├── LICENSE ├── README.md └── ee-nginx-setup.sh /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 VirtuBox 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Bash script to automate optimized EasyEngine v3 setup (beta) 2 | 3 | * * * 4 | 5 | ## Server Stack 6 | 7 | - Nginx 1.15.x/1.14 with [nginx-ee](https://virtubox.github.io/nginx-ee/) 8 | - PHP-FPM 7.0/7.1/7.2 9 | - MariaDB 10.1/10.2/10.3 10 | - REDIS 4.0 11 | - Fail2ban 12 | - UFW Firewall 13 | - ClamAV Antivirus 14 | - Netdata 15 | - Proftpd 16 | - Acme.sh with [ee-acme-sh](https://virtubox.github.io/ee-acme-sh/) 17 | 18 | * * * 19 | 20 | **Documentation available here : [Ubuntu-Nginx-Web-Server](https://virtubox.github.io/ubuntu-nginx-web-server/)** 21 | 22 | ### Features 23 | 24 | - Automated MariaDB server or client installation (10.1/10.2/10.3) 25 | - Linux server tweaks 26 | - [EasyEngine](https://github.com/EasyEngine/easyengine) v3.8.1 automated installation 27 | - php7.1-fpm and/or php7.2-fpm installation & configuration 28 | - Latest Nginx release compilation with [nginx-ee](https://virtubox.github.io/nginx-ee/) 29 | - UFW configuration with custom SSH port 30 | - Fail2ban Installation & Configuration 31 | - [Netdata](https://github.com/firehol/netdata/) and [EasyEngine-Dashboard](https://virtubox.github.io/easyengine-dashboard/) installation 32 | - Proftpd installation & configuration 33 | 34 | ### Compatibility 35 | 36 | - Ubuntu 16.04 LTS 37 | - Ubuntu 18.04 LTS 38 | 39 | ### Requirements 40 | 41 | - login as root 42 | - ssh connection with ssh keys 43 | - VPS or dedicated server with at least 2GB RAM (Hetzner, OVH, DigitalOcean, Linode, Vultr, Scaleway are good choices) 44 | 45 | ### Usage 46 | 47 | ```bash 48 | wget -O ee-nginx-setup.sh https://raw.githubusercontent.com/VirtuBox/ee-nginx-setup/master/ee-nginx-setup.sh 49 | chmod +x ee-nginx-setup.sh 50 | ./ee-nginx-setup.sh 51 | ``` 52 | 53 | Published & maintained by [VirtuBox](https://virtubox.net) 54 | 
-------------------------------------------------------------------------------- /ee-nginx-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # ------------------------------------------------------------------------- 3 | # EE-NGINX-SETUP - automated EasyEngine server configuration script 4 | # ------------------------------------------------------------------------- 5 | # Website: https://virtubox.net 6 | # GitHub: https://github.com/VirtuBox/ee-nginx-setup 7 | # Copyright (c) 2018 VirtuBox 8 | # This script is licensed under M.I.T 9 | # ------------------------------------------------------------------------- 10 | # currently in progress, not ready to be used in production yet 11 | # ------------------------------------------------------------------------- 12 | 13 | 14 | 15 | 16 | 17 | CSI='\033[' 18 | CEND="${CSI}0m" 19 | #CRED="${CSI}1;31m" 20 | CGREEN="${CSI}1;32m" 21 | 22 | ################################## 23 | # Variables 24 | ################################## 25 | 26 | EXTPLORER_VER="2.1.10" 27 | 28 | ################################## 29 | # Check if user is root 30 | ################################## 31 | 32 | if [ "$(id -u)" != "0" ]; then 33 | echo "Error: You must be root to run this script, please use the root user to install the software." 34 | echo "" 35 | echo "Use 'sudo su - root' to login as root" 36 | exit 1 37 | fi 38 | 39 | ### Set Bins Path ### 40 | RM=/bin/rm 41 | CP=/bin/cp 42 | TAR=/bin/tar 43 | GZIP=/bin/gzip 44 | 45 | clear 46 | 47 | ################################## 48 | # Welcome 49 | ################################## 50 | 51 | echo "" 52 | echo "Welcome to ubuntu-nginx-web-server setup script." 
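##################################
# Helpers
##################################

# Print a three-line section banner around the title given in $1.
section() {
  echo "##########################################"
  echo "$1"
  echo "##########################################"
}

# Prompt until the variable named by $1 holds "y" or "n".
# A value already present in that variable is accepted without prompting,
# as in the original inline loops.
ask_yn() {
  local answer=${!1:-}
  while [[ $answer != "y" && $answer != "n" ]]; do
    # abort on EOF instead of spinning forever when stdin is closed
    read -r -p "Select an option [y/n]: " answer || exit 1
  done
  printf -v "$1" '%s' "$answer"
}

# Download URL $1 to file $2.
# Returns non-zero and removes the partial file when the transfer fails, so
# callers never chmod +x / execute an empty or truncated download.
fetch() {
  if ! wget -q -O "$2" "$1"; then
    rm -f -- "$2"
    echo "Error: download failed: $1" >&2
    return 1
  fi
}

# Download the script at URL $1 to a private temporary file and feed it to
# `sh` on stdin, optionally as user $2. Nothing is executed when the download
# fails (a plain `wget ... | sh` would run whatever partial output arrived).
run_remote_sh() {
  local url=$1 as_user=${2:-} script rc=0
  script=$(mktemp) || return 1
  if fetch "$url" "$script"; then
    if [ -n "$as_user" ]; then
      # stdin is opened by this shell, so the 0600 temp file stays private
      sudo -u "$as_user" -H sh <"$script" || rc=$?
    else
      sh <"$script" || rc=$?
    fi
  else
    rc=1
  fi
  rm -f -- "$script"
  return "$rc"
}

echo ""

if [ -d /etc/ee ] && [ -d /etc/mysql ] && [ -d /etc/nginx ]; then
  echo "Previous EasyEngine install detected"
  EE_PREVIOUS_INSTALL=1
fi

# The script announces below that it will only allow SSH key logins, so make
# sure a key is really authorised for this account. The original grepped every
# file under ~/.ssh, which also matches known_hosts entries and stray *.pub
# files and could let the run continue with no usable key (lockout risk).
if ! grep -Eqs '^[^#]*(ecdsa-sha2|ssh-rsa|ssh-ed25519)' "$HOME/.ssh/authorized_keys"; then
  echo "This script require to use ssh keys authentification. Please make sure you have properly added your public ssh keys into .ssh/authorized_keys"
  exit 1
fi

##################################
# Menu
##################################
echo "#####################################"
echo " Warning "
echo "#####################################"
echo "This script will only allow ssh connection with ssh-keys"
echo "Make sure you have properly installed your public key in $HOME/.ssh/authorized_keys"
echo "#####################################"
sleep 1
if [ ! -d /etc/mysql ]; then
  echo "#####################################"
  echo "MariaDB server"
  echo "#####################################"
  echo ""
  echo "Do you want to install MariaDB-server ? (y/n)"
  ask_yn mariadb_server_install
  if [ "$mariadb_server_install" = "n" ]; then
    echo ""
    echo "Do you want to install MariaDB-client for a remote database ? (y/n)"
    ask_yn mariadb_client_install
  fi
  if [ "$mariadb_client_install" = "y" ]; then
    echo ""
    echo "What is the IP of your remote database ?"
    read -r -p "IP : " mariadb_remote_ip
    echo ""
    echo "What is the user of your remote database ?"
    read -r -p "User : " mariadb_remote_user
    echo ""
    echo "What is the password of your remote database ?"
    read -r -s -p "password [hidden] : " mariadb_remote_password
  fi
  if [[ "$mariadb_server_install" == "y" || "$mariadb_client_install" == "y" ]]; then
    echo ""
    echo "What version of MariaDB Client/Server do you want to install, 10.1, 10.2 or 10.3 ?"
    while [[ $mariadb_version_install != "10.1" && $mariadb_version_install != "10.2" && $mariadb_version_install != "10.3" ]]; do
      read -r -p "Select an option [10.1 / 10.2 / 10.3]: " mariadb_version_install || exit 1
    done
  fi
  sleep 1
fi
if [ ! -d /etc/nginx ]; then
  echo ""
  echo "#####################################"
  echo "Nginx"
  echo "#####################################"
  echo ""
  echo "Do you want to compile the latest Nginx Mainline [1] or Stable [2] Release ?"
  while [[ $NGINX_RELEASE != "1" && $NGINX_RELEASE != "2" ]]; do
    read -r -p "Select an option [1-2]: " NGINX_RELEASE || exit 1
  done
  echo ""
  echo "Do you want Ngx_Pagespeed ? (y/n)"
  ask_yn PAGESPEED
  echo ""
  echo "Do you want NAXSI WAF (still experimental)? (y/n)"
  ask_yn NAXSI
  echo ""
  echo "Do you want RTMP streaming module ?"
  ask_yn RTMP
fi
sleep 1
echo ""
echo "#####################################"
echo "PHP"
echo "#####################################"
if [ ! -f /etc/php/7.1/fpm/php.ini ]; then
  echo "Do you want php7.1-fpm ? (y/n)"
  ask_yn phpfpm71_install
  echo ""
fi
if [ ! -f /etc/php/7.2/fpm/php.ini ]; then
  echo "Do you want php7.2-fpm ? (y/n)"
  ask_yn phpfpm72_install
fi
if [ ! -d /etc/proftpd ]; then
  echo ""
  echo "#####################################"
  echo "FTP"
  echo "#####################################"
  echo "Do you want proftpd ? (y/n)"
  ask_yn proftpd_install
fi
echo ""
echo "#####################################"
echo "Starting server setup in 5 seconds"
echo "use CTRL + C if you want to cancel installation"
echo "#####################################"
sleep 5

##################################
# Update packages
##################################

section " Updating Packages"

sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get autoremove -y --purge
sudo apt-get autoclean -y

##################################
# Useful packages
##################################

section " Installing useful packages"

sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon tar gzip ntp gnupg gnupg2 wget pigz tree ccze mycli -y

# ntp time
sudo systemctl enable ntp

# increase history size (only affects this script's own shell environment)
export HISTSIZE=10000

section " Checking required executable path"

### Make Sure Bins Exists ###
# Exit with status 1 when a configured helper binary is missing.
# RM, CP, TAR and GZIP are assigned under "Set Bins Path"; MKDIR, MYSQLADMIN,
# GREP and FIND are not assigned in the visible part of the script, and the
# original unquoted `[ ! -x $VAR ]` tests silently passed for them, so an
# unset entry is skipped here rather than treated as an error.
verify_bins() {
  local entry kind bin
  for entry in \
    "Executable ${GZIP:-}" "Executable ${TAR:-}" "File ${RM:-}" "File ${CP:-}" \
    "File ${MKDIR:-}" "File ${MYSQLADMIN:-}" "File ${GREP:-}" "File ${FIND:-}"; do
    kind=${entry%% *}
    bin=${entry#* }
    [ -n "$bin" ] || continue
    if [ ! -x "$bin" ]; then
      echo "$kind $bin does not exists. Make sure correct path is set in $0." >&2
      # a failed prerequisite check must not report success to the caller
      exit 1
    fi
  done
}

verify_bins

##################################
# clone repository
##################################
echo "###########################################"
echo " Cloning Ubuntu-nginx-web-server repository"
echo "###########################################"

# NOTE(review): this tracks the repository's default branch, and files from it
# are copied over /etc/ssh/sshd_config, sysctl, PHP, nginx and fail2ban
# configuration as root. Pinning to a reviewed commit (<REVIEWED_COMMIT>)
# would make runs reproducible and limit exposure to upstream changes.
if [ ! -d "$HOME/ubuntu-nginx-web-server" ]; then
  git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git "$HOME/ubuntu-nginx-web-server"
else
  git -C "$HOME/ubuntu-nginx-web-server" pull
fi

##################################
# Secure SSH server
##################################

# get current ssh port: first active "Port" directive, default 22.
# A plain `grep "Port"` also matches commented lines and directives such as
# GatewayPorts, which yields a multi-line value that breaks the sed below.
CURRENT_SSH_PORT=$(awk '$1 == "Port" {print $2; exit}' /etc/ssh/sshd_config)
case "$CURRENT_SSH_PORT" in
  '' | *[!0-9]*) CURRENT_SSH_PORT=22 ;;
esac

# keep a copy of the working configuration so it can be restored
sshd_backup=$(mktemp /etc/ssh/sshd_config.bak.XXXXXX) || exit 1
sudo cp -pf /etc/ssh/sshd_config "$sshd_backup"

# download secure sshd_config
sudo cp -f "$HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config" /etc/ssh/sshd_config

# change ssh default port
sudo sed -i "s/Port 22/Port $CURRENT_SSH_PORT/" /etc/ssh/sshd_config

# restart ssh service only if the new file parses; a restart with a broken
# sshd_config would leave the server without a reachable SSH daemon
if sudo sshd -t; then
  sudo service ssh restart
else
  echo "Error: new sshd_config failed validation, restoring previous file" >&2
  sudo cp -pf "$sshd_backup" /etc/ssh/sshd_config
  exit 1
fi

##################################
# ufw
##################################
section " Configuring ufw"

if [ ! -d /etc/ufw ]; then
  sudo apt-get install ufw -y
fi

# define firewall rules
# NOTE(review): no `ufw enable` appears in this part of the script; these
# rules have no effect until the firewall is enabled - confirm it happens.

sudo ufw logging low
sudo ufw default allow outgoing
sudo ufw default deny incoming

# default ssh port
sudo ufw allow 22

# custom ssh port
if [ "$CURRENT_SSH_PORT" != "22" ]; then
  sudo ufw allow "$CURRENT_SSH_PORT"
fi

# NOTE(review): the rules below open INBOUND ports. Client-side DNS, NTP and
# DHCP traffic is outbound and already covered by "default allow outgoing";
# inbound 53/123/68/546/873 are only needed if this host serves them.

# dns
sudo ufw allow 53

# nginx
sudo ufw allow http
sudo ufw allow https

# ntp
sudo ufw allow 123

# dhcp client
sudo ufw allow 68

# dhcp ipv6 client
sudo ufw allow 546

# rsync
sudo ufw allow 873

# easyengine backend
# NOTE(review): exposes the admin backend (phpMyAdmin, file manager, netdata
# proxy) to every source address; consider restricting it to known IPs.
sudo ufw allow 22222

# optional for monitoring

# SNMP UDP port
#sudo ufw allow 161

# Netdata web interface
#sudo ufw allow 1999

# Librenms linux agent
#sudo ufw allow 6556

# Zabbix-agent
#sudo ufw allow 10050

##################################
# Sysctl tweaks + open_files limits
##################################
section " Applying Linux Kernel tweaks"

sudo cp -f "$HOME/ubuntu-nginx-web-server/etc/sysctl.d/60-ubuntu-nginx-web-server.conf" /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
sudo sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
sudo cp -f "$HOME/ubuntu-nginx-web-server/etc/security/limits.conf" /etc/security/limits.conf

# Redis transparent_hugepage
echo never >/sys/kernel/mm/transparent_hugepage/enabled

# disable ip forwarding if docker is not installed
# (appended after the `sysctl -p` above, so it is not loaded by this run)
if [ ! -x /usr/bin/docker ]; then

  echo "" >>/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
  {
    echo "# Disables packet forwarding"
    echo "net.ipv4.ip_forward = 0"
    echo "net.ipv4.conf.all.forwarding = 0"
    echo "net.ipv4.conf.default.forwarding = 0"
    echo "net.ipv6.conf.all.forwarding = 0"
    echo "net.ipv6.conf.default.forwarding = 0"
  } >>/etc/sysctl.d/60-ubuntu-nginx-web-server.conf

fi

# additional systcl configuration with network interface name
# get network interface names like eth0, ens18 or eno1
# for each interface found, add the following configuration to sysctl
NET_INTERFACES_WAN=$(ip -4 route get 8.8.8.8 | grep -oP "dev [^[:space:]]+ " | cut -d ' ' -f 2)
# skip when no default route was found, otherwise invalid keys such as
# "net.ipv6.conf..autoconf" would be written
if [ -n "$NET_INTERFACES_WAN" ]; then
  echo "" >>/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
  {
    echo "# do not autoconfigure IPv6 on $NET_INTERFACES_WAN"
    echo "net.ipv6.conf.$NET_INTERFACES_WAN.autoconf = 0"
    echo "net.ipv6.conf.$NET_INTERFACES_WAN.accept_ra = 0"
    echo "net.ipv6.conf.$NET_INTERFACES_WAN.accept_ra_defrtr = 0"
  } >>/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
fi

##################################
# Add MariaDB repository
##################################

if [[ "$mariadb_server_install" == "y" || "$mariadb_client_install" == "y" ]]; then
  if [ ! -f /etc/apt/sources.list.d/mariadb.list ]; then
    echo ""
    section " Adding MariaDB $mariadb_version_install repository"

    # the repository helper runs as root: never execute it after a failed or
    # partial download, and stop rather than install an unintended version
    fetch https://downloads.mariadb.com/MariaDB/mariadb_repo_setup mariadb_repo_setup || exit 1
    chmod +x mariadb_repo_setup
    ./mariadb_repo_setup --mariadb-server-version="$mariadb_version_install" --skip-maxscale -y
    rm mariadb_repo_setup
    sudo apt-get update

  fi

fi

##################################
# MariaDB install
##################################

# install mariadb server non-interactive way
if [ "$mariadb_server_install" = "y" ]; then
  if [ ! -d /etc/mysql ]; then
    echo ""
    section " Installing MariaDB server $mariadb_version_install"

    # generate random password from the kernel CSPRNG.
    # The original hashed `date +%s`, so the root password could be recovered
    # by anyone able to guess the installation time to the second.
    MYSQL_ROOT_PASS=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
    export DEBIAN_FRONTEND=noninteractive # to avoid prompt during installation
    sudo debconf-set-selections <<<"mariadb-server-${mariadb_version_install} mysql-server/root_password password ${MYSQL_ROOT_PASS}"
    sudo debconf-set-selections <<<"mariadb-server-${mariadb_version_install} mysql-server/root_password_again password ${MYSQL_ROOT_PASS}"
    # install mariadb server
    DEBIAN_FRONTEND=noninteractive apt-get install -qq mariadb-server # -qq implies -y --force-yes
    # save credentials in .my.cnf and copy it in /etc/mysql/conf.d for easyengine.
    # Both files hold the database root password, so they are created and
    # kept readable by root only.
    (
      umask 077
      printf '[client]\nuser = root\npassword = %s\n' "$MYSQL_ROOT_PASS" >"$HOME/.my.cnf"
    )
    chmod 600 "$HOME/.my.cnf"
    cp -f "$HOME/.my.cnf" /etc/mysql/conf.d/my.cnf
    chmod 600 /etc/mysql/conf.d/my.cnf

    ## mysql_secure_installation non-interactive way
    # the statement is passed on stdin so the password never appears in the
    # process list (it did with `mysql -e "... IDENTIFIED BY '...'"`)
    mysql <<<"GRANT ALL PRIVILEGES on *.* to 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PASS' WITH GRANT OPTION;"
    # remove anonymous users
    mysql -e "DROP USER ''@'localhost'" >/dev/null 2>&1
    mysql -e "DROP USER ''@'$(hostname)'" >/dev/null 2>&1
    # remove test database
    mysql -e "DROP DATABASE test" >/dev/null 2>&1
    # flush privileges
    mysql -e "FLUSH PRIVILEGES"
  fi
fi
##################################
# MariaDB tweaks
##################################

if [ "$mariadb_server_install" = "y" ]; then
  section " Optimizing MariaDB configuration"

  cp -f "$HOME/ubuntu-nginx-web-server/etc/mysql/my.cnf" /etc/mysql/my.cnf

  # AVAILABLE_MEMORY=$(grep MemTotal /proc/meminfo | awk '{print $2}')
  # BUFFER_POOL_SIZE=$(( $AVAILABLE_MEMORY / 2000 ))
  # LOG_FILE_SIZE=$(( $AVAILABLE_MEMORY / 16000 ))
  # LOG_BUFFER_SIZE=$(( $AVAILABLE_MEMORY / 8000 ))

  # sudo sed -i "s/innodb_buffer_pool_size = 2G/innodb_buffer_pool_size = $BUFFER_POOL_SIZE\\M/" /etc/mysql/my.cnf
  # sudo sed -i "s/innodb_log_file_size = 256M/innodb_log_file_size = $LOG_FILE_SIZE\\M/" /etc/mysql/my.cnf
  # sudo sed -i "s/innodb_log_buffer_size = 512M/innodb_log_buffer_size = $LOG_BUFFER_SIZE\\M/" /etc/mysql/my.cnf

  # stop mysql service to apply new InnoDB log file size
  sudo service mysql stop

  # mv previous log file
  sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
  sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak

  # increase mariadb open_files_limit
  # (the drop-in directory may not exist yet; cp would fail without it)
  mkdir -p /etc/systemd/system/mariadb.service.d
  cp -f "$HOME/ubuntu-nginx-web-server/etc/systemd/system/mariadb.service.d/limits.conf" /etc/systemd/system/mariadb.service.d/limits.conf

  # reload daemon
  systemctl daemon-reload

  # restart mysql
  service mysql start

fi
if [ "$mariadb_client_install" = "y" ]; then

  echo "installing mariadb-client"
  # install mariadb-client
  apt-get install -y mariadb-client

  # set mysql credentials in .my.cnf (root-only: it stores the remote password)
  (
    umask 077
    {
      echo "[client]"
      echo "host = $mariadb_remote_ip"
      echo "port = 3306"
      echo "user = $mariadb_remote_user"
      echo "password = $mariadb_remote_password"
    } >>"$HOME/.my.cnf"
  )
  chmod 600 "$HOME/.my.cnf"

  # copy .my.cnf in /etc/mysql/conf.d/ for easyengine
  cp "$HOME/.my.cnf" /etc/mysql/conf.d/my.cnf
  chmod 600 /etc/mysql/conf.d/my.cnf
fi

##################################
# EasyEngine automated install
##################################

if [ -z "$EE_PREVIOUS_INSTALL" ]; then

  if [ ! -f "$HOME/.gitconfig" ]; then
    # define git username and email for non-interactive install
    sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = $USER@$HOSTNAME" > $HOME/.gitconfig'
  fi
  if [ ! -x /usr/local/bin/ee ]; then
    section " Installing EasyEngine"

    # installer is executed as root: stop if it could not be fetched intact
    fetch https://raw.githubusercontent.com/EasyEngine/easyengine/master-v3/install ee || exit 1
    chmod +x ee
    ./ee
    source /etc/bash_completion.d/ee_auto.rc

  fi

  ##################################
  # EasyEngine stacks install
  ##################################

  if [ "$mariadb_client_install" = "y" ]; then
    # change MySQL host to % in case of remote MySQL server
    sudo sed -i 's/grant-host = localhost/grant-host = \%/' /etc/ee/ee.conf
  fi

  section " Installing EasyEngine Stack"

  if [ -d /etc/mysql ]; then
    # install nginx, php, postfix, memcached
    ee stack install
    # install php7, redis, easyengine backend & phpredisadmin
    ee stack install --php7 --redis --admin --phpredisadmin
  else
    # "--php7" was written "-php7" (single dash) in the original
    ee stack install --nginx --php --php7 --redis --wpcli
  fi

  ##################################
  # Fix phpmyadmin install
  ##################################
  section " Updating phpmyadmin"

  # install composer
  # The installer is compared with the SHA-384 published by the Composer
  # project before PHP runs it as root, instead of piping curl into php.
  cd ~/ || exit
  composer_setup=$(mktemp) || exit 1
  composer_expected_sig=$(curl -sS https://composer.github.io/installer.sig)
  if fetch https://getcomposer.org/installer "$composer_setup" &&
    [ -n "$composer_expected_sig" ] &&
    [ "$(sha384sum "$composer_setup" | cut -d ' ' -f 1)" = "$composer_expected_sig" ]; then
    php "$composer_setup"
    mv composer.phar /usr/bin/composer
  else
    echo "Error: composer installer could not be downloaded or verified, skipping" >&2
  fi
  rm -f -- "$composer_setup"

  # change owner of /var/www to allow composer cache
  chown www-data:www-data /var/www
  # update phpmyadmin with composer
  if [ -d /var/www/22222/htdocs/db/pma ]; then
    sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
  fi

  ##################################
  # Allow www-data shell access for SFTP + add .bashrc settings et completion
  ##################################
  section " Configuring www-data shell access"

  # change www-data shell
  # NOTE(review): this gives the account that runs PHP an interactive login
  # shell; anything that lets an attacker authenticate as www-data now yields
  # a shell. An SFTP-only setup would not need /bin/bash.
  usermod -s /bin/bash www-data

  if [ ! -f /etc/bash_completion.d/wp-completion.bash ]; then
    # download wp-cli bash-completion
    sudo wget -qO /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
  fi
  if [ ! -f /var/www/.profile ] && [ ! -f /var/www/.bashrc ]; then
    # create .profile & .bashrc for www-data user
    cp -f "$HOME/ubuntu-nginx-web-server/var/www/.profile" /var/www/.profile
    cp -f "$HOME/ubuntu-nginx-web-server/var/www/.bashrc" /var/www/.bashrc

    # set www-data as owner
    sudo chown www-data:www-data /var/www/.profile
    sudo chown www-data:www-data /var/www/.bashrc
  fi

  # install nanorc for www-data
  # In `sudo -u www-data -H curl ... | sh` only curl ran as www-data; the
  # downloaded script itself was executed by root. Run the shell as www-data.
  run_remote_sh https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh www-data
fi
##################################
# Install php7.1-fpm
##################################

if [ "$phpfpm71_install" = "y" ]; then

  section " Installing php7.1-fpm"

  sudo apt-get install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
    php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath php7.1-xsl -y

  # copy php7.1 config files
  sudo cp -rf "$HOME"/ubuntu-nginx-web-server/etc/php/7.1/* /etc/php/7.1/
  sudo service php7.1-fpm restart

  # commit changes
  git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.1 configuration"

fi

##################################
# Install php7.2-fpm
##################################

if [ "$phpfpm72_install" = "y" ]; then
  section " Installing php7.2-fpm"

  sudo apt-get install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd \
    php7.2-curl php7.2-soap php7.2-mbstring php7.2-xsl php7.2-bcmath -y

  # copy php7.2 config files
  sudo cp -rf "$HOME"/ubuntu-nginx-web-server/etc/php/7.2/* /etc/php/7.2/
  sudo service php7.2-fpm restart

  # commit changes
  git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.2 configuration"

fi

##################################
# Update php7.0-fpm config
##################################
section " Configuring php7.0-fpm"

if [ -d /etc/php/7.0 ]; then

  cp -rf "$HOME"/ubuntu-nginx-web-server/etc/php/7.0/* /etc/php/7.0/

fi

##################################
# Compile latest nginx release from source
##################################

# set nginx-ee arguments
# The answers are unset when /etc/nginx already existed and the Nginx menu was
# skipped; quoting keeps the tests valid and falls through to the defaults.

if [ "$NGINX_RELEASE" = "1" ]; then
  NGINX_BUILD_VER='--mainline'
else
  NGINX_BUILD_VER='--stable'
fi

if [ "$PAGESPEED" = "y" ]; then
  BUILD_PAGESPEED='--pagespeed'
else
  BUILD_PAGESPEED=''
fi

if [ "$NAXSI" = "y" ]; then
  BUILD_NAXSI='--naxsi'
else
  BUILD_NAXSI=''
fi

if [ "$RTMP" = "y" ]; then
  BUILD_RTMP='--rtmp'
else
  BUILD_RTMP=''
fi

# pass only the options that were selected, one word per option
nginx_build_args=("$NGINX_BUILD_VER")
for nginx_build_flag in "$BUILD_PAGESPEED" "$BUILD_NAXSI" "$BUILD_RTMP"; do
  if [ -n "$nginx_build_flag" ]; then
    nginx_build_args+=("$nginx_build_flag")
  fi
done

section " Compiling Nginx with nginx-ee"

# explicit output name: without -O, a leftover nginx-build.sh from an earlier
# run would be executed while the fresh copy is saved as nginx-build.sh.1
fetch https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh nginx-build.sh || exit 1
chmod +x nginx-build.sh

./nginx-build.sh "${nginx_build_args[@]}"

##################################
# Add nginx additional conf
##################################
section " Configuring Nginx"

# php7.1 & 7.2 common configurations

cp -rf "$HOME"/ubuntu-nginx-web-server/etc/nginx/common/* /etc/nginx/common/

# commit changes
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update common configurations"

# common nginx configurations

cp -rf "$HOME"/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
cp -f "$HOME/ubuntu-nginx-web-server/etc/nginx/proxy_params" /etc/nginx/proxy_params
cp -f "$HOME/ubuntu-nginx-web-server/etc/nginx/mime.types" /etc/nginx/mime.types

# commit changes
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update conf.d configurations"

# optimized nginx.config
cp -f "$HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf" /etc/nginx/nginx.conf

# reduce nginx logs rotation
sed -i 's/size 10M/weekly/' /etc/logrotate.d/nginx
sed -i 's/rotate 52/rotate 4/' /etc/logrotate.d/nginx

if fetch https://raw.githubusercontent.com/VirtuBox/nginx-cloudflare-real-ip/master/nginx-cloudflare-real-ip.sh "$HOME/nginx-cloudflare-real-ip.sh"; then
  chmod +x "$HOME/nginx-cloudflare-real-ip.sh"
  "$HOME/nginx-cloudflare-real-ip.sh"
fi

# commit changes
git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update nginx.conf and setup cloudflare visitor real IP restore"

# check nginx configuration
CONF_22222=$(grep -c netdata /etc/nginx/sites-available/22222)
CONF_UPSTREAM=$(grep -c netdata /etc/nginx/conf.d/upstream.conf)

if [ "$CONF_22222" = "0" ]; then
  # add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
  sudo cp -f "$HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222" /etc/nginx/sites-available/22222
fi

if [ "$CONF_UPSTREAM" = "0" ]; then
  # add netdata, php7.1 and php7.2 upstream
  sudo cp -f "$HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/upstream.conf" /etc/nginx/conf.d/upstream.conf
fi

echo "##########################################"
echo "Checking Nginx configuration"
echo "##########################################"
# rely on the exit status of `nginx -t` rather than grepping its output
if nginx -t >/dev/null 2>&1; then
  echo "##########################################"
  echo "Reloading Nginx"
  echo "##########################################"
  sudo service nginx reload
else
  echo "##########################################"
  echo "Nginx configuration is not correct"
  echo "##########################################"
fi

##################################
# Add fail2ban configurations
##################################
section " Configuring Fail2Ban"

cp -rf "$HOME"/ubuntu-nginx-web-server/etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
cp -rf "$HOME"/ubuntu-nginx-web-server/etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/

fail2ban-client reload

##################################
# Install ClamAV
##################################
section " Installing ClamAV"

if [ ! -x /usr/bin/clamscan ]; then
  apt-get install clamav -y
fi

##################################
# Update ClamAV signature database
##################################
section " Updating ClamAV signature database"

/etc/init.d/clamav-freshclam stop
freshclam
/etc/init.d/clamav-freshclam start

##################################
# Install cheat & nanorc
##################################
section " Installing cheat.sh & nanorc & mysqldump script"

if [ ! -x /usr/bin/cht.sh ]; then
  # download to a temporary file first: redirecting curl straight into
  # /usr/bin/cht.sh left an empty executable behind when the request failed
  cht_tmp=$(mktemp) || exit 1
  if curl -fsS https://cht.sh/:cht.sh >"$cht_tmp"; then
    install -m 0755 "$cht_tmp" /usr/bin/cht.sh
  fi
  rm -f -- "$cht_tmp"

  cd || exit 1
  echo "alias cheat='cht.sh'" >>.bashrc
  source "$HOME/.bashrc"
fi

run_remote_sh https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh

# the github.com/.../blob/... address returns the HTML page of the file, not
# the script; fetch the raw file instead
if fetch https://raw.githubusercontent.com/VirtuBox/bash-scripts/master/backup/mysqldump/mysqldump.sh mysqldump.sh; then
  chmod +x mysqldump.sh
fi

##################################
# Install ProFTPd
##################################

if [ "$proftpd_install" = "y" ]; then

  section " Installing Proftpd"

  apt-get install proftpd -y

  # secure proftpd and enable PassivePorts
  # NOTE(review): no TLS settings are applied here, so credentials for the
  # shell-enabled accounts travel in cleartext over port 21 unless TLS is
  # configured elsewhere.

  sed -i 's/# DefaultRoot/DefaultRoot/' /etc/proftpd/proftpd.conf
  sed -i 's/# RequireValidShell/RequireValidShell/' /etc/proftpd/proftpd.conf
  sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' /etc/proftpd/proftpd.conf

  sudo service proftpd restart

  if [ -d /etc/ufw ]; then
    # ftp active port
    sudo ufw allow 21
    # ftp passive ports
    sudo ufw allow 49000:50000/tcp
  fi

  if [ -d /etc/fail2ban ]; then
    echo -e '\n[proftpd]\nenabled = true\n' >>/etc/fail2ban/jail.d/custom.conf
    fail2ban-client reload

  fi
fi
##################################
# Install Netdata
##################################

if [ ! -d /etc/netdata ]; then
  section " Installing Netdata"

  ## install nedata
  # The log goes to /var/log: appending as root to a fixed name in
  # world-writable /tmp lets a local user pre-create it as a symlink.
  if fetch https://my-netdata.io/kickstart.sh kickstart.sh; then
    chmod +x kickstart.sh
    ./kickstart.sh all --dont-wait >>/var/log/ubuntu-nginx-web-server.log 2>&1
  fi

  ## optimize netdata resources usage
  echo 1 >/sys/kernel/mm/ksm/run
  echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs

  # NOTE(review): the netdata account is created without a password. With
  # host '%' on a remote database it can be used from any address that can
  # reach the server; restrict the host part or set a password.
  if [ "$mariadb_server_install" = "y" ]; then
    mysql -e "create user 'netdata'@'localhost';"
    mysql -e "grant usage on *.* to 'netdata'@'localhost';"
    mysql -e "flush privileges;"
  elif [ "$mariadb_client_install" = "y" ]; then
    mysql -e "create user 'netdata'@'%';"
    mysql -e "grant usage on *.* to 'netdata'@'%';"
    mysql -e "flush privileges;"
  fi

  ## disable email notifications
  sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health_alarm_notify.conf
  sudo service netdata restart

fi

##################################
# Install EasyEngine Dashboard
##################################

section " Installing EasyEngine Dashboard"

if [ ! -d /var/www/22222/htdocs/files ]; then

  mkdir -p /var/www/22222/htdocs/files
  # NOTE(review): fetched over plain HTTP with no checksum and unpacked into
  # the web root; verify the archive against a known digest
  # (<EXPECTED_SHA256>) or use an HTTPS source if one is available.
  if fetch "http://extplorer.net/attachments/download/74/eXtplorer_$EXTPLORER_VER.zip" /var/www/22222/htdocs/files/ex.zip; then
    cd /var/www/22222/htdocs/files || exit 1
    unzip ex.zip
    rm ex.zip
  fi
fi

cd /var/www/22222 || exit

## download latest version of EasyEngine-dashboard
# Clone into a private directory: with the fixed path /tmp/easyengine-dashboard
# a local user could pre-create that directory, make the clone fail and have
# their own files copied into the web root.
cd /tmp || exit
dashboard_src=$(mktemp -d) || exit 1
if git clone https://github.com/VirtuBox/easyengine-dashboard.git "$dashboard_src/easyengine-dashboard"; then
  cp -rf "$dashboard_src"/easyengine-dashboard/* /var/www/22222/htdocs/
fi
rm -rf -- "${dashboard_src:?}"
chown -R www-data:www-data /var/www/22222/htdocs

##################################
# Install Acme.sh
##################################
section " Installing Acme.sh"

# install acme.sh if needed
echo ""
echo "checking if acme.sh is already installed"
echo ""
if [ ! -f "$HOME/.acme.sh/acme.sh" ]; then
  echo ""

  echo ""
  run_remote_sh https://get.acme.sh
  cd || exit
  source "$HOME/.bashrc"
fi

##################################
# Install cheat.sh
##################################

if [ !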
-x /usr/bin/cht.sh ]; then 920 | echo "##########################################" 921 | echo " Installing cheat.sh" 922 | echo "##########################################" 923 | 924 | curl https://cht.sh/:cht.sh > /usr/bin/cht.sh || wget -qO /usr/bin/cht.sh https://cht.sh/:cht.sh 925 | chmod +x /usr/bin/cht.sh 926 | 927 | fi 928 | 929 | ################################## 930 | # Install ee-acme-sh 931 | ################################## 932 | 933 | wget -O $HOME/install.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh 934 | chmod +x $HOME/install.sh 935 | $HOME/install.sh 936 | 937 | rm $HOME/install.sh 938 | 939 | source $HOME/.bashrc 940 | 941 | ################################## 942 | # Secure EasyEngine Dashboard with Acme.sh 943 | ################################## 944 | 945 | MY_HOSTNAME=$(/bin/hostname -f) 946 | MY_IP=$(ip -4 address show ${NET_INTERFACES_WAN} | grep 'inet' | sed 's/.*inet \([0-9\.]\+\).*/\1/') 947 | MY_HOSTNAME_IP=$(/usr/bin/dig +short @8.8.8.8 "$MY_HOSTNAME") 948 | 949 | if [ "$MY_IP" = "$MY_HOSTNAME_IP" ]; then 950 | echo "##########################################" 951 | echo " Securing EasyEngine Backend" 952 | echo "##########################################" 953 | apt-get install -y socat 954 | 955 | 956 | if [ ! 
-d $HOME/.acme.sh/${MY_HOSTNAME}_ecc ]; then 957 | $HOME/.acme.sh/acme.sh --issue -d $MY_HOSTNAME -k ec-384 --standalone --pre-hook "service nginx stop" --post-hook "service nginx start" 958 | fi 959 | 960 | if [ -d /etc/letsencrypt/live/$MY_HOSTNAME ]; then 961 | rm -rf /etc/letsencrypt/live/$MY_HOSTNAME/* 962 | else 963 | mkdir -p /etc/letsencrypt/live/$MY_HOSTNAME 964 | fi 965 | 966 | # install the cert and reload nginx 967 | if [ -f $HOME/.acme.sh/${MY_HOSTNAME}_ecc/fullchain.cer ]; then 968 | $HOME/.acme.sh/acme.sh --install-cert -d ${MY_HOSTNAME} --ecc \ 969 | --cert-file /etc/letsencrypt/live/${MY_HOSTNAME}/cert.pem \ 970 | --key-file /etc/letsencrypt/live/${MY_HOSTNAME}/key.pem \ 971 | --fullchain-file /etc/letsencrypt/live/${MY_HOSTNAME}/fullchain.pem \ 972 | --reloadcmd "service nginx restart" 973 | fi 974 | 975 | if [ -f /etc/letsencrypt/live/${MY_HOSTNAME}/fullchain.pem ] && [ -f /etc/letsencrypt/live/${MY_HOSTNAME}/key.pem ]; then 976 | sed -i "s/ssl_certificate \\/var\\/www\\/22222\\/cert\\/22222.crt;/ssl_certificate \\/etc\\/letsencrypt\\/live\\/${MY_HOSTNAME}\\/fullchain.pem;/" /etc/nginx/sites-available/22222 977 | sed -i "s/ssl_certificate_key \\/var\\/www\\/22222\\/cert\\/22222.key;/ssl_certificate_key \\/etc\\/letsencrypt\\/live\\/${MY_HOSTNAME}\\/key.pem;/" /etc/nginx/sites-available/22222 978 | fi 979 | service nginx reload 980 | 981 | fi 982 | --------------------------------------------------------------------------------