Malin/WPIQ
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #122 from WordOps/updating-configuration

Browse Source 
Updating configuration
This commit is contained in:
VirtuBox
2019-08-21 01:28:12 +02:00
committed by GitHub
parent de8d3da7c0 79ab9494d7
commit c409336cdb
6 changed files with 179 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
### v3.9.x - [Unreleased] ### v3.9.x - [Unreleased]
#### Fixed
- `wo upgrade` output
### v3.9.8.2 - 2019-08-20 ### v3.9.8.2 - 2019-08-20
#### Added #### Added

16
install
View File

@@ -548,22 +548,6 @@ wo_upgrade_nginx() {
wo_update_latest() { wo_update_latest() {
if [ -f /etc/nginx/fastcgi_params ]; then
CHECK_HTTP_PROXY=$(grep 'HTTP_PROXY' /etc/nginx/fastcgi_params)
if [ -z "$CHECK_HTTP_PROXY" ]; then
echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params
echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi.conf
service nginx restart | tee -ai $wo_install_log
fi
fi
if [ -f /etc/ImageMagick/policy.xml ]; then
if [ ! -f /etc/ImageMagick/patch.txt ]; then
echo -e "\t<policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" />\n\t<policy domain=\"coder\" rights=\"none\" pattern=\"URL\" />\n\t<policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" />\n\t<policy domain=\"coder\" rights=\"none\" pattern=\"MVG\" />\n\t<policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" />" >> /etc/ImageMagick/patch.txt
sed -i '/<policymap>/r /etc/ImageMagick/patch.txt' /etc/ImageMagick/policy.xml
fi
fi
# Move ~/.my.cnf to /etc/mysql/conf.d/my.cnf # Move ~/.my.cnf to /etc/mysql/conf.d/my.cnf
if [ ! -f /etc/mysql/conf.d/my.cnf ]; then if [ ! -f /etc/mysql/conf.d/my.cnf ]; then
# create conf.d folder if not exist # create conf.d folder if not exist

122
wo/cli/plugins/stack_pref.py
View File

@@ -354,15 +354,10 @@ def post_pref(self, apt_packages, packages):
os.makedirs('/etc/nginx/sites-enabled') os.makedirs('/etc/nginx/sites-enabled')
# 22222 port settings # 22222 port settings
if not os.path.isfile("/etc/nginx/sites-available/22222"): if not os.path.isfile('/etc/nginx/sites-available/22222'):
Log.debug(self, 'Writting the nginx configuration to ' WOTemplate.tmpl_render(self,
'file /etc/nginx/sites-available/' '/etc/nginx/sites-available/22222',
'22222') '22222.mustache', data, overwrite=False)
wo_nginx = open('/etc/nginx/sites-available/22222',
encoding='utf-8', mode='w')
self.app.render((data), '22222.mustache',
out=wo_nginx)
wo_nginx.close()
passwd = ''.join([random.choice passwd = ''.join([random.choice
(string.ascii_letters + string.digits) (string.ascii_letters + string.digits)
@@ -497,57 +492,6 @@ def post_pref(self, apt_packages, packages):
else: else:
WOService.restart_service(self, 'nginx') WOService.restart_service(self, 'nginx')
# add rule for Nginx with UFW
if WOAptGet.is_installed(self, 'ufw'):
try:
WOShellExec.cmd_exec(self, "/usr/bin/ufw allow "
"http")
WOShellExec.cmd_exec(self, "/usr/bin/ufw allow "
"https")
WOShellExec.cmd_exec(self, "/usr/bin/ufw allow "
"22222")
except CommandExecutionError as e:
Log.debug(self, "{0}".format(e))
Log.error(self, "Unable to add UFW rule")
# create nginx configuration for redis
if set(WOVariables.wo_redis).issubset(set(apt_packages)):
if os.path.isdir('/etc/nginx/common'):
data = dict(upstream="php72")
Log.debug(self, 'Writting the nginx configuration to '
'file /etc/nginx/common/redis-php72.conf')
wo_nginx = open('/etc/nginx/common/redis-php72.conf',
encoding='utf-8', mode='w')
self.app.render((data), 'redis.mustache',
out=wo_nginx)
wo_nginx.close()
if os.path.isfile("/etc/nginx/conf.d/upstream.conf"):
if not WOFileUtils.grep(self, "/etc/nginx/conf.d/"
"upstream.conf",
"redis"):
with open("/etc/nginx/conf.d/upstream.conf",
"a") as redis_file:
redis_file.write("upstream redis {\n"
" server 127.0.0.1:6379;\n"
" keepalive 10;\n}\n")
if os.path.isfile("/etc/nginx/nginx.conf"):
if not os.path.isfile("/etc/nginx/conf.d/redis.conf"):
with open("/etc/nginx/conf.d/redis.conf",
"a") as redis_file:
redis_file.write("# Log format Settings\n"
"log_format rt_cache_redis "
"'$remote_addr "
"$upstream_response_time "
"$srcache_fetch_status "
"[$time_local]"
" '\n '$http_host"
" \"$request\" "
"$status $body_bytes_sent '\n"
"'\"$http_referer\" "
"\"$http_user_agent\"';\n")
if set(WOVariables.wo_php).issubset(set(apt_packages)): if set(WOVariables.wo_php).issubset(set(apt_packages)):
ngxroot = '/var/www/' ngxroot = '/var/www/'
# Create log directories # Create log directories
@@ -1007,28 +951,21 @@ def post_pref(self, apt_packages, packages):
if set(WOVariables.wo_fail2ban).issubset(set(apt_packages)): if set(WOVariables.wo_fail2ban).issubset(set(apt_packages)):
if not os.path.isfile("/etc/fail2ban/jail.d/custom.conf"): if not os.path.isfile("/etc/fail2ban/jail.d/custom.conf"):
data = dict() data = dict()
Log.debug(self, "Setting up fail2ban jails configuration") WOTemplate.tmpl_render(self,
fail2ban_config = open('/etc/fail2ban/jail.d/custom.conf', '/etc/fail2ban/jail.d/custom.conf',
encoding='utf-8', mode='w') 'fail2ban.mustache',
self.app.render((data), 'fail2ban.mustache', data, overwrite=False)
out=fail2ban_config) WOTemplate.tmpl_render(self,
fail2ban_config.close() '/etc/fail2ban/filter.d/'
Log.debug(self, "Setting up fail2ban wp filter")
fail2ban_config = open('/etc/fail2ban/filter.d/'
'wo-wordpress.conf', 'wo-wordpress.conf',
encoding='utf-8', mode='w') 'fail2ban-wp.mustache',
self.app.render((data), 'fail2ban-wp.mustache', data, overwrite=False)
out=fail2ban_config) WOTemplate.tmpl_render(self,
fail2ban_config.close() '/etc/fail2ban/filter.d/'
Log.debug(self, "Setting up fail2ban wp filter")
fail2ban_config = open('/etc/fail2ban/filter.d/'
'nginx-forbidden.conf', 'nginx-forbidden.conf',
encoding='utf-8', mode='w') 'fail2ban-forbidden.mustache',
self.app.render((data), 'fail2ban-forbidden.mustache', data, overwrite=False)
out=fail2ban_config)
fail2ban_config.close()
WOGit.add(self, ["/etc/fail2ban"], WOGit.add(self, ["/etc/fail2ban"],
msg="Adding Fail2ban into Git") msg="Adding Fail2ban into Git")
WOService.reload_service(self, 'fail2ban') WOService.reload_service(self, 'fail2ban')
@@ -1115,6 +1052,31 @@ def post_pref(self, apt_packages, packages):
# Redis configuration # Redis configuration
if set(WOVariables.wo_redis).issubset(set(apt_packages)): if set(WOVariables.wo_redis).issubset(set(apt_packages)):
if os.path.isfile("/etc/nginx/conf.d/upstream.conf"):
if not WOFileUtils.grep(self, "/etc/nginx/conf.d/"
"upstream.conf",
"redis"):
with open("/etc/nginx/conf.d/upstream.conf",
"a") as redis_file:
redis_file.write("upstream redis {\n"
" server 127.0.0.1:6379;\n"
" keepalive 10;\n}\n")
if os.path.isfile("/etc/nginx/nginx.conf"):
if not os.path.isfile("/etc/nginx/conf.d/redis.conf"):
with open("/etc/nginx/conf.d/redis.conf",
"a") as redis_file:
redis_file.write("# Log format Settings\n"
"log_format rt_cache_redis "
"'$remote_addr "
"$upstream_response_time "
"$srcache_fetch_status "
"[$time_local]"
" '\n '$http_host"
" \"$request\" "
"$status $body_bytes_sent '\n"
"'\"$http_referer\" "
"\"$http_user_agent\"';\n")
# set redis.conf parameter # set redis.conf parameter
# set maxmemory 10% for ram below 512MB and 20% for others # set maxmemory 10% for ram below 512MB and 20% for others
# set maxmemory-policy allkeys-lru # set maxmemory-policy allkeys-lru

2
wo/cli/plugins/stack_upgrade.py
View File

@@ -171,7 +171,7 @@ class WOStackUpgradeController(CementBaseController):
"Composer"]] "Composer"]]
else: else:
Log.error(self, "Composer isn't installed") Log.error(self, "Composer isn't installed")
if len(apt_packages) or len(packages):
if len(apt_packages): if len(apt_packages):
Log.info(self, "Your site may be down for few seconds if " Log.info(self, "Your site may be down for few seconds if "
"you are upgrading Nginx, PHP-FPM, MariaDB or Redis") "you are upgrading Nginx, PHP-FPM, MariaDB or Redis")

52
wo/cli/templates/locations.mustache
View File

@@ -41,3 +41,55 @@ location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|b
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all; deny all;
} }
# block base64_encoded content
location ~* "(base64_encode)(.*)(\()" {
deny all;
}
# block javascript eval()
location ~* "(eval\()" {
deny all;
}
# Additional security settings
location ~* "(127\.0\.0\.1)" {
deny all;
}
location ~* "([a-z0-9]{2000})" {
deny all;
}
location ~* "(javascript\:)(.*)(\;)" {
deny all;
}
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
deny all;
}
location ~* "(<|%3C).*script.*(>|%3)" {
deny all;
}
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
deny all;
}
location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all;
}
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}