From 0e356edba97b570a53bcb7db68143973c2dd11d3 Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Fri, 6 Sep 2019 02:23:40 +0200
Subject: [PATCH] Several improvements

* logging improvements
* gpg keys import improvements
---
 install                             | 110 ++++++++++++++--------------
 tests/travis.sh                     |   2 +-
 wo/cli/plugins/site_functions.py    |   2 +-
 wo/cli/plugins/stack.py             |   1 +
 wo/cli/plugins/stack_pref.py        |  17 +++--
 wo/cli/templates/nextcloud.mustache |  82 +++++++++++++++++++++
 wo/core/apt_repo.py                 |   3 +-
 wo/core/variables.py                |   6 +-
 8 files changed, 152 insertions(+), 71 deletions(-)
 create mode 100644 wo/cli/templates/nextcloud.mustache

diff --git a/install b/install
index 97d8544..b571510 100755
--- a/install
+++ b/install
@@ -390,7 +390,7 @@ wo_update_wp_cli() {
 wo_install_acme_sh() {
     # check if acme.sh is already installed
-    if [ ! -x /etc/letsencrypt/acme.sh ]; then
+    if [ ! -x /etc/letsencrypt/acme.sh ] && [ ! -d /etc/letsencrypt/{renewal,archive} ]; then
         {
             # clone the git repository
             if [ -d /opt/acme.sh/.git ]; then
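Review bot: The new `[ ! -d /etc/letsencrypt/{renewal,archive} ]` never tests the two directories: under bash the brace expands into two operands for `[`, which rejects the expression with exit status 2, so the `&&` is false and acme.sh is not installed on a host that lacks it; under a shell without brace expansion the literal path simply never exists and the extra test is a no-op. Write the checks out separately, `if [ ! -x /etc/letsencrypt/acme.sh ] && [ ! -d /etc/letsencrypt/renewal ] && [ ! -d /etc/letsencrypt/archive ]; then`. The body of wo_install_acme_sh continues past the hunk.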
@@ -731,75 +731,71 @@ wo_uninstall() {
 }
 wo_ufw_setup() {
-
-    # get custom ssh port
-    if [ -f /etc/ssh/sshd_config ]; then
-        CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
-    fi
-    # define firewall rules
-    if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
-        ufw logging low
-    fi
-    if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
-        ufw default allow outgoing
-    fi
-    if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
-        ufw default deny incoming
-    fi
-    if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
-        # default ssh port
-        ufw limit 22
-    fi
-
-    # custom ssh port
-    if [ "$CURRENT_SSH_PORT" != "22" ]; then
-        if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
-            ufw limit "$CURRENT_SSH_PORT"
+    if ! grep -q "ENABLED=yes" /etc/ufw/ufw.conf; then
+        # get custom ssh port
+        if [ -f /etc/ssh/sshd_config ]; then
+            CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
+        fi
+        # define firewall rules
+        if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
+            ufw logging low
+        fi
+        if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
+            ufw default allow outgoing
+        fi
+        if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
+            ufw default deny incoming
+        fi
+        if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
+            # default ssh port
+            ufw limit 22
         fi
-    fi
-    # nginx
-    if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
-        # http
-        ufw allow http
-    fi
-    if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
-        # https
-        ufw allow https
-    fi
+        # custom ssh port
+        if [ "$CURRENT_SSH_PORT" != "22" ]; then
+            if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
+                ufw limit "$CURRENT_SSH_PORT"
+            fi
+        fi
-    # ntp
-    if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
-        ufw allow 123
-    fi
+        # nginx
+        if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
+            # http
+            ufw allow http
+        fi
+        if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
+            # https
+            ufw allow https
+        fi
-    if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
-        # wordops backend
-        ufw limit 22222
-    fi
-    # enable ufw
-    if [ -n "$CURRENT_SSH_PORT" ]; then
-        if ! grep -q "ENABLED=yes" /etc/ufw/ufw.conf; then
+        # ntp
+        if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
+            ufw allow 123
+        fi
+
+        if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
+            # wordops backend
+            ufw limit 22222
+        fi
+        # enable ufw
+        if [ -n "$CURRENT_SSH_PORT" ]; then
             ufw --force enable
-        else
-            ufw reload
+        fi
+
+        # remove ufw from syslog
+        if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
+            sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
+            service rsyslog restart
         fi
     fi
-
-    # remove ufw from syslog
-    if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
-        sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
-        service rsyslog restart
-    fi
-
 } \ >> $wo_install_log
 wo_cheat_install() {
     curl -sL https://cht.sh/:cht.sh > /usr/local/bin/cht.sh
     chmod +x /usr/local/bin/cht.sh
-    [ ! -h /usr/local/bin/cheat ] && {
-        ln -s /usr/local/bin/cht.sh /usr/local/bin/cheat
+    [ ! -h /usr/local/bin/cheat ] && {
+        ln -s /usr/local/bin/cht.sh /usr/local/bin/cheat
     }
     curl -sL https://cheat.sh/:bash_completion > /etc/bash_completion.d/cht.sh
 }
diff --git a/tests/travis.sh b/tests/travis.sh
index 747379a..2542b61 100644
--- a/tests/travis.sh
+++ b/tests/travis.sh
@@ -10,7 +10,7 @@ CGREEN="${CSI}1;32m"
 CEND="${CSI}0m"
 exit_script() {
-    curl --progress-bar --upload-file /var/log/wo/wordops.log https://transfer.vtbox.net/"$(basename wordops.log)" && echo "" | sudo tee -a $HOME/.transfer.log && echo ""
+    curl --progress-bar --upload-file /var/log/wo/wordops.log https://transfer.vtbox.net/"$(basename wordops.log)" && echo ""
     exit 1
 }
diff --git a/wo/cli/plugins/site_functions.py b/wo/cli/plugins/site_functions.py
index 80ff436..db8b466 100644
--- a/wo/cli/plugins/site_functions.py
+++ b/wo/cli/plugins/site_functions.py
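Review bot: Wrapping the whole of wo_ufw_setup in `if ! grep -q "ENABLED=yes" /etc/ufw/ufw.conf; then` means that once ufw is active no rule is ever added again, so a later run after the SSH port was changed, or on a host that already had ufw enabled, leaves the new port and the 22222 backend blocked, and the removed `ufw reload` branch was the only path that applied rules in that state; keeping the rule additions unconditional and guarding only `ufw --force enable` avoids that. The `CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')` line that moved into the new block also matches commented-out lines and `GatewayPorts`, so the variable can hold several words, and both `ufw limit "$CURRENT_SSH_PORT"` and the `-n` guard that protects against locking out SSH act on that value; `CURRENT_SSH_PORT=$(sshd -T 2>/dev/null | awk '$1 == "port" {print $2; exit}')` reads the effective port instead. wo_ufw_setup starts and ends within this hunk.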
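Review bot: exit_script still uploads the complete install log to an external host on any failure, and the stack_pref changes in this same patch generate MariaDB and backend passwords during the run; if those reach /var/log/wo/wordops.log they leave the CI machine with it, so stripping password lines or uploading only a tail would be safer — whether the log actually records them is not visible from this diff. `"$(basename wordops.log)"` is just the literal `wordops.log` and can be written as such.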
@@ -736,7 +736,7 @@ def setupwp_plugin(self, plugin_name, plugin_option, plugin_data, data):
                     ))
             except CommandExecutionError as e:
                 Log.failed(self, "Setting plugin {0}"
-                    .format(plugin_name))
+                           .format(plugin_name))
                 Log.debug(self, "{0}".format(e))
                 raise SiteError("plugin setup failed")
             else:
diff --git a/wo/cli/plugins/stack.py b/wo/cli/plugins/stack.py
index ec55bf9..a0d8ebd 100644
--- a/wo/cli/plugins/stack.py
+++ b/wo/cli/plugins/stack.py
@@ -548,6 +548,7 @@ class WOStackController(CementBaseController):
             pargs.proftpd = True
             pargs.utils = True
             pargs.redis = True
+            pargs.security = True
             packages = packages + ['/var/www/22222/htdocs']
 
         if pargs.web:
diff --git a/wo/cli/plugins/stack_pref.py b/wo/cli/plugins/stack_pref.py
index b131c13..3ac7dca 100644
--- a/wo/cli/plugins/stack_pref.py
+++ b/wo/cli/plugins/stack_pref.py
@@ -26,6 +26,7 @@ from wo.core.variables import WOVariables
 
 
 def pre_pref(self, apt_packages):
+    apt_repo_key = []
     """Pre settings to do before installation packages"""
 
     if (set(["mariadb-server"]).issubset(set(apt_packages)) or
@@ -41,12 +42,8 @@ def pre_pref(self, apt_packages):
                   'MariaDB.pref', 'w') as mysql_pref_file:
             mysql_pref_file.write(mysql_pref)
         WORepo.add(self, repo_url=WOVariables.wo_mysql_repo)
-        Log.debug(self, 'Adding key for {0}'
-                  .format(WOVariables.wo_mysql_repo))
-        WORepo.add_key(self, '0xcbcb082a1bb943db',
-                       keyserver="keyserver.ubuntu.com")
-        WORepo.add_key(self, '0xF1656F24C74CD1D8',
-                       keyserver="keyserver.ubuntu.com")
+        apt_repo_key = (apt_repo_key +
+                        ['0xcbcb082a1bb943db', '0xF1656F24C74CD1D8'])
         if set(["mariadb-server"]).issubset(set(apt_packages)):
             # generate random 24 characters root password
             chars = ''.join(random.sample(string.ascii_letters, 24))
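Review bot: `apt_repo_key = []` is inserted before the `"""Pre settings to do before installation packages"""` string, so that string is no longer pre_pref's docstring (it becomes a discarded expression and `pre_pref.__doc__` is None); move the assignment to the line after the docstring. A short comment on it would also tell the reader why the list exists, e.g. `# key ids collected here are imported in a single apt-key call at the end of pre_pref`. pre_pref continues past the hunk.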
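Review bot: The two MariaDB identifiers pushed into `apt_repo_key` are 64-bit key ids (`0xcbcb082a1bb943db`, `0xF1656F24C74CD1D8`), and the nginx and php ids turned into lists in the variables.py hunks are the same length; a keyserver `--recv-keys` by 64-bit id can be satisfied by a different key carrying a colliding id, and whatever is returned lands in the global apt keyring. Storing the full 40-hex fingerprint of each key as published by the vendor (e.g. `['<MARIADB-KEY-FINGERPRINT-PLACEHOLDER>', ...]`) and passing that to add_key removes the ambiguity at no cost. The removed `Log.debug(self, 'Adding key for {0}' ...)` has no counterpart, so the batched import later in pre_pref now leaves no trace in the debug log. Adjacent rather than part of this change: the root password on the hunk's last line comes from `random.sample`, which draws 24 distinct letters without replacement; a comprehension over `secrets.choice` is the suitable primitive for a credential.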
@@ -114,6 +111,8 @@ def pre_pref(self, apt_packages):
             WORepo.add(self, ppa=WOVariables.wo_nginx_repo)
             Log.debug(self, 'Adding ppa for Nginx')
         else:
+            apt_repo_key = apt_repo_key + WOVariables.wo_nginx_key
+
             WORepo.add(self, repo_url=WOVariables.wo_nginx_repo)
             Log.debug(self, 'Adding repository for Nginx')
             WORepo.add_key(self, WOVariables.wo_nginx_key)
@@ -137,6 +136,7 @@ def pre_pref(self, apt_packages):
             Log.debug(self, 'Adding repo_url of php for debian')
             WORepo.add(self, repo_url=WOVariables.wo_php_repo)
             Log.debug(self, 'Adding deb.sury GPG key')
+            apt_repo_key = apt_repo_key + WOVariables.wo_php_key
             WORepo.add_key(self, WOVariables.wo_php_key)
     # add redis repository
     if set(['redis-server']).issubset(set(apt_packages)):
@@ -145,6 +145,9 @@ def pre_pref(self, apt_packages):
         Log.debug(self, 'Adding ppa for redis')
         WORepo.add(self, ppa=WOVariables.wo_redis_repo)
 
+    if (apt_repo_key):
+        WORepo.add_key(self, apt_repo_key)
+
 
 def post_pref(self, apt_packages, packages, upgrade=False):
     """Post activity after installation of packages"""
@@ -367,7 +370,7 @@ def post_pref(self, apt_packages, packages, upgrade=False):
             WOTemplate.render(
                 self, '/etc/nginx/sites-available/22222',
-                '22222.mustache', data, overwrite=False)
+                '22222.mustache', data, overwrite=True)
             passwd = ''.join([random.choice
                               (string.ascii_letters + string.digits)
                               for n in range(24)])
diff --git a/wo/cli/templates/nextcloud.mustache b/wo/cli/templates/nextcloud.mustache
new file mode 100644
index 0000000..f907de7
--- /dev/null
+++ b/wo/cli/templates/nextcloud.mustache
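Review bot: The nginx key is appended to `apt_repo_key` on the new first line of this hunk, but the direct `WORepo.add_key(self, WOVariables.wo_nginx_key)` three lines below is kept, so the key is fetched from the keyserver twice, once here and once by the batched call at the end of pre_pref; the php branch at `@@ -137,6 +136,7 @@` does the same with `wo_php_key`. Either drop the two direct calls or drop the list appends, whichever the batching is meant to replace. pre_pref starts and ends outside this hunk.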
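Review bot: The batched import `if (apt_repo_key): WORepo.add_key(self, apt_repo_key)` has no debug log entry, unlike the per-repository calls it replaces, so a failed keyserver fetch can no longer be tied to the ids that were requested; add `Log.debug(self, 'Importing apt keys {0}'.format(' '.join(apt_repo_key)))` before the call. The parentheses around the condition are not Python style: `if apt_repo_key:`. pre_pref's body starts outside the hunk.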
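Review bot: Switching the `'22222.mustache'` render to `overwrite=True` rewrites /etc/nginx/sites-available/22222 on every pass through this branch, so any local hardening an operator added to the backend vhost (an IP allowlist, for instance) is silently discarded; if the aim is a one-time refresh of the template, tying it to `upgrade` or to a template version marker would be safer, though the condition this block sits under is not visible here. The adjacent backend password is built with `random.choice`; `secrets.choice` is the appropriate primitive for a credential and is a drop-in replacement inside that comprehension. post_pref continues beyond the hunk.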
@@ -0,0 +1,82 @@
+# WordOps nextcloud configuration
+add_header X-Robots-Tag none;
+add_header X-Permitted-Cross-Domain-Policies none;
+add_header Referrer-Policy no-referrer;
+
+location = /robots.txt {
+    allow all;
+    log_not_found off;
+    access_log off;
+}
+
+# Enable gzip but do not remove ETag headers
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+location / {
+    rewrite ^ /index.php$request_uri;
+}
+
+location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+    deny all;
+}
+location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+    deny all;
+}
+
+location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param HTTPS on;
+    # Avoid sending the security headers twice
+    fastcgi_param modHeadersAvailable true;
+    # Enable pretty urls
+    fastcgi_param front_controller_active true;
+    fastcgi_pass {{upstream}};
+    fastcgi_intercept_errors on;
+    fastcgi_request_buffering off;
+}
+
+location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+    try_files $uri/ =404;
+    index index.php;
+}
+
+# Adding the cache control header for js, css and map files
+# Make sure it is BELOW the PHP block
+location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+    try_files $uri /index.php$request_uri;
+    add_header Cache-Control "public, max-age=15778463";
+    # Add headers to serve security related headers (It is intended to
+    # have those duplicated to the ones above)
+    # Before enabling Strict-Transport-Security headers please read into
+    # this topic first.
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+    #
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Robots-Tag none;
+    add_header X-Download-Options noopen;
+    add_header X-Permitted-Cross-Domain-Policies none;
+    add_header Referrer-Policy no-referrer;
+
+    # Optional: Don't log access to assets
+    access_log off;
+}
+
+location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+    try_files $uri /index.php$request_uri;
+    # Optional: Don't log access to other assets
+    access_log off;
+}
diff --git a/wo/core/apt_repo.py b/wo/core/apt_repo.py
index 1715639..fed5bac 100644
--- a/wo/core/apt_repo.py
+++ b/wo/core/apt_repo.py
@@ -83,7 +83,8 @@ class WORepo():
         default keyserver is hkp://keyserver.ubuntu.com
         user can provide other keyserver with keyserver="hkp://xyz"
         """
+        all_keys = ' '.join(keyids)
         WOShellExec.cmd_exec(self, "apt-key adv --keyserver {serv}"
                              .format(serv=(keyserver or "hkp://keyserver.ubuntu.com")) +
-                             " --recv-keys {key}".format(key=keyids))
+                             " --recv-keys {keys}".format(key=all_keys))
diff --git a/wo/core/variables.py b/wo/core/variables.py
index 10349b5..22a8a17 100644
--- a/wo/core/variables.py
+++ b/wo/core/variables.py
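Review bot: The PHP location (`location ~ ^\/(?:index|remote|public|cron|...)\.php(?:$|\/)`) hands the request to FastCGI without checking that the script part exists on disk; Nextcloud's reference nginx config guards this with `set $path_info $fastcgi_path_info;` followed by `try_files $fastcgi_script_name =404;` right after the `fastcgi_split_path_info` line, and then uses `fastcgi_param PATH_INFO $path_info;` because try_files resets `$fastcgi_path_info`. The allowlist of script names in the regex already limits what can reach PHP-FPM, so this is defense in depth, but it is the documented form and costs nothing. `fastcgi_param HTTPS on;` is unconditional: if the vhost that includes this template is also reachable over plain HTTP, Nextcloud is told every request was TLS, which affects its generated URLs and cookie flags — fine if WordOps only includes it from a TLS-only server block, which is not visible from this file.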
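Review bot: The new `" --recv-keys {keys}".format(key=all_keys)` names the placeholder `keys` but supplies the keyword `key`, so `str.format` raises `KeyError: 'keys'` on every call and no repository key is imported at all; the fix is `" --recv-keys {keys}".format(keys=all_keys))`. `all_keys = ' '.join(keyids)` also assumes an iterable of ids: a caller that still passes a single string (the parameter name and the docstring were not updated, and `wo_nginx_key`/`wo_php_key` only become lists in this same patch) gets its id split into space-separated characters, so normalise first, `keyids = [keyids] if isinstance(keyids, str) else list(keyids)`, and state in the docstring that keyids is a list of key ids. Every id fetched this way goes into the global apt keyring through `apt-key adv`, where it is trusted for all configured repositories rather than the one it was added for; defaulting to `hkps://keyserver.ubuntu.com` and passing full fingerprints would at least pin what is fetched, and installing keys under /etc/apt/trusted.gpg.d or via `signed-by=` is where apt has moved now that apt-key is deprecated. add_key's signature is outside the hunk.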
@@ -109,7 +109,7 @@ class WOVariables():
                           .format(wo_deb_repo))
 
     wo_nginx = ["nginx-custom", "nginx-wo"]
-    wo_nginx_key = '188C9FB063F0247A'
+    wo_nginx_key = ['188C9FB063F0247A']
 
     # PHP repo and packages
     if wo_distro == 'ubuntu':
@@ -118,7 +118,7 @@ class WOVariables():
         wo_php_repo = (
             "deb https://packages.sury.org/php/ {codename} main"
             .format(codename=wo_platform_codename))
-        wo_php_key = 'AC0E47584A7A714D'
+        wo_php_key = ['AC0E47584A7A714D']
         wo_php = ["php7.2-fpm", "php7.2-curl", "php7.2-gd",
                   "php7.2-imap", "php7.2-readline", "php7.2-common",
                   "php7.2-recode",
@@ -150,8 +150,6 @@ class WOVariables():
     else:
         wo_mysql_client = ["mariadb-client",
                            "python3-mysql.connector"]
-
-    wo_fail2ban = ["fail2ban"]
 
     wo_clamav = ["clamav", "clamav-freshclam"]