bachir/debion-web-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

started to refactoring for LEMP + redis

Browse Source
This commit is contained in:
Bachir Soussi Chiadmi 2018-04-05 18:47:02 +02:00
parent 8dca26fc81
commit 0fc667d9cc
2 changed files with 313 additions and 250 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
assets/nginx.conf Normal file
View File

@ -0,0 +1,36 @@
server {
listen 80 default_server;
root /var/www/html;
index index.html index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log on;
error_log /var/log/nginx/error.log error;
sendfile off;
client_max_body_size 100m;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass php:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location ~ /\.ht {
deny all;
}
}

227
install-debian-server.sh
View File

@ -78,7 +78,8 @@ echo "\033[35;1mInstalling fall2ban \033[0m"
apt-get install fail2ban apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# ToDo ask for email and configure jail.local with it # ToDo ask for email and configure jail.local with it
service fail2ban restart systemctl enable fail2ban
systemctl restart fail2ban
echo "\033[92;1mfail2ban installed and configured\033[Om" echo "\033[92;1mfail2ban installed and configured\033[Om"
echo '\033[35m echo '\033[35m
@ -98,7 +99,8 @@ read sq2
sed -i "s/7000,8000,9000/$sq1/g" /etc/knockd.conf sed -i "s/7000,8000,9000/$sq1/g" /etc/knockd.conf
sed -i "s/9000,8000,7000/$sq2/g" /etc/knockd.conf sed -i "s/9000,8000,7000/$sq2/g" /etc/knockd.conf
sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd
service knockd start systemctl enable knockd
systemctl start knockd
echo "\033[92;1mknockd installed and configured\033[Om" echo "\033[92;1mknockd installed and configured\033[Om"
echo "\033[92;1mplease note these sequences for future knocking\033[Om" echo "\033[92;1mplease note these sequences for future knocking\033[Om"
echo "opening : $sq1 ; closing : $sq2" echo "opening : $sq1 ; closing : $sq2"
@ -149,7 +151,8 @@ if [ "$configexim" = "y" ]; then
else else
echo 'exim not configured' echo 'exim not configured'
fi fi
service exim4 restart systemctl enable exim4
systemctl restart exim4
# dkim spf # dkim spf
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
@ -175,7 +178,7 @@ if [ "$installdkim" = "y" ]; then
sed -ir "s/DATE_TO_CHANGE/$selector/g" /etc/exim4/conf.d/main/00_local_macros sed -ir "s/DATE_TO_CHANGE/$selector/g" /etc/exim4/conf.d/main/00_local_macros
update-exim4.conf update-exim4.conf
service exim4 restart systemctl restart exim4
echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n" echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n"
echo "your public key is : \n" echo "your public key is : \n"
cat /etc/exim4/dkim/"$domain".pem cat /etc/exim4/dkim/"$domain".pem
@ -205,7 +208,7 @@ if [ "$securssh" = "y" ]; then
sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
service ssh reload systemctl reload ssh
echo "\033[92;1mSSH secured\033[Om" echo "\033[92;1mSSH secured\033[Om"
else else
echo 'root user can still conect through ssh' echo 'root user can still conect through ssh'
@ -246,15 +249,35 @@ if [ "$yn" = "y" ]; then
ufw allow ftp ufw allow ftp
addgroup ftpuser addgroup ftpuser
systemctl enable proftpd
systemctl restart proftpd
echo "ftp installtion done" echo "ftp installtion done"
echo "to permit to a user to connect through ftp, add him to the ftpuser group by running : usermod -a -G admin USERNAME" echo "to permit to a user to connect through ftp, add him to the ftpuser group by running : usermod -a -G ftpuser USERNAME"
echo "FTP users are jailed on their home by default" echo "FTP users are jailed on their home by default"
fi fi
# TODO : allow ssh/ftp connection only from given ips # TODO : allow ssh/ftp connection only from given ips
echo "\033[35;1mInstalling AMP web server \033[0m"
echo '\033[35m
__
/ /__ ____ ___ ____
/ / _ \/ __ `__ \/ __ \
/ / __/ / / / / / /_/ /
/_/\___/_/ /_/ /_/ .___/
/_/
\033[0m'
echo "\033[35;1mLEMP server (Nginx Mysql Php) \033[0m"
sleep 3
while [ "$lemp" != "y" ] && [ "$lemp" != "n" ]
do
echo -n "Should we install lemp ? [y|n] "
read lemp
done
if [ "$lemp" = "y" ]; then
echo '\033[35m echo '\033[35m
__ ___ __ __ ___ __
@ -268,33 +291,27 @@ echo "\033[35;1minstalling Mysql \033[0m"
sleep 3 sleep 3
apt-get install mariadb-server apt-get install mariadb-server
mysql_secure_installation mysql_secure_installation
systemctl enable mariadb.service
systemctl restart mariadb.service systemctl restart mariadb.service
echo "\033[92;1mmysql installed\033[Om" echo "\033[92;1mmysql installed\033[Om"
echo '\033[35m echo '\033[35m
___ __ ___ _ __ _
/ | ____ ____ ______/ /_ ___ |__ \ / | / /___ _(_)___ _ __
/ /| | / __ \/ __ `/ ___/ __ \/ _ \__/ / / |/ / __ `/ / __ \| |/_/
/ ___ |/ /_/ / /_/ / /__/ / / / __/ __/ / /| / /_/ / / / / /> <
/_/ |_/ .___/\__,_/\___/_/ /_/\___/____/ /_/ |_/\__, /_/_/ /_/_/|_|
/_/ /____/
\033[0m' \033[0m'
echo "\033[35;1mInstalling Apache2 \033[0m" echo "\033[35;1mInstalling Nginx \033[0m"
sleep 3 sleep 3
apt-get install apache2 apt-get install nginx
a2enmod rewrite cp "$_cwd"/assets/nginx.conf /etc/nginx/conf.d/
# cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.back
# cat "$_cwd"/assets/apache2.conf > /etc/apache2/apache2.conf
# Change logrotate for Apache2 log files to keep 10 days worth of logs
sed -i 's/\tweekly/\tdaily/' /etc/logrotate.d/apache2
sed -i 's/\trotate .*/\trotate 10/' /etc/logrotate.d/apache2
# Remove Apache server information from headers.
sed -i 's/ServerTokens .*/ServerTokens Prod/' /etc/apache2/conf-enabled/security.conf
sed -i 's/ServerSignature .*/ServerSignature Off/' /etc/apache2/conf-enabled/security.conf
service apache2 restart
echo "\033[92;1mApache2 installed\033[Om"
systemctl enable nginx
systemctl restart nginx
echo "\033[92;1mNginx installed\033[Om"
echo '\033[35m echo '\033[35m
____ __ ______ ____ __ ______
@ -303,33 +320,24 @@ echo '\033[35m
/ ____/ __ / ____/ / ____/ __ / ____/
/_/ /_/ /_/_/ /_/ /_/ /_/_/
\033[0m' \033[0m'
echo "\033[35;1mInstalling PHP \033[0m" echo "\033[35;1mInstalling PHP 7.0 \033[0m"
sleep 3 sleep 3
apt-get install php7.0 php-pear php7-gd apt-get install php7.0-fpm php7.0-mysql php7.0-opcache php7.0-curl php7.0-mbstring php7.0-zip php7.0-xml php7.0-gd php7.0-mcrypt php-memcached
echo "Configuring PHP" echo "Configuring PHP"
cp "$_cwd"/assets/99-lamp-php.ini /etc/php/7.0/apache2/conf.d/
# conffile=/etc/php/7.0/apache2/conf.d/99-lamp-php.ini
# cp /etc/php/7.0/apache2/php.ini $conffile
# sed -i "s/max_execution_time\ =\ [0-9]\+/max_execution_time = 60/g" $conffile
# sed -i "s/max_input_time\ =\ [0-9]\+/max_input_time = 60/g" $conffile
# sed -i "s/memory_limit\ =\ [0-9]\+M/memory_limit = 512M/g" $conffile
# sed -i "s/;\?error_reporting\ =\ [^\n]\+/error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR/g" $conffile
# sed -i "s/;\?display_errors\ =\ On/display_errors = Off/g" $conffile
# sed -i "s/;\?log_errors\ =\ Off/log_errors = On/g" $conffile
# echo "register_globals = Off" >> $conffile
# following command doesn't work, make teh change manualy
#sed -ri ":a;$!{N;ba};s/;\?\ \?error_log\ =\ [^\n]\+([^\n]*\n(\n|$))/error_log = \/var\/log\/php\/error.log\1/g" /etc/php5/apache2/php.ini
mkdir /var/log/php mkdir /var/log/php
chown www-data /var/log/php chown www-data /var/log/php
cp "$_cwd"/assets/logrotate-php /etc/logrotate.d/php cp "$_cwd"/assets/logrotate-php /etc/logrotate.d/php
apt-get install php7.0-mysql php7.0-curl php7.0-mbstring php7.0-zip php7.0-xml php7.0-gd php7.0-mcrypt php-memcached
apt-get install memcached # echo "Installing memecached"
sed -i "s/-m\s64/-m 128/g" /etc/memcached.conf # replaced by redis
# apt-get install memcached
systemctl start memcached # sed -i "s/-m\s64/-m 128/g" /etc/memcached.conf
#
# systemctl start memcached
echo "\033[92;1mphp installed\033[Om" echo "\033[92;1mphp installed\033[Om"
@ -344,71 +352,88 @@ echo '\033[35m
echo "\033[35;1mInstalling phpMyAdmin \033[0m" echo "\033[35;1mInstalling phpMyAdmin \033[0m"
apt-get install phpmyadmin apt-get install phpmyadmin
# echo "include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf # echo "include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf
ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf # ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf
a2enconf phpmyadmin.conf # a2enconf phpmyadmin.conf
echo "\033[35;1msecuring phpMyAdmin \033[0m" echo "\033[35;1msecuring phpMyAdmin \033[0m"
# sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/" # sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/"
cp "$_cwd"/assets/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess cp "$_cwd"/assets/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess
echo -n "define a user name for phpmyadmin : " echo -n "define a user name for phpmyadmin : "
read un read un
htpasswd -c /etc/phpmyadmin/.htpasswd $un htpasswd -c /etc/phpmyadmin/.htpasswd $un
service apache2 restart # service apache2 restart
echo "\033[92;1mphpMyAdmin installed\033[Om" echo "\033[92;1mphpMyAdmin installed\033[Om"
echo "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om" echo "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
echo '\033[35m echo '\033[35m
__ __ ____ ___
_ __/ /_ ____ _____/ /_ / __ \___ ____/ (_)____
| | / / __ \/ __ \/ ___/ __/ / /_/ / _ \/ __ / / ___/
| |/ / / / / /_/ (__ ) /_ / _, _/ __/ /_/ / (__ )
|___/_/ /_/\____/____/\__/ /_/ |_|\___/\__,_/_/____/
\033[0m' \033[0m'
echo "\033[35;1mVHOST install \033[0m" echo "\033[35;1mInstalling Redis \033[0m"
while [ "$vh" != "y" ] && [ "$vh" != "n" ] sleep 3
do apt-get install redis-server php-redis
echo -n "Should we install a vhost? [y|n] " # cp "$_cwd"/assets/nginx.conf /etc/nginx/conf.d/
read vh
# vh=${vh:-y}
done
if [ "$vh" = "y" ]; then
while [ "$_host_name" = "" ] systemctl enable redis-server
do systemctl restart redis-server
read -p "enter a hostname ? " _host_name echo "\033[92;1mRedis installed\033[Om"
if [ "$_host_name" != "" ]; then
read -p "is hostname $_host_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_host_name=""
fi
fi
done
cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf # echo '\033[35m
sed -ir "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf # __ __
# _ __/ /_ ____ _____/ /_
mkdir -p /srv/www/"$_host_name"/public_html # | | / / __ \/ __ \/ ___/ __/
mkdir /srv/www/"$_host_name"/logs # | |/ / / / / /_/ (__ ) /_
#set proper right to user will handle the app # |___/_/ /_/\____/____/\__/
chown -R root:admin /srv/www/"$_host_name"/ # \033[0m'
chmod -R g+w /srv/www/"$_host_name"/ # echo "\033[35;1mVHOST install \033[0m"
chmod -R g+r /srv/www/"$_host_name"/ # while [ "$vh" != "y" ] && [ "$vh" != "n" ]
# do
# create a shortcut to the site # echo -n "Should we install a vhost? [y|n] "
mkdir /home/"$user"/www/ # read vh
chown "$user":admin /home/"$user"/www/ # # vh=${vh:-y}
ln -s /srv/www/"$_host_name" /home/"$user"/www/"$_host_name" # done
# if [ "$vh" = "y" ]; then
#activate the vhost #
a2ensite "$_host_name".conf # while [ "$_host_name" = "" ]
# do
#restart apache # read -p "enter a hostname ? " _host_name
service apache2 restart # if [ "$_host_name" != "" ]; then
echo "\033[92;1mvhost $_host_name configured\033[Om" # read -p "is hostname $_host_name correcte [y|n] " validated
else # if [ "$validated" = "y" ]; then
echo "Vhost installation aborted" # break
fi # else
# _host_name=""
# fi
# fi
# done
#
# cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf
# sed -ir "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf
#
# mkdir -p /srv/www/"$_host_name"/public_html
# mkdir /srv/www/"$_host_name"/logs
# #set proper right to user will handle the app
# chown -R root:admin /srv/www/"$_host_name"/
# chmod -R g+w /srv/www/"$_host_name"/
# chmod -R g+r /srv/www/"$_host_name"/
#
# # create a shortcut to the site
# mkdir /home/"$user"/www/
# chown "$user":admin /home/"$user"/www/
# ln -s /srv/www/"$_host_name" /home/"$user"/www/"$_host_name"
#
# #activate the vhost
# a2ensite "$_host_name".conf
#
# #restart apache
# service apache2 restart
# echo "\033[92;1mvhost $_host_name configured\033[Om"
# else
# echo "Vhost installation aborted"
# fi
# TODO supervising # TODO supervising
@ -511,6 +536,11 @@ fi
# echo "\033[92;1mAwstat installed\033[Om" # echo "\033[92;1mAwstat installed\033[Om"
else
echo 'lemp server not installed'
fi
# echo '\033[35m # echo '\033[35m
# ______________ _______ # ______________ _______
# /_ __/ ____/ |/ / __ \ # /_ __/ ____/ |/ / __ \
@ -610,9 +640,6 @@ sed -ir "s/EMAIL=\"root\"/EMAIL=\"$email\"/g" /etc/apticron/apticron.conf
# sed -ir "s/# DIFF_ONLY=\"1\"/DIFF_ONLY=\"1\"/g" /etc/apticron/apticron.conf # sed -ir "s/# DIFF_ONLY=\"1\"/DIFF_ONLY=\"1\"/g" /etc/apticron/apticron.conf
sed -ir "s/# NOTIFY_NEW=\"0\"/NOTIFY_NEW=\"0\"/g" /etc/apticron/apticron.conf sed -ir "s/# NOTIFY_NEW=\"0\"/NOTIFY_NEW=\"0\"/g" /etc/apticron/apticron.conf
echo "\033[92;1mApticron installed and configured\033[0m" echo "\033[92;1mApticron installed and configured\033[0m"