v3.11.0 (#211)

- PHP 7.4 support
- Improved Webp images support with Cloudflare (Issue [#95](https://github.com/WordOps/WordOps/issues/95)). Nginx will not serve webp images alternative with Cloudflare IP ranges.
- Stack upgrade for adminer
- Check acme.sh installation and setup acme.sh if needed before issuing certificate
- Add `--ufw` to `wo stack status`
- Add Nginx directive `gzip_static on;` to serve precompressed assets with Cache-Enabler or WP-Rocket. (Issue [#207](https://github.com/WordOps/WordOps/issues/207))
- Previous `--php73` & `--php73=off` flags are replaced by `--php72`, `--php73`, `--php74` to switch site's php version
- phpMyAdmin updated to v4.9.2
- Adminer updated to v4.7.5
- Replace dot and dashes by underscores in database names (Issue [#206](https://github.com/WordOps/WordOps/issues/206))
- Increased database name length to 32 characters from domain name + 8 random characters
- typo error in motd-news script (Issue [#204](https://github.com/WordOps/WordOps/issues/204))
- Install Nginx before ngxblocker
- WordOps install/update script text color
- Issue with MySQL stack on Raspbian 9/10
- Typo error  (PR [#205](https://github.com/WordOps/WordOps/pull/205))
- php version in `wo debug` (PR [#209](https://github.com/WordOps/WordOps/pull/209))
- SSL certificates expiration display with shared wildcard certificates

wo/cli/templates/22222.mustache

@@ -1,4 +1,4 @@
-# WordOps admin NGINX CONFIGURATION - WO v3.9.7
+# WordOps admin NGINX CONFIGURATION - WordOps {{release}}
 
 server {
 

wo/cli/templates/fail2ban.mustache

@@ -6,19 +6,21 @@ enabled = true
 
 [nginx-http-auth]
 enabled   = true
+logpath = /var/log/nginx/*error*.log
 
 [nginx-botsearch]
 enabled   = true
+logpath = /var/log/nginx/*access*.log
 
 [wo-wordpress]
 enabled = true
 filter = wo-wordpress
 action = iptables-multiport[name="wo-wordpress", port="http,https"]
-logpath = /var/log/nginx/*access.log
+logpath = /var/log/nginx/*access*.log
 maxretry = 5
 
 [nginx-forbidden]
 enabled = true
 filter = nginx-forbidden
-action = iptables-multiport[name="wo-wordpress", port="http,https"]
+action = iptables-multiport[name="nginx-forbidden", port="http,https"]
 logpath = /var/log/nginx/*error*.log

wo/cli/templates/gzip.mustache

@@ -6,6 +6,7 @@
 	gzip_disable "msie6";
 
 	gzip_vary on;
+    gzip_static on;
 	gzip_proxied any;
 	gzip_comp_level 6;
 	gzip_buffers 16 8k;

wo/cli/templates/locations.mustache

@@ -1,4 +1,4 @@
-# NGINX CONFIGURATION FOR COMMON LOCATION - WO v3.9.7
+# NGINX CONFIGURATION FOR COMMON LOCATION - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 # Basic locations files
 location = /favicon.ico {
@@ -41,7 +41,7 @@ location ~*  "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGE
     deny all;
 }
 # Deny backup extensions & log files and return 403 forbidden
-location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf|gz|zip|bz2|7z|pem|asc|conf|dump)$" {
     deny all;
 }
 location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {

wo/cli/templates/map-wp.mustache

@@ -1,4 +1,4 @@
-# NGINX CONFIGURATION FOR FASTCGI_CACHE EXCEPTION - WO v3.9.8
+# NGINX CONFIGURATION FOR FASTCGI_CACHE EXCEPTION - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 
 # do not cache xhtml request

wo/cli/templates/nginx-core.mustache

@@ -16,7 +16,7 @@ events {
 
 http {
 	##
-	# WordOps Settings
+	# WordOps Settings - WordOps {{release}}
 	##
 
 	keepalive_timeout 8;
@@ -51,17 +51,18 @@ http {
 	# SSL Settings
 	##
 
+	# Enable 0-RTT support for TLS 1.3
+	proxy_set_header Early-Data $ssl_early_data;
+	ssl_early_data on;
+
 	ssl_session_timeout 1d;
 	ssl_session_cache shared:SSL:50m;
 	ssl_session_tickets off;
 	ssl_prefer_server_ciphers on;
-	ssl_early_data on;
-	{{#tls13}}ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
-	ssl_protocols TLSv1.2 TLSv1.3;{{/tls13}}
+	ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
+	ssl_protocols TLSv1.2 TLSv1.3;
 	ssl_ecdh_curve X25519:P-521:P-384:P-256;
-	{{^tls13}}# Previous TLS v1.2 configuration
-	ssl_protocols TLSv1.2;
-	ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;{{/tls13}}
+
 
 	# Common security headers
 	more_set_headers "X-Frame-Options : SAMEORIGIN";

wo/cli/templates/php.mustache

@@ -1,4 +1,4 @@
-# PHP NGINX CONFIGURATION - WO v3.9.7
+# PHP NGINX CONFIGURATION - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 location / {
   try_files $uri $uri/ /index.php$is_args$args;

wo/cli/templates/publicsuffix.mustache

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# WordOps script to download public suffix list from Github
+
+# check if curl is available
+if ! { command -v curl; }; then
+    apt-get update && apt-get install curl -qq > /dev/null 2>&1
+fi
+# download the list
+rm -f /var/lib/wo/public_suffix_list.dat
+curl -sL -m 30 --retry 3 -k https://raw.githubusercontent.com/publicsuffix/list/master/public_suffix_list.dat | sed '/^\/\//d' | sed '/^$/d' | sed 's/^\s+//g' > /var/lib/wo/public_suffix_list.dat

wo/cli/templates/redis.mustache

@@ -1,4 +1,4 @@
-# Redis NGINX CONFIGURATION - WO v3.9.7
+# Redis NGINX CONFIGURATION - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 # $skip_cache variable set in /etc/nginx/conf.d/map-wp.conf
 

wo/cli/templates/siteinfo.mustache

@@ -2,13 +2,17 @@ Information about {{domain}}:
 
 Nginx configuration	 {{type}} {{enable}}
 {{#php_version}}PHP Version		 {{php_version}}{{/php_version}}
-{{#ssl}}SSL			 {{ssl}}{{/ssl}}
-{{#sslprovider}}SSL PROVIDER             {{sslprovider}}{{/sslprovider}}
-{{#sslexpiry}}SSL EXPIRY DATE          {{sslexpiry}}{{/sslexpiry}}
+
+{{#ssl}}SSL			 {{ssl}}{{/ssl}}{{#sslprovider}}
+SSL PROVIDER		 {{sslprovider}}{{/sslprovider}}{{#sslexpiry}}
+SSL EXPIRY DATE		 {{sslexpiry}}{{/sslexpiry}}
+
 access_log		 {{accesslog}}
 error_log		 {{errorlog}}
 {{#webroot}}Webroot			 {{webroot}}{{/webroot}}
-{{#dbname}}DB_NAME			 {{dbname}}{{/dbname}}
+
+{{#dbname}}
+DB_NAME			 {{dbname}}{{/dbname}}
 {{#dbname}}DB_USER			 {{dbuser}}{{/dbname}}
 {{#dbname}}DB_PASS			 {{dbpass}}{{/dbname}}
 {{#tablepref}}table_prefix		 {{tableprefix}}{{/tablepref}}

wo/cli/templates/tweaks.mustache

@@ -1,4 +1,4 @@
-# NGINX Tweaks  - WO v3.9.8
+# NGINX Tweaks  - WordOps {{release}}
 	directio 4m;
 	directio_alignment 512;
 	http2_max_field_size 16k;

wo/cli/templates/upstream.mustache

@@ -1,4 +1,4 @@
-# NGINX UPSTREAM CONFIGURATION - WO v3.9.8
+# NGINX UPSTREAM CONFIGURATION - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 #-------------------------------
 # PHP 5.6
@@ -41,8 +41,8 @@ upstream php72 {
 
 # PHP 7.2 debug
 upstream debug72 {
-# Debug Pool
-server 127.0.0.1:9172;
+    # Debug Pool
+    server 127.0.0.1:9172;
 }
 
 #-------------------------------
@@ -61,10 +61,30 @@ upstream php73 {
 
 # PHP 7.3 debug
 upstream debug73 {
-# Debug Pool
+    # Debug Pool
     server 127.0.0.1:9173;
 }
 
+#-------------------------------
+# PHP 7.4
+#-------------------------------
+
+# PHP 7.4 upstream with load-balancing on two unix sockets
+upstream php74 {
+    least_conn;
+
+    server unix:/var/run/php/php74-fpm.sock;
+    server unix:/var/run/php/php74-two-fpm.sock;
+
+    keepalive 5;
+}
+
+# PHP 7.4 debug
+upstream debug74 {
+    # Debug Pool
+    server 127.0.0.1:9174;
+}
+
 #-------------------------------
 # Netdata
 #-------------------------------

wo/cli/templates/virtualconf-php7.mustache

@@ -1,58 +0,0 @@
-
-server {
-
-    {{#multisite}}
-    # Uncomment the following line for domain mapping
-    # listen 80 default_server;
-    {{/multisite}}
-
-    server_name {{site_name}} {{#multisite}}*{{/multisite}}{{^multisite}}www{{/multisite}}.{{site_name}};
-
-    {{#multisite}}
-    # Uncomment the following line for domain mapping
-    #server_name_in_redirect off;
-    {{/multisite}}
-
-    access_log /var/log/nginx/{{site_name}}.access.log {{^wpredis}}{{^static}}rt_cache{{/static}}{{/wpredis}}{{#wpredis}}rt_cache_redis{{/wpredis}};
-    error_log /var/log/nginx/{{site_name}}.error.log;
-
-    {{#proxy}}
-    add_header X-Proxy-Cache $upstream_cache_status;
-    location / {
-        proxy_pass http://{{host}}:{{port}};
-        proxy_redirect      off;
-        proxy_set_header    Host            $host;
-        proxy_set_header    X-Real-IP       $remote_addr;
-        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-
-    # Security settings for better privacy
-    # Deny hidden files
-    location ~ /\.(?!well-known\/) {
-        deny all;
-    }
-    # letsencrypt validation
-    location /.well-known/acme-challenge/ {
-        alias /var/www/html/.well-known/acme-challenge/;
-        allow all;
-    }
-    {{/proxy}}
-
-    {{^proxy}}
-    root {{webroot}}/htdocs;
-
-    index {{^static}}index.php{{/static}} index.html index.htm;
-
-    {{#static}}
-    location / {
-        try_files $uri $uri/ =404;
-    }
-    {{/static}}
-
-    {{^static}}include {{#basic}}common/php73.conf;{{/basic}}{{#wpfc}}common/wpfc-php73.conf;{{/wpfc}} {{#wpsc}}common/wpsc-php73.conf;{{/wpsc}}{{#wpredis}}common/redis-php73.conf;{{/wpredis}}{{#wprocket}}common/wprocket-php73.conf;{{/wprocket}}{{#wpce}}common/wpce-php73.conf;{{/wpce}}
-    {{#wpsubdir}}include common/wpsubdir.conf;{{/wpsubdir}}{{/static}}
-    {{#wp}}include common/wpcommon-php73.conf;{{/wp}}
-    include common/locations-wo.conf;{{/proxy}}
-    include {{webroot}}/conf/nginx/*.conf;
-
-}

wo/cli/templates/virtualconf.mustache

@@ -49,9 +49,9 @@ server {
     }
     {{/static}}
 
-    {{^static}}include {{#basic}}common/php72.conf;{{/basic}}{{#wpfc}}common/wpfc-php72.conf;{{/wpfc}}{{#wpsc}}common/wpsc-php72.conf;{{/wpsc}}{{#wpredis}}common/redis-php72.conf;{{/wpredis}}{{#wprocket}}common/wprocket-php72.conf;{{/wprocket}}{{#wpce}}common/wpce-php72.conf;{{/wpce}}
+    {{^static}}include {{#basic}}common/{{wo_php}}.conf;{{/basic}}{{#wpfc}}common/wpfc-{{wo_php}}.conf;{{/wpfc}}{{#wpsc}}common/wpsc-{{wo_php}}.conf;{{/wpsc}}{{#wpredis}}common/redis-{{wo_php}}.conf;{{/wpredis}}{{#wprocket}}common/wprocket-{{wo_php}}.conf;{{/wprocket}}{{#wpce}}common/wpce-{{wo_php}}.conf;{{/wpce}}
     {{#wpsubdir}}include common/wpsubdir.conf;{{/wpsubdir}}{{/static}}
-    {{#wp}}include common/wpcommon-php72.conf;{{/wp}}
+    {{#wp}}include common/wpcommon-{{wo_php}}.conf;{{/wp}}
     include common/locations-wo.conf;{{/proxy}}
     include {{webroot}}/conf/nginx/*.conf;
 

wo/cli/templates/webp.mustache

@@ -1,7 +1,39 @@
-# WEBP NGINX CONFIGURATION - WO v3.9.7
+# WEBP NGINX CONFIGURATION - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 
-map $http_accept $webp_suffix {
-   default "";
-   "~*webp" ".webp";
+map $http_accept $webp_suffix_valid {
+   default 1;
+   "~*webp" 0;
+}
+
+map $realip_remote_addr $webp_suffix_cf {
+    default 0;
+    103.21.244.0/22         1;
+    103.22.200.0/22         1;
+    103.31.4.0/22           1;
+    104.16.0.0/12           1;
+    108.162.192.0/18        1;
+    131.0.72.0/22           1;
+    141.101.64.0/18         1;
+    162.158.0.0/15          1;
+    172.64.0.0/13           1;
+    173.245.48.0/20         1;
+    188.114.96.0/20         1;
+    190.93.240.0/20         1;
+    197.234.240.0/22        1;
+    198.41.128.0/17         1;
+    199.27.128.0/21         1;
+    2400:cb00::/32          1;
+    2405:8100::/32          1;
+    2405:b500::/32          1;
+    2606:4700::/32          1;
+    2803:f800::/32          1;
+    2a06:98c0::/29          1;
+    2c0f:f248::/32          1;
+
+}
+
+map $webp_suffix_cf$webp_suffix_valid $webp_suffix {
+    default "";
+    00 ".webp";
 }

wo/cli/templates/wo-update.mustache

@@ -26,15 +26,16 @@ fi
 if [ -n "$CURRENT_RELEASE" ] && [ -n "$LATEST_RELEASE" ]; then
     if [ "$CURRENT_RELEASE" != "$LATEST_RELEASE" ]; then
         # display message with motd-news on Ubuntu
-        echo '*** A new WordOps release is available ***' > "$NEWS" 2> "$ERR"
+        echo '*** A new WordOps release is available ***' >"$NEWS" 2>"$ERR"
 
         echo
         # At most, 10 lines of text, remove control characters, print at most 80 characters per line
         safe_print "$NEWS"
         # Try to update the cache
-        safe_print "$NEWS" 2> /dev/null > $CACHE || true
+        safe_print "$NEWS" 2>/dev/null >$CACHE || true
     else
         # clean news
-        echo '' > "$NEWS" 2> "$ERR"
-        safe_print "$NEWS" 2> /dev/null > $CACHE || true
+        echo '' >"$NEWS" 2>"$ERR"
+        safe_print "$NEWS" 2>/dev/null >$CACHE || true
+    fi
 fi

wo/cli/templates/wpce.mustache

@@ -1,4 +1,4 @@
-# WPCE NGINX CONFIGURATION - WO v3.9.8
+# WPCE NGINX CONFIGURATION - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 # $cache_uri variable set in /etc/nginx/conf.d/map-wp.conf
 # Use cached or actual file if they exists, Otherwise pass request to WordPress
@@ -10,7 +10,7 @@ location ~ \.php$ {
     include fastcgi_params;
     fastcgi_pass {{upstream}};
 }
-location ~ /wp-content/cache/cache-enabler/.*html$ {
+location ~ /wp-content/cache/cache-enabler/*\.html$ {
     etag on;
     add_header Vary "Accept-Encoding, Cookie";
     access_log off;

wo/cli/templates/wpcommon.mustache

@@ -1,4 +1,4 @@
-# WordPress COMMON SETTINGS - WO v3.9.7
+# WordPress COMMON SETTINGS - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 # Limit access to avoid brute force attack
 location = /wp-login.php {
@@ -12,7 +12,7 @@ location = /wp-cron.php {
     include fastcgi_params;
     fastcgi_pass {{upstream}};
 }
-# Prevent Dos attacks with xmlrpc.php
+# Prevent DoS attacks with xmlrpc.php
 location = /xmlrpc.php {
     limit_req zone=two burst=1 nodelay;
     include fastcgi_params;
@@ -41,7 +41,7 @@ location /wp-content/uploads {
     location ~ \.(png|jpe?g)$ {
         add_header Vary "Accept-Encoding";
         more_set_headers 'Access-Control-Allow-Origin : *';
-        add_header Cache-Control "public, no-transform";
+        more_set_headers  "Cache-Control : public, no-transform";
         access_log off;
         log_not_found off;
         expires max;
@@ -57,7 +57,7 @@ location /wp-content/plugins/ewww-image-optimizer/images {
     location ~ \.(png|jpe?g)$ {
         add_header Vary "Accept-Encoding";
         more_set_headers 'Access-Control-Allow-Origin : *';
-        add_header Cache-Control "public, no-transform";
+        more_set_headers  "Cache-Control : public, no-transform";
         access_log off;
         log_not_found off;
         expires max;

wo/cli/templates/wpfc.mustache

@@ -1,4 +1,4 @@
-# WPFC NGINX CONFIGURATION - WO v3.9.7
+# WPFC NGINX CONFIGURATION - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 # $skip_cache variable set in /etc/nginx/conf.d/map-wp.conf
 

wo/cli/templates/wprocket.mustache

@@ -1,4 +1,4 @@
-# WPROCKET NGINX CONFIGURATION - WO v3.9.8
+# WPROCKET NGINX CONFIGURATION - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 # $cache_uri variable set in /etc/nginx/conf.d/map-wp.conf
 # Use cached or actual file if they exists, Otherwise pass request to WordPress
@@ -10,8 +10,9 @@ location ~ \.php$ {
     include fastcgi_params;
     fastcgi_pass {{upstream}};
 }
-location ~ /wp-content/cache/wp-rocket/.*html$ {
+location ~ /wp-content/cache/wp-rocket/*\.html$ {
     etag on;
+    gzip_static on;
     add_header Vary "Accept-Encoding, Cookie";
     access_log off;
     log_not_found off;

wo/cli/templates/wpsc.mustache

@@ -1,4 +1,4 @@
-# WPSC NGINX CONFIGURATION - WO v3.9.7
+# WPSC NGINX CONFIGURATION - WordOps {{release}}
 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
 # $cache_uri variable set in /etc/nginx/conf.d/map-wp.conf