VirtuBox
2019-08-20 00:26:12 +02:00
parent 9cffd032c4
commit 0a5596c093
2 changed files with 95 additions and 38 deletions


@@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- Additional settings to support mobile with WP-Rocket - Additional settings to support mobile with WP-Rocket
- Add the ability to block nginx configuration overwriting by adding a file .custom. Example with webp.conf -> `touch webp.conf.custom` - Add the ability to block nginx configuration overwriting by adding a file .custom. Example with webp.conf -> `touch webp.conf.custom`
- If there is a custom file, WordOps will write the configuration in a file named fileconf.conf.orig to let users implement possible changes - If there is a custom file, WordOps will write the configuration in a file named fileconf.conf.orig to let users implement possible changes
- UFW minimal configuration during install. Can be disabled with the flag `-w`, `--wufw` or `--without-ufw`. Example : `wget -qO wo wops.cc && sudo bash wo -w`
#### Fixed
- WordOps internal database creation on servers running with custom setup
### v3.9.8.1 - 2019-08-18 ### v3.9.8.1 - 2019-08-18

128
install

@@ -77,6 +77,9 @@ while [ "$#" -gt 0 ]; do
--purge | --uninstall) --purge | --uninstall)
wo_purge="y" wo_purge="y"
;; ;;
-w | --wufw | --without-ufw)
ufw="n"
;;
*) # positional args *) # positional args
;; ;;
esac esac
@@ -148,7 +151,9 @@ if [ -x /usr/local/bin/ee ]; then
elif [ -x /usr/local/bin/wo ]; then elif [ -x /usr/local/bin/wo ]; then
wo_upgrade=1 wo_upgrade=1
fi fi
if [ -z "$ufw" ]; then
ufw="y"
fi
### ###
# 1 - Checking linux distro # 1 - Checking linux distro
### ###
@@ -211,11 +216,15 @@ wo_install_dep() {
locale-gen en locale-gen en
# enable unattended upgades # enable unattended upgades
cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades if [ ! -f /etc/apt/apt.conf.d/20auto-upgrades ]; then
cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
fi
# set default ntp pools # set default ntp pools
sed -e 's/^#NTP=/NTP=time.cloudflare.com 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf if ! grep -q "time.cloudflare.com" /etc/systemd/timesyncd.conf; then
# enable ntp sed -e 's/^#NTP=/NTP=time.cloudflare.com 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
timedatectl set-ntp 1 # enable ntp
timedatectl set-ntp 1
fi
} >> "$wo_install_log" 2>&1 } >> "$wo_install_log" 2>&1
@@ -318,14 +327,14 @@ wo_sync_db() {
fi fi
fi fi
done wo_webroot="/var/www/$site"
wo_webroot="/var/www/$site" # Import the configuration into the WordOps SQLite database
echo "INSERT INTO sites (sitename, site_type, cache_type, site_path, is_enabled, is_ssl, storage_fs, storage_db)
# Import the configuration into the WordOps SQLite database
echo "INSERT INTO sites (sitename, site_type, cache_type, site_path, is_enabled, is_ssl, storage_fs, storage_db)
VALUES (\"$site\", \"$wo_site_current\", \"$wo_site_current_cache\", \"$wo_webroot\", \"$wo_site_status\", 0, 'ext4', 'mysql');" | sqlite3 /var/lib/wo/dbase.db VALUES (\"$site\", \"$wo_site_current\", \"$wo_site_current_cache\", \"$wo_webroot\", \"$wo_site_status\", 0, 'ext4', 'mysql');" | sqlite3 /var/lib/wo/dbase.db
done
fi fi
# echo "UPDATE sites SET php_version = REPLACE(php_version, '5.6', '7.2');" | sqlite3 /var/lib/wo/dbase.db # echo "UPDATE sites SET php_version = REPLACE(php_version, '5.6', '7.2');" | sqlite3 /var/lib/wo/dbase.db
@@ -401,9 +410,6 @@ wo_install_acme_sh() {
/etc/letsencrypt/renewal/ /etc/letsencrypt/renewal/
# remove previous acme.sh folder # remove previous acme.sh folder
rm -rf "$HOME/.acme.sh" rm -rf "$HOME/.acme.sh"
# create acme.sh.env file inlcuded in .bashrc to avoid error when logging in
mkdir -p "$HOME/.acme.sh"
echo '' > "$HOME/.acme.sh/acme.sh.env"
# removing previous cronjob # removing previous cronjob
crontab -l | sed '/41 0 \* \* \* "\/root\/\.acme\.sh"\/acme.sh --cron --home "\/root\/\.acme\.sh" > \/dev\/null/d' | crontab - crontab -l | sed '/41 0 \* \* \* "\/root\/\.acme\.sh"\/acme.sh --cron --home "\/root\/\.acme\.sh" > \/dev\/null/d' | crontab -
@@ -688,43 +694,73 @@ wo_uninstall() {
wo_ufw_setup() { wo_ufw_setup() {
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}') # get custom ssh port
if [ -f /etc/ssh/sshd_config ]; then
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
fi
# install ufw if needed
if [ ! -d /etc/ufw ]; then if [ ! -d /etc/ufw ]; then
apt-get install ufw -y apt-get install ufw -y
fi fi
# define firewall rules # define firewall rules
if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
ufw logging low ufw logging low
ufw default allow outgoing fi
ufw default deny incoming if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
ufw default allow outgoing
# default ssh port fi
ufw allow 22 if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
ufw default deny incoming
fi
if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
# default ssh port
ufw limit 22
fi
# custom ssh port # custom ssh port
if [ "$CURRENT_SSH_PORT" != "22" ]; then if [ "$CURRENT_SSH_PORT" != "22" ]; then
ufw allow "$CURRENT_SSH_PORT" if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
ufw limit "$CURRENT_SSH_PORT"
fi
fi fi
# dns
ufw allow 53
# nginx # nginx
ufw allow http if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
ufw allow https # http
ufw allow http
fi
if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
# https
ufw allow https
fi
# ntp # ntp
ufw allow 123 if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
ufw allow 123
# wordops backend fi
ufw allow 22222
if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
# wordops backend
ufw limit 22222
fi
# enable ufw # enable ufw
echo "y" | ufw enable if [ -n "$CURRENT_SSH_PORT" ]; then
if ! grep -q "ENABLED=yes" /etc/ufw/ufw.conf; then
ufw --force enable
else
ufw reload
fi
fi
} >> $wo_install_log # remove ufw from syslog
if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
service rsyslog restart
fi
} \
>> $wo_install_log
### ###
# 4 - WO MAIN SETUP # 4 - WO MAIN SETUP
@@ -740,7 +776,7 @@ else
# 1 - WO already installed # 1 - WO already installed
if [ -x /usr/local/bin/wo ]; then if [ -x /usr/local/bin/wo ]; then
if ! { if ! {
wo -v 2>&1 | grep $wo_version_new wo -v 2>&1 | grep "$wo_version_new"
} || [ "$wo_force_install" = "y" ]; then } || [ "$wo_force_install" = "y" ]; then
if [ -z "$wo_force_install" ]; then if [ -z "$wo_force_install" ]; then
echo -e "Update WordOps to $wo_version_new (y/n): " && read -r WO_ANSWER echo -e "Update WordOps to $wo_version_new (y/n): " && read -r WO_ANSWER
@@ -755,10 +791,14 @@ else
secure_wo_db | tee -ai $wo_install_log secure_wo_db | tee -ai $wo_install_log
wo_lib_echo "Installing WordOps " | tee -ai $wo_install_log wo_lib_echo "Installing WordOps " | tee -ai $wo_install_log
wo_clean | tee -ai $wo_install_log wo_clean | tee -ai $wo_install_log
if [ -f "$HOME/.gitconfig" ]; then if [ "$wo_travis" = "y" ]; then
wo_install >> $wo_install_log 2>&1 wo_install_travis | tee -ai $wo_install_log
else else
wo_install | tee -ai $wo_install_log if [ -f "$HOME/.gitconfig" ]; then
wo_install >> $wo_install_log 2>&1
else
wo_install | tee -ai $wo_install_log
fi
fi fi
if [ -z "$wo_preserve_config" ]; then if [ -z "$wo_preserve_config" ]; then
if [ -n "$(command -v nginx)" ]; then if [ -n "$(command -v nginx)" ]; then
@@ -773,6 +813,10 @@ else
wo_lib_echo "Updating acme.sh" | tee -ai $wo_install_log wo_lib_echo "Updating acme.sh" | tee -ai $wo_install_log
wo_install_acme_sh | tee -ai $wo_install_log wo_install_acme_sh | tee -ai $wo_install_log
fi fi
if [ "$ufw" = "y" ]; then
wo_lib_echo "Configuring UFW" | tee -ai $wo_install_log
wo_ufw_setup | tee -ai $wo_install_log
fi
wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log
wo_tweak_kernel | tee -ai $wo_install_log wo_tweak_kernel | tee -ai $wo_install_log
wo_lib_echo "Running post-install steps " | tee -ai $wo_install_log wo_lib_echo "Running post-install steps " | tee -ai $wo_install_log
@@ -814,6 +858,10 @@ else
wo_update_latest | tee -ai $wo_install_log wo_update_latest | tee -ai $wo_install_log
wo_lib_echo "Installing acme.sh" | tee -ai $wo_install_log wo_lib_echo "Installing acme.sh" | tee -ai $wo_install_log
wo_install_acme_sh | tee -ai $wo_install_log wo_install_acme_sh | tee -ai $wo_install_log
if [ "$ufw" = "y" ]; then
wo_lib_echo "Configuring UFW" | tee -ai $wo_install_log
wo_ufw_setup | tee -ai $wo_install_log
fi
wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log
wo_tweak_kernel | tee -ai $wo_install_log wo_tweak_kernel | tee -ai $wo_install_log
wo_lib_echo "Running post-install steps " | tee -ai $wo_install_log wo_lib_echo "Running post-install steps " | tee -ai $wo_install_log
@@ -834,6 +882,10 @@ else
else else
wo_install | tee -ai $wo_install_log wo_install | tee -ai $wo_install_log
fi fi
if [ "$ufw" = "y" ]; then
wo_lib_echo "Configuring UFW" | tee -ai $wo_install_log
wo_ufw_setup | tee -ai $wo_install_log
fi
wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log
wo_tweak_kernel | tee -ai $wo_install_log wo_tweak_kernel | tee -ai $wo_install_log
wo_lib_echo "Installing acme.sh" | tee -ai $wo_install_log wo_lib_echo "Installing acme.sh" | tee -ai $wo_install_log
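Review bot: In the wo_ufw_setup hunk, `grep "Port" /etc/ssh/sshd_config` is unanchored, so it also matches commented lines and other directives such as `GatewayPorts`, and CURRENT_SSH_PORT can end up holding several tokens instead of one port number. The new code only checks `[ -n "$CURRENT_SSH_PORT" ]` before `ufw --force enable` with a default-deny inbound policy, so after a bad parse the `ufw limit "$CURRENT_SSH_PORT"` call would likely fail while the firewall is still enabled, leaving a host whose sshd listens on a non-22 port unreachable over SSH. Match only the active directive, for example `CURRENT_SSH_PORT=$(awk '$1 == "Port" {print $2}' /etc/ssh/sshd_config)`, and check that the result is a single number before enabling; multiple Port lines or ports set in Include'd drop-in files still need handling, and the effective values can be read from `sshd -T`. Separately, the function's trailing `>> $wo_install_log` is unquoted and redirects stdout only, unlike `>> "$wo_install_log" 2>&1` on wo_install_dep, so ufw error output does not reach the install log.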