diff --git a/nginx/installer.sh b/nginx/installer.sh
index d8d604f..b62f9f5 100644
--- a/nginx/installer.sh
+++ b/nginx/installer.sh
@@ -52,11 +52,12 @@ fi
 cpuCount=$(nproc --all)
 currentPath="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 dhparamBits="4096"
-nginxUser="nginx"
-openSslVers="1.0.2k"
-pagespeedVers="1.12.34.2"
+nginxUser="www-data"
+openSslVers="1.1.0g"
+pagespeedVers="1.12.34.3"
 pcreVers="8.40"
 zlibVers="1.2.11"
+nginxVers="1.12.2"
 
 #+----------------------------------------------------------------------------+
 #+ Setup
@@ -99,17 +100,15 @@ nginxSetup()
 #+------------------------------------------------------------------------+
 #+ Clone required repositories from GitHub
 #+------------------------------------------------------------------------+
- #+ 1). NGINX
- #+ 2). NGINX Dev. Kit (Module)
- #+ 3). NGINX Headers More (Module)
- #+ 4). NGINX VTS (Module)
- #+ 5). Brotli (for Brotli Compression)
- #+ 6). LibBrotli
- #+ 7). NGINX Brotli (Module)
- #+ 8). NAXSI (Module)
+ #+ 1). NGINX Dev. Kit (Module)
+ #+ 2). NGINX Headers More (Module)
+ #+ 3). NGINX VTS (Module)
+ #+ 4). Brotli (for Brotli Compression)
+ #+ 5). LibBrotli
+ #+ 6). NGINX Brotli (Module)
+ #+ 7). NAXSI (Module)
 #+------------------------------------------------------------------------+
 cd /usr/local/src/github \
- && git clone https://github.com/nginx/nginx.git \
 && git clone https://github.com/simpl/ngx_devel_kit.git \
 && git clone https://github.com/openresty/headers-more-nginx-module.git \
 && git clone https://github.com/vozlt/nginx-module-vts.git \
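Review bot: With the nginx clone removed, the remaining `git clone https://github.com/.../ngx_devel_kit.git` and sibling lines still fetch whatever the default branch of each module repository currently points at, and that unpinned code is compiled straight into the web server binary with no integrity check. Pin every clone to a known tag or commit, e.g. `git clone --depth 1 --branch <tag> https://github.com/simpl/ngx_devel_kit.git \`, or check out a recorded commit after cloning, and keep those versions next to `openSslVers`/`pcreVers`/`nginxVers` so the build is reproducible. nginxSetup() begins before this hunk and continues after it.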
@@ -124,9 +123,9 @@ nginxSetup()
 #+ https://modpagespeed.com/doc/build_ngx_pagespeed_from_source
 #+------------------------------------------------------------------------+
 cd /usr/local/src/github \
- && wget https://github.com/pagespeed/ngx_pagespeed/archive/v${pagespeedVers}-beta.zip \
- && unzip v${pagespeedVers}-beta.zip \
- && cd ngx_pagespeed-${pagespeedVers}-beta \
+ && wget https://github.com/pagespeed/ngx_pagespeed/archive/v${pagespeedVers}-stable.zip \
+ && unzip v${pagespeedVers}-stable.zip \
+ && cd incubator-pagespeed-ngx-${pagespeedVers}-stable \
 && export psol_url=https://dl.google.com/dl/page-speed/psol/${pagespeedVers}.tar.gz \
 && [ -e scripts/format_binary_url.sh ] && psol_url=$(scripts/format_binary_url.sh PSOL_BINARY_URL) \
 && wget ${psol_url} \
@@ -175,10 +174,13 @@ nginxSetup()
 nginxCompile()
 {
 #+------------------------------------------------------------------------+
- #+ Configure & Compile NGINX
+ #+ Download, Extract, Configure & Compile NGINX
 #+------------------------------------------------------------------------+
- cd /usr/local/src/github/nginx \
- && ./auto/configure --prefix=/etc/nginx \
+ cd /usr/local/src/github \
+ && wget https://nginx.org/download/nginx-${nginxVers}.tar.gz \
+ && tar -xvzf nginx-${nginxVers}.tar.gz \
+ && cd /usr/local/src/github/nginx-${nginxVers} \
+ && ./configure --prefix=/etc/nginx \
 --sbin-path=/usr/sbin/nginx \
 --conf-path=/etc/nginx/config/nginx.conf \
 --lock-path=/etc/nginx/lock/nginx.lock \
@@ -229,7 +231,7 @@ nginxCompile()
 --add-module=/usr/local/src/github/ngx_brotli \
 --add-module=/usr/local/src/github/headers-more-nginx-module \
 --add-module=/usr/local/src/github/set-misc-nginx-module \
- --add-module=/usr/local/src/github/ngx_pagespeed-${pagespeedVers}-beta \
+ --add-module=/usr/local/src/github/incubator-pagespeed-ngx-${pagespeedVers}-stable \
 && make -j ${cpuCount} \
 && make install
 }
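Review bot: The new `wget .../v${pagespeedVers}-stable.zip` and the PSOL tarball fetched through `${psol_url}` are unzipped and compiled into nginx without any checksum or signature verification, so a tampered or substituted download ends up in the server binary unnoticed. Record the expected digest next to `pagespeedVers` and verify before extracting, e.g. `&& echo "${pagespeedSha256}  v${pagespeedVers}-stable.zip" | sha256sum -c - \`, and quote the URL on the following line as `&& wget "${psol_url}" \`. Separately, because `[ -e scripts/format_binary_url.sh ]` sits inside the `&&` chain, its failure short-circuits the rest of the chain and the PSOL download is silently skipped rather than falling back to the exported URL; an `if` around the override would give the fallback the author seems to intend. nginxSetup() continues outside this hunk.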
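Review bot: The new `wget https://nginx.org/download/nginx-${nginxVers}.tar.gz` is fed straight into `tar -xvzf` and built with no integrity check, even though nginx.org publishes a detached `.asc` signature for each release tarball. Add a verification step between the download and the extraction, e.g. `&& wget https://nginx.org/download/nginx-${nginxVers}.tar.gz.asc \` followed by `&& gpg --verify nginx-${nginxVers}.tar.gz.asc nginx-${nginxVers}.tar.gz \`, with the release signing key imported earlier from a pinned fingerprint rather than fetched ad hoc during the build. The `./configure` argument list of nginxCompile() continues past the end of this hunk.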
@@ -259,6 +261,11 @@ nginxConfigure()
 && cp -R ${currentPath}/nginx/* /etc/nginx \
 && cp -R ${currentPath}/systemd/nginx.service /lib/systemd/system/nginx.service
 
+ #+------------------------------------------------------------------------+
+ #+ Copy UFW rules
+ #+------------------------------------------------------------------------+
+ cp -R ${currentPath}/ufw/* /etc/ufw/applications.d
+
 #+------------------------------------------------------------------------+
 #+ Set correct permissions and ownership
 #+------------------------------------------------------------------------+
@@ -283,4 +290,4 @@ nginxCleanup()
 nginxSetup \
 && nginxCompile \
 && nginxConfigure \
-&& nginxCleanup
\ No newline at end of file
+&& nginxCleanup
diff --git a/nginx/nginx/config/_general.conf b/nginx/nginx/config/_general.conf
new file mode 100644
index 0000000..f771610
--- /dev/null
+++ b/nginx/nginx/config/_general.conf
@@ -0,0 +1,31 @@
+# headers
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-UA-Compatible "IE=Edge" always;
+add_header Cache-Control "no-transform" always;
+
+# . files
+location ~ /\. {
+ deny all;
+}
+
+# assets, media
+location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+ expires 7d;
+ access_log off;
+}
+
+# svg, fonts
+location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff|woff2)$ {
+ add_header Access-Control-Allow-Origin "*";
+ expires 7d;
+ access_log off;
+}
+
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
\ No newline at end of file
diff --git a/nginx/nginx/config/_letsencrypt.conf b/nginx/nginx/config/_letsencrypt.conf
new file mode 100644
index 0000000..7666605
--- /dev/null
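Review bot: The added `cp -R ${currentPath}/ufw/* /etc/ufw/applications.d` sits outside the `&&` chain that the rest of nginxConfigure() uses, so when it fails (ufw not installed and the directory absent, or a `${currentPath}` containing spaces, since it is unquoted) the error is discarded and the function carries on as if the profiles were deployed. Guard and quote it, `[ -d /etc/ufw/applications.d ] && cp -R "${currentPath}"/ufw/* /etc/ufw/applications.d/`, or fold it into the chain so the top-level `nginxSetup && nginxCompile && nginxConfigure && nginxCleanup` sequence sees the failure. The heading `#+ Copy UFW rules` also overstates what happens: these files are application profiles and nothing here allows or denies a port, which is worth stating as `#+ Copy UFW application profiles (defines names only; does not change firewall rules)`. nginxConfigure() starts and ends outside this hunk.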
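Review bot: The five `add_header` lines at the top are silently dropped on every response served by the `# svg, fonts` location, because nginx inherits `add_header` from the enclosing level only when a location declares none of its own, and that block declares `add_header Access-Control-Allow-Origin "*";`. Either repeat the security headers inside that location or move them into a dedicated snippet that is `include`d both at server level and in that block, and leave a comment on the font location explaining why the headers are restated. `X-XSS-Protection` is a legacy header that current browsers no longer honour; if it is kept deliberately, a one-line comment saying so would save the next reader a search.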
+++ b/nginx/nginx/config/_letsencrypt.conf
@@ -0,0 +1,4 @@
+# ACME-challenge
+location ^~ /.well-known/acme-challenge/ {
+ root /srv/_letsencrypt;
+}
\ No newline at end of file
diff --git a/nginx/nginx/config/_php.conf b/nginx/nginx/config/_php.conf
new file mode 100644
index 0000000..8356916
--- /dev/null
+++ b/nginx/nginx/config/_php.conf
@@ -0,0 +1,8 @@
+# index
+index index.php;
+
+# handle .php
+location ~ \.php$ {
+ include _php_fastcgi.conf;
+
+}
\ No newline at end of file
diff --git a/nginx/nginx/config/_php_fastcgi.conf b/nginx/nginx/config/_php_fastcgi.conf
new file mode 100644
index 0000000..0551b16
--- /dev/null
+++ b/nginx/nginx/config/_php_fastcgi.conf
@@ -0,0 +1,17 @@
+try_files $uri =404;
+
+# fastcgi
+fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
+fastcgi_index index.php;
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
+fastcgi_intercept_errors off;
+
+fastcgi_buffer_size 128k;
+fastcgi_buffers 256 16k;
+fastcgi_busy_buffers_size 256k;
+fastcgi_temp_file_write_size 256k;
+
+# default fastcgi_params
+include fastcgi_params;
\ No newline at end of file
diff --git a/nginx/nginx/config/_ssl.conf b/nginx/nginx/config/_ssl.conf
new file mode 100644
index 0000000..1dfa80a
--- /dev/null
+++ b/nginx/nginx/config/_ssl.conf
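Review bot: `fastcgi_param PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;` relies on a `$base` variable that this snippet never defines; it is only `set` in `sites-available/_.conf`, so a vhost that includes this file without its own `set $base ...` fails at config load with an unknown-variable error, and the jail is exactly as tight as whatever that vhost chose. Document the contract at the top of the file, e.g. `# requires: set $base /srv/<site>; in the enclosing server block — open_basedir below is scoped to it`. Note too that `/tmp/` is shared by every PHP site on the host, so the restriction does not separate tenants for uploads or sessions unless `upload_tmp_dir`/`session.save_path` are also pointed under `$base`. `try_files $uri =404;` on the first line is the check that keeps non-existent `.php` paths away from PHP-FPM and deserves a comment saying so.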
@@ -0,0 +1,22 @@
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0g&hsts=yes&profile=intermediate
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE ciphersuites
+ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_prefer_server_ciphers on;
+
+# HSTS
+add_header Strict-Transport-Security "max-age=15768000" always;
+
+# OCSP Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+resolver_timeout 2s;
diff --git a/nginx/nginx/config/_wordpress.conf b/nginx/nginx/config/_wordpress.conf
new file mode 100644
index 0000000..addd1ee
--- /dev/null
+++ b/nginx/nginx/config/_wordpress.conf
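Review bot: `ssl_stapling_verify on;` is set without an `ssl_trusted_certificate`, and nginx documents that stapling verification needs the issuer and root chain configured through that directive; without it the OCSP response fails verification and nginx logs a warning instead of stapling. Add `ssl_trusted_certificate /etc/nginx/ssl/chain.pem;` beside the two stapling lines, with the path matched to wherever the certificate deployment puts the chain. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and the `DES-CBC3-SHA` suites reflect the 2017 intermediate profile linked in the first comment; for a fresh install, `ssl_protocols TLSv1.2;` and dropping the three 3DES entries is the safer default unless a named legacy client requires them. The `resolver` line sends OCSP lookups to public resolvers over cleartext DNS; the host's local resolver is usually the better choice, and a comment should state why public ones were picked if they stay.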
@@ -0,0 +1,24 @@
+# allow tinymce
+location = /wp-includes/js/tinymce/wp-tinymce.php {
+ include _php_fastcgi.conf;
+}
+
+# wp-content, wp-includes php files
+location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
+ deny all;
+}
+
+# wp-content/uploads nasty stuff
+location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
+ deny all;
+}
+
+# wp-content/plugins nasty stuff
+location ~* ^/wp-content/plugins/.*\.(?!css(\.map)?|js(\.map)?|ttf|ttc|otf|eot|woff|woff2|svgz?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv|pdf|docx?|xlsx?|pptx?) {
+ deny all;
+}
+
+# WordPress stuff
+location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
+ deny all;
+}
\ No newline at end of file
diff --git a/nginx/nginx/config/nginx.conf b/nginx/nginx/config/nginx.conf
index 027d0dc..5ec7de0 100644
--- a/nginx/nginx/config/nginx.conf
+++ b/nginx/nginx/config/nginx.conf
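Review bot: The `deny all` rules for `.php` under `wp-content`/`wp-includes` are regex locations, and nginx picks the first regex location that matches in configuration order, so they only protect anything if this file is included before `_php.conf`'s `location ~ \.php$`; included after it, an uploaded `wp-content/uploads/x.php` is handed to PHP-FPM. Nothing in the file states that ordering requirement, so add a header such as `# include BEFORE _php.conf: regex locations match in order and these deny rules must win over ~ \.php$`. The plugins allowlist `\.(?!css(\.map)?|js(\.map)?|...)` is also unanchored, so names like `foo.jsp` or `foo.pngx` are not denied because `js`/`png` match as a prefix; close the lookahead with an end anchor, `\.(?!(?:css(\.map)?|js(\.map)?|...)$)`, to compare whole extensions.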
@@ -1,107 +1,35 @@
-#+----------------------------------------------------------------------------+
-#+ NGINX Configuration v1.0.0
-#+----------------------------------------------------------------------------+
-pcre_jit on;
-
-timer_resolution 100ms;
-user nginx nginx;
-
-worker_priority -10;
-worker_processes 1;
-worker_rlimit_nofile 260000;
+user www-data;
+#pid /run/nginx.pid;
+worker_processes auto;
+worker_rlimit_nofile 409600;
 
 events {
- accept_mutex off;
- accept_mutex_delay 200ms;
- use epoll;
- worker_connections 10000;
+ worker_connections 4096;
+ multi_accept on;
 }
-
 http {
 
- #+------------------------------------------------------------------------+
- #+ Enable Brotli
- #+------------------------------------------------------------------------+
- brotli on;
- brotli_static on;
- brotli_min_length 1000;
- brotli_buffers 32 8k;
- brotli_comp_level 5;
- brotli_types *;
-
- #+------------------------------------------------------------------------+
- #+ client_max_body_size controls the maximum file upload size - this will
- #+ need to be modified should you need to allow file uploads over 50MB.
- #+------------------------------------------------------------------------+
- client_body_buffer_size 256k;
- client_body_in_file_only off;
- client_body_timeout 10s;
- client_header_buffer_size 64k;
- client_header_timeout 5s;
- client_max_body_size 50m;
-
- charset utf-8;
- connection_pool_size 512;
- default_type application/octet-stream;
- directio 4m;
-
- #+------------------------------------------------------------------------+
- #+ Enable GZIP
- #+------------------------------------------------------------------------+
- gzip on;
- gzip_vary on;
- gzip_disable "MSIE [1-6]\.";
- gzip_static on;
- gzip_min_length 1400;
- gzip_buffers 32 8k;
- gzip_http_version 1.0;
- gzip_comp_level 5;
- gzip_proxied any;
- gzip_types text/plain text/css text/xml application/javascript application/x-javascript application/xml application/xml+rss application/ecmascript application/json image/svg+xml;
-
- ignore_invalid_headers on;
- include /etc/nginx/config/mime.types;
- index index.php index.html;
-
- keepalive_disable msie6;
- keepalive_requests 500;
- keepalive_timeout 5;
-
- large_client_header_buffers 8 64k;
- lingering_time 20s;
- lingering_timeout 5s;
-
- map_hash_bucket_size 128;
- map_hash_max_size 4096;
-
- open_file_cache max=50000 inactive=60s;
- open_file_cache_errors off;
- open_file_cache_min_uses 2;
- open_file_cache_valid 120s;
- open_log_file_cache max=10000 inactive=30s min_uses=2;
-
- output_buffers 8 256k;
- postpone_output 1460;
-
- proxy_temp_path /etc/nginx/cache/proxy;
-
- request_pool_size 32k;
- reset_timedout_connection on;
- sendfile on;
- sendfile_max_chunk 512k;
- send_timeout 10s;
-
- server_names_hash_bucket_size 128;
- server_names_hash_max_size 2048;
- server_name_in_redirect off;
-
- server_tokens off;
-
- tcp_nodelay on;
- tcp_nopush on;
-
- types_hash_max_size 2048;
- variables_hash_max_size 2048;
-
- include /etc/nginx/sites/*.conf;
-}
\ No newline at end of file
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ types_hash_max_size 2048;
+ server_tokens off;
+ log_not_found off;
+
+ client_max_body_size 16M;
+ client_body_buffer_size 128k;
+
+ # mime
+ include mime.types;
+ default_type application/octet-stream;
+
+ # logging
+ access_log /var/log/nginx/access.log;
+ access_log off;
+ error_log /var/log/nginx/error.log warn;
+
+ # include configs
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/nginx/nginx/sites-available/_.conf b/nginx/nginx/sites-available/_.conf
new file mode 100644
index 0000000..cd92257
--- /dev/null
+++ b/nginx/nginx/sites-available/_.conf
@@ -0,0 +1,20 @@
+server {
+ listen 80 default_server;
+ listen [::]:80;
+
+ server_name _;
+ set $base /srv/default;
+ root $base/www;
+
+ # logging
+ access_log /srv/default/log/nginx.access.log;
+ access_log off;
+ error_log /srv/default/log/nginx.error.log;
+
+ # $url, index.html
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ include _general.conf;
+}
diff --git a/nginx/nginx/sites/_.conf b/nginx/nginx/sites/_.conf
deleted file mode 100644
index 3199df7..0000000
--- a/nginx/nginx/sites/_.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-server
-{
- listen 80 default_server;
- listen [::]:80;
- server_name _;
-
- root /home/nginx/htdocs/public;
-
- location /
- {
- try_files $uri $uri/ =404;
- }
-}
\ No newline at end of file
diff --git a/nginx/ufw/nginx b/nginx/ufw/nginx
new file mode 100644
index 0000000..82a99c3
--- /dev/null
+++ b/nginx/ufw/nginx
@@ -0,0 +1,14 @@
+[NginxHTTP]
+title=Web Server (Nginx, HTTP)
+description=Small, but very powerful and efficient web server
+ports=80/tcp
+
+[NginxHTTPS]
+title=Web Server (Nginx, HTTPS)
+description=Small, but very powerful and efficient web server
+ports=443/tcp
+
+[NginxFull]
+title=Web Server (Nginx, HTTP + HTTPS + phpMyAdmin)
+description=Small, but very powerful and efficient web server
+ports=80,443/tcp
\ No newline at end of file
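Review bot: In the new `# logging` block, `access_log off;` immediately overrides `access_log /var/log/nginx/access.log;`, so the server-wide default is no access logging at all and the first line is dead text; the same pair is repeated in `sites-available/_.conf`. Access logs are the main forensic record a web host has during an incident, so if the intent is to log, delete `access_log off;`, and if the intent is only to silence the catch-all vhost, do that in its own server block and keep the global log. Whichever is meant, leave one line and a comment stating the decision, e.g. `# access logging disabled globally on purpose; per-site logs live in each server block`. This hunk spans three SOURCE lines.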
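Review bot: `listen [::]:80;` lacks `default_server`, so on IPv6 this catch-all only wins by being the first server block nginx loads for that socket rather than by declaration; make it `listen [::]:80 default_server;` to match the IPv4 line. `access_log off;` two lines below `access_log /srv/default/log/nginx.access.log;` overrides it, leaving one of the two as a misleading dead line. `/srv/default/log` and `/srv/default/www` also need to exist before `nginx -t` passes, and nothing in the installer hunks visible here creates them, so presumably another step does — worth a comment here if so.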
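Review bot: The `[NginxFull]` profile's `title=Web Server (Nginx, HTTP + HTTPS + phpMyAdmin)` does not match its `ports=80,443/tcp`, which omits the 8000/tcp that `nginx/ufw/phpmyadmin` assigns to phpMyAdmin, so an operator enabling "Full" by its title gets less than it promises or more than they expected once they fix it. Make the two agree: `title=Web Server (Nginx, HTTP + HTTPS)` and keep phpMyAdmin as the separate profile it already is, which also lets it be allowed from an admin range only instead of world-wide.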
diff --git a/nginx/ufw/phpmyadmin b/nginx/ufw/phpmyadmin
new file mode 100644
index 0000000..e7f3652
--- /dev/null
+++ b/nginx/ufw/phpmyadmin
@@ -0,0 +1,4 @@
+[phpMyAdmin]
+title=phpMyAdmin
+description=A web interface for MySQL and MariaDB.
+ports=8000/tcp
\ No newline at end of file
diff --git a/nginx/ufw/vsftpd b/nginx/ufw/vsftpd
new file mode 100644
index 0000000..e2bf890
--- /dev/null
+++ b/nginx/ufw/vsftpd
@@ -0,0 +1,4 @@
+[VSFTPD]
+title=VSFTPD
+description=VSFTPD TCP
+ports=20,21,990,40000:50000/tcp
\ No newline at end of file
diff --git a/php/7.2/installer.sh b/php/7.2/installer.sh
new file mode 100644
index 0000000..4932ea9
--- /dev/null
+++ b/php/7.2/installer.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+#+----------------------------------------------------------------------------+
+#+ ServerAdmin PHP 7.2.x Auto-Installer for Ubuntu
+#+----------------------------------------------------------------------------+
+#+ Author: Jonathan Tittle
+#+ Copyright: 2017 ServerAdmin.sh and Jonathan Tittle
+#+ GitHub: https://github.com/serveradminsh/serveradmin-installers
+#+ Issues: https://github.com/serveradminsh/serveradmin-installers/issues
+#+ License: GPL v3.0
+#+ OS: Ubuntu 16.04, Ubuntu 16.10
+#+ Release: 1.0.0
+#+ Website: https://serveradmin.sh
+#+----------------------------------------------------------------------------+
+clear
+
+#+----------------------------------------------------------------------------+
+#+ Check current users ID. If user is not 0 (root), exit.
+#+----------------------------------------------------------------------------+
+if [ "${EUID}" != 0 ];
+then
+ echo "ServerAdmin PHP Auto-Installer should be executed as the root user."
+ exit
+fi
+
+phpPackages="php7.2-cli php7.2-dev php7.2-fpm php7.2-bcmath php7.2-bz2 php7.2-common php7.2-curl php7.2-gd php7.2-gmp php7.2-imap php7.2-intl php7.2-json php7.2-mbstring php7.2-mysql php7.2-readline php7.2-recode php7.2-soap php7.2-sqlite3 php7.2-xml php7.2-xmlrpc php7.2-zip php7.2-opcache php7.2-xsl"
+
+if ls -U /etc/apt/sources.list.d | grep ondrej > /dev/null 2>&1;
+then
+ echo "PHP Repository already exists. Updating/Syncing packages and then exiting."
+ apt-get update
+ exit;
+else
+ apt-get update \
+ && apt-get -y upgrade \
+ && add-apt-repository -y ppa:ondrej/php \
+ && apt-get update \
+ && apt-get -y install ${phpPackages}
+fi
\ No newline at end of file
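Review bot: The root check `if [ "${EUID}" != 0 ]` ends in a bare `exit`, which returns status 0, so a wrapper running `./installer.sh && next-step` treats the refused run as success; make it `exit 1` (the `exit;` in the repository-already-exists branch is a genuine success and can stay). The install branch adds `ppa:ondrej/php`, a third-party repository whose signing key becomes trusted system-wide, and also runs `apt-get -y upgrade` on every installed package; both are deliberate trust and scope decisions that the header comment should name so a caller is not surprised. `ls -U /etc/apt/sources.list.d | grep ondrej` parses `ls` output; `grep -qs ondrej /etc/apt/sources.list.d/*.list` does the same check without it. Adding `set -euo pipefail` under the shebang would also stop the script from continuing past a failed `apt-get update`.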