Fix HSTS and update changelog

2019-08-14 13:56:37 +02:00
parent 26806a292b
commit 937e61305a
8 changed files with 46 additions and 18 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -36,6 +36,7 @@ script:
  - sudo wo site create html.net --html && sudo wo site create php.com --php && sudo wo site create mysql.com --mysql && sudo wo site create proxy.com --proxy=127.0.0.1:3000
  - sudo wo site create wp1.com --wp && sudo wo site create wpsc1.net --wpsc && sudo wo site create wpfc1.com --wpfc
  - sudo wo site create wpsc-php73.net --wpsc --php73 && sudo wo site create wpfc-php73.net --wpfc --php73
+  - sudo wo site create wprocket.net --wprocket && sudo wo site create wprocket-php73.net --wprocket --php73
  - sudo wo site create wpredis.net --wpredis && sudo wo site create wpredis-php73.net --wpredis --php73
  - sudo wo site create wpsubdir1.com --wpsubdir && sudo wo site create wpsubdir-php73.com --wpsubdir --php73

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,14 +12,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 - Allow web browser caching for json and webmanifest files
 - nginx-core.mustache template used to render nginx.conf during stack setup
+- APT Packages configuration step with `wo stack upgrade` to apply new configurations
+- Cloudflare restore real_ip configuration
+- WP-Rocket support with the flag `--wprocket`

 #### Changed

 - Do not force Nginx upgrade if a custom Nginx package compiled with nginx-ee is detected
 - Gzip enabled again by default with configuration in /etc/nginx/conf.d/gzip.conf
- Brotli configuration moved in /etc/nginx/conf.d/brotli.conf (easier to disable in case of issues)
+- Brotli configuration moved in /etc/nginx/conf.d/brotli.conf.disabled (disabled by default)
 - Moving package configuration in a new plugin stack_pref.py
 - Cleanup templates by removing all doublons (with/without php7) and replacing them with variables
+- Updated Nginx to v1.16.1 in response to HTTP/2 vulnerabilites discovered
+- Disable temporary adding swap feature (not working)
+
+#### Fixed
+
+- Error in HSTS header syntax

 ### v3.9.7.2 - 2019-08-12

@@ -29,9 +38,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ### v3.9.7.1 - 2019-08-09

- APT Packages configuration step with `wo stack upgrade` to apply new configurations
- Cloudflare restore real_ip configuration
-
 #### Changed

 - Set WordOps backend password length from 16 to 24
--- a/README.md
+++ b/README.md
@@ -42,7 +42,7 @@

 - **Easy to install** : One step automated installer with migration from EasyEngine v3 support
 - **Fast deployment** : Fast and automated WordPress, Nginx, PHP, MySQL & Redis installation
- **Custom Nginx build** : Nginx 1.16.0 - TLS v1.3 Cloudflare HTTP/2 HPACK & Brotli support
+- **Custom Nginx build** : Nginx 1.16.1 - TLS v1.3 Cloudflare HTTP/2 HPACK & Brotli support
 - **Up-to-date** : PHP 7.2 & 7.3, MariaDB 10.3 & Redis 5.0
 - **Secured** : Hardened WordPress security with strict Nginx location directives
 - **Powerful** : Optimized Nginx configurations with multiple cache backends support
--- a/wo/cli/plugins/site_functions.py
+++ b/wo/cli/plugins/site_functions.py
@@ -1534,7 +1534,7 @@ def setupHsts(self, wo_domain_name):
    hstsconf.write("more_set_headers "
                   "\"Strict-Transport-Security: "
                   "max-age=31536000; "
-                   "'includeSubDomains; "
+                   "includeSubDomains; "
                   "preload\";")
    hstsconf.close()
    return 0
--- a/wo/cli/plugins/stack.py
+++ b/wo/cli/plugins/stack.py
@@ -397,12 +397,12 @@ class WOStackController(CementBaseController):
            Log.debug(self, "Calling pre_pref")
            pre_pref(self, apt_packages)
            if (apt_packages):
-                meminfo = (os.popen('/bin/cat /proc/meminfo '
-                                    '| grep MemTotal').read()).split(":")
-                memsplit = re.split(" kB", meminfo[1])
-                wo_mem = int(memsplit[0])
-                if (wo_mem < 4000000):
-                    WOSwap.add(self)
+                # meminfo = (os.popen('/bin/cat /proc/meminfo '
+                #                    '| grep MemTotal').read()).split(":")
+                # memsplit = re.split(" kB", meminfo[1])
+                # wo_mem = int(memsplit[0])
+                # if (wo_mem < 4000000):
+                #    WOSwap.add(self)
                Log.info(self, "Updating apt-cache, please wait...")
                WOAptGet.update(self)
                Log.info(self, "Installing packages, please wait...")
--- a/wo/cli/plugins/stack_pref.py
+++ b/wo/cli/plugins/stack_pref.py
@@ -198,10 +198,10 @@ def post_pref(self, apt_packages, packages):
                    (data), 'gzip.mustache', out=wo_nginx)
                wo_nginx.close()

-            if not os.path.isfile('/etc/nginx/conf.d/brotli.conf'):
+            if not os.path.isfile('/etc/nginx/conf.d/brotli.conf.disabled'):
                Log.debug(self, 'Writting the nginx configuration to '
-                          'file /etc/nginx/conf.d/brotli.conf')
-                wo_nginx = open('/etc/nginx/conf.d/brotli.conf',
+                          'file /etc/nginx/conf.d/brotli.conf.disabled')
+                wo_nginx = open('/etc/nginx/conf.d/brotli.conf.disabled',
                                encoding='utf-8', mode='w')
                self.app.render(
                    (data), 'brotli.mustache', out=wo_nginx)
--- a/wo/cli/templates/gzip.mustache
+++ b/wo/cli/templates/gzip.mustache
@@ -12,19 +12,40 @@
 	gzip_http_version 1.1;
 	gzip_types
 	application/atom+xml
+	application/geo+json
 	application/javascript
 	application/json
+	application/ld+json
+	application/manifest+json
+	application/rdf+xml
 	application/rss+xml
 	application/vnd.ms-fontobject
+	application/wasm
+	application/x-font-opentype
+	application/x-font-truetype
 	application/x-font-ttf
+	application/x-javascript
 	application/x-web-app-manifest+json
 	application/xhtml+xml
 	application/xml
+	application/xml+rss
+	font/eot
 	font/opentype
+	font/otf
+	image/bmp
 	image/svg+xml
+	image/vnd.microsoft.icon
 	image/x-icon
+	image/x-win-bitmap
+	text/cache-manifest
+	text/calendar
 	text/css
+	text/javascript
+	text/markdown
 	text/plain
+	text/vcard
+	text/vnd.rim.location.xloc
+	text/vtt
 	text/x-component
-	text/xml
-	text/javascript;
+	text/x-cross-domain-policy
+	text/xml;
--- a/wo/cli/templates/nginx-core.mustache
+++ b/wo/cli/templates/nginx-core.mustache
@@ -66,7 +66,7 @@ http {
 	ssl_session_cache shared:SSL:50m;
 	ssl_session_tickets off;
 	ssl_prefer_server_ciphers on;
-    {{#tls13}}ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
+	{{#tls13}}ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
 	ssl_protocols TLSv1.2 TLSv1.3;{{/tls13}}
 	ssl_ecdh_curve X25519:P-521:P-384:P-256;
 	# Previous TLS v1.2 configuration