT_PASS"
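Review bot: `MYSQL_ROOT_PASS=$(date +%s | sha256sum | base64 | head -c 32)` derives the MariaDB root password from the current Unix second, so it is fully determined by the install time; anyone who can narrow that down (file mtimes, the log in /tmp) recovers it with a few thousand guesses. Take the value from the kernel CSPRNG instead, e.g. `MYSQL_ROOT_PASS=$(head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 32)`. The `debconf-set-selections` line is fine once the value is random; where the password is persisted for later use lies outside this hunk.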
|
||||
|
@ -192,7 +218,8 @@ if [ "$mariadb_server_install" = "y" ]; then
|
|||
Q2="FLUSH PRIVILEGES;"
|
||||
SQL="${Q1}${Q2}"
|
||||
mysql -uroot -e "$SQL"
|
||||
|
||||
|
||||
echo -ne " Installing MariaDB $mariadb_version_install [${CGREEN}OK${CEND}]\\r"
|
||||
##################################
|
||||
# MariaDB tweaks
|
||||
##################################
|
||||
|
@ -209,26 +236,40 @@ if [ "$mariadb_server_install" = "y" ]; then
|
|||
sudo systemctl daemon-reload >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
sudo service mysql start >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
elif [ "$mariadb_client_install" = "y" ]; then
|
||||
echo "installing mariadb-client"
|
||||
apt-get install -y mariadb-client >>/tmp/ubuntu-nginx-web-server.log
|
||||
echo "[client]" >>$HOME/.my.cnf
|
||||
echo "host = $mariadb_remote_ip" >>$HOME/.my.cnf
|
||||
echo "port = 3306" >>$HOME/.my.cnf
|
||||
echo "password = $mariadb_remote_user" >>$HOME/.my.cnf
|
||||
echo "password = $mariadb_remote_password" >>$HOME/.my.cnf
|
||||
cp -f $REPO_PATH/etc/mysql/my.cnf /etc/mysql/my.cnf
|
||||
sudo sed -i 's/grant-host = localhost/grant-host = \%/' /etc/ee/ee.conf
|
||||
fi
|
||||
|
||||
##################################
|
||||
# EasyEngine automated install
|
||||
##################################
|
||||
echo "installing easyengine"
|
||||
|
||||
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = $USER@$HOSTNAME" > $HOME/.gitconfig'
|
||||
sudo wget -qO ee rt.cx/ee && sudo bash ee
|
||||
{
|
||||
sudo wget -qO ee rt.cx/ee && sudo bash ee
|
||||
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
source /etc/bash_completion.d/ee_auto.rc
|
||||
} >>/tmp/ubuntu-nginx-web-server.log 2>&1
|
||||
|
||||
##################################
|
||||
# EasyEngine stacks install
|
||||
##################################
|
||||
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
echo "Installing ee stack"
|
||||
{
|
||||
ee stack install
|
||||
ee stack install --php7 --redis --admin --phpredisadmin
|
||||
} >>/tmp/ubuntu-nginx-web-server.log 2>&1
|
||||
|
||||
##################################
|
||||
# Fix phpmyadmin install
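Review bot: The `.my.cnf` written for the remote-database case is wrong on two lines: `echo "password = $mariadb_remote_user"` should carry the `user =` key, and `$mariadb_remote_password` is not the variable the prompt fills (`read -s -p … mariadb_remote_pass` earlier in this commit), so the file ends up with no user and an empty password. It is also created with the default umask and appended to (`>>`), so the plaintext credential is likely world-readable and every rerun adds another `[client]` section; create it with mode 600 and overwrite it. `sed -i 's/grant-host = localhost/grant-host = \%/' /etc/ee/ee.conf` makes EasyEngine grant its database users from any host (`%`) instead of this server's address, and it runs before the EasyEngine install a few lines below, so /etc/ee/ee.conf may not exist yet — confirm the ordering. The `wget -qO ee rt.cx/ee && sudo bash ee` line fetches an installer through a URL shortener with no scheme (wget defaults to http) and runs it as root; it predates this commit, but wrapping it in braces is a good moment to switch to the full https URL and check its exit status.
```shell
# … unchanged: apt-get install -y mariadb-client …
install -m 600 /dev/null "$HOME/.my.cnf"
cat >"$HOME/.my.cnf" <<EOF
[client]
host = $mariadb_remote_ip
port = 3306
user = $mariadb_remote_user
password = $mariadb_remote_pass
EOF
# … unchanged: my.cnf copy and ee.conf sed …
```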
|
||||
|
@ -243,7 +284,7 @@ echo "updating phpmyadmin"
|
|||
chown www-data:www-data /var/www
|
||||
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
|
||||
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
} >>/tmp/ubuntu-nginx-web-server.log 2>&1
|
||||
|
||||
##################################
|
||||
# Allow www-data shell access for SFTP + add .bashrc settings et completion
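Review bot: The new `} >>/tmp/ubuntu-nginx-web-server.log 2>&1` keeps appending root-level command output — now including stderr — to a fixed, predictable file in world-writable /tmp, a classic pre-creation/symlink target; Ubuntu's default `fs.protected_symlinks` blunts the symlink case, but the script installs its own sysctl.conf, and any local user can still pre-create and read the file. Log under a root-owned directory instead, e.g. `LOG=/var/log/ubuntu-nginx-web-server.log` defined once near the top and `} >>"$LOG" 2>&1` here. Note that the redirect now also hides composer's stderr, so a failed `composer update` goes unnoticed unless the log is read.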
|
||||
|
@ -254,8 +295,8 @@ echo "configuring www-data permissions"
|
|||
usermod -s /bin/bash www-data
|
||||
|
||||
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash >>/tmp/ubuntu-nginx-web-server.log
|
||||
cp -f /var/www/.profile $REPO_PATH/files/var/www/.profile
|
||||
cp -f /var/www/.bashrc $REPO_PATH/files/var/www/.bashrc
|
||||
cp -f $REPO_PATH/var/www/.profile /var/www/.profile
|
||||
cp -f $REPO_PATH/var/www/.bashrc /var/www/.bashrc
|
||||
|
||||
chown www-data:www-data /var/www/.profile
|
||||
chown www-data:www-data /var/www/.bashrc
|
||||
|
@ -367,6 +408,7 @@ echo "configuring fail2ban"
|
|||
{
|
||||
|
||||
cp -f $REPO_PATH/etc/fail2ban/filter.d/ddos.conf /etc/fail2ban/filter.d/ddos.conf
|
||||
cp -f $REPO_PATH/etc/fail2ban/filter.d/nginx-forbidden.conf /etc/fail2ban/filter.d/nginx-forbidden.conf
|
||||
cp -f $REPO_PATH/etc/fail2ban/filter.d/ee-wordpress.conf /etc/fail2ban/filter.d/ee-wordpress.conf
|
||||
cp -f $REPO_PATH/etc/fail2ban/jail.d/custom.conf /etc/fail2ban/jail.d/custom.conf
|
||||
cp -f $REPO_PATH/etc/fail2ban/jail.d/ddos.conf /etc/fail2ban/jail.d/ddos.conf
|
||||
|
@ -424,22 +466,23 @@ fi
|
|||
|
||||
if [ ! -d /etc/netdata ]; then
|
||||
echo "installing netdata"
|
||||
## install dependencies
|
||||
apt-get install autoconf autoconf-archive autogen automake gcc libmnl-dev lm-sensors make nodejs pkg-config python python-mysqldb python-psycopg2 python-pymongo python-yaml uuid-dev zlib1g-dev -y >>/tmp/ubuntu-nginx-web-server.log
|
||||
{
|
||||
## install dependencies
|
||||
apt-get install autoconf autoconf-archive autogen automake gcc libmnl-dev lm-sensors make nodejs pkg-config python python-mysqldb python-psycopg2 python-pymongo python-yaml uuid-dev zlib1g-dev -y >>/tmp/ubuntu-nginx-web-server.log
|
||||
|
||||
## install nedata
|
||||
wget https://my-netdata.io/kickstart.sh >>/tmp/ubuntu-nginx-web-server.log
|
||||
chmod +x kickstart.sh
|
||||
./kickstart.sh all --dont-wait
|
||||
## install nedata
|
||||
wget https://my-netdata.io/kickstart.sh >>/tmp/ubuntu-nginx-web-server.log
|
||||
chmod +x kickstart.sh
|
||||
./kickstart.sh all --dont-wait
|
||||
|
||||
## optimize netdata resources usage
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
|
||||
## disable email notifigrep -cions
|
||||
sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
|
||||
sudo service netdata restart
|
||||
## optimize netdata resources usage
|
||||
echo 1 >/sys/kernel/mm/ksm/run
|
||||
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
|
||||
|
||||
## disable email notifigrep -cions
|
||||
sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
|
||||
sudo service netdata restart
|
||||
} >>/tmp/ubuntu-nginx-web-server.log
|
||||
fi
|
||||
|
||||
##################################
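Review bot: `wget https://my-netdata.io/kickstart.sh` followed by `./kickstart.sh all --dont-wait` runs whatever file named kickstart.sh sits in the current directory as root: wget without `-O` does not overwrite an existing file (it saves kickstart.sh.1), so a stale or pre-planted file in the working directory — apparently /tmp after the earlier `cd /tmp`, confirm — is executed instead, and a failed download is hidden by the log redirect. Download to a `mktemp` path, abort on failure and run that path explicitly. The comment `## disable email notifigrep -cions` looks like a search-and-replace accident and should read `## disable email notifications`. Wrapping the block in braces changes no behaviour, but the apt-get line inside keeps its own `>>/tmp/ubuntu-nginx-web-server.log` redirect, which is now redundant.
```shell
# … unchanged: dependency install …
kick=$(mktemp) || exit 1
wget -qO "$kick" https://my-netdata.io/kickstart.sh || { echo "netdata download failed" >&2; exit 1; }
bash "$kick" all --dont-wait
rm -f "$kick"
# … unchanged: ksm tuning, notification sed, service restart …
```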
|