Malin/WPIQ
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

new nginx configurations

Browse Source 
* letsencrypt validation in /var/www/html 
* new static files rules
* robots.txt fallback for WP
* harden nginx configurations
This commit is contained in:
VirtuBox
2018-12-11 01:37:36 +01:00
parent afe8d0c9d5
commit 0510eb449c
5 changed files with 299 additions and 242 deletions
Download Patch File Download Diff File Expand all files Collapse all files

331
install
View File

@@ -7,7 +7,7 @@
### 1. VARIABLES AND DECLARATIONS
### 2. PREPARE FOR INSTALLATION
### 3. INSTALLATION
### 4.
### 4.
###
# 1 - Set the CLI output colors
@@ -112,7 +112,7 @@ function wo_install_dep()
{
if [ "$wo_linux_distro" == "Ubuntu" ]; then
apt-get -y install build-essential curl gzip python3 python3-apt python3-setuptools python3-dev sqlite3 git tar software-properties-common pigz || wo_lib_error "There was an error during dependency installation, exit status " 1
elif [ "$wo_linux_distro" == "Debian" ]; then
elif [ "$wo_linux_distro" == "Debian" ]; then
apt-get -y install build-essential curl gzip dirmngr python3 python3-apt python3-setuptools python3-dev sqlite3 git tar software-properties-common pigz || wo_lib_error "There was an error during dependency installation, exit status " 1
fi
@@ -143,7 +143,7 @@ function wo_install_dep()
touch /var/log/php/7.2/slow.log /var/log/php/7.2/fpm.log
systemctl php7.2-fpm restart &>> /dev/null
elif [ "$wo_linux_distro" == "Debian" ]; then
elif [ "$wo_linux_distro" == "Debian" ]; then
apt-get install apt-transport-https lsb-release ca-certificates locales locales-all -y
export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
@@ -151,7 +151,7 @@ function wo_install_dep()
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
apt-get update &>> /dev/null
apt-get -y install php7.2-fpm php7.2-curl php7.2-gd php7.2-imap php-sodium php7.2-common php7.2-readline php7.2-redis php7.2-mysql php7.2-cli php7.2-memcache php7.2-imagick php7.2-mbstring php7.2-recode php7.2-bcmath php7.2-opcache php7.2-zip php7.2-xml php7.2-soap php7.2-msgpack memcached graphviz php-pear php7.2-xdebug || wo_lib_error "Not all PHP packages could be installed." 1
systemctl php7.2-fpm restart &>> /dev/null
systemctl php7.2-fpm restart &>> /dev/null
fi
}
@@ -169,17 +169,17 @@ function wo_sync_db()
# Backup the nginx directory
tar -cvf - /etc/nginx /etc/ee /var/lib/ee | pigz -9 > /var/lib/wo/ee-backup.tgz
# Copy the EasyEngine database
cp /var/lib/ee/ee.db /var/lib/wo/dbase-ee.db
# Set the migration variable for the closing text
migration=1
###
# Clean WO installation
###
elif [ ! -d /var/lib/wo ]; then
###
# Clean WO installation
###
elif [ ! -d /var/lib/wo ]; then
# Create the directory holding the WordOps database
mkdir -p /var/lib/wo
@@ -211,65 +211,65 @@ function wo_sync_db()
# Check site is enable/live or disable
for site in $(ls /etc/nginx/sites-available/ | grep -v default);
do
if [ -f /etc/nginx/sites-enabled/$site ]; then
wo_site_status='1'
else
wo_site_status='0'
fi
if [ -f /etc/nginx/sites-enabled/$site ]; then
wo_site_status='1'
else
wo_site_status='0'
fi
# Acquire information about the current nginx configuration
wo_site_current_type=$(head -n1 /etc/nginx/sites-available/$site | grep "NGINX CONFIGURATION" | rev | cut -d' ' -f3,4,5,6,7 | rev | cut -d ' ' -f2,3,4,5)
# Acquire information about the current nginx configuration
wo_site_current_type=$(head -n1 /etc/nginx/sites-available/$site | grep "NGINX CONFIGURATION" | rev | cut -d' ' -f3,4,5,6,7 | rev | cut -d ' ' -f2,3,4,5)
# Sniff out the vhost type and cache configuration
if [ "$wo_site_current_type" = "HTML" ]; then
wo_site_current="html"
wo_site_current_cache="basic"
elif [ "$wo_site_current_type" = "PHP" ]; then
wo_site_current="php"
wo_site_current_cache="basic"
elif [ "$wo_site_current_type" = "MYSQL" ]; then
wo_site_current="mysql"
wo_site_current_cache="basic"
# Caching types on a single WordPress installation
elif [ "$wo_site_current_type" = "WPSINGLE BASIC" ]; then
wo_site_current="wp"
wo_site_current_cache="basic"
elif [ "$wo_site_current_type" = "WPSINGLE WP SUPER CACHE" ]; then
wo_site_current="wp"
wo_site_current_cache="wpsc"
elif [ "$wo_site_current_type" = "WPSINGLE FAST CGI" ] || [ "$wo_site_current_type" = "WPSINGLE FASTCGI" ]; then
wo_site_current="wp"
wo_site_current_cache="wpfc"
# Sniff out the vhost type and cache configuration
if [ "$wo_site_current_type" = "HTML" ]; then
wo_site_current="html"
wo_site_current_cache="basic"
elif [ "$wo_site_current_type" = "PHP" ]; then
wo_site_current="php"
wo_site_current_cache="basic"
elif [ "$wo_site_current_type" = "MYSQL" ]; then
wo_site_current="mysql"
wo_site_current_cache="basic"
# Caching types on a single, subdirectory WordPress installation
elif [ "$wo_site_current_type" = "WPSUBDIR BASIC" ]; then
wo_site_current="wpsubdir"
wo_site_current_cache="basic"
elif [ "$wo_site_current_type" = "WPSUBDIR WP SUPER CACHE" ]; then
wo_site_current="wpsubdir"
wo_site_current_cache="wpsc"
elif [ "$wo_site_current_type" = "WPSUBDIR FAST CGI" ] || [ "$wo_site_current_type" = "WPSUBDIR FASTCGI" ]; then
wo_site_current="wpsubdir"
wo_site_current_cache="wpfc"
# Caching types on a single WordPress installation
elif [ "$wo_site_current_type" = "WPSINGLE BASIC" ]; then
wo_site_current="wp"
wo_site_current_cache="basic"
elif [ "$wo_site_current_type" = "WPSINGLE WP SUPER CACHE" ]; then
wo_site_current="wp"
wo_site_current_cache="wpsc"
elif [ "$wo_site_current_type" = "WPSINGLE FAST CGI" ] || [ "$wo_site_current_type" = "WPSINGLE FASTCGI" ]; then
wo_site_current="wp"
wo_site_current_cache="wpfc"
# Caching types on a single, subdomain WordPress installation
elif [ "$wo_site_current_type" = "WPSUBDOMAIN BASIC" ]; then
wo_site_current="wpsubdomain"
wo_site_current_cache="basic"
elif [ "$wo_site_current_type" = "WPSUBDOMAIN WP SUPER CACHE" ]; then
wo_site_current="wpsubdomain"
wo_site_current_cache="wpsc"
elif [ "$wo_site_current_type" = "WPSUBDOMAIN FAST CGI" ] || [ "$wo_site_current_type" = "WPSUBDOMAIN FASTCGI" ]; then
wo_site_current="wpsubdomain"
wo_site_current_cache="wpfc"
fi
# Caching types on a single, subdirectory WordPress installation
elif [ "$wo_site_current_type" = "WPSUBDIR BASIC" ]; then
wo_site_current="wpsubdir"
wo_site_current_cache="basic"
elif [ "$wo_site_current_type" = "WPSUBDIR WP SUPER CACHE" ]; then
wo_site_current="wpsubdir"
wo_site_current_cache="wpsc"
elif [ "$wo_site_current_type" = "WPSUBDIR FAST CGI" ] || [ "$wo_site_current_type" = "WPSUBDIR FASTCGI" ]; then
wo_site_current="wpsubdir"
wo_site_current_cache="wpfc"
wo_webroot="/var/www/$site"
# Caching types on a single, subdomain WordPress installation
elif [ "$wo_site_current_type" = "WPSUBDOMAIN BASIC" ]; then
wo_site_current="wpsubdomain"
wo_site_current_cache="basic"
elif [ "$wo_site_current_type" = "WPSUBDOMAIN WP SUPER CACHE" ]; then
wo_site_current="wpsubdomain"
wo_site_current_cache="wpsc"
elif [ "$wo_site_current_type" = "WPSUBDOMAIN FAST CGI" ] || [ "$wo_site_current_type" = "WPSUBDOMAIN FASTCGI" ]; then
wo_site_current="wpsubdomain"
wo_site_current_cache="wpfc"
fi
# Import the configuration into the WordOps SQLite database
echo "INSERT INTO sites (sitename, site_type, cache_type, site_path, is_enabled, is_ssl, storage_fs, storage_db)
VALUES (\"$site\", \"$wo_site_current\", \"$wo_site_current_cache\", \"$wo_webroot\", \"$wo_site_status\", 0, 'ext4', 'mysql');" | sqlite3 /var/lib/wo/dbase.db
wo_webroot="/var/www/$site"
# Import the configuration into the WordOps SQLite database
echo "INSERT INTO sites (sitename, site_type, cache_type, site_path, is_enabled, is_ssl, storage_fs, storage_db)
VALUES (\"$site\", \"$wo_site_current\", \"$wo_site_current_cache\", \"$wo_webroot\", \"$wo_site_status\", 0, 'ext4', 'mysql');" | sqlite3 /var/lib/wo/dbase.db
done
else
wo_php_version="7.2"
@@ -313,11 +313,11 @@ function wo_sync_db()
echo 'alias ee-acme="/root/.ee-acme/ee-acme.sh"' >> $HOME/.ee-acme/ee-acme
wget -qO $HOME/.ee-acme/ee-acme.sh https://raw.githubusercontent.com/WordOps/wo-acme-sh/master/script/ee-acme.sh
chmod +x $HOME/.ee-acme/ee-acme.sh
elif [ -x $HOME/.ee-acme/ee-acme.sh ]; then
elif [ -x $HOME/.ee-acme/ee-acme.sh ]; then
rm $HOME/.ee-acme/ee-acme.sh
wget -qO $HOME/.ee-acme/ee-acme.sh https://raw.githubusercontent.com/WordOps/wo-acme-sh/master/script/ee-acme.sh
chmod +x $HOME/.ee-acme/ee-acme.sh
elif [ ! -d $HOME/.ee-acme ]; then
elif [ ! -d $HOME/.ee-acme ]; then
mkdir -p $HOME/.ee-acme
wget -qO /usr/local/bin/wo-acme https://raw.githubusercontent.com/WordOps/wo-acme-sh/master/script/ee-acme.sh
chmod +x /usr/local/bin/wo-acme
@@ -346,8 +346,8 @@ function wo_update_wp_cli()
dpkg --compare-versions ${WP_CLI_VERSION} lt 1.4.1
# Update WP-CLI to the most recent version
if [ "$?" == "0" ]; then
wget -qO ${WP_CLI_PATH} https://raw.githubusercontent.com/WordOps/wpcli-builds/gh-pages/phar/wp-cli.phar
chmod +x ${WP_CLI_PATH}
wget -qO ${WP_CLI_PATH} https://raw.githubusercontent.com/WordOps/wpcli-builds/gh-pages/phar/wp-cli.phar
chmod +x ${WP_CLI_PATH}
fi
fi
}
@@ -374,24 +374,24 @@ function wo_install()
function wo_update_latest()
{
if [ -f /etc/nginx/fastcgi_params ]
then
cat /etc/nginx/fastcgi_params| grep -q 'HTTP_PROXY'
if [[ $? -ne 0 ]]; then
echo "fastcgi_param HTTP_PROXY \"\";" >> /etc/nginx/fastcgi_params
echo "fastcgi_param HTTP_PROXY \"\";" >> /etc/nginx/fastcgi.conf
service nginx restart &>> /dev/null
if [ -f /etc/nginx/fastcgi_params ]
then
cat /etc/nginx/fastcgi_params| grep -q 'HTTP_PROXY'
if [[ $? -ne 0 ]]; then
echo "fastcgi_param HTTP_PROXY \"\";" >> /etc/nginx/fastcgi_params
echo "fastcgi_param HTTP_PROXY \"\";" >> /etc/nginx/fastcgi.conf
service nginx restart &>> /dev/null
fi
fi
fi
if [ -f /etc/ImageMagick/policy.xml ]
then
if [ ! -f /etc/ImageMagick/patch.txt ]
then
echo -e "\t<policy domain="coder" rights="none" pattern="EPHEMERAL" />\n\t<policy domain="coder" rights="none" pattern="URL" />\n\t<policy domain="coder" rights="none" pattern="HTTPS" />\n\t<policy domain="coder" rights="none" pattern="MVG" />\n\t<policy domain="coder" rights="none" pattern="MSL" />" >> /etc/ImageMagick/patch.txt
sed -i '/<policymap>/r /etc/ImageMagick/patch.txt' /etc/ImageMagick/policy.xml
if [ -f /etc/ImageMagick/policy.xml ]
then
if [ ! -f /etc/ImageMagick/patch.txt ]
then
echo -e "\t<policy domain="coder" rights="none" pattern="EPHEMERAL" />\n\t<policy domain="coder" rights="none" pattern="URL" />\n\t<policy domain="coder" rights="none" pattern="HTTPS" />\n\t<policy domain="coder" rights="none" pattern="MVG" />\n\t<policy domain="coder" rights="none" pattern="MSL" />" >> /etc/ImageMagick/patch.txt
sed -i '/<policymap>/r /etc/ImageMagick/patch.txt' /etc/ImageMagick/policy.xml
fi
fi
fi
#Move ~/.my.cnf to /etc/mysql/conf.d/my.cnf
if [ ! -f /etc/mysql/conf.d/my.cnf ]
@@ -424,63 +424,63 @@ if [ -f /etc/ImageMagick/policy.xml ]
wo_lib_echo "Updating Nginx configuration, please wait..."
elif [ "$wo_distro_version" == "trusty" ]; then
grep -Hr 'http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/xUbuntu_14.04/ /' /etc/apt/sources.list.d/ &>> /dev/null
if [[ $? -ne 0 ]]; then
if [ -f /etc/apt/sources.list.d/rtcamp-nginx-trusty.list ]; then
rm -rf /etc/apt/sources.list.d/rtcamp-nginx-trusty.list
fi
echo -e "\ndeb http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/xUbuntu_14.04/ /" >> /etc/apt/sources.list.d/wo-repo.list
gpg --keyserver "hkp://pgp.mit.edu" --recv-keys '3050AC3CD2AE6F03'
gpg -a --export --armor '3050AC3CD2AE6F03' | apt-key add -
if [ -f /etc/nginx/conf.d/ee-nginx.conf ]; then
mv /etc/nginx/conf.d/ee-nginx.conf /etc/nginx/conf.d/wo-nginx.conf.old &>> /dev/null
fi
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old &>> /dev/null
apt-get update
service nginx stop &>> /dev/null
DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y install nginx-custom nginx-ee
service nginx restart &>> /dev/null
fi
dpkg --get-selections | grep -v deinstall | grep nginx-common
if [ $? -eq 0 ]; then
apt-get update
dpkg --get-selections | grep -v deinstall | grep nginx-mainline
if [ $? -eq 0 ]; then
apt-get remove -y nginx-mainline
fi
service nginx stop &>> /dev/null
DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y --allow-unauthenticated install nginx-ee nginx-custom
service nginx restart &>> /dev/null
fi
grep -Hr 'http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/xUbuntu_14.04/ /' /etc/apt/sources.list.d/ &>> /dev/null
if [[ $? -ne 0 ]]; then
if [ -f /etc/apt/sources.list.d/rtcamp-nginx-trusty.list ]; then
rm -rf /etc/apt/sources.list.d/rtcamp-nginx-trusty.list
fi
echo -e "\ndeb http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/xUbuntu_14.04/ /" >> /etc/apt/sources.list.d/wo-repo.list
gpg --keyserver "hkp://pgp.mit.edu" --recv-keys '3050AC3CD2AE6F03'
gpg -a --export --armor '3050AC3CD2AE6F03' | apt-key add -
if [ -f /etc/nginx/conf.d/ee-nginx.conf ]; then
mv /etc/nginx/conf.d/ee-nginx.conf /etc/nginx/conf.d/wo-nginx.conf.old &>> /dev/null
fi
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old &>> /dev/null
apt-get update
service nginx stop &>> /dev/null
DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y install nginx-custom nginx-ee
service nginx restart &>> /dev/null
fi
dpkg --get-selections | grep -v deinstall | grep nginx-common
if [ $? -eq 0 ]; then
apt-get update
dpkg --get-selections | grep -v deinstall | grep nginx-mainline
if [ $? -eq 0 ]; then
apt-get remove -y nginx-mainline
fi
service nginx stop &>> /dev/null
DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y --allow-unauthenticated install nginx-ee nginx-custom
service nginx restart &>> /dev/null
fi
elif [ "$wo_linux_distro" == "Debian" ]; then
grep -Hr 'http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/Debian_8.0/ /' /etc/apt/sources.list.d/ &>> /dev/null
if [[ $? -ne 0 ]]; then
echo -e "deb http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/Debian_8.0/ /" >> /etc/apt/sources.list.d/wo-repo.list
gpg --keyserver "hkp://pgp.mit.edu" --recv-keys '3050AC3CD2AE6F03'
gpg -a --export --armor '3050AC3CD2AE6F03' | apt-key add -
if [ -f /etc/nginx/conf.d/ee-nginx.conf ]; then
mv /etc/nginx/conf.d/ee-nginx.conf /etc/nginx/conf.d/ee-nginx.conf.old &>> /dev/null
fi
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old &>> /dev/null
mv /etc/nginx/fastcgi_params /etc/nginx/fastcgi_params.old &>> /dev/null
apt-get update
systemctl stop nginx &>> /dev/null
apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y install nginx-custom
systemctl restart nginx &>> /dev/null
fi
dpkg --get-selections | grep -v deinstall | grep nginx-common
if [ $? -eq 0 ]; then
apt-get update
dpkg --get-selections | grep -v deinstall | grep nginx-mainline
if [ $? -eq 0 ]; then
apt-get remove -y nginx-mainline
fi
systemctl stop nginx &>> /dev/null
DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y --allow-unauthenticated install nginx-ee nginx-custom
systemctl restart nginx &>> /dev/null
grep -Hr 'http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/Debian_8.0/ /' /etc/apt/sources.list.d/ &>> /dev/null
if [[ $? -ne 0 ]]; then
echo -e "deb http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/Debian_8.0/ /" >> /etc/apt/sources.list.d/wo-repo.list
gpg --keyserver "hkp://pgp.mit.edu" --recv-keys '3050AC3CD2AE6F03'
gpg -a --export --armor '3050AC3CD2AE6F03' | apt-key add -
if [ -f /etc/nginx/conf.d/ee-nginx.conf ]; then
mv /etc/nginx/conf.d/ee-nginx.conf /etc/nginx/conf.d/ee-nginx.conf.old &>> /dev/null
fi
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old &>> /dev/null
mv /etc/nginx/fastcgi_params /etc/nginx/fastcgi_params.old &>> /dev/null
apt-get update
systemctl stop nginx &>> /dev/null
apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y install nginx-custom
systemctl restart nginx &>> /dev/null
fi
dpkg --get-selections | grep -v deinstall | grep nginx-common
if [ $? -eq 0 ]; then
apt-get update
dpkg --get-selections | grep -v deinstall | grep nginx-mainline
if [ $? -eq 0 ]; then
apt-get remove -y nginx-mainline
fi
systemctl stop nginx &>> /dev/null
DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y --allow-unauthenticated install nginx-ee nginx-custom
systemctl restart nginx &>> /dev/null
fi
fi
if [ -f /etc/nginx/nginx.conf ]; then
sed -i "s/.*X-Powered-By.*/\tadd_header X-Powered-By \"WordOps $wo_version_new\";/" /etc/nginx/nginx.conf &>> /dev/null
@@ -521,56 +521,47 @@ if [ -f /etc/ImageMagick/policy.xml ]
# Rename Redis Header
if [ -f /etc/nginx/common/redis-hhvm.conf ]; then
sed -i "s/X-Cache /X-SRCache-Fetch-Status /g" /etc/nginx/common/redis-hhvm.conf &>> /dev/null
sed -i "s/X-Cache-2 /X-SRCache-Store-Status /g" /etc/nginx/common/redis-hhvm.conf &>> /dev/null
sed -i "s/X-Cache /X-SRCache-Fetch-Status /g" /etc/nginx/common/redis-hhvm.conf &>> /dev/null
sed -i "s/X-Cache-2 /X-SRCache-Store-Status /g" /etc/nginx/common/redis-hhvm.conf &>> /dev/null
fi
if [ -f /etc/nginx/common/redis.conf ]; then
sed -i "s/X-Cache /X-SRCache-Fetch-Status /g" /etc/nginx/common/redis.conf &>> /dev/null
sed -i "s/X-Cache-2 /X-SRCache-Store-Status /g" /etc/nginx/common/redis.conf &>> /dev/null
sed -i "s/X-Cache /X-SRCache-Fetch-Status /g" /etc/nginx/common/redis.conf &>> /dev/null
sed -i "s/X-Cache-2 /X-SRCache-Store-Status /g" /etc/nginx/common/redis.conf &>> /dev/null
fi
if [ -f /etc/nginx/common/redis-hhvm.conf ]; then
# Update Timeout redis-hhvm.conf
grep -0 'redis2_query expire $key 6h' /etc/nginx/common/redis-hhvm.conf &>> /dev/null
if [ $? -eq 0 ]; then
sed -i 's/redis2_query expire $key 6h/redis2_query expire $key 14400/g' /etc/nginx/common/redis-hhvm.conf &>> /dev/null
fi
# Update Timeout redis-hhvm.conf
grep -0 'redis2_query expire $key 6h' /etc/nginx/common/redis-hhvm.conf &>> /dev/null
if [ $? -eq 0 ]; then
sed -i 's/redis2_query expire $key 6h/redis2_query expire $key 14400/g' /etc/nginx/common/redis-hhvm.conf &>> /dev/null
fi
#Fix for 3.3.4 redis-hhvm issue
grep -0 'HTTP_ACCEPT_ENCODING' /etc/nginx/common/redis-hhvm.conf &>> /dev/null
if [ $? -ne 0 ]; then
sed -i 's/fastcgi_params;/fastcgi_params;\n fastcgi_param HTTP_ACCEPT_ENCODING "";/g' /etc/nginx/common/redis-hhvm.conf &>> /dev/null
fi
fi
#Fix Security Issue. commit #c64f28e
if [ -f /etc/nginx/common/locations.conf ]; then
grep -0 '$request_uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"' /etc/nginx/common/locations.conf &>> /dev/null
if [ $? -eq 0 ]; then
sed -i 's/$request_uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"/$uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"/g' /etc/nginx/common/locations.conf &>> /dev/null
fi
#Fix for 3.3.4 redis-hhvm issue
grep -0 'HTTP_ACCEPT_ENCODING' /etc/nginx/common/redis-hhvm.conf &>> /dev/null
if [ $? -ne 0 ]; then
sed -i 's/fastcgi_params;/fastcgi_params;\n fastcgi_param HTTP_ACCEPT_ENCODING "";/g' /etc/nginx/common/redis-hhvm.conf &>> /dev/null
fi
fi
#Fix Redis-server security issue
#http://redis.io/topics/security
if [ -f /etc/redis/redis.conf ]; then
grep -0 -v "#" /etc/redis/redis.confse | grep 'bind' &>> /dev/null
if [ $? -ne 0 ]; then
if [ -f /etc/redis/redis.conf ]; then
grep -0 -v "#" /etc/redis/redis.confse | grep 'bind' &>> /dev/null
if [ $? -ne 0 ]; then
sed -i '$ a bind 127.0.0.1' /etc/redis/redis.conf &>> /dev/null
service redis-server restart &>> /dev/null
fi
fi
#Fix For --letsencrypt
if [ -f /etc/nginx/common/locations.conf ]; then
grep -0 'location ~ \/\\.well-known' /etc/nginx/common/locations.conf &>> /dev/null
if [ $? -ne 0 ]; then
sed -i 's/# Deny hidden files/# Deny hidden files\nlocation ~ \/\\.well-known {\n allow all;\n}\n /g' /etc/nginx/common/locations.conf &>> /dev/null
fi
fi
fi
# Let's Encrypt .well-known folder setup
if [ ! -d /var/www/html/.well-known/acme-challenge ]; then
mkdir -p /var/www/html/.well-known/acme-challenge
chown -R www-data:www-data /var/www/html/.well-known
fi
# Fix for 3.3.2 renamed nginx.conf
nginx -V 2>&1 &>>/dev/null
if [[ $? -eq 0 ]]; then
@@ -618,7 +609,7 @@ if [ -f /etc/ImageMagick/policy.xml ]
touch /var/log/php/7.2/slow.log /var/log/php/7.2/fpm.log
systemctl php7.2-fpm restart &>> /dev/null
elif [ "$wo_linux_distro" == "Debian" ]; then
elif [ "$wo_linux_distro" == "Debian" ]; then
apt-get install apt-transport-https lsb-release ca-certificates locales locales-all -y
export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
@@ -626,7 +617,7 @@ if [ -f /etc/ImageMagick/policy.xml ]
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
apt-get update &>> /dev/null
apt-get -y install php7.2-fpm php7.2-curl php7.2-gd php7.2-imap php-sodium php7.2-common php7.2-readline php7.2-redis php7.2-mysql php7.2-cli php7.2-memcache php7.2-imagick php7.2-mbstring php7.2-recode php7.2-bcmath php7.2-opcache php7.2-zip php7.2-xml php7.2-soap php7.2-msgpack memcached graphviz php-pear php7.2-xdebug || wo_lib_error "Not all PHP packages could be installed." 1
systemctl php7.2-fpm restart &>> /dev/null
systemctl php7.2-fpm restart &>> /dev/null
fi
#Fix for SSL cert --all

59
wo/cli/templates/locations-php7.mustache
View File

@@ -7,38 +7,49 @@ location = /favicon.ico {
expires max;
}
location = /robots.txt {
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args;
access_log off;
log_not_found off;
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args @robots;
access_log off;
log_not_found off;
}
# fallback for robots.txt with default wordpress rules
location @robots {
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
}
# Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
}
# Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires 30d;
}
# Security settings for better privacy
# Deny hidden files
location ~ /\.well-known {
allow all;
location ~ /\.(?!well-known\/) {
deny all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
# letsencrypt validation
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all;
access_log off;
log_not_found off;
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
deny all;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
return 403;
# Deny backup extensions & log files and return 403 forbidden
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
# Status pages
location = /nginx_status {

59
wo/cli/templates/locations.mustache
View File

@@ -7,38 +7,49 @@ location = /favicon.ico {
expires max;
}
location = /robots.txt {
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args;
access_log off;
log_not_found off;
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args @robots;
access_log off;
log_not_found off;
}
# fallback for robots.txt with default wordpress rules
location @robots {
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
}
# Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
}
# Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires 30d;
}
# Security settings for better privacy
# Deny hidden files
location ~ /\.well-known {
allow all;
location ~ /\.(?!well-known\/) {
deny all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
# letsencrypt validation
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all;
access_log off;
log_not_found off;
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
deny all;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
return 403;
# Deny backup extensions & log files and return 403 forbidden
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
# Status pages
location = /nginx_status {

46
wo/cli/templates/wpcommon-php7.mustache
View File

@@ -2,20 +2,42 @@
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
# Limit access to avoid brute force attack
location = /wp-login.php {
limit_req zone=one burst=1 nodelay;
include fastcgi_params;
fastcgi_pass php7;
limit_req zone=one burst=1 nodelay;
include fastcgi_params;
fastcgi_pass php7;
}
# Disable wp-config.txt
location = /wp-config.txt {
deny all;
access_log off;
log_not_found off;
}
# Disallow php in upload folder
location /wp-content/uploads/ {
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
access_log off;
log_not_found off;
}
# webp rewrite rules for jpg and png images
# try to load alternative image.png.webp before image.png
location /wp-content/uploads {
location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}

46
wo/cli/templates/wpcommon.mustache
View File

@@ -2,20 +2,42 @@
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
# Limit access to avoid brute force attack
location = /wp-login.php {
limit_req zone=one burst=1 nodelay;
include fastcgi_params;
fastcgi_pass php;
limit_req zone=one burst=1 nodelay;
include fastcgi_params;
fastcgi_pass php;
}
# Disable wp-config.txt
location = /wp-config.txt {
deny all;
access_log off;
log_not_found off;
}
# Disallow php in upload folder
location /wp-content/uploads/ {
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
access_log off;
log_not_found off;
}
# webp rewrite rules for jpg and png images
# try to load alternative image.png.webp before image.png
location /wp-content/uploads {
location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}