├── config ├── nginx │ ├── server.configs │ │ ├── location │ │ │ ├── pma.conf │ │ │ ├── letsencrypt.conf │ │ │ ├── cross-domain-fonts.conf │ │ │ ├── extensionless-uri.conf │ │ │ ├── cache-busting.conf │ │ │ ├── protect-system-files.conf │ │ │ └── expires.conf │ │ ├── directives │ │ │ ├── x-ua-compatible.conf │ │ │ ├── mime-type-security.conf │ │ │ ├── output-buffering.conf │ │ │ ├── reflected-xss-prevention.conf │ │ │ ├── sec-php-easter-eggs.conf │ │ │ ├── server-security-options.conf │ │ │ ├── timeout-handling.conf │ │ │ ├── socket-settings.conf │ │ │ ├── spdy.conf │ │ │ ├── sec-file-injection.conf │ │ │ ├── no-transform.conf │ │ │ ├── cross-domain-insecure.conf │ │ │ ├── common-exploit-prevention.conf │ │ │ ├── ssl-stapling.conf │ │ │ ├── cache-file-descriptors.conf │ │ │ ├── content-security-policy.conf │ │ │ ├── cloudflare-real-ip.conf │ │ │ ├── compression.conf │ │ │ ├── ssl.conf │ │ │ └── sec-bad-bots.conf │ │ └── basic.conf │ ├── restrictions.conf │ ├── fcgi.conf │ ├── wordpress.conf │ ├── nginx.conf │ ├── mime.types │ └── pagespeed │ │ ├── wily │ │ ├── rules │ │ └── changelog │ │ └── [wip]nginx-pagespeed.sh ├── hhvm │ ├── server.ini │ ├── php.ini │ └── nginx │ │ └── default.hhvm.conf ├── varnish │ ├── varnish.service │ ├── custom.vcl │ └── default.vcl ├── php5 │ └── nginx │ │ └── default.php5.conf.deprecated ├── php8 │ └── nginx │ │ ├── varnish │ │ └── default.php8.conf │ │ └── default.php8.conf └── php7 │ └── nginx │ ├── varnish │ └── default.php7.conf │ └── default.php7.conf ├── .trunk ├── .gitignore ├── config │ ├── .shellcheckrc │ └── .markdownlint.yaml └── trunk.yaml ├── developer_resources ├── images │ ├── vstacklet-logo.png │ ├── vstacklet-lemp-kit.png │ ├── vs-backup-utility-preview.png │ ├── vs-perms-utility-preview.png │ ├── vstacklet-script-preview1.png │ ├── vstacklet_install_preview.png │ ├── vstacklet-varnish_cache_stat-verification.png │ ├── vstacklet-csf_install-ui_service-verification.png │ ├── 
vstacklet-php_install-checkinfo-verification.png │ ├── vstacklet-php83_install-checkinfo-verification.png │ ├── vstacklet-phpmyadmin_mariadb_install-verification.png │ ├── vstacklet-varnish_nginx_ssl_termination-verification.png │ ├── vstacklet-phpmyadmin_mariadb_install-verification_php83.png │ ├── vstacklet-wordpress_install-verification-proxy_cache_test.png │ └── vstacklet-wordpress_install-site_health_check-verification.png ├── onSave └── doc.awk ├── setup └── templates │ ├── ssl │ └── openssl.conf │ ├── vsftpd │ └── vsftpd.conf │ ├── nginx │ └── acme │ ├── profile │ └── bashrc ├── docs ├── developer_resources │ └── onSave.md ├── bin │ ├── www-permissions-standalone.sh.md │ ├── backup │ │ ├── vstacklet-backup-standalone.sh.md │ │ └── vs-backup.md │ └── www-permissions.sh.md └── setup │ ├── vstacklet.sh.md │ └── www-permissions.sh.md ├── .gitignore ├── .gitmodules ├── LICENSE ├── bin ├── www-permissions-standalone.sh └── backup │ └── vstacklet-backup-standalone.sh └── CONTRIBUTING.md /config/nginx/server.configs/location/pma.conf: -------------------------------------------------------------------------------- 1 | location /phpmyadmin { 2 | try_files $uri =404; 3 | } -------------------------------------------------------------------------------- /.trunk/.gitignore: -------------------------------------------------------------------------------- 1 | *out 2 | *logs 3 | *actions 4 | *notifications 5 | plugins 6 | user_trunk.yaml 7 | user.yaml 8 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/x-ua-compatible.conf: -------------------------------------------------------------------------------- 1 | # Force the latest IE version 2 | add_header "X-UA-Compatible" "IE=Edge"; 3 | -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-logo.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-logo.png -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/mime-type-security.conf: -------------------------------------------------------------------------------- 1 | # Reduce MIME type security risks 2 | 3 | add_header X-Content-Type-Options "nosniff"; -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/output-buffering.conf: -------------------------------------------------------------------------------- 1 | # -- Output buffering, see http://wiki.nginx.org/HttpCoreModule 2 | 3 | output_buffers 8 32k; -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/reflected-xss-prevention.conf: -------------------------------------------------------------------------------- 1 | # Reflected XSS prevention (legacy header: most current browsers no longer honour X-XSS-Protection, so pair it with a Content-Security-Policy) 2 | 3 | add_header X-XSS-Protection "1; mode=block" always; -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-lemp-kit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-lemp-kit.png -------------------------------------------------------------------------------- /developer_resources/images/vs-backup-utility-preview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vs-backup-utility-preview.png -------------------------------------------------------------------------------- /developer_resources/images/vs-perms-utility-preview.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vs-perms-utility-preview.png -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-script-preview1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-script-preview1.png -------------------------------------------------------------------------------- /developer_resources/images/vstacklet_install_preview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet_install_preview.png -------------------------------------------------------------------------------- /config/nginx/server.configs/location/letsencrypt.conf: -------------------------------------------------------------------------------- 1 | location ^~ /.well-known { 2 | allow all; 3 | auth_basic off; 4 | alias {{webroot}}/public/.well-known/; 5 | } 6 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/sec-php-easter-eggs.conf: -------------------------------------------------------------------------------- 1 | if ($query_string ~ "\=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}") { 2 | return 403; 3 | break; 4 | } -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-varnish_cache_stat-verification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-varnish_cache_stat-verification.png -------------------------------------------------------------------------------- 
/developer_resources/images/vstacklet-csf_install-ui_service-verification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-csf_install-ui_service-verification.png -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-php_install-checkinfo-verification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-php_install-checkinfo-verification.png -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-php83_install-checkinfo-verification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-php83_install-checkinfo-verification.png -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-phpmyadmin_mariadb_install-verification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-phpmyadmin_mariadb_install-verification.png -------------------------------------------------------------------------------- /.trunk/config/.shellcheckrc: -------------------------------------------------------------------------------- 1 | enable=all 2 | source-path=SCRIPTDIR 3 | disable=SC2154 4 | 5 | # If you're having issues with shellcheck following source, disable the errors via: 6 | # disable=SC1090 7 | # disable=SC1091 8 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/server-security-options.conf: 
-------------------------------------------------------------------------------- 1 | # -- Security options, see http://wiki.nginx.org/HttpCoreModule 2 | 3 | server_name_in_redirect off; 4 | server_tokens off; 5 | ignore_invalid_headers on; -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-varnish_nginx_ssl_termination-verification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-varnish_nginx_ssl_termination-verification.png -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-phpmyadmin_mariadb_install-verification_php83.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-phpmyadmin_mariadb_install-verification_php83.png -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-wordpress_install-verification-proxy_cache_test.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-wordpress_install-verification-proxy_cache_test.png -------------------------------------------------------------------------------- /developer_resources/images/vstacklet-wordpress_install-site_health_check-verification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JMSDOnline/vstacklet/HEAD/developer_resources/images/vstacklet-wordpress_install-site_health_check-verification.png -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/timeout-handling.conf: 
-------------------------------------------------------------------------------- 1 | # -- Timeout handling, see http://wiki.nginx.org/HttpCoreModule 2 | 3 | client_header_timeout 10; 4 | client_body_timeout 10; 5 | send_timeout 30; 6 | keepalive_timeout 300; -------------------------------------------------------------------------------- /setup/templates/ssl/openssl.conf: -------------------------------------------------------------------------------- 1 | [ req ] 2 | prompt = no 3 | distinguished_name = req_distinguished_name 4 | [ req_distinguished_name ] 5 | C = US 6 | ST = Some State 7 | L = LOCALLY 8 | O = SELF 9 | OU = SELF 10 | CN = SELF 11 | emailAddress = dont@think.so 12 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/socket-settings.conf: -------------------------------------------------------------------------------- 1 | # -- Socket settings, see http://wiki.nginx.org/HttpCoreModule 2 | 3 | connection_pool_size 8192; 4 | client_header_buffer_size 4k; 5 | large_client_header_buffers 8 8k; 6 | request_pool_size 8k; -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/spdy.conf: -------------------------------------------------------------------------------- 1 | # Nginx's spdy module is currently experimental 2 | 3 | # Adjust connection keepalive for SPDY clients: 4 | spdy_keepalive_timeout 300; # up from 180 secs default 5 | 6 | # enable SPDY header compression 7 | spdy_headers_comp 6; 8 | -------------------------------------------------------------------------------- /.trunk/config/.markdownlint.yaml: -------------------------------------------------------------------------------- 1 | # Autoformatter friendly markdownlint config (all formatting rules disabled) 2 | default: true 3 | blank_lines: false 4 | bullet: false 5 | html: false 6 | indentation: false 7 | line_length: false 8 | spaces: false 9 | url: false 10 
| whitespace: false 11 | -------------------------------------------------------------------------------- /config/nginx/server.configs/basic.conf: -------------------------------------------------------------------------------- 1 | # Basic vstacklet rules 2 | 3 | include server.configs/directives/x-ua-compatible.conf; 4 | include server.configs/location/expires.conf; 5 | include server.configs/location/cross-domain-fonts.conf; 6 | include server.configs/location/protect-system-files.conf; 7 | -------------------------------------------------------------------------------- /config/nginx/server.configs/location/cross-domain-fonts.conf: -------------------------------------------------------------------------------- 1 | # Cross domain webfont access 2 | location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ { 3 | include server.configs/directives/cross-domain-insecure.conf; 4 | 5 | expires 1M; 6 | access_log off; 7 | add_header Cache-Control "public"; 8 | } 9 | -------------------------------------------------------------------------------- /config/nginx/server.configs/location/extensionless-uri.conf: -------------------------------------------------------------------------------- 1 | location / { 2 | try_files $uri $uri.html $uri/ @extensionless-php; 3 | index index.html index.htm index.php; 4 | } 5 | 6 | location ~ \.php$ { 7 | try_files $uri =404; 8 | } 9 | 10 | location @extensionless-php { 11 | rewrite ^(.*)$ $1.php last; 12 | } -------------------------------------------------------------------------------- /config/hhvm/server.ini: -------------------------------------------------------------------------------- 1 | ; php options 2 | 3 | pid = /var/run/hhvm/pid 4 | 5 | ; hhvm specific 6 | 7 | hhvm.server.file_socket = /var/run/hhvm/hhvm.sock 8 | hhvm.server.type = fastcgi 9 | hhvm.server.default_document = index.php 10 | hhvm.log.use_log_file = true 11 | hhvm.log.file = /var/log/hhvm/error.log 12 | hhvm.repo.central.path = /var/run/hhvm/hhvm.hhbc 13 | 
hhvm.enable_zend_ini_compat=false 14 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/sec-file-injection.conf: -------------------------------------------------------------------------------- 1 | set $file_injection 0; 2 | if ($query_string ~ "[a-zA-Z0-9_]=http://") { 3 | set $file_injection 1; 4 | } 5 | if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { 6 | set $file_injection 1; 7 | } 8 | if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { 9 | set $file_injection 1; 10 | } 11 | if ($file_injection = 1) { 12 | return 403; 13 | break; 14 | } -------------------------------------------------------------------------------- /.trunk/trunk.yaml: -------------------------------------------------------------------------------- 1 | version: 0.1 2 | cli: 3 | version: 1.0.1 4 | plugins: 5 | sources: 6 | - id: trunk 7 | ref: v0.0.5 8 | uri: https://github.com/trunk-io/plugins 9 | lint: 10 | enabled: 11 | - git-diff-check 12 | - gitleaks@8.15.0 13 | - markdownlint@0.32.2 14 | - shellcheck@0.8.0 15 | - prettier@2.7.1 16 | - shfmt@3.5.0 17 | runtimes: 18 | enabled: 19 | - go@1.18.3 20 | - node@16.14.2 21 | actions: 22 | enabled: 23 | - trunk-upgrade-available 24 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/no-transform.conf: -------------------------------------------------------------------------------- 1 | # Prevent mobile network providers from modifying your site 2 | # 3 | # (!) If you are using `ngx_pagespeed`, please note that setting 4 | # the `Cache-Control: no-transform` response header will prevent 5 | # `PageSpeed` from rewriting `HTML` files, and, if 6 | # `pagespeed DisableRewriteOnNoTransform off` is not used, also 7 | # from rewriting other resources. 
8 | # 9 | # https://developers.google.com/speed/pagespeed/module/configuration#notransform 10 | 11 | add_header "Cache-Control" "no-transform"; 12 | -------------------------------------------------------------------------------- /config/hhvm/php.ini: -------------------------------------------------------------------------------- 1 | ; php options 2 | session.save_handler = files 3 | session.save_path = /var/lib/hhvm/sessions 4 | session.gc_maxlifetime = 1440 5 | session.gc_probability = 0 6 | 7 | ; hhvm specific 8 | hhvm.log.level = Warning 9 | hhvm.log.always_log_unhandled_exceptions = true 10 | hhvm.log.runtime_error_reporting_level = 8191 11 | hhvm.mysql.typed_results = false 12 | expose_php = off 13 | memory_limit = 600M 14 | upload_max_filesize = 128M 15 | post_max_size = 128M 16 | max_input_time = 60 17 | max_execution_time = 300 18 | hhvm.enable_zend_ini_compat=false 19 | -------------------------------------------------------------------------------- /config/nginx/server.configs/location/cache-busting.conf: -------------------------------------------------------------------------------- 1 | # Built-in filename-based cache busting 2 | 3 | # https://github.com/h5bp/html5-boilerplate/blob/5370479476dceae7cc3ea105946536d6bc0ee468/.htaccess#L403 4 | # This will route all requests for /css/style.20120716.css to /css/style.css 5 | # Read also this: github.com/h5bp/html5-boilerplate/wiki/cachebusting 6 | # This is not included by default, because it'd be better if you use the build 7 | # script to manage the file names. 
8 | location ~* (.+)\.(?:\d+)\.(js|css|png|jpg|jpeg|gif)$ { 9 | try_files $uri $1.$2; 10 | } 11 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/cross-domain-insecure.conf: -------------------------------------------------------------------------------- 1 | # Cross domain AJAX requests 2 | 3 | # **Security Warning** 4 | # Do not use this without understanding the consequences. 5 | # This will permit access from any other website. 6 | # 7 | add_header "Access-Control-Allow-Origin" "*"; 8 | add_header Timing-Allow-Origin "*"; 9 | 10 | # Instead of using this file, consider using a specific rule such as: 11 | # 12 | # Allow access based on [sub]domain: 13 | # add_header "Access-Control-Allow-Origin" "subdomain.example.com"; 14 | # OR 15 | # add_header "Access-Control-Allow-Origin" "*.example.com"; 16 | 17 | -------------------------------------------------------------------------------- /docs/developer_resources/onSave.md: -------------------------------------------------------------------------------- 1 | # on_save - v1.0.39 2 | 3 | 4 | 5 | ### load::variables() 6 | 7 | loads variables for save script 8 | 9 | #### arguments: 10 | 11 | - $1 - file 12 | - $2 - workspace 13 | 14 | ### parse::meta_data() 15 | 16 | parses variables from supplied file for post-process 17 | 18 | *function has no arguments* 19 | 20 | ### save::versioning() 21 | 22 | automated incrementation of necessary file version information 23 | 24 | *function has no arguments* 25 | 26 | ### save::documentation() 27 | 28 | automated documentation for files 29 | 30 | *function has no arguments* 31 | 32 | ### save::changelog() 33 | 34 | automated changelog 35 | 36 | *function has no arguments* 37 | 38 | 39 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/common-exploit-prevention.conf: 
-------------------------------------------------------------------------------- 1 | # Common Exploit Prevention 2 | 3 | set $common_exploit 0; 4 | if ($query_string ~ "proc/self/environ") { 5 | set $common_exploit 1; 6 | } 7 | if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { 8 | set $common_exploit 1; 9 | } 10 | if ($query_string ~ "base64_(en|de)code\(.*\)") { 11 | set $common_exploit 1; 12 | } 13 | if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { 14 | set $common_exploit 1; 15 | } 16 | if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { 17 | set $common_exploit 1; 18 | } 19 | if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { 20 | set $common_exploit 1; 21 | } 22 | if ($common_exploit = 1) { 23 | return 403; 24 | } -------------------------------------------------------------------------------- /config/nginx/restrictions.conf: -------------------------------------------------------------------------------- 1 | # Global restrictions configuration file. 2 | # Designed to be included in any server {} block.

3 | location = /favicon.ico { 4 | log_not_found off; 5 | access_log off; 6 | } 7 | 8 | location = /robots.txt { 9 | allow all; 10 | log_not_found off; 11 | access_log off; 12 | } 13 | 14 | # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). 15 | # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) 16 | location ~ /\. { 17 | deny all; 18 | } 19 | 20 | # Deny access to any files with a .php extension in the uploads directory 21 | # Works in sub-directory installs and also in multisite network 22 | # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) 23 | location ~* /(?:uploads|files)/.*\.php$ { 24 | deny all; 25 | } -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/ssl-stapling.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Online Certificate Status Protocol stapling | 3 | # ---------------------------------------------------------------------- 4 | 5 | # OCSP is a lightweight protocol: a single record helps clients verify the 6 | # validity of the server certificate. 7 | # OCSP stapling allows the server to send its cached OCSP record during 8 | # the TLS handshake, without the client having to query a 3rd-party OCSP responder. 
9 | # 10 | # https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling 11 | # https://tools.ietf.org/html/rfc6066#section-8 12 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling 13 | 14 | ssl_stapling on; 15 | ssl_stapling_verify on; 16 | 17 | resolver 1.1.1.1 valid=300s; # Cloudflare 18 | resolver_timeout 5s; -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Windows image file caches 2 | Thumbs.db 3 | ehthumbs.db 4 | 5 | # Folder config file 6 | Desktop.ini 7 | 8 | # Recycle Bin used on file shares 9 | $RECYCLE.BIN/ 10 | 11 | # Windows Installer files 12 | *.cab 13 | *.msi 14 | *.msm 15 | *.msp 16 | 17 | # Windows shortcuts 18 | *.lnk 19 | 20 | # ========================= 21 | # Operating System Files 22 | # ========================= 23 | 24 | # OSX 25 | # ========================= 26 | 27 | .DS_Store 28 | .AppleDouble 29 | .LSOverride 30 | 31 | # Thumbnails 32 | ._* 33 | 34 | # Files that might appear in the root of a volume 35 | .DocumentRevisions-V100 36 | .fseventsd 37 | .Spotlight-V100 38 | .TemporaryItems 39 | .Trashes 40 | .VolumeIcon.icns 41 | 42 | # Directories potentially created on remote AFP share 43 | .AppleDB 44 | .AppleDesktop 45 | Network Trash Folder 46 | Temporary Items 47 | .apdisk 48 | 49 | php8 50 | 51 | setup~origin_deprecated 52 | -------------------------------------------------------------------------------- /setup/templates/vsftpd/vsftpd.conf: -------------------------------------------------------------------------------- 1 | listen=YES 2 | anonymous_enable=NO 3 | guest_enable=NO 4 | dirmessage_enable=YES 5 | dirlist_enable=YES 6 | download_enable=YES 7 | secure_chroot_dir=/var/run/vsftpd/empty 8 | chroot_local_user=YES 9 | chroot_list_file=/etc/vsftpd.chroot_list 10 | passwd_chroot_enable=YES 11 | allow_writeable_chroot=YES 12 | pam_service_name=vsftpd 13 | ssl_enable=YES 14 | 
allow_anon_ssl=NO 15 | force_local_data_ssl=NO 16 | force_local_logins_ssl=NO 17 | ssl_tlsv1=YES 18 | ssl_sslv2=NO 19 | ssl_sslv3=NO 20 | require_ssl_reuse=NO 21 | ssl_request_cert=YES 22 | ssl_ciphers=HIGH 23 | rsa_cert_file=/etc/ssl/private/vsftpd.pem 24 | local_enable=YES 25 | write_enable=YES 26 | local_umask=022 27 | max_per_ip=0 28 | pasv_enable=YES 29 | port_enable=YES 30 | pasv_promiscuous=NO 31 | port_promiscuous=NO 32 | pasv_min_port=110090 33 | pasv_max_port=110100 34 | listen_port={{ftp_port}} 35 | seccomp_sandbox=no 36 | utf8_filesystem=YES 37 | pasv_address={{server_ip}} -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | #[submodule "php7"] 2 | # path = php7 3 | # url = https://github.com/JMSDOnline/vstacklet_php7_base.git 4 | # branch = development 5 | #[submodule "php5"] (deprecated) 6 | # path = php5 7 | # url = https://github.com/JMSDOnline/vstacklet_php5_base.git 8 | # branch = development 9 | #[submodule "hhvm"] 10 | # path = hhvm 11 | # url = https://github.com/JMSDOnline/vstacklet_hhvm_base.git 12 | # branch = development 13 | #[submodule "nginx"] 14 | # path = nginx 15 | # url = https://github.com/JMSDOnline/vstacklet_nginx_base.git 16 | # branch = development 17 | #[submodule "varnish"] 18 | # path = varnish 19 | # url = https://github.com/JMSDOnline/vstacklet_varnish_base.git 20 | # branch = development 21 | #[submodule "packages"] 22 | # path = packages 23 | # url = https://github.com/JMSDOnline/vstacklet_packages.git 24 | # branch = development 25 | #[submodule "php8"] 26 | # path = php8 27 | # url = https://github.com/JMSDOnline/vstacklet_php8_base.git -------------------------------------------------------------------------------- /setup/templates/nginx/acme: -------------------------------------------------------------------------------- 1 | server { 2 | listen {{http_port}}; 3 | listen [::]:{{http_port}}; 4 
| server_name {{domain}}; 5 | 6 | location /.well-known { 7 | alias {{webroot}}/.well-known; 8 | allow all; 9 | default_type "text/plain"; 10 | autoindex on; 11 | } 12 | 13 | } 14 | 15 | # SSL configuration 16 | server { 17 | listen {{https_port}} ssl; 18 | listen [::]:{{https_port}} ssl; 19 | http2 on; 20 | server_name {{domain}}; 21 | ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; 22 | ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; 23 | include server.configs/directives/ssl.conf; 24 | client_max_body_size 40M; 25 | server_tokens off; 26 | root {{webroot}}/; 27 | 28 | index index.html index.php index.htm; 29 | 30 | location ~ \.php$ { 31 | include fcgi.conf; 32 | fastcgi_pass unix:/run/php/php{{php}}-fpm.sock; 33 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 34 | } 35 | 36 | location ~ /\.ht { 37 | deny all; 38 | } 39 | 40 | } -------------------------------------------------------------------------------- /setup/templates/profile: -------------------------------------------------------------------------------- 1 | # /etc/profile: system-wide .profile file for the Bourne shell (sh(1)) 2 | # and Bourne compatible shells (bash(1), ksh(1), ash(1), ...). 3 | 4 | export TERM 5 | TERM=xterm 6 | 7 | if [ "$(id -u)" -eq 0 ]; then 8 | PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" 9 | else 10 | PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games" 11 | fi 12 | export PATH 13 | 14 | if [ "$BASH" ]; then 15 | if [ -f ~/.bashrc ]; then 16 | . ~/.bashrc 17 | fi 18 | fi 19 | 20 | if [ "${PS1-}" ]; then 21 | if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then 22 | # The file bash.bashrc already sets the default PS1. 23 | # PS1='\h:\w\$ ' 24 | if [ -f /etc/bash.bashrc ]; then 25 | . 
/etc/bash.bashrc 26 | fi 27 | else 28 | if [ "$(id -u)" -eq 0 ]; then 29 | PS1='# ' 30 | else 31 | PS1='$ ' 32 | fi 33 | fi 34 | fi 35 | 36 | if [ -d /etc/profile.d ]; then 37 | for i in /etc/profile.d/*.sh; do 38 | if [ -r $i ]; then 39 | . $i 40 | fi 41 | done 42 | unset i 43 | fi 44 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/cache-file-descriptors.conf: -------------------------------------------------------------------------------- 1 | # This tells Nginx to cache open file handles, "not found" errors, metadata about files and their permissions, etc. 2 | # 3 | # The upside of this is that Nginx can immediately begin sending data when a popular file is requested, 4 | # and will also know to immediately send a 404 if a file is missing on disk, and so on. 5 | # 6 | # However, it also means that the server won't react immediately to changes on disk, which may be undesirable. 7 | # 8 | # In the below configuration, inactive files are released from the cache after 20 seconds, whereas 9 | # active (recently requested) files are re-validated every 30 seconds. 10 | # 11 | # Descriptors will not be cached unless they are used at least 2 times within 20 seconds (the inactive time). 12 | # 13 | # A maximum of the 1000 most recently used file descriptors can be cached at any time. 14 | # 15 | # Production servers with stable file collections will definitely want to enable the cache. 
16 | open_file_cache max=1000 inactive=20s; 17 | open_file_cache_valid 30s; 18 | open_file_cache_min_uses 2; 19 | open_file_cache_errors on; 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016-2023 Jason Matthews 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
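--------------------------------------------------------------------------------
/config/varnish/varnish.service:
--------------------------------------------------------------------------------
# systemd unit that starts varnishd with the stack's custom VCL.
#
# Listener and control-channel layout set by ExecStart below:
#   -a :6081                 client HTTP listener; no address is given, so it
#                            binds every interface.
#   -a localhost:8443,PROXY  PROXY-protocol listener, loopback only.
#   -S /etc/varnish/secret   shared secret that authenticates management CLI
#                            sessions; keep the file readable by the service
#                            account only.
#   -T localhost:6082        management CLI. The CLI can load VCL and change
#                            runtime parameters, so bind it to loopback rather
#                            than ":6082" (all interfaces) and do not rely on
#                            the secret file alone to keep it private.
[Unit]
Description=Varnish Cache, a high-performance HTTP accelerator
After=network-online.target nss-lookup.target

[Service]
Type=forking
KillMode=mixed

# Maximum number of open files (for ulimit -n)
LimitNOFILE=131072

# Shared memory (VSM) segments are tentatively locked in memory. The
# default value for vsl_space (or shorthand varnishd -l option) is 80MB.
# There are other types of segments that would benefit from allowing
# more memory to be locked.
LimitMEMLOCK=100M

# Enable this to avoid "fork failed" on reload.
TasksMax=infinity

# Maximum size of the corefile.
# NOTE(review): a core of the cache process can contain cached response
# data; confirm where cores are written and who can read them.
LimitCORE=infinity

# A PID file makes the main process selection deterministic.
RuntimeDirectory=%N
PIDFile=%t/%N/varnishd.pid

ExecStart=/usr/sbin/varnishd \
    -a :6081 \
    -a localhost:8443,PROXY \
    -f /etc/varnish/custom.vcl \
    -P %t/%N/varnishd.pid \
    -p feature=+http2 \
    -s malloc,1g \
    -S /etc/varnish/secret \
    -T localhost:6082
ExecReload=/usr/sbin/varnishreload

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/config/nginx/server.configs/directives/content-security-policy.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Content Security Policy (CSP)                                      |
# ----------------------------------------------------------------------

# Mitigate the risk of cross-site scripting and other content-injection
# attacks.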
#
# This can be done by setting a `Content Security Policy` which
# whitelists trusted sources of content for your website.
#
# The example header below allows ONLY scripts that are loaded from
# the current website's origin (no inline scripts, no CDN, etc).
# That almost certainly won't work as-is for your website!
#
# To make things easier, you can use an online CSP header generator
# such as: https://www.cspisawesome.com/.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://www.w3.org/TR/CSP3/
# https://content-security-policy.com/
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/

# Only `script-src` and `object-src` are restricted by this policy. There is
# no `default-src`, so every other resource type (styles, images, frames,
# connections, ...) stays unrestricted.
#
# `always` makes nginx send the header on error responses as well.
#
# nginx inherits `add_header` from the enclosing level only when the current
# level defines no `add_header` of its own, so a location that adds any header
# must repeat this one or its responses go out without a CSP.
add_header Content-Security-Policy "script-src 'self'; object-src 'self'" always;

--------------------------------------------------------------------------------
/config/nginx/server.configs/directives/cloudflare-real-ip.conf:
--------------------------------------------------------------------------------
# CloudFlare Real IP

######################################################################
## CloudFlare support - see:
# https://support.cloudflare.com/hc/en-us/articles/200170706-Does-CloudFlare-have-an-IP-module-for-Nginx-
######################################################################
# Each `set_real_ip_from` range is a network that nginx will believe when it
# supplies the client address in the real-IP header. The list is a static
# copy; NOTE(review): compare it with the ranges Cloudflare currently
# publishes before deploying, because a stale entry extends that trust to
# whoever holds the range now.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 2400:cb00::/32;
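set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
# {{server_ip}} is a template placeholder; once filled in, the real-IP header
# is trusted from that address too (presumably the local proxy in front of
# this server - confirm against the installer).
set_real_ip_from {{server_ip}};
# X-Forwarded-For is honoured only on connections that arrive from one of the
# set_real_ip_from networks; from any other peer the header is ignored.
real_ip_header X-Forwarded-For;

--------------------------------------------------------------------------------
/config/nginx/server.configs/location/protect-system-files.conf:
--------------------------------------------------------------------------------
# Block access to all hidden files and directories with the exception of
# the visible content from within the `/.well-known/` hidden directory.
#
# These types of files usually contain user preferences or the preserved
# state of a utility, and can include rather private places like, for
# example, the `.git` or `.svn` directories.
#
# The `/.well-known/` directory represents the standard (RFC 5785) path
# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible
# content should not be blocked.
#
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785

location ~* /\.(?!well-known\/) {
  deny all;
}

# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
#
# Regex locations are tried in file order and the first match wins, so this
# pattern has to carry the same `/.well-known/` exclusion as the rule above.
# Without it, requests under `/.well-known/` pass the first rule and are
# denied here, which blocks e.g. ACME HTTP-01 validation files.
location ~* (?:^|/)\.(?!well-known\/) {
  deny all;
}

# Prevent clients from accessing backup/config/source files
# (editor swap files, dumps, logs and similar leftovers in the web root).
location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
  deny all;
}

--------------------------------------------------------------------------------
/config/nginx/fcgi.conf:
--------------------------------------------------------------------------------

# FastCGI environment handed to the PHP backend.
#
# NOTE(review): SCRIPT_FILENAME is set twice in this file (here from
# $document_root$fastcgi_script_name, further down from $request_filename).
# Which value the backend ends up using depends on how it resolves duplicate
# parameters - confirm and keep a single definition.
fastcgi_param SCRIPT_FILENAME   $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING      $query_string;
fastcgi_param REQUEST_METHOD    $request_method;
fastcgi_param CONTENT_TYPE      $content_type;
fastcgi_param CONTENT_LENGTH    $content_length;

fastcgi_param SCRIPT_NAME       $fastcgi_script_name;
fastcgi_param REQUEST_URI       $request_uri;
fastcgi_param DOCUMENT_URI      $document_uri;
fastcgi_param DOCUMENT_ROOT     $document_root;
fastcgi_param SERVER_PROTOCOL   $server_protocol;
fastcgi_param HTTPS             $https if_not_empty;
fastcgi_param SCRIPT_FILENAME   $request_filename;
fastcgi_param PATH_INFO         $fastcgi_path_info;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE   nginx/$nginx_version;

fastcgi_param REMOTE_ADDR       $remote_addr;
fastcgi_param REMOTE_PORT       $remote_port;
fastcgi_param SERVER_ADDR       $server_addr;
fastcgi_param SERVER_PORT       $server_port;
fastcgi_param SERVER_NAME       $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS   200;

# Never hand a client-supplied "Proxy" request header to the application as
# HTTP_PROXY (the "httpoxy" class of issue): CGI-style environments map the
# header onto the variable that many HTTP client libraries read their
# outbound proxy from.
fastcgi_param HTTP_PROXY        "";

--------------------------------------------------------------------------------
/config/nginx/wordpress.conf:
--------------------------------------------------------------------------------
# WordPress single site rules.
# Designed to be included in any server {} block.

# This order might seem weird - this is attempted to match last if rules below fail.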
5 | # http://wiki.nginx.org/HttpCoreModule 6 | location / { 7 | try_files $uri $uri/ /index.php?$args; 8 | } 9 | 10 | # Add trailing slash to */wp-admin requests. 11 | rewrite /wp-admin$ $scheme://$host$uri/ permanent; 12 | 13 | # Directives to send expires headers and turn off 404 error logging. 14 | location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { 15 | access_log off; 16 | log_not_found off; 17 | expires max; 18 | } 19 | 20 | # Uncomment one of the lines below for the appropriate caching plugin (if used). 21 | #include global/wordpress-wp-super-cache.conf; 22 | #include global/wordpress-w3-total-cache.conf; 23 | 24 | # Pass all .php files onto a php-fpm/php-fcgi server. 25 | location ~ [^/]\.php(/|$) { 26 | fastcgi_split_path_info ^(.+?\.php)(/.*)$; 27 | if (!-f $document_root$fastcgi_script_name) { 28 | return 404; 29 | } 30 | # This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default) 31 | 32 | include fastcgi_params; 33 | fastcgi_index index.php; 34 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 35 | # fastcgi_intercept_errors on; 36 | fastcgi_pass unix:/var/run/php{{php}}-fpm.sock; 37 | } -------------------------------------------------------------------------------- /setup/templates/bashrc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | export TERM 4 | TERM=xterm 5 | 6 | case $- in 7 | *i*) ;; 8 | *) return ;; 9 | esac 10 | [[ -z ${debian_chroot:-} && -r /etc/debian_chroot ]] && debian_chroot=$(cat /etc/debian_chroot) 11 | case "${TERM}" in 12 | xterm-color | *-256color) color_prompt=yes ;; 13 | *) ;; 14 | esac 15 | if [[ -n ${force_color_prompt:-} ]]; then 16 | if [[ -x /usr/bin/tput ]] && tput setaf 1 >&/dev/null; then 17 | color_prompt=yes 18 | else 19 | color_prompt= 20 | fi 21 | fi 22 | if [[ ${color_prompt} 
== yes ]]; then 23 | PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' 24 | else 25 | PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' 26 | fi 27 | unset color_prompt force_color_prompt 28 | case "${TERM}" in 29 | xterm* | rxvt*) PS1="\[\e]0;${debian_chroot:+(${debian_chroot})}\u@\h: \w\a\]${PS1}" ;; 30 | *) ;; 31 | esac 32 | if [[ -x "/usr/bin/dircolors" ]]; then 33 | # shellcheck disable=SC2015 34 | test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" 35 | alias ls='ls --color=auto' 36 | alias ll='ls --color=auto -l' 37 | alias la='ls --color=auto -lA' 38 | alias grep='grep --color=auto' 39 | alias fgrep='fgrep --color=auto' 40 | alias egrep='egrep --color=auto' 41 | alias v='ls --color=auto -lA' 42 | alias vsb='vs-backup' 43 | alias vsp='vs-perms' 44 | fi 45 | alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"' 46 | # shellcheck disable=SC1090 47 | [[ -f ~/.bash_aliases ]] && . ~/.bash_aliases 48 | -------------------------------------------------------------------------------- /docs/bin/www-permissions-standalone.sh.md: -------------------------------------------------------------------------------- 1 | # www-permissions-standalone.sh - v3.1.1070 2 | 3 | 4 | --- 5 | 6 | vs-perms can be used on any server to set the correct permissions 7 | for the web root directory, but it is designed to work with the vStacklet 8 | server stack. This script will set the correct permissions for the web root 9 | directory. 10 | Please ensure you have read the documentation before continuing. 
11 | 12 | --- 13 | 14 | - [vStacklet Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet.sh.md) 15 | - [vStacklet Server Stack Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet-server-stack.sh.md) 16 | - [vStacklet www-permissions](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/www-permissions.sh.md) 17 | 18 | --- 19 | 20 | This script will do the following: 21 | - Download the latest version of vs-perms. 22 | - Convert vs-perms shell scripts to executable. 23 | - Move `vs-perms` to /usr/local/bin for system execution. 24 | - From there, you can run `vs-perms` from anywhere on your server to do the following: 25 | - Check the www-data group exists, if not, create it. 26 | - Check the user group exists, if not, create it. 27 | - Check the user exists, if not, create it. 28 | - Check the user is a member of the www-data group, if not, add them. 29 | - Set the correct permissions for the web root directory. 30 | - see `vs-perms -h` for more information. 31 | 32 | --- 33 | 34 | 35 | 36 | ### vstacklet::vsperms::standalone() 37 | 38 | This function will download the latest version of vs-perms 39 | and install it on your server. It will also convert vs-perms shell scripts 40 | to executable. From there, you can run vs-perms from anywhere on your server. 41 | [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions-standalone.sh#L61-L66) 42 | 43 | --- 44 | 45 | ### vstacklet::vsperms::outro() 46 | 47 | This function will display the outro. 
[see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions-standalone.sh#L74-L86) 48 | 49 | --- 50 | 51 | 52 | -------------------------------------------------------------------------------- /docs/bin/backup/vstacklet-backup-standalone.sh.md: -------------------------------------------------------------------------------- 1 | # vstacklet-backup-standalone.sh - v3.1.1147 2 | 3 | 4 | --- 5 | 6 | vs-backup can be used on any server to backup files, directories and mysql 7 | databases, but it is designed to work with the vStacklet server stack. 8 | This script will backup your database and files. 9 | Please ensure you have read the documentation before continuing. 10 | 11 | --- 12 | 13 | - [vStacklet Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet.sh.md) 14 | - [vStacklet Server Stack Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet-server-stack.sh.md) 15 | - [vStacklet VS-Backup Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/backup/vs-backup.md) 16 | 17 | --- 18 | 19 | This script will do the following: 20 | - Download the latest version of vs-backup. 21 | - Convert vs-backup shell scripts to executable. 22 | - Move `vs-backup` to /usr/local/bin for system execution. 23 | - From there, you can run `vs-backup` from anywhere on your server to do the following: 24 | - Backup your database. 25 | - Backup your files. 26 | - Compress the backup files. (default: tar.gz - for files and sql.gz - for database) 27 | - Automatically encrypt the backup files. (password: set to your database password by default - `-dbpass`) 28 | - Retain the backup files based on the retention options. (default: 7 days) 29 | - see `vs-backup -h` for more information. 30 | 31 | --- 32 | 33 | 34 | 35 | ### vstacklet::vsbackup::standalone() 36 | 37 | This function will download the latest version of vs-backup 38 | and install it on your server. 
It will also convert vs-backup shell scripts 39 | to executable. From there, you can run vs-backup from anywhere on your server. 40 | [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vstacklet-backup-standalone.sh#L60-L67) 41 | 42 | --- 43 | 44 | ### vstacklet::vsbackup::outro() 45 | 46 | This function will display the outro. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vstacklet-backup-standalone.sh#L75-L87) 47 | 48 | --- 49 | 50 | 51 | -------------------------------------------------------------------------------- /config/nginx/server.configs/location/expires.conf: -------------------------------------------------------------------------------- 1 | # Expire rules for static content 2 | 3 | # No default expire rule. This config mirrors that of apache as outlined in the 4 | # html5-boilerplate .htaccess file. However, nginx applies rules by location, 5 | # the apache rules are defined by type. A concequence of this difference is that 6 | # if you use no file extension in the url and serve html, with apache you get an 7 | # expire time of 0s, with nginx you'd get an expire header of one month in the 8 | # future (if the default expire rule is 1 month). Therefore, do not use a 9 | # default expire rule with nginx unless your site is completely static 10 | 11 | # cache.appcache, your document html and data 12 | location ~* \.(?:manifest|appcache|html?|xml|json)$ { 13 | expires -1; 14 | access_log /var/log/nginx/static.log; 15 | } 16 | 17 | # Feed 18 | location ~* \.(?:rss|atom)$ { 19 | expires 1h; 20 | add_header Cache-Control "public"; 21 | } 22 | 23 | # Media: svgz files are already compressed. 
location ~* \.svgz$ {
  access_log off;
  gzip off;
  expires 1M;
}

# Notes that apply to every location below:
# - Regex locations are tried in file order and the first match wins, so an
#   extension listed in more than one block is served by the first block
#   that names it (e.g. `mp4` and `ogg` are taken by "Image files" and never
#   reach the Audio/Video blocks).
# - Each block that uses `add_header` stops inheriting `add_header` from the
#   server level; security headers set there must be repeated here if these
#   responses should carry them.
# - `access_log off` means requests for these files leave no access-log
#   entry, which also removes them from any later log review.

# CSS and JavaScript : 1 year
location ~* \.(?:css|js)$ {
  access_log off; log_not_found off;
  expires 1y;
  add_header Cache-Control "public";
}

# Image files : 1 month
# (the list also contains non-image extensions: gz, mp4, ogg, ogv, webm, htc)
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
  access_log off; log_not_found off;
  expires 1M;
  add_header Cache-Control "public";
}

# Document files : 1 month
location ~* \.(pdf|txt|xml)$ {
  access_log off; log_not_found off;
  expires 1M;
  add_header Cache-Control "public";
}

# Audio files : 1 month
location ~* \.(mid|midi|mp3|m4a|m4r|aif|aiff|ra|wav|voc|ogg)$ {
  access_log off; log_not_found off;
  expires 1M;
  add_header Cache-Control "public";
}

# Video files : 1 month
location ~* \.(swf|vrml|avi|mkv|mpg|mpeg|mp4|m4v|mov|asf)$ {
  access_log off; log_not_found off;
  expires 1M;
  add_header Cache-Control "public";
}

# WebFonts
# If you are NOT using cross-domain-fonts.conf, uncomment the following directive
# location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
#  expires 1M;
#  access_log off;
#  add_header Cache-Control "public";
# }

--------------------------------------------------------------------------------
/config/nginx/server.configs/directives/compression.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------

# https://nginx.org/en/docs/http/ngx_http_gzip_module.html

# Enable gzip compression.
# Default: off
# NOTE(review): compressing TLS responses that mix secrets (tokens, session
# data) with request-controlled content is the precondition for compression
# side-channel attacks; confirm which dynamic responses should be compressed.
gzip on;

# Compression level (1-9).
12 | # 5 is a perfect compromise between size and CPU usage, offering about 13 | # 75% reduction for most ASCII files (almost identical to level 9). 14 | # Default: 1 15 | gzip_comp_level 5; 16 | 17 | # Don't compress anything that's already small and unlikely to shrink much 18 | # if at all (the default is 20 bytes, which is bad as that usually leads to 19 | # larger files after gzipping). 20 | # Default: 20 21 | gzip_min_length 256; 22 | 23 | # Compress data even for clients that are connecting to us via proxies, 24 | # identified by the "Via" header (required for CloudFront). 25 | # Default: off 26 | gzip_proxied any; 27 | 28 | # Tell proxies to cache both the gzipped and regular version of a resource 29 | # whenever the client's Accept-Encoding capabilities header varies; 30 | # Avoids the issue where a non-gzip capable client (which is extremely rare 31 | # today) would display gibberish if their proxy gave them the gzipped version. 32 | # Default: off 33 | gzip_vary on; 34 | 35 | # Compress all output labeled with one of the following MIME-types. 36 | # text/html is always compressed by gzip module. 37 | # Default: text/html 38 | gzip_types 39 | application/atom+xml 40 | application/javascript 41 | application/json 42 | application/ld+json 43 | application/manifest+json 44 | application/rss+xml 45 | application/geo+json 46 | application/vnd.ms-fontobject 47 | application/x-font-ttf 48 | application/x-web-app-manifest+json 49 | application/xhtml+xml 50 | application/xml 51 | application/rdf+xml 52 | font/collection 53 | font/opentype 54 | font/otf 55 | font/ttf 56 | image/bmp 57 | image/svg+xml 58 | image/x-icon 59 | text/cache-manifest 60 | text/css 61 | text/javascript 62 | text/plain 63 | text/vcard 64 | text/vnd.rim.location.xloc 65 | text/vtt 66 | text/x-component 67 | text/x-cross-domain-policy; 68 | 69 | # This should be turned on if you are going to have pre-compressed copies (.gz) of 70 | # static files available. 
If not it should be left off as it will cause extra I/O
# for the check. It is best if you enable this in a location{} block for
# a specific directory, or on an individual server{} level.
# gzip_static on;

--------------------------------------------------------------------------------
/config/nginx/nginx.conf:
--------------------------------------------------------------------------------
# nginx Configuration File
# http://wiki.nginx.org/Configuration

# Worker processes run as the www-data user and group.
user www-data www-data;
worker_processes auto;
worker_rlimit_nofile 8192;

events {
    worker_connections 8000;
    multi_accept on;
    use epoll;
}

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

http {
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    types_hash_max_size 2048;
    # Upper bound for request bodies across all sites unless a server or
    # location overrides it.
    # NOTE(review): 1G lets any client upload that much per request; confirm
    # the limit is needed globally rather than on specific upload endpoints.
    client_max_body_size 1G;
    index index.php index.html index.htm;

    include mime.types;
    default_type application/octet-stream;
    charset_types text/css
                  text/xml
                  text/plain
                  text/vnd.wap.wml
                  application/x-javascript
                  application/rss+xml
                  application/javascript
                  application/json;

    # $http_referer, $http_user_agent and $http_x_forwarded_for are
    # client-supplied request headers written to the log as received; treat
    # them as untrusted when the log is parsed or displayed.
    log_format main
        '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Compression
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types application/atom+xml
               application/javascript
               application/json
               application/rss+xml
               application/vnd.ms-fontobject
               application/x-font-ttf
               application/x-web-app-manifest+json
               application/xhtml+xml
               application/xml
               font/opentype
               image/svg+xml
               image/x-icon
               text/css
               text/plain
               text/x-component;
    # text/html is always compressed by HttpGzipModule
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    # Enabled for every site here, although compression.conf advises turning
    # it on per location{} or server{} because of the extra I/O for the check.
    gzip_static on;

    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score as of Sept 2015.
    # NOTE(review): the commented values below date from 2015. TLSv1 and
    # TLSv1.1 are deprecated and the cipher string still admits 3DES; revise
    # both before uncommenting.
    #ssl_session_cache shared:SSL:20m;
    #ssl_session_timeout 10m;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_prefer_server_ciphers on;
    #ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';

    # Defines the "phpcache" zone only; a server/location must opt in with
    # `fastcgi_cache phpcache` for anything to be cached.
    fastcgi_cache_path /etc/nginx/cache
                       levels=1:2
                       keys_zone=phpcache:100m
                       max_size=1000m
                       inactive=600m;
    # The key has no cookie or session component: two users requesting the
    # same URL map to the same cache entry.
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    # note: can also use HTTP headers to form the cache key, e.g.
    #fastcgi_cache_key $scheme$request_method$host$request_uri$http_x_custom_header;
    fastcgi_cache_lock on;
    fastcgi_cache_use_stale error timeout invalid_header updating http_500;
    fastcgi_cache_valid 5m;
    # Ignoring Set-Cookie removes nginx's default refusal to cache responses
    # that set a cookie, and ignoring Cache-Control/Expires removes the
    # application's own "do not cache" signal. Any location that enables the
    # cache therefore needs explicit fastcgi_cache_bypass / fastcgi_no_cache
    # rules for logged-in and per-user responses, or one user's response can
    # be served to another.
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

    # Sites Enabled
    include /etc/nginx/sites-enabled/*;
    # Virtual Host Configs
    include /etc/nginx/conf.d/*.conf;

}
--------------------------------------------------------------------------------
/config/php5/nginx/default.php5.conf.deprecated:
--------------------------------------------------------------------------------
# Deprecated PHP 5 site template (per the file name); "sitename" is a
# placeholder for the site's name in the server_name, log and root paths.
server {
    listen *:8080;
    listen [::]:8080;
    # listen [::]:443 ssl http2;
    # listen *:443 ssl http2;
    server_name sitename;

    access_log /srv/www/sitename/logs/sitename_access.log;
    error_log /srv/www/sitename/logs/sitename_error.log;

    # include vstacklet/directive-only/ssl.conf;
    # ssl_certificate /srv/www/sitename/ssl/sitename.crt;
    # ssl_certificate_key /srv/www/sitename/ssl/sitename.key;
    root /srv/www/sitename/public;
    index index.html index.htm index.php;


    # These options are
for nginx caching. 19 | # Update the uri paths to match your needs. 20 | # Typically you would want to add 21 | # /wp-admin/ - Wordpress 22 | # /administrator/ - Joomla! etc... 23 | set $no_cache 0; 24 | if ($query_string) { 25 | set $no_cache 1; 26 | } 27 | if ($http_x_custom_header) { 28 | set $no_cache 0; 29 | } 30 | if ($request_uri ~* "/(your-admin-login/)") { 31 | set $no_cache 1; 32 | } 33 | if ($request_uri ~* "/(another-link/)") { 34 | set $no_cache 1; 35 | } 36 | if ($http_cookie ~ "users_login_cookie") { 37 | set $no_cache 1; 38 | } 39 | 40 | location ~ [^/]\.php(/|$) { 41 | try_files $uri =404; 42 | 43 | # These options are for nginx caching. 44 | # All cached files are stored in /etc/nginx/cache. 45 | # Uncomment if caching with Nginx is your jam! 46 | #fastcgi_cache phpcache; 47 | #fastcgi_cache_methods GET HEAD; 48 | #add_header X-Fastcgi-Cache $upstream_cache_status; 49 | #fastcgi_cache_bypass $no_cache; 50 | #fastcgi_no_cache $no_cache; 51 | #fastcgi_cache_valid 200 302 60m; 52 | #fastcgi_cache_valid 404 5m; 53 | #proxy_read_timeout 300; 54 | 55 | # These are typical nginx settings. 56 | fastcgi_split_path_info ^(.+\.php)(/.+)$; 57 | fastcgi_index index.php; 58 | include fcgi.conf; 59 | fastcgi_pass unix:/var/run/php/php5.6-fpm.sock; 60 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 61 | fastcgi_read_timeout 300; 62 | fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control; 63 | } 64 | 65 | # Location Functions 66 | locconf1 67 | locconf2 68 | locconf3 69 | locconf4 70 | 71 | # Security Functions 72 | secconf1 73 | secconf2 74 | secconf3 75 | 76 | # WordPress Specific 77 | # include wordpress.conf; 78 | # include restrictions.conf; 79 | # We only enable this option if either W3TC is in effect on a WordPress install 80 | # Or you manage an override from your application root. 81 | # An example would be that of Admin Tools for Joomla! 
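# include /srv/www/sitename/public/nginx.conf;

}
--------------------------------------------------------------------------------
/config/php8/nginx/varnish/default.php8.conf:
--------------------------------------------------------------------------------
# TLS terminator: accepts HTTPS for {{domain}} and proxies every request to
# Varnish on the loopback interface. {{...}} values are template placeholders.
server {
    listen {{https_port}} ssl;
    listen [::]:{{https_port}} ssl;
    http2 on;
    server_name {{domain}};
    port_in_redirect off;

    # "snakeoil" is the distribution's self-signed placeholder pair; clients
    # cannot validate it. Presumably replaced when a real certificate is
    # issued - confirm against the installer.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # NOTE(review): these caching headers sit at server level, so they are
    # added to every proxied response, including dynamic and per-user pages.
    # "public" with a one-year lifetime invites browsers and shared caches to
    # store such pages; consider limiting them to static-asset locations.
    expires 365d;
    add_header Pragma public;
    add_header Cache-Control "public";
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Content-Type-Options nosniff;

    location / {
        proxy_pass http://127.0.0.1:{{varnish_port}};
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Hard-coded 443 even though the listener uses {{https_port}}.
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
        proxy_set_header HTTPS "on";
        # NOTE(review): 24-hour timeouts let a stalled client or upstream
        # hold a connection for a day; confirm such long-running requests
        # are expected.
        proxy_connect_timeout 86400;
        proxy_send_timeout 86400;
        proxy_read_timeout 86400;
        send_timeout 86400;
        client_max_body_size 50m;
        client_body_buffer_size 16k;

        access_log /var/log/vstacklet/{{domain}}.access.log;
        error_log /var/log/vstacklet/{{domain}}.error.log notice;
    }

    # Served straight from disk so validation files (e.g. ACME HTTP-01) never
    # go through the cache.
    location /.well-known {
        alias {{webroot}}/.well-known;
        allow all;
        default_type "text/plain";
        # Directory listings are not needed to serve validation files and
        # would expose the name of every file placed under .well-known.
        autoindex off;
    }
}

# Backend: plain-HTTP server that executes PHP. It is the origin for the
# proxy chain above, so it should not be reachable directly by clients.
server {
    listen {{http_port}};
    listen [::]:{{http_port}};
    server_name {{domain}};
    root {{webroot}}/public;
    index index.html index.htm index.php;
    port_in_redirect off;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Plain prefix location: regex locations pulled in by the includes below
    # are still evaluated for these URIs and take precedence when they match.
    location /.well-known {
        alias {{webroot}}/.well-known;
        allow all;
        default_type "text/plain";
        # See the HTTPS server above: no directory listing for this tree.
        autoindex off;
    }

    location ~ \.php$ {
        # Only hand the request to PHP when the script exists on disk, so a
        # crafted path cannot make PHP execute some other file.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fcgi.conf;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Tells PHP the request was HTTPS unconditionally, although this
        # listener is plain HTTP. NOTE(review): that holds only while every
        # request arrives through the TLS terminator above.
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/var/run/php/php{{php}}-fpm.sock;
    }

    # Add age headers to various static resources. Tune to your liking.
    # This location defines its own add_header lines, so it does not inherit
    # any add_header set at server level by the included directive files.
    location ~* \.(?:css|js|woff|woff2|svg|gif|png|jpg|jpeg|ico|ttf|otf)$ {
        expires 365d;
        add_header Pragma public;
        add_header Cache-Control "public";
        add_header X-Content-Type-Options nosniff;
    }

    # Location Profiles
    include server.configs/location/cache-busting.conf;
    include server.configs/location/cross-domain-fonts.conf;
    include server.configs/location/expires.conf;
    include server.configs/location/protect-system-files.conf;

    # Security Profiles
    include server.configs/directives/cloudflare-real-ip.conf;
    include server.configs/directives/common-exploit-prevention.conf;
    include server.configs/directives/mime-type-security.conf;
    include server.configs/directives/reflected-xss-prevention.conf;
    include server.configs/directives/sec-bad-bots.conf;
    include server.configs/directives/sec-file-injection.conf;
    include server.configs/directives/sec-php-easter-eggs.conf;
    include server.configs/directives/server-security-options.conf;
    include server.configs/directives/socket-settings.conf;

    # We only enable this option if either W3TC is in effect on a WordPress install
    # Or you manage an override from your application root.
    # An example would be that of Admin Tools for Joomla!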
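# include {{webroot}}/public/nginx.conf;
}
--------------------------------------------------------------------------------
/config/php7/nginx/varnish/default.php7.conf:
--------------------------------------------------------------------------------
# TLS terminator: accepts HTTPS for {{domain}} and proxies every request to
# Varnish on the loopback interface. {{...}} values are template placeholders.
server {
    listen {{https_port}} ssl;
    listen [::]:{{https_port}} ssl;
    http2 on;
    server_name {{domain}};
    port_in_redirect off;

    # "snakeoil" is the distribution's self-signed placeholder pair; clients
    # cannot validate it. Presumably replaced when a real certificate is
    # issued - confirm against the installer.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # NOTE(review): these caching headers sit at server level, so they are
    # added to every proxied response, including dynamic and per-user pages.
    # "public" with a one-year lifetime invites browsers and shared caches to
    # store such pages; consider limiting them to static-asset locations.
    expires 365d;
    add_header Pragma public;
    add_header Cache-Control "public";
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Content-Type-Options nosniff;

    location / {
        proxy_pass http://127.0.0.1:{{varnish_port}};
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Hard-coded 443 even though the listener uses {{https_port}}.
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
        proxy_set_header HTTPS "on";
        # NOTE(review): 24-hour timeouts let a stalled client or upstream
        # hold a connection for a day; confirm such long-running requests
        # are expected.
        proxy_connect_timeout 86400;
        proxy_send_timeout 86400;
        proxy_read_timeout 86400;
        send_timeout 86400;
        client_max_body_size 50m;
        client_body_buffer_size 16k;

        access_log /var/log/vstacklet/{{domain}}.access.log;
        error_log /var/log/vstacklet/{{domain}}.error.log notice;
    }

    # Served straight from disk so validation files (e.g. ACME HTTP-01) never
    # go through the cache.
    location /.well-known {
        alias {{webroot}}/.well-known;
        allow all;
        default_type "text/plain";
        # Directory listings are not needed to serve validation files and
        # would expose the name of every file placed under .well-known.
        autoindex off;
    }
}

# Backend: plain-HTTP server that executes PHP. It is the origin for the
# proxy chain above, so it should not be reachable directly by clients.
server {
    listen {{http_port}};
    listen [::]:{{http_port}};
    server_name {{domain}};
    root {{webroot}}/public;
    index index.html index.htm index.php;
    port_in_redirect off;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Plain prefix location: regex locations pulled in by the includes below
    # are still evaluated for these URIs and take precedence when they match.
    location /.well-known {
        alias {{webroot}}/.well-known;
        allow all;
        default_type "text/plain";
        # See the HTTPS server above: no directory listing for this tree.
        autoindex off;
    }

    location ~ \.php$ {
        # Only hand the request to PHP when the script exists on disk, so a
        # crafted path cannot make PHP execute some other file.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fcgi.conf;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Tells PHP the request was HTTPS unconditionally, although this
        # listener is plain HTTP. NOTE(review): that holds only while every
        # request arrives through the TLS terminator above.
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/var/run/php/php{{php}}-fpm.sock;
    }

    # Add age headers to various static resources. Tune to your liking.
    # This location defines its own add_header lines, so it does not inherit
    # any add_header set at server level by the included directive files.
    location ~* \.(?:css|js|woff|woff2|svg|gif|png|jpg|jpeg|ico|ttf|otf)$ {
        expires 365d;
        add_header Pragma public;
        add_header Cache-Control "public";
        add_header X-Content-Type-Options nosniff;
    }

    # Location Profiles
    include server.configs/location/cache-busting.conf;
    include server.configs/location/cross-domain-fonts.conf;
    include server.configs/location/expires.conf;
    include server.configs/location/protect-system-files.conf;
    #include server.configs/location/letsencrypt.conf;

    # Security Profiles
    include server.configs/directives/cloudflare-real-ip.conf;
    include server.configs/directives/common-exploit-prevention.conf;
    include server.configs/directives/mime-type-security.conf;
    include server.configs/directives/reflected-xss-prevention.conf;
    include server.configs/directives/sec-bad-bots.conf;
    include server.configs/directives/sec-file-injection.conf;
    include server.configs/directives/sec-php-easter-eggs.conf;
    include server.configs/directives/server-security-options.conf;
    include server.configs/directives/socket-settings.conf;

    # We only enable this option if either W3TC is in effect on a WordPress install
    # Or you manage an override from your application root.
    # An example would be that of Admin Tools for Joomla!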
104 | # include {{webroot}}/public/nginx.conf; 105 | } -------------------------------------------------------------------------------- /docs/setup/vstacklet.sh.md: -------------------------------------------------------------------------------- 1 | # vstacklet.sh - v3.1.1096 2 | 3 | 4 | --- 5 | 6 | This script is designed to be run on a fresh Ubuntu 20.04/22.04 or 7 | Debian 11/12 server. I have done my best to keep it tidy and with as much 8 | error checking as possible. Couple this with loads of comments and you should 9 | have a pretty good idea of what is going on. If you have any questions, 10 | comments, or suggestions, please feel free to open an issue on GitHub. 11 | 12 | --- 13 | 14 | - Documentation is available at: [/docs/](https://github.com/JMSDOnline/vstacklet/tree/main/docs) 15 | - :book: [vStacklet Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet.sh.md) 16 | - :book: [vStacklet Server Stack Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet-server-stack.sh.md) 17 | - :book: [vStacklet VS-Perms (www-permissions.sh) Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/www-permissions.sh.md) 18 | - :book: [vStacklet vs-perms (www-permissions-standalone.sh) Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/www-permissions-standalone.sh.md) 19 | - :book: [vStacklet VS-Backup (vs-backup) Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/backup/vs-backup.md) 20 | - :book: [vStacklet vs-backup (vstacklet-backup-standalone.sh) Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/backup/vstacklet-backup-standalone.sh.md) 21 | 22 | --- 23 | 24 | vStacklet will install and configure the following: 25 | - NGinx 1.25.+ (mainline) | 1.18.+ (extras) (HTTP Server) 26 | - PHP 7.4 (FPM) with common extensions 27 | - PHP 8.1 (FPM) with common extensions 28 | - PHP 8.3 (FPM) with common extensions 29 | - 
MariaDB 10.11.+ (MySQL Database) 30 | - Varnish 7.4.x (HTTP Cache) 31 | - CSF 14.+ (Config Server Firewall) 32 | - and more! 33 | 34 | --- 35 | 36 | 37 | 38 | ### vstacklet::environment::checkroot() 39 | 40 | Check if the user is root. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/setup/vstacklet.sh#L66-L71) 41 | 42 | --- 43 | 44 | ### vstacklet::environment::functions() 45 | 46 | Stage various functions for the setup environment. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/setup/vstacklet.sh#L80-L245) 47 | 48 | ![@dev-note: This function is required](https://img.shields.io/badge/%40dev--note-This%20function%20is%20required-blue) 49 | 50 | --- 51 | 52 | ### vstacklet::setup::variables() 53 | 54 | Set the variables for the setup. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/setup/vstacklet.sh#L254-L312) 55 | 56 | notes: this script function is responsible for setting the variables for the setup. 57 | 58 | --- 59 | 60 | ### vstacklet::setup::download() 61 | 62 | Setup the environment and download vStacklet. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/setup/vstacklet.sh#L337-L396) 63 | 64 | notes: 65 | - This script function is responsible for downloading vStacklet from GitHub 66 | and setting up the environment for the installation. 67 | - VStacklet will be downloaded to `/opt/vstacklet`. 68 | - `vstacklet-server-stack.sh` will be loaded to `/usr/local/bin/vstacklet`. This 69 | will allow you to run `vstacklet [options] [args]` from anywhere on the server. 70 | - `vs-backup` will be loaded to `/usr/local/bin/vs-backup`. This 71 | will allow you to run `vs-backup` from anywhere on the server. 72 | - `www-permissions.sh` will be loaded to `/usr/local/bin/vs-perms`. This 73 | will allow you to run `vs-perms` from anywhere on the server. 74 | - This script function will also check for the existence of the required 75 | packages and install them if they are not found. 
76 | - these include: 77 | ```bash 78 | curl sudo wget git apt-transport-https lsb-release dnsutils openssl 79 | ``` 80 | 81 | --- 82 | 83 | ### vstacklet::setup::help() 84 | 85 | Display the help menu for the setup script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/setup/vstacklet.sh#L403-L424) 86 | 87 | --- 88 | 89 | ### vstacklet::version::display() 90 | 91 | Display the version of vStacklet. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/setup/vstacklet.sh#L431-L439) 92 | 93 | --- 94 | 95 | ### vstacklet::setup::main() 96 | 97 | Calls functions in required order. 98 | 99 | --- 100 | 101 | 102 | -------------------------------------------------------------------------------- /bin/www-permissions-standalone.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ################################################################################ 3 | # 4 | # @file_name: www-permissions-standalone.sh 5 | # @version: 3.1.1070 6 | # @description: This script will grab the latest version of vs-perms and 7 | # install it on your server. 8 | # 9 | # @project_name: vstacklet 10 | # 11 | # @path: bin/www-permissions-standalone.sh 12 | # 13 | # @brief: vs-perms can be used on any server to set the correct permissions 14 | # for the web root directory, but it is designed to work with the vStacklet 15 | # server stack. This script will set the correct permissions for the web root 16 | # directory. 17 | # Please ensure you have read the documentation before continuing. 
18 | # 19 | # - [vStacklet Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet.sh.md) 20 | # - [vStacklet Server Stack Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet-server-stack.sh.md) 21 | # - [vStacklet www-permissions](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/www-permissions.sh.md) 22 | # 23 | # This script will do the following: 24 | # - Download the latest version of vs-perms. 25 | # - Convert vs-perms shell scripts to executable. 26 | # - Move `vs-perms` to /usr/local/bin for system execution. 27 | # - From there, you can run `vs-perms` from anywhere on your server to do the following: 28 | # - Check the www-data group exists, if not, create it. 29 | # - Check the user group exists, if not, create it. 30 | # - Check the user exists, if not, create it. 31 | # - Check the user is a member of the www-data group, if not, add them. 32 | # - Set the correct permissions for the web root directory. 33 | # - see `vs-perms -h` for more information. 34 | # 35 | # @save_tasks: 36 | # automated_versioning: true 37 | # automated_documentation: true 38 | # 39 | # @build_tasks: 40 | # automated_comment_strip: false 41 | # automated_encryption: false 42 | # 43 | # @author: Jason Matthews (JMSolo) 44 | # @author_contact: https://github.com/JMSDOnline/vstacklet 45 | # 46 | # @license: MIT License (Included in LICENSE) 47 | # Copyright (C) 2016-2024, Jason Matthews 48 | # All rights reserved. 49 | # 50 | ################################################################################ 51 | 52 | ################################################################################ 53 | # @name: vstacklet::vsperms::standalone 54 | # @description: This function will download the latest version of vs-perms 55 | # and install it on your server. It will also convert vs-perms shell scripts 56 | # to executable. From there, you can run vs-perms from anywhere on your server. 
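# [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions-standalone.sh#L61-L66)
#
# @break
################################################################################
vstacklet::vsperms::standalone() {
	# Where vs-perms is fetched from and where it is installed.
	local vsperms_url="https://raw.githubusercontent.com/JMSDOnline/vstacklet/main/bin/www-permissions.sh"
	local vsperms_bin="/usr/local/bin/vs-perms"
	local vsperms_tmp
	# @script-note: stage the download next to the destination so that a failed or
	# truncated transfer never ends up in PATH as an executable
	vsperms_tmp="$(mktemp "${vsperms_bin}.XXXXXX")" || {
		echo "vs-perms: unable to create a temporary file in /usr/local/bin" >&2
		exit 1
	}
	# @script-note: download the latest version of vs-perms
	# -f makes curl fail on an HTTP error instead of saving the error page,
	# -S keeps error output while silent, --proto '=https' refuses non-HTTPS transfers.
	if ! curl -fsS --proto '=https' "${vsperms_url}" -o "${vsperms_tmp}" || [[ ! -s ${vsperms_tmp} ]]; then
		rm -f "${vsperms_tmp}"
		echo "vs-perms: download failed, nothing was installed" >&2
		# exit (not return): the outro is called unconditionally at the end of this
		# script and would otherwise report a successful install
		exit 1
	fi
	# NOTE(review): the file comes from the moving `main` branch and is installed
	# without a checksum or signature check; pinning to a release and comparing a
	# published digest before the move would close that gap.
	# @script-note: convert vs-perms to executable and move it to /usr/local/bin
	# mktemp creates the file with mode 0600, so the mode is set explicitly
	# instead of relying on `chmod +x`.
	if ! { chmod 755 "${vsperms_tmp}" && mv -f "${vsperms_tmp}" "${vsperms_bin}"; }; then
		rm -f "${vsperms_tmp}"
		echo "vs-perms: unable to install ${vsperms_bin}" >&2
		exit 1
	fi
}

################################################################################
# @name: vstacklet::vsperms::outro
# @description: This function will display the outro. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions-standalone.sh#L74-L86)
#
# @break
################################################################################
vstacklet::vsperms::outro() {
	# @script-note: display the outro
	echo "vs-perms (www-permissions) has been installed on your server."
	echo "You can now run vs-perms from anywhere on your server."
	echo "Please see the documentation for more information."
	echo ""
	echo "Documentation can be found here:"
	echo "https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/www-permissions.sh.md"
	echo ""
	echo "You can also run the following command for more information:"
	echo "vs-perms -h"
	echo ""
}

################################################################################
# @description: Calls functions in required order.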
90 | # @break 91 | ################################################################################ 92 | vstacklet::vsperms::standalone 93 | vstacklet::vsperms::outro 94 | -------------------------------------------------------------------------------- /bin/backup/vstacklet-backup-standalone.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ################################################################################ 3 | # 4 | # @file_name: vstacklet-backup-standalone.sh 5 | # @version: 3.1.1147 6 | # @description: This script will grab the latest version of vs-backup and 7 | # install it on your server. 8 | # 9 | # @project_name: vstacklet 10 | # 11 | # @brief: vs-backup can be used on any server to backup files, directories and mysql 12 | # databases, but it is designed to work with the vStacklet server stack. 13 | # This script will backup your database and files. 14 | # Please ensure you have read the documentation before continuing. 15 | # 16 | # - [vStacklet Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet.sh.md) 17 | # - [vStacklet Server Stack Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet-server-stack.sh.md) 18 | # - [vStacklet VS-Backup Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/backup/vs-backup.md) 19 | # 20 | # This script will do the following: 21 | # - Download the latest version of vs-backup. 22 | # - Convert vs-backup shell scripts to executable. 23 | # - Move `vs-backup` to /usr/local/bin for system execution. 24 | # - From there, you can run `vs-backup` from anywhere on your server to do the following: 25 | # - Backup your database. 26 | # - Backup your files. 27 | # - Compress the backup files. (default: tar.gz - for files and sql.gz - for database) 28 | # - Automatically encrypt the backup files. 
(password: set to your database password by default - `-dbpass`) 29 | # - Retain the backup files based on the retention options. (default: 7 days) 30 | # - see `vs-backup -h` for more information. 31 | # 32 | # @path: bin/backup/vstacklet-backup-standalone.sh 33 | # 34 | # @save_tasks: 35 | # automated_versioning: true 36 | # automated_documentation: true 37 | # 38 | # @build_tasks: 39 | # automated_comment_strip: false 40 | # automated_encryption: false 41 | # 42 | # @author: Jason Matthews (JMSolo) 43 | # @author_contact: https://github.com/JMSDOnline/vstacklet 44 | # 45 | # @license: MIT License (Included in LICENSE) 46 | # Copyright (C) 2016-2024, Jason Matthews 47 | # All rights reserved. 48 | # 49 | ################################################################################ 50 | 51 | ################################################################################ 52 | # @name: vstacklet::vsbackup::standalone 53 | # @description: This function will download the latest version of vs-backup 54 | # and install it on your server. It will also convert vs-backup shell scripts 55 | # to executable. From there, you can run vs-backup from anywhere on your server. 
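# [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vstacklet-backup-standalone.sh#L60-L67)
#
# @break
################################################################################
vstacklet::vsbackup::standalone() {
	# Where vs-backup is fetched from and where it is installed.
	local vsbackup_url="https://raw.githubusercontent.com/JMSDOnline/vstacklet/main/bin/backup/vs-backup"
	local vsbackup_bin="/usr/local/bin/vs-backup"
	local vsbackup_copy_dir="/opt/vstacklet/bin/backup"
	local vsbackup_tmp
	# @script-note: stage the download next to the destination so that a failed or
	# truncated transfer never ends up in PATH as an executable
	vsbackup_tmp="$(mktemp "${vsbackup_bin}.XXXXXX")" || {
		echo "vs-backup: unable to create a temporary file in /usr/local/bin" >&2
		exit 1
	}
	# @script-note: download the latest version of vs-backup
	# -f makes curl fail on an HTTP error instead of saving the error page,
	# -S keeps error output while silent, --proto '=https' refuses non-HTTPS transfers.
	if ! curl -fsS --proto '=https' "${vsbackup_url}" -o "${vsbackup_tmp}" || [[ ! -s ${vsbackup_tmp} ]]; then
		rm -f "${vsbackup_tmp}"
		echo "vs-backup: download failed, nothing was installed" >&2
		# exit (not return): the outro is called unconditionally at the end of this
		# script and would otherwise report a successful install
		exit 1
	fi
	# NOTE(review): the file comes from the moving `main` branch and is installed
	# without a checksum or signature check; pinning to a release and comparing a
	# published digest before the move would close that gap.
	# @script-note: convert vs-backup to executable and move it to /usr/local/bin
	# mktemp creates the file with mode 0600, so the mode is set explicitly
	# instead of relying on `chmod +x`.
	if ! { chmod 755 "${vsbackup_tmp}" && mv -f "${vsbackup_tmp}" "${vsbackup_bin}"; }; then
		rm -f "${vsbackup_tmp}"
		echo "vs-backup: unable to install ${vsbackup_bin}" >&2
		exit 1
	fi
	# @script-note: copy the backup script to the /opt/vstacklet/bin/backup directory
	# The directory is only present on a vStacklet install; on any other server the
	# copy is skipped, which is what the unconditional `cp` amounted to there
	# (it failed and the script carried on).
	if [[ -d ${vsbackup_copy_dir} ]]; then
		cp -f "${vsbackup_bin}" "${vsbackup_copy_dir}/vs-backup" &&
			chmod 755 "${vsbackup_copy_dir}/vs-backup"
	fi
}

################################################################################
# @name: vstacklet::vsbackup::outro
# @description: This function will display the outro. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vstacklet-backup-standalone.sh#L75-L87)
#
# @break
################################################################################
vstacklet::vsbackup::outro() {
	# @script-note: display the outro
	echo "vs-backup has been installed on your server."
	echo "You can now run vs-backup from anywhere on your server."
	echo "Please see the documentation for more information."
	echo ""
	echo "Documentation can be found here:"
	echo "https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/backup/vs-backup.md"
	echo ""
	echo "You can also run the following command for more information:"
	echo "vs-backup -h"
	echo ""
}

################################################################################
# @description: Calls functions in required order.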
91 | # @break 92 | ################################################################################ 93 | vstacklet::vsbackup::standalone 94 | vstacklet::vsbackup::outro 95 | -------------------------------------------------------------------------------- /config/nginx/mime.types: -------------------------------------------------------------------------------- 1 | types { 2 | 3 | # Audio 4 | audio/midi mid midi kar; 5 | audio/mp4 aac f4a f4b m4a; 6 | audio/mpeg mp3; 7 | audio/ogg oga ogg; 8 | audio/x-realaudio ra; 9 | audio/x-wav wav; 10 | 11 | # Images 12 | image/bmp bmp; 13 | image/gif gif; 14 | image/jpeg jpeg jpg; 15 | image/png png; 16 | image/tiff tif tiff; 17 | image/vnd.wap.wbmp wbmp; 18 | image/webp webp; 19 | image/x-icon ico cur; 20 | image/x-jng jng; 21 | 22 | # JavaScript 23 | application/javascript js; 24 | application/json json; 25 | 26 | # Manifest files 27 | application/x-web-app-manifest+json webapp; 28 | text/cache-manifest manifest appcache; 29 | 30 | # Microsoft Office 31 | application/msword doc; 32 | application/vnd.ms-excel xls; 33 | application/vnd.ms-powerpoint ppt; 34 | application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; 35 | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; 36 | application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; 37 | 38 | # Video 39 | video/3gpp 3gpp 3gp; 40 | video/mp4 mp4 m4v f4v f4p; 41 | video/mpeg mpeg mpg; 42 | video/ogg ogv; 43 | video/quicktime mov; 44 | video/webm webm; 45 | video/x-flv flv; 46 | video/x-mng mng; 47 | video/x-ms-asf asx asf; 48 | video/x-ms-wmv wmv; 49 | video/x-msvideo avi; 50 | 51 | # Web feeds 52 | application/xml atom rdf rss xml; 53 | 54 | # Web fonts 55 | application/font-woff woff; 56 | application/font-woff2 woff2; 57 | application/vnd.ms-fontobject eot; 58 | application/x-font-ttf ttc ttf; 59 | font/opentype otf; 60 | image/svg+xml svg svgz; 61 | 62 | # Other 63 | application/java-archive jar war ear; 64 | 
application/mac-binhex40 hqx; 65 | application/pdf pdf; 66 | application/postscript ps eps ai; 67 | application/rtf rtf; 68 | application/vnd.wap.wmlc wmlc; 69 | application/xhtml+xml xhtml; 70 | application/vnd.google-earth.kml+xml kml; 71 | application/vnd.google-earth.kmz kmz; 72 | application/x-7z-compressed 7z; 73 | application/x-chrome-extension crx; 74 | application/x-opera-extension oex; 75 | application/x-xpinstall xpi; 76 | application/x-cocoa cco; 77 | application/x-java-archive-diff jardiff; 78 | application/x-java-jnlp-file jnlp; 79 | application/x-makeself run; 80 | application/x-perl pl pm; 81 | application/x-pilot prc pdb; 82 | application/x-rar-compressed rar; 83 | application/x-redhat-package-manager rpm; 84 | application/x-sea sea; 85 | application/x-shockwave-flash swf; 86 | application/x-stuffit sit; 87 | application/x-tcl tcl tk; 88 | application/x-x509-ca-cert der pem crt; 89 | application/x-bittorrent torrent; 90 | application/zip zip; 91 | 92 | application/octet-stream bin exe dll; 93 | application/octet-stream deb; 94 | application/octet-stream dmg; 95 | application/octet-stream iso img; 96 | application/octet-stream msi msp msm; 97 | application/octet-stream safariextz; 98 | 99 | text/css css; 100 | text/html html htm shtml; 101 | text/mathml mml; 102 | text/plain txt; 103 | text/vnd.sun.j2me.app-descriptor jad; 104 | text/vnd.wap.wml wml; 105 | text/vtt vtt; 106 | text/x-component htc; 107 | text/x-vcard vcf; 108 | 109 | } 110 | -------------------------------------------------------------------------------- /docs/setup/www-permissions.sh.md: -------------------------------------------------------------------------------- 1 | # www-permissions.sh - v3.1.1059 2 | 3 | 4 | --- 5 | 6 | Quickly create a new www-data group and set permissions for 7 | ${www_root:-/var/www/html/vsapp}. 
8 | 9 | --- 10 | 11 | - [vStacklet Documentation](https://github.com/JMSDOnline/vstacklet/blob/development/docs/setup/vstacklet.sh.md) 12 | - [vStacklet Server Stack Documentation](https://github.com/JMSDOnline/vstacklet/blob/development/docs/setup/vstacklet-server-stack.sh.md) 13 | 14 | --- 15 | 16 | This script will do the following: 17 | - Checks the www-data group exists, if not, create it. 18 | - Checks the user group exists, if not, create it. 19 | - Checks the user exists, if not, create it. 20 | - Checks the user is a member of the www-data group, if not, add them. 21 | - Set the correct permissions for the web root directory. 22 | 23 | --- 24 | 25 | #### examples: 26 | ```bash 27 | vstacklet -www-perms -wwwR "/var/www/html/vsapp" 28 | vstacklet -www-perms -wwwU "www-data" -wwwG "www-data" -wwwR "/var/www/html/vsapp" 29 | ``` 30 | 31 | --- 32 | 33 | #### or as a standalone script: 34 | ```bash 35 | /opt/vstacklet/setup/www-permissions.sh -wwwU "www-data" -wwwG "www-data" -wwwR "/var/www/html/vsapp" 36 | ``` 37 | 38 | --- 39 | 40 | 41 | 42 | ### vstacklet::wwwperms::args() 43 | 44 | Process the options passed to the script. [see function](https://github.com/JMSDOnline/vstacklet/blob/development/setup/www-permissions.sh#L68-L99) 45 | 46 | notes: 47 | - This script function is responsible for processing the options passed to the 48 | script. 49 | 50 | #### parameters: 51 | 52 | - $1 (string) - The option to process. 53 | - $2 (string) - The value of the option to process. 54 | 55 | --- 56 | 57 | ### vstacklet::environment::functions() 58 | 59 | Stage various functions for the setup environment. [see function](https://github.com/JMSDOnline/vstacklet/blob/development/setup/www-permissions.sh#L108-L178) 60 | 61 | --- 62 | 63 | ### vstacklet::environment::checkroot() 64 | 65 | Check if the user is root. 
[see function](https://github.com/JMSDOnline/vstacklet/blob/development/setup/www-permissions.sh#L187-L192) 66 | 67 | --- 68 | 69 | ### vstacklet::intro() 70 | 71 | Prints the intro message. [see function](https://github.com/JMSDOnline/vstacklet/blob/development/setup/www-permissions.sh#L201-L212) 72 | 73 | --- 74 | 75 | ### vstacklet::wwwdata::create() 76 | 77 | Adds a new www-data group and sets permissions for ${www_root:-/var/www/html/vsapp}. [see function](https://github.com/JMSDOnline/vstacklet/blob/development/setup/www-permissions.sh#L229-L260) 78 | 79 | #### options: 80 | 81 | - $1 `-wwwU | --www_user` - The user to add to the www-data group. (default: www-data) 82 | - $2 `-wwwG | --www_group` - The group to create. (default: www-data) (optional) 83 | - $3 `-wwwR | --www_root` - The root directory to set permissions for. (default: /var/www/html/vsapp) (optional) 84 | - $4 `-wwwh | --www_help` - Prints the help message. 85 | - $5 `-wwwv | --www_version` - Prints the version number. 86 | 87 | #### arguments: 88 | 89 | - $1 - The username to add to the www-data group. 90 | - $2 - The groupname to add to the www-data group. 91 | - $3 - The web root directory to set permissions for. 92 | - $4 - (no args) - Prints the help message. 93 | - $5 - (no args) - Prints the version number. 94 | 95 | --- 96 | 97 | ### vstacklet::permissions::adjust() 98 | 99 | Adjust permissions for the web root. [see function](https://github.com/JMSDOnline/vstacklet/blob/development/setup/www-permissions.sh#L323-L326) 100 | 101 | notes: 102 | - Permissions are adjusted based the following variables: 103 | - adjustments are made to the assigned web root on the `-wwwR | --www_root` 104 | option 105 | - adjustments are made to the default web root of `/var/www/html/vsapp` 106 | if the `-wwwR | --www_root` option is not used. 
107 | - permissions are adjusted to the following: 108 | - `root:www-data` (user:group) 109 | - `755` (directory) 110 | - `644` (file) 111 | - `g+rw` (group read/write) 112 | - `g+s` (setgid; on directories, new files inherit the group) 113 | 114 | *function has no options* 115 | 116 | *function has no arguments* 117 | 118 | --- 119 | 120 | ### vstacklet::permissions::complete() 121 | 122 | Complete the permissions adjustment process. [see function](https://github.com/JMSDOnline/vstacklet/blob/development/setup/www-permissions.sh#L326-L329) 123 | 124 | *function has no options* 125 | 126 | *function has no arguments* 127 | 128 | --- 129 | 130 | ### vstacklet::wwwperms::help() 131 | 132 | Prints the help message for the www-data group. [see function](https://github.com/JMSDOnline/vstacklet/blob/development/setup/www-permissions.sh#L335-L366) 133 | 134 | *function has no options* 135 | 136 | *function has no arguments* 137 | 138 | --- 139 | 140 | ### vstacklet::wwwperms::version() 141 | 142 | Prints the version of the www-permissions script. [see function](https://github.com/JMSDOnline/vstacklet/blob/development/setup/www-permissions.sh#L375-L378) 143 | 144 | *function has no options* 145 | 146 | *function has no arguments* 147 | 148 | --- 149 | 150 | 151 | -------------------------------------------------------------------------------- /docs/bin/www-permissions.sh.md: -------------------------------------------------------------------------------- 1 | # www-permissions.sh - v3.1.1098 2 | 3 | 4 | --- 5 | 6 | Quickly create a new www-data group and set permissions for 7 | ${www_root:-/var/www/html/vsapp}. 
18 | - Checks the user group exists, if not, create it. 19 | - Checks the user exists, if not, create it. 20 | - Checks the user is a member of the www-data group, if not, add them. 21 | - Set the correct permissions for the web root directory. 22 | 23 | --- 24 | 25 | #### examples: 26 | Set the correct permissions for the web root directory: 27 | ```bash 28 | vs-perms -wwwU "www-data" -wwwG "www-data" -wwwR "/var/www/html/vsapp" 29 | ``` 30 | Display the help message: 31 | ```bash 32 | vs-perms -h 33 | ``` 34 | Display the version number: 35 | ```bash 36 | vs-perms -V 37 | ``` 38 | 39 | --- 40 | 41 | 42 | 43 | ### vstacklet::vsperms::args() 44 | 45 | Process the options passed to the script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions.sh#L69-L100) 46 | 47 | notes: 48 | - This script function is responsible for processing the options passed to the 49 | script. 50 | 51 | #### parameters: 52 | 53 | - $1 (string) - The option to process. 54 | - $2 (string) - The value of the option to process. 55 | 56 | --- 57 | 58 | ### vstacklet::environment::functions() 59 | 60 | Stage various functions for the setup environment. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions.sh#L107-L186) 61 | 62 | --- 63 | 64 | ### vstacklet::environment::checkroot() 65 | 66 | Check if the user is root. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions.sh#L193-L198) 67 | 68 | --- 69 | 70 | ### vstacklet::vsperms::updater() 71 | 72 | Update the permissions script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions.sh#L205-L219) 73 | 74 | --- 75 | 76 | ### vstacklet::intro() 77 | 78 | Prints the intro message. 
[see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions.sh#L226-L243) 79 | 80 | --- 81 | 82 | ### vstacklet::vsperms::create() 83 | 84 | Adds a new www-data group and sets permissions for ${www_root:-/var/www/html/vsapp}. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions.sh#L260-L291) 85 | 86 | #### options: 87 | 88 | - $1 `-wwwU | --www_user` - The user to add to the www-data group. (default: www-data) 89 | - $2 `-wwwG | --www_group` - The group to create. (default: www-data) (optional) 90 | - $3 `-wwwR | --www_root` - The root directory to set permissions for. (default: /var/www/html/vsapp) (optional) 91 | - $4 `-wwwh | --www_help` - Prints the help message. 92 | - $5 `-wwwv | --www_version` - Prints the version number. 93 | 94 | #### arguments: 95 | 96 | - $1 - The username to add to the www-data group. 97 | - $2 - The groupname to add to the www-data group. 98 | - $3 - The web root directory to set permissions for. 99 | - $4 - (no args) - Prints the help message. 100 | - $5 - (no args) - Prints the version number. 101 | 102 | --- 103 | 104 | ### vstacklet::vsperms::adjust() 105 | 106 | Adjust permissions for the web root. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions.sh#L313-L351) 107 | 108 | notes: 109 | - Permissions are adjusted based the following variables: 110 | - adjustments are made to the assigned web root on the `-wwwR | --www_root` 111 | option 112 | - adjustments are made to the default web root of `/var/www/html/vsapp` 113 | if the `-wwwR | --www_root` option is not used. 
114 | - permissions are adjusted to the following: 115 | - `root:www-data` (user:group) 116 | - `755` (directory) 117 | - `644` (file) 118 | - `g+rw` (group read/write) 119 | - `g+s` (setgid; on directories, new files inherit the group) 120 | 121 | *function has no options* 122 | 123 | *function has no arguments* 124 | 125 | --- 126 | 127 | ### vstacklet::vsperms::complete() 128 | 129 | Prints completion of the permissions adjustment process. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions.sh#L360-L365) 130 | 131 | *function has no options* 132 | 133 | *function has no arguments* 134 | 135 | --- 136 | 137 | ### vstacklet::vsperms::help() 138 | 139 | Prints the help message for the vs-perms script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions.sh#L374-L419) 140 | 141 | *function has no options* 142 | 143 | *function has no arguments* 144 | 145 | --- 146 | 147 | ### vstacklet::vsperms::version() 148 | 149 | Prints the version of the vs-perms (www-permissions) script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/www-permissions.sh#L428-L435) 150 | 151 | *function has no options* 152 | 153 | *function has no arguments* 154 | 155 | --- 156 | 157 | 158 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/ssl.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | SSL policy - Modern | 3 | # ---------------------------------------------------------------------- 4 | 5 | # For services that don't need backward compatibility, the parameters 6 | # below provide a higher level of security. 7 | # 8 | # (!) This policy enforces a strong SSL configuration, which may raise 9 | # errors with old clients. 10 | # If a more compatible profile is required, use intermediate policy. 
11 | 12 | # Protect against the BEAST and POODLE attacks by not using SSLv3 at all. 13 | # If you need to support older browsers (IE6) you may need to add 14 | # SSLv3 to the list of protocols below (which re-exposes the POODLE risk described above). 15 | #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 16 | ssl_protocols TLSv1.2 TLSv1.3; 17 | 18 | # Ciphers chosen to protect against BEAST while providing forward secrecy, 19 | # as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx (note: only the ECDHE-*/DHE-*/EDH-* suites give forward secrecy; the plain AES*-SHA* and DES-CBC3-SHA entries at the end of the list do not, and the 3DES entries do not fit the "Modern" heading) 20 | ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA; 21 | ssl_prefer_server_ciphers on; 22 | 23 | # The NIST curves (prime256v1, secp384r1, secp521r1) are known 24 | # to be weak and potentially vulnerable but are required to support 25 | # Microsoft Edge and Safari. 26 | # https://safecurves.cr.yp.to/ 27 | ssl_ecdh_curve prime256v1:secp521r1:secp384r1;#X25519:; 28 | 29 | # Optimize SSL by caching session parameters for the duration of ssl_session_timeout (set below). This cuts down on the number of expensive SSL handshakes. 30 | # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection. 31 | # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state. 32 | # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS. 
33 | ssl_session_cache shared:SSL:60m; # a 1mb cache can hold about 4000 sessions, so 60m can hold about 240000 sessions 34 | ssl_session_timeout 24h; 35 | 36 | # SSL buffer size was added in 1.5.9 37 | ssl_buffer_size 1400; # 1400 bytes to fit in one MTU 38 | 39 | # Session tickets appeared in version 1.5.9 40 | # 41 | # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and 42 | # when a restart is performed the previous key is lost, which resets all previous 43 | # sessions. The fix for this is to setup a manual rotation mechanism: 44 | # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx 45 | # 46 | # Note that you'll have to define and rotate the keys securely by yourself. In absence 47 | # of such infrastructure, consider turning off session tickets: 48 | #ssl_session_tickets off; 49 | ssl_session_tickets off; 50 | 51 | # verify chain of trust of OCSP response using Root CA and Intermediate certs 52 | #ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; 53 | 54 | # Resolvers for OCSP stapling 55 | resolver 1.1.1.1 valid=300s; # Cloudflare 56 | resolver_timeout 5s; 57 | 58 | # HSTS (HTTP Strict Transport Security). includeSubDomains and preload commit every subdomain to HTTPS and are slow to undo; drop them if that is not intended. 59 | # Enable HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months | 31536000 seconds = 1 year) 60 | add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; 61 | 62 | # SAMEORIGIN is the value set below for X-Frame-Options. It prevents the page from being loaded in an iframe, 63 | # unless the iframe is from the same domain. 64 | # DENY prevents the page from being loaded in an iframe, even if the page is on the same domain. 65 | # ALLOW-FROM allows the page to be loaded in an iframe only if the iframe comes from the specified domain (obsolete and ignored by current browsers; the CSP frame-ancestors directive is the replacement). 
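add_header X-Frame-Options SAMEORIGIN always;

# nosniff is a security feature that tells the browser not to guess the MIME type of the file
add_header X-Content-Type-Options nosniff always;

# Use a higher keepalive timeout to reduce the need for repeated handshakes
# keepalive_timeout 300; # up from 75 secs default
keepalive_timeout 300s;

# SSL dhparam - this is a calculated diffie-hellman key exchange parameter that is used for perfect forward secrecy
# (it applies to the DHE-RSA-* cipher suites; treat 2048 bits as the minimum size)
# Generate with: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
#ssl_certificate /etc/nginx/default_ssl.crt;
#ssl_certificate_key /etc/nginx/default_ssl.key;

--------------------------------------------------------------------------------
/config/nginx/pagespeed/wily/rules:
--------------------------------------------------------------------------------
#!/usr/bin/make -f

# Debian packaging rules for nginx with the ngx_pagespeed module compiled in.
# The dh sequencer drives the build; the overrides below configure and build a
# --with-debug binary first, rename its outputs to *-debug, then configure and
# build the regular binary with the same COMMON_CONFIGURE_ARGS.

#export DH_VERBOSE=1
CFLAGS ?= $(shell dpkg-buildflags --get CFLAGS)
LDFLAGS ?= $(shell dpkg-buildflags --get LDFLAGS)
# Expands to --with-http_v2_module when the libssl-dev build dependency is met.
WITH_HTTP2 := $(shell printf \
	"Source: nginx\nBuild-Depends: libssl-dev (>= 1.0.1)\n" | \
	dpkg-checkbuilddeps - >/dev/null 2>&1 && \
	echo "--with-http_v2_module")
PKGS = nginx nginx-dbg \
	nginx-module-xslt nginx-module-geoip nginx-module-image-filter \
	nginx-module-perl nginx-module-njs
# Flags shared by the debug and the regular configure run.
# --with-cc-opt is passed once: nginx's configure keeps only the last value it
# is given, so the former second --with-cc-opt=" -D_GLIBCXX_USE_CXX11_ABI=0"
# replaced $(CFLAGS) and with it the hardening flags from dpkg-buildflags.
# NOTE(review): --add-module points at an unpinned "ngx_pagespeed-master" tree,
# so the result depends on whatever snapshot is on disk; pin a release or
# commit and verify its checksum (njs below is already pinned by revision).
COMMON_CONFIGURE_ARGS := \
	--prefix=/etc/nginx \
	--sbin-path=/usr/sbin/nginx \
	--modules-path=/usr/lib/nginx/modules \
	--conf-path=/etc/nginx/nginx.conf \
	--error-log-path=/var/log/nginx/error.log \
	--http-log-path=/var/log/nginx/access.log \
	--pid-path=/var/run/nginx.pid \
	--lock-path=/var/run/nginx.lock \
	--http-client-body-temp-path=/var/cache/nginx/client_temp \
	--add-module=../../ngx_pagespeed/ngx_pagespeed-master \
	--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
	--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
	--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
	--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
	--user=nginx \
	--group=nginx \
	--with-http_ssl_module \
	--with-http_realip_module \
	--with-http_addition_module \
	--with-http_sub_module \
	--with-http_dav_module \
	--with-http_flv_module \
	--with-http_mp4_module \
	--with-http_gunzip_module \
	--with-http_gzip_static_module \
	--with-http_random_index_module \
	--with-http_secure_link_module \
	--with-http_stub_status_module \
	--with-http_auth_request_module \
	--with-http_xslt_module=dynamic \
	--with-http_image_filter_module=dynamic \
	--with-http_geoip_module=dynamic \
	--with-http_perl_module=dynamic \
	--add-dynamic-module=debian/extra/njs-1c50334fbea6/nginx \
	--with-threads \
	--with-stream \
	--with-stream_ssl_module \
	--with-http_slice_module \
	--with-mail \
	--with-mail_ssl_module \
	--with-file-aio \
	--with-ipv6 \
	$(WITH_HTTP2) \
	--with-cc-opt="$(CFLAGS) -D_GLIBCXX_USE_CXX11_ABI=0" \
	--with-ld-opt="$(LDFLAGS)"

%:
	dh $@

override_dh_auto_configure: configure_debug

# A stray "--add-module=..." line used to sit in this recipe. make reads a
# leading "-" as its ignore-errors prefix, so the line ran as a failing shell
# command whose error was hidden; it has been removed.
override_dh_strip:
	dh_strip --dbg-package=nginx-dbg

# Builds the debug configuration, renames its binaries and modules to *-debug,
# then reconfigures without --with-debug and builds again.
override_dh_auto_build:
	dh_auto_build
	mv objs/nginx objs/nginx-debug
	mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so
	mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so
	mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so
	mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so
	mv objs/src/http/modules/perl/blib/arch/auto/nginx/nginx.so objs/src/http/modules/perl/blib/arch/auto/nginx/nginx-debug.so
	mv objs/ngx_http_js_module.so objs/ngx_http_js_module-debug.so
	CFLAGS="" ./configure $(COMMON_CONFIGURE_ARGS)
	dh_auto_build

configure_debug:
	CFLAGS="" ./configure $(COMMON_CONFIGURE_ARGS) \
		--with-debug

# Generates the two init scripts from debian/init.d.in and installs binaries,
# default configuration and HTML pages into the package tree. A stray
# "--with-cc-opt=..." line (same paste artefact as in override_dh_strip) was
# removed from this recipe.
override_dh_auto_install:
	sed -e 's/%%PROVIDES%%/nginx/g' \
		-e 's/%%DEFAULTSTART%%/2 3 4 5/g' \
		-e 's/%%DEFAULTSTOP%%/0 1 6/g' \
		< debian/init.d.in > debian/init.d
	dh_auto_install
	mkdir -p debian/nginx/etc/init.d debian/nginx/etc/default \
		debian/nginx/usr/lib/nginx/modules
	sed -e 's/%%PROVIDES%%/nginx-debug/g' \
		-e 's/%%DEFAULTSTART%%//g' \
		-e 's/%%DEFAULTSTOP%%/0 1 2 3 4 5 6/g' \
		< debian/init.d.in > debian/debug.init.d
	/usr/bin/install -m 755 debian/debug.init.d \
		debian/nginx/etc/init.d/nginx-debug
	/usr/bin/install -m 644 debian/nginx-debug.default \
		debian/nginx/etc/default/nginx-debug
	/usr/bin/install -m 644 debian/nginx.conf debian/nginx/etc/nginx/
	/usr/bin/install -m 644 conf/win-utf debian/nginx/etc/nginx/
	/usr/bin/install -m 644 conf/koi-utf debian/nginx/etc/nginx/
	/usr/bin/install -m 644 conf/koi-win debian/nginx/etc/nginx/
	/usr/bin/install -m 644 conf/mime.types debian/nginx/etc/nginx/
	/usr/bin/install -m 644 conf/scgi_params debian/nginx/etc/nginx/
	/usr/bin/install -m 644 conf/fastcgi_params debian/nginx/etc/nginx/
	/usr/bin/install -m 644 conf/uwsgi_params debian/nginx/etc/nginx/
	/usr/bin/install -m 644 html/index.html \
		debian/nginx/usr/share/nginx/html/
	/usr/bin/install -m 644 html/50x.html \
		debian/nginx/usr/share/nginx/html/
	/usr/bin/install -m 644 debian/nginx.vh.default.conf \
		debian/nginx/etc/nginx/conf.d/default.conf
	/usr/bin/install -m 755 objs/nginx debian/nginx/usr/sbin/
	/usr/bin/install -m 755 objs/nginx-debug debian/nginx/usr/sbin/
	cd debian/nginx/etc/nginx && /bin/ln -s \
		../../usr/lib/nginx/modules modules && cd -

# Writes the control file for each package in PKGS; a debian/<pkg>.version
# file, when present, overrides the version and gets the release codename appended.
override_dh_gencontrol:
	for p in $(PKGS); do \
		if [ -e debian/$$p.version ]; then \
			dpkg-gencontrol -p$$p -ldebian/changelog -Tdebian/$$p.substvars -Pdebian/$$p -v`cat debian/$$p.version`~`lsb_release -cs`; \
		else \
			dpkg-gencontrol -p$$p -ldebian/changelog -Tdebian/$$p.substvars -Pdebian/$$p ; \
		fi ; \
	done

override_dh_clean:
	dh_clean
	rm -f debian/*init.d

--------------------------------------------------------------------------------
/developer_resources/onSave:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
################################################################################
#
# @file_name: on_save
# @version: 1.0.39
# @description: automated save editing
# @project_name: vstacklet
#
# @save_tasks:
#  automated_versioning: true
#  automated_documentation: true
#
# @build_tasks:
#  automated_comment_strip: false
#  automated_encryption: false
#
# @author: Jason Matthews (JMSolo)
# @author_contact: https://github.com/JMSDOnline/vstacklet
#
# @license: MIT License (Included in LICENSE)
#  Copyright (C) 2016-2022, Jason Matthews
#  All rights reserved.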
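#
################################################################################

################################################################################
# @description: loads variables for save script
# @arg: $1 - file (path of the saved file; its basename becomes ${filename})
# @arg: $2 - workspace
################################################################################
load::variables() {
	declare -g file="${1}"
	declare -g filename="${file##*/}"
	declare -g workspace="${2}"
}

################################################################################
# @description: parses variables from supplied file for post-process
#  Reads the "key: value" lines between the @save_tasks (or legacy
#  "Save Tasks") marker and the author line of ${file}, lower-cases them and
#  assigns each to a global variable of the same name. Sets the global
#  ${type} to "newmeta" or "oldmeta" depending on the header style found.
#  The header is data from the file being processed, so only names of the
#  form automated_* are assigned; anything else is skipped, which keeps a
#  header line from overwriting script state such as ${file} or ${workspace}.
# @noargs
################################################################################
parse::meta_data() {
	declare variable value parse range line
	declare -a auto_variables
	if grep -q '@save_tasks' "${file}"; then
		declare -g type=newmeta
		range='/\@save_tasks/,/\@author:/ p'
	elif grep -q 'Save Tasks' "${file}"; then
		declare -g type=oldmeta
		range='/Save\ Tasks/,/Author:/ p'
	else
		return 0
	fi
	# Drop the marker line and the two trailing lines of the range, turn
	# "key: value" into "key=value" and strip "#" and spaces.
	while IFS='' read -r line; do auto_variables+=("${line}"); done < <(sed -n -e "${range}" "${file}" | head -n -2 | tail -n +2 | sed -e 's/: /=/g' | tr -d "# ")
	for parse in "${auto_variables[@]}"; do
		variable=$(echo "${parse,,}" | cut -f1 -d=)
		value=$(echo "${parse,,}" | cut -f2 -d=)
		# Allowlist: blank lines, section markers and unexpected names are ignored.
		[[ ${variable} =~ ^automated_[a-z0-9_]+$ ]] || continue
		printf -v "${variable}" '%s' "${value}"
	done
}

################################################################################
# @description: prints the given version with its last numeric field
#  incremented by one. Only dotted numeric versions (optionally prefixed with
#  "v") are accepted, so text read from a file header never reaches the sed
#  programs in save::versioning unchecked.
# @arg: $1 - current version string
# @return: 1 when the version string is not in the expected format
################################################################################
save::next_version() {
	declare old="${1}"
	declare pattern='^(v?([0-9]+[.])*)([0-9]+)$'
	if [[ ! ${old} =~ ${pattern} ]]; then
		printf "%s\n" "unexpected version string '${old}', nothing changed" >&2
		return 1
	fi
	# 10# forces base 10 so a field such as 08 is not parsed as octal.
	printf '%s%s' "${BASH_REMATCH[1]}" "$((10#${BASH_REMATCH[3]} + 1))"
}

################################################################################
# @description: automated incrementation of necessary file version information
#  Writes "v3.1.1.<build>" and the build number into ${workspace}/README.md,
#  then bumps the last version field of ${file} when the file is
#  developer_documentation.md or its header sets automated_versioning to true.
#  <build> is the page number of the rel="last" link that the GitHub commits
#  API returns for the development branch with per_page=1 (presumably the
#  commit count).
# @noargs
################################################################################
save::versioning() {
	declare build version_old version_new
	# curl verifies the server certificate (the former -k switch disabled that
	# check); the value is still validated because it is pasted into sed below.
	build=$(curl -Is "https://api.github.com/repos/JMSDOnline/vstacklet/commits?sha=development&per_page=1" | sed -n '/^[Ll]ink:/ s/.*"next".*page=\([0-9]*\).*"last".*/\1/p')
	if [[ ${build} =~ ^[0-9]+$ ]]; then
		version_new="v3.1.1.${build}"
		version_build="${build}"
		sleep 3
		sed -i "s/.*Version:.*/ Version: ${version_new}/g" "${workspace}/README.md"
		sed -i "s/.*Build:.*/ Build: ${version_build}/g" "${workspace}/README.md"
	else
		# No Link header (offline, rate limited, TLS failure): leave README.md alone
		# instead of writing an empty build number into it.
		printf "%s\n" "${filename}: build number unavailable, ${workspace}/README.md left unchanged" >&2
	fi
	if [[ ${filename} == "developer_documentation.md" ]]; then
		version_old=$(grep -o 'Version:.*' "${file}" | head -n 1 | cut -f2- -d: | tr -d " ")
		version_new=$(save::next_version "${version_old}") || return 0
		sed -i "0,/.*Version.*/s/.*Version.*/ Version: ${version_new}/" "${file}"
	elif [[ ${automated_versioning:-} == "true" && ${type:-} == "newmeta" ]]; then
		version_old=$(grep -o '# @version.*' "${file}" | head -n 1 | cut -f2- -d: | tr -d " " | tr -d "@")
		version_new=$(save::next_version "${version_old}") || return 0
		sed -i "0,/.*version.*/s/.*version.*/# @version: ${version_new}/" "${file}"
	elif [[ ${automated_versioning:-} == "true" && ${type:-} == "oldmeta" ]]; then
		version_old=$(grep -o '# File Version.*' "${file}" | head -n 1 | cut -f2- -d: | tr -d " ")
		version_new=$(save::next_version "${version_old}") || return 0
		sed -i "0,/.*File Version.*/s/.*File Version.*/# File Version: ${version_new}/" "${file}"
	else
		# Nothing in the file itself was bumped, so there is nothing to report.
		return 0
	fi
	printf "%s\n" "${filename} version increased from ${version_old} to ${version_new}"
}

################################################################################
# @description: automated documentation for files
#  When automated_documentation is "true" and the first line of ${file}
#  mentions bash, regenerates ${workspace}/docs/<path of file>.md by running
#  developer_resources/doc.awk over the file.
# @noargs
################################################################################
save::documentation() {
	[[ ${automated_documentation:-} == "true" ]] || return 0
	[[ $(head -n1 "${file}") =~ bash ]] || return 0
	declare docs markdown
	# Path of the file relative to the workspace, without any "src/" component.
	docs="docs${file//${workspace//\//\\/}/}"
	docs="${docs//src\//}"
	markdown="${workspace}/${docs}.md"
	# Create the directory the markdown file is written to; the earlier
	# relative path only matched it when the script ran from ${workspace}.
	mkdir -p "${markdown%/*}"
	rm -f "${markdown}"
	[[ -s ${file} ]] && awk -f "${workspace}/developer_resources/doc.awk" <"${file}" >>"${markdown}"
}

################################################################################
# @description: automated changelog
# @noargs
################################################################################
save::changelog() {
	# TODO: add changelog automation
	:
}

################################################################################
# @description: calls functions in required order
################################################################################
load::variables "$@"
parse::meta_data
save::versioning
save::documentation
#save::changelog

--------------------------------------------------------------------------------
/config/hhvm/nginx/default.hhvm.conf:
--------------------------------------------------------------------------------
server {
    listen *:{{http_port}};
    listen [::]:{{http_port}};
    server_name {{domain}};

    access_log /var/log/vstacklet/{{domain}}.access.log;
    error_log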
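/var/log/vstacklet/{{domain}}.error.log;

    root {{webroot}}/public;
    index index.html index.htm index.php;

    # Static files under /.well-known, served from the webroot (presumably for
    # ACME/Let's Encrypt validation). autoindex is off: validation fetches
    # known file names and gains nothing from a browsable directory index.
    location /.well-known {
        alias {{webroot}}/.well-known;
        allow all;
        default_type "text/plain";
        autoindex off;
    }

    # These options are for nginx caching.
    # Update the uri paths to match your needs.
    # Typically you would want to add
    # /wp-admin/ - Wordpress
    # /administrator/ - Joomla! etc...
    # $no_cache is read only by the commented-out fastcgi_cache_bypass and
    # fastcgi_no_cache lines in the PHP location below.
    # NOTE(review): $http_x_custom_header is taken from a request header, so a
    # client can clear $no_cache for query-string requests; the URI and cookie
    # checks after it still set it back to 1. "/your-admin-login/" and
    # "users_login_cookie" are placeholders to replace before enabling the cache.
    set $no_cache 0;
    if ($query_string) {
        set $no_cache 1;
    }
    if ($http_x_custom_header) {
        set $no_cache 0;
    }
    if ($uri ~ "/your-admin-login/" ) {
        set $no_cache 1;
    }
    if ($http_cookie ~ "users_login_cookie" ) {
        set $no_cache 1;
    }

    location ~ \.(hh|php)$ {
        # Only scripts that exist on disk reach the FastCGI backend.
        try_files $uri =404;

        # These options are for nginx caching.
        # All cached files are stored in /etc/nginx/cache.
        # Uncomment if caching with Nginx is your jam!
        # Note: an add_header inside this location stops it from inheriting
        # the add_header lines defined at server level.
        #fastcgi_cache phpcache;
        #fastcgi_cache_methods GET HEAD;
        #add_header X-Fastcgi-Cache $upstream_cache_status;
        #fastcgi_cache_bypass $no_cache;
        #fastcgi_no_cache $no_cache;
        #fastcgi_cache_valid 200 302 60m;
        #fastcgi_cache_valid 404 5m;
        #proxy_read_timeout 300;

        # These are typical nginx settings.
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 300;
        # Backend caching headers are ignored; if the fastcgi_cache lines above
        # are enabled, $no_cache alone decides what stays out of the cache.
        fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control;
    }

    # Location Profiles
    include server.configs/location/cache-busting.conf;
    include server.configs/location/cross-domain-fonts.conf;
    include server.configs/location/expires.conf;
    include server.configs/location/protect-system-files.conf;
    #include server.configs/location/letsencrypt.conf;

    # Security Profiles
    include server.configs/directives/cloudflare-real-ip.conf;
    include server.configs/directives/common-exploit-prevention.conf;
    include server.configs/directives/mime-type-security.conf;
    include server.configs/directives/reflected-xss-prevention.conf;
    include server.configs/directives/sec-bad-bots.conf;
    include server.configs/directives/sec-file-injection.conf;
    include server.configs/directives/sec-php-easter-eggs.conf;
    include server.configs/directives/server-security-options.conf;
    include server.configs/directives/socket-settings.conf;

    # WordPress Specific
    # include wordpress.conf;
    # include restrictions.conf;
    # We only enable this option if either W3TC is in effect on a WordPress install
    # Or you manage an override from your application root.
    # An example would be that of Admin Tools for Joomla!
    # Caution: once enabled, anything able to write to the application root
    # supplies nginx directives that take effect on the next reload.
    # include {{webroot}}/public/nginx.conf;

}

# HTTPS server for the same site.
server {
    listen [::]:{{https_port}} ssl;
    listen *:{{https_port}} ssl;
    # The stand-alone "http2" directive needs nginx 1.25.1 or newer.
    http2 on;
    server_name {{domain}};

    access_log /var/log/vstacklet/{{domain}}.access.log;
    error_log /var/log/vstacklet/{{domain}}.error.log;

    # Placeholder key pair ("snakeoil" is the self-signed certificate from
    # Debian's ssl-cert package); browsers do not trust it, so it has to be
    # replaced with the site's real certificate before going live.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    root {{webroot}}/public;
    index index.html index.htm index.php;

    # Static /.well-known files; directory listing stays off (see HTTP server).
    location /.well-known {
        alias {{webroot}}/.well-known;
        allow all;
        default_type "text/plain";
        autoindex off;
    }

    # These options are for nginx caching.
    # Update the uri paths to match your needs.
    # Typically you would want to add
    # /wp-admin/ - Wordpress
    # /administrator/ - Joomla! etc...
    # NOTE(review): $http_x_custom_header is client-controlled; replace the
    # placeholder URI and cookie names before enabling the cache.
    set $no_cache 0;
    if ($query_string) {
        set $no_cache 1;
    }
    if ($http_x_custom_header) {
        set $no_cache 0;
    }
    if ($uri ~ "/your-admin-login/" ) {
        set $no_cache 1;
    }
    if ($http_cookie ~ "users_login_cookie" ) {
        set $no_cache 1;
    }

    location ~ \.(hh|php)$ {
        # Only scripts that exist on disk reach the FastCGI backend.
        try_files $uri =404;

        # These options are for nginx caching.
        # All cached files are stored in /etc/nginx/cache.
        # Uncomment if caching with Nginx is your jam!
        # Note: an add_header inside this location stops it from inheriting
        # the headers set in ssl.conf (HSTS, X-Frame-Options, nosniff).
        #fastcgi_cache phpcache;
        #fastcgi_cache_methods GET HEAD;
        #add_header X-Fastcgi-Cache $upstream_cache_status;
        #fastcgi_cache_bypass $no_cache;
        #fastcgi_no_cache $no_cache;
        #fastcgi_cache_valid 200 302 60m;
        #fastcgi_cache_valid 404 5m;
        #proxy_read_timeout 300;

        # These are typical nginx settings.
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 300;
        # Backend caching headers are ignored; with the cache enabled,
        # $no_cache alone decides what stays out of it.
        fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control;
    }

    # Location Profiles
    include server.configs/location/cache-busting.conf;
    include server.configs/location/cross-domain-fonts.conf;
    include server.configs/location/expires.conf;
    include server.configs/location/protect-system-files.conf;
    #include server.configs/location/letsencrypt.conf;

    # Security Profiles
    include server.configs/directives/ssl.conf;
    include server.configs/directives/cloudflare-real-ip.conf;
    include server.configs/directives/common-exploit-prevention.conf;
    include server.configs/directives/mime-type-security.conf;
    include server.configs/directives/reflected-xss-prevention.conf;
    include server.configs/directives/sec-bad-bots.conf;
    include server.configs/directives/sec-file-injection.conf;
    include server.configs/directives/sec-php-easter-eggs.conf;
    include server.configs/directives/server-security-options.conf;
    include server.configs/directives/socket-settings.conf;

    # WordPress Specific
    # include wordpress.conf;
    # include restrictions.conf;
    # We only enable this option if either W3TC is in effect on a WordPress install
    # Or you manage an override from your application root.
    # An example would be that of Admin Tools for Joomla!
    # Caution: once enabled, anything able to write to the application root
    # supplies nginx directives that take effect on the next reload.
    # include {{webroot}}/public/nginx.conf;

}
--------------------------------------------------------------------------------
/config/php7/nginx/default.php7.conf:
--------------------------------------------------------------------------------
# Plain-HTTP server for the site.
# NOTE(review): nothing visible in this block redirects to the HTTPS server
# below, so the site is also served without TLS on {{http_port}}.
server {
    listen *:{{http_port}};
    listen [::]:{{http_port}};
    server_name {{domain}};

    access_log /var/log/vstacklet/{{domain}}.access.log;
    error_log /var/log/vstacklet/{{domain}}.error.log;

    root {{webroot}}/public;
    index index.html index.htm index.php;

    # Static files under /.well-known, served from the webroot (presumably for
    # ACME/Let's Encrypt validation). autoindex is off: validation fetches
    # known file names and gains nothing from a browsable directory index.
    location /.well-known {
        alias {{webroot}}/.well-known;
        allow all;
        default_type "text/plain";
        autoindex off;
    }

    # These options are for nginx caching.
    # Update the uri paths to match your needs.
    # Typically you would want to add
    # /wp-admin/ - Wordpress
    # /administrator/ - Joomla! etc...
    # $no_cache is read only by the commented-out fastcgi_cache_bypass and
    # fastcgi_no_cache lines in the PHP location below.
    # NOTE(review): $http_x_custom_header is taken from a request header, so a
    # client can clear $no_cache for query-string requests; the URI and cookie
    # checks after it still set it back to 1. "/your-admin-login/" and
    # "users_login_cookie" are placeholders to replace before enabling the cache.
    set $no_cache 0;
    if ($query_string) {
        set $no_cache 1;
    }
    if ($http_x_custom_header) {
        set $no_cache 0;
    }
    if ($uri ~ "/your-admin-login/" ) {
        set $no_cache 1;
    }
    if ($http_cookie ~ "users_login_cookie" ) {
        set $no_cache 1;
    }

    location ~ [^/]\.php(/|$) {
        # Only scripts that exist on disk reach the FastCGI backend.
        # NOTE(review): the location also matches URIs with trailing path info
        # (/index.php/extra), but $uri then includes that suffix, so such
        # requests presumably end in 404 - confirm that is intended.
        try_files $uri =404;

        # These options are for nginx caching.
        # All cached files are stored in /etc/nginx/cache.
        # Uncomment if caching with Nginx is your jam!
        # Note: an add_header inside this location stops it from inheriting
        # the add_header lines defined at server level.
        #fastcgi_cache phpcache;
        #fastcgi_cache_methods GET HEAD;
        #add_header X-Fastcgi-Cache $upstream_cache_status;
        #fastcgi_cache_bypass $no_cache;
        #fastcgi_no_cache $no_cache;
        #fastcgi_cache_valid 200 302 60m;
        #fastcgi_cache_valid 404 5m;
        #proxy_read_timeout 300;

        # These are typical nginx settings.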
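# FastCGI hand-off to PHP-FPM for the PHP location opened above.
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/php/php{{php}}-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 300;
        # Backend caching headers are ignored; if the fastcgi_cache lines of
        # this location are enabled, $no_cache alone decides what stays out of
        # the cache.
        fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control;
    }

    # Location Profiles
    include server.configs/location/cache-busting.conf;
    include server.configs/location/cross-domain-fonts.conf;
    include server.configs/location/expires.conf;
    include server.configs/location/protect-system-files.conf;
    #include server.configs/location/letsencrypt.conf;

    # Security Profiles
    include server.configs/directives/cloudflare-real-ip.conf;
    include server.configs/directives/common-exploit-prevention.conf;
    include server.configs/directives/mime-type-security.conf;
    include server.configs/directives/reflected-xss-prevention.conf;
    include server.configs/directives/sec-bad-bots.conf;
    include server.configs/directives/sec-file-injection.conf;
    include server.configs/directives/sec-php-easter-eggs.conf;
    include server.configs/directives/server-security-options.conf;
    include server.configs/directives/socket-settings.conf;

    # WordPress Specific
    # include wordpress.conf;
    # include restrictions.conf;
    # We only enable this option if either W3TC is in effect on a WordPress install
    # Or you manage an override from your application root.
    # An example would be that of Admin Tools for Joomla!
    # Caution: once enabled, anything able to write to the application root
    # supplies nginx directives that take effect on the next reload.
    # include {{webroot}}/public/nginx.conf;

}

# HTTPS server for the same site.
server {
    listen [::]:{{https_port}} ssl;
    listen *:{{https_port}} ssl;
    # The stand-alone "http2" directive needs nginx 1.25.1 or newer.
    http2 on;
    server_name {{domain}};

    access_log /var/log/vstacklet/{{domain}}.access.log;
    error_log /var/log/vstacklet/{{domain}}.error.log;

    # Placeholder key pair ("snakeoil" is the self-signed certificate from
    # Debian's ssl-cert package); browsers do not trust it, so it has to be
    # replaced with the site's real certificate before going live.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    root {{webroot}}/public;
    index index.html index.htm index.php;

    # Static files under /.well-known, served from the webroot (presumably for
    # ACME/Let's Encrypt validation). autoindex is off: validation fetches
    # known file names and gains nothing from a browsable directory index.
    location /.well-known {
        alias {{webroot}}/.well-known;
        allow all;
        default_type "text/plain";
        autoindex off;
    }

    # These options are for nginx caching.
    # Update the uri paths to match your needs.
    # Typically you would want to add
    # /wp-admin/ - Wordpress
    # /administrator/ - Joomla! etc...
    # NOTE(review): $http_x_custom_header is taken from a request header, so a
    # client can clear $no_cache for query-string requests; "/your-admin-login/"
    # and "users_login_cookie" are placeholders to replace before enabling the cache.
    set $no_cache 0;
    if ($query_string) {
        set $no_cache 1;
    }
    if ($http_x_custom_header) {
        set $no_cache 0;
    }
    if ($uri ~ "/your-admin-login/" ) {
        set $no_cache 1;
    }
    if ($http_cookie ~ "users_login_cookie" ) {
        set $no_cache 1;
    }

    location ~ [^/]\.php(/|$) {
        # Only scripts that exist on disk reach the FastCGI backend.
        # NOTE(review): the location also matches URIs with trailing path info
        # (/index.php/extra), but $uri then includes that suffix, so such
        # requests presumably end in 404 - confirm that is intended.
        try_files $uri =404;

        # These options are for nginx caching.
        # All cached files are stored in /etc/nginx/cache.
        # Uncomment if caching with Nginx is your jam!
        # Note: an add_header inside this location stops it from inheriting
        # the headers set in ssl.conf (HSTS, X-Frame-Options, nosniff).
        #fastcgi_cache phpcache;
        #fastcgi_cache_methods GET HEAD;
        #add_header X-Fastcgi-Cache $upstream_cache_status;
        #fastcgi_cache_bypass $no_cache;
        #fastcgi_no_cache $no_cache;
        #fastcgi_cache_valid 200 302 60m;
        #fastcgi_cache_valid 404 5m;
        #proxy_read_timeout 300;

        # These are typical nginx settings.
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/php/php{{php}}-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 300;
        # Backend caching headers are ignored; with the cache enabled,
        # $no_cache alone decides what stays out of it.
        fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control;
    }

    # Location Profiles
    include server.configs/location/cache-busting.conf;
    include server.configs/location/cross-domain-fonts.conf;
    include server.configs/location/expires.conf;
    include server.configs/location/protect-system-files.conf;
    #include server.configs/location/letsencrypt.conf;

    # Security Profiles
    include server.configs/directives/ssl.conf;
    include server.configs/directives/cloudflare-real-ip.conf;
    include server.configs/directives/common-exploit-prevention.conf;
    include server.configs/directives/mime-type-security.conf;
    include server.configs/directives/reflected-xss-prevention.conf;
    include server.configs/directives/sec-bad-bots.conf;
    include server.configs/directives/sec-file-injection.conf;
    include server.configs/directives/sec-php-easter-eggs.conf;
    include server.configs/directives/server-security-options.conf;
    include server.configs/directives/socket-settings.conf;

    # WordPress Specific
    # include wordpress.conf;
    # include restrictions.conf;
    # We only enable this option if either W3TC is in effect on a WordPress install
    # Or you manage an override from your application root.
    # An example would be that of Admin Tools for Joomla!
    # Caution: once enabled, anything able to write to the application root
    # supplies nginx directives that take effect on the next reload.
    # include {{webroot}}/public/nginx.conf;

}
--------------------------------------------------------------------------------
/config/php8/nginx/default.php8.conf:
--------------------------------------------------------------------------------
# Plain-HTTP server for the site.
# NOTE(review): nothing visible in this block redirects to the HTTPS server
# below, so the site is also served without TLS on {{http_port}}.
server {
    listen *:{{http_port}};
    listen [::]:{{http_port}};
    server_name {{domain}};

    access_log /var/log/vstacklet/{{domain}}.access.log;
    error_log /var/log/vstacklet/{{domain}}.error.log;

    root {{webroot}}/public;
    index index.html index.htm index.php;

    # Static files under /.well-known, served from the webroot (presumably for
    # ACME/Let's Encrypt validation). autoindex is off: validation fetches
    # known file names and gains nothing from a browsable directory index.
    location /.well-known {
        alias {{webroot}}/.well-known;
        allow all;
        default_type "text/plain";
        autoindex off;
    }

    # These options are for nginx caching.
    # Update the uri paths to match your needs.
    # Typically you would want to add
    # /wp-admin/ - Wordpress
    # /administrator/ - Joomla! etc...
    # $no_cache is read only by the commented-out fastcgi_cache_bypass and
    # fastcgi_no_cache lines in the PHP location below.
    # NOTE(review): $http_x_custom_header is taken from a request header, so a
    # client can clear $no_cache for query-string requests; the URI and cookie
    # checks after it still set it back to 1. "/your-admin-login/" and
    # "users_login_cookie" are placeholders to replace before enabling the cache.
    set $no_cache 0;
    if ($query_string) {
        set $no_cache 1;
    }
    if ($http_x_custom_header) {
        set $no_cache 0;
    }
    if ($uri ~ "/your-admin-login/" ) {
        set $no_cache 1;
    }
    if ($http_cookie ~ "users_login_cookie" ) {
        set $no_cache 1;
    }

    location ~ [^/]\.php(/|$) {
        # Only scripts that exist on disk reach the FastCGI backend.
        # NOTE(review): the location also matches URIs with trailing path info
        # (/index.php/extra), but $uri then includes that suffix, so such
        # requests presumably end in 404 - confirm that is intended.
        try_files $uri =404;

        # These options are for nginx caching.
        # All cached files are stored in /etc/nginx/cache.
        # Uncomment if caching with Nginx is your jam!
        # Note: an add_header inside this location stops it from inheriting
        # the add_header lines defined at server level.
        #fastcgi_cache phpcache;
        #fastcgi_cache_methods GET HEAD;
        #add_header X-Fastcgi-Cache $upstream_cache_status;
        #fastcgi_cache_bypass $no_cache;
        #fastcgi_no_cache $no_cache;
        #fastcgi_cache_valid 200 302 60m;
        #fastcgi_cache_valid 404 5m;
        #proxy_read_timeout 300;

        # These are typical nginx settings.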
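# FastCGI hand-off to PHP-FPM for the PHP location opened above.
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/php/php{{php}}-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 300;
        # Backend caching headers are ignored; if the fastcgi_cache lines of
        # this location are enabled, $no_cache alone decides what stays out of
        # the cache.
        fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control;
    }

    # Location Profiles
    include server.configs/location/cache-busting.conf;
    include server.configs/location/cross-domain-fonts.conf;
    include server.configs/location/expires.conf;
    include server.configs/location/protect-system-files.conf;
    #include server.configs/location/letsencrypt.conf;

    # Security Profiles
    include server.configs/directives/cloudflare-real-ip.conf;
    include server.configs/directives/common-exploit-prevention.conf;
    include server.configs/directives/mime-type-security.conf;
    include server.configs/directives/reflected-xss-prevention.conf;
    include server.configs/directives/sec-bad-bots.conf;
    include server.configs/directives/sec-file-injection.conf;
    include server.configs/directives/sec-php-easter-eggs.conf;
    include server.configs/directives/server-security-options.conf;
    include server.configs/directives/socket-settings.conf;

    # WordPress Specific
    # include wordpress.conf;
    # include restrictions.conf;
    # We only enable this option if either W3TC is in effect on a WordPress install
    # Or you manage an override from your application root.
    # An example would be that of Admin Tools for Joomla!
    # Caution: once enabled, anything able to write to the application root
    # supplies nginx directives that take effect on the next reload.
    # include {{webroot}}/public/nginx.conf;

}

# HTTPS server for the same site.
server {
    listen [::]:{{https_port}} ssl;
    listen *:{{https_port}} ssl;
    # The stand-alone "http2" directive needs nginx 1.25.1 or newer.
    http2 on;
    server_name {{domain}};

    access_log /var/log/vstacklet/{{domain}}.access.log;
    error_log /var/log/vstacklet/{{domain}}.error.log;

    # Placeholder key pair ("snakeoil" is the self-signed certificate from
    # Debian's ssl-cert package); browsers do not trust it, so it has to be
    # replaced with the site's real certificate before going live.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    root {{webroot}}/public;
    index index.html index.htm index.php;

    # Static files under /.well-known, served from the webroot (presumably for
    # ACME/Let's Encrypt validation). autoindex is off: validation fetches
    # known file names and gains nothing from a browsable directory index.
    location /.well-known {
        alias {{webroot}}/.well-known;
        allow all;
        default_type "text/plain";
        autoindex off;
    }

    # These options are for nginx caching.
    # Update the uri paths to match your needs.
    # Typically you would want to add
    # /wp-admin/ - Wordpress
    # /administrator/ - Joomla! etc...
    # NOTE(review): $http_x_custom_header is taken from a request header, so a
    # client can clear $no_cache for query-string requests; "/your-admin-login/"
    # and "users_login_cookie" are placeholders to replace before enabling the cache.
    set $no_cache 0;
    if ($query_string) {
        set $no_cache 1;
    }
    if ($http_x_custom_header) {
        set $no_cache 0;
    }
    if ($uri ~ "/your-admin-login/" ) {
        set $no_cache 1;
    }
    if ($http_cookie ~ "users_login_cookie" ) {
        set $no_cache 1;
    }

    location ~ [^/]\.php(/|$) {
        # Only scripts that exist on disk reach the FastCGI backend.
        # NOTE(review): the location also matches URIs with trailing path info
        # (/index.php/extra), but $uri then includes that suffix, so such
        # requests presumably end in 404 - confirm that is intended.
        try_files $uri =404;

        # These options are for nginx caching.
        # All cached files are stored in /etc/nginx/cache.
        # Uncomment if caching with Nginx is your jam!
        # Note: an add_header inside this location stops it from inheriting
        # the headers set in ssl.conf (HSTS, X-Frame-Options, nosniff).
        #fastcgi_cache phpcache;
        #fastcgi_cache_methods GET HEAD;
        #add_header X-Fastcgi-Cache $upstream_cache_status;
        #fastcgi_cache_bypass $no_cache;
        #fastcgi_no_cache $no_cache;
        #fastcgi_cache_valid 200 302 60m;
        #fastcgi_cache_valid 404 5m;
        #proxy_read_timeout 300;

        # These are typical nginx settings.
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/php/php{{php}}-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 300;
        # Backend caching headers are ignored; with the cache enabled,
        # $no_cache alone decides what stays out of it.
        fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control;
    }

    # Location Profiles
    include server.configs/location/cache-busting.conf;
    include server.configs/location/cross-domain-fonts.conf;
    include server.configs/location/expires.conf;
    include server.configs/location/protect-system-files.conf;
    #include server.configs/location/letsencrypt.conf;

    # Security Profiles
    include server.configs/directives/ssl.conf;
    include server.configs/directives/cloudflare-real-ip.conf;
    include server.configs/directives/common-exploit-prevention.conf;
    include server.configs/directives/mime-type-security.conf;
    include server.configs/directives/reflected-xss-prevention.conf;
    include server.configs/directives/sec-bad-bots.conf;
    include server.configs/directives/sec-file-injection.conf;
    include server.configs/directives/sec-php-easter-eggs.conf;
    include server.configs/directives/server-security-options.conf;
    include server.configs/directives/socket-settings.conf;

    # WordPress Specific
    # include wordpress.conf;
    # include restrictions.conf;
    # We only enable this option if either W3TC is in effect on a WordPress install
    # Or you manage an override from your application root.
    # An example would be that of Admin Tools for Joomla!
    # Caution: once enabled, anything able to write to the application root
    # supplies nginx directives that take effect on the next reload.
    # include {{webroot}}/public/nginx.conf;

}
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing

> vStacklet is an open source project licensed using the MIT License.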
4 | > This project has been forked and completely rewritten from [Quick LEMP](https://github.com/jbradach/quick-lemp/). 5 | > Though the two are not the same and are entirely different, vStacklet has drawn inspiration from Quick LEMP and is grateful for the work that has been done. 6 | > I appreciate pull requests as well as other types of contributions. Any contributions, suggestions, or comments are welcome! 7 | 8 | --- 9 | 10 | ## Documentation 11 | 12 | Documentation is available at: [/docs/](https://github.com/JMSDOnline/vstacklet/tree/main/docs) 13 | - :book: [vStacklet Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet.sh.md) 14 | - :book: [vStacklet Server Stack Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet-server-stack.sh.md) 15 | - :book: [vStacklet VS-Perms (www-permissions.sh) Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/www-permissions.sh.md) 16 | - :book: [vStacklet VS-Perms (www-permissions-standalone.sh) Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/www-permissions-standalone.sh.md) 17 | - :book: [vStacklet VS-Backup (vs-backup) Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/backup/vs-backup.md) 18 | - :book: [vStacklet VS-Backup (vstacklet-backup-standalone.sh) Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/bin/backup/vstacklet-backup-standalone.sh.md) 19 | 20 | --- 21 | 22 | ## How to Contribute to vStacklet - You want to contribute feedback, support, or general issue reporting 23 | 24 | - It's the most important step of all! [Grab the vStacklet script](https://github.com/JMSDOnline/vstacklet/tree/main#getting-started) and [run it on your system](https://github.com/JMSDOnline/vstacklet/tree/main#example). 25 | - Report script related issues or ideas for enhancements on the [issue tracker](https://github.com/JMSDOnline/vstacklet/issues).
26 | - Assist with testing on different distributions to help ensure compatibility. 27 | - Say thanks and/or spread the word. :heart: 28 | - "Do you accept donations?" Nope, but I do accept feedback and support. :smile: 29 | - "But I really want to donate!" Okay, you can donate to the [Electronic Frontier Foundation](https://www.eff.org/) or your favorite charity. 30 | 31 | --- 32 | 33 | ## How to Contribute to vStacklet - You want to contribute code 34 | 35 | - Fork, clone, and improve this repository by sending a pull request when it's done. (preferably to the `development` branch) 36 | - I use [VSCode](https://code.visualstudio.com/) for development, but you can use whatever you want. I have included a couple of extension settings in the project, as this makes my life easier. You can find more information about these extensions below. 37 | - Install the Trunk.io extension for VSCode. (See more on that below) 38 | - Setup for RunOnSave in VSCode (See below) 39 | - The project is coded with indentation of 4 spaces as tab. This is not required, but it is recommended. Worst case scenario, I will adjust the formatting when I merge your pull request. I certainly don't want to make it harder for you to contribute. 40 | 41 | ### Visual Studio Code Setup 42 | 43 | #### Extensions 44 | 45 | ##### [Run on Save](https://marketplace.visualstudio.com/items?itemName=emeraldwalk.RunOnSave) 46 | 47 | > Needed for the scripts in `developer_resources` 48 | > - RunOnSave will run the scripts in `developer_resources` to ensure that the code is formatted correctly. 49 | > - RunOnSave will additionally set the version numbers on files and the readme. 50 | > - RunOnSave will also update the documentation in the `docs` folder. These are formatted in markdown and are used to generate the documentation site. `developer_resources/doc.awk` is used to generate the documentation site with the necessary formatting.
51 | 52 | ##### [Trunk](https://marketplace.visualstudio.com/items?itemName=trunk.io) 53 | 54 | > Needed for the `.trunk/trunk.yaml` file in the root of the project. This is not required, but it is recommended. This will handle all linting/formatting/issue checking needs, it generally makes life easier. 55 | 56 |
57 | 58 | #### Visual Studio Code Settings 59 | 60 | ##### Run on Save Settings 61 | 62 | ```json 63 | "emeraldwalk.runonsave": { 64 | "commands": [ 65 | { 66 | "match": ".*", 67 | "isAsync": false, 68 | "cmd": "bash \"${workspaceFolder}/developer_resources/onSave\" \"${file}\" \"${workspaceFolder}\"" 69 | } 70 | ], 71 | } 72 | ``` 73 | 74 | ##### Trunk Settings 75 | 76 | No big setup required, just install the extension and it will do the rest. 77 | 78 |
79 | 80 | #### Windows compatibility 81 | 82 | You'll need to add your Git folder (normally located at `C:/Program Files/Git`) to your system environment variables, then restart VSCode. After that, replace `bash` with `git-bash` in the above codeblock. 83 | 84 | **This also might work:** 85 | Windows users might need to enable BASH. To do this: 86 | 1. Go to **Settings** > **Update & Security** > **For Developers**. Check the Developer Mode radio button. 87 | 2. And search for “*Windows Features*” 88 | 3. Choose “*Turn Windows features on or off*” 89 | 4. Scroll to find ***WSL***, check the box, and then install it. 90 | 5. Once done, one has to reboot to finish installing the requested changes. 91 | 6. Press Restart now. 92 | 93 |
94 | 95 | ### Coding Practices 96 | 97 | #### File Header 98 | 99 | Files should follow this example header: (Aids in proper formatting for associated documentation. example: [the docs](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet-server-stack.sh.md)) 100 | 101 | ```bash 102 | #!/usr/bin/env bash 103 | ################################################################################ 104 | # 105 | # @file_name: example_file 106 | # @version: 1.0.0 107 | # @description: Short file description 108 | # 109 | # @project_name: vStacklet 110 | # 111 | # @path: /path/to/example_file 112 | # 113 | # @brief: Example file brief 114 | # 115 | # @save_tasks: 116 | # automated_versioning: true|false (default: true) 117 | # automated_documentation: true|false (default: true) 118 | # 119 | # @build_tasks: 120 | # automated_comment_strip: false 121 | # automated_encryption: false 122 | # 123 | # @author: Jason Matthews (JMSDOnline), ... 124 | # @author_contact: https://github.com/JMSDOnline/vstacklet 125 | # 126 | # @license: MIT License (Included in LICENSE) 127 | # Copyright (C) 2016-2024, Jason Matthews :: vStacklet 128 | # All rights reserved. 129 | # 130 | ################################################################################ 131 | ``` 132 | 133 | This allows the post process scripts in `developer_resources` to process how each file needs to be handled. 134 | 135 | #### Function Comments 136 | 137 | Each function group should be preceded by the following header: (Aids in proper formatting for associated documentation. example: [function header in the docs](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet-server-stack.sh.md#vstackletcsfinstall)) 138 | 139 | ```bash 140 | ################################################################################ 141 | # @name: Function::Name 142 | # @description: Description of function 143 | # Globals: 144 | # Any variables declared that are not local. 
145 | # Arguments: 146 | # Any arguments that are being passed to functions ("$@") 147 | ################################################################################ 148 | ``` 149 | 150 | This allows us to quickly see what is being modified for debugging or review purposes. 151 | 152 | #### Function Naming 153 | 154 | Functions should be named with `function_group::function_name` syntax. This makes it easier to identify where the function is being called, and what it is responsible for doing. You'll see a lot of `function_group::function_name::function_task()` throughout the vStacklet code, again, this is to keep things transparent and easy to follow as per their intended function. 155 | 156 | --- -------------------------------------------------------------------------------- /developer_resources/doc.awk: -------------------------------------------------------------------------------- 1 | #!/usr/bin/awk -f 2 | ################################################################################ 3 | # 4 | # @file_name: doc.awk 5 | # @version: 1.0.122 6 | # @description: automated documentation 7 | # @project_name: vstacklet 8 | # 9 | # @save_tasks: 10 | # automated_versioning: true 11 | # automated_documentation: false 12 | # 13 | # @author: Jason Matthews (JMSolo) 14 | # @author_contact: https://github.com/JMSDOnline/vstacklet 15 | # 16 | # @license: MIT License (Included in LICENSE) 17 | # Copyright (C) 2016-2022, Jason Matthews 18 | # All rights reserved. 
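#
################################################################################

# Documentation generator: reads a shell script on input, collects the
# "# @tag" comment annotations, and prints a Markdown document in END.
#
# NOTE(review): the variable `style` read in render() is never assigned in this
# file; presumably it is passed in by the caller (e.g. `-v style=readme`) --
# confirm against developer_resources/onSave.
# NOTE(review): gensub() and the {1,3} interval are used, so this presumably
# needs gawk rather than a strict POSIX awk -- confirm the interpreter.

# Style table: each style has a "from" regex and a "to" replacement that
# render() hands to gensub(). output_format optionally remaps a style name
# for a given output style.
BEGIN {
    styles["empty", "from"] = ".*"
    styles["empty", "to"] = ""
    styles["h1", "from"] = ".*"
    styles["h1", "to"] = "# &"
    styles["h2", "from"] = ".*"
    styles["h2", "to"] = "## &"
    styles["h3", "from"] = ".*"
    styles["h3", "to"] = "### &"
    styles["h4", "from"] = ".*"
    styles["h4", "to"] = "#### &"
    styles["h5", "from"] = ".*"
    styles["h5", "to"] = "##### &"
    styles["hr", "from"] = ".*"
    styles["hr", "to"] = "---"
    styles["code", "from"] = ".*"
    styles["code", "to"] = "```&"
    # "/code" deliberately has no "from" entry; it is rendered without text.
    styles["/code", "to"] = "```"
    styles["argN", "from"] = "^(\\$[0-9]) (\\S+)"
    styles["argN", "to"] = "**\\1** (\\2):"
    styles["arg@", "from"] = "^\\$@ (\\S+)"
    styles["arg@", "to"] = "**...** (\\1):"
    styles["optionN", "from"] = "^(\\$[0-9]) (\\S+)"
    styles["optionN", "to"] = "**\\1** (\\2):"
    styles["option@", "from"] = "^\\$@ (\\S+)"
    styles["option@", "to"] = "**...** (\\1):"
    styles["paramN", "from"] = "^(\\$[0-9]) (\\S+)"
    styles["paramN", "to"] = "**\\1** (\\2):"
    styles["param@", "from"] = "^\\$@ (\\S+)"
    styles["param@", "to"] = "**...** (\\1):"
    styles["li", "from"] = ".*"
    styles["li", "to"] = "- &"
    styles["i", "from"] = ".*"
    styles["i", "to"] = "*&*"
    styles["anchor", "from"] = ".*"
    styles["anchor", "to"] = "[&](#&)"
    styles["exitcode", "from"] = "([>!]?[0-9]{1,3}) (.*)"
    styles["exitcode", "to"] = "**\\1**: \\2"
    output_format["readme", "h1"] = "h1"
    output_format["readme", "h2"] = "h2"
    output_format["readme", "h3"] = "h3"
    output_format["readme", "h4"] = "h4"
    output_format["readme", "h5"] = "h5"
}

# render(type, text): apply the style named `type` to `text` and return the
# result. If output_format has an entry for (style, type), that entry replaces
# `type` first. A `type` with no entry in `styles` yields empty pattern and
# replacement strings.
function render(type, text) {
    if((style,type) in output_format){
        type = output_format[style,type]
    }
    return gensub( \
        styles[type, "from"],
        styles[type, "to"],
        "g",
        text \
    )
}

# reset(): clear every per-docblock flag and accumulated content string.
# Does not touch filedoc, doc, docblock, is_internal or the in_* state flags.
function reset() {
    has_example = 0
    has_args = 0
    has_options = 0
    has_params = 0
    has_exitcode = 0
    has_stdout = 0
    has_break = 0

    content_brief = ""
    content_desc = ""
    content_example = ""
    content_args = ""
    content_options = ""
    content_params = ""
    content_exitcode = ""
    content_seealso = ""
    content_stdout = ""
    content_break = ""
}

# "# @internal": the next matched function definition is skipped in the output.
/^[[:space:]]*# @internal/ {
    is_internal = 1
}

# "# @file_name": starts the file-level heading (overwrites filedoc).
/^[[:space:]]*# @file_name/ {
    sub(/^[[:space:]]*# @file_name: /, "")
    filedoc = render("h1", $0) " - "
}

# "# @version": appends "v<version>" to the file-level heading.
/^[[:space:]]*# @version/ {
    sub(/^[[:space:]]*# @version: /, "")
    filedoc = filedoc "v"$0 "\n"
}

#/^[[:space:]]*# @brief/ {
#    sub(/^[[:space:]]*# @brief:/, "")
#    sub(/^[[:space:]]*# /, "")
#    sub(/^[[:space:]]*#$/, "")
#    filedoc = filedoc "\n" $0 "\n"
#}

# "# @brief:": open a brief section and start a fresh docblock.
/^[[:space:]]*# @brief:/ {
    in_brief = 1

    reset()

    docblock = ""
}

# While in a brief: a line matching the terminator pattern closes it;
# otherwise the comment prefix is stripped and the line is appended to both
# filedoc and content_brief. Runs on the "@brief:" line itself as well,
# because this rule follows the one above.
in_brief {
    # NOTE(review): `[^b]` is a single-character bracket expression, so any
    # tag starting with "b" (e.g. "@break") does not match that alternative.
    if (/^[^[[:space:]]*#]|^[[:space:]]*# @[^b]|^[[:space:]]*[^#]/) {
        if (!match(content_brief, /\n$/)) {
            content_brief = content_brief "\n"
        }
        in_brief = 0
    } else {
        sub(/^[[:space:]]*# @brief: /, "\n""---""\n""\n")
        sub(/^[[:space:]]*# /, "")
        sub(/^[[:space:]]*#$/, "\n""---""\n")
        filedoc = filedoc "\n" $0
        content_brief = content_brief "\n" $0
    }
}


# "# @description:": open a description section and start a fresh docblock.
/^[[:space:]]*# @description:/ {
    in_description = 1
    in_example = 0

    reset()

    docblock = ""
}

# While in a description: same close-or-append logic as in_brief, appending
# to content_desc only.
in_description {
    if (/^[^[[:space:]]*#]|^[[:space:]]*# @[^d]|^[[:space:]]*[^#]/) {
        if (!match(content_desc, /\n$/)) {
            content_desc = content_desc "\n"
        }
        in_description = 0
    } else {
        sub(/^[[:space:]]*# @description: /, "")
        sub(/^[[:space:]]*# /, "")
        sub(/^[[:space:]]*#$/, "")

        content_desc = content_desc "\n" $0
    }
}

# While in an example: a terminator line appends the closing code fence;
# any other line has its comment markers stripped and is appended.
# This rule must stay BEFORE the "@example" rule below so that the opening
# line is not processed as example body.
in_example {
    #if (! /^[[:space:]]*# [ ]{3}/) {
    # NOTE(review): `[^example]` is a bracket expression (one character that is
    # none of e, x, a, m, p, l), not a negated word -- confirm this is intended.
    if (/^[^[[:space:]]*#]|^[[:space:]]*# @[^example]|^[[:space:]]*[^#]|^[[:space:]]*# [ ]{3}/) {
        if (!match(content_example, /\n$/)) {
            # render("/code") is called without text and "/code" has no "from"
            # pattern; presumably this yields the bare closing fence -- confirm.
            content_example = content_example "\n" render("/code") "\n"
        }
        in_example = 0
    } else {
        sub(/^[[:space:]]*# @example:/, "")
        sub(/^[[:space:]]*#/, "")
        sub(/^[[:space:]]*#$/, "")
        sub(/#$/, "")
        sub(/#/, "")

        content_example = content_example "\n" $0
    }
}

# "# @example": open an example section with an "examples:" heading and the
# opening code fence.
/^[[:space:]]*# @example/ {
    in_example = 1
    content_example = content_example "\n" render("h4", "examples:") "\n"
    sub(/^[[:space:]]*# @example:/, "")
    sub(/^[[:space:]]*# /, "")
    sub(/^[[:space:]]*#$/, "")
    sub(/^*#/, "")
    # render() declares two parameters; the third argument ("bash") that used
    # to be passed here was never read, so it is dropped.
    content_example = content_example "\n" render("code", "\n"$0)
}

# "# @arg": add one list item to the arguments section (heading added once).
/^[[:space:]]*# @arg/ {
    if (!has_args) {
        has_args = 1

        content_args = content_args "\n" render("h4", "arguments:") "\n\n"
    }

    sub(/^[[:space:]]*# @arg:/, "")
    $0 = render("argN", $0)
    $0 = render("arg@", $0)
    content_args = content_args render("li", $0) "\n"
}

/^[[:space:]]*# @noargs/ {
    content_args = content_args "\n" render("i", "function has no arguments") "\n"
}

# "# @option": add one list item to the options section (heading added once).
/^[[:space:]]*# @option/ {
    if (!has_options) {
        has_options = 1

        content_options = content_options "\n" render("h4", "options:") "\n\n"
    }

    sub(/^[[:space:]]*# @option:/, "")
    $0 = render("optionN", $0)
    $0 = render("option@", $0)
    content_options = content_options render("li", $0) "\n"
}

/^[[:space:]]*# @nooptions/ {
    content_options = content_options "\n" render("i", "function has no options") "\n"
}

# "# @param": add one list item to the parameters section (heading added once).
/^[[:space:]]*# @param/ {
    if (!has_params) {
        has_params = 1

        content_params = content_params "\n" render("h4", "parameters:") "\n\n"
    }

    sub(/^[[:space:]]*# @param:/, "")
    $0 = render("paramN", $0)
    $0 = render("param@", $0)
    content_params = content_params render("li", $0) "\n"
}

/^[[:space:]]*# @noparams/ {
    content_params = content_params "\n" render("i", "function has no parameters") "\n"
}

# "# @return_code": add one list item to the return codes section.
/^[[:space:]]*# @return_code/ {
    if (!has_exitcode) {
        has_exitcode = 1

        content_exitcode = content_exitcode "\n" render("h4", "return codes:") "\n\n"
    }

    sub(/^[[:space:]]*# @return_code: /, "")

    # Fixed: this used the style name "returncode", which has no entry in the
    # style table, so the "exitcode" formatting defined in BEGIN was never
    # applied to return-code lines.
    $0 = render("exitcode", $0)

    content_exitcode = content_exitcode render("li", $0) "\n"
}

# "# @stdout": add a stdout heading and one list item.
/^[[:space:]]*# @stdout/ {
    has_stdout = 1
    sub(/^[[:space:]]*# @stdout /, "")
    content_stdout = content_stdout "\n" render("h4", "stdout")
    content_stdout = content_stdout "\n\n" render("li", $0) "\n"
}

# "# @break": add a horizontal rule.
/^[[:space:]]*# @break/ {
    has_break = 1
    sub(/^[[:space:]]*# @break/, "")
    content_break = content_break "\n" render("hr", $0) "\n"
}

# Every line: rebuild docblock from the accumulated sections, in this fixed
# order.
{
    docblock = content_brief content_desc content_options content_args content_params content_exitcode content_stdout content_example content_seealso content_break
}

# A function definition line (optional `function` keyword, a name, optional
# "()", then "{") with a non-empty docblock and no open example: emit the
# docblock under an h3 heading unless it was marked @internal, then reset.
/^[ \t]*(function([ \t])+)?([a-zA-Z0-9_:-]+)([ \t]*)(\(([ \t]*)\))?[ \t]*\{/ && docblock != "" && !in_example {
    if (is_internal) {
        is_internal = 0
    } else {
        # NOTE(review): this pattern requires "(" after the name, while the
        # rule pattern above treats "()" as optional -- confirm definitions
        # written without parentheses are not expected.
        func_name = gensub(\
            /^[ \t]*(function([ \t])+)?([a-zA-Z0-9_:-]+)[ \t]*\(.*/, \
            "\\3()", \
            "g" \
        )
        doc = doc "\n" render("h3", func_name) "\n" docblock
    }

    docblock = ""
    reset()
}

# Print the file-level heading (when one was collected), then the per-function
# documentation.
END {
    if (filedoc != "") {
        print filedoc "\n"
    }
    print doc "\n"
}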
-------------------------------------------------------------------------------- /docs/bin/backup/vs-backup.md: -------------------------------------------------------------------------------- 1 | # vs-backup - v3.1.1272 2 | 3 | 4 | --- 5 | 6 | vs-backup can be used on any server to backup files, directories and mysql 7 | databases, but it is designed to work with the vStacklet server stack. 8 | This script will backup your database and files. 9 | Please ensure you have read the documentation before continuing. 10 | 11 | --- 12 | 13 | - [vStacklet Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet.sh.md) 14 | - [vStacklet Server Stack Documentation](https://github.com/JMSDOnline/vstacklet/blob/main/docs/setup/vstacklet-server-stack.sh.md) 15 | 16 | --- 17 | 18 | This script will do the following: 19 | - Backup your database. 20 | - Backup your files. 21 | - Compress the backup files. (default: tar.gz - for files and sql.gz - for database) 22 | - Automatically encrypt the backup files. (password: set to your database password by default - `-dbpass`) 23 | - Retain the backup files based on the retention options. (default: 7 days) 24 | 25 | --- 26 | 27 | #### options: 28 | | Short | Long | Description 29 | | ----------- | -------------------------- | ------------------------------------------ 30 | | -db | --database | Backup the database. 31 | | -dbuser | --database_user | The database user. (default: pulled from `/root/.my.cnf`) 32 | | -dbpass | --database_password | The database password. (default: pulled from `/root/.my.cnf`) 33 | | -dbdbu | --database_backup_directory | The database destination backup directory. (default: `/backup/databases`) 34 | | -dbtbu | --database_temporary_directory | The database temporary backup directory. (default: `/tmp/vstacklet/backup/databases`) 35 | | -dbenc | --database_encryption | Encrypt the database backup. 
(default: `false`) 36 | | -dbdecrypt | --database_decryption | Decrypt the selected database backup.
[**can decrypt only**] 37 | | -dbextract | --database_extraction | Extract the selected database backup.
[**can decrypt and extract**] 38 | | -f | --files | Backup files in the web root directory. 39 | | -fdbu | --file_backup_directory | The files destination backup directory. (default: `/backup/files`) 40 | | -ftbu | --file_temporary_directory | The files temporary backup directory. (default: `/tmp/vstacklet/backup/files`) 41 | | -r | --retention | Retention options. (default: `7`) 42 | | -frpe | --file_retention_path_extension | Retention path extension for the files. (default: `.tar.gz`) 43 | | -dbrpe | --database_retention_path_extension | Retention path extension for the database. (default: `.gz` | encrypted: `.enc`) 44 | | -h | --help | Display the help menu. 45 | | -V | --version | Display the version. 46 | | -ec | --example_cron | Display an example cron job. 47 | | -cron | --cron | Run the script in cron mode.
[**only needed when running as a scheduled cron task**]
This will skip the intro message, used with cron task.
*Not needed if using the `-cc` option.* (default: `false`) 48 | | -cc | --cron_create | Create a cron job.
This will create a cron job for the backup script. (default: `false`) 49 | 50 | --- 51 | 52 | #### examples: 53 | 54 | --- 55 | 56 | Backup a database `-db` and directory `-f`: (various options - overkill example) 57 | ```bash 58 | vs-backup -db "database" -dbuser "root" -dbpass "password" -dbenc -dbdbu "/backup/databases" -dbtbu "/tmp/vstacklet/backup/databases" -f "/var/www/html/vsapp" -fdbu "/backup/files" -ftbu "/tmp/vstacklet/backup/files" -r "7" -dbrpe "enc" -cc 59 | ``` 60 | 61 | --- 62 | 63 | Backup a database `-db` and directory `-f`: (simple example - using minimal options)

64 | **ℹ notes:** 65 | - The database user and password are pulled from `/root/.my.cnf` by default. No need to set them unless you want to. [Bonus: security - the password never has to be typed on the command line, where it would land in shell history] 66 | - See the default options for the rest of the options. 67 | ```bash 68 | vs-backup -db "database" -f "/var/www/html/vsapp" -r "5" -dbenc -cc 69 | ``` 70 | 71 | --- 72 | 73 | Decrypt the database backup: (decrypt only)

74 | **ℹ notes:** 75 | - decrypts the database backup only. 76 | - option to decrypt will work only if the database backup is encrypted. 77 | - dbpass is required for decryption [see: `password` in `/root/.my.cnf`] 78 | ```bash 79 | vs-backup -dbdecrypt 80 | ``` 81 | 82 | --- 83 | 84 | Extract the database backup: (can decrypt and extract)

85 | **ℹ notes:** 86 | - extracts the database backup. 87 | - decrypts the database backup if encrypted. 88 | - dbpass is required for decryption [see: `password` in `/root/.my.cnf`] 89 | - if not encrypted, it will extract the database backup. 90 | ```bash 91 | vs-backup -dbextract 92 | ``` 93 | 94 | --- 95 | 96 | 97 | 98 | ### vstacklet::environment::functions() 99 | 100 | Stage various functions for the setup environment. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L105-L211) 101 | 102 | --- 103 | 104 | ### vstacklet::environment::checkroot() 105 | 106 | Check if the user is root. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L218-L223) 107 | 108 | --- 109 | 110 | ### vstacklet::backup::updater() 111 | 112 | Update the backup script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L230-L247) 113 | 114 | --- 115 | 116 | ### vstacklet::backup::variables() 117 | 118 | Set the variables for the backup. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L254-L409) 119 | 120 | --- 121 | 122 | ### vstacklet::backup::default::variables() 123 | 124 | The variables used in the backup script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L416-L465) 125 | 126 | --- 127 | 128 | ### vstacklet::backup::main::checks() 129 | 130 | The checks used in the backup script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L472-L507) 131 | 132 | --- 133 | 134 | ### vstacklet::intro() 135 | 136 | Prints the intro message. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L514-L531) 137 | 138 | --- 139 | 140 | ### vstacklet::backup::files() 141 | 142 | Backup the specified files. 
[see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L538-L582) 143 | 144 | --- 145 | 146 | ### vstacklet::backup::database() 147 | 148 | Backup a database. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L602-L651) 149 | 150 | **ℹ note:** This function will additionally package the database backup into a tarball 151 | and compress it on the fly, then encrypt it. The tarball will be moved to the 152 | destination directory and the temporary directory will be cleaned up. 153 | - To decrypt the tarball, use the following command example: (decrypt only) 154 | ```bash 155 | vs-backup -dbdecrypt 156 | ``` 157 | - To extract the tarball, use the following command example: (can decrypt and extract) 158 | ```bash 159 | vs-backup -dbextract 160 | ``` 161 | 162 | --- 163 | 164 | ### vstacklet::backup::retention() 165 | 166 | The retention used in the backup script. This is used to delete 167 | old backups. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L671-L695) 168 | 169 | **ℹ notes:** 170 | - The retention is based on the modification time of the file. 171 | - Default retention is 7 days. This can be changed by setting the `-r` variable. 172 | - example: `-r 14` would set the retention to 14 days. 173 | - The retention path options are used to exclude directories from the retention. 174 | - Default retention paths are /backup/files/ and /backup/databases/. These can 175 | be changed by setting the `-fdbu` and `-dbdbu` variables. 176 | - example: `-fdbu /backup/files/backup/` would create and set the file retention 177 | path to /backup/files/backup/. 178 | 179 | --- 180 | 181 | ### vstacklet::backup::cron::create() 182 | 183 | Create a cron job for the backup script. 
[see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L711-L792) 184 | 185 | **ℹ notes:** 186 | - The cron job will run daily at 12:30 AM 187 | - The cron job will be created as /etc/cron.d/vs_backup 188 | - The cron job will use the flags provided 189 | - The cron job will run the script in cron mode 190 | - The cron job will redirect the output to /dev/null 191 | - The cron job will run as root 192 | 193 | #### examples: 194 | 195 | ``` 196 | vs-backup -db "db_name" -dbuser "db_user" -dbpass "db_pass" -f "/var/www/html/vsapp/" -cc 197 | ``` 198 | 199 | --- 200 | 201 | ### vstacklet::outro() 202 | 203 | Prints the outro message. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L799-L804) 204 | 205 | --- 206 | 207 | ### vstacklet::backup::usage() 208 | 209 | Display the usage of the backup script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L811-L896) 210 | 211 | --- 212 | 213 | ### vstacklet::backup::example_cron() 214 | 215 | Example cron job for the backup script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L904-L924) 216 | 217 | #### examples: 218 | 219 | ``` 220 | vs-backup -ec 221 | ``` 222 | 223 | --- 224 | 225 | ### vstacklet::backup::version() 226 | 227 | Display the version of the backup script. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L931-L937) 228 | 229 | --- 230 | 231 | ### vstacklet::backup::database_decrypt() 232 | 233 | List the files in the backup directory and decrypt selected options. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L954-L1013) 234 | 235 | **ℹ notes:** 236 | - This function will allow you to decrypt a database backup file. 237 | - You can use the `-dbextract` option instead if you want to decrypt **and** extract the file. 
238 | 239 | #### examples: 240 | 241 | ``` 242 | vs-backup -dbdecrypt 243 | ``` 244 | 245 | --- 246 | 247 | ### vstacklet::backup::database_extract() 248 | 249 | List the files in the backup directory and extract selected options. [see function](https://github.com/JMSDOnline/vstacklet/blob/main/bin/backup/vs-backup#L1025-L1137) 250 | 251 | **ℹ notes:** 252 | - This function will allow you to extract a database backup file. 253 | - This function will also decrypt the file if it is encrypted. 254 | 255 | #### examples: 256 | 257 | ``` 258 | vs-backup -dbextract 259 | ``` 260 | 261 | --- 262 | 263 | 264 | -------------------------------------------------------------------------------- /config/varnish/custom.vcl: -------------------------------------------------------------------------------- 1 | vcl 4.1; 2 | 3 | import std; 4 | import proxy; 5 | 6 | backend default { 7 | .host = "127.0.0.1"; 8 | .port = "{{varnish_port}}"; 9 | } 10 | 11 | # Add hostnames, IP addresses and subnets that are allowed to purge content 12 | acl purge { 13 | "localhost"; 14 | "127.0.0.1"; 15 | "::1"; 16 | } 17 | 18 | sub vcl_recv { 19 | # Set the redirect for http to https 20 | # This is a workaround for the fact that Varnish doesn't support 21 | # https redirects. See https://varnish-cache.org/docs/trunk/phk/ssl.html 22 | # By default, this is commented out. Uncomment if you want to force 23 | # all traffic to https. Keep in mind the redirect should already be 24 | # handled by your web server. This is just a fallback should you 25 | # want to force https at the Varnish level. 26 | # 27 | #if ((req.http.X-Forwarded-Proto && req.http.X-Forwarded-Proto != "https") || (req.http.Scheme && req.http.Scheme != "https")) { 28 | # return (synth(750)); 29 | #} elseif (!req.http.X-Forwarded-Proto && !req.http.Scheme && !proxy.is_ssl()) { 30 | # return (synth(750)); 31 | #} 32 | 33 | # Remove empty query string parameters 34 | # e.g.: www.example.com/index.html? 
35 | if (req.url ~ "\?$") { 36 | set req.url = regsub(req.url, "\?$", ""); 37 | } 38 | 39 | # Remove port number from host header 40 | set req.http.Host = regsub(req.http.Host, ":[0-9]+", ""); 41 | 42 | # Sorts query string parameters alphabetically for cache normalization purposes 43 | set req.url = std.querysort(req.url); 44 | 45 | # Remove the proxy header to mitigate the httpoxy vulnerability 46 | # See https://httpoxy.org/ 47 | unset req.http.proxy; 48 | 49 | # Add X-Forwarded-Proto header when using https 50 | if (!req.http.X-Forwarded-Proto) { 51 | if(std.port(server.ip) == 443 || std.port(server.ip) == 8443) { 52 | set req.http.X-Forwarded-Proto = "https"; 53 | } else { 54 | set req.http.X-Forwarded-Proto = "http"; 55 | } 56 | } 57 | 58 | # Purge logic to remove objects from the cache. 59 | # Tailored to the Proxy Cache Purge WordPress plugin 60 | # See https://wordpress.org/plugins/varnish-http-purge/ 61 | if(req.method == "PURGE") { 62 | if(!client.ip ~ purge) { 63 | return(synth(405,"PURGE not allowed for this IP address")); 64 | } 65 | if (req.http.X-Purge-Method == "regex") { 66 | ban("obj.http.x-url ~ " + req.url + " && obj.http.x-host == " + req.http.host); 67 | return(synth(200, "Purged")); 68 | } 69 | ban("obj.http.x-url == " + req.url + " && obj.http.x-host == " + req.http.host); 70 | return(synth(200, "Purged")); 71 | } 72 | 73 | # Only handle relevant HTTP request methods 74 | if ( 75 | req.method != "GET" && 76 | req.method != "HEAD" && 77 | req.method != "PUT" && 78 | req.method != "POST" && 79 | req.method != "PATCH" && 80 | req.method != "TRACE" && 81 | req.method != "OPTIONS" && 82 | req.method != "DELETE" 83 | ) { 84 | return (pipe); 85 | } 86 | 87 | # Remove tracking query string parameters used by analytics tools 88 | if (req.url ~ "(\?|&)(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=") { 89 | set req.url = regsuball(req.url, 
"&(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", ""); 90 | set req.url = regsuball(req.url, "\?(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "?"); 91 | set req.url = regsub(req.url, "\?&", "?"); 92 | set req.url = regsub(req.url, "\?$", ""); 93 | } 94 | 95 | # Only cache GET and HEAD requests 96 | if (req.method != "GET" && req.method != "HEAD") { 97 | set req.http.X-Cacheable = "NO:REQUEST-METHOD"; 98 | return(pass); 99 | } 100 | 101 | # Mark static files with the X-Static-File header, and remove any cookies 102 | # X-Static-File is also used in vcl_backend_response to identify static files 103 | if (req.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|gif|gz|ico|jpeg|jpg|js|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|ogg|ogm|opus|otf|pdf|png|ppt|pptx|rar|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|wav|webm|webp|woff|woff2|xls|xlsx|xml|xz|zip)(\?.*)?$") { 104 | set req.http.X-Static-File = "true"; 105 | unset req.http.Cookie; 106 | return(hash); 107 | } 108 | 109 | # No caching of special URLs, logged in users and some plugins 110 | if ( 111 | req.http.Cookie ~ "wordpress_(?!test_)[a-zA-Z0-9_]+|wp-postpass|comment_author_[a-zA-Z0-9_]+|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_[a-zA-Z0-9]+|wordpress_logged_in_|comment_author|PHPSESSID" || 112 | req.http.Authorization || 113 | req.url ~ "add_to_cart" || 114 | req.url ~ "edd_action" || 115 | req.url ~ "nocache" || 116 | req.url ~ "^/account" || 117 | req.url ~ "^/addons" || 118 | req.url ~ "^/bb-admin" || 119 | req.url ~ "^/bb-login.php" || 120 | req.url ~ "^/bb-reset-password.php" || 121 | req.url ~ "^/cart" || 122 | req.url ~ "^/checkout" || 123 | req.url ~ "^/control.php" || 124 | req.url ~ "^/dashboard" || 125 | req.url ~ "^/download" || 126 | req.url ~ "^/downloads" || 127 | req.url ~ "^/edit-account" || 128 | req.url ~ "^/edit-profile" || 129 | req.url ~ "^/forgot-password" || 130 | 
req.url ~ "^/forum" || 131 | req.url ~ "^/forums" || 132 | req.url ~ "^/groups" || 133 | req.url ~ "^/login" || 134 | req.url ~ "^/logout" || 135 | req.url ~ "^/lost-password" || 136 | req.url ~ "^/my-account" || 137 | req.url ~ "^/my-profile" || 138 | req.url ~ "^/orders" || 139 | req.url ~ "^/password-reset" || 140 | req.url ~ "^/product" || 141 | req.url ~ "^/profile" || 142 | req.url ~ "^/register" || 143 | req.url ~ "^/register.php" || 144 | req.url ~ "^/server-status" || 145 | req.url ~ "^/signin" || 146 | req.url ~ "^/signup" || 147 | req.url ~ "^/stats" || 148 | req.url ~ "^/wc-api" || 149 | req.url ~ "^/wp-admin" || 150 | req.url ~ "^/wp-admin/admin-ajax.php" || 151 | req.url ~ "^/wp-admin/install.php" || 152 | req.url ~ "^/wp-comments-post.php" || 153 | req.url ~ "^/wp-cron.php" || 154 | req.url ~ "^/wp-login.php" || 155 | req.url ~ "^/wp-activate.php" || 156 | req.url ~ "^/wp-mail.php" || 157 | req.url ~ "^/wp-login.php" || 158 | req.url ~ "^\?add-to-cart=" || 159 | req.url ~ "^\?wc-api=" || 160 | req.url ~ "^/preview=" || 161 | req.url ~ "^/\.well-known/acme-challenge/" 162 | ) { 163 | set req.http.X-Cacheable = "NO:Logged in/Got Sessions"; 164 | if(req.http.X-Requested-With == "XMLHttpRequest") { 165 | set req.http.X-Cacheable = "NO:Ajax"; 166 | } 167 | return(pass); 168 | } 169 | 170 | #set req.backend_hint = default.backend(); ## Set the backend that will receive the request 171 | 172 | if (req.url ~ "(wp-login|wp-admin|wp-json|preview=true)" || ## Uncacheable WordPress URLs 173 | req.url ~ "(cart|my-account/*|checkout|wc-api/*|addons|logout|lost-password)" || ## Uncacheable WooCommerce URLs 174 | req.url ~ "(remove_item|removed_item)" || ## Uncacheable WooCommerce URLs 175 | req.url ~ "\\?add-to-cart=" || ## Uncacheable WooCommerce URLs 176 | req.url ~ "\\?wc-(api|ajax)=" || ## Uncacheable WooCommerce URLs 177 | req.http.cookie ~ "(comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in)" || ## Uncacheable WordPress cookies 178 | 
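req.method == "POST") ## Do NOT cache POST requests
    {
        set req.http.X-Send-To-Backend = 1; ## X-Send-To-Backend is a special variable that will force the request to directly go to the backend
        return(pass); ## Now send off the request and stop processing
    }

    unset req.http.Cookie; # Remove all cookies

    # Remove any cookies left
    unset req.http.Cookie; ## Intentionally duplicating this line to ensure all cookies are removed
    return(hash);
}

# Adds the request protocol to the cache key so that http and https copies of
# a page are stored separately. There is no return here, so Varnish's built-in
# vcl_hash still runs afterwards.
sub vcl_hash {
    if (req.http.X-Forwarded-Proto) {
        # Create cache variations depending on the request protocol
        # NOTE(review): the visible part of vcl_recv only sets this header when
        # it is absent, so a value sent by the client is hashed as-is. Confirm
        # that the TLS terminator in front of Varnish overwrites it.
        hash_data(req.http.X-Forwarded-Proto);
    }
}

# Decides, per backend response, whether the object is stored and for how long.
# It tags the object for bans, forces a TTL, strips cookies from static files,
# and sets the X-Cacheable debug header that vcl_deliver passes on.
sub vcl_backend_response {
    # Inject URL & Host header into the object for asynchronous banning purposes
    set beresp.http.x-url = bereq.url;
    set beresp.http.x-host = bereq.http.host;

    # If we dont get a Cache-Control header from the backend
    # we default to 24h cache for all objects
    if (!beresp.http.Cache-Control) {
        set beresp.ttl = 24h;
        set beresp.grace = 1h;
        set beresp.http.X-Cacheable = "YES:Forced";
    }

    # If the file is marked as static we cache it for 1 day
    # NOTE(review): X-Static-File is an internal marker read from the backend
    # request. The visible part of vcl_recv sets it but never unsets a copy
    # supplied by the client; confirm it is stripped at the top of vcl_recv,
    # because this branch drops Set-Cookie and forces caching.
    if (bereq.http.X-Static-File == "true") {
        unset beresp.http.Set-Cookie;
        set beresp.http.X-Cacheable = "YES:Forced";
        set beresp.ttl = 1d;
    }

    # Remove the Set-Cookie header when a specific Wordfence cookie is set
    if (beresp.http.Set-Cookie ~ "wfvt_|wordfence_verifiedHuman") {
        unset beresp.http.Set-Cookie;
    }

    if (beresp.http.Set-Cookie) {
        set beresp.http.X-Cacheable = "NO:Got Cookies";
    } elseif (beresp.http.Cache-Control ~ "private") {
        set beresp.http.X-Cacheable = "NO:Cache-Control=private";
    }

    # Cache 404 responses only briefly (the final TTL block below leaves this
    # value alone)
    if (beresp.status == 404) {
        set beresp.ttl = 30s;
    }

    if (beresp.http.Content-Type ~ "text") {
        ## Do ESI processing on text output. Used for geoip plugins etc.
        ## See https://varnish-cache.org/docs/7.4/users-guide/esi.html
        # NOTE(review): this turns on ESI for every text response, so ESI tags
        # in content the backend echoes back from users are parsed as well.
        # Consider enabling it only for responses that explicitly opt in.
        set beresp.do_esi = true;
    }

    if (bereq.http.X-Send-To-Backend) {
        ## Our special variable again. It is here that we stop further processing of the request.
        return (deliver); ## Deliver the response to the user
    }

    # A response the backend marks "private" must not be stored in a shared
    # cache. Cache-Control is removed just below, so later checks can no longer
    # see the directive; without this branch the object was stored with the
    # forced TTL while X-Cacheable reported "NO:Cache-Control=private".
    # NOTE(review): no-store / no-cache are still overridden on purpose
    # ("We control the cache time, not WordPress"); confirm that is intended.
    if (beresp.http.Cache-Control ~ "private") {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }

    unset beresp.http.Cache-Control; ## Remove the Cache-Control header. We control the cache time, not WordPress.
    unset beresp.http.Pragma; ## Yet another cache-control header

    ## Set a lower TTL when caching images. HTML costs a lot more processing power than static files.
    ## 404 responses keep the 30s TTL set above; previously this block reset
    ## them to 1h/24h, so a missing page stayed cached long after it appeared.
    if (beresp.status != 404) {
        if (beresp.http.Content-Type ~ "image") {
            set beresp.ttl = 1h; ## 1 hour TTL for images
        } else {
            set beresp.ttl = 24h; ## 24 hour TTL for everything else
        }
    }
}

sub vcl_deliver {
    # Debug header
    if(req.http.X-Cacheable) {
        set resp.http.X-Cacheable = req.http.X-Cacheable;
    } elseif(obj.uncacheable) {
        if(!resp.http.X-Cacheable) {
            set resp.http.X-Cacheable = "NO:UNCACHEABLE";
        }
    } elseif(!resp.http.X-Cacheable) {
        set resp.http.X-Cacheable = "YES";
    }

    # Add the X-Cache: HIT/MISS/BYPASS header
    if (obj.hits > 0) {
        # If we had a HIT
        set resp.http.X-Cache = "HIT";
    } else {
        # If we had a MISS
        set resp.http.X-Cache = "MISS";
    }

    # Bypass variable. Signifies a hardcoded bypass
    if (req.http.X-Send-To-Backend)
    {
        ## If we had a BYPASS
        set resp.http.X-Cache = "BYPASS";
    }

    # Remove the Via: Varnish header for security reasons.
    # We don't want to expose that we run Varnish.
    unset resp.http.Via;
    # Remove the X-Varnish header for security reasons.
    # This would otherwise expose the Varnish version.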
290 | unset resp.http.X-Varnish; 291 | 292 | # Cleanup of headers 293 | unset resp.http.x-url; 294 | unset resp.http.x-host; 295 | } 296 | 297 | sub vcl_synth { 298 | if (resp.status == 750) { 299 | set resp.status = 301; 300 | set resp.http.location = "https://" + req.http.Host + req.url; 301 | set resp.reason = "Moved"; 302 | return (deliver); 303 | } 304 | } -------------------------------------------------------------------------------- /config/nginx/pagespeed/wily/changelog: -------------------------------------------------------------------------------- 1 | nginx (1.9.15-1~vstacklet~wily) wily; urgency=low 2 | 3 | * 1.9.15 4 | * njs updated to 1c50334fbea6. 5 | 6 | -- Konstantin Pavlov Tue, 19 Apr 2016 20:10:00 +0300 7 | 8 | nginx (1.9.14-1~wily) wily; urgency=low 9 | 10 | * 1.9.14 11 | 12 | -- Konstantin Pavlov Tue, 04 Apr 2016 17:30:00 +0300 13 | 14 | nginx (1.9.13-1~wily) wily; urgency=low 15 | 16 | * 1.9.13 17 | * Fixed modules path 18 | * Added perl and nJScript dynamic modules subpackages 19 | 20 | -- Konstantin Pavlov Tue, 29 Mar 2016 15:50:00 +0300 21 | 22 | nginx (1.9.12-1~wily) wily; urgency=low 23 | 24 | * 1.9.12 25 | * common configure args are now in variable 26 | * xslt, image-filter and geoip dynamic modules added 27 | 28 | -- Sergey Budnevitch Tue, 24 Feb 2016 18:24:00 +0300 29 | 30 | nginx (1.9.11-1) unstable; urgency=low 31 | 32 | * 1.9.11 33 | * dynamic modules path and symlink in /etc/nginx added 34 | 35 | -- Sergey Budnevitch Tue, 09 Feb 2016 17:37:00 +0300 36 | 37 | nginx (1.9.10-1) unstable; urgency=low 38 | 39 | * 1.9.10 40 | 41 | -- Konstantin Pavlov Tue, 26 Jan 2016 14:50:00 +0300 42 | 43 | nginx (1.9.9-1) unstable; urgency=low 44 | 45 | * 1.9.9 46 | 47 | -- Konstantin Pavlov Wed, 09 Dec 2015 14:50:00 +0300 48 | 49 | nginx (1.9.8-1) unstable; urgency=low 50 | 51 | * 1.9.8 52 | * http_slice module enabled 53 | 54 | -- Konstantin Pavlov Tue, 08 Dec 2015 15:55:00 +0300 55 | 56 | nginx (1.9.7-1) unstable; urgency=low 57 | 58 | * 1.9.7 59 
| 60 | -- Konstantin Pavlov Tue, 17 Nov 2015 14:50:00 +0300 61 | 62 | nginx (1.9.6-1) unstable; urgency=low 63 | 64 | * 1.9.6 65 | 66 | -- Sergey Budnevitch Tue, 27 Oct 2015 13:57:00 +0300 67 | 68 | nginx (1.9.5-1) unstable; urgency=low 69 | 70 | * 1.9.5 71 | * http_spdy module replaced with http_v2 module 72 | 73 | -- Andrei Belov Tue, 22 Sep 2015 10:30:00 +0300 74 | 75 | nginx (1.9.4-1) unstable; urgency=low 76 | 77 | * 1.9.4 78 | 79 | -- Konstantin Pavlov Tue, 18 Aug 2015 17:32:00 +0300 80 | 81 | nginx (1.9.3-1) unstable; urgency=low 82 | 83 | * 1.9.3 84 | 85 | -- Sergey Budnevitch Tue, 14 Jul 2015 14:57:00 +0300 86 | 87 | nginx (1.9.2-1) unstable; urgency=low 88 | 89 | * 1.9.2 90 | 91 | -- Sergey Budnevitch Tue, 16 Jun 2015 17:36:00 +0300 92 | 93 | nginx (1.9.1-1) unstable; urgency=low 94 | 95 | * 1.9.1 96 | 97 | -- Sergey Budnevitch Tue, 26 May 2015 16:01:00 +0300 98 | 99 | nginx (1.9.0-1) unstable; urgency=low 100 | 101 | * 1.9.0 102 | * thread pool support added 103 | * stream module added 104 | * example_ssl.conf removed 105 | 106 | -- Sergey Budnevitch Tue, 28 Apr 2015 11:29:00 +0300 107 | 108 | nginx (1.7.12-1) unstable; urgency=low 109 | 110 | * 1.7.12 111 | 112 | -- Sergey Budnevitch Tue, 07 Apr 2015 19:33:00 +0300 113 | 114 | nginx (1.7.11-1) unstable; urgency=low 115 | 116 | * 1.7.11 117 | 118 | -- Sergey Budnevitch Tue, 24 Mar 2015 18:52:00 +0300 119 | 120 | nginx (1.7.10-1) unstable; urgency=low 121 | 122 | * 1.7.10 123 | 124 | -- Sergey Budnevitch Tue, 10 Feb 2015 15:33:00 +0300 125 | 126 | nginx (1.7.9-1) unstable; urgency=low 127 | 128 | * 1.7.9 129 | * init-script now sends signal only to the PID derived from pidfile 130 | 131 | -- Sergey Budnevitch Tue, 23 Dec 2014 17:56:00 +0300 132 | 133 | nginx (1.7.8-1) unstable; urgency=low 134 | 135 | * 1.7.8 136 | * package with debug symbols added 137 | 138 | -- Sergey Budnevitch Tue, 02 Dec 2014 12:00:00 +0300 139 | 140 | nginx (1.7.7-1) unstable; urgency=low 141 | 142 | * 1.7.7 143 | 144 | -- Sergey 
Budnevitch Tue, 28 Oct 2014 16:35:00 +0400 145 | 146 | nginx (1.7.6-1) unstable; urgency=low 147 | 148 | * 1.7.6 149 | 150 | -- Sergey Budnevitch Tue, 30 Sep 2014 17:53:00 +0400 151 | 152 | nginx (1.7.5-1) unstable; urgency=low 153 | 154 | * 1.7.5 155 | 156 | -- Sergey Budnevitch Tue, 16 Sep 2014 13:49:00 +0400 157 | 158 | nginx (1.7.4-1) unstable; urgency=low 159 | 160 | * 1.7.4 161 | * init-script now returns 0 on stop command if nginx is not running 162 | 163 | -- Sergey Budnevitch Tue, 05 Aug 2014 14:10:00 +0400 164 | 165 | nginx (1.7.3-1) unstable; urgency=low 166 | 167 | * 1.7.3 168 | 169 | -- Sergey Budnevitch Tue, 08 Jul 2014 18:33:00 +0400 170 | 171 | nginx (1.7.2-1) unstable; urgency=low 172 | 173 | * 1.7.2 174 | 175 | -- Sergey Budnevitch Tue, 17 Jun 2014 18:18:00 +0400 176 | 177 | nginx (1.7.1-1) unstable; urgency=low 178 | 179 | * 1.7.1 180 | 181 | -- Sergey Budnevitch Tue, 27 May 2014 18:12:00 +0400 182 | 183 | nginx (1.7.0-1) unstable; urgency=low 184 | 185 | * 1.7.0 186 | 187 | -- Konstantin Pavlov Thu, 24 Apr 2014 19:30:07 +0400 188 | 189 | nginx (1.5.13-1) unstable; urgency=low 190 | 191 | * 1.5.13 192 | 193 | -- Sergey Budnevitch Tue, 08 Apr 2014 17:00:00 +0400 194 | 195 | nginx (1.5.12-1) unstable; urgency=low 196 | 197 | * 1.5.12 198 | * warning added when binary upgrade returns non-zero exit code 199 | 200 | -- Sergey Budnevitch Tue, 18 Mar 2014 16:04:01 +0400 201 | 202 | nginx (1.5.11-1) unstable; urgency=low 203 | 204 | * 1.5.11 205 | 206 | -- Sergey Budnevitch Tue, 04 Mar 2014 15:33:32 +0400 207 | 208 | nginx (1.5.10-1) unstable; urgency=low 209 | 210 | * 1.5.10 211 | 212 | -- Sergey Budnevitch Tue, 04 Feb 2014 16:12:01 +0400 213 | 214 | nginx (1.5.9-1) unstable; urgency=low 215 | 216 | * 1.5.9 217 | 218 | -- Sergey Budnevitch Wed, 22 Jan 2014 17:54:40 +0400 219 | 220 | nginx (1.5.8-1) unstable; urgency=low 221 | 222 | * 1.5.8 223 | 224 | -- Sergey Budnevitch Tue, 17 Dec 2013 18:05:32 +0400 225 | 226 | nginx (1.5.7-1) unstable; urgency=low 
227 | 228 | * 1.5.7 229 | * init script now honours additional options sourced from /etc/default/nginx 230 | 231 | -- Sergey Budnevitch Tue, 19 Nov 2013 15:59:56 +0400 232 | 233 | nginx (1.5.6-1) unstable; urgency=low 234 | 235 | * 1.5.6 236 | 237 | -- Sergey Budnevitch Tue, 01 Oct 2013 16:35:33 +0400 238 | 239 | nginx (1.5.5-1) unstable; urgency=low 240 | 241 | * 1.5.5 242 | 243 | -- Andrei Belov Tue, 17 Sep 2013 17:40:00 +0400 244 | 245 | nginx (1.5.4-1) unstable; urgency=low 246 | 247 | * 1.5.4 248 | * auth request module added 249 | 250 | -- Sergey Budnevitch Tue, 27 Aug 2013 15:00:00 +0400 251 | 252 | nginx (1.5.3-1) unstable; urgency=low 253 | 254 | * 1.5.3 255 | 256 | -- Sergey Budnevitch Tue, 30 Jul 2013 13:55:04 +0400 257 | 258 | nginx (1.5.2-1) unstable; urgency=low 259 | 260 | * 1.5.2 261 | 262 | -- Sergey Budnevitch Tue, 02 Jul 2013 17:27:00 +0400 263 | 264 | nginx (1.5.1-1) unstable; urgency=low 265 | 266 | * 1.5.1 267 | * dpkg-buildflags options now passed by --with-{cc,ld}-opt 268 | 269 | -- Sergey Budnevitch Tue, 04 Jun 2013 17:45:54 +0400 270 | 271 | nginx (1.5.0-1) unstable; urgency=low 272 | 273 | * 1.5.0 274 | * fixed openssl version detection with dash as /bin/sh 275 | 276 | -- Sergey Budnevitch Tue, 06 May 2013 14:15:00 +0400 277 | 278 | nginx (1.3.16-1) unstable; urgency=low 279 | 280 | * 1.3.16 281 | 282 | -- Sergey Budnevitch Tue, 16 Apr 2013 16:44:00 +0400 283 | 284 | nginx (1.3.15-1) unstable; urgency=low 285 | 286 | * 1.3.15 287 | * gunzip module added 288 | * spdy module added if openssl version >= 1.0.1 289 | * set permissions on default log files at installation 290 | 291 | -- Sergey Budnevitch Tue, 26 Mar 2013 19:05:00 +0400 292 | 293 | nginx (1.2.7-1) unstable; urgency=low 294 | 295 | * 1.2.7 296 | * excess slash removed from --prefix 297 | 298 | -- Sergey Budnevitch Tue, 12 Feb 2013 17:45:00 +0400 299 | 300 | nginx (1.2.6-1) unstable; urgency=low 301 | 302 | * 1.2.6 303 | 304 | -- Sergey Budnevitch Tue, 11 Dec 2012 18:40:00 +0400 
305 | 306 | nginx (1.2.5-1) unstable; urgency=low 307 | 308 | * 1.2.5 309 | 310 | -- Sergey Budnevitch Tue, 13 Nov 2012 15:52:57 +0400 311 | 312 | nginx (1.2.4-1) unstable; urgency=low 313 | 314 | * 1.2.4 315 | 316 | -- Sergey Budnevitch Tue, 25 Sep 2012 14:54:32 +0400 317 | 318 | nginx (1.2.3-1) unstable; urgency=low 319 | 320 | * 1.2.3 321 | 322 | -- Sergey Budnevitch Tue, 07 Aug 2012 15:51:30 +0400 323 | 324 | nginx (1.2.2-1) unstable; urgency=low 325 | 326 | * 1.2.2 327 | 328 | -- Sergey Budnevitch Tue, 03 Jul 2012 15:31:29 +0400 329 | 330 | nginx (1.2.1-1) unstable; urgency=low 331 | 332 | * 1.2.1 333 | * package provides 'httpd' (ticket #158) 334 | * upgrade action added to postinst script 335 | * minor fix in prerm 336 | 337 | -- Sergey Budnevitch Tue, 05 Jun 2012 14:41:56 +0400 338 | 339 | nginx (1.2.0-1) unstable; urgency=low 340 | 341 | * 1.2.0 342 | 343 | -- Sergey Budnevitch Mon, 23 Apr 2012 17:04:12 +0400 344 | 345 | nginx (1.0.15-1) unstable; urgency=low 346 | 347 | * 1.0.15 348 | 349 | -- Sergey Budnevitch Thu, 12 Apr 2012 16:40:00 +0400 350 | 351 | nginx (1.0.14-2) unstable; urgency=low 352 | * postinst script added to fix error on installation when another 353 | process listens on 80 port 354 | 355 | -- Sergey Budnevitch Thu, 22 Mar 2012 12:40:34 +0400 356 | 357 | nginx (1.0.14-1) unstable; urgency=low 358 | 359 | * 1.0.14 360 | 361 | -- Sergey Budnevitch Thu, 15 Mar 2012 16:47:09 +0400 362 | 363 | nginx (1.0.13-1) unstable; urgency=low 364 | 365 | * 1.0.13 366 | 367 | -- Sergey Budnevitch Mon, 05 Mar 2012 20:19:10 +0400 368 | 369 | nginx (1.0.12-1) unstable; urgency=low 370 | 371 | * 1.0.12 372 | * banner added to install script 373 | 374 | -- Sergey Budnevitch Mon, 06 Feb 2012 18:24:15 +0400 375 | 376 | nginx (1.0.11-1) unstable; urgency=low 377 | 378 | * 1.0.11 379 | * init script enhancements (thanks to Gena Makhomed) 380 | 381 | -- Sergey Budnevitch Thu, 15 Dec 2011 19:05:46 +0400 382 | 383 | nginx (1.0.10-1) unstable; urgency=low 384 | 385 | 
* 1.0.10 386 | 387 | -- Sergey Budnevitch Tue, 15 Nov 2011 12:55:36 +0400 388 | 389 | nginx (1.0.9-1) unstable; urgency=low 390 | 391 | * 1.0.9 392 | * nginx-debug package added 393 | 394 | -- Sergey Budnevitch Tue, 01 Nov 2011 18:54:02 +0400 395 | 396 | nginx (1.0.8-2) unstable; urgency=low 397 | 398 | * typo in configure fixed 399 | * upgrade and configtest arguments to init-script added (based on fedora one) 400 | * logrotate creates new logfiles with nginx owner 401 | 402 | -- Sergey Budnevitch Tue, 11 Oct 2011 19:49:11 +0400 403 | 404 | nginx (1.0.8-1) unstable; urgency=low 405 | 406 | * 1.0.8 407 | * built with mp4 module 408 | 409 | -- Sergey Budnevitch Sat, 01 Oct 2011 17:22:17 +0400 410 | 411 | nginx (1.0.7-1) unstable; urgency=low 412 | 413 | * 1.0.7 414 | 415 | -- Sergey Budnevitch Fri, 30 Sep 2011 18:34:17 +0400 416 | 417 | nginx (1.0.6-1) unstable; urgency=low 418 | 419 | * 1.0.6 420 | * replace "conf.d/*" config include with "conf.d/*.conf" in default nginx.conf 421 | 422 | -- Sergey Budnevitch Tue, 30 Aug 2011 19:27:16 +0400 423 | 424 | nginx (1.0.5-1) unstable; urgency=low 425 | 426 | * Initial release 427 | 428 | -- Sergey Budnevitch Thu, 11 Aug 2011 12:57:47 +0400 429 | -------------------------------------------------------------------------------- /config/nginx/pagespeed/[wip]nginx-pagespeed.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # [VStacklet Nginx+Pagespeed Compilation & Installation Script] 4 | # 5 | # GitHub: https://github.com/JMSDOnline/vstacklet 6 | # Author: Jason Matthews 7 | # URL: https://jmsolodesigns.com/code-projects/vstacklet/varnish-lemp-stack 8 | # 9 | ################################################################################# 10 | #Script Console Colors 11 | black=$(tput setaf 0); red=$(tput setaf 1); green=$(tput setaf 2); yellow=$(tput setaf 3); 12 | blue=$(tput setaf 4); magenta=$(tput setaf 5); cyan=$(tput setaf 6); white=$(tput setaf 7); 13 | 
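on_red=$(tput setab 1); on_green=$(tput setab 2); on_yellow=$(tput setab 3); on_blue=$(tput setab 4);
on_magenta=$(tput setab 5); on_cyan=$(tput setab 6); on_white=$(tput setab 7); bold=$(tput bold);
dim=$(tput dim); underline=$(tput smul); reset_underline=$(tput rmul); standout=$(tput smso);
reset_standout=$(tput rmso); normal=$(tput sgr0); alert=${white}${on_red}; title=${standout};
sub_title=${bold}${yellow}; repo_title=${black}${on_green};
#################################################################################
# Prints a 16-character alphanumeric string.
# NOTE(review): perl's rand is not a cryptographic generator; do not use this
# helper for passwords or keys. It is not called in the visible part of the script.
function _string() { perl -le 'print map {(a..z,A..Z,0..9)[rand 62] } 0..pop' 15 ; }

# intro function (1)
# Prints the banner and exits unless lsb_release reports Ubuntu 14.04, 15.10
# or 16.04. Sets the globals dis and rel that later steps read.
function _intro() {
  echo
  echo
  echo " [${repo_title}vstacklet${normal}] ${title} Nginx+Pagespeed Compilation & Installation Script ${normal}"
  echo " Configured and tested for Ubuntu 14.04, 15.10 & 16.04"
  echo
  echo

  echo "${green}Checking distribution ...${normal}"
  if [ ! -x /usr/bin/lsb_release ]; then
    echo 'You do not appear to be running Ubuntu.'
    echo 'Exiting...'
    exit 1
  fi
  echo "$(lsb_release -a)"
  echo
  dis="$(lsb_release -is)"
  rel="$(lsb_release -rs)"
  if [[ "${dis}" != "Ubuntu" ]]; then
    echo "${dis}: You do not appear to be running Ubuntu"
    echo 'Exiting...'
    exit 1
  elif [[ ! "${rel}" =~ ("14.04"|"15.10"|"16.04") ]]; then
    echo "${bold}${rel}:${normal} You do not appear to be running a supported Ubuntu release."
    echo 'Exiting...'
    exit 1
  fi
}

# check if root function (2)
# Exits unless the effective UID is 0.
function _checkroot() {
  if [[ $EUID != 0 ]]; then
    echo 'This script must be run with root privileges.'
    echo 'Exiting...'
    exit 1
  fi
  echo "${green}Congrats! You're running as root. Let's continue${normal} ... "
  echo
}

# check if create log function (3)
# Asks whether command output should be logged and sets OUTTO, the file every
# later step appends to with >>"${OUTTO}" 2>&1.
function _logcheck() {
  echo -ne "${bold}${yellow}Do you wish to write to a log file?${normal} (Default: ${green}${bold}Y${normal}) "; read input
  case $input in
    # Absolute path: the build steps cd into several directories, so a relative
    # name would scatter log files instead of writing the /root log announced here.
    [yY] | [yY][Ee][Ss] | "" ) OUTTO="/root/vstacklet-nginx.log";echo "${bold}Output is being sent to /root/vstacklet-nginx.log${normal}" ;;
    # OUTTO is always used quoted as a redirection target, so it must be a bare
    # path; the former value "/dev/null 2>&1" named a file literally called that.
    [nN] | [nN][Oo] ) OUTTO="/dev/null";echo "${cyan}NO output will be logged${normal}" ;;
    *) OUTTO="/root/vstacklet-nginx.log";echo "${bold}Output is being sent to /root/vstacklet-nginx.log${normal}" ;;
  esac
  echo
  echo "Press ${standout}${green}ENTER${normal} when you're ready to begin" ;read input
  echo
}

# Refreshes the apt package index.
function _aupdate() {
  apt-get -y update >>"${OUTTO}" 2>&1;
  echo "${OK}"
}

# package and repo addition (a) _install common properties_
function _softcommon() {
  apt-get -y install software-properties-common python-software-properties apt-transport-https >>"${OUTTO}" 2>&1;
  echo "${OK}"
  #echo
}

# package and repo addition (b) _install softwares and packages_
function _depends() {
  apt-get -y install dpkg-dev build-essential zlib1g-dev libpcre3 libpcre3-dev unzip curl >>"${OUTTO}" 2>&1;
  echo "${OK}"
  #echo
}

# package and repo addition (c) _add signed keys_
# Adds the nginx.org package signing key to apt's trusted keys.
function _keys() {
  # Fetch the key over HTTPS: it becomes a trust anchor for every package apt
  # installs from this repository, so it must not travel over plain HTTP where
  # it can be replaced in transit. -f stops an HTTP error page from being piped
  # into apt-key.
  # NOTE(review): also compare the key fingerprint with the value nginx.org
  # publishes (<EXPECTED_FINGERPRINT>) before trusting it. Output is discarded
  # here, so a failed import still prints DONE.
  curl -fs https://nginx.org/keys/nginx_signing.key | apt-key add - > /dev/null 2>&1;
  echo "${OK}"
  #echo
}

# package and repo addition (d) _add repo sources_
# NOTE(review): in this copy of the script the here-documents written to
# nginx-vstacklet.list and the header of the next function (the main section
# calls _bupdate) were lost; the text from "cat >" to the closing brace is
# reproduced exactly as it appears and is not runnable as shown.
function _repos() {
  if [[ ${rel} = "16.04" ]]; then
    cat >/etc/apt/sources.list.d/nginx-vstacklet.list</etc/apt/sources.list.d/nginx-vstacklet.list</etc/apt/sources.list.d/nginx-vstacklet.list<>"${OUTTO}" 2>&1;
  echo "${OK}"
  #echo
}

# Downloads the nginx source package and its build dependencies into
# ~/new/nginx_source/.
function _buildnginx() {
  mkdir -p ~/new/nginx_source/
  cd ~/new/nginx_source/
  apt-get -y source nginx >>"${OUTTO}" 2>&1;
  apt-get -y build-dep nginx >>"${OUTTO}" 2>&1;
  echo "${OK}"
  #echo
}

# Downloads ngx_pagespeed and its PSOL archive, then patches the Debian build
# rules of the nginx source tree so the module is compiled in.
function _buildpagespeed() {
  mkdir -p ~/new/ngx_pagespeed/
  cd ~/new/ngx_pagespeed/
  # TLS certificate verification stays on: this archive is compiled and
  # installed as root, and --no-check-certificate would accept it from any host
  # able to intercept the connection.
  # NOTE(review): master.zip is a moving target; pin a release tag and verify a
  # checksum so the build input is reproducible.
  wget https://github.com/pagespeed/ngx_pagespeed/archive/master.zip > /dev/null 2>&1;
  unzip master.zip > /dev/null 2>&1;
  cd ngx_pagespeed-master/
  # Start bush.sh fresh and append the extracted wget line(s); the previous
  # order (shebang appended, then grep with ">") overwrote the shebang.
  echo '#!/bin/bash' > bush.sh
  grep wget config >> bush.sh
  sed -i 's/echo " $ w/w/' bush.sh
  sed -i 's/gz"/gz/' bush.sh
  # NOTE(review): this executes, as root, command lines lifted from a file in
  # the downloaded archive. Review bush.sh (or hard-code the PSOL URL with a
  # checksum) rather than running it unseen.
  bash bush.sh > /dev/null 2>&1;
  tar -xzf *.tar.gz >>"${OUTTO}" 2>&1;

  cd /root/new/nginx_source/nginx-*/
  # NOTE(review): NGVS is assigned in the main section from the name of the
  # directory the script was started in, before any source is fetched, and the
  # quoted right-hand side here is compared literally (no glob), so this branch
  # is unlikely ever to run. Confirm how NGVS was meant to be derived.
  if [[ "${NGVS}" = "nginx-1.10.*" ]]; then
    cd ~/new/
    mv ~/new/ngx_pagespeed ~/new/nginx_source/nginx-*/debian/modules/
  fi

  cd ~/new/nginx_source/nginx-*/debian/
  if [[ "${rel}" = "14.04" ]]; then
    sed -i '22 a \ \ \ \ \ \--add-module=../../ngx_pagespeed/ngx_pagespeed-master \\' rules
    sed -i '61 a \ \ \ \ \ \--add-module=../../ngx_pagespeed/ngx_pagespeed-master \\' rules
    cd ~/new/nginx_source/nginx-*/src/core
    sed -i 's/"nginx\/\" NGINX_VERSION/"nginx\/\" NGINX_VERSION "~vstacklet"/g' nginx.h
    cd
  fi
  # NOTE(review): the changelog and rules files below replace the package's own
  # build instructions with files taken from a branch head; pin them to a commit.
  if [[ "${rel}" =~ ("15.04"|"15.10") ]]; then
    curl -s -Lo ~/new/nginx_source/nginx-*/debian/changelog https://raw.githubusercontent.com/JMSDOnline/vstacklet/development/nginx/wily/changelog
    curl -s -Lo ~/new/nginx_source/nginx-*/debian/rules https://raw.githubusercontent.com/JMSDOnline/vstacklet/development/nginx/wily/rules
    cd ~/new/nginx_source/nginx-*/src/core
    sed -i 's/"nginx\/\" NGINX_VERSION/"nginx\/\" NGINX_VERSION "~vstacklet"/g' nginx.h
    cd
  fi
  if [[ "${rel}" = "16.04" ]]; then
    cd /root/new/nginx_source/nginx-*/
    if [[ "${NGVS}" = "nginx-1.9.15" ]]; then
      curl -s -Lo ~/new/nginx_source/nginx-*/debian/changelog https://raw.githubusercontent.com/JMSDOnline/vstacklet/development/nginx/wily/changelog
      curl -s -Lo ~/new/nginx_source/nginx-*/debian/rules https://raw.githubusercontent.com/JMSDOnline/vstacklet/development/nginx/wily/rules
      cd ~/new/nginx_source/nginx-*/src/core
      sed -i 's/"nginx\/\" NGINX_VERSION/"nginx\/\" NGINX_VERSION "~vstacklet"/g' nginx.h
      cd
    fi
    if [[ "${NGVS}" = "nginx-1.10.*" ]]; then
      curl -s -Lo ~/new/nginx_source/nginx-*/debian/rules https://raw.githubusercontent.com/JMSDOnline/vstacklet/development/nginx/xenial/rules
      cd ~/new/nginx_source/nginx-*/src/core
      sed -i 's/"nginx\/\" NGINX_VERSION/"nginx\/\" NGINX_VERSION "~vstacklet"/g' nginx.h
      cd
    fi
  fi
  echo "${OK}"
  #echo
}

# Builds the .deb packages and installs the one matching NGVS.
# NOTE(review): when NGVS matches neither value nothing is installed, yet DONE
# is still printed.
function _compnginx() {
  cd ~/new/nginx_source/nginx-*/
  dpkg-buildpackage -b >>"${OUTTO}" 2>&1;
  cd ~/new/nginx_source/nginx-*/
  if [[ "${NGVS}" = "nginx-1.9.15" ]]; then
    cd ~/new/nginx_source/
    dpkg -i nginx_*amd64.deb >>"${OUTTO}" 2>&1;
  elif [[ "${NGVS}" = "nginx-1.10.0" ]]; then
    cd ~/new/nginx_source/
    dpkg -i nginx_*all.deb >>"${OUTTO}" 2>&1;
  fi
  echo "${OK}"
  #echo
}

# set page speed module on function
# Sets setpsng to yes/no; any other answer leaves it unset, in which case
# neither _setpsng nor _nosetpsng changes anything.
function _asksetpsng() {
  echo -n "${bold}${yellow}Are you rebuilding over a current Nginx install?${normal} (${bold}${green}N${normal}/y): "
  read responce
  case $responce in
    [yY] | [yY][Ee][Ss] ) setpsng=yes ;;
    [nN] | [nN][Oo] | "" ) setpsng=no ;;
  esac
  echo
}

# Rebuild over an existing install: creates the cache directory and appends
# commented-out pagespeed directives to nginx.conf for the admin to place.
function _setpsng() {
  if [[ ${setpsng} == "yes" ]]; then
    mkdir -p /etc/nginx/ngx_pagespeed_cache
    chown -R www-data:www-data /etc/nginx/ngx_pagespeed_cache
    cd /etc/nginx/
    echo "# Set the two variable below within your http {} block" >> nginx.conf
    echo "# Prefereably under the gzip module setting" >> nginx.conf
    echo "# pagespeed on;" >> nginx.conf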
228 | echo "# pagespeed FileCachePath /etc/nginx/ngx_pagespeed_cache;" >> nginx.conf 229 | echo "${OK}" 230 | fi 231 | } 232 | 233 | function _nosetpsng() { 234 | if [[ ${setpsng} == "no" ]]; then 235 | mkdir -p /etc/nginx/ngx_pagespeed_cache 236 | chown -R www-data:www-data /etc/nginx/ngx_pagespeed_cache 237 | cd /etc/nginx/ 238 | sed -i '30i \ \ \ \ \pagespeed on;' nginx.conf 239 | sed -i '31i \ \ \ \ \pagespeed FileCachePath /etc/nginx/ngx_pagespeed_cache;' nginx.conf 240 | echo "${OK}" 241 | fi 242 | } 243 | 244 | #function _setpsng() { 245 | # mkdir -p /etc/nginx/ngx_pagespeed_cache 246 | # chown -R www-data:www-data /etc/nginx/ngx_pagespeed_cache 247 | # cd /etc/nginx/ 248 | # sed -i '30i \ \ \ \ \pagespeed on;' nginx.conf 249 | # sed -i '31i \ \ \ \ \pagespeed FileCachePath /etc/nginx/ngx_pagespeed_cache;' nginx.conf 250 | # echo "${OK}" 251 | # #echo 252 | #} 253 | 254 | function _restartservice() { 255 | service nginx restart 256 | echo "${OK}" 257 | #echo 258 | } 259 | 260 | function _psngprooftest() { 261 | PSVERIFY=$(curl -s -I -p http://localhost|grep X-Page-Speed) 262 | echo "${standout}$PSVERIFY${normal}" 263 | } 264 | 265 | 266 | clear 267 | 268 | S=$(date +%s) 269 | OK=$(echo -e "[ ${bold}${green}DONE${normal} ]") 270 | 271 | _intro 272 | _checkroot 273 | _logcheck 274 | echo -n "${bold}Running Initial System Updates${normal} ... ";_aupdate 275 | echo -n "${bold}Installing Common Software Properties${normal} ... ";_softcommon 276 | echo -n "${bold}Installing Software Packages and Dependencies${normal} ... ";_depends 277 | echo -n "${bold}Installing Required Signed Keys${normal} ... ";_keys 278 | echo -n "${bold}Sending Repo to ${yellow}sources.list.d/nginx-vstacklet.list${normal} ... ";_repos 279 | echo -n "${bold}Running System Updates against New Repos${normal} ... ";_bupdate 280 | NGVS=$(printf '%q\n' "${PWD##*/}"); 281 | echo -n "${bold}Setting Up and Building Nginx${normal} ... 
";_buildnginx 282 | echo -n "${bold}Setting Up and Building Pagespeed${normal} ... ";_buildpagespeed 283 | echo -n "${bold}Compiling Nginx-full-vstacklet with Pagespeed${normal} ... ";_compnginx 284 | _asksetpsng;echo; 285 | echo -n "${bold}Creating Pagespeed Cache Directory ${yellow}[see /etc/nginx/nginx.conf]${normal} ... ";_setpsng 286 | echo -n "${bold}Creating Pagespeed Cache Directory and Enabling${normal} ... ";_nosetpsng 287 | echo -n "${bold}Restarting Nginx${normal} ... ";_restartservice 288 | echo -n "${bold}Verifying X-Page-Speed${normal} ... ";_psngprooftest 289 | 290 | exit 291 | -------------------------------------------------------------------------------- /config/nginx/server.configs/directives/sec-bad-bots.conf: -------------------------------------------------------------------------------- 1 | set $bad_ua 0; 2 | if ($http_user_agent ~ "WebBandit") { 3 | set $bad_ua 1; 4 | } 5 | if ($http_user_agent ~ "webbandit") { 6 | set $bad_ua 1; 7 | } 8 | if ($http_user_agent ~ "Acunetix") { 9 | set $bad_ua 1; 10 | } 11 | if ($http_user_agent ~ "binlar") { 12 | set $bad_ua 1; 13 | } 14 | if ($http_user_agent ~ "BlackWidow") { 15 | set $bad_ua 1; 16 | } 17 | if ($http_user_agent ~ "Bolt 0") { 18 | set $bad_ua 1; 19 | } 20 | if ($http_user_agent ~ "Bot mailto:craftbot@yahoo.com") { 21 | set $bad_ua 1; 22 | } 23 | if ($http_user_agent ~ "BOT for JCE") { 24 | set $bad_ua 1; 25 | } 26 | if ($http_user_agent ~ "casper") { 27 | set $bad_ua 1; 28 | } 29 | if ($http_user_agent ~ "checkprivacy") { 30 | set $bad_ua 1; 31 | } 32 | if ($http_user_agent ~ "ChinaClaw") { 33 | set $bad_ua 1; 34 | } 35 | if ($http_user_agent ~ "clshttp") { 36 | set $bad_ua 1; 37 | } 38 | if ($http_user_agent ~ "cmsworldmap") { 39 | set $bad_ua 1; 40 | } 41 | if ($http_user_agent ~ "comodo") { 42 | set $bad_ua 1; 43 | } 44 | if ($http_user_agent ~ "Custo") { 45 | set $bad_ua 1; 46 | } 47 | if ($http_user_agent ~ "Default Browser 0") { 48 | set $bad_ua 1; 49 | } 50 | if ($http_user_agent ~ 
"diavol") { 51 | set $bad_ua 1; 52 | } 53 | if ($http_user_agent ~ "DIIbot") { 54 | set $bad_ua 1; 55 | } 56 | if ($http_user_agent ~ "DISCo") { 57 | set $bad_ua 1; 58 | } 59 | if ($http_user_agent ~ "dotbot") { 60 | set $bad_ua 1; 61 | } 62 | if ($http_user_agent ~ "Download Demon") { 63 | set $bad_ua 1; 64 | } 65 | if ($http_user_agent ~ "eCatch") { 66 | set $bad_ua 1; 67 | } 68 | if ($http_user_agent ~ "EirGrabber") { 69 | set $bad_ua 1; 70 | } 71 | if ($http_user_agent ~ "EmailCollector") { 72 | set $bad_ua 1; 73 | } 74 | if ($http_user_agent ~ "EmailSiphon") { 75 | set $bad_ua 1; 76 | } 77 | if ($http_user_agent ~ "EmailWolf") { 78 | set $bad_ua 1; 79 | } 80 | if ($http_user_agent ~ "Express WebPictures") { 81 | set $bad_ua 1; 82 | } 83 | if ($http_user_agent ~ "extract") { 84 | set $bad_ua 1; 85 | } 86 | if ($http_user_agent ~ "ExtractorPro") { 87 | set $bad_ua 1; 88 | } 89 | if ($http_user_agent ~ "EyeNetIE") { 90 | set $bad_ua 1; 91 | } 92 | if ($http_user_agent ~ "feedfinder") { 93 | set $bad_ua 1; 94 | } 95 | if ($http_user_agent ~ "FHscan") { 96 | set $bad_ua 1; 97 | } 98 | if ($http_user_agent ~ "FlashGet") { 99 | set $bad_ua 1; 100 | } 101 | if ($http_user_agent ~ "flicky") { 102 | set $bad_ua 1; 103 | } 104 | if ($http_user_agent ~ "GetRight") { 105 | set $bad_ua 1; 106 | } 107 | if ($http_user_agent ~ "GetWeb!") { 108 | set $bad_ua 1; 109 | } 110 | if ($http_user_agent ~ "Go-Ahead-Got-It") { 111 | set $bad_ua 1; 112 | } 113 | if ($http_user_agent ~ "Go!Zilla") { 114 | set $bad_ua 1; 115 | } 116 | if ($http_user_agent ~ "grab") { 117 | set $bad_ua 1; 118 | } 119 | if ($http_user_agent ~ "GrabNet") { 120 | set $bad_ua 1; 121 | } 122 | if ($http_user_agent ~ "Grafula") { 123 | set $bad_ua 1; 124 | } 125 | if ($http_user_agent ~ "harvest") { 126 | set $bad_ua 1; 127 | } 128 | if ($http_user_agent ~ "HMView") { 129 | set $bad_ua 1; 130 | } 131 | if ($http_user_agent ~ "ia_archiver") { 132 | set $bad_ua 1; 133 | } 134 | if ($http_user_agent ~ "Image 
Stripper") { 135 | set $bad_ua 1; 136 | } 137 | if ($http_user_agent ~ "Image Sucker") { 138 | set $bad_ua 1; 139 | } 140 | if ($http_user_agent ~ "InterGET") { 141 | set $bad_ua 1; 142 | } 143 | if ($http_user_agent ~ "Internet Ninja") { 144 | set $bad_ua 1; 145 | } 146 | if ($http_user_agent ~ "InternetSeer.com") { 147 | set $bad_ua 1; 148 | } 149 | if ($http_user_agent ~ "jakarta") { 150 | set $bad_ua 1; 151 | } 152 | if ($http_user_agent ~ "Java") { 153 | set $bad_ua 1; 154 | } 155 | if ($http_user_agent ~ "JetCar") { 156 | set $bad_ua 1; 157 | } 158 | if ($http_user_agent ~ "JOC Web Spider") { 159 | set $bad_ua 1; 160 | } 161 | if ($http_user_agent ~ "kmccrew") { 162 | set $bad_ua 1; 163 | } 164 | if ($http_user_agent ~ "larbin") { 165 | set $bad_ua 1; 166 | } 167 | if ($http_user_agent ~ "LeechFTP") { 168 | set $bad_ua 1; 169 | } 170 | if ($http_user_agent ~ "libwww") { 171 | set $bad_ua 1; 172 | } 173 | if ($http_user_agent ~ "Mass Downloader") { 174 | set $bad_ua 1; 175 | } 176 | if ($http_user_agent ~ "Maxthon$") { 177 | set $bad_ua 1; 178 | } 179 | if ($http_user_agent ~ "microsoft.url") { 180 | set $bad_ua 1; 181 | } 182 | if ($http_user_agent ~ "MIDown tool") { 183 | set $bad_ua 1; 184 | } 185 | if ($http_user_agent ~ "miner") { 186 | set $bad_ua 1; 187 | } 188 | if ($http_user_agent ~ "Mister PiX") { 189 | set $bad_ua 1; 190 | } 191 | if ($http_user_agent ~ "NEWT") { 192 | set $bad_ua 1; 193 | } 194 | if ($http_user_agent ~ "MSFrontPage") { 195 | set $bad_ua 1; 196 | } 197 | if ($http_user_agent ~ "Navroad") { 198 | set $bad_ua 1; 199 | } 200 | if ($http_user_agent ~ "NearSite") { 201 | set $bad_ua 1; 202 | } 203 | if ($http_user_agent ~ "Net Vampire") { 204 | set $bad_ua 1; 205 | } 206 | if ($http_user_agent ~ "NetAnts") { 207 | set $bad_ua 1; 208 | } 209 | if ($http_user_agent ~ "NetSpider") { 210 | set $bad_ua 1; 211 | } 212 | if ($http_user_agent ~ "NetZIP") { 213 | set $bad_ua 1; 214 | } 215 | if ($http_user_agent ~ "nutch") { 216 | set $bad_ua 1; 
217 | } 218 | if ($http_user_agent ~ "Octopus") { 219 | set $bad_ua 1; 220 | } 221 | if ($http_user_agent ~ "Offline Explorer") { 222 | set $bad_ua 1; 223 | } 224 | if ($http_user_agent ~ "Offline Navigator") { 225 | set $bad_ua 1; 226 | } 227 | if ($http_user_agent ~ "PageGrabber") { 228 | set $bad_ua 1; 229 | } 230 | if ($http_user_agent ~ "Papa Foto") { 231 | set $bad_ua 1; 232 | } 233 | if ($http_user_agent ~ "pavuk") { 234 | set $bad_ua 1; 235 | } 236 | if ($http_user_agent ~ "pcBrowser") { 237 | set $bad_ua 1; 238 | } 239 | if ($http_user_agent ~ "PeoplePal") { 240 | set $bad_ua 1; 241 | } 242 | if ($http_user_agent ~ "planetwork") { 243 | set $bad_ua 1; 244 | } 245 | if ($http_user_agent ~ "psbot") { 246 | set $bad_ua 1; 247 | } 248 | if ($http_user_agent ~ "purebot") { 249 | set $bad_ua 1; 250 | } 251 | if ($http_user_agent ~ "pycurl") { 252 | set $bad_ua 1; 253 | } 254 | if ($http_user_agent ~ "RealDownload") { 255 | set $bad_ua 1; 256 | } 257 | if ($http_user_agent ~ "ReGet") { 258 | set $bad_ua 1; 259 | } 260 | if ($http_user_agent ~ "Rippers 0") { 261 | set $bad_ua 1; 262 | } 263 | if ($http_user_agent ~ "SeaMonkey$") { 264 | set $bad_ua 1; 265 | } 266 | if ($http_user_agent ~ "sitecheck.internetseer.com") { 267 | set $bad_ua 1; 268 | } 269 | if ($http_user_agent ~ "SiteSnagger") { 270 | set $bad_ua 1; 271 | } 272 | if ($http_user_agent ~ "skygrid") { 273 | set $bad_ua 1; 274 | } 275 | if ($http_user_agent ~ "SmartDownload") { 276 | set $bad_ua 1; 277 | } 278 | if ($http_user_agent ~ "sucker") { 279 | set $bad_ua 1; 280 | } 281 | if ($http_user_agent ~ "SuperBot") { 282 | set $bad_ua 1; 283 | } 284 | if ($http_user_agent ~ "SuperHTTP") { 285 | set $bad_ua 1; 286 | } 287 | if ($http_user_agent ~ "Surfbot") { 288 | set $bad_ua 1; 289 | } 290 | if ($http_user_agent ~ "tAkeOut") { 291 | set $bad_ua 1; 292 | } 293 | if ($http_user_agent ~ "Teleport Pro") { 294 | set $bad_ua 1; 295 | } 296 | if ($http_user_agent ~ "Toata dragostea mea pentru diavola") { 297 | 
set $bad_ua 1; 298 | } 299 | if ($http_user_agent ~ "turnit") { 300 | set $bad_ua 1; 301 | } 302 | if ($http_user_agent ~ "vikspider") { 303 | set $bad_ua 1; 304 | } 305 | if ($http_user_agent ~ "VoidEYE") { 306 | set $bad_ua 1; 307 | } 308 | if ($http_user_agent ~ "Web Image Collector") { 309 | set $bad_ua 1; 310 | } 311 | if ($http_user_agent ~ "Web Sucker") { 312 | set $bad_ua 1; 313 | } 314 | if ($http_user_agent ~ "WebAuto") { 315 | set $bad_ua 1; 316 | } 317 | if ($http_user_agent ~ "WebCopier") { 318 | set $bad_ua 1; 319 | } 320 | if ($http_user_agent ~ "WebFetch") { 321 | set $bad_ua 1; 322 | } 323 | if ($http_user_agent ~ "WebGo IS") { 324 | set $bad_ua 1; 325 | } 326 | if ($http_user_agent ~ "WebLeacher") { 327 | set $bad_ua 1; 328 | } 329 | if ($http_user_agent ~ "WebReaper") { 330 | set $bad_ua 1; 331 | } 332 | if ($http_user_agent ~ "WebSauger") { 333 | set $bad_ua 1; 334 | } 335 | if ($http_user_agent ~ "Website eXtractor") { 336 | set $bad_ua 1; 337 | } 338 | if ($http_user_agent ~ "Website Quester") { 339 | set $bad_ua 1; 340 | } 341 | if ($http_user_agent ~ "WebStripper") { 342 | set $bad_ua 1; 343 | } 344 | if ($http_user_agent ~ "WebWhacker") { 345 | set $bad_ua 1; 346 | } 347 | if ($http_user_agent ~ "WebZIP") { 348 | set $bad_ua 1; 349 | } 350 | if ($http_user_agent ~ "Wget") { 351 | set $bad_ua 1; 352 | } 353 | if ($http_user_agent ~ "Widow") { 354 | set $bad_ua 1; 355 | } 356 | if ($http_user_agent ~ "WWW-Mechanize") { 357 | set $bad_ua 1; 358 | } 359 | if ($http_user_agent ~ "WWWOFFLE") { 360 | set $bad_ua 1; 361 | } 362 | if ($http_user_agent ~ "Xaldon WebSpider") { 363 | set $bad_ua 1; 364 | } 365 | if ($http_user_agent ~ "Yandex") { 366 | set $bad_ua 1; 367 | } 368 | if ($http_user_agent ~ "Zeus") { 369 | set $bad_ua 1; 370 | } 371 | if ($http_user_agent ~ "zmeu") { 372 | set $bad_ua 1; 373 | } 374 | if ($http_user_agent ~ "CazoodleBot") { 375 | set $bad_ua 1; 376 | } 377 | if ($http_user_agent ~ "discobot") { 378 | set $bad_ua 1; 379 | } 
380 | if ($http_user_agent ~ "ecxi") { 381 | set $bad_ua 1; 382 | } 383 | if ($http_user_agent ~ "GT::WWW") { 384 | set $bad_ua 1; 385 | } 386 | if ($http_user_agent ~ "heritrix") { 387 | set $bad_ua 1; 388 | } 389 | if ($http_user_agent ~ "HTTP::Lite") { 390 | set $bad_ua 1; 391 | } 392 | if ($http_user_agent ~ "HTTrack") { 393 | set $bad_ua 1; 394 | } 395 | if ($http_user_agent ~ "ia_archiver") { 396 | set $bad_ua 1; 397 | } 398 | if ($http_user_agent ~ "id-search") { 399 | set $bad_ua 1; 400 | } 401 | if ($http_user_agent ~ "id-search.org") { 402 | set $bad_ua 1; 403 | } 404 | if ($http_user_agent ~ "IDBot") { 405 | set $bad_ua 1; 406 | } 407 | if ($http_user_agent ~ "Indy Library") { 408 | set $bad_ua 1; 409 | } 410 | if ($http_user_agent ~ "IRLbot") { 411 | set $bad_ua 1; 412 | } 413 | if ($http_user_agent ~ "ISC Systems iRc Search 2.1") { 414 | set $bad_ua 1; 415 | } 416 | if ($http_user_agent ~ "LinksManager.com_bot") { 417 | set $bad_ua 1; 418 | } 419 | if ($http_user_agent ~ "linkwalker") { 420 | set $bad_ua 1; 421 | } 422 | if ($http_user_agent ~ "lwp-trivial") { 423 | set $bad_ua 1; 424 | } 425 | if ($http_user_agent ~ "MFC_Tear_Sample") { 426 | set $bad_ua 1; 427 | } 428 | if ($http_user_agent ~ "Microsoft URL Control") { 429 | set $bad_ua 1; 430 | } 431 | if ($http_user_agent ~ "Missigua Locator") { 432 | set $bad_ua 1; 433 | } 434 | if ($http_user_agent ~ "panscient.com") { 435 | set $bad_ua 1; 436 | } 437 | if ($http_user_agent ~ "PECL::HTTP") { 438 | set $bad_ua 1; 439 | } 440 | if ($http_user_agent ~ "PHPCrawl") { 441 | set $bad_ua 1; 442 | } 443 | if ($http_user_agent ~ "PleaseCrawl") { 444 | set $bad_ua 1; 445 | } 446 | if ($http_user_agent ~ "SBIder") { 447 | set $bad_ua 1; 448 | } 449 | if ($http_user_agent ~ "Snoopy") { 450 | set $bad_ua 1; 451 | } 452 | if ($http_user_agent ~ "Steeler") { 453 | set $bad_ua 1; 454 | } 455 | if ($http_user_agent ~ "URI::Fetch") { 456 | set $bad_ua 1; 457 | } 458 | if ($http_user_agent ~ "urllib") { 459 | set 
$bad_ua 1; 460 | } 461 | if ($http_user_agent ~ "Web Sucker") { 462 | set $bad_ua 1; 463 | } 464 | if ($http_user_agent ~ "webalta") { 465 | set $bad_ua 1; 466 | } 467 | if ($http_user_agent ~ "WebCollage") { 468 | set $bad_ua 1; 469 | } 470 | if ($http_user_agent ~ "Wells Search II") { 471 | set $bad_ua 1; 472 | } 473 | if ($http_user_agent ~ "WEP Search") { 474 | set $bad_ua 1; 475 | } 476 | if ($http_user_agent ~ "zermelo") { 477 | set $bad_ua 1; 478 | } 479 | if ($http_user_agent ~ "ZyBorg") { 480 | set $bad_ua 1; 481 | } 482 | if ($http_user_agent ~ "Indy Library") { 483 | set $bad_ua 1; 484 | } 485 | if ($http_user_agent ~ "libwww-perl") { 486 | set $bad_ua 1; 487 | } 488 | if ($http_user_agent ~ "Go!Zilla") { 489 | set $bad_ua 1; 490 | } 491 | if ($http_user_agent ~ "TurnitinBot") { 492 | set $bad_ua 1; 493 | } 494 | if ($bad_ua = 1) { 495 | return 403; 496 | } -------------------------------------------------------------------------------- /config/varnish/default.vcl: -------------------------------------------------------------------------------- 1 | vcl 4.1; 2 | # Based on: https://github.com/mattiasgeniar/varnish-6.0-configuration-templates/blob/master/default.vcl 3 | 4 | import std; 5 | import directors; 6 | 7 | backend server1 { # Define one backend 8 | .host = "127.0.0.1"; # IP or Hostname of backend 9 | .port = "{{varnish_port}}"; # Port Apache or whatever is listening 10 | .max_connections = 300; # That's it 11 | 12 | .probe = { 13 | #.url = "/"; # short easy way (GET /) 14 | # We prefer to only do a HEAD / 15 | .request = 16 | "HEAD / HTTP/1.1" 17 | "Host: localhost" 18 | "Connection: close" 19 | "User-Agent: Varnish Health Probe"; 20 | 21 | .interval = 5s; # check the health of each backend every 5 seconds 22 | .timeout = 1s; # timing out after 1 second. 
23 | .window = 5; # If 3 out of the last 5 polls succeeded the backend is considered healthy, otherwise it will be marked as sick 24 | .threshold = 3; 25 | } 26 | 27 | .first_byte_timeout = 300s; # How long to wait before we receive a first byte from our backend? 28 | .connect_timeout = 5s; # How long to wait for a backend connection? 29 | .between_bytes_timeout = 2s; # How long to wait between bytes received from our backend? 30 | } 31 | 32 | acl purge { 33 | # ACL we'll use later to allow purges (loopback only). NOTE(review): if a proxy on this host forwards client traffic to Varnish, client.ip is presumably the proxy's loopback address, so every proxied client would match - confirm PURGE is blocked upstream 34 | "localhost"; 35 | "127.0.0.1"; 36 | "::1"; 37 | } 38 | 39 | sub vcl_init { 40 | # Called when VCL is loaded, before any requests pass through it. 41 | # Typically used to initialize VMODs. 42 | 43 | new vdir = directors.round_robin(); 44 | vdir.add_backend(server1); 45 | # vdir.add_backend(server...); 46 | # vdir.add_backend(servern); 47 | } 48 | 49 | sub vcl_recv { 50 | # Called at the beginning of a request, after the complete request has been received and parsed. 51 | # Its purpose is to decide whether or not to serve the request, how to do it, and, if applicable, 52 | # which backend to use. 53 | # also used to modify the request 54 | 55 | set req.backend_hint = vdir.backend(); # send all traffic to the vdir director 56 | 57 | # Normalize the header if it exists, remove the port (in case you're testing this on various TCP ports) 58 | if (req.http.Host) { 59 | set req.http.Host = regsub(req.http.Host, ":[0-9]+", ""); 60 | } 61 | 62 | # Remove the proxy header (see https://httpoxy.org/#mitigate-varnish) 63 | unset req.http.proxy; 64 | 65 | # Normalize the query arguments 66 | set req.url = std.querysort(req.url); 67 | 68 | # Allow purging 69 | if (req.method == "PURGE") { 70 | if (!client.ip ~ purge) { # purge is the ACL defined at the beginning 71 | # Not from an allowed IP? Then die with an error. 
72 | return (synth(405, "This IP is not allowed to send PURGE requests.")); 73 | } 74 | # If you got this stage (and didn't error out above), purge the cached result 75 | return (purge); 76 | } 77 | 78 | # Only deal with "normal" types 79 | if (req.method != "GET" && 80 | req.method != "HEAD" && 81 | req.method != "PUT" && 82 | req.method != "POST" && 83 | req.method != "TRACE" && 84 | req.method != "OPTIONS" && 85 | req.method != "PATCH" && 86 | req.method != "DELETE") { 87 | /* Non-RFC2616 or CONNECT which is weird. */ 88 | return (pipe); 89 | } 90 | 91 | # Implementing websocket support (https://www.varnish-cache.org/docs/4.0/users-guide/vcl-example-websockets.html) 92 | if (req.http.Upgrade ~ "(?i)websocket") { 93 | return (pipe); 94 | } 95 | 96 | # Only cache GET or HEAD requests. This makes sure the POST requests are always passed. 97 | if (req.method != "GET" && req.method != "HEAD") { 98 | return (pass); 99 | } 100 | 101 | # Some generic URL manipulation, useful for all templates that follow 102 | # First remove the Google Analytics added parameters, useless for our backend 103 | if (req.url ~ "(\?|&)(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=") { 104 | set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", ""); 105 | set req.url = regsuball(req.url, "\?(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "?"); 106 | set req.url = regsub(req.url, "\?&", "?"); 107 | set req.url = regsub(req.url, "\?$", ""); 108 | } 109 | 110 | # Strip hash, server doesn't need it. 111 | if (req.url ~ "\#") { 112 | set req.url = regsub(req.url, "\#.*$", ""); 113 | } 114 | 115 | # Strip a trailing ? 
if it exists 116 | if (req.url ~ "\?$") { 117 | set req.url = regsub(req.url, "\?$", ""); 118 | } 119 | 120 | # Some generic cookie manipulation, useful for all templates that follow 121 | # Don't manipulate empty cookies 122 | if (req.http.Cookie !~ "^\s*$") { 123 | # Remove the "has_js" cookie 124 | set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", ""); 125 | 126 | # Remove any Google Analytics based cookies 127 | set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", ""); 128 | set req.http.Cookie = regsuball(req.http.Cookie, "_ga=[^;]+(; )?", ""); 129 | set req.http.Cookie = regsuball(req.http.Cookie, "_gat=[^;]+(; )?", ""); 130 | set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=[^;]+(; )?", ""); 131 | set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=[^;]+(; )?", ""); 132 | set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=[^;]+(; )?", ""); 133 | 134 | # Remove DoubleClick offensive cookies 135 | set req.http.Cookie = regsuball(req.http.Cookie, "__gads=[^;]+(; )?", ""); 136 | 137 | # Remove the Quant Capital cookies (added by some plugin, all __qca) 138 | set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", ""); 139 | 140 | # Remove the AddThis cookies 141 | set req.http.Cookie = regsuball(req.http.Cookie, "__atuv.=[^;]+(; )?", ""); 142 | 143 | # Remove a ";" prefix in the cookie if present 144 | set req.http.Cookie = regsuball(req.http.Cookie, "^;\s*", ""); 145 | } 146 | 147 | # Are there cookies left with only spaces or that are empty? 148 | if (req.http.cookie ~ "^\s*$") { 149 | unset req.http.cookie; 150 | } 151 | 152 | #if (req.http.Cache-Control ~ "(?i)no-cache") { 153 | #if (client.ip ~ purge) { 154 | # Ignore requests via proxy caches and badly behaved crawlers 155 | # like msnbot that send no-cache with every request. 156 | #if (! 
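(req.http.Via || req.http.User-Agent ~ "(?i)bot" || req.http.X-Purge)) { 157 | #set req.hash_always_miss = true; # Doesn't seems to refresh the object in the cache 158 | #return(purge); # Couple this with restart in vcl_purge and X-Purge header to avoid loops 159 | #} 160 | #} 161 | #} 162 | 163 | # Send Surrogate-Capability headers to announce ESI support to backend 164 | set req.http.Surrogate-Capability = "key=ESI/1.0"; 165 | 166 | if (req.http.Authorization) { 167 | # Not cacheable by default; checked before the static-file branches below so a response fetched with credentials is not stored and then served to clients that sent none 168 | return (pass); 169 | } 170 | 171 | # Large static files are delivered directly to the end-user without 172 | # waiting for Varnish to fully read the file first. 173 | # Varnish 4 fully supports Streaming, so set do_stream in vcl_backend_response() 174 | if (req.url ~ "^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|rar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$") { 175 | unset req.http.Cookie; 176 | return (hash); 177 | } 178 | 179 | # Remove all cookies for static files 180 | # A valid discussion could be held on this line: do you really need to cache static files that don't cause load? Only if you have memory left. 181 | # Sure, there's disk I/O, but chances are your OS will already have these files in their buffers (thus memory). 182 | # Before you blindly enable this, have a read here: https://ma.ttias.be/stop-caching-static-files/ 183 | if (req.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|gif|gz|ico|jpeg|jpg|js|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|ogg|ogm|opus|pdf|png|ppt|pptx|rar|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|wav|webm|webp|woff|woff2|xls|xlsx|xml|xz|zip)(\?.*)?$") { 184 | unset req.http.Cookie; 185 | return (hash); 186 | } 187 | 188 | return (hash); 189 | } 190 | 191 | sub vcl_pipe { 192 | # Called upon entering pipe mode. 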
193 | # In this mode, the request is passed on to the backend, and any further data from both the client 194 | # and backend is passed on unaltered until either end closes the connection. Basically, Varnish will 195 | # degrade into a simple TCP proxy, shuffling bytes back and forth. For a connection in pipe mode, 196 | # no other VCL subroutine will ever get called after vcl_pipe. 197 | 198 | # Note that only the first request to the backend will have 199 | # X-Forwarded-For set. If you use X-Forwarded-For and want to 200 | # have it set for all requests, make sure to have: 201 | # set bereq.http.connection = "close"; 202 | # here. It is not set by default as it might break some broken web 203 | # applications, like IIS with NTLM authentication. 204 | 205 | # set bereq.http.Connection = "Close"; 206 | 207 | # Implementing websocket support (https://www.varnish-cache.org/docs/4.0/users-guide/vcl-example-websockets.html) 208 | if (req.http.upgrade) { 209 | set bereq.http.upgrade = req.http.upgrade; 210 | } 211 | 212 | return (pipe); 213 | } 214 | 215 | sub vcl_pass { 216 | # Called upon entering pass mode. In this mode, the request is passed on to the backend, and the 217 | # backend's response is passed on to the client, but is not entered into the cache. Subsequent 218 | # requests submitted over the same client connection are handled normally. 219 | 220 | # return (pass); 221 | } 222 | 223 | # The data on which the hashing will take place 224 | sub vcl_hash { 225 | # Called after vcl_recv to create a hash value for the request. This is used as a key 226 | # to look up the object in Varnish. 
227 | 228 | hash_data(req.url); 229 | 230 | if (req.http.host) { 231 | hash_data(req.http.host); 232 | } else { 233 | hash_data(server.ip); 234 | } 235 | 236 | # hash cookies for requests that have them 237 | if (req.http.Cookie) { 238 | hash_data(req.http.Cookie); 239 | } 240 | 241 | # Cache the HTTP vs HTTPs separately 242 | if (req.http.X-Forwarded-Proto) { 243 | hash_data(req.http.X-Forwarded-Proto); 244 | } 245 | } 246 | 247 | sub vcl_hit { 248 | # Called when a cache lookup is successful. 249 | 250 | if (obj.ttl >= 0s) { 251 | # A pure unadultered hit, deliver it 252 | return (deliver); 253 | } 254 | 255 | # https://www.varnish-cache.org/docs/trunk/users-guide/vcl-grace.html 256 | # When several clients are requesting the same page Varnish will send one request to the backend and place the others 257 | # on hold while fetching one copy from the backend. In some products this is called request coalescing and Varnish does 258 | # this automatically. 259 | # If you are serving thousands of hits per second the queue of waiting requests can get huge. There are two potential 260 | # problems - one is a thundering herd problem - suddenly releasing a thousand threads to serve content might send the 261 | # load sky high. Secondly - nobody likes to wait. To deal with this we can instruct Varnish to keep the objects in cache 262 | # beyond their TTL and to serve the waiting requests somewhat stale content. 263 | 264 | # if (!std.healthy(req.backend_hint) && (obj.ttl + obj.grace > 0s)) { 265 | # return (deliver); 266 | # } else { 267 | # return (miss); 268 | # } 269 | 270 | # We have no fresh fish. Lets look at the stale ones. 271 | if (std.healthy(req.backend_hint)) { 272 | # Backend is healthy. Limit age to 10s. 
273 | if (obj.ttl + 10s > 0s) { 274 | #set req.http.grace = "normal(limited)"; 275 | return (deliver); 276 | } 277 | } else { 278 | # backend is sick - use full grace 279 | if (obj.ttl + obj.grace > 0s) { 280 | #set req.http.grace = "full"; 281 | return (deliver); 282 | } 283 | } 284 | } 285 | 286 | sub vcl_miss { 287 | # Called after a cache lookup if the requested document was not found in the cache. Its purpose 288 | # is to decide whether or not to attempt to retrieve the document from the backend, and which 289 | # backend to use. 290 | 291 | return (fetch); 292 | } 293 | 294 | # Handle the HTTP request coming from our backend 295 | sub vcl_backend_response { 296 | # Called after the response headers has been successfully retrieved from the backend. 297 | 298 | # Pause ESI request and remove Surrogate-Control header 299 | if (beresp.http.Surrogate-Control ~ "ESI/1.0") { 300 | unset beresp.http.Surrogate-Control; 301 | set beresp.do_esi = true; 302 | } 303 | 304 | # Enable cache for all static files 305 | # The same argument as the static caches from above: monitor your cache size, if you get data nuked out of it, consider giving up the static file cache. 306 | # Before you blindly enable this, have a read here: https://ma.ttias.be/stop-caching-static-files/ 307 | if (bereq.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|gif|gz|ico|jpeg|jpg|js|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|ogg|ogm|opus|pdf|png|ppt|pptx|rar|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|wav|webm|webp|woff|woff2|xls|xlsx|xml|xz|zip)(\?.*)?$") { 308 | unset beresp.http.set-cookie; 309 | } 310 | 311 | # Large static files are delivered directly to the end-user without 312 | # waiting for Varnish to fully read the file first. 313 | # Varnish 4 fully supports Streaming, so use streaming here to avoid locking. 
314 | if (bereq.url ~ "^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|rar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$") { 315 | unset beresp.http.set-cookie; 316 | set beresp.do_stream = true; # Check memory usage it'll grow in fetch_chunksize blocks (128k by default) if the backend doesn't send a Content-Length header, so only enable it for big objects 317 | } 318 | 319 | # Sometimes, a 301 or 302 redirect formed via Apache's mod_rewrite can mess with the HTTP port that is being passed along. 320 | # This often happens with simple rewrite rules in a scenario where Varnish runs on :80 and Apache on :8080 on the same box. 321 | # A redirect can then often redirect the end-user to a URL on :8080, where it should be :80. 322 | # This may need finetuning on your setup. 323 | # 324 | # To prevent accidental replace, we only filter the 301/302 redirects for now; the regsub removes the first ":port" in the Location value, whichever host it names. 325 | if (beresp.status == 301 || beresp.status == 302) { 326 | set beresp.http.Location = regsub(beresp.http.Location, ":[0-9]+", ""); 327 | } 328 | 329 | # Responses with no positive TTL, a Set-Cookie header or "Vary: *" are marked uncacheable for 120s, so they are not stored for reuse by other requests 330 | if (beresp.ttl <= 0s || beresp.http.Set-Cookie || beresp.http.Vary == "*") { 331 | set beresp.ttl = 120s; # Important, you shouldn't rely on this, SET YOUR HEADERS in the backend 332 | set beresp.uncacheable = true; 333 | return (deliver); 334 | } 335 | 336 | # Don't cache 50x responses 337 | if (beresp.status == 500 || beresp.status == 502 || beresp.status == 503 || beresp.status == 504) { 338 | return (abandon); 339 | } 340 | 341 | # Allow stale content, in case the backend goes down. 342 | # make Varnish keep all objects for 6 hours beyond their TTL 343 | set beresp.grace = 6h; 344 | 345 | return (deliver); 346 | } 347 | 348 | # The routine when we deliver the HTTP response to the user 349 | # Last chance to modify headers that are sent to the client 350 | sub vcl_deliver { 351 | # Called before a cached object is delivered to the client. 
352 | 353 | if (obj.hits > 0) { # Add debug header to see if it's a HIT/MISS and the number of hits, disable when not needed (it shows cache state to every client) 354 | set resp.http.X-Cache = "HIT"; 355 | } else { 356 | set resp.http.X-Cache = "MISS"; 357 | } 358 | 359 | # Please note that obj.hits behaviour changed in 4.0, now it counts per objecthead, not per object 360 | # and obj.hits may not be reset in some cases where bans are in use. See bug 1492 for details. 361 | # So take hits with a grain of salt 362 | set resp.http.X-Cache-Hits = obj.hits; 363 | 364 | # Remove some headers: PHP version 365 | unset resp.http.X-Powered-By; 366 | 367 | # Remove some headers: Apache version & OS 368 | unset resp.http.Server; 369 | unset resp.http.X-Drupal-Cache; 370 | unset resp.http.X-Varnish; 371 | unset resp.http.Via; 372 | unset resp.http.Link; 373 | unset resp.http.X-Generator; 374 | 375 | return (deliver); 376 | } 377 | 378 | sub vcl_purge { 379 | # Only handle actual PURGE HTTP methods, everything else is discarded 380 | if (req.method == "PURGE") { 381 | # restart request; NOTE(review): nothing here changes req.method, and the PURGE branch in vcl_recv does not test X-Purge, so the restarted request looks like it purges and restarts again until the restart limit - confirm 382 | set req.http.X-Purge = "Yes"; 383 | return(restart); 384 | } 385 | } 386 | 387 | sub vcl_synth { 388 | if (resp.status == 720) { 389 | # We use this special error status 720 to force redirects with 301 (permanent) redirects 390 | # To use this, call the following from anywhere in vcl_recv: return (synth(720, "http://host/new.html")); the reason string is copied into Location unchanged, so pass a fixed or validated URL 391 | set resp.http.Location = resp.reason; 392 | set resp.status = 301; 393 | return (deliver); 394 | } elseif (resp.status == 721) { 395 | # And we use error status 721 to force redirects with a 302 (temporary) redirect 396 | # To use this, call the following from anywhere in vcl_recv: return (synth(721, "http://host/new.html")); 397 | set resp.http.Location = resp.reason; 398 | set resp.status = 302; 399 | return (deliver); 400 | } 401 | 402 | return (deliver); 403 | } 404 | 405 | 406 | sub vcl_fini { 407 | # Called when VCL is discarded only after all requests have exited the VCL. 
408 | # Typically used to clean up VMODs. 409 | 410 | return (ok); 411 | } --------------------------------------------------------------------------------