virtubox
/
ubuntu-nginx-web-server
mirror of https://github.com/VirtuBox/ubuntu-nginx-web-server
1
0
Fork 0
Code Issues Releases Wiki Activity

updating repository structure 

the first release of ubuntu-nginx-web-server script will be available soon. Current documentation will be moved in docs folder
This commit is contained in:
VirtuBox 2018-08-08 07:23:19 +02:00
parent 86129ef2fc
commit da19927ea9
19 changed files with 1213 additions and 1955 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

447
README.md
View File

@ -1,452 +1,31 @@
# Optimized configuration for Ubuntu server with EasyEngine
# Bash Script to setup an optimized web server with EasyEngine v3
* * *
## Server Stack
- Ubuntu 16.04/18.04 LTS
- Nginx 1.15.x / 1.14.x
- PHP-FPM 7/7.1/7.2
- MariaDB 10.3
- MariaDB 10.1/10.2/10.3
- REDIS 4.0
- Memcached
- Fail2ban
- Fail2ban & UFW
- Netdata
- UFW
- Proftpd
- Acme.sh
* * *
**All Instructions and informations are listed on the [Github page](https://virtubox.github.io/ubuntu-nginx-web-server/)**
Configuration files with comments and informations available by following the link **source**
### Features
### Initial configuration
- Automated MariaDB install (10.1/10.2/10.3)
- Apply Linux server tweaks
- Install EasyEngine
- Install php7.1-fpm & php7.2-fpm
- Compile the latest Nginx release
- Install and configure UFW & Fail2ban
- Install Netdata and EasyEngine-Dashboard
#### System update and packages cleanup
```bash
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
```
#### Install useful packages
```bash
sudo apt install haveged curl git unzip zip fail2ban htop nload nmon ntp -y
```
#### Tweak Kernel & Increase open files limits
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
```bash
modprobe tcp_htcp
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
```
#### disable transparent hugepage for redis
```bash
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```
* * *
### EasyEngine Setup
#### Install MariaDB 10.3
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
```bash
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
```
#### MySQL Tuning
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
```bash
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
```
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
```bash
sudo service mysql stop
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
sudo service mysql start
```
Increase MariaDB open files limits
```bash
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart mariadb
```
#### Install EasyEngine
```bash
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
wget -qO ee rt.cx/ee && bash ee
```
#### enable ee bash_completion
```bash
source /etc/bash_completion.d/ee_auto.rc
```
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
```bash
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
```
#### Set your email instead of root@localhost
```bash
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
```
#### Install Composer - Fix phpmyadmin install issue
```bash
cd ~/ ||exit
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
```
#### Allow shell for www-data for SFTP usage
```bash
usermod -s /bin/bash www-data
```
### PHP 7.1 & 7.2 Setup
#### Install php7.1-fpm
```bash
# php7.1-fpm
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart
```
#### Install php7.2-fpm
```bash
# php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
service php7.2-fpm restart
```
#### add nginx upstreams
```bash
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
service nginx reload
```
#### add ee common configuration
```bash
cd /etc/nginx/common || exit
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
unzip common.zip
```
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
```bash
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
```
* * *
### Custom configurations
#### clean php-fpm php.ini configuration
```bash
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
```
#### Nginx optimized configurations
```bash
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
```
#### Nginx configuration for netdata & new upstreams
```bash
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
```
#### Increase Nginx open files limits
```bash
sudo mkdir -p /etc/systemd/system/nginx.service.d
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart nginx.service
```
#### wpcommon-php7x configurations
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
```bash
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
nginx -t
service nginx reload
```
* * *
### Security
#### Harden SSH Security
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
#### UFW
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
```bash
# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# enable UFW
ufw enable
```
#### Custom jails for fail2ban
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
```bash
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/filter.d/nginx-forbidden.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/nginx-forbidden.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
```
#### Secure Memcached server
```bash
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
```
### Optional tools
#### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
* subdomain support
* ivp6 support
* wildcards certificates support
```bash
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
chmod +x install-ee-acme.sh
./install-ee-acme.sh
# enable acme.sh & ee-acme-sh
source .bashrc
```
#### netdata
[Github repository](https://github.com/firehol/netdata)
```bash
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
# disable email notifications
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
service netdata restart
```
#### bash-snippets
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
```bash
git clone https://github.com/alexanderepstein/Bash-Snippets
cd Bash-Snippets
git checkout v1.22.0
./install.sh cheat
```
usage : `cheat <command>`
```bash
root@vps:~ cheat cat
# cat
# Print and concatenate files.
# Print the contents of a file to the standard output:
cat file
# Concatenate several files into the target file:
cat file1 file2 > target_file
# Append several files into the target file:
cat file1 file2 >> target_file
# Number all output lines:
cat -n file
```
#### nanorc - Improved Nano Syntax Highlighting Files
[Github repository](https://github.com/scopatz/nanorc)
```bash
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
```
#### ucaresystem - script to update & cleanup packages easily
```bash
sudo add-apt-repository ppa:utappia/stable -y
sudo apt update
sudo apt install ucaresystem-core -y
```
Run server maintenance with the command :
```bash
sudo ucaresystem-core
```
### WP-CLI
#### Add bash-completion for user www-data
```bashrc
# download wp-cli bash_completion
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
# change /var/www owner
chown www-data:www-data /var/www
# download .profile & .bashrc for www-data
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
# set owner
chown www-data:www-data /var/www/.profile
chown www-data:www-data /var/www/.bashrc
```
### Custom Nginx error pages
[Github Repository](https://github.com/alexphelps/server-error-pages)
Installation
```bash
# clone the github repository
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
# download nginx configuration
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
```
Then include this configuration in your nginx vhost by adding the following line
```bash
include common/error_pages.conf;
```
Published & maintained by [VirtuBox](https://virtubox.net)

434
docs/README.md
View File

@ -1,4 +1,4 @@
# Ubuntu optimized configuration with EasyEngine
# Bash Script to setup an optimized web server with EasyEngine
* * *
@ -7,445 +7,19 @@
- Ubuntu 16/18.04 LTS
- Nginx 1.15.x / 1.14.x
- PHP-FPM 7/7.1/7.2
- MariaDB 10.3
- MariaDB 10.1/10.2/10.3
- REDIS 4.0
- Memcached
- Fail2ban
- Netdata
- UFW
- Proftpd
- Acme.sh
* * *
Configuration files with comments and informations available by following the link **source**
### Initial configuration
#### System update and packages cleanup
```bash
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
```
#### Install useful packages
```bash
sudo apt install haveged curl git unzip zip fail2ban htop nload nmon ntp -y
```
#### Tweak Kernel & Increase open files limits
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
```bash
modprobe tcp_htcp
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
```
#### disable transparent hugepage for redis
```bash
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```
* * *
### EasyEngine Setup
#### Install MariaDB 10.3
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
```bash
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
```
#### MySQL Tuning
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
```bash
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
```
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
```bash
sudo service mysql stop
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
sudo service mysql start
```
Increase MariaDB open files limits
```bash
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart mariadb
```
#### Install EasyEngine
```bash
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
wget -qO ee rt.cx/ee && bash ee
```
#### enable ee bash_completion
```bash
source /etc/bash_completion.d/ee_auto.rc
```
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
```bash
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
```
#### Set your email instead of root@localhost
```bash
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
```
#### Install Composer - Fix phpmyadmin install issue
```bash
cd ~/ ||exit
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
```
#### Allow shell for www-data for SFTP usage
```bash
usermod -s /bin/bash www-data
```
### PHP 7.1 & 7.2 Setup
#### Install php7.1-fpm
```bash
# php7.1-fpm
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart
```
#### Install php7.2-fpm
```bash
# php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
service php7.2-fpm restart
```
#### add nginx upstreams
```bash
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
service nginx reload
```
#### add ee common configuration
```bash
cd /etc/nginx/common || exit
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
unzip common.zip
```
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
```bash
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
```
* * *
### Custom configurations
#### clean php-fpm php.ini configuration
```bash
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
```
#### Nginx optimized configurations
```bash
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf
# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf
```
#### Nginx configuration for netdata & new upstreams
```bash
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
```
#### Increase Nginx open files limits
```bash
sudo mkdir -p /etc/systemd/system/nginx.service.d
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart nginx.service
```
#### wpcommon-php7x configurations
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
```bash
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
nginx -t
service nginx reload
```
* * *
### Security
#### Harden SSH Security
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
#### UFW
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
```bash
# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# enable UFW
ufw enable
```
#### Custom jails for fail2ban
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
```bash
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/filter.d/nginx-forbidden.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/nginx-forbidden.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
```
#### Secure Memcached server
```bash
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
```
### Optional tools
#### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
* subdomain support
* ivp6 support
* wildcards certificates support
```bash
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
chmod +x install-ee-acme.sh
./install-ee-acme.sh
# enable acme.sh & ee-acme-sh
source .bashrc
```
#### netdata
[Github repository](https://github.com/firehol/netdata)
```bash
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
# disable email notifications
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
service netdata restart
```
#### bash-snippets
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
```bash
git clone https://github.com/alexanderepstein/Bash-Snippets
cd Bash-Snippets
git checkout v1.22.0
./install.sh cheat
```
usage : `cheat <command>`
```bash
root@vps:~ cheat cat
# cat
# Print and concatenate files.
# Print the contents of a file to the standard output:
cat file
# Concatenate several files into the target file:
cat file1 file2 > target_file
# Append several files into the target file:
cat file1 file2 >> target_file
# Number all output lines:
cat -n file
```
#### nanorc - Improved Nano Syntax Highlighting Files
[Github repository](https://github.com/scopatz/nanorc)
```bash
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
```
#### ucaresystem - script to update & cleanup packages easily
```bash
sudo add-apt-repository ppa:utappia/stable -y
sudo apt update
sudo apt install ucaresystem-core -y
```
Run server maintenance with the command :
```bash
sudo ucaresystem-core
```
### WP-CLI
#### Add bash-completion for user www-data
```bashrc
# download wp-cli bash_completion
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
# change /var/www owner
chown www-data:www-data /var/www
# download .profile & .bashrc for www-data
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
# set owner
chown www-data:www-data /var/www/.profile
chown www-data:www-data /var/www/.bashrc
```
### Custom Nginx error pages
[Github Repository](https://github.com/alexphelps/server-error-pages)
Installation
```bash
# clone the github repository
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
# download nginx configuration
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
```
Then include this configuration in your nginx vhost by adding the following line
```bash
include common/error_pages.conf;
```
Published & maintained by [VirtuBox](https://virtubox.net)

43
docs/files/etc/nginx/conf.d/upstream.conf
View File

@ -1,27 +1,50 @@
# Common upstream settings
upstream php {
# server unix:/run/php5-fpm.sock;
server 127.0.0.1:9000;
server 127.0.0.1:9000;
}
upstream debug {
# Debug Pool
server 127.0.0.1:9001;
server 127.0.0.1:9001;
}
# php7.0-fpm
####### php7.0-fpm
# php7.0-fpm TCP
upstream php7 {
server 127.0.0.1:9070;
server 127.0.0.1:9070;
}
upstream debug7 {
server 127.0.0.1:9170;
server 127.0.0.1:9170;
}
# php7.1-fpm
# php7.0-fpm socket
upstream php7-sock {
least_conn;
server unix:/var/run/php7-fpm.sock;
server unix:/var/run/php7-two-fpm.sock;
keepalive 5;
}
####### php7.1-fpm
# php7.1-fpm TCP
upstream php71 {
server 127.0.0.1:9080;
server 127.0.0.1:9080;
}
# php7.2-fpm
# php7.1-fpm socket
upstream php71-sock {
least_conn;
server unix:/var/run/php71-fpm.sock;
server unix:/var/run/php71-two-fpm.sock;
keepalive 5;
}
####### php7.2-fpm
# php7.2-fpm TCP
upstream php72 {
server 127.0.0.1:9090;
server 127.0.0.1:9090;
}
# php7.2-fpm socket
upstream php72-sock {
least_conn;
server unix:/var/run/php72-fpm.sock;
server unix:/var/run/php72-two-fpm.sock;
keepalive 5;
}
# redis
upstream redis {

161
docs/files/etc/nginx/nginx-intermediate.conf
View File

@ -1,161 +0,0 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events
{
worker_connections 16384;
multi_accept on;
use epoll;
}
http
{
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
fastcgi_read_timeout 300;
client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# tls dynamic records patch directive
ssl_dyn_rec_enable on;
# nginx-vts-status module
#vhost_traffic_status_zone;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 10;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
##Common headers for security
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';
# ipscrub settings
ipscrub_period_seconds 3600;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

180
docs/files/etc/nginx/nginx-tlsv12.conf
View File

@ -1,180 +0,0 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events
{
worker_connections 16384;
multi_accept on;
use epoll;
}
http
{
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
fastcgi_read_timeout 120s;
client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# tls dynamic records patch directive
ssl_dyn_rec_enable on;
# nginx-vts-status module
#vhost_traffic_status_zone;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 10;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
ssl_protocols TLSv1.2;
ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
##Common headers for security
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';
# ipscrub settings
ipscrub_period_seconds 3600;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

170
docs/files/etc/nginx/nginx.conf
View File

@ -1,76 +1,76 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events
{
events {
worker_connections 16384;
multi_accept on;
use epoll;
}
http
{
##
# EasyEngine Settings
##
http {
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
# fastcgi timeout and max_body_size limit
fastcgi_read_timeout 120s;
client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# tls dynamic records patch directive
# tls dynamic records patch directive
ssl_dyn_rec_enable on;
# nginx-vts-status module
#vhost_traffic_status_zone;
# dns resolver for oscp
# nginx-vts-status module
vhost_traffic_status_zone;
# oscp settings
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 10;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
##
# SSL Settings
##
# TLS v1.2 & v1.3 only by default
# uncomment the following lines if you still want to use TLS v1.0
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
@ -78,52 +78,60 @@ http
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
##Common headers for security
##Common headers for security
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';
# ipscrub settings
# ipscrub settings
ipscrub_period_seconds 3600;
##
# Gzip Settings
##
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
gzip_types application/atom+xml
application/javascript
application/json
application/rss+xml
@ -141,9 +149,9 @@ http
text/xml
text/javascript;
##
# Brotli Settings
##
##
# Brotli Settings
##
brotli on;
brotli_static on;
@ -151,32 +159,18 @@ http
brotli_comp_level 6;
brotli_types *;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

424
docs/pages/documentation.md Normal file
View File

@ -0,0 +1,424 @@
### Initial configuration
Configuration files with comments and informations available by following the link **source**
#### System update and packages cleanup
```bash
apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean
```
#### Install useful packages
```bash
sudo apt install haveged curl git unzip zip fail2ban htop nload nmon ntp -y
```
#### Tweak Kernel & Increase open files limits
[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
```bash
modprobe tcp_htcp
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf
```
#### disable transparent hugepage for redis
```bash
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```
* * *
### EasyEngine Setup
#### Install MariaDB 10.3
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
```bash
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y
```
#### MySQL Tuning
You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
```bash
wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf
```
It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
```bash
sudo service mysql stop
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
sudo service mysql start
```
Increase MariaDB open files limits
```bash
wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart mariadb
```
#### Install EasyEngine
```bash
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
wget -qO ee rt.cx/ee && bash ee
```
#### enable ee bash_completion
```bash
source /etc/bash_completion.d/ee_auto.rc
```
#### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend
```bash
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
```
#### Set your email instead of root@localhost
```bash
echo 'root: my.email@address.com' >> /etc/aliases
newaliases
```
#### Install Composer - Fix phpmyadmin install issue
```bash
cd ~/ ||exit
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
```
#### Allow shell for www-data for SFTP usage
```bash
usermod -s /bin/bash www-data
```
### PHP 7.1 & 7.2 Setup
#### Install php7.1-fpm
```bash
# php7.1-fpm
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl
wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf
wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart
```
#### Install php7.2-fpm
```bash
# php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y
wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf
wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
service php7.2-fpm restart
```
#### add nginx upstreams
```bash
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
service nginx reload
```
#### add ee common configuration
```bash
cd /etc/nginx/common || exit
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
unzip common.zip
```
### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee)
```bash
bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)
```
* * *
### Custom configurations
#### clean php-fpm php.ini configuration
```bash
# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart
```
#### Nginx optimized configurations
```bash
# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf
```
#### Nginx configuration for netdata & new upstreams
```bash
# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default
# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222
```
#### Increase Nginx open files limits
```bash
sudo mkdir -p /etc/systemd/system/nginx.service.d
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart nginx.service
```
#### wpcommon-php7x configurations
- webp rewrite rules added
- DoS attack CVE fix added
- php7.1 & php7.2 configuration added
```bash
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf
# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf
# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf
# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf
nginx -t
service nginx reload
```
* * *
### Security
#### Harden SSH Security
WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config
#### UFW
Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
```bash
# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming
# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222
# enable UFW
ufw enable
```
#### Custom jails for fail2ban
- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
```bash
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
wget -O /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf
fail2ban-client reload
```
#### Secure Memcached server
```bash
echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached
```
### Optional tools
#### ee-acme-sh
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
* subdomain support
* ivp6 support
* wildcards certificates support
```bash
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
chmod +x install-ee-acme.sh
./install-ee-acme.sh
# enable acme.sh & ee-acme-sh
source .bashrc
```
#### netdata
[Github repository](https://github.com/firehol/netdata)
```bash
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
# disable email notifications
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
service netdata restart
```
#### bash-snippets
[Github repository](https://github.com/alexanderepstein/Bash-Snippets)
```bash
git clone https://github.com/alexanderepstein/Bash-Snippets
cd Bash-Snippets
git checkout v1.22.0
./install.sh cheat
```
usage : `cheat <command>`
```bash
root@vps:~ cheat cat
# cat
# Print and concatenate files.
# Print the contents of a file to the standard output:
cat file
# Concatenate several files into the target file:
cat file1 file2 > target_file
# Append several files into the target file:
cat file1 file2 >> target_file
# Number all output lines:
cat -n file
```
#### nanorc - Improved Nano Syntax Highlighting Files
[Github repository](https://github.com/scopatz/nanorc)
```bash
wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh
```
#### ucaresystem - script to update & cleanup packages easily
```bash
sudo add-apt-repository ppa:utappia/stable -y
sudo apt update
sudo apt install ucaresystem-core -y
```
Run server maintenance with the command :
```bash
sudo ucaresystem-core
```
### WP-CLI
#### Add bash-completion for user www-data
```bashrc
# download wp-cli bash_completion
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
# change /var/www owner
chown www-data:www-data /var/www
# download .profile & .bashrc for www-data
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc
# set owner
chown www-data:www-data /var/www/.profile
chown www-data:www-data /var/www/.bashrc
```
### Custom Nginx error pages
[Github Repository](https://github.com/alexphelps/server-error-pages)
Installation
```bash
# clone the github repository
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error
# download nginx configuration
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf
```
Then include this configuration in your nginx vhost by adding the following line
```bash
include common/error_pages.conf;
```

0
docs/pages/nginx.md Normal file
View File

0
docs/pages/php.md Normal file
View File

4
etc/nginx/conf.d/map-wp-cache.conf
View File

@ -28,10 +28,6 @@ map $request_uri $uri_cache {
~*\/wp-links-opml\.php 1;
~*\/wp-locations\.php 1;
~*\/wp-\.*\.php 1;
}
map $request_method $request_cache {

53
etc/nginx/conf.d/upstream.conf
View File

@ -1,68 +1,51 @@
# Common upstream settings
upstream php {
# server unix:/run/php5-fpm.sock;
server 127.0.0.1:9000;
server 127.0.0.1:9000;
}
upstream debug {
# Debug Pool
server 127.0.0.1:9001;
server 127.0.0.1:9001;
}
####### php7.0-fpm
# php7.0-fpm TCP
upstream php7 {
server 127.0.0.1:9070;
server 127.0.0.1:9070;
}
upstream debug7 {
server 127.0.0.1:9170;
server 127.0.0.1:9170;
}
# php7.0-fpm socket
upstream php7-sock {
least_conn;
server unix:/var/run/php7-fpm.sock;
server unix:/var/run/php7-two-fpm.sock;
keepalive 5;
least_conn;
server unix:/var/run/php7-fpm.sock;
server unix:/var/run/php7-two-fpm.sock;
keepalive 5;
}
####### php7.1-fpm
# php7.1-fpm TCP
upstream php71 {
server 127.0.0.1:9080;
server 127.0.0.1:9080;
}
# php7.1-fpm socket
upstream php71-sock {
least_conn;
server unix:/var/run/php71-fpm.sock;
server unix:/var/run/php71-two-fpm.sock;
keepalive 5;
least_conn;
server unix:/var/run/php71-fpm.sock;
server unix:/var/run/php71-two-fpm.sock;
keepalive 5;
}
####### php7.2-fpm
# php7.2-fpm TCP
upstream php72 {
server 127.0.0.1:9090;
server 127.0.0.1:9090;
}
# php7.2-fpm socket
upstream php72-sock {
least_conn;
server unix:/var/run/php72-fpm.sock;
server unix:/var/run/php72-two-fpm.sock;
keepalive 5;
least_conn;
server unix:/var/run/php72-fpm.sock;
server unix:/var/run/php72-two-fpm.sock;
keepalive 5;
}
# redis
upstream redis {
server 127.0.0.1:6379;

162
etc/nginx/nginx-intermediate.conf
View File

@ -1,162 +0,0 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events
{
worker_connections 16384;
multi_accept on;
use epoll;
}
http
{
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
fastcgi_read_timeout 300;
client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# tls dynamic records patch directive
ssl_dyn_rec_enable on;
# nginx-vts-status module
#vhost_traffic_status_zone;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 10;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
##Common headers for security
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';
# ipscrub settings
ipscrub_period_seconds 3600;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

180
etc/nginx/nginx-tlsv12.conf
View File

@ -1,180 +0,0 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events
{
worker_connections 16384;
multi_accept on;
use epoll;
}
http
{
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
fastcgi_read_timeout 120s;
client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# tls dynamic records patch directive
ssl_dyn_rec_enable on;
# nginx-vts-status module
#vhost_traffic_status_zone;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 10;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
ssl_protocols TLSv1.2;
ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
##Common headers for security
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';
# ipscrub settings
ipscrub_period_seconds 3600;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

169
etc/nginx/nginx.conf
View File

@ -1,75 +1,76 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events
{
events {
worker_connections 16384;
multi_accept on;
use epoll;
}
http
{
##
# EasyEngine Settings
##
http {
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
# fastcgi timeout and max_body_size limit
fastcgi_read_timeout 120s;
client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# tls dynamic records patch directive
# tls dynamic records patch directive
ssl_dyn_rec_enable on;
# nginx-vts-status module
#vhost_traffic_status_zone;
# nginx-vts-status module
vhost_traffic_status_zone;
# oscp settings
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 10;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
##
# SSL Settings
##
# TLS v1.2 & v1.3 only by default
# uncomment the following lines if you still want to use TLS v1.0
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
@ -77,52 +78,60 @@ http
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
##Common headers for security
##Common headers for security
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';
# ipscrub settings
# ipscrub settings
ipscrub_period_seconds 3600;
##
# Gzip Settings
##
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
gzip_types application/atom+xml
application/javascript
application/json
application/rss+xml
@ -140,9 +149,9 @@ http
text/xml
text/javascript;
##
# Brotli Settings
##
##
# Brotli Settings
##
brotli on;
brotli_static on;
@ -150,32 +159,18 @@ http
brotli_comp_level 6;
brotli_types *;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

119
etc/nginx/sites-available/22222
View File

@ -1,90 +1,73 @@
# EasyEngine admin NGINX CONFIGURATION
server {
listen 22222 default_server ssl http2;
access_log off;
error_log /var/log/nginx/22222.error.log;
ssl_certificate /var/www/22222/cert/22222.crt;
ssl_certificate_key /var/www/22222/cert/22222.key;
listen 22222 default_server ssl http2;
# Force HTTP to HTTPS
error_page 497 =200 https://$host:22222$request_uri;
root /var/www/22222/htdocs;
index index.php index.htm index.html;
access_log off;
error_log /var/log/nginx/22222.error.log;
# Turn on directory listing
autoindex on;
ssl_certificate /var/www/22222/cert/22222.crt;
ssl_certificate_key /var/www/22222/cert/22222.key;
# HTTP Authentication on port 22222
include common/acl.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
# Force HTTP to HTTPS
error_page 497 =200 https://$host:22222$request_uri;
# nginx-vts-status
location /vts_status {
vhost_traffic_status_display;
vhost_traffic_status_display_format html;
}
root /var/www/22222/htdocs;
index index.php index.htm index.html;
# Turn on directory listing
autoindex on;
# HTTP Authentication on port 22222
include common/acl.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
# nginx-vts-status
#location /vts_status {
#vhost_traffic_status_display;
#vhost_traffic_status_display_format html;
#}
# Display menu at location /fpm/status/
location = /fpm/status/ {}
location ~ /fpm/status/(.*) {
try_files $uri =404;
include fastcgi_params;
fastcgi_param SCRIPT_NAME /status;
fastcgi_pass $1;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php7;
}
# ViMbAdmin Rules
location = /vimbadmin/ {
return 301 $scheme://$host:22222/vimbadmin/public/;
}
location ~* /vimbadmin/public/(.*)/(.*) {
root /var/www/22222/htdocs/vimbadmin/public;
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
}
location ~* /vimbadmin/public/(.*) {
root /var/www/22222/htdocs/vimbadmin/public;
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
}
location /netdata {
# Display menu at location /fpm/status/
location = /fpm/status/;
location ~ /fpm/status/(.*) {
try_files $uri =404;
include fastcgi_params;
fastcgi_param SCRIPT_NAME /status;
fastcgi_pass $1;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php7;
}
# ViMbAdmin Rules
location = /vimbadmin/ {
return 301 $scheme://$host:22222/vimbadmin/public/;
}
location ~* /vimbadmin/public/(.*)/(.*) {
root /var/www/22222/htdocs/vimbadmin/public;
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
}
location ~* /vimbadmin/public/(.*) {
root /var/www/22222/htdocs/vimbadmin/public;
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
}
location /netdata {
return 301 /netdata/;
}
location ~ /netdata/(?<ndpath>.*) {
}
location ~ /netdata/(?<ndpath>.*) {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection "keep-alive";
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Connection "keep-alive";
proxy_store off;
proxy_pass http://netdata/$ndpath$is_args$args;
gzip on;
gzip_proxied any;
gzip_types *;
}
}

136
etc/nginx/sites-available/default
View File

@ -10,103 +10,75 @@
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
# include snippets/snakeoil.conf;
#
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # dont use SSLv3 ref: POODLE
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
# include snippets/snakeoil.conf;
#
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # dont use SSLv3 ref: POODLE
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
root /var/www/html;
server_name _;
access_log off;
error_log /var/log/nginx/default.error.log;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
access_log off;
error_log /var/log/nginx/default.error.log;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location /stub_status {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# statut page for librenms
location /stub_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
}
# Status pages
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
# phpfpm pool monitoring
location ~ ^/(status|ping) {
include fastcgi_params;
fastcgi_pass php7;
include common/acl.conf;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
# fastcgi_pass unix:/var/run/php5-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
# Status pages for netdata
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
# phpfpm pool monitoring
location ~ ^/(status|ping) {
include fastcgi_params;
include common/acl.conf;
fastcgi_pass php7;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
# fastcgi_pass unix:/var/run/php5-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht;
}
}

190
etc/php/7.1/cli/php.ini Normal file
View File

@ -0,0 +1,190 @@
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
disable_classes =
zend.enable_gc = On
expose_php = Off
max_execution_time = 300
max_input_time = 600
max_input_vars = 20000
memory_limit = -1
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 128M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 128M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
date.timezone = Europe/Paris
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 1
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=1
[curl]
[openssl]

185
etc/php/7.2/cli/php.ini Normal file
View File

@ -0,0 +1,185 @@
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
disable_classes =
zend.enable_gc = On
expose_php = Off
max_execution_time = 300
max_input_vars = 10000
max_input_time = 600
memory_limit = -1
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 128M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 128M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
date.timezone = Europe/Paris
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[dba]
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=1
[curl]
[openssl]

111
scripts/init.sh → init.sh
View File

@ -3,10 +3,10 @@
# automated EasyEngine server configuration script
# currently in progress, not ready to be used in production yet
#CSI="\\033["
#CEND="${CSI}0m"
CSI="\\033["
CEND="${CSI}0m"
#CRED="${CSI}1;31m"
#CGREEN="${CSI}1;32m"
CGREEN="${CSI}1;32m"
##################################
# Variables
@ -47,10 +47,19 @@ while [[ $mariadb_server_install != "y" && $mariadb_server_install != "n" ]]; do
done
if [ "$mariadb_server_install" = "n" ]; then
echo ""
echo "Do you want to install MariaDB-client ? (y/n)"
echo "Do you want to install MariaDB-client for a remote database ? (y/n)"
while [[ $mariadb_client_install != "y" && $mariadb_client_install != "n" ]]; do
read -p "Select an option [y/n]: " mariadb_client_install
done
echo ""
echo "What is the IP of your remote database ?"
read -p "IP : " mariadb_remote_ip
echo ""
echo "What is the user of your remote database ?"
read -p "User : " mariadb_remote_user
echo ""
echo "What is the password of your remote database ?"
read -s -p "password [hidden] : " mariadb_remote_pass
fi
if [[ "$mariadb_server_install" == "y" || "$mariadb_client_install" == "y" ]]; then
echo ""
@ -80,7 +89,8 @@ echo ""
# Update packages
##################################
echo "updating packages"
echo -ne " Updating packages [..]\\r"
{
apt-get update
apt-get upgrade -y
@ -88,10 +98,13 @@ echo "updating packages"
apt-get autoclean -y
} >>/tmp/ubuntu-nginx-web-server.log
echo -ne " Updating packages [${CGREEN}OK${CEND}]\\r"
##################################
# UFW
##################################
echo "configuring UFW"
echo ""
echo -ne " Configuring UFW [..]\\r"
{
if [ ! -d /etc/ufw ]; then
apt-get install ufw -y >>/tmp/ubuntu-nginx-web-server.log
@ -121,35 +134,44 @@ echo "configuring UFW"
} >>/tmp/ubuntu-nginx-web-server.log
echo -ne " Configuring UFW [${CGREEN}OK${CEND}]\\r"
##################################
# Useful packages
##################################
echo "installing useful packages"
echo -ne " Installing useful packages [..]\\r"
{
apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg2 wget -y
# ntp time
systemctl enable ntp
# increase history size
export HISTSIZE=10000
} >>/tmp/ubuntu-nginx-web-server.log
echo -ne " Installing useful packages [${CGREEN}OK${CEND}]\\r"
##################################
# clone repository
##################################
echo "cloning ubuntu-nginx-web-server"
echo ""
echo -ne " Cloning ubuntu-nginx-web-server [..]\\r"
{
cd /tmp || exit
rm -rf /tmp/ubuntu-nginx-web-server
git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git
} >>/tmp/ubuntu-nginx-web-server.log
echo -ne " [${CGREEN}OK${CEND}]\\r"
##################################
# Sysctl tweaks + open_files limits
##################################
echo "applying kernel tweaks"
echo ""
echo -ne " Applying kernel tweaks [..]\\r"
{
sudo modprobe tcp_htcp
cp -f $REPO_PATH/etc/sysctl.conf /etc/sysctl.conf
@ -160,16 +182,18 @@ echo "applying kernel tweaks"
echo never >/sys/kernel/mm/transparent_hugepage/enabled
} >>/tmp/ubuntu-nginx-web-server.log
echo -ne " Cloning ubuntu-nginx-web-server [${CGREEN}OK${CEND}]\\r"
##################################
# Add MariaDB 10.3 repository
##################################
if [[ "$mariadb_server_install" == "y" || "$mariadb_client_install" == "y" ]]; then
echo "adding mariadb repository"
echo ""
echo -ne " Adding mariadb repository [..]\\r"
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup |
sudo bash -s -- --mariadb-server-version=$mariadb_version_install --skip-maxscale -y
apt-get update >>/tmp/ubuntu-nginx-web-server.log
echo -ne " Adding mariadb repository [${CGREEN}OK${CEND}]\\r"
fi
##################################
@ -177,7 +201,9 @@ fi
##################################
if [ "$mariadb_server_install" = "y" ]; then
echo "installing MariaDB $mariadb_version_install"
echo ""
echo -ne " Installing MariaDB $mariadb_version_install [..]\\r"
MYSQL_ROOT_PASS=$(date +%s | sha256sum | base64 | head -c 32)
export DEBIAN_FRONTEND=noninteractive # to avoid prompt during installation
sudo debconf-set-selections <<<"mariadb-server-$mariadb_version_install mysql-server/root_password password $MYSQL_ROOT_PASS"
@ -192,7 +218,8 @@ if [ "$mariadb_server_install" = "y" ]; then
Q2="FLUSH PRIVILEGES;"
SQL="${Q1}${Q2}"
mysql -uroot -e "$SQL"
echo -ne " Installing MariaDB $mariadb_version_install [${CGREEN}OK${CEND}]\\r"
##################################
# MariaDB tweaks
##################################
@ -209,26 +236,40 @@ if [ "$mariadb_server_install" = "y" ]; then
sudo systemctl daemon-reload >>/tmp/ubuntu-nginx-web-server.log
sudo service mysql start >>/tmp/ubuntu-nginx-web-server.log
elif [ "$mariadb_client_install" = "y" ]; then
echo "installing mariadb-client"
apt-get install -y mariadb-client >>/tmp/ubuntu-nginx-web-server.log
echo "[client]" >>$HOME/.my.cnf
echo "host = $mariadb_remote_ip" >>$HOME/.my.cnf
echo "port = 3306" >>$HOME/.my.cnf
echo "password = $mariadb_remote_user" >>$HOME/.my.cnf
echo "password = $mariadb_remote_password" >>$HOME/.my.cnf
cp -f $REPO_PATH/etc/mysql/my.cnf /etc/mysql/my.cnf
sudo sed -i 's/grant-host = localhost/grant-host = \%/' /etc/ee/ee.conf
fi
##################################
# EasyEngine automated install
##################################
echo "installing easyengine"
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = $USER@$HOSTNAME" > $HOME/.gitconfig'
sudo wget -qO ee rt.cx/ee && sudo bash ee
{
sudo wget -qO ee rt.cx/ee && sudo bash ee
source /etc/bash_completion.d/ee_auto.rc
source /etc/bash_completion.d/ee_auto.rc
} >>/tmp/ubuntu-nginx-web-server.log 2>&1
##################################
# EasyEngine stacks install
##################################
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
echo "Installing ee stack"
{
ee stack install
ee stack install --php7 --redis --admin --phpredisadmin
} >>/tmp/ubuntu-nginx-web-server.log 2>&1
##################################
# Fix phpmyadmin install
@ -243,7 +284,7 @@ echo "updating phpmyadmin"
chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
} >>/tmp/ubuntu-nginx-web-server.log
} >>/tmp/ubuntu-nginx-web-server.log 2>&1
##################################
# Allow www-data shell access for SFTP + add .bashrc settings et completion
@ -254,8 +295,8 @@ echo "configuring www-data permissions"
usermod -s /bin/bash www-data
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash >>/tmp/ubuntu-nginx-web-server.log
cp -f /var/www/.profile $REPO_PATH/files/var/www/.profile
cp -f /var/www/.bashrc $REPO_PATH/files/var/www/.bashrc
cp -f $REPO_PATH/var/www/.profile /var/www/.profile
cp -f $REPO_PATH/var/www/.bashrc /var/www/.bashrc
chown www-data:www-data /var/www/.profile
chown www-data:www-data /var/www/.bashrc
@ -367,6 +408,7 @@ echo "configuring fail2ban"
{
cp -f $REPO_PATH/etc/fail2ban/filter.d/ddos.conf /etc/fail2ban/filter.d/ddos.conf
cp -f $REPO_PATH/etc/fail2ban/filter.d/nginx-forbidden.conf /etc/fail2ban/filter.d/nginx-forbidden.conf
cp -f $REPO_PATH/etc/fail2ban/filter.d/ee-wordpress.conf /etc/fail2ban/filter.d/ee-wordpress.conf
cp -f $REPO_PATH/etc/fail2ban/jail.d/custom.conf /etc/fail2ban/jail.d/custom.conf
cp -f $REPO_PATH/etc/fail2ban/jail.d/ddos.conf /etc/fail2ban/jail.d/ddos.conf
@ -424,22 +466,23 @@ fi
if [ ! -d /etc/netdata ]; then
echo "installing netdata"
## install dependencies
apt-get install autoconf autoconf-archive autogen automake gcc libmnl-dev lm-sensors make nodejs pkg-config python python-mysqldb python-psycopg2 python-pymongo python-yaml uuid-dev zlib1g-dev -y >>/tmp/ubuntu-nginx-web-server.log
{
## install dependencies
apt-get install autoconf autoconf-archive autogen automake gcc libmnl-dev lm-sensors make nodejs pkg-config python python-mysqldb python-psycopg2 python-pymongo python-yaml uuid-dev zlib1g-dev -y >>/tmp/ubuntu-nginx-web-server.log
## install nedata
wget https://my-netdata.io/kickstart.sh >>/tmp/ubuntu-nginx-web-server.log
chmod +x kickstart.sh
./kickstart.sh all --dont-wait
## install nedata
wget https://my-netdata.io/kickstart.sh >>/tmp/ubuntu-nginx-web-server.log
chmod +x kickstart.sh
./kickstart.sh all --dont-wait
## optimize netdata resources usage
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
## disable email notifigrep -cions
sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
sudo service netdata restart
## optimize netdata resources usage
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
## disable email notifigrep -cions
sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
sudo service netdata restart
} >>/tmp/ubuntu-nginx-web-server.log
fi
##################################