serveradminsh · bbbenji · Aug 26, 2017 · Aug 26, 2017 · Aug 26, 2017 · Aug 26, 2017
diff --git a/nginx/installer.sh b/nginx/installer.sh
@@ -52,11 +52,12 @@ fi
 cpuCount=$(nproc --all)
 currentPath="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 dhparamBits="4096"
-nginxUser="nginx"
-openSslVers="1.0.2k"
-pagespeedVers="1.12.34.2"
+nginxUser="www-data"
+openSslVers="1.1.0g"
+pagespeedVers="1.12.34.3"
 pcreVers="8.40"
 zlibVers="1.2.11"
+nginxVers="1.12.2"
 
 #+----------------------------------------------------------------------------+
 #+ Setup
@@ -99,17 +100,15 @@ nginxSetup()
     #+------------------------------------------------------------------------+
     #+ Clone required repositories from GitHub
     #+------------------------------------------------------------------------+
-    #+ 1). NGINX
-    #+ 2). NGINX Dev. Kit (Module)
-    #+ 3). NGINX Headers More (Module)
-    #+ 4). NGINX VTS (Module)
-    #+ 5). Brotli (for Brotli Compression)
-    #+ 6). LibBrotli
-    #+ 7). NGINX Brotli (Module)
-    #+ 8). NAXSI (Module)
+    #+ 1). NGINX Dev. Kit (Module)
+    #+ 2). NGINX Headers More (Module)
+    #+ 3). NGINX VTS (Module)
+    #+ 4). Brotli (for Brotli Compression)
+    #+ 5). LibBrotli
+    #+ 6). NGINX Brotli (Module)
+    #+ 7). NAXSI (Module)
     #+------------------------------------------------------------------------+
     cd /usr/local/src/github \
-    && git clone https://github.com/nginx/nginx.git \
     && git clone https://github.com/simpl/ngx_devel_kit.git \
     && git clone https://github.com/openresty/headers-more-nginx-module.git \
     && git clone https://github.com/vozlt/nginx-module-vts.git \
@@ -124,9 +123,9 @@ nginxSetup()
     #+ https://modpagespeed.com/doc/build_ngx_pagespeed_from_source
     #+------------------------------------------------------------------------+
     cd /usr/local/src/github \
-    && wget https://github.com/pagespeed/ngx_pagespeed/archive/v${pagespeedVers}-beta.zip \
-    && unzip v${pagespeedVers}-beta.zip \
-    && cd ngx_pagespeed-${pagespeedVers}-beta \
+    && wget https://github.com/pagespeed/ngx_pagespeed/archive/v${pagespeedVers}-stable.zip \
+    && unzip v${pagespeedVers}-stable.zip \
+    && cd incubator-pagespeed-ngx-${pagespeedVers}-stable \
     && export psol_url=https://dl.google.com/dl/page-speed/psol/${pagespeedVers}.tar.gz \
     && [ -e scripts/format_binary_url.sh ] && psol_url=$(scripts/format_binary_url.sh PSOL_BINARY_URL) \
     && wget ${psol_url} \
@@ -175,10 +174,13 @@ nginxSetup()
 nginxCompile()
 {
     #+------------------------------------------------------------------------+
-    #+ Configure & Compile NGINX
+    #+ Download, Extract, Configure & Compile NGINX
     #+------------------------------------------------------------------------+
-    cd /usr/local/src/github/nginx \
-    && ./auto/configure --prefix=/etc/nginx \
+    cd /usr/local/src/github \
+    && wget https://nginx.org/download/nginx-${nginxVers}.tar.gz \
+    && tar -xvzf nginx-${nginxVers}.tar.gz \
+    && cd /usr/local/src/github/nginx-${nginxVers} \
+    && ./configure --prefix=/etc/nginx \
                         --sbin-path=/usr/sbin/nginx \
                         --conf-path=/etc/nginx/config/nginx.conf \
                         --lock-path=/etc/nginx/lock/nginx.lock \
@@ -229,7 +231,7 @@ nginxCompile()
                         --add-module=/usr/local/src/github/ngx_brotli \
                         --add-module=/usr/local/src/github/headers-more-nginx-module \
                         --add-module=/usr/local/src/github/set-misc-nginx-module \
-                        --add-module=/usr/local/src/github/ngx_pagespeed-${pagespeedVers}-beta \
+                        --add-module=/usr/local/src/github/incubator-pagespeed-ngx-${pagespeedVers}-stable \
     && make -j ${cpuCount} \
     && make install
 }
@@ -259,6 +261,11 @@ nginxConfigure()
     && cp -R ${currentPath}/nginx/* /etc/nginx \
     && cp -R ${currentPath}/systemd/nginx.service /lib/systemd/system/nginx.service
 
+    #+------------------------------------------------------------------------+
+    #+ Copy UFW rules
+    #+------------------------------------------------------------------------+
+    cp -R ${currentPath}/ufw/* /etc/ufw/applications.d
+
     #+------------------------------------------------------------------------+
     #+ Set correct permissions and ownership
     #+------------------------------------------------------------------------+
@@ -283,4 +290,4 @@ nginxCleanup()
 nginxSetup \
 && nginxCompile \
 && nginxConfigure \
-&& nginxCleanup
+&& nginxCleanup
diff --git a/nginx/nginx/config/_general.conf b/nginx/nginx/config/_general.conf
@@ -0,0 +1,31 @@
+# headers
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-UA-Compatible "IE=Edge" always;
+add_header Cache-Control "no-transform" always;
+
+# . files
+location ~ /\. {
+	deny all;
+}
+
+# assets, media
+location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+	expires 7d;
+	access_log off;
+}
+
+# svg, fonts
+location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff|woff2)$ {
+	add_header Access-Control-Allow-Origin "*";
+	expires 7d;
+	access_log off;
+}
+
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
diff --git a/nginx/nginx/config/_letsencrypt.conf b/nginx/nginx/config/_letsencrypt.conf
@@ -0,0 +1,4 @@
+# ACME-challenge
+location ^~ /.well-known/acme-challenge/ {
+	root /srv/_letsencrypt;
+}
diff --git a/nginx/nginx/config/_php.conf b/nginx/nginx/config/_php.conf
@@ -0,0 +1,8 @@
+# index
+index index.php;
+
+# handle .php
+location ~ \.php$ {
+	include _php_fastcgi.conf;
+
+}
diff --git a/nginx/nginx/config/_php_fastcgi.conf b/nginx/nginx/config/_php_fastcgi.conf
@@ -0,0 +1,17 @@
+try_files $uri =404;
+
+# fastcgi
+fastcgi_pass				unix:/var/run/php/php7.2-fpm.sock;
+fastcgi_index				index.php;
+fastcgi_split_path_info		^(.+\.php)(/.+)$;
+fastcgi_param				SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param				PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
+fastcgi_intercept_errors	off;
+
+fastcgi_buffer_size				128k;
+fastcgi_buffers					256 16k;
+fastcgi_busy_buffers_size		256k;
+fastcgi_temp_file_write_size	256k;
+
+# default fastcgi_params
+include fastcgi_params;
diff --git a/nginx/nginx/config/_ssl.conf b/nginx/nginx/config/_ssl.conf
@@ -0,0 +1,22 @@
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0g&hsts=yes&profile=intermediate
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE ciphersuites
+ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_prefer_server_ciphers on;
+
+# HSTS
+add_header Strict-Transport-Security "max-age=15768000" always;
+
+# OCSP Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+resolver_timeout 2s;
diff --git a/nginx/nginx/config/_wordpress.conf b/nginx/nginx/config/_wordpress.conf
@@ -0,0 +1,24 @@
+# allow tinymce
+location = /wp-includes/js/tinymce/wp-tinymce.php {
+	include _php_fastcgi.conf;
+}
+
+# wp-content, wp-includes php files
+location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
+	deny all;
+}
+
+# wp-content/uploads nasty stuff
+location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
+	deny all;
+}
+
+# wp-content/plugins nasty stuff
+location ~* ^/wp-content/plugins/.*\.(?!css(\.map)?|js(\.map)?|ttf|ttc|otf|eot|woff|woff2|svgz?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv|pdf|docx?|xlsx?|pptx?) {
+	deny all;
+}
+
+# WordPress stuff
+location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
+	deny all;
+}
diff --git a/nginx/nginx/config/nginx.conf b/nginx/nginx/config/nginx.conf
@@ -1,107 +1,35 @@
-#+----------------------------------------------------------------------------+
-#+ NGINX Configuration v1.0.0
-#+----------------------------------------------------------------------------+
-pcre_jit                                                on;
-
-timer_resolution 100ms;
-user nginx nginx;
-
-worker_priority -10;
-worker_processes 1;
-worker_rlimit_nofile 260000;
+user www-data;
+#pid /run/nginx.pid;
+worker_processes auto;
+worker_rlimit_nofile 409600;
 
 events {
-    accept_mutex off;
-    accept_mutex_delay 200ms;
-    use epoll;
-    worker_connections 10000;
+	worker_connections 4096;
+	multi_accept on;
 }
 
-
 http {
-    #+------------------------------------------------------------------------+
-    #+ Enable Brotli
-    #+------------------------------------------------------------------------+
-    brotli on;
-    brotli_static on;
-    brotli_min_length 1000;
-    brotli_buffers 32 8k;
-    brotli_comp_level 5;
-    brotli_types *;
-
-    #+------------------------------------------------------------------------+
-    #+ client_max_body_size controls the maximum file upload size - this will
-    #+ need to be modified should you need to allow file uploads over 50MB.
-    #+------------------------------------------------------------------------+
-    client_body_buffer_size 256k;
-    client_body_in_file_only off;
-    client_body_timeout 10s;
-    client_header_buffer_size 64k;
-    client_header_timeout 5s;
-    client_max_body_size 50m;
-
-    charset utf-8;
-    connection_pool_size 512;
-    default_type application/octet-stream;
-    directio 4m;
-
-    #+------------------------------------------------------------------------+
-    #+ Enable GZIP
-    #+------------------------------------------------------------------------+
-    gzip on;
-    gzip_vary on;
-    gzip_disable "MSIE [1-6]\.";
-    gzip_static on;
-    gzip_min_length 1400;
-    gzip_buffers 32 8k;
-    gzip_http_version 1.0;
-    gzip_comp_level 5;
-    gzip_proxied any;
-    gzip_types text/plain text/css text/xml application/javascript application/x-javascript application/xml application/xml+rss application/ecmascript application/json image/svg+xml;
-
-    ignore_invalid_headers on;
-    include /etc/nginx/config/mime.types;
-    index index.php index.html;
-
-    keepalive_disable msie6;
-    keepalive_requests 500;
-    keepalive_timeout 5;
-
-    large_client_header_buffers 8 64k;
-    lingering_time 20s;
-    lingering_timeout 5s;
-
-    map_hash_bucket_size 128;
-    map_hash_max_size 4096;
-
-    open_file_cache max=50000 inactive=60s;
-    open_file_cache_errors off;
-    open_file_cache_min_uses 2;
-    open_file_cache_valid 120s;
-    open_log_file_cache max=10000 inactive=30s min_uses=2;
-
-    output_buffers 8 256k;
-    postpone_output 1460;
-
-    proxy_temp_path /etc/nginx/cache/proxy;
-
-    request_pool_size 32k;
-    reset_timedout_connection on;
-    sendfile on;
-    sendfile_max_chunk 512k;
-    send_timeout 10s;
-
-    server_names_hash_bucket_size 128;
-    server_names_hash_max_size 2048;
-    server_name_in_redirect off;
-
-    server_tokens off;
-
-    tcp_nodelay on;
-    tcp_nopush on;
-
-    types_hash_max_size 2048;
-    variables_hash_max_size 2048;
-
-    include /etc/nginx/sites/*.conf;
-}
+	charset utf-8;
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	types_hash_max_size 2048;
+	server_tokens off;
+	log_not_found off;
+
+	client_max_body_size 16M;
+	client_body_buffer_size 128k;
+
+	# mime
+	include mime.types;
+	default_type application/octet-stream;
+
+	# logging
+	access_log /var/log/nginx/access.log;
+	access_log off;
+	error_log /var/log/nginx/error.log warn;
+
+	# include configs
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
diff --git a/nginx/nginx/sites-available/_.conf b/nginx/nginx/sites-available/_.conf
@@ -0,0 +1,20 @@
+server {
+  listen 80 default_server;
+  listen [::]:80;
+
+  server_name _;
+  set $base /srv/default;
+  root $base/www;
+
+  # logging
+  access_log /srv/default/log/nginx.access.log;
+  access_log off;
+  error_log /srv/default/log/nginx.error.log;
+
+  # $url, index.html
+  location / {
+    try_files $uri $uri/ /index.html;
+  }
+
+  include _general.conf;
+}
diff --git a/nginx/nginx/sites/_.conf b/nginx/nginx/sites/_.conf