VirtuBox
2019-08-20 00:26:12 +02:00
parent 9cffd032c4
commit 0a5596c093
2 changed files with 95 additions and 38 deletions


@@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- Additional settings to support mobile with WP-Rocket
- Add the ability to block nginx configuration overwriting by adding a file .custom. Example with webp.conf -> `touch webp.conf.custom`
- If there is a custom file, WordOps will write the configuration in a file named fileconf.conf.orig to let users implement possible changes
- UFW minimal configuration during install. Can be disabled with the flag `-w`, `--wufw` or `--without-ufw`. Example : `wget -qO wo wops.cc && sudo bash wo -w`
#### Fixed
- WordOps internal database creation on servers running with custom setup
### v3.9.8.1 - 2019-08-18

128
install

@@ -77,6 +77,9 @@ while [ "$#" -gt 0 ]; do
--purge | --uninstall)
wo_purge="y"
;;
-w | --wufw | --without-ufw)
ufw="n"
;;
*) # positional args
;;
esac
@@ -148,7 +151,9 @@ if [ -x /usr/local/bin/ee ]; then
elif [ -x /usr/local/bin/wo ]; then
wo_upgrade=1
fi
if [ -z "$ufw" ]; then
ufw="y"
fi
###
# 1 - Checking linux distro
###
@@ -211,11 +216,15 @@ wo_install_dep() {
locale-gen en
# enable unattended upgades
cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
if [ ! -f /etc/apt/apt.conf.d/20auto-upgrades ]; then
cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
fi
# set default ntp pools
sed -e 's/^#NTP=/NTP=time.cloudflare.com 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
# enable ntp
timedatectl set-ntp 1
if ! grep -q "time.cloudflare.com" /etc/systemd/timesyncd.conf; then
sed -e 's/^#NTP=/NTP=time.cloudflare.com 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
# enable ntp
timedatectl set-ntp 1
fi
} >> "$wo_install_log" 2>&1
@@ -318,14 +327,14 @@ wo_sync_db() {
fi
fi
done
wo_webroot="/var/www/$site"
wo_webroot="/var/www/$site"
# Import the configuration into the WordOps SQLite database
echo "INSERT INTO sites (sitename, site_type, cache_type, site_path, is_enabled, is_ssl, storage_fs, storage_db)
# Import the configuration into the WordOps SQLite database
echo "INSERT INTO sites (sitename, site_type, cache_type, site_path, is_enabled, is_ssl, storage_fs, storage_db)
VALUES (\"$site\", \"$wo_site_current\", \"$wo_site_current_cache\", \"$wo_webroot\", \"$wo_site_status\", 0, 'ext4', 'mysql');" | sqlite3 /var/lib/wo/dbase.db
done
fi
# echo "UPDATE sites SET php_version = REPLACE(php_version, '5.6', '7.2');" | sqlite3 /var/lib/wo/dbase.db
@@ -401,9 +410,6 @@ wo_install_acme_sh() {
/etc/letsencrypt/renewal/
# remove previous acme.sh folder
rm -rf "$HOME/.acme.sh"
# create acme.sh.env file inlcuded in .bashrc to avoid error when logging in
mkdir -p "$HOME/.acme.sh"
echo '' > "$HOME/.acme.sh/acme.sh.env"
# removing previous cronjob
crontab -l | sed '/41 0 \* \* \* "\/root\/\.acme\.sh"\/acme.sh --cron --home "\/root\/\.acme\.sh" > \/dev\/null/d' | crontab -
@@ -688,43 +694,73 @@ wo_uninstall() {
wo_ufw_setup() {
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
# get custom ssh port
if [ -f /etc/ssh/sshd_config ]; then
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
fi
# install ufw if needed
if [ ! -d /etc/ufw ]; then
apt-get install ufw -y
fi
# define firewall rules
ufw logging low
ufw default allow outgoing
ufw default deny incoming
# default ssh port
ufw allow 22
if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
ufw logging low
fi
if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
ufw default allow outgoing
fi
if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
ufw default deny incoming
fi
if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
# default ssh port
ufw limit 22
fi
# custom ssh port
if [ "$CURRENT_SSH_PORT" != "22" ]; then
ufw allow "$CURRENT_SSH_PORT"
if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
ufw limit "$CURRENT_SSH_PORT"
fi
fi
# dns
ufw allow 53
# nginx
ufw allow http
ufw allow https
if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
# http
ufw allow http
fi
if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
# https
ufw allow https
fi
# ntp
ufw allow 123
# wordops backend
ufw allow 22222
if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
ufw allow 123
fi
if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
# wordops backend
ufw limit 22222
fi
# enable ufw
echo "y" | ufw enable
if [ -n "$CURRENT_SSH_PORT" ]; then
if ! grep -q "ENABLED=yes" /etc/ufw/ufw.conf; then
ufw --force enable
else
ufw reload
fi
fi
} >> $wo_install_log
# remove ufw from syslog
if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
service rsyslog restart
fi
} \
>> $wo_install_log
###
# 4 - WO MAIN SETUP
@@ -740,7 +776,7 @@ else
# 1 - WO already installed
if [ -x /usr/local/bin/wo ]; then
if ! {
wo -v 2>&1 | grep $wo_version_new
wo -v 2>&1 | grep "$wo_version_new"
} || [ "$wo_force_install" = "y" ]; then
if [ -z "$wo_force_install" ]; then
echo -e "Update WordOps to $wo_version_new (y/n): " && read -r WO_ANSWER
@@ -755,10 +791,14 @@ else
secure_wo_db | tee -ai $wo_install_log
wo_lib_echo "Installing WordOps " | tee -ai $wo_install_log
wo_clean | tee -ai $wo_install_log
if [ -f "$HOME/.gitconfig" ]; then
wo_install >> $wo_install_log 2>&1
if [ "$wo_travis" = "y" ]; then
wo_install_travis | tee -ai $wo_install_log
else
wo_install | tee -ai $wo_install_log
if [ -f "$HOME/.gitconfig" ]; then
wo_install >> $wo_install_log 2>&1
else
wo_install | tee -ai $wo_install_log
fi
fi
if [ -z "$wo_preserve_config" ]; then
if [ -n "$(command -v nginx)" ]; then
@@ -773,6 +813,10 @@ else
wo_lib_echo "Updating acme.sh" | tee -ai $wo_install_log
wo_install_acme_sh | tee -ai $wo_install_log
fi
if [ "$ufw" = "y" ]; then
wo_lib_echo "Configuring UFW" | tee -ai $wo_install_log
wo_ufw_setup | tee -ai $wo_install_log
fi
wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log
wo_tweak_kernel | tee -ai $wo_install_log
wo_lib_echo "Running post-install steps " | tee -ai $wo_install_log
@@ -814,6 +858,10 @@ else
wo_update_latest | tee -ai $wo_install_log
wo_lib_echo "Installing acme.sh" | tee -ai $wo_install_log
wo_install_acme_sh | tee -ai $wo_install_log
if [ "$ufw" = "y" ]; then
wo_lib_echo "Configuring UFW" | tee -ai $wo_install_log
wo_ufw_setup | tee -ai $wo_install_log
fi
wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log
wo_tweak_kernel | tee -ai $wo_install_log
wo_lib_echo "Running post-install steps " | tee -ai $wo_install_log
@@ -834,6 +882,10 @@ else
else
wo_install | tee -ai $wo_install_log
fi
if [ "$ufw" = "y" ]; then
wo_lib_echo "Configuring UFW" | tee -ai $wo_install_log
wo_ufw_setup | tee -ai $wo_install_log
fi
wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log
wo_tweak_kernel | tee -ai $wo_install_log
wo_lib_echo "Installing acme.sh" | tee -ai $wo_install_log
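Review bot: In wo_ufw_setup, `grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}'` matches every line containing that string, including a commented `#Port 22` and keywords such as `GatewayPorts`, so CURRENT_SSH_PORT can come back multi-line or non-numeric. In that case the `ufw limit "$CURRENT_SSH_PORT"` call is likely to fail, yet the non-empty check still lets `ufw --force enable` run with `default deny incoming`, which would cut off SSH on a host that uses a custom port. Match the directive exactly and fall back to 22, e.g. `CURRENT_SSH_PORT=$(awk 'tolower($1) == "port" {print $2; exit}' /etc/ssh/sshd_config)` followed by `CURRENT_SSH_PORT=${CURRENT_SSH_PORT:-22}`, and enable ufw only after the value passes a numeric check. Separately, `ufw allow 123` opens inbound NTP, which a host acting only as a time client should not need because outgoing traffic is already allowed.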