From 0510eb449c46a03fde70b582c488f24489ccebbe Mon Sep 17 00:00:00 2001 From: VirtuBox Date: Tue, 11 Dec 2018 01:37:36 +0100 Subject: [PATCH] new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations --- install | 331 +++++++++++------------ wo/cli/templates/locations-php7.mustache | 59 ++-- wo/cli/templates/locations.mustache | 59 ++-- wo/cli/templates/wpcommon-php7.mustache | 46 +++- wo/cli/templates/wpcommon.mustache | 46 +++- 5 files changed, 299 insertions(+), 242 deletions(-) diff --git a/install b/install index dd41517..7c39927 100644 --- a/install +++ b/install @@ -7,7 +7,7 @@ ### 1. VARIABLES AND DECLARATIONS ### 2. PREPARE FOR INSTALLATION ### 3. INSTALLATION -### 4. +### 4. ### # 1 - Set the CLI output colors @@ -112,7 +112,7 @@ function wo_install_dep() { if [ "$wo_linux_distro" == "Ubuntu" ]; then apt-get -y install build-essential curl gzip python3 python3-apt python3-setuptools python3-dev sqlite3 git tar software-properties-common pigz || wo_lib_error "There was an error during dependency installation, exit status " 1 - elif [ "$wo_linux_distro" == "Debian" ]; then + elif [ "$wo_linux_distro" == "Debian" ]; then apt-get -y install build-essential curl gzip dirmngr python3 python3-apt python3-setuptools python3-dev sqlite3 git tar software-properties-common pigz || wo_lib_error "There was an error during dependency installation, exit status " 1 fi @@ -143,7 +143,7 @@ function wo_install_dep() touch /var/log/php/7.2/slow.log /var/log/php/7.2/fpm.log systemctl php7.2-fpm restart &>> /dev/null - elif [ "$wo_linux_distro" == "Debian" ]; then + elif [ "$wo_linux_distro" == "Debian" ]; then apt-get install apt-transport-https lsb-release ca-certificates locales locales-all -y export LC_ALL=en_US.UTF-8 export LANG=en_US.UTF-8 
@@ -151,7 +151,7 @@ function wo_install_dep() echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list apt-get update &>> /dev/null apt-get -y install php7.2-fpm php7.2-curl php7.2-gd php7.2-imap php-sodium php7.2-common php7.2-readline php7.2-redis php7.2-mysql php7.2-cli php7.2-memcache php7.2-imagick php7.2-mbstring php7.2-recode php7.2-bcmath php7.2-opcache php7.2-zip php7.2-xml php7.2-soap php7.2-msgpack memcached graphviz php-pear php7.2-xdebug || wo_lib_error "Not all PHP packages could be installed." 1 - systemctl php7.2-fpm restart &>> /dev/null + systemctl php7.2-fpm restart &>> /dev/null fi } @@ -169,17 +169,17 @@ function wo_sync_db() # Backup the nginx directory tar -cvf - /etc/nginx /etc/ee /var/lib/ee | pigz -9 > /var/lib/wo/ee-backup.tgz - + # Copy the EasyEngine database cp /var/lib/ee/ee.db /var/lib/wo/dbase-ee.db # Set the migration variable for the closing text migration=1 - ### - # Clean WO installation - ### - elif [ ! -d /var/lib/wo ]; then + ### + # Clean WO installation + ### + elif [ ! -d /var/lib/wo ]; then # Create the directory holding the WordOps database mkdir -p /var/lib/wo 
@@ -211,65 +211,65 @@ function wo_sync_db() # Check site is enable/live or disable for site in $(ls /etc/nginx/sites-available/ | grep -v default); do - if [ -f /etc/nginx/sites-enabled/$site ]; then - wo_site_status='1' - else - wo_site_status='0' - fi + if [ -f /etc/nginx/sites-enabled/$site ]; then + wo_site_status='1' + else + wo_site_status='0' + fi - # Acquire information about the current nginx configuration - wo_site_current_type=$(head -n1 /etc/nginx/sites-available/$site | grep "NGINX CONFIGURATION" | rev | cut -d' ' -f3,4,5,6,7 | rev | cut -d ' ' -f2,3,4,5) + # Acquire information about the current nginx configuration + wo_site_current_type=$(head -n1 /etc/nginx/sites-available/$site | grep "NGINX CONFIGURATION" | rev | cut -d' ' -f3,4,5,6,7 | rev | cut -d ' ' -f2,3,4,5) - # Sniff out the vhost type and cache configuration - if [ "$wo_site_current_type" = "HTML" ]; then - wo_site_current="html" - wo_site_current_cache="basic" - elif [ "$wo_site_current_type" = "PHP" ]; then - wo_site_current="php" - wo_site_current_cache="basic" - elif [ "$wo_site_current_type" = "MYSQL" ]; then - wo_site_current="mysql" - wo_site_current_cache="basic" - - # Caching types on a single WordPress installation - elif [ "$wo_site_current_type" = "WPSINGLE BASIC" ]; then - wo_site_current="wp" - wo_site_current_cache="basic" - elif [ "$wo_site_current_type" = "WPSINGLE WP SUPER CACHE" ]; then - wo_site_current="wp" - wo_site_current_cache="wpsc" - elif [ "$wo_site_current_type" = "WPSINGLE FAST CGI" ] || [ "$wo_site_current_type" = "WPSINGLE FASTCGI" ]; then - wo_site_current="wp" - wo_site_current_cache="wpfc" + # Sniff out the vhost type and cache configuration + if [ "$wo_site_current_type" = "HTML" ]; then + wo_site_current="html" + wo_site_current_cache="basic" + elif [ "$wo_site_current_type" = "PHP" ]; then + wo_site_current="php" + wo_site_current_cache="basic" + elif [ "$wo_site_current_type" = "MYSQL" ]; then + wo_site_current="mysql" + wo_site_current_cache="basic" 
- # Caching types on a single, subdirectory WordPress installation - elif [ "$wo_site_current_type" = "WPSUBDIR BASIC" ]; then - wo_site_current="wpsubdir" - wo_site_current_cache="basic" - elif [ "$wo_site_current_type" = "WPSUBDIR WP SUPER CACHE" ]; then - wo_site_current="wpsubdir" - wo_site_current_cache="wpsc" - elif [ "$wo_site_current_type" = "WPSUBDIR FAST CGI" ] || [ "$wo_site_current_type" = "WPSUBDIR FASTCGI" ]; then - wo_site_current="wpsubdir" - wo_site_current_cache="wpfc" + # Caching types on a single WordPress installation + elif [ "$wo_site_current_type" = "WPSINGLE BASIC" ]; then + wo_site_current="wp" + wo_site_current_cache="basic" + elif [ "$wo_site_current_type" = "WPSINGLE WP SUPER CACHE" ]; then + wo_site_current="wp" + wo_site_current_cache="wpsc" + elif [ "$wo_site_current_type" = "WPSINGLE FAST CGI" ] || [ "$wo_site_current_type" = "WPSINGLE FASTCGI" ]; then + wo_site_current="wp" + wo_site_current_cache="wpfc" - # Caching types on a single, subdomain WordPress installation - elif [ "$wo_site_current_type" = "WPSUBDOMAIN BASIC" ]; then - wo_site_current="wpsubdomain" - wo_site_current_cache="basic" - elif [ "$wo_site_current_type" = "WPSUBDOMAIN WP SUPER CACHE" ]; then - wo_site_current="wpsubdomain" - wo_site_current_cache="wpsc" - elif [ "$wo_site_current_type" = "WPSUBDOMAIN FAST CGI" ] || [ "$wo_site_current_type" = "WPSUBDOMAIN FASTCGI" ]; then - wo_site_current="wpsubdomain" - wo_site_current_cache="wpfc" - fi + # Caching types on a single, subdirectory WordPress installation + elif [ "$wo_site_current_type" = "WPSUBDIR BASIC" ]; then + wo_site_current="wpsubdir" + wo_site_current_cache="basic" + elif [ "$wo_site_current_type" = "WPSUBDIR WP SUPER CACHE" ]; then + wo_site_current="wpsubdir" + wo_site_current_cache="wpsc" + elif [ "$wo_site_current_type" = "WPSUBDIR FAST CGI" ] || [ "$wo_site_current_type" = "WPSUBDIR FASTCGI" ]; then + wo_site_current="wpsubdir" + wo_site_current_cache="wpfc" - wo_webroot="/var/www/$site" + # 
Caching types on a single, subdomain WordPress installation + elif [ "$wo_site_current_type" = "WPSUBDOMAIN BASIC" ]; then + wo_site_current="wpsubdomain" + wo_site_current_cache="basic" + elif [ "$wo_site_current_type" = "WPSUBDOMAIN WP SUPER CACHE" ]; then + wo_site_current="wpsubdomain" + wo_site_current_cache="wpsc" + elif [ "$wo_site_current_type" = "WPSUBDOMAIN FAST CGI" ] || [ "$wo_site_current_type" = "WPSUBDOMAIN FASTCGI" ]; then + wo_site_current="wpsubdomain" + wo_site_current_cache="wpfc" + fi - # Import the configuration into the WordOps SQLite database - echo "INSERT INTO sites (sitename, site_type, cache_type, site_path, is_enabled, is_ssl, storage_fs, storage_db) - VALUES (\"$site\", \"$wo_site_current\", \"$wo_site_current_cache\", \"$wo_webroot\", \"$wo_site_status\", 0, 'ext4', 'mysql');" | sqlite3 /var/lib/wo/dbase.db + wo_webroot="/var/www/$site" + + # Import the configuration into the WordOps SQLite database + echo "INSERT INTO sites (sitename, site_type, cache_type, site_path, is_enabled, is_ssl, storage_fs, storage_db) + VALUES (\"$site\", \"$wo_site_current\", \"$wo_site_current_cache\", \"$wo_webroot\", \"$wo_site_status\", 0, 'ext4', 'mysql');" | sqlite3 /var/lib/wo/dbase.db done else wo_php_version="7.2" 
@@ -313,11 +313,11 @@ function wo_sync_db() echo 'alias ee-acme="/root/.ee-acme/ee-acme.sh"' >> $HOME/.ee-acme/ee-acme wget -qO $HOME/.ee-acme/ee-acme.sh https://raw.githubusercontent.com/WordOps/wo-acme-sh/master/script/ee-acme.sh chmod +x $HOME/.ee-acme/ee-acme.sh - elif [ -x $HOME/.ee-acme/ee-acme.sh ]; then + elif [ -x $HOME/.ee-acme/ee-acme.sh ]; then rm $HOME/.ee-acme/ee-acme.sh wget -qO $HOME/.ee-acme/ee-acme.sh https://raw.githubusercontent.com/WordOps/wo-acme-sh/master/script/ee-acme.sh chmod +x $HOME/.ee-acme/ee-acme.sh - elif [ ! -d $HOME/.ee-acme ]; then + elif [ ! -d $HOME/.ee-acme ]; then mkdir -p $HOME/.ee-acme wget -qO /usr/local/bin/wo-acme https://raw.githubusercontent.com/WordOps/wo-acme-sh/master/script/ee-acme.sh chmod +x /usr/local/bin/wo-acme @@ -346,8 +346,8 @@ function wo_update_wp_cli() dpkg --compare-versions ${WP_CLI_VERSION} lt 1.4.1 # Update WP-CLI to the most recent version if [ "$?" == "0" ]; then - wget -qO ${WP_CLI_PATH} https://raw.githubusercontent.com/WordOps/wpcli-builds/gh-pages/phar/wp-cli.phar - chmod +x ${WP_CLI_PATH} + wget -qO ${WP_CLI_PATH} https://raw.githubusercontent.com/WordOps/wpcli-builds/gh-pages/phar/wp-cli.phar + chmod +x ${WP_CLI_PATH} fi fi } 
@@ -374,24 +374,24 @@ function wo_install() function wo_update_latest() { -if [ -f /etc/nginx/fastcgi_params ] -then - cat /etc/nginx/fastcgi_params| grep -q 'HTTP_PROXY' - if [[ $? -ne 0 ]]; then - echo "fastcgi_param HTTP_PROXY \"\";" >> /etc/nginx/fastcgi_params - echo "fastcgi_param HTTP_PROXY \"\";" >> /etc/nginx/fastcgi.conf - service nginx restart &>> /dev/null + if [ -f /etc/nginx/fastcgi_params ] + then + cat /etc/nginx/fastcgi_params| grep -q 'HTTP_PROXY' + if [[ $? -ne 0 ]]; then + echo "fastcgi_param HTTP_PROXY \"\";" >> /etc/nginx/fastcgi_params + echo "fastcgi_param HTTP_PROXY \"\";" >> /etc/nginx/fastcgi.conf + service nginx restart &>> /dev/null + fi fi -fi -if [ -f /etc/ImageMagick/policy.xml ] - then - if [ ! -f /etc/ImageMagick/patch.txt ] - then - echo -e "\t\n\t\n\t\n\t\n\t" >> /etc/ImageMagick/patch.txt - sed -i '//r /etc/ImageMagick/patch.txt' /etc/ImageMagick/policy.xml + if [ -f /etc/ImageMagick/policy.xml ] + then + if [ ! -f /etc/ImageMagick/patch.txt ] + then + echo -e "\t\n\t\n\t\n\t\n\t" >> /etc/ImageMagick/patch.txt + sed -i '//r /etc/ImageMagick/patch.txt' /etc/ImageMagick/policy.xml + fi fi - fi #Move ~/.my.cnf to /etc/mysql/conf.d/my.cnf if [ ! -f /etc/mysql/conf.d/my.cnf ] 
@@ -424,63 +424,63 @@ if [ -f /etc/ImageMagick/policy.xml ] wo_lib_echo "Updating Nginx configuration, please wait..." elif [ "$wo_distro_version" == "trusty" ]; then - grep -Hr 'http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/xUbuntu_14.04/ /' /etc/apt/sources.list.d/ &>> /dev/null - if [[ $? -ne 0 ]]; then - if [ -f /etc/apt/sources.list.d/rtcamp-nginx-trusty.list ]; then - rm -rf /etc/apt/sources.list.d/rtcamp-nginx-trusty.list - fi - echo -e "\ndeb http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/xUbuntu_14.04/ /" >> /etc/apt/sources.list.d/wo-repo.list - gpg --keyserver "hkp://pgp.mit.edu" --recv-keys '3050AC3CD2AE6F03' - gpg -a --export --armor '3050AC3CD2AE6F03' | apt-key add - - if [ -f /etc/nginx/conf.d/ee-nginx.conf ]; then - mv /etc/nginx/conf.d/ee-nginx.conf /etc/nginx/conf.d/wo-nginx.conf.old &>> /dev/null - fi - mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old &>> /dev/null - apt-get update - service nginx stop &>> /dev/null - DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y install nginx-custom nginx-ee - service nginx restart &>> /dev/null - fi - dpkg --get-selections | grep -v deinstall | grep nginx-common - if [ $? -eq 0 ]; then - apt-get update - dpkg --get-selections | grep -v deinstall | grep nginx-mainline - if [ $? -eq 0 ]; then - apt-get remove -y nginx-mainline - fi - service nginx stop &>> /dev/null - DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y --allow-unauthenticated install nginx-ee nginx-custom - service nginx restart &>> /dev/null - fi + grep -Hr 'http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/xUbuntu_14.04/ /' /etc/apt/sources.list.d/ &>> /dev/null + if [[ $? 
-ne 0 ]]; then + if [ -f /etc/apt/sources.list.d/rtcamp-nginx-trusty.list ]; then + rm -rf /etc/apt/sources.list.d/rtcamp-nginx-trusty.list + fi + echo -e "\ndeb http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/xUbuntu_14.04/ /" >> /etc/apt/sources.list.d/wo-repo.list + gpg --keyserver "hkp://pgp.mit.edu" --recv-keys '3050AC3CD2AE6F03' + gpg -a --export --armor '3050AC3CD2AE6F03' | apt-key add - + if [ -f /etc/nginx/conf.d/ee-nginx.conf ]; then + mv /etc/nginx/conf.d/ee-nginx.conf /etc/nginx/conf.d/wo-nginx.conf.old &>> /dev/null + fi + mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old &>> /dev/null + apt-get update + service nginx stop &>> /dev/null + DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y install nginx-custom nginx-ee + service nginx restart &>> /dev/null + fi + dpkg --get-selections | grep -v deinstall | grep nginx-common + if [ $? -eq 0 ]; then + apt-get update + dpkg --get-selections | grep -v deinstall | grep nginx-mainline + if [ $? -eq 0 ]; then + apt-get remove -y nginx-mainline + fi + service nginx stop &>> /dev/null + DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y --allow-unauthenticated install nginx-ee nginx-custom + service nginx restart &>> /dev/null + fi elif [ "$wo_linux_distro" == "Debian" ]; then - grep -Hr 'http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/Debian_8.0/ /' /etc/apt/sources.list.d/ &>> /dev/null - if [[ $? 
-ne 0 ]]; then - echo -e "deb http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/Debian_8.0/ /" >> /etc/apt/sources.list.d/wo-repo.list - gpg --keyserver "hkp://pgp.mit.edu" --recv-keys '3050AC3CD2AE6F03' - gpg -a --export --armor '3050AC3CD2AE6F03' | apt-key add - - if [ -f /etc/nginx/conf.d/ee-nginx.conf ]; then - mv /etc/nginx/conf.d/ee-nginx.conf /etc/nginx/conf.d/ee-nginx.conf.old &>> /dev/null - fi - mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old &>> /dev/null - mv /etc/nginx/fastcgi_params /etc/nginx/fastcgi_params.old &>> /dev/null - apt-get update - systemctl stop nginx &>> /dev/null - apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y install nginx-custom - systemctl restart nginx &>> /dev/null - fi - dpkg --get-selections | grep -v deinstall | grep nginx-common - if [ $? -eq 0 ]; then - apt-get update - dpkg --get-selections | grep -v deinstall | grep nginx-mainline - if [ $? -eq 0 ]; then - apt-get remove -y nginx-mainline - fi - systemctl stop nginx &>> /dev/null - DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y --allow-unauthenticated install nginx-ee nginx-custom - systemctl restart nginx &>> /dev/null + grep -Hr 'http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/Debian_8.0/ /' /etc/apt/sources.list.d/ &>> /dev/null + if [[ $? 
-ne 0 ]]; then + echo -e "deb http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/Debian_8.0/ /" >> /etc/apt/sources.list.d/wo-repo.list + gpg --keyserver "hkp://pgp.mit.edu" --recv-keys '3050AC3CD2AE6F03' + gpg -a --export --armor '3050AC3CD2AE6F03' | apt-key add - + if [ -f /etc/nginx/conf.d/ee-nginx.conf ]; then + mv /etc/nginx/conf.d/ee-nginx.conf /etc/nginx/conf.d/ee-nginx.conf.old &>> /dev/null fi + mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old &>> /dev/null + mv /etc/nginx/fastcgi_params /etc/nginx/fastcgi_params.old &>> /dev/null + apt-get update + systemctl stop nginx &>> /dev/null + apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y install nginx-custom + systemctl restart nginx &>> /dev/null fi + dpkg --get-selections | grep -v deinstall | grep nginx-common + if [ $? -eq 0 ]; then + apt-get update + dpkg --get-selections | grep -v deinstall | grep nginx-mainline + if [ $? -eq 0 ]; then + apt-get remove -y nginx-mainline + fi + systemctl stop nginx &>> /dev/null + DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y --allow-unauthenticated install nginx-ee nginx-custom + systemctl restart nginx &>> /dev/null + fi + fi if [ -f /etc/nginx/nginx.conf ]; then sed -i "s/.*X-Powered-By.*/\tadd_header X-Powered-By \"WordOps $wo_version_new\";/" /etc/nginx/nginx.conf &>> /dev/null 
@@ -521,56 +521,47 @@ if [ -f /etc/ImageMagick/policy.xml ] # Rename Redis Header if [ -f /etc/nginx/common/redis-hhvm.conf ]; then - sed -i "s/X-Cache /X-SRCache-Fetch-Status /g" /etc/nginx/common/redis-hhvm.conf &>> /dev/null - sed -i "s/X-Cache-2 /X-SRCache-Store-Status /g" /etc/nginx/common/redis-hhvm.conf &>> /dev/null + sed -i "s/X-Cache /X-SRCache-Fetch-Status /g" /etc/nginx/common/redis-hhvm.conf &>> /dev/null + sed -i "s/X-Cache-2 /X-SRCache-Store-Status /g" /etc/nginx/common/redis-hhvm.conf &>> /dev/null fi if [ -f /etc/nginx/common/redis.conf ]; then - sed -i "s/X-Cache /X-SRCache-Fetch-Status /g" /etc/nginx/common/redis.conf &>> /dev/null - sed -i "s/X-Cache-2 /X-SRCache-Store-Status /g" /etc/nginx/common/redis.conf &>> /dev/null + sed -i "s/X-Cache /X-SRCache-Fetch-Status /g" /etc/nginx/common/redis.conf &>> /dev/null + sed -i "s/X-Cache-2 /X-SRCache-Store-Status /g" /etc/nginx/common/redis.conf &>> /dev/null fi if [ -f /etc/nginx/common/redis-hhvm.conf ]; then - # Update Timeout redis-hhvm.conf - grep -0 'redis2_query expire $key 6h' /etc/nginx/common/redis-hhvm.conf &>> /dev/null - if [ $? -eq 0 ]; then - sed -i 's/redis2_query expire $key 6h/redis2_query expire $key 14400/g' /etc/nginx/common/redis-hhvm.conf &>> /dev/null - fi + # Update Timeout redis-hhvm.conf + grep -0 'redis2_query expire $key 6h' /etc/nginx/common/redis-hhvm.conf &>> /dev/null + if [ $? -eq 0 ]; then + sed -i 's/redis2_query expire $key 6h/redis2_query expire $key 14400/g' /etc/nginx/common/redis-hhvm.conf &>> /dev/null + fi - #Fix for 3.3.4 redis-hhvm issue - grep -0 'HTTP_ACCEPT_ENCODING' /etc/nginx/common/redis-hhvm.conf &>> /dev/null - if [ $? -ne 0 ]; then - sed -i 's/fastcgi_params;/fastcgi_params;\n fastcgi_param HTTP_ACCEPT_ENCODING "";/g' /etc/nginx/common/redis-hhvm.conf &>> /dev/null - fi - fi - - #Fix Security Issue. 
commit #c64f28e - if [ -f /etc/nginx/common/locations.conf ]; then - grep -0 '$request_uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"' /etc/nginx/common/locations.conf &>> /dev/null - if [ $? -eq 0 ]; then - sed -i 's/$request_uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"/$uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"/g' /etc/nginx/common/locations.conf &>> /dev/null - fi + #Fix for 3.3.4 redis-hhvm issue + grep -0 'HTTP_ACCEPT_ENCODING' /etc/nginx/common/redis-hhvm.conf &>> /dev/null + if [ $? -ne 0 ]; then + sed -i 's/fastcgi_params;/fastcgi_params;\n fastcgi_param HTTP_ACCEPT_ENCODING "";/g' /etc/nginx/common/redis-hhvm.conf &>> /dev/null + fi fi #Fix Redis-server security issue #http://redis.io/topics/security - if [ -f /etc/redis/redis.conf ]; then - grep -0 -v "#" /etc/redis/redis.confse | grep 'bind' &>> /dev/null - if [ $? -ne 0 ]; then + if [ -f /etc/redis/redis.conf ]; then + grep -0 -v "#" /etc/redis/redis.confse | grep 'bind' &>> /dev/null + if [ $? -ne 0 ]; then sed -i '$ a bind 127.0.0.1' /etc/redis/redis.conf &>> /dev/null service redis-server restart &>> /dev/null - fi - fi - - #Fix For --letsencrypt - if [ -f /etc/nginx/common/locations.conf ]; then - grep -0 'location ~ \/\\.well-known' /etc/nginx/common/locations.conf &>> /dev/null - if [ $? -ne 0 ]; then - sed -i 's/# Deny hidden files/# Deny hidden files\nlocation ~ \/\\.well-known {\n allow all;\n}\n /g' /etc/nginx/common/locations.conf &>> /dev/null - fi + fi fi + # Let's Encrypt .well-known folder setup + if [ ! -d /var/www/html/.well-known/acme-challenge ]; then + mkdir -p /var/www/html/.well-known/acme-challenge + chown -R www-data:www-data /var/www/html/.well-known + fi + + # Fix for 3.3.2 renamed nginx.conf nginx -V 2>&1 &>>/dev/null if [[ $? -eq 0 ]]; then 
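Review bot: The redis hardening check on the new side of this hunk greps `/etc/redis/redis.confse`, a path that does not exist, so the pipeline's status is that of `grep 'bind'` reading empty input, the `if [ $? -ne 0 ]` branch runs on every update, and `sed -i '$ a bind 127.0.0.1'` appends a further `bind` line and restarts redis-server each time; the typo predates this commit but the line is re-emitted here. The intended line is `grep -0 -v "#" /etc/redis/redis.conf | grep 'bind' &>> /dev/null`. Dropping the two in-place `sed` repairs of `/etc/nginx/common/locations.conf` (the `$request_uri` to `$uri` rewrite and the `.well-known` allow block) means an already-deployed locations.conf is no longer patched by the updater; unless the common/ files are regenerated from the templates elsewhere, existing sites keep the old rules, which is worth confirming. This hunk sits inside a function (apparently `wo_update_latest`) that starts and ends outside it.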
@@ -618,7 +609,7 @@ if [ -f /etc/ImageMagick/policy.xml ] touch /var/log/php/7.2/slow.log /var/log/php/7.2/fpm.log systemctl php7.2-fpm restart &>> /dev/null - elif [ "$wo_linux_distro" == "Debian" ]; then + elif [ "$wo_linux_distro" == "Debian" ]; then apt-get install apt-transport-https lsb-release ca-certificates locales locales-all -y export LC_ALL=en_US.UTF-8 export LANG=en_US.UTF-8 @@ -626,7 +617,7 @@ if [ -f /etc/ImageMagick/policy.xml ] echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list apt-get update &>> /dev/null apt-get -y install php7.2-fpm php7.2-curl php7.2-gd php7.2-imap php-sodium php7.2-common php7.2-readline php7.2-redis php7.2-mysql php7.2-cli php7.2-memcache php7.2-imagick php7.2-mbstring php7.2-recode php7.2-bcmath php7.2-opcache php7.2-zip php7.2-xml php7.2-soap php7.2-msgpack memcached graphviz php-pear php7.2-xdebug || wo_lib_error "Not all PHP packages could be installed." 1 - systemctl php7.2-fpm restart &>> /dev/null + systemctl php7.2-fpm restart &>> /dev/null fi #Fix for SSL cert --all diff --git a/wo/cli/templates/locations-php7.mustache b/wo/cli/templates/locations-php7.mustache index f7de530..ec75110 100644 --- a/wo/cli/templates/locations-php7.mustache +++ b/wo/cli/templates/locations-php7.mustache 
@@ -7,38 +7,49 @@ location = /favicon.ico { expires max; } location = /robots.txt { - # Some WordPress plugin gererate robots.txt file - # Refer #340 issue - try_files $uri $uri/ /index.php?$args; - access_log off; - log_not_found off; +# Some WordPress plugin gererate robots.txt file +# Refer #340 issue + try_files $uri $uri/ /index.php?$args @robots; + access_log off; + log_not_found off; +} +# fallback for robots.txt with default wordpress rules +location @robots { + return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n"; } # Cache static files -location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ { - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires max; +location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires max; +} +# Cache css & js files +location ~* \.(?:css(\.map)?|js(\.map)?)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires 30d; } # Security settings for better privacy # Deny hidden files -location ~ /\.well-known { - allow all; +location ~ /\.(?!well-known\/) { + deny all; } -location ~ /\. 
{ - deny all; - access_log off; - log_not_found off; +# letsencrypt validation +location /.well-known/acme-challenge/ { + alias /var/www/html/.well-known/acme-challenge/; } -# Deny backup extensions & log files -location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { - deny all; - access_log off; - log_not_found off; +# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files +location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" { + deny all; } -# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) -if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") { - return 403; +# Deny backup extensions & log files and return 403 forbidden +location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { + deny all; +} +location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { + deny all; } # Status pages location = /nginx_status { diff --git a/wo/cli/templates/locations.mustache b/wo/cli/templates/locations.mustache index 1acfb17..38e20dd 100644 --- a/wo/cli/templates/locations.mustache +++ b/wo/cli/templates/locations.mustache 
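Review bot: The new `location /.well-known/acme-challenge/` block is a plain prefix location, so any regex location that happens to match a challenge URI still takes precedence over it — for instance the later `location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)"` would deny a challenge whose token begins with `_mm` or `cgi-`. Declaring it as `location ^~ /.well-known/acme-challenge/ {` stops the regex search once the prefix matches and makes the ACME path independent of the ordering of every other rule. In the same hunk, `exe` and `tar` appear both in the cached static-files regex and in the later backup-extension deny list; because the first matching regex wins, those extensions are served with `expires max` and the deny never applies, so one of the two lists should drop them. The readme/license deny regex also carries a `^$` alternative that can never match (it sits between `/` and `\.`) and, under `~*`, the upper-case names are redundant, so `(readme|license|example|legalnotice|installation|changelog)` expresses the same rule. The identical hunk in wo/cli/templates/locations.mustache has the same three points.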
@@ -7,38 +7,49 @@ location = /favicon.ico { expires max; } location = /robots.txt { - # Some WordPress plugin gererate robots.txt file - # Refer #340 issue - try_files $uri $uri/ /index.php?$args; - access_log off; - log_not_found off; +# Some WordPress plugin gererate robots.txt file +# Refer #340 issue + try_files $uri $uri/ /index.php?$args @robots; + access_log off; + log_not_found off; +} +# fallback for robots.txt with default wordpress rules +location @robots { + return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n"; } # Cache static files -location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ { - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires max; +location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires max; +} +# Cache css & js files +location ~* \.(?:css(\.map)?|js(\.map)?)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires 30d; } # Security settings for better privacy # Deny hidden files -location ~ /\.well-known { - allow all; +location ~ /\.(?!well-known\/) { + deny all; } -location ~ /\. 
{ - deny all; - access_log off; - log_not_found off; +# letsencrypt validation +location /.well-known/acme-challenge/ { + alias /var/www/html/.well-known/acme-challenge/; } -# Deny backup extensions & log files -location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { - deny all; - access_log off; - log_not_found off; +# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files +location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" { + deny all; } -# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) -if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") { - return 403; +# Deny backup extensions & log files and return 403 forbidden +location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { + deny all; +} +location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { + deny all; } # Status pages location = /nginx_status { diff --git a/wo/cli/templates/wpcommon-php7.mustache b/wo/cli/templates/wpcommon-php7.mustache index f43f426..1b4b0fc 100644 --- a/wo/cli/templates/wpcommon-php7.mustache +++ b/wo/cli/templates/wpcommon-php7.mustache 
@@ -2,20 +2,42 @@ # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE # Limit access to avoid brute force attack location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include fastcgi_params; - fastcgi_pass php7; + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php7; } # Disable wp-config.txt location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; -} -# Disallow php in upload folder -location /wp-content/uploads/ { - location ~ \.php$ { - #Prevent Direct Access Of PHP Files From Web Browsers deny all; - } + access_log off; + log_not_found off; +} +# webp rewrite rules for jpg and png images +# try to load alternative image.png.webp before image.png +location /wp-content/uploads { + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + add_header "Access-Control-Allow-Origin" "*"; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } +} +# Deny access to any files with a .php extension in the uploads directory +# Works in sub-directory installs and also in multisite network +# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) +location ~* /(?:uploads|files)/.*\.php$ { + deny all; +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; } diff --git a/wo/cli/templates/wpcommon.mustache b/wo/cli/templates/wpcommon.mustache index e866a99..1444c22 100644 --- a/wo/cli/templates/wpcommon.mustache +++ b/wo/cli/templates/wpcommon.mustache 
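Review bot: `try_files $uri$webp_suffix $uri =404;` in the new `/wp-content/uploads` block relies on a `$webp_suffix` variable that nothing in this patch defines; unless a `map` exists in the shared nginx configuration, `nginx -t` rejects every generated vhost with an unknown-variable error, so the template should state the dependency, e.g. `# requires $webp_suffix to be defined by a map in the http block`. If that map is keyed on the request's Accept header, the header emitted next to it should be `add_header Vary "Accept";` rather than `Vary "Accept-Encoding"`, because the body chosen varies by Accept and a proxy or CDN keying only on Accept-Encoding could hand the WebP variant to a client that does not accept it. The `load-(scripts|styles).php` rule leaves the `.` unescaped; `location ~ /wp-admin/load-(scripts|styles)\.php {` is the intended match, and the comment above it should cite the specific CVE identifier being mitigated instead of "DoS attack CVE". The identical hunk in wo/cli/templates/wpcommon.mustache has the same three points.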
@@ -2,20 +2,42 @@ # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE # Limit access to avoid brute force attack location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include fastcgi_params; - fastcgi_pass php; + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php; } # Disable wp-config.txt location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; -} -# Disallow php in upload folder -location /wp-content/uploads/ { - location ~ \.php$ { - #Prevent Direct Access Of PHP Files From Web Browsers deny all; - } + access_log off; + log_not_found off; +} +# webp rewrite rules for jpg and png images +# try to load alternative image.png.webp before image.png +location /wp-content/uploads { + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + add_header "Access-Control-Allow-Origin" "*"; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } +} +# Deny access to any files with a .php extension in the uploads directory +# Works in sub-directory installs and also in multisite network +# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) +location ~* /(?:uploads|files)/.*\.php$ { + deny all; +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; }