Malin/WPIQ
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #122 from WordOps/updating-configuration

Browse Source 
Updating configuration
This commit is contained in:
VirtuBox
2019-08-21 01:28:12 +02:00
committed by GitHub
parent de8d3da7c0 79ab9494d7
commit c409336cdb
6 changed files with 179 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
### v3.9.x - [Unreleased] ### v3.9.x - [Unreleased]
#### Fixed
- `wo upgrade` output
### v3.9.8.2 - 2019-08-20 ### v3.9.8.2 - 2019-08-20
#### Added #### Added

16
install
View File

@@ -548,22 +548,6 @@ wo_upgrade_nginx() {
wo_update_latest() { wo_update_latest() {
if [ -f /etc/nginx/fastcgi_params ]; then
CHECK_HTTP_PROXY=$(grep 'HTTP_PROXY' /etc/nginx/fastcgi_params)
if [ -z "$CHECK_HTTP_PROXY" ]; then
echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params
echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi.conf
service nginx restart | tee -ai $wo_install_log
fi
fi
if [ -f /etc/ImageMagick/policy.xml ]; then
if [ ! -f /etc/ImageMagick/patch.txt ]; then
echo -e "\t<policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" />\n\t<policy domain=\"coder\" rights=\"none\" pattern=\"URL\" />\n\t<policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" />\n\t<policy domain=\"coder\" rights=\"none\" pattern=\"MVG\" />\n\t<policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" />" >> /etc/ImageMagick/patch.txt
sed -i '/<policymap>/r /etc/ImageMagick/patch.txt' /etc/ImageMagick/policy.xml
fi
fi
# Move ~/.my.cnf to /etc/mysql/conf.d/my.cnf # Move ~/.my.cnf to /etc/mysql/conf.d/my.cnf
if [ ! -f /etc/mysql/conf.d/my.cnf ]; then if [ ! -f /etc/mysql/conf.d/my.cnf ]; then
# create conf.d folder if not exist # create conf.d folder if not exist

122
wo/cli/plugins/stack_pref.py
View File

@@ -354,15 +354,10 @@ def post_pref(self, apt_packages, packages):
os.makedirs('/etc/nginx/sites-enabled') os.makedirs('/etc/nginx/sites-enabled')
# 22222 port settings # 22222 port settings
if not os.path.isfile("/etc/nginx/sites-available/22222"): if not os.path.isfile('/etc/nginx/sites-available/22222'):
Log.debug(self, 'Writting the nginx configuration to ' WOTemplate.tmpl_render(self,
'file /etc/nginx/sites-available/' '/etc/nginx/sites-available/22222',
'22222') '22222.mustache', data, overwrite=False)
wo_nginx = open('/etc/nginx/sites-available/22222',
encoding='utf-8', mode='w')
self.app.render((data), '22222.mustache',
out=wo_nginx)
wo_nginx.close()
passwd = ''.join([random.choice passwd = ''.join([random.choice
(string.ascii_letters + string.digits) (string.ascii_letters + string.digits)
@@ -497,57 +492,6 @@ def post_pref(self, apt_packages, packages):
else: else:
WOService.restart_service(self, 'nginx') WOService.restart_service(self, 'nginx')
# add rule for Nginx with UFW
if WOAptGet.is_installed(self, 'ufw'):
try:
WOShellExec.cmd_exec(self, "/usr/bin/ufw allow "
"http")
WOShellExec.cmd_exec(self, "/usr/bin/ufw allow "
"https")
WOShellExec.cmd_exec(self, "/usr/bin/ufw allow "
"22222")
except CommandExecutionError as e:
Log.debug(self, "{0}".format(e))
Log.error(self, "Unable to add UFW rule")
# create nginx configuration for redis
if set(WOVariables.wo_redis).issubset(set(apt_packages)):
if os.path.isdir('/etc/nginx/common'):
data = dict(upstream="php72")
Log.debug(self, 'Writting the nginx configuration to '
'file /etc/nginx/common/redis-php72.conf')
wo_nginx = open('/etc/nginx/common/redis-php72.conf',
encoding='utf-8', mode='w')
self.app.render((data), 'redis.mustache',
out=wo_nginx)
wo_nginx.close()
if os.path.isfile("/etc/nginx/conf.d/upstream.conf"):
if not WOFileUtils.grep(self, "/etc/nginx/conf.d/"
"upstream.conf",
"redis"):
with open("/etc/nginx/conf.d/upstream.conf",
"a") as redis_file:
redis_file.write("upstream redis {\n"
" server 127.0.0.1:6379;\n"
" keepalive 10;\n}\n")
if os.path.isfile("/etc/nginx/nginx.conf"):
if not os.path.isfile("/etc/nginx/conf.d/redis.conf"):
with open("/etc/nginx/conf.d/redis.conf",
"a") as redis_file:
redis_file.write("# Log format Settings\n"
"log_format rt_cache_redis "
"'$remote_addr "
"$upstream_response_time "
"$srcache_fetch_status "
"[$time_local]"
" '\n '$http_host"
" \"$request\" "
"$status $body_bytes_sent '\n"
"'\"$http_referer\" "
"\"$http_user_agent\"';\n")
if set(WOVariables.wo_php).issubset(set(apt_packages)): if set(WOVariables.wo_php).issubset(set(apt_packages)):
ngxroot = '/var/www/' ngxroot = '/var/www/'
# Create log directories # Create log directories
@@ -1007,28 +951,21 @@ def post_pref(self, apt_packages, packages):
if set(WOVariables.wo_fail2ban).issubset(set(apt_packages)): if set(WOVariables.wo_fail2ban).issubset(set(apt_packages)):
if not os.path.isfile("/etc/fail2ban/jail.d/custom.conf"): if not os.path.isfile("/etc/fail2ban/jail.d/custom.conf"):
data = dict() data = dict()
Log.debug(self, "Setting up fail2ban jails configuration") WOTemplate.tmpl_render(self,
fail2ban_config = open('/etc/fail2ban/jail.d/custom.conf', '/etc/fail2ban/jail.d/custom.conf',
encoding='utf-8', mode='w') 'fail2ban.mustache',
self.app.render((data), 'fail2ban.mustache', data, overwrite=False)
out=fail2ban_config) WOTemplate.tmpl_render(self,
fail2ban_config.close() '/etc/fail2ban/filter.d/'
Log.debug(self, "Setting up fail2ban wp filter")
fail2ban_config = open('/etc/fail2ban/filter.d/'
'wo-wordpress.conf', 'wo-wordpress.conf',
encoding='utf-8', mode='w') 'fail2ban-wp.mustache',
self.app.render((data), 'fail2ban-wp.mustache', data, overwrite=False)
out=fail2ban_config) WOTemplate.tmpl_render(self,
fail2ban_config.close() '/etc/fail2ban/filter.d/'
Log.debug(self, "Setting up fail2ban wp filter")
fail2ban_config = open('/etc/fail2ban/filter.d/'
'nginx-forbidden.conf', 'nginx-forbidden.conf',
encoding='utf-8', mode='w') 'fail2ban-forbidden.mustache',
self.app.render((data), 'fail2ban-forbidden.mustache', data, overwrite=False)
out=fail2ban_config)
fail2ban_config.close()
WOGit.add(self, ["/etc/fail2ban"], WOGit.add(self, ["/etc/fail2ban"],
msg="Adding Fail2ban into Git") msg="Adding Fail2ban into Git")
WOService.reload_service(self, 'fail2ban') WOService.reload_service(self, 'fail2ban')
@@ -1115,6 +1052,31 @@ def post_pref(self, apt_packages, packages):
# Redis configuration # Redis configuration
if set(WOVariables.wo_redis).issubset(set(apt_packages)): if set(WOVariables.wo_redis).issubset(set(apt_packages)):
if os.path.isfile("/etc/nginx/conf.d/upstream.conf"):
if not WOFileUtils.grep(self, "/etc/nginx/conf.d/"
"upstream.conf",
"redis"):
with open("/etc/nginx/conf.d/upstream.conf",
"a") as redis_file:
redis_file.write("upstream redis {\n"
" server 127.0.0.1:6379;\n"
" keepalive 10;\n}\n")
if os.path.isfile("/etc/nginx/nginx.conf"):
if not os.path.isfile("/etc/nginx/conf.d/redis.conf"):
with open("/etc/nginx/conf.d/redis.conf",
"a") as redis_file:
redis_file.write("# Log format Settings\n"
"log_format rt_cache_redis "
"'$remote_addr "
"$upstream_response_time "
"$srcache_fetch_status "
"[$time_local]"
" '\n '$http_host"
" \"$request\" "
"$status $body_bytes_sent '\n"
"'\"$http_referer\" "
"\"$http_user_agent\"';\n")
# set redis.conf parameter # set redis.conf parameter
# set maxmemory 10% for ram below 512MB and 20% for others # set maxmemory 10% for ram below 512MB and 20% for others
# set maxmemory-policy allkeys-lru # set maxmemory-policy allkeys-lru

160
wo/cli/plugins/stack_upgrade.py
View File

@@ -171,95 +171,95 @@ class WOStackUpgradeController(CementBaseController):
"Composer"]] "Composer"]]
else: else:
Log.error(self, "Composer isn't installed") Log.error(self, "Composer isn't installed")
if len(apt_packages) or len(packages):
if len(apt_packages):
Log.info(self, "Your site may be down for few seconds if "
"you are upgrading Nginx, PHP-FPM, MariaDB or Redis")
# Check prompt
if ((not pargs.no_prompt) and (not pargs.force)):
start_upgrade = input("Do you want to continue:[y/N]")
if start_upgrade != "Y" and start_upgrade != "y":
Log.error(self, "Not starting package update")
Log.info(self, "Updating APT packages, please wait...")
# apt-get update
WOAptGet.update(self)
if set(WOVariables.wo_php).issubset(set(apt_packages)):
WOAptGet.remove(self, ['php7.2-fpm'],
auto=False, purge=True)
if set(WOVariables.wo_php73).issubset(set(apt_packages)):
WOAptGet.remove(self, ['php7.3-fpm'],
auto=False, purge=True)
# Update packages
WOAptGet.install(self, apt_packages)
post_pref(self, apt_packages, empty_packages)
# Post Actions after package updates
if len(apt_packages): if len(packages):
Log.info(self, "Your site may be down for few seconds if " if pargs.wpcli:
"you are upgrading Nginx, PHP-FPM, MariaDB or Redis") WOFileUtils.rm(self, '/usr/local/bin/wp')
# Check prompt
if ((not pargs.no_prompt) and (not pargs.force)):
start_upgrade = input("Do you want to continue:[y/N]")
if start_upgrade != "Y" and start_upgrade != "y":
Log.error(self, "Not starting package update")
Log.info(self, "Updating APT packages, please wait...")
# apt-get update
WOAptGet.update(self)
if set(WOVariables.wo_php).issubset(set(apt_packages)):
WOAptGet.remove(self, ['php7.2-fpm'],
auto=False, purge=True)
if set(WOVariables.wo_php73).issubset(set(apt_packages)):
WOAptGet.remove(self, ['php7.3-fpm'],
auto=False, purge=True)
# Update packages
WOAptGet.install(self, apt_packages)
post_pref(self, apt_packages, empty_packages)
# Post Actions after package updates
if len(packages): if pargs.netdata:
if pargs.wpcli: WOFileUtils.rm(self, '/var/lib/wo/tmp/kickstart.sh')
WOFileUtils.rm(self, '/usr/local/bin/wp')
if pargs.netdata: if pargs.dashboard:
WOFileUtils.rm(self, '/var/lib/wo/tmp/kickstart.sh') WOFileUtils.rm(self, '/var/www/22222/htdocs/index.php')
if pargs.dashboard: Log.debug(self, "Downloading following: {0}".format(packages))
WOFileUtils.rm(self, '/var/www/22222/htdocs/index.php') WODownload.download(self, packages)
Log.debug(self, "Downloading following: {0}".format(packages)) if pargs.wpcli:
WODownload.download(self, packages) WOFileUtils.chmod(self, "/usr/local/bin/wp", 0o775)
if pargs.wpcli: if pargs.netdata:
WOFileUtils.chmod(self, "/usr/local/bin/wp", 0o775) Log.info(self, "Upgrading Netdata, please wait...")
WOShellExec.cmd_exec(self, "/bin/bash /var/lib/wo/tmp/"
"kickstart.sh "
"--dont-wait")
if pargs.netdata: if pargs.dashboard:
Log.info(self, "Upgrading Netdata, please wait...") Log.debug(self, "Extracting wo-dashboard.tar.gz "
WOShellExec.cmd_exec(self, "/bin/bash /var/lib/wo/tmp/" "to location {0}22222/htdocs/"
"kickstart.sh " .format(WOVariables.wo_webroot))
"--dont-wait") WOExtract.extract(self, '/var/lib/wo/tmp/'
'wo-dashboard.tar.gz',
'{0}22222/htdocs'
.format(WOVariables.wo_webroot))
WOFileUtils.chown(self, "{0}22222/htdocs"
.format(WOVariables.wo_webroot),
WOVariables.wo_php_user,
WOVariables.wo_php_user, recursive=True)
if pargs.dashboard: if pargs.composer:
Log.debug(self, "Extracting wo-dashboard.tar.gz " Log.info(self, "Upgrading Composer, please wait...")
"to location {0}22222/htdocs/" WOShellExec.cmd_exec(self, "php -q /var/lib/wo"
.format(WOVariables.wo_webroot)) "/tmp/composer-install "
WOExtract.extract(self, '/var/lib/wo/tmp/' "--install-dir=/var/lib/wo/tmp/")
'wo-dashboard.tar.gz', shutil.copyfile('/var/lib/wo/tmp/composer.phar',
'{0}22222/htdocs' '/usr/local/bin/composer')
.format(WOVariables.wo_webroot)) WOFileUtils.chmod(self, "/usr/local/bin/composer", 0o775)
WOFileUtils.chown(self, "{0}22222/htdocs"
.format(WOVariables.wo_webroot),
WOVariables.wo_php_user,
WOVariables.wo_php_user, recursive=True)
if pargs.composer: if pargs.phpmyadmin:
Log.info(self, "Upgrading Composer, please wait...") Log.info(self, "Upgrading phpMyAdmin, please wait...")
WOShellExec.cmd_exec(self, "php -q /var/lib/wo" WOExtract.extract(self, '/var/lib/wo/tmp/pma.tar.gz',
"/tmp/composer-install " '/var/lib/wo/tmp/')
"--install-dir=/var/lib/wo/tmp/") shutil.copyfile(('{0}22222/htdocs/db/pma'
shutil.copyfile('/var/lib/wo/tmp/composer.phar', '/config.inc.php'
'/usr/local/bin/composer') .format(WOVariables.wo_webroot)),
WOFileUtils.chmod(self, "/usr/local/bin/composer", 0o775) ('/var/lib/wo/tmp/phpMyAdmin-{0}'
'-all-languages/config.inc.php'
if pargs.phpmyadmin: .format(WOVariables.wo_phpmyadmin))
Log.info(self, "Upgrading phpMyAdmin, please wait...") )
WOExtract.extract(self, '/var/lib/wo/tmp/pma.tar.gz', WOFileUtils.rm(self, '{0}22222/htdocs/db/pma'
'/var/lib/wo/tmp/') .format(WOVariables.wo_webroot))
shutil.copyfile(('{0}22222/htdocs/db/pma' shutil.move('/var/lib/wo/tmp/phpMyAdmin-{0}'
'/config.inc.php' '-all-languages/'
.format(WOVariables.wo_webroot)), .format(WOVariables.wo_phpmyadmin),
('/var/lib/wo/tmp/phpMyAdmin-{0}' '{0}22222/htdocs/db/pma/'
'-all-languages/config.inc.php' .format(WOVariables.wo_webroot))
.format(WOVariables.wo_phpmyadmin)) WOFileUtils.chown(self, "{0}22222/htdocs"
) .format(WOVariables.wo_webroot),
WOFileUtils.rm(self, '{0}22222/htdocs/db/pma' WOVariables.wo_php_user,
.format(WOVariables.wo_webroot)) WOVariables.wo_php_user, recursive=True)
shutil.move('/var/lib/wo/tmp/phpMyAdmin-{0}'
'-all-languages/'
.format(WOVariables.wo_phpmyadmin),
'{0}22222/htdocs/db/pma/'
.format(WOVariables.wo_webroot))
WOFileUtils.chown(self, "{0}22222/htdocs"
.format(WOVariables.wo_webroot),
WOVariables.wo_php_user,
WOVariables.wo_php_user, recursive=True)
Log.info(self, "Successfully updated packages") Log.info(self, "Successfully updated packages")
else: else:

52
wo/cli/templates/locations.mustache
View File

@@ -41,3 +41,55 @@ location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|b
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all; deny all;
} }
# block base64_encoded content
location ~* "(base64_encode)(.*)(\()" {
deny all;
}
# block javascript eval()
location ~* "(eval\()" {
deny all;
}
# Additional security settings
location ~* "(127\.0\.0\.1)" {
deny all;
}
location ~* "([a-z0-9]{2000})" {
deny all;
}
location ~* "(javascript\:)(.*)(\;)" {
deny all;
}
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
deny all;
}
location ~* "(<|%3C).*script.*(>|%3)" {
deny all;
}
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
deny all;
}
location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all;
}
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}

2
wo/cli/templates/wpcommon.mustache
View File

@@ -66,7 +66,7 @@ location /wp-content/cache {
expires 30d; expires 30d;
} }
location ~ \.php$ { location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers #Prevent Direct Access Of PHP Files From Web Browsers
deny all; deny all;
} }
} }