├── .gitignore
├── LICENSE
├── README.md
├── common.zip
├── docs
├── README.md
└── _config.yml
├── etc
├── cron.weekly
│ └── wo-maintenance
├── fail2ban
│ ├── filter.d
│ │ ├── ddos.conf
│ │ ├── ee-wordpress.conf
│ │ └── nginx-forbidden.conf
│ └── jail.d
│ │ ├── custom.conf
│ │ └── ddos.conf
├── mysql
│ └── my.cnf
├── nginx
│ ├── common
│ │ ├── acl.conf
│ │ ├── hsts-nosub.conf
│ │ ├── hsts.conf
│ │ ├── locations-php7.conf
│ │ ├── locations-php72.conf
│ │ ├── ocsp.conf
│ │ ├── pagespeed.conf
│ │ ├── php72.conf
│ │ ├── wpcommon-php7.conf
│ │ ├── wpcommon-php72.conf
│ │ └── wpcommon-php73.conf
│ ├── conf.d
│ │ ├── cloudflare.conf
│ │ ├── fastcgi.conf
│ │ ├── stub_status.conf
│ │ └── tweaks.conf
│ ├── mime.types
│ ├── nginx-tlsv12.conf
│ ├── nginx.conf
│ ├── proxy_params
│ └── sites-available
│ │ ├── 22222
│ │ └── default
├── ntp.conf
├── php
│ ├── 7.0
│ │ ├── cli
│ │ │ └── php.ini
│ │ └── fpm
│ │ │ ├── php.ini
│ │ │ └── pool.d
│ │ │ ├── www-sock.conf
│ │ │ └── www-two-sock.conf
│ ├── 7.1
│ │ └── fpm
│ │ │ ├── php.ini
│ │ │ └── pool.d
│ │ │ ├── www-sock.conf
│ │ │ └── www-two-sock.conf
│ ├── 7.2
│ │ ├── cli
│ │ │ └── php.ini
│ │ └── fpm
│ │ │ ├── php.ini
│ │ │ └── pool.d
│ │ │ ├── www-sock.conf
│ │ │ └── www-two-sock.conf
│ └── 7.3
│ │ ├── cli
│ │ └── php.ini
│ │ └── fpm
│ │ ├── php.ini
│ │ └── pool.d
│ │ ├── www-sock.conf
│ │ └── www-two-sock.conf
├── security
│ └── limits.conf
├── ssh
│ └── sshd_config
├── sysctl.d
│ └── 60-ubuntu-nginx-web-server.conf
└── systemd
│ ├── resolved.conf
│ └── system
│ ├── mariadb.service.d
│ └── limits.conf
│ ├── netdata.service.d
│ └── limits.conf
│ ├── nginx.service
│ └── nginx.service.d
│ └── limits.conf
└── var
└── www
├── .bashrc
└── .profile
/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | \.vscode/
3 |
4 | \.history/
5 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2017 VirtuBox
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Optimized configuration for WordOps running on Ubuntu server
2 |
3 | ## Server Stack
4 |
5 | - Ubuntu 16.04/18.04 LTS
6 | - Nginx 1.17.x / 1.16.x
7 | - PHP-FPM 7.2/7.3
8 | - MariaDB 10.3
9 | - REDIS 5.0
10 | - Memcached
11 | - Fail2ban
12 | - Netdata
13 | - UFW
14 |
15 | --------------------------------------------------------------------------------
16 |
17 |   
18 |
19 | ### Info
20 |
21 | **As EasyEngine v3 will no longer receive any updates, configurations available in this repository are being updated for [WordOps](https://wordops.net/) (EEv3 fork).**
22 |
23 | We are currently contributing to the WordOps project, and several parts of this repository are already included in WordOps.
24 |
25 | All previous configurations are still available in the branch [easyengine-v3](https://github.com/VirtuBox/ubuntu-nginx-web-server/tree/easyengine-v3).
26 |
27 | --------------------------------------------------------------------------------
28 |
29 | - [Initial configuration](#initial-configuration)
30 |
31 | - [System update and packages cleanup](#system-update-and-packages-cleanup)
32 | - [Install useful packages](#install-useful-packages)
33 | - [Clone the repository](#clone-the-repository)
34 | - [Updating the repository](#updating-the-repository)
35 | - [Tweak Kernel & Increase open files limits](#tweak-kernel--increase-open-files-limits)
36 | - [disable transparent hugepage for redis](#disable-transparent-hugepage-for-redis)
37 |
38 | - [WordOps Setup](#wordops-setup)
39 |
40 | - [Install MariaDB 10.3](#install-mariadb-103)
41 | - [MySQL Tuning](#mysql-tuning)
42 | - [Increase MariaDB open files limits](#increase-mariadb-open-files-limits)
43 | - [Setup cronjob to optimize your MySQL databases and repair them if needed](#setup-cronjob-to-optimize-your-mysql-databases-and-repair-them-if-needed)
44 |
45 | - [Install WordOps](#install-wordops)
46 |
47 | - [enable wo bash_completion](#enable-wo-bash_completion)
48 | - [Install Nginx, php7.2, php7.3, and configure WO backend](#install-nginx-php72-php73-and-configure-wo-backend)
49 | - [Set your email instead of root@localhost](#set-your-email-instead-of-rootlocalhost)
50 | - [Install Composer - Fix phpmyadmin install issue](#install-composer---fix-phpmyadmin-install-issue)
51 | - [Allow shell for www-data for SFTP usage](#allow-shell-for-www-data-for-sftp-usage)
52 | - [Set the proper alternative for /usr/bin/php](#set-the-proper-alternative-for-usrbinphp)
53 |
54 | - [NGINX Configuration](#nginx-configuration)
55 |
56 | - [Additional Nginx configuration (/etc/nginx/conf.d)](#additional-nginx-configuration-etcnginxconfd)
57 | - [Compile the latest Nginx release with nginx-ee](#compile-the-latest-nginx-release-with-nginx-ee)
58 | - [Custom configurations](#custom-configurations)
59 | - [Nginx optimized configurations](#nginx-optimized-configurations)
60 | - [Increase Nginx open files limits](#increase-nginx-open-files-limits)
61 |
62 | - [Security](#security)
63 |
64 | - [Harden SSH Security](#harden-ssh-security)
65 | - [UFW](#ufw)
66 | - [Custom jails for fail2ban](#custom-jails-for-fail2ban)
67 | - [Secure Memcached server](#secure-memcached-server)
68 |
69 | - [Optional](#optional)
70 |
71 | - [proftpd](#proftpd)
72 |
73 | - [Install proftpd](#install-proftpd)
74 | - [Adding FTP users](#adding-ftp-users)
75 |
76 | - [ee-acme-sh](#ee-acme-sh)
77 |
78 | - [netdata](#netdata)
79 |
80 | - [cht.sh (cheat)](#chtsh-cheat)
81 |
82 | - [nanorc - Improved Nano Syntax Highlighting Files](#nanorc---improved-nano-syntax-highlighting-files)
83 | - [Add WP-CLI & bash-completion for user www-data](#add-wp-cli--bash-completion-for-user-www-data)
84 |
85 | - [Cleanup previous EasyEngine v3](#cleanup-previous-easyengine-v3)
86 |
87 | - [Removing previous php versions](#removing-previous-php-versions)
88 |
89 | --------------------------------------------------------------------------------
90 |
91 | Configuration files with comments available by following the link **source**
92 |
93 | ## Initial configuration
94 |
95 | ### System update and packages cleanup
96 |
97 | ```bash
98 | apt-get update && apt-get dist-upgrade -y && apt-get autoremove --purge -y && apt-get clean
99 | ```
100 |
101 | ### Install useful packages
102 |
103 | ```bash
104 | sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze mycli -y
105 | ```
106 |
107 | ### Clone the repository
108 |
109 | ```bash
110 | git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git $HOME/ubuntu-nginx-web-server
111 | ```
112 |
113 | ### Updating the repository
114 |
115 | ```bash
116 | git -C $HOME/ubuntu-nginx-web-server pull origin master
117 | ```
118 |
119 | ### Tweak Kernel & Increase open files limits
120 |
121 | Included by default in WordOps - this may not be needed anymore
122 |
123 | [source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
124 |
125 | ```bash
126 | cp $HOME/ubuntu-nginx-web-server/etc/sysctl.d/60-ubuntu-nginx-web-server.conf /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
127 | ```
128 |
129 | Ubuntu 16.04 LTS does not support the new TCP congestion control algorithm bbr, so we use htcp instead.
130 |
131 | ```bash
132 | # On ubuntu 18.04 LTS
133 | modprobe tcp_bbr && echo 'tcp_bbr' >> /etc/modules-load.d/bbr.conf
134 | echo -e '\nnet.ipv4.tcp_congestion_control = bbr\nnet.ipv4.tcp_notsent_lowat = 16384' >> /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
135 |
136 | # On ubuntu 16.04 LTS
137 | modprobe tcp_htcp && echo 'tcp_htcp' >> /etc/modules-load.d/htcp.conf
138 | echo 'net.ipv4.tcp_congestion_control = htcp' >> /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
139 | ```
140 |
141 | Then apply the configuration:
142 |
143 | ```bash
144 | sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
145 | ```
146 |
147 | Increase open files limits
148 |
149 | ```bash
150 | sudo bash -c 'echo -e "* hard nofile 500000\n* soft nofile 500000\nroot hard nofile 500000\nroot soft nofile 500000\n" >> /etc/security/limits.conf'
151 | ```
152 |
153 | ### disable transparent hugepage for redis
154 |
155 | ```bash
156 | echo never > /sys/kernel/mm/transparent_hugepage/enabled
157 | ```
158 |
159 | --------------------------------------------------------------------------------
160 |
161 | ## WordOps Setup
162 |
163 | ### Install MariaDB 10.3
164 |
165 | Included by default in WordOps - this may not be needed anymore
166 |
167 | Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
168 |
169 | ```bash
170 | bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --mariadb-server-version=10.3 --skip-maxscale -y
171 | sudo apt update && sudo apt install mariadb-server -y
172 | ```
173 |
174 | Secure MariaDB after installation by running the command:
175 |
176 | ```bash
177 | mysql_secure_installation
178 | ```
179 |
180 | ### MySQL Tuning
181 |
182 | You can download my example my.cnf, optimized for a VPS with 4 GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
183 |
184 | ```bash
185 | cp -f $HOME/ubuntu-nginx-web-server/etc/mysql/my.cnf /etc/mysql/my.cnf
186 | ```
187 |
188 | It includes a modified innodb_log_file_size value, so you need to run the following commands to apply the new configuration:
189 |
190 | ```bash
191 | sudo service mysql stop
192 |
193 | sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
194 | sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
195 |
196 | sudo service mysql start
197 | ```
198 |
199 | ### Increase MariaDB open files limits
200 |
201 | ```bash
202 | echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/mariadb.service.d/limits.conf
203 |
204 | sudo systemctl daemon-reload
205 | sudo systemctl restart mariadb
206 | ```
207 |
208 | ### Setup cronjob to optimize your MySQL databases and repair them if needed
209 |
210 | Open the crontab editor
211 |
212 | ```bash
213 | sudo crontab -e
214 | ```
215 |
216 | Then add the following cronjob
217 |
218 | ```cronjob
219 | @weekly /usr/bin/mysqlcheck -Aos --auto-repair > /dev/null 2>&1
220 | ```
221 |
222 | ## Install WordOps
223 |
224 | ```bash
225 | # noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
226 | sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
227 |
228 | wget -qO wo wops.cc && sudo bash wo
229 | ```
230 |
231 | ### enable wo bash_completion
232 |
233 | ```bash
234 | source /etc/bash_completion.d/wo_auto.rc
235 | ```
236 |
237 | ### Install Nginx, php7.2, php7.3, and configure WO backend
238 |
239 | ```bash
240 | wo stack install
241 | wo stack install --php73
242 | ```
243 |
244 | ### Set your email instead of root@localhost
245 |
246 | ```bash
247 | echo 'root: my.email@address.com' >> /etc/aliases
248 | newaliases
249 | ```
250 |
251 | ### Install Composer - Fix phpmyadmin install issue
252 |
253 | Included by default in WordOps - this may not be needed anymore
254 |
255 | ```bash
256 | cd ~/ || exit
257 | curl -sS https://getcomposer.org/installer | php
258 | mv composer.phar /usr/bin/composer
259 |
260 | chown www-data:www-data /var/www
261 | sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
262 | ```
263 |
264 | ### Allow shell for www-data for SFTP usage
265 |
266 | ```bash
267 | usermod -s /bin/bash www-data
268 | ```
269 |
270 | ## Install PHP
271 |
272 | This section has been removed because WordOps already installs PHP 7.2 & PHP 7.3 by default
273 |
274 | ### Set the proper alternative for /usr/bin/php
275 |
276 | If you want to choose which version of php to use with the command `php`, you can use the command `update-alternatives`
277 |
278 | ```bash
279 | # php5.6
280 | sudo update-alternatives --install /usr/bin/php php /usr/bin/php5.6 80
281 |
282 | # php7.0
283 | sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.0 80
284 |
285 | # php7.1
286 | sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.1 80
287 |
288 | # php7.2
289 | sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.2 80
290 |
291 | # php7.3
292 | sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.3 80
293 | ```
294 |
295 | Then you can check php version with command `php -v`
296 |
297 | ## NGINX Configuration
298 |
299 | ### Additional Nginx configuration (/etc/nginx/conf.d)
300 |
301 | Included by default in WordOps - this may not be needed anymore
302 |
303 | - stub_status configuration on 127.0.0.1:80 : stub_status.conf
304 | - restore visitor real IP under Cloudflare : cloudflare.conf
305 |
306 | ```bash
307 | # copy all common nginx configurations
308 | cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
309 |
310 | # commit change with git
311 | [ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; }; git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
312 |
313 | ```
314 |
315 | ### Compile the latest Nginx release with [nginx-ee](https://github.com/VirtuBox/nginx-ee)
316 |
317 | ```bash
318 | bash <(wget -O - virtubox.net/nginx-ee || curl -sL virtubox.net/nginx-ee)
319 | ```
320 |
321 | --------------------------------------------------------------------------------
322 |
323 | ## Custom configurations
324 |
325 | ### Nginx optimized configurations
326 |
327 | Choose one of them
328 |
329 | ```bash
330 | # TLSv1.2 TLSv1.3 only (recommended)
331 | cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
332 |
333 | # TLSv1.2 only
334 | cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx-tlsv12.conf /etc/nginx/nginx.conf
335 | ```
336 |
337 | ```bash
338 | # commit change with git
339 | [ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; }; git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf"
340 | ```
341 |
342 | ### Nginx configuration for netdata
343 |
344 | Included by default in WordOps - this may not be needed anymore
345 |
346 | ```bash
347 | # add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
348 | cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
349 |
350 | # commit change with git
351 | [ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; }; git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
352 | ```
353 |
354 | #### Increase Nginx open files limits
355 |
356 | ```bash
357 | sudo mkdir -p /etc/systemd/system/nginx.service.d
358 | echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/nginx.service.d/limits.conf
359 |
360 | sudo systemctl daemon-reload
361 | sudo systemctl restart nginx.service
362 | ```
363 |
364 | --------------------------------------------------------------------------------
365 |
366 | ## Security
367 |
368 | ### Harden SSH Security
369 |
370 | WARNING: this SSH configuration allows root login, with SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
371 |
372 | ```bash
373 | cp -f $HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config /etc/ssh/sshd_config
374 | ```
375 |
376 | ### UFW
377 |
378 | Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/)
379 |
380 | ```bash
381 | # enable ufw log - allow outgoing - deny incoming
382 | ufw logging low
383 | ufw default allow outgoing
384 | ufw default deny incoming
385 |
386 | # allow incoming traffic on SSH port
387 | CURRENT_SSH_PORT=$(grep -E '^Port ' /etc/ssh/sshd_config | awk '{print $2}')
388 | ufw allow "${CURRENT_SSH_PORT:-22}"  # sshd listens on 22 when no Port directive is set
389 |
390 | # DNS - HTTP/S - FTP - NTP - RSYNC - DHCP - EE Backend
391 | ufw allow 53
392 | ufw allow http
393 | ufw allow https
394 | ufw allow 21
395 | ufw allow 123
396 | ufw allow 68
397 | ufw allow 546
398 | ufw allow 873
399 | ufw allow 22222
400 |
401 |
402 | # enable UFW
403 | echo "y" | ufw enable
404 | ```
405 |
406 | ### Custom jails for fail2ban
407 |
408 | - wordpress bruteforce
409 | - ssh
410 | - recidive (after 3 bans)
411 | - backend http auth
412 | - nginx bad bots
413 |
414 | ```bash
415 | cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
416 | cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/
417 |
418 | fail2ban-client reload
419 | ```
420 |
421 | ### Secure Memcached server
422 |
423 | ```bash
424 | echo '-U 0' >> /etc/memcached.conf
425 | sudo systemctl restart memcached
426 | ```
427 |
428 | If you do not use memcached, you can safely stop it and disable it :
429 |
430 | ```bash
431 | sudo systemctl stop memcached
432 | sudo systemctl disable memcached.service
433 | ```
434 |
435 | --------------------------------------------------------------------------------
436 |
437 | ## Optional
438 |
439 | ### proftpd
440 |
441 | #### Install proftpd
442 |
443 | ```bash
444 | apt-get install proftpd -y
445 | ```
446 |
447 | secure proftpd and enable passive ports
448 |
449 | ```bash
450 | sed -i 's/# DefaultRoot/DefaultRoot/' /etc/proftpd/proftpd.conf
451 | sed -i 's/# RequireValidShell/RequireValidShell/' /etc/proftpd/proftpd.conf
452 | sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' /etc/proftpd/proftpd.conf
453 | ```
454 |
455 | restart proftpd
456 |
457 | ```bash
458 | sudo service proftpd restart
459 | ```
460 |
461 | Allow FTP ports with UFW
462 |
463 | ```bash
464 | # ftp active port
465 | sudo ufw allow 21
466 |
467 | # ftp passive ports
468 | sudo ufw allow 49000:50000/tcp
469 | ```
470 |
471 | Enable fail2ban proftpd jail
472 |
473 | ```bash
474 | echo -e '\n[proftpd]\nenabled = true\n' >> /etc/fail2ban/jail.d/custom.conf
475 |
476 | fail2ban-client reload
477 | ```
478 |
479 | #### Adding FTP users
480 |
481 | ```bash
482 | # create user without shell access in group www-data
483 | adduser --home /var/www/yourdomain.tld/ --shell /bin/false --ingroup www-data youruser
484 |
485 | # allow group read/write on website folder
486 | chmod -R g+rw /var/www/yourdomain.tld
487 | ```
488 |
489 | --------------------------------------------------------------------------------
490 |
491 | ### ee-acme-sh
492 |
493 | Included by default in WordOps - this may not be needed anymore
494 |
495 | [Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
496 |
497 | - subdomain support
498 | - ipv6 support
499 | - wildcards certificates support
500 |
501 | ```bash
502 | wget -qO install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
503 | chmod +x install-ee-acme.sh
504 | ./install-ee-acme.sh
505 |
506 | # enable acme.sh & ee-acme-sh
507 | source .bashrc
508 | ```
509 |
510 | --------------------------------------------------------------------------------
511 |
512 | ### netdata
513 |
514 | Included by default in WordOps - this may not be needed anymore
515 |
516 | [Github repository](https://github.com/firehol/netdata)
517 |
518 | ```bash
519 | # save 40-60% of netdata memory
520 | echo 1 >/sys/kernel/mm/ksm/run
521 | echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
522 |
523 | # install netdata
524 | bash <(curl -Ss https://my-netdata.io/kickstart.sh) all --dont-wait
525 |
526 | # increase open files limits for netdata
527 | sudo mkdir -p /etc/systemd/system/netdata.service.d
528 | echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/netdata.service.d/limits.conf
529 |
530 | sudo systemctl daemon-reload
531 | sudo systemctl restart netdata.service
532 |
533 | # disable email notifications
534 | sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health_alarm_notify.conf
535 | service netdata restart
536 | ```
537 |
538 | --------------------------------------------------------------------------------
539 |
540 | ### cht.sh (cheat)
541 |
542 | [Github repository](https://github.com/chubin/cheat.sh)
543 |
544 | ```bash
545 | curl https://cht.sh/:cht.sh > /usr/bin/cht.sh
546 | chmod +x /usr/bin/cht.sh
547 |
548 |
549 | echo "alias cheat='cht.sh'" >> $HOME/.bashrc
550 | source $HOME/.bashrc
551 | ```
552 |
553 | usage: `cheat <command>`
554 |
555 | ```bash
556 | root@vps:~ cheat cat
557 | # cat
558 |
559 | # Print and concatenate files.
560 |
561 | # Print the contents of a file to the standard output:
562 | cat file
563 |
564 | # Concatenate several files into the target file:
565 | cat file1 file2 > target_file
566 |
567 | # Append several files into the target file:
568 | cat file1 file2 >> target_file
569 |
570 | # Number all output lines:
571 | cat -n file
572 | ```
573 |
574 | --------------------------------------------------------------------------------
575 |
576 | ### nanorc - Improved Nano Syntax Highlighting Files
577 |
578 | [Github repository](https://github.com/scopatz/nanorc)
579 |
580 | ```bash
581 | wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | sh
582 | ```
583 |
584 | --------------------------------------------------------------------------------
585 |
586 | ### Add WP-CLI & bash-completion for user www-data
587 |
588 | Included by default in WordOps - this may not be needed anymore
589 |
590 | ```bash
591 | # download wp-cli bash_completion
592 | wget -qO /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
593 |
594 | # change /var/www owner
595 | chown www-data:www-data /var/www
596 |
597 | # download .profile & .bashrc for www-data
598 | cp -f $HOME/ubuntu-nginx-web-server/var/www/{.profile,.bashrc} /var/www/
599 |
600 | # set owner
601 | chown www-data:www-data /var/www/{.profile,.bashrc}
602 | ```
603 |
604 | ## Cleanup previous EasyEngine v3
605 |
606 | Included by default in WordOps - this may not be needed anymore
607 |
608 | EasyEngine migration to WordOps is now handled by the install script. The only step to finish the migration is to remove previous php versions if you don't need them anymore.
609 |
610 | ### Removing previous php versions
611 |
612 | ```bash
613 | # php5.6
614 | apt-get -y autoremove php5.6-fpm php5.6-common --purge
615 |
616 | # php7.0
617 | apt-get -y autoremove php7.0-fpm php7.0-common --purge
618 | ```
619 |
620 | Published & maintained by [VirtuBox](https://virtubox.net)
621 |
--------------------------------------------------------------------------------
/common.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/33bb4c35597e4bab298611b2e2dfc8ace5290d99/common.zip
--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
1 | # Optimized configuration for WordOps running on Ubuntu server
2 |
3 | ## Server Stack
4 |
5 | - Ubuntu 16.04/18.04 LTS
6 | - Nginx 1.17.x / 1.16.x
7 | - PHP-FPM 7.2/7.3
8 | - MariaDB 10.3
9 | - REDIS 5.0
10 | - Memcached
11 | - Fail2ban
12 | - Netdata
13 | - UFW
14 |
15 | --------------------------------------------------------------------------------
16 |
17 |   
18 |
19 | ### Info
20 |
21 | **As EasyEngine v3 will no longer receive any updates, configurations available in this repository are being updated for [WordOps](https://wordops.net/) (EEv3 fork).**
22 |
23 | We are currently contributing to the WordOps project, and several parts of this repository are already included in WordOps.
24 |
25 | All previous configurations are still available in the branch [easyengine-v3](https://github.com/VirtuBox/ubuntu-nginx-web-server/tree/easyengine-v3).
26 |
27 | --------------------------------------------------------------------------------
28 |
29 | - [Initial configuration](#initial-configuration)
30 |
31 | - [System update and packages cleanup](#system-update-and-packages-cleanup)
32 | - [Install useful packages](#install-useful-packages)
33 | - [Clone the repository](#clone-the-repository)
34 | - [Updating the repository](#updating-the-repository)
35 | - [Tweak Kernel & Increase open files limits](#tweak-kernel--increase-open-files-limits)
36 | - [disable transparent hugepage for redis](#disable-transparent-hugepage-for-redis)
37 |
38 | - [WordOps Setup](#wordops-setup)
39 |
40 | - [Install MariaDB 10.3](#install-mariadb-103)
41 | - [MySQL Tuning](#mysql-tuning)
42 | - [Increase MariaDB open files limits](#increase-mariadb-open-files-limits)
43 | - [Setup cronjob to optimize your MySQL databases and repair them if needed](#setup-cronjob-to-optimize-your-mysql-databases-and-repair-them-if-needed)
44 |
45 | - [Install WordOps](#install-wordops)
46 |
47 | - [enable wo bash_completion](#enable-wo-bash_completion)
48 | - [Install Nginx, php7.2, php7.3, and configure WO backend](#install-nginx-php72-php73-and-configure-wo-backend)
49 | - [Set your email instead of root@localhost](#set-your-email-instead-of-rootlocalhost)
50 | - [Install Composer - Fix phpmyadmin install issue](#install-composer---fix-phpmyadmin-install-issue)
51 | - [Allow shell for www-data for SFTP usage](#allow-shell-for-www-data-for-sftp-usage)
52 | - [Set the proper alternative for /usr/bin/php](#set-the-proper-alternative-for-usrbinphp)
53 |
54 | - [NGINX Configuration](#nginx-configuration)
55 |
56 | - [Additional Nginx configuration (/etc/nginx/conf.d)](#additional-nginx-configuration-etcnginxconfd)
57 | - [Compile the latest Nginx release with nginx-ee](#compile-the-latest-nginx-release-with-nginx-ee)
58 | - [Custom configurations](#custom-configurations)
59 | - [Nginx optimized configurations](#nginx-optimized-configurations)
60 | - [Increase Nginx open files limits](#increase-nginx-open-files-limits)
61 |
62 | - [Security](#security)
63 |
64 | - [Harden SSH Security](#harden-ssh-security)
65 | - [UFW](#ufw)
66 | - [Custom jails for fail2ban](#custom-jails-for-fail2ban)
67 | - [Secure Memcached server](#secure-memcached-server)
68 |
69 | - [Optional](#optional)
70 |
71 | - [proftpd](#proftpd)
72 |
73 | - [Install proftpd](#install-proftpd)
74 | - [Adding FTP users](#adding-ftp-users)
75 |
76 | - [ee-acme-sh](#ee-acme-sh)
77 |
78 | - [netdata](#netdata)
79 |
80 | - [cht.sh (cheat)](#chtsh-cheat)
81 |
82 | - [nanorc - Improved Nano Syntax Highlighting Files](#nanorc---improved-nano-syntax-highlighting-files)
83 |
84 | - [Add WP-CLI & bash-completion for user www-data](#add-wp-cli--bash-completion-for-user-www-data)
85 |
86 | - [Cleanup previous EasyEngine v3](#cleanup-previous-easyengine-v3)
87 |
88 | - [Removing previous php versions](#removing-previous-php-versions)
89 |
90 | --------------------------------------------------------------------------------
91 |
92 | Configuration files with comments available by following the link **source**
93 |
94 | ## Initial configuration
95 |
96 | ### System update and packages cleanup
97 |
98 | ```bash
99 | apt-get update && apt-get dist-upgrade -y && apt-get autoremove --purge -y && apt-get clean
100 | ```
101 |
102 | ### Install useful packages
103 |
104 | ```bash
105 | sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze mycli -y
106 | ```
107 |
108 | ### Clone the repository
109 |
110 | ```bash
111 | git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git $HOME/ubuntu-nginx-web-server
112 | ```
113 |
114 | ### Updating the repository
115 |
116 | ```bash
117 | git -C $HOME/ubuntu-nginx-web-server pull origin master
118 | ```
119 |
120 | ### Tweak Kernel & Increase open files limits
121 |
122 | Included by default in WordOps - this may not be needed anymore
123 |
124 | [source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf)
125 |
126 | ```bash
127 | cp $HOME/ubuntu-nginx-web-server/etc/sysctl.d/60-ubuntu-nginx-web-server.conf /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
128 | ```
129 |
130 | Ubuntu 16.04 LTS does not support the new TCP congestion control algorithm bbr, so we use htcp instead.
131 |
132 | ```bash
133 | # On ubuntu 18.04 LTS
134 | modprobe tcp_bbr && echo 'tcp_bbr' >> /etc/modules-load.d/bbr.conf
135 | echo -e '\nnet.ipv4.tcp_congestion_control = bbr\nnet.ipv4.tcp_notsent_lowat = 16384' >> /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
136 |
137 | # On ubuntu 16.04 LTS
138 | modprobe tcp_htcp && echo 'tcp_htcp' >> /etc/modules-load.d/htcp.conf
139 | echo 'net.ipv4.tcp_congestion_control = htcp' >> /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
140 | ```
141 |
142 | Then apply the configuration:
143 |
144 | ```bash
145 | sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
146 | ```
147 |
148 | Increase open files limits
149 |
150 | ```bash
151 | sudo bash -c 'echo -e "* hard nofile 500000\n* soft nofile 500000\nroot hard nofile 500000\nroot soft nofile 500000\n" >> /etc/security/limits.conf'
152 | ```
153 |
154 | ### disable transparent hugepage for redis
155 |
156 | ```bash
157 | echo never > /sys/kernel/mm/transparent_hugepage/enabled
158 | ```
159 |
160 | --------------------------------------------------------------------------------
161 |
162 | ## WordOps Setup
163 |
164 | ### Install MariaDB 10.3
165 |
166 | Included by default in WordOps - this may not be needed anymore
167 |
168 | Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/)
169 |
170 | ```bash
171 | bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --mariadb-server-version=10.3 --skip-maxscale -y
172 | sudo apt update && sudo apt install mariadb-server -y
173 | ```
174 |
175 | Secure MariaDB after installation by running the command:
176 |
177 | ```bash
178 | mysql_secure_installation
179 | ```
180 |
181 | ### MySQL Tuning
182 |
183 | You can download my example my.cnf, optimized for a VPS with 4 GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf)
184 |
185 | ```bash
186 | cp -f $HOME/ubuntu-nginx-web-server/etc/mysql/my.cnf /etc/mysql/my.cnf
187 | ```
188 |
189 | It includes a modified innodb_log_file_size value, so you need to run the following commands to apply the new configuration:
190 |
191 | ```bash
192 | sudo service mysql stop
193 |
194 | sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
195 | sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
196 |
197 | sudo service mysql start
198 | ```
199 |
200 | ### Increase MariaDB open files limits
201 |
202 | ```bash
203 | echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/mariadb.service.d/limits.conf
204 |
205 | sudo systemctl daemon-reload
206 | sudo systemctl restart mariadb
207 | ```
208 |
209 | ### Setup cronjob to optimize your MySQL databases and repair them if needed
210 |
211 | Open the crontab editor
212 |
213 | ```bash
214 | sudo crontab -e
215 | ```
216 |
217 | Then add the following cronjob
218 |
219 | ```cronjob
220 | @weekly /usr/bin/mysqlcheck -Aos --auto-repair > /dev/null 2>&1
221 | ```
222 |
223 | ## Install WordOps
224 |
225 | ```bash
226 | # noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
227 | sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
228 |
229 | wget -qO wo wops.cc && sudo bash wo
230 | ```
231 |
232 | ### enable wo bash_completion
233 |
234 | ```bash
235 | source /etc/bash_completion.d/wo_auto.rc
236 | ```
237 |
238 | ### Install Nginx, php7.2, php7.3, and configure WO backend
239 |
240 | ```bash
241 | wo stack install
242 | wo stack install --php73
243 | ```
244 |
245 | ### Set your email instead of root@localhost
246 |
247 | ```bash
248 | echo 'root: my.email@address.com' >> /etc/aliases
249 | newaliases
250 | ```
251 |
252 | ### Install Composer - Fix phpmyadmin install issue
253 |
254 | Included by default in WordOps - this may not be needed anymore
255 |
256 | ```bash
257 | cd ~/ ||exit
258 | curl -sS https://getcomposer.org/installer | php
259 | mv composer.phar /usr/bin/composer
260 |
261 | chown www-data:www-data /var/www
262 | sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/
263 | ```
264 |
265 | ### Allow shell for www-data for SFTP usage
266 |
267 | ```bash
268 | usermod -s /bin/bash www-data
269 | ```
270 |
271 | ## Install PHP
272 |
273 | This section has been removed because WordOps already installs PHP 7.2 & PHP 7.3 by default
274 |
275 | ### Set the proper alternative for /usr/bin/php
276 |
277 | If you want to choose which version of php to use with the command `php`, you can use the command `update-alternatives`
278 |
279 | ```bash
280 | # php5.6
281 | sudo update-alternatives --install /usr/bin/php php /usr/bin/php5.6 80
282 |
283 | # php7.0
284 | sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.0 80
285 |
286 | # php7.1
287 | sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.1 80
288 |
289 | # php7.2
290 | sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.2 80
291 |
292 | # php7.3
293 | sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.3 80
294 | ```
295 |
296 | Then you can check php version with command `php -v`
297 |
298 | ## NGINX Configuration
299 |
300 | ### Additional Nginx configuration (/etc/nginx/conf.d)
301 |
302 | Included by default in WordOps - this may not be needed anymore
303 |
304 | - stub_status configuration on 127.0.0.1:80 : stub_status.conf
305 | - restore visitor real IP under Cloudflare : cloudflare.conf
306 |
307 | ```bash
308 | # copy all common nginx configurations
309 | cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
310 |
311 | # commit change with git
312 | [ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; }; git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
313 | ```
314 |
315 | ### Compile the latest Nginx release with [nginx-ee](https://github.com/VirtuBox/nginx-ee)
316 |
317 | ```bash
318 | bash <(wget -O - virtubox.net/nginx-ee || curl -sL virtubox.net/nginx-ee)
319 | ```
320 |
321 | --------------------------------------------------------------------------------
322 |
323 | ## Custom configurations
324 |
325 | ### Nginx optimized configurations
326 |
327 | Choose one of them
328 |
329 | ```bash
330 | # TLSv1.2 TLSv1.3 only (recommended)
331 | cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
332 |
333 | # TLSv1.2 only
334 | cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx-tlsv12.conf /etc/nginx/nginx.conf
335 | ```
336 |
337 | ```bash
338 | # commit change with git
339 | [ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; }; git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf"
340 | ```
341 |
342 | ### Nginx configuration for netdata
343 |
344 | Included by default in WordOps - this may not be needed anymore
345 |
346 | ```bash
347 | # add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
348 | cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
349 |
350 | # commit change with git
351 | [ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; }; git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
352 | ```
353 |
354 | #### Increase Nginx open files limits
355 |
356 | ```bash
357 | sudo mkdir -p /etc/systemd/system/nginx.service.d
358 | echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/nginx.service.d/limits.conf
359 |
360 | sudo systemctl daemon-reload
361 | sudo systemctl restart nginx.service
362 | ```
363 |
364 | --------------------------------------------------------------------------------
365 |
366 | ## Security
367 |
368 | ### Harden SSH Security
369 |
370 | WARNING : this SSH configuration allows root login using SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config)
371 |
372 | ```bash
373 | cp -f $HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config /etc/ssh/sshd_config
374 | ```
375 |
376 | ### UFW
377 |
378 | Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/). Check the value detected for CURRENT_SSH_PORT below before enabling UFW: if the wrong port is allowed, you can lock yourself out of the server.
379 |
380 | ```bash
381 | # enable ufw log - allow outgoing - deny incoming
382 | ufw logging low
383 | ufw default allow outgoing
384 | ufw default deny incoming
385 |
386 | # allow incoming traffic on SSH port
387 | CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
388 | ufw allow $CURRENT_SSH_PORT
389 |
390 | # DNS - HTTP/S - FTP - NTP - RSYNC - DHCP - EE Backend
391 | ufw allow 53
392 | ufw allow http
393 | ufw allow https
394 | ufw allow 21
395 | ufw allow 123
396 | ufw allow 68
397 | ufw allow 546
398 | ufw allow 873
399 | ufw allow 22222
400 |
401 |
402 | # enable UFW
403 | echo "y" | ufw enable
404 | ```
405 |
406 | ### Custom jails for fail2ban
407 |
408 | - wordpress bruteforce
409 | - ssh
410 | - recidive (after 3 bans)
411 | - backend http auth
412 | - nginx bad bots
413 |
414 | ```bash
415 | cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
416 | cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/
417 |
418 | fail2ban-client reload
419 | ```
420 |
421 | ### Secure Memcached server
422 |
423 | ```bash
424 | echo '-U 0' >> /etc/memcached.conf
425 | sudo systemctl restart memcached
426 | ```
427 |
428 | If you do not use memcached, you can safely stop it and disable it :
429 |
430 | ```bash
431 | sudo systemctl stop memcached
432 | sudo systemctl disable memcached.service
433 | ```
434 |
435 | --------------------------------------------------------------------------------
436 |
437 | ## Optional
438 |
439 | ### proftpd
440 |
441 | #### Install proftpd
442 |
443 | ```bash
444 | apt-get install proftpd -y
445 | ```
446 |
447 | secure proftpd and enable passive ports
448 |
449 | ```bash
450 | sed -i 's/# DefaultRoot/DefaultRoot/' /etc/proftpd/proftpd.conf
451 | sed -i 's/# RequireValidShell/RequireValidShell/' /etc/proftpd/proftpd.conf
452 | sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' /etc/proftpd/proftpd.conf
453 | ```
454 |
455 | restart proftpd
456 |
457 | ```bash
458 | sudo service proftpd restart
459 | ```
460 |
461 | Allow FTP ports with UFW
462 |
463 | ```bash
464 | # ftp active port
465 | sudo ufw allow 21
466 |
467 | # ftp passive ports
468 | sudo ufw allow 49000:50000/tcp
469 | ```
470 |
471 | Enable fail2ban proftpd jail
472 |
473 | ```bash
474 | echo -e '\n[proftpd]\nenabled = true\n' >> /etc/fail2ban/jail.d/custom.conf
475 |
476 | fail2ban-client reload
477 | ```
478 |
479 | #### Adding FTP users
480 |
481 | ```bash
482 | # create user without shell access in group www-data
483 | adduser --home /var/www/yourdomain.tld/ --shell /bin/false --ingroup www-data youruser
484 |
485 | # allow group read/write on website folder
486 | chmod -R g+rw /var/www/yourdomain.tld
487 | ```
488 |
489 | --------------------------------------------------------------------------------
490 |
491 | ### ee-acme-sh
492 |
493 | Included by default in WordOps - this may not be needed anymore
494 |
495 | [Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
496 |
497 | - subdomain support
498 | - ipv6 support
499 | - wildcards certificates support
500 |
501 | ```bash
502 | wget -qO install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
503 | chmod +x install-ee-acme.sh
504 | ./install-ee-acme.sh
505 |
506 | # enable acme.sh & ee-acme-sh
507 | source .bashrc
508 | ```
509 |
510 | --------------------------------------------------------------------------------
511 |
512 | ### netdata
513 |
514 | Included by default in WordOps - this may not be needed anymore
515 |
516 | [Github repository](https://github.com/firehol/netdata)
517 |
518 | ```bash
519 | # save 40-60% of netdata memory
520 | echo 1 >/sys/kernel/mm/ksm/run
521 | echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
522 |
523 | # install netdata
524 | bash <(curl -Ss https://my-netdata.io/kickstart.sh) all --dont-wait
525 |
526 | # increase open files limits for netdata
527 | sudo mkdir -p /etc/systemd/system/netdata.service.d
528 | echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/netdata.service.d/limits.conf
529 |
530 | sudo systemctl daemon-reload
531 | sudo systemctl restart netdata.service
532 |
533 | # disable email notifications
534 | sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health_alarm_notify.conf
535 | service netdata restart
536 | ```
537 |
538 | --------------------------------------------------------------------------------
539 |
540 | ### cht.sh (cheat)
541 |
542 | [Github repository](https://github.com/chubin/cheat.sh)
543 |
544 | ```bash
545 | curl https://cht.sh/:cht.sh > /usr/bin/cht.sh
546 | chmod +x /usr/bin/cht.sh
547 |
548 |
549 | echo "alias cheat='cht.sh'" >> $HOME/.bashrc
550 | source $HOME/.bashrc
551 | ```
552 |
553 | usage : `cheat <command>`
554 |
555 | ```bash
556 | root@vps:~ cheat cat
557 | # cat
558 |
559 | # Print and concatenate files.
560 |
561 | # Print the contents of a file to the standard output:
562 | cat file
563 |
564 | # Concatenate several files into the target file:
565 | cat file1 file2 > target_file
566 |
567 | # Append several files into the target file:
568 | cat file1 file2 >> target_file
569 |
570 | # Number all output lines:
571 | cat -n file
572 | ```
573 |
574 | --------------------------------------------------------------------------------
575 |
576 | ### nanorc - Improved Nano Syntax Highlighting Files
577 |
578 | [Github repository](https://github.com/scopatz/nanorc)
579 |
580 | ```bash
581 | wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | sh
582 | ```
583 |
584 | --------------------------------------------------------------------------------
585 |
586 | ### Add WP-CLI & bash-completion for user www-data
587 |
588 | Included by default in WordOps - this may not be needed anymore
589 |
590 | ```bashrc
591 | # download wp-cli bash_completion
592 | wget -qO /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
593 |
594 | # change /var/www owner
595 | chown www-data:www-data /var/www
596 |
597 | # download .profile & .bashrc for www-data
598 | cp -f $HOME/ubuntu-nginx-web-server/var/www/.* /var/www/
599 |
600 | # set owner
601 | chown www-data:www-data /var/www/{.profile,.bashrc}
602 | ```
603 |
604 | ## Cleanup previous EasyEngine v3
605 |
606 | Included by default in WordOps - this may not be needed anymore
607 |
608 | EasyEngine migration to WordOps is now handled by the install script. The only step to finish the migration is to remove previous php versions if you don't need them anymore.
609 |
610 | ### Removing previous php versions
611 |
612 | ```bash
613 | # php5.6
614 | apt-get -y autoremove php5.6-fpm php5.6-common --purge
615 |
616 | # php7.0
617 | apt-get -y autoremove php7.0-fpm php7.0-common --purge
618 | ```
619 |
620 | Published & maintained by [VirtuBox](https://virtubox.net)
621 |
--------------------------------------------------------------------------------
/docs/_config.yml:
--------------------------------------------------------------------------------
1 | theme: jekyll-theme-cayman
--------------------------------------------------------------------------------
/etc/cron.weekly/wo-maintenance:
--------------------------------------------------------------------------------
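#!/bin/sh
# Weekly maintenance job for a WordOps host: refresh wp-cli and optimise the
# MySQL/MariaDB databases. All command output is discarded so cron does not
# mail it; run the commands by hand to see what they report.

# update wp-cli
# `wp cli update` replaces /usr/bin/wp with a freshly downloaded release, so
# it only runs when wp-cli is actually installed.
if [ -x /usr/bin/wp ]; then
  /usr/bin/wp cli update --yes --allow-root > /dev/null 2>&1
fi

# optimize mysql databases
# mysqlcheck reads its credentials from /root/.my.cnf; the step is skipped
# when that file is absent so the job never prompts or fails noisily.
if [ -x /usr/bin/mysqlcheck ] && [ -f /root/.my.cnf ]; then
  /usr/bin/mysqlcheck -Aos --auto-repair > /dev/null 2>&1
fi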
12 |
13 |
--------------------------------------------------------------------------------
/etc/fail2ban/filter.d/ddos.conf:
--------------------------------------------------------------------------------
1 | [Definition]
2 |
3 | # Option: failregex
4 | # Notes.: Auto block short UDP.
5 | # Values: TEXT
6 | #
7 | failregex = ^.*kernel: UDP: short packet: From <HOST>:.*$
8 |
9 | ignoreregex =
10 |
--------------------------------------------------------------------------------
/etc/fail2ban/filter.d/ee-wordpress.conf:
--------------------------------------------------------------------------------
1 | [Definition]
2 | failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
3 | ignoreregex =
4 |
--------------------------------------------------------------------------------
/etc/fail2ban/filter.d/nginx-forbidden.conf:
--------------------------------------------------------------------------------
1 | [Definition]
2 | failregex = ^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$
3 |
4 | ignoreregex =
5 |
--------------------------------------------------------------------------------
/etc/fail2ban/jail.d/custom.conf:
--------------------------------------------------------------------------------
1 | [recidive]
2 | enabled = true
3 |
4 | [nginx-http-auth]
5 | enabled = true
6 |
7 | [nginx-botsearch]
8 | enabled = true
9 |
10 | [ee-wordpress]
11 | enabled = true
12 | filter = ee-wordpress
13 | action = iptables-multiport[name="ee-wordpress", port="http,https"]
14 | logpath = /var/log/nginx/*access.log
15 | maxretry = 5
16 |
17 | [nginx-forbidden]
18 | enabled = true
19 | filter = nginx-forbidden
20 | port = http,https
21 | logpath = /var/log/nginx/*error*.log
22 | findtime = 60
23 | bantime = 6000
24 | maxretry = 3
--------------------------------------------------------------------------------
/etc/fail2ban/jail.d/ddos.conf:
--------------------------------------------------------------------------------
1 | [ddos]
2 | enabled = true
3 | port = 27015
4 | protocol = udp
5 | filter = ddos
6 | logpath = /var/log/kern.log
7 | maxretry = 3
8 | bantime = 6000
9 |
--------------------------------------------------------------------------------
/etc/mysql/my.cnf:
--------------------------------------------------------------------------------
1 | # MariaDB database server configuration file.
2 | #
3 | # You can copy this file to one of:
4 | # - "/etc/mysql/my.cnf" to set global options,
5 | # - "~/.my.cnf" to set user-specific options.
6 | #
7 | # One can use all long options that the program supports.
8 | # Run program with --help to get a list of available options and with
9 | # --print-defaults to see which it would actually understand and use.
10 | #
11 | # For explanations see
12 | # http://dev.mysql.com/doc/mysql/en/server-system-variables.html
13 |
14 | # This will be passed to all mysql clients
15 | # It has been reported that passwords should be enclosed with ticks/quotes
16 | # especially if they contain "#" chars...
17 | # Remember to edit /etc/mysql/debian.cnf when changing the socket location.
18 | [client]
19 | port = 3306
20 | socket = /var/run/mysqld/mysqld.sock
21 |
22 | [mysqld_safe]
23 | socket = /var/run/mysqld/mysqld.sock
24 | nice = 0
25 |
26 | [mysqld]
27 | #
28 | # * Basic Settings
29 | #
30 | user = mysql
31 | pid-file = /var/run/mysqld/mysqld.pid
32 | socket = /var/run/mysqld/mysqld.sock
33 | port = 3306
34 | basedir = /usr
35 | datadir = /var/lib/mysql
36 | tmpdir = /tmp
37 | lc_messages_dir = /usr/share/mysql
38 | lc_messages = en_US
39 | skip-external-locking
40 | performance_schema = ON
41 | #
42 | # Instead of skip-networking the default is now to listen only on
43 | # localhost which is more compatible and is not less secure.
44 | bind-address = ::ffff:127.0.0.1
45 | #
46 | # * Fine Tuning
47 | #
48 | max_connections = 100
49 | connect_timeout = 5
50 | wait_timeout = 60
51 | max_allowed_packet = 16M
52 | thread_cache_size = 128
53 | sort_buffer_size = 4M
54 | bulk_insert_buffer_size = 16M
55 | tmp_table_size = 32M
56 | max_heap_table_size = 32M
57 | #
58 | # * MyISAM
59 | #
60 | # This replaces the startup script and checks MyISAM tables if needed
61 | # the first time they are touched. On error, make copy and try a repair.
62 | myisam_recover_options = BACKUP
63 | key_buffer_size = 64M
64 | open-files-limit = 500000
65 | table_open_cache = 500000
66 | myisam_sort_buffer_size = 256M
67 | concurrent_insert = 2
68 | read_buffer_size = 2M
69 | read_rnd_buffer_size = 1M
70 | #
71 | # * Query Cache Configuration
72 | #
73 | # Cache only tiny result sets, so we can fit more in the query cache.
74 | query_cache_limit = 128K
75 | query_cache_size = 0
76 | # for more write intensive setups, set to DEMAND or OFF
77 | query_cache_type = 0
78 | #
79 | # * Logging and Replication
80 | #
81 | # Both locations get rotated by the cronjob.
82 | # Be aware that this log type is a performance killer.
83 | # As of 5.1 you can enable the log at runtime!
84 | #general_log_file = /var/log/mysql/mysql.log
85 | #general_log = 1
86 | #
87 | # Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
88 | #
89 | # we do want to know about network errors and such
90 | log_warnings = 2
91 | #
92 | # Enable the slow query log to see queries with especially long duration
93 | slow_query_log = 1
94 | slow_query_log_file = /var/log/mysql/mariadb-slow.log
95 | long_query_time = 10
96 | #log_slow_rate_limit = 1000
97 | log_slow_verbosity = query_plan
98 |
99 | #log-queries-not-using-indexes
100 | #log_slow_admin_statements
101 | #
102 | # The following can be used as easy to replay backup logs or for replication.
103 | # note: if you are setting up a replication slave, see README.Debian about
104 | # other settings you may need to change.
105 | #server-id = 1
106 | #report_host = master1
107 | #auto_increment_increment = 2
108 | #auto_increment_offset = 1
109 | #log_bin = /var/log/mysql/mariadb-bin
110 | #log_bin_index = /var/log/mysql/mariadb-bin.index
111 | # not fab for performance, but safer
112 | #sync_binlog = 1
113 | #expire_logs_days = 10
114 | #max_binlog_size = 100M
115 | # slaves
116 | #relay_log = /var/log/mysql/relay-bin
117 | #relay_log_index = /var/log/mysql/relay-bin.index
118 | #relay_log_info_file = /var/log/mysql/relay-bin.info
119 | #log_slave_updates
120 | #read_only
121 | #
122 | # If applications support it, this stricter sql_mode prevents some
123 | # mistakes like inserting invalid dates etc.
124 | #sql_mode = NO_ENGINE_SUBSTITUTION,TRADITIONAL
125 | #
126 | # * InnoDB
127 | #
128 | # InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
129 | # Read the manual for more InnoDB related options. There are many!
130 | default_storage_engine = InnoDB
131 | # you can't just change log file size, requires special procedure
132 |
133 | # innodb_log_file_size = innodb_buffer_pool_size / 8
134 | innodb_log_file_size = 128M
135 | # innodb_buffer_pool_size = RAM / 2
136 | innodb_buffer_pool_size = 1G
137 | # innodb_log_buffer_size = innodb_buffer_pool_size / 4
138 | innodb_log_buffer_size = 256M
139 |
140 | innodb_file_per_table = 1
141 | innodb_open_files = 500000
142 | innodb_io_capacity = 500000
143 | innodb_flush_method = O_DIRECT
144 | #
145 | # * Security Features
146 | #
147 | # Read the manual, too, if you want chroot!
148 | # chroot = /var/lib/mysql/
149 | #
150 | # For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
151 | #
152 | # ssl-ca=/etc/mysql/cacert.pem
153 | # ssl-cert=/etc/mysql/server-cert.pem
154 | # ssl-key=/etc/mysql/server-key.pem
155 |
156 | #
157 | # * Galera-related settings
158 | #
159 | [galera]
160 | # Mandatory settings
161 | #wsrep_on=ON
162 | #wsrep_provider=
163 | #wsrep_cluster_address=
164 | #binlog_format=row
165 | #default_storage_engine=InnoDB
166 | #innodb_autoinc_lock_mode=2
167 | #
168 | # Allow server to accept connections on all interfaces.
169 | #
170 | #bind-address=0.0.0.0
171 | #
172 | # Optional setting
173 | #wsrep_slave_threads=1
174 | #innodb_flush_log_at_trx_commit=0
175 |
176 | [mysqldump]
177 | quick
178 | quote-names
179 | max_allowed_packet = 16M
180 |
181 | [mysql]
182 | #no-auto-rehash # faster start of mysql but no tab completion
183 |
184 | [isamchk]
185 | key_buffer = 16M
186 |
187 | #
188 | # * IMPORTANT: Additional settings that can override those from this file!
189 | # The files must end with '.cnf', otherwise they'll be ignored.
190 | #
191 | !include /etc/mysql/mariadb.cnf
192 | !includedir /etc/mysql/conf.d/
193 |
--------------------------------------------------------------------------------
/etc/nginx/common/acl.conf:
--------------------------------------------------------------------------------
1 | # WordOps (wo) protect locations using
2 | # HTTP authentication || IP address
3 | satisfy any;
4 | auth_basic "Restricted Area";
5 | auth_basic_user_file htpasswd-wo;
6 | # Allowed IP Address List
7 | allow 127.0.0.1;
8 | deny all;
--------------------------------------------------------------------------------
/etc/nginx/common/hsts-nosub.conf:
--------------------------------------------------------------------------------
1 | # Warning : this line enables HSTS for this host only, without includeSubDomains (ngx_http_headers_module is required) (31536000 seconds = 1 year)
2 | add_header Strict-Transport-Security "max-age=31536000; preload";
3 |
--------------------------------------------------------------------------------
/etc/nginx/common/hsts.conf:
--------------------------------------------------------------------------------
1 | # Warning : this line enables HSTS for your domain and all subdomains (ngx_http_headers_module is required) (31536000 seconds = 1 year)
2 | add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
3 |
4 |
--------------------------------------------------------------------------------
/etc/nginx/common/locations-php7.conf:
--------------------------------------------------------------------------------
1 | # NGINX CONFIGURATION FOR COMMON LOCATION
2 | # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
3 | # Basic locations files
4 | location = /favicon.ico {
5 | try_files /favicon.ico @empty;
6 | access_log off;
7 | log_not_found off;
8 | expires max;
9 |
10 | }
11 |
12 | location @empty {
13 | empty_gif;
14 | }
15 | location = /robots.txt {
16 | # Some WordPress plugins generate a robots.txt file
17 | # Refer #340 issue
18 | try_files $uri $uri/ /index.php$is_args$args @robots;
19 | access_log off;
20 | log_not_found off;
21 | }
22 | # fallback for robots.txt with default wordpress rules
23 | location @robots {
24 | return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
25 | }
26 | # Cache static files
27 | location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
28 | add_header "Access-Control-Allow-Origin" "*";
29 | access_log off;
30 | log_not_found off;
31 | expires max;
32 | }
33 | # Cache css & js files
34 | location ~* \.(?:css(\.map)?|js(\.map)?)$ {
35 | add_header "Access-Control-Allow-Origin" "*";
36 | access_log off;
37 | log_not_found off;
38 | expires 30d;
39 | }
40 | # Security settings for better privacy
41 | # Deny hidden files
42 | location ~ /\.(?!well-known\/) {
43 | deny all;
44 | }
45 | # Use the directory /var/www/html to validate acme-challenge
46 | # just create the sub-directories .well-known/acme-challenge
47 | ####
48 | # sudo chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
49 | ####
50 | # location /.well-known/acme-challenge/ {
51 | # alias /var/www/html/.well-known/acme-challenge/;
52 | # }
53 | # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
54 | location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
55 | deny all;
56 | }
57 | # Deny backup extensions & log files and return 403 forbidden
58 | location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
59 | deny all;
60 | }
61 | # common nginx configuration to block sql injection and other attacks
62 | location ~* "(eval\()" {
63 | deny all;
64 | }
65 | location ~* "(127\.0\.0\.1)" {
66 | deny all;
67 | }
68 | location ~* "([a-z0-9]{2000})" {
69 | deny all;
70 | }
71 | location ~* "(javascript\:)(.*)(\;)" {
72 | deny all;
73 | }
74 | location ~* "(base64_encode)(.*)(\()" {
75 | deny all;
76 | }
77 | location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
78 | deny all;
79 | }
80 | location ~* "(<|%3C).*script.*(>|%3)" {
81 | deny all;
82 | }
83 | location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
84 | deny all;
85 | }
86 | location ~* "(boot\.ini|etc/passwd|self/environ)" {
87 | deny all;
88 | }
89 | location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
90 | deny all;
91 | }
92 | location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
93 | deny all;
94 | }
95 | location ~* "(https?|ftp|php):/" {
96 | deny all;
97 | }
98 | location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
99 | deny all;
100 | }
101 | location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
102 | deny all;
103 | }
104 | location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
105 | deny all;
106 | }
107 | location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
108 | deny all;
109 | }
110 | location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|eval\(|self/environ)" {
111 | deny all;
112 | }
113 | location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch||webshell|config|configuration|info)\.php" {
114 | deny all;
115 | }
116 |
117 |
118 |
119 |
--------------------------------------------------------------------------------
/etc/nginx/common/locations-php72.conf:
--------------------------------------------------------------------------------
1 | # NGINX CONFIGURATION FOR COMMON LOCATION
2 | # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
3 | # Basic locations files
4 | location = /favicon.ico {
5 | try_files /favicon.ico @empty;
6 | access_log off;
7 | log_not_found off;
8 | expires max;
9 |
10 | }
11 |
12 | location @empty {
13 | empty_gif;
14 | }
15 | location = /robots.txt {
16 | # Some WordPress plugins generate a robots.txt file
17 | # Refer #340 issue
18 | try_files $uri $uri/ /index.php?$args @robots;
19 | access_log off;
20 | log_not_found off;
21 | }
22 | # fallback for robots.txt with default wordpress rules
23 | location @robots {
24 | return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
25 | }
26 | # Cache static files
27 | location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
28 | add_header "Access-Control-Allow-Origin" "*";
29 | access_log off;
30 | log_not_found off;
31 | expires max;
32 | }
33 | # Cache css & js files
34 | location ~* \.(?:css(\.map)?|js(\.map)?)$ {
35 | add_header "Access-Control-Allow-Origin" "*";
36 | access_log off;
37 | log_not_found off;
38 | expires 30d;
39 | }
40 | # Security settings for better privacy
41 | # Deny hidden files
42 | location ~ /\.(?!well-known\/) {
43 | deny all;
44 | }
45 | # Use the directory /var/www/html to validate acme-challenge
46 | # just create the sub-directories .well-known/acme-challenge
47 | ####
48 | # sudo chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
49 | ####
50 | # location /.well-known/acme-challenge/ {
51 | # alias /var/www/html/.well-known/acme-challenge/;
52 | # }
53 | # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
54 | location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
55 | deny all;
56 | }
57 | # Deny backup extensions & log files and return 403 forbidden
58 | location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
59 | deny all;
60 | }
61 | # common nginx configuration to block sql injection and other attacks
62 | location ~* "(eval\()" {
63 | deny all;
64 | }
65 | location ~* "(127\.0\.0\.1)" {
66 | deny all;
67 | }
68 | location ~* "([a-z0-9]{2000})" {
69 | deny all;
70 | }
71 | location ~* "(javascript\:)(.*)(\;)" {
72 | deny all;
73 | }
74 | location ~* "(base64_encode)(.*)(\()" {
75 | deny all;
76 | }
77 | location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
78 | deny all;
79 | }
80 | location ~* "(<|%3C).*script.*(>|%3)" {
81 | deny all;
82 | }
83 | location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
84 | deny all;
85 | }
86 | location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
87 | deny all;
88 | }
89 | location ~* "(https?|ftp|php):/" {
90 | deny all;
91 | }
92 | location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
93 | deny all;
94 | }
95 | location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
96 | deny all;
97 | }
98 | location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
99 | deny all;
100 | }
101 | location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|boot\.ini|etc/passwd|eval\(|self/environ|(wp-)?config\.|cgi-|muieblack)" {
102 | deny all;
103 | }
104 | location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
105 | deny all;
106 | }
107 |
108 |
109 |
110 |
--------------------------------------------------------------------------------
/etc/nginx/common/ocsp.conf:
--------------------------------------------------------------------------------
1 | ##OCSP settings
2 | ssl_stapling_verify on;
3 | #ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here
4 |
--------------------------------------------------------------------------------
/etc/nginx/common/pagespeed.conf:
--------------------------------------------------------------------------------
1 | pagespeed on;
2 | # Ensure requests for pagespeed optimized resources go to the pagespeed handler
3 | # and no extraneous headers get set.
4 | location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
5 | add_header "" "";
6 | }
7 | location ~ "^/pagespeed_static/" { }
8 | location ~ "^/ngx_pagespeed_beacon$" { }
9 | pagespeed RewriteLevel PassThrough;
10 | pagespeed EnableFilters combine_css;
11 | pagespeed EnableFilters combine_javascript;
12 | pagespeed EnableFilters rewrite_javascript;
13 | #pagespeed EnableFilters rewrite_images;
14 | #pagespeed EnableFilters defer_javascript;
15 | #pagespeed EnableFilters convert_to_webp_lossless;
16 | #pagespeed EnableFilters resize_rendered_image_dimensions;
17 | pagespeed PreserveUrlRelativity on;
18 | #pagespeed MaxCombinedCssBytes -1;
19 | pagespeed AvoidRenamingIntrospectiveJavascript on;
20 | #pagespeed MaxInlinedPreviewImagesIndex -1;
21 | pagespeed EnableFilters convert_meta_tags,extend_cache,rewrite_javascript_inline;
22 | #pagespeed Domain *.yourdomain.tld;
23 |
24 | location /ngx_pagespeed_statistics { include common/acl.conf; }
25 | location /ngx_pagespeed_global_statistics { include common/acl.conf; }
26 | location /ngx_pagespeed_message { include common/acl.conf; }
27 | location /pagespeed_console { include common/acl.conf; }
28 | location ~ ^/pagespeed_admin { include common/acl.conf; }
29 | location ~ ^/pagespeed_global_admin { include common/acl.conf; }
30 |
31 |
--------------------------------------------------------------------------------
/etc/nginx/common/php72.conf:
--------------------------------------------------------------------------------
1 | # PHP NGINX CONFIGURATION
2 | # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
3 | location / {
4 | try_files $uri $uri/ /index.php$is_args$args;
5 | }
6 | location ~ \.php$ {
7 | try_files $uri =404; # a script that does not exist on disk is answered with 404 here and never reaches PHP-FPM
8 | include fastcgi_params;
9 | fastcgi_pass php72; # upstream group defined outside this file
10 | }
11 |
--------------------------------------------------------------------------------
/etc/nginx/common/wpcommon-php7.conf:
--------------------------------------------------------------------------------
1 | # WordPress COMMON SETTINGS
2 | # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
3 | # Limit access to avoid brute force attack
4 | location = /wp-login.php {
5 | limit_req zone=one burst=1 nodelay;
6 | include fastcgi_params;
7 | fastcgi_pass php7;
8 | }
9 | # Disable wp-config.txt
10 | location = /wp-config.txt {
11 | deny all;
12 | access_log off;
13 | log_not_found off;
14 | }
15 | # webp rewrite rules for jpg and png images
16 | # try to load alternative image.png.webp before image.png
17 | location /wp-content/uploads {
18 | location ~ \.(png|jpe?g)$ {
19 | add_header Vary "Accept-Encoding";
20 | add_header "Access-Control-Allow-Origin" "*";
21 | add_header Cache-Control "public, no-transform";
22 | access_log off;
23 | log_not_found off;
24 | expires max;
25 | try_files $uri$webp_suffix $uri =404;
26 | }
27 | location ~ \.php$ {
28 | #Prevent Direct Access Of PHP Files From Web Browsers
29 | deny all;
30 | }
31 | }
32 | # Deny access to any files with a .php extension in the uploads directory
33 | # Works in sub-directory installs and also in multisite network
34 | # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
35 | location ~* /(?:uploads|files)/.*\.php$ {
36 | deny all;
37 | }
38 | # mitigate DoS attack CVE with WordPress script concatenation
39 | # add the following line to wp-config.php
40 | # define( 'CONCATENATE_SCRIPTS', false );
41 | location ~ \/wp-admin\/load-(scripts|styles).php {
42 | deny all;
43 | }
44 |
--------------------------------------------------------------------------------
/etc/nginx/common/wpcommon-php72.conf:
--------------------------------------------------------------------------------
1 | # WordPress COMMON SETTINGS - WO v3.9.7
2 | # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER A WordOps (wo) UPDATE
3 | # Limit access to avoid brute force attack
4 | location = /wp-login.php {
5 | limit_req zone=one burst=1 nodelay;
6 | include fastcgi_params;
7 | fastcgi_pass php72;
8 | }
9 | # Prevent DoS attacks on wp-cron
10 | location = /wp-cron.php {
11 | limit_req zone=two burst=1 nodelay;
12 | include fastcgi_params;
13 | fastcgi_pass php72;
14 | }
15 | # Prevent DoS attacks via xmlrpc.php
16 | location = /xmlrpc.php {
17 | limit_req zone=two burst=1 nodelay;
18 | include fastcgi_params;
19 | fastcgi_pass php72;
20 | }
21 | # Disable wp-config.txt
22 | location = /wp-config.txt {
23 | deny all;
24 | access_log off;
25 | log_not_found off;
26 | }
27 | location = /robots.txt {
28 | # Some WordPress plugins generate a robots.txt file
29 | # Refer #340 issue
30 | try_files $uri $uri/ /index.php?$args @robots;
31 | access_log off;
32 | log_not_found off;
33 | }
34 | # fallback for robots.txt with default wordpress rules
35 | location @robots {
36 | return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
37 | }
38 | # webp rewrite rules for jpg and png images
39 | # try to load alternative image.png.webp before image.png
40 | location /wp-content/uploads {
41 | location ~ \.(png|jpe?g)$ {
42 | add_header Vary "Accept-Encoding";
43 | more_set_headers 'Access-Control-Allow-Origin : *';
44 | add_header Cache-Control "public, no-transform";
45 | access_log off;
46 | log_not_found off;
47 | expires max;
48 | try_files $uri$webp_suffix $uri =404;
49 | }
50 | location ~* \.(php|gz|log|zip|tar|rar)$ {
51 | #Prevent Direct Access Of PHP Files & Backups From Web Browsers
52 | deny all;
53 | }
54 | }
55 | # webp rewrite rules for EWWW testing image
56 | location /wp-content/plugins/ewww-image-optimizer/images {
57 | location ~ \.(png|jpe?g)$ {
58 | add_header Vary "Accept-Encoding";
59 | more_set_headers 'Access-Control-Allow-Origin : *';
60 | add_header Cache-Control "public, no-transform";
61 | access_log off;
62 | log_not_found off;
63 | expires max;
64 | try_files $uri$webp_suffix $uri =404;
65 | }
66 | location ~ \.php$ {
67 | #Prevent Direct Access Of PHP Files From Web Browsers
68 | deny all;
69 | }
70 | }
71 | # enable gzip on static assets - php files are forbidden
72 | location /wp-content/cache {
73 | # Cache css, js and html files (the trailing ".html" alternative has an unescaped dot, so it also matches e.g. "xhtml"; "\.html" is probably what was meant)
74 | location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
75 | more_set_headers 'Access-Control-Allow-Origin : *';
76 | access_log off;
77 | log_not_found off;
78 | expires 30d;
79 | }
80 | location ~ \.php$ {
81 | #Prevent Direct Access Of PHP Files From Web Browsers
82 | deny all;
83 | }
84 | }
85 | # Deny access to any files with a .php extension in the uploads directory
86 | # Works in sub-directory installs and also in multisite network
87 | # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
88 | location ~* /(?:uploads|files)/.*\.php$ {
89 | deny all;
90 | }
91 | # mitigate DoS attack CVE with WordPress script concatenation
92 | # add the following line to wp-config.php
93 | # define( 'CONCATENATE_SCRIPTS', false );
94 | location ~ \/wp-admin\/load-(scripts|styles).php {
95 | deny all;
96 | }
97 |
--------------------------------------------------------------------------------
/etc/nginx/common/wpcommon-php73.conf:
--------------------------------------------------------------------------------
1 | # WordPress COMMON SETTINGS - WO v3.9.7
2 | # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER A WordOps (wo) UPDATE
3 | # Limit access to avoid brute force attack
4 | location = /wp-login.php {
5 | limit_req zone=one burst=1 nodelay;
6 | include fastcgi_params;
7 | fastcgi_pass php73;
8 | }
9 | # Prevent DoS attacks on wp-cron
10 | location = /wp-cron.php {
11 | limit_req zone=two burst=1 nodelay;
12 | include fastcgi_params;
13 | fastcgi_pass php73;
14 | }
15 | # Prevent DoS attacks via xmlrpc.php
16 | location = /xmlrpc.php {
17 | limit_req zone=two burst=1 nodelay;
18 | include fastcgi_params;
19 | fastcgi_pass php73;
20 | }
21 | # Disable wp-config.txt
22 | location = /wp-config.txt {
23 | deny all;
24 | access_log off;
25 | log_not_found off;
26 | }
27 | location = /robots.txt {
28 | # Some WordPress plugins generate a robots.txt file
29 | # Refer #340 issue
30 | try_files $uri $uri/ /index.php?$args @robots;
31 | access_log off;
32 | log_not_found off;
33 | }
34 | # fallback for robots.txt with default wordpress rules
35 | location @robots {
36 | return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
37 | }
38 | # webp rewrite rules for jpg and png images
39 | # try to load alternative image.png.webp before image.png
40 | location /wp-content/uploads {
41 | location ~ \.(png|jpe?g)$ {
42 | add_header Vary "Accept-Encoding";
43 | more_set_headers 'Access-Control-Allow-Origin : *';
44 | add_header Cache-Control "public, no-transform";
45 | access_log off;
46 | log_not_found off;
47 | expires max;
48 | try_files $uri$webp_suffix $uri =404;
49 | }
50 | location ~* \.(php|gz|log|zip|tar|rar)$ {
51 | #Prevent Direct Access Of PHP Files & Backups From Web Browsers
52 | deny all;
53 | }
54 | }
55 | # webp rewrite rules for EWWW testing image
56 | location /wp-content/plugins/ewww-image-optimizer/images {
57 | location ~ \.(png|jpe?g)$ {
58 | add_header Vary "Accept-Encoding";
59 | more_set_headers 'Access-Control-Allow-Origin : *';
60 | add_header Cache-Control "public, no-transform";
61 | access_log off;
62 | log_not_found off;
63 | expires max;
64 | try_files $uri$webp_suffix $uri =404;
65 | }
66 | location ~ \.php$ {
67 | #Prevent Direct Access Of PHP Files From Web Browsers
68 | deny all;
69 | }
70 | }
71 | # enable gzip on static assets - php files are forbidden
72 | location /wp-content/cache {
73 | # Cache css, js and html files (the trailing ".html" alternative has an unescaped dot, so it also matches e.g. "xhtml"; "\.html" is probably what was meant)
74 | location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
75 | more_set_headers 'Access-Control-Allow-Origin : *';
76 | access_log off;
77 | log_not_found off;
78 | expires 30d;
79 | }
80 | location ~ \.php$ {
81 | #Prevent Direct Access Of PHP Files From Web Browsers
82 | deny all;
83 | }
84 | }
85 | # Deny access to any files with a .php extension in the uploads directory
86 | # Works in sub-directory installs and also in multisite network
87 | # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
88 | location ~* /(?:uploads|files)/.*\.php$ {
89 | deny all;
90 | }
91 | # mitigate DoS attack CVE with WordPress script concatenation
92 | # add the following line to wp-config.php
93 | # define( 'CONCATENATE_SCRIPTS', false );
94 | location ~ \/wp-admin\/load-(scripts|styles).php {
95 | deny all;
96 | }
97 |
--------------------------------------------------------------------------------
/etc/nginx/conf.d/cloudflare.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # nginx-cloudflare-real-ip - restore visitor IP under Cloudflare CDN
3 | ##
4 | # Source : https://virtubox.github.io/nginx-cloudflare-real-ip/
5 |
6 | set_real_ip_from 103.21.244.0/22; # trust list: the header named below is honoured only when the TCP peer is inside one of these ranges; refresh the list whenever Cloudflare publishes new ranges
7 | set_real_ip_from 103.22.200.0/22;
8 | set_real_ip_from 103.31.4.0/22;
9 | set_real_ip_from 104.16.0.0/12;
10 | set_real_ip_from 108.162.192.0/18;
11 | set_real_ip_from 131.0.72.0/22;
12 | set_real_ip_from 141.101.64.0/18;
13 | set_real_ip_from 162.158.0.0/15;
14 | set_real_ip_from 172.64.0.0/13;
15 | set_real_ip_from 173.245.48.0/20;
16 | set_real_ip_from 188.114.96.0/20;
17 | set_real_ip_from 190.93.240.0/20;
18 | set_real_ip_from 197.234.240.0/22;
19 | set_real_ip_from 198.41.128.0/17;
20 | set_real_ip_from 2400:cb00::/32;
21 | set_real_ip_from 2405:b500::/32;
22 | set_real_ip_from 2606:4700::/32;
23 | set_real_ip_from 2803:f800::/32;
24 | set_real_ip_from 2c0f:f248::/32;
25 | set_real_ip_from 2a06:98c0::/29;
26 |
27 | real_ip_header CF-Connecting-IP; # NOTE(review): a client connecting to the origin directly is not in the list above, so its header is ignored and $remote_addr stays its real address; rate limits and logs keyed on the visitor IP are therefore only consistent if the origin is reachable solely through Cloudflare
28 |
--------------------------------------------------------------------------------
/etc/nginx/conf.d/fastcgi.conf:
--------------------------------------------------------------------------------
1 | # FastCGI cache settings
2 | fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:50m inactive=60m max_size=256M;
3 | fastcgi_cache_key "$scheme$request_method$host$request_uri";
4 | fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
5 | fastcgi_cache_methods GET HEAD;
6 | fastcgi_cache_valid 200 301 302 404 1h; # NOTE(review): combined with Set-Cookie being ignored below, any successful response can sit in the shared cache for 1h; keeping logged-in/personalised responses out depends on per-site skip/bypass rules that are not in this file — confirm they exist
7 | fastcgi_buffers 256 32k;
8 | fastcgi_buffer_size 256k;
9 | fastcgi_connect_timeout 4s;
10 | fastcgi_send_timeout 120s;
11 | fastcgi_busy_buffers_size 512k;
12 | fastcgi_temp_file_write_size 512K;
13 | fastcgi_param SERVER_NAME $http_host; # NOTE(review): SERVER_NAME becomes the client-supplied Host header instead of the matched server_name; an application that builds URLs from SERVER_NAME inherits Host-header injection — confirm this is intended
14 | fastcgi_ignore_headers Cache-Control Expires Set-Cookie; # responses that set cookies are still cacheable; see the note on fastcgi_cache_valid above
15 | fastcgi_keep_conn on;
16 | fastcgi_intercept_errors on;
17 | fastcgi_cache_background_update on;
18 | fastcgi_cache_lock on;
19 | fastcgi_cache_lock_age 1s;
20 | fastcgi_cache_lock_timeout 3s;
21 |
22 | # uncomment the following line if you run nginx 1.15.6 or later (the directive does not exist in earlier versions)
23 | # fastcgi_socket_keepalive on;
24 |
--------------------------------------------------------------------------------
/etc/nginx/conf.d/stub_status.conf:
--------------------------------------------------------------------------------
1 | upstream phpstatus {
2 | server unix:/run/php/php7.2-fpm.sock; # NOTE(review): pinned to the 7.2 pool although this tree ships pool configs for 7.0–7.3; status/ping for the other versions would need their own upstream — confirm intended
3 | }
4 |
5 | server {
6 | listen 127.0.0.1:80; # loopback only; the status locations below additionally gate on the source address
7 | server_name 127.0.0.1 localhost;
8 | access_log off;
9 | log_not_found off;
10 | root /var/www/html; # anything not matched below is served from here to loopback clients — presumably intended, confirm
11 | location ~ /(stub_status|nginx_status) { # NOTE(review): unanchored, matches any URI containing "/stub_status" or "/nginx_status"; "^/(stub_status|nginx_status)$" would be stricter
12 | stub_status on;
13 | allow 127.0.0.1;
14 | deny all;
15 | access_log off;
16 | log_not_found off;
17 | }
18 | location ~ /(status|ping) { # NOTE(review): unanchored as above; forwards to the FPM pool behind "phpstatus" for its status/ping pages
19 | include fastcgi_params;
20 | allow 127.0.0.1;
21 | deny all;
22 | fastcgi_pass phpstatus;
23 | access_log off;
24 | log_not_found off;
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/etc/nginx/conf.d/tweaks.conf:
--------------------------------------------------------------------------------
1 | directio 4m;
2 | directio_alignment 512;
3 | http2_max_field_size 16k;
4 | http2_max_header_size 32k;
5 |
6 | large_client_header_buffers 8 64k;
7 |
8 | open_file_cache max=50000 inactive=60s;
9 | open_file_cache_errors off;
10 | open_file_cache_min_uses 2;
11 | open_file_cache_valid 120s;
12 | open_log_file_cache max=10000 inactive=30s min_uses=2;
13 |
14 | postpone_output 1460;
15 | proxy_buffers 8 32k;
16 | proxy_buffer_size 64k;
17 |
18 |
--------------------------------------------------------------------------------
/etc/nginx/mime.types:
--------------------------------------------------------------------------------
1 |
2 | types {
3 | text/html html htm shtml;
4 | text/css css;
5 | text/xml xml;
6 | image/gif gif;
7 | image/jpeg jpeg jpg;
8 | application/javascript js;
9 | application/atom+xml atom;
10 | application/rss+xml rss;
11 |
12 | text/mathml mml;
13 | text/plain txt;
14 | text/vnd.sun.j2me.app-descriptor jad;
15 | text/vnd.wap.wml wml;
16 | text/x-component htc;
17 |
18 | image/png png;
19 | image/tiff tif tiff;
20 | image/vnd.wap.wbmp wbmp;
21 | image/x-icon ico;
22 | image/x-jng jng;
23 | image/x-ms-bmp bmp;
24 | image/svg+xml svg svgz;
25 | image/webp webp;
26 |
27 | application/font-woff woff;
28 | application/font-woff2 woff2;
29 | application/x-font-ttf ttf;
30 | application/java-archive jar war ear;
31 | application/json json;
32 | application/mac-binhex40 hqx;
33 | application/msword doc;
34 | application/pdf pdf;
35 | application/postscript ps eps ai;
36 | application/rtf rtf;
37 | application/vnd.apple.mpegurl m3u8;
38 | application/vnd.ms-excel xls;
39 | application/vnd.ms-fontobject eot;
40 | application/vnd.ms-powerpoint ppt;
41 | application/vnd.wap.wmlc wmlc;
42 | application/vnd.google-earth.kml+xml kml;
43 | application/vnd.google-earth.kmz kmz;
44 | application/x-7z-compressed 7z;
45 | application/x-cocoa cco;
46 | application/x-java-archive-diff jardiff;
47 | application/x-java-jnlp-file jnlp;
48 | application/x-makeself run;
49 | application/x-perl pl pm;
50 | application/x-pilot prc pdb;
51 | application/x-rar-compressed rar;
52 | application/x-redhat-package-manager rpm;
53 | application/x-sea sea;
54 | application/x-shockwave-flash swf;
55 | application/x-stuffit sit;
56 | application/x-tcl tcl tk;
57 | application/x-x509-ca-cert der pem crt;
58 | application/x-xpinstall xpi;
59 | application/xhtml+xml xhtml;
60 | application/xspf+xml xspf;
61 | application/zip zip;
62 |
63 | application/octet-stream bin exe dll;
64 | application/octet-stream deb;
65 | application/octet-stream dmg;
66 | application/octet-stream iso img;
67 | application/octet-stream msi msp msm;
68 |
69 | application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
70 | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
71 | application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
72 |
73 | audio/midi mid midi kar;
74 | audio/mpeg mp3;
75 | audio/ogg ogg;
76 | audio/x-m4a m4a;
77 | audio/x-realaudio ra;
78 |
79 | video/3gpp 3gpp 3gp;
80 | video/mp2t ts;
81 | video/mp4 mp4;
82 | video/mpeg mpeg mpg;
83 | video/quicktime mov;
84 | video/webm webm;
85 | video/x-flv flv;
86 | video/x-m4v m4v;
87 | video/x-mng mng;
88 | video/x-ms-asf asx asf;
89 | video/x-ms-wmv wmv;
90 | video/x-msvideo avi;
91 | }
--------------------------------------------------------------------------------
/etc/nginx/nginx-tlsv12.conf:
--------------------------------------------------------------------------------
1 | user www-data;
2 | worker_processes auto;
3 | worker_cpu_affinity auto;
4 | worker_rlimit_nofile 100000;
5 | pid /run/nginx.pid;
6 |
7 | pcre_jit on;
8 |
9 | events
10 | {
11 | multi_accept on;
12 | worker_connections 50000;
13 | accept_mutex on;
14 | use epoll;
15 | }
16 |
17 | http
18 | {
19 | ##
20 | # EasyEngine Settings
21 | ##
22 |
23 | sendfile on;
24 | sendfile_max_chunk 512k;
25 |
26 | tcp_nopush on;
27 | tcp_nodelay on;
28 |
29 | keepalive_timeout 8;
30 | keepalive_requests 500;
31 |
32 | lingering_time 20s;
33 | lingering_timeout 5s;
34 |
35 | server_tokens off;
36 | reset_timedout_connection on;
37 | add_header X-Powered-By "WordOps v3.9.4 - Optimized by VirtuBox"; # NOTE(review): advertises the stack and its version on every response, undoing what "server_tokens off" above hides; consider dropping the header or at least the version
38 | add_header rt-Fastcgi-Cache $upstream_cache_status;
39 |
40 | # Limit Request
41 | limit_req_status 403;
42 | limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s; # NOTE(review): common/wpcommon-php72.conf and wpcommon-php73.conf also reference "zone=two", which is declared neither here nor in the conf.d files of this tree; nginx rejects the configuration with an unknown zone unless it is declared elsewhere
43 |
44 | #Simple DOS mitigation
45 | ##Max c/s by ip
46 | #limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
47 | #limit_conn limit_per_ip 80;
48 |
49 | ##Max rq/s by ip
50 | #limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
51 | #limit_req zone=allips burst=400 nodelay;
52 |
53 | # Proxy Settings
54 | # set_real_ip_from proxy-server-ip;
55 | # real_ip_header X-Forwarded-For;
56 |
57 | fastcgi_read_timeout 120s;
58 | client_max_body_size 100m;
59 |
60 | #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
61 | aio threads;
62 |
63 | # tls dynamic records patch directive
64 | ssl_dyn_rec_enable on;
65 | ssl_dyn_rec_size_hi 4229;
66 | ssl_dyn_rec_size_lo 1369;
67 | ssl_dyn_rec_threshold 40;
68 | ssl_dyn_rec_timeout 1000;
69 |
70 | # nginx-vts-status module
71 | vhost_traffic_status_zone;
72 |
73 | resolver 8.8.8.8 1.1.1.1 valid=300s; # NOTE(review): plaintext DNS to third-party resolvers; also used for any variable-based fastcgi_pass/proxy_pass target, so a local validating resolver is preferable where one is available
74 | resolver_timeout 10;
75 |
76 | ##
77 | # GeoIP module configuration, before removing comments
78 | # read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
79 | ##
80 | #geoip_country /usr/share/GeoIP/GeoIP.dat;
81 | #geoip_city /usr/share/GeoIP/GeoIPCity.dat;
82 |
83 | ##
84 | # SSL Settings (TLS 1.2-only variant of nginx.conf)
85 | ##
86 | ssl_protocols TLSv1.2;
87 | ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
88 | ssl_prefer_server_ciphers on;
89 | ssl_session_cache shared:SSL:50m;
90 | ssl_session_timeout 1d;
91 | ssl_session_tickets off;
92 | ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
93 |
94 | # Common security headers
95 | more_set_headers "X-Frame-Options : SAMEORIGIN";
96 | more_set_headers "X-Xss-Protection : 1; mode=block"; # NOTE(review): legacy header — current browsers ignore it and the present recommendation is "0" or omitting it; harmless to keep, but not a control to rely on
97 | more_set_headers "X-Content-Type-Options : nosniff";
98 | more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
99 | more_set_headers "X-Download-Options : noopen";
100 |
101 | ##
102 | # Basic Settings
103 | ##
104 | # server_names_hash_bucket_size 64;
105 | # server_name_in_redirect off;
106 |
107 | include /etc/nginx/mime.types;
108 | default_type application/octet-stream;
109 |
110 | ##
111 | # Logging Settings
112 | # access_log disabled for performance
113 | ##
114 |
115 | access_log off;
116 | error_log /var/log/nginx/error.log;
117 |
118 | # Log format Settings - visitor IP hashed by the ipscrub module
119 | log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
120 | '$http_host "$request" $status $body_bytes_sent '
121 | '"$http_referer" "$http_user_agent" $server_protocol';
122 |
123 | # ipscrub settings
124 | ipscrub_period_seconds 3600;
125 |
126 | ##
127 | # Gzip Settings
128 | ##
129 | # mitigation of CRIME/BREACH attacks
130 | gzip off;
131 |
132 |
133 | ##
134 | # Brotli Settings
135 | ##
136 |
137 | brotli on; # NOTE(review): BREACH targets any response-body compression, not gzip specifically, so Brotli on dynamic responses reopens what "gzip off" above closes
138 | brotli_static on;
139 | brotli_buffers 16 8k;
140 | brotli_comp_level 4;
141 | brotli_types *; # NOTE(review): consider limiting this to static asset types (or relying on brotli_static alone) so HTML that carries tokens is not compressed
142 |
143 |
144 | ##
145 | # Virtual Host Configs
146 | ##
147 | include /etc/nginx/conf.d/*.conf;
148 | include /etc/nginx/sites-enabled/*;
149 | }
150 |
151 |
152 | #mail {
153 | # # See sample authentication script at:
154 | # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
155 | #
156 | # # auth_http localhost/auth.php;
157 | # # pop3_capabilities "TOP" "USER";
158 | # # imap_capabilities "IMAP4rev1" "UIDPLUS";
159 | #
160 | # server {
161 | # listen localhost:110;
162 | # protocol pop3;
163 | # proxy on;
164 | # }
165 | #
166 | # server {
167 | # listen localhost:143;
168 | # protocol imap;
169 | # proxy on;
170 | # }
171 | #}
--------------------------------------------------------------------------------
/etc/nginx/nginx.conf:
--------------------------------------------------------------------------------
1 | user www-data;
2 | worker_processes auto;
3 | worker_cpu_affinity auto;
4 | worker_rlimit_nofile 100000;
5 | pid /run/nginx.pid;
6 |
7 | pcre_jit on;
8 |
9 | events {
10 | multi_accept on;
11 | worker_connections 50000;
12 | accept_mutex on;
13 | use epoll;
14 | }
15 |
16 | http
17 | {
18 | ##
19 | # EasyEngine Settings
20 | ##
21 |
22 | sendfile on;
23 | sendfile_max_chunk 512k;
24 |
25 | tcp_nopush on;
26 | tcp_nodelay on;
27 |
28 | keepalive_timeout 8;
29 | keepalive_requests 500;
30 | keepalive_disable msie6;
31 |
32 | lingering_time 20s;
33 | lingering_timeout 5s;
34 |
35 | server_tokens off;
36 | reset_timedout_connection on;
37 | add_header X-Powered-By "WordOps v3.9.4 - Optimized by VirtuBox"; # NOTE(review): advertises the stack and its version on every response, undoing what "server_tokens off" above hides; consider dropping the header or at least the version
38 | add_header rt-Fastcgi-Cache $upstream_cache_status;
39 |
40 | # Limit Request
41 | limit_req_status 403;
42 | limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s; # NOTE(review): common/wpcommon-php72.conf and wpcommon-php73.conf also reference "zone=two", which is declared neither here nor in the conf.d files of this tree; nginx rejects the configuration with an unknown zone unless it is declared elsewhere
43 |
44 | ##
45 | # Simple DOS mitigation
46 | ##
47 |
48 | # Max c/s by ip
49 | #limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
50 | #limit_conn limit_per_ip 80;
51 |
52 | # Max rq/s by ip
53 | #limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
54 | #limit_req zone=allips burst=400 nodelay;
55 |
56 | # Proxy Settings
57 | # set_real_ip_from proxy-server-ip;
58 | # real_ip_header X-Forwarded-For;
59 |
60 | fastcgi_read_timeout 120s;
61 | client_max_body_size 100m;
62 |
63 | # See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
64 | aio threads;
65 |
66 | # tls dynamic records patch directive
67 | ssl_dyn_rec_enable on;
68 | ssl_dyn_rec_size_hi 4229;
69 | ssl_dyn_rec_size_lo 1369;
70 | ssl_dyn_rec_threshold 40;
71 | ssl_dyn_rec_timeout 1000;
72 |
73 | # nginx-vts-status module
74 | vhost_traffic_status_zone;
75 |
76 | # OCSP settings
77 | resolver 8.8.8.8 1.1.1.1 valid=300s; # NOTE(review): plaintext DNS to third-party resolvers; also used for any variable-based fastcgi_pass/proxy_pass target, so a local validating resolver is preferable where one is available
78 | resolver_timeout 10;
79 |
80 | ##
81 | # GeoIP module configuration, before removing comments
82 | # read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
83 | ##
84 | #geoip_country /usr/share/GeoIP/GeoIP.dat;
85 | #geoip_city /usr/share/GeoIP/GeoIPCity.dat;
86 |
87 | ##
88 | # SSL Settings
89 | ##
90 |
91 | # SSL Early Data (0-RTT) kept off: early data is replayable, so it is only safe for idempotent requests
92 | ssl_early_data off;
93 |
94 | ssl_protocols TLSv1.2 TLSv1.3;
95 | ssl_ciphers 'TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
96 | ssl_prefer_server_ciphers on;
97 | ssl_session_cache shared:SSL:50m;
98 | ssl_session_timeout 1d;
99 | ssl_session_tickets off;
100 | ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
101 |
102 | # Common security headers
103 | more_set_headers "X-Frame-Options : SAMEORIGIN";
104 | more_set_headers "X-Xss-Protection : 1; mode=block"; # NOTE(review): legacy header — current browsers ignore it and the present recommendation is "0" or omitting it; harmless to keep, but not a control to rely on
105 | more_set_headers "X-Content-Type-Options : nosniff";
106 | more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
107 | more_set_headers "X-Download-Options : noopen";
108 |
109 | ##
110 | # Basic Settings
111 | ##
112 | # server_names_hash_bucket_size 64;
113 | # server_name_in_redirect off;
114 |
115 | include /etc/nginx/mime.types;
116 | default_type application/octet-stream;
117 |
118 | ##
119 | # Logging Settings
120 | ##
121 |
122 | # disable access_log for performance
123 | access_log off;
124 | error_log /var/log/nginx/error.log;
125 |
126 | # Log format Settings - user IP hashed with the module ipscrub
127 | log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
128 | '$http_host "$request" $status $body_bytes_sent '
129 | '"$http_referer" "$http_user_agent" $server_protocol';
130 |
131 | # ipscrub settings
132 | ipscrub_period_seconds 3600;
133 |
134 | ##
135 | # Gzip Settings
136 | ##
137 | # mitigation of CRIME/BREACH attacks
138 | gzip off;
139 |
140 | ##
141 | # Brotli Settings
142 | ##
143 |
144 | brotli on; # NOTE(review): BREACH targets any response-body compression, not gzip specifically, so Brotli on dynamic responses reopens what "gzip off" above closes
145 | brotli_static on;
146 | brotli_buffers 16 8k;
147 | brotli_comp_level 4;
148 | brotli_types *; # NOTE(review): consider limiting this to static asset types (or relying on brotli_static alone) so HTML that carries tokens is not compressed
149 |
150 |
151 | ##
152 | # Virtual Host Configs
153 | ##
154 | include /etc/nginx/conf.d/*.conf;
155 | include /etc/nginx/sites-enabled/*;
156 | }
157 |
158 |
159 | #mail {
160 | # # See sample authentication script at:
161 | # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
162 | #
163 | # # auth_http localhost/auth.php;
164 | # # pop3_capabilities "TOP" "USER";
165 | # # imap_capabilities "IMAP4rev1" "UIDPLUS";
166 | #
167 | # server {
168 | # listen localhost:110;
169 | # protocol pop3;
170 | # proxy on;
171 | # }
172 | #
173 | # server {
174 | # listen localhost:143;
175 | # protocol imap;
176 | # proxy on;
177 | # }
178 | #}
179 |
--------------------------------------------------------------------------------
/etc/nginx/proxy_params:
--------------------------------------------------------------------------------
1 | proxy_set_header Host $http_host;
2 | proxy_set_header X-Real-IP $remote_addr;
3 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
4 | proxy_set_header X-Forwarded-Proto $scheme;
5 |
6 | proxy_buffering on;
7 | proxy_buffer_size 128k;
8 | proxy_buffers 256 16k;
9 | proxy_busy_buffers_size 256k;
10 | proxy_temp_file_write_size 256k;
11 | proxy_max_temp_file_size 0;
12 | proxy_read_timeout 3000;
13 | proxy_send_timeout 3000;
14 |
--------------------------------------------------------------------------------
/etc/nginx/sites-available/22222:
--------------------------------------------------------------------------------
1 | # EasyEngine admin NGINX CONFIGURATION
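2 | server { # WordOps/EasyEngine admin vhost: every location below is behind the HTTP auth included from common/acl.conf
3 |
4 | listen 22222 default_server ssl http2;
5 |
6 | access_log off;
7 | error_log /var/log/nginx/22222.error.log;
8 |
9 | ssl_certificate /var/www/22222/cert/22222.crt;
10 | ssl_certificate_key /var/www/22222/cert/22222.key;
11 |
12 | # Force HTTP to HTTPS
13 | error_page 497 =200 https://$host:22222$request_uri; # NOTE(review): no server_name is set, so $host is the client-supplied Host header and the redirect target is client-controlled; prefer a fixed hostname if one is known at deploy time
14 |
15 | root /var/www/22222/htdocs;
16 | index index.php index.htm index.html;
17 |
18 | # Turn on directory listing
19 | autoindex on;
20 | # HTTP Authentication on port 22222
21 | include common/acl.conf;
22 |
23 | location / {
24 | try_files $uri $uri/ /index.php$is_args$args;
25 | }
26 | # nginx-vts-status
27 | location /vts_status {
28 | vhost_traffic_status_display;
29 | vhost_traffic_status_display_format html;
30 | }
31 | # Display menu at location /fpm/status/
32 | location ~ ^/fpm/status/([a-z0-9]+)$ { # anchored and limited to a bare label: the capture becomes the fastcgi_pass target below, so a dotted host or host:port taken from the URI must never get there
33 | try_files $uri =404; # only names that also exist as files under htdocs/fpm/status/ are forwarded — presumably created by the installer; confirm
34 | include fastcgi_params;
35 | fastcgi_param SCRIPT_NAME /status;
36 | fastcgi_pass $1; # variable target: looked up as an upstream group name first, otherwise resolved through the http-level resolver
37 | }
38 | location ~ \.php$ {
39 | try_files $uri =404;
40 | include fastcgi_params;
41 | fastcgi_pass php72;
42 | }
43 | location /netdata {
44 | return 301 /netdata/;
45 | }
46 | location ~ /netdata/(?<ndpath>.*) { # named capture feeds $ndpath in proxy_pass below; the bare "(?.*)" previously here is not valid PCRE and nginx refuses to load it
47 | proxy_redirect off;
48 | proxy_set_header Host $host;
49 | proxy_set_header X-Forwarded-Host $host;
50 | proxy_set_header X-Forwarded-Server $host;
51 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
52 | proxy_set_header Connection "keep-alive";
53 | proxy_http_version 1.1;
54 | proxy_pass_request_headers on;
55 | proxy_store off;
56 | proxy_pass http://netdata/$ndpath$is_args$args; # "netdata" upstream is defined outside this file
57 | gzip on; # NOTE(review): re-enables compression for this proxied path although the http block turns gzip off for BREACH; acceptable for an authenticated dashboard, but note the inconsistency
58 | gzip_proxied any;
59 | gzip_types *;
60 | }
61 | }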
62 |
--------------------------------------------------------------------------------
/etc/nginx/sites-available/default:
--------------------------------------------------------------------------------
1 | ##
2 | # You should look at the following URLs to gain a solid understanding
3 | # of Nginx configuration files and fully unleash the power of Nginx.
4 | # https://www.nginx.com/resources/wiki/start/
5 | # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
6 | # https://wiki.debian.org/Nginx/DirectoryStructure
7 | #
8 | # In most cases, administrators will remove this file from sites-enabled/ and
9 | # leave it as reference inside of sites-available where it will continue to be
10 | # updated by the nginx packaging team.
11 | #
12 | # This file will automatically load configuration files provided by other
13 | # applications, such as Drupal or Wordpress. These applications will be made
14 | # available underneath a path with that package name, such as /drupal8.
15 | #
16 | # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
17 | ##
18 |
19 | # Default server configuration
20 | #
21 | server {
22 | listen 80 default_server;
23 | listen [::]:80 default_server;
24 |
25 | # SSL configuration
26 | #
27 | # listen 443 ssl default_server;
28 | # listen [::]:443 ssl default_server;
29 | #
30 | # Note: You should disable gzip for SSL traffic.
31 | # See: https://bugs.debian.org/773332
32 | #
33 | # Read up on ssl_ciphers to ensure a secure configuration.
34 | # See: https://bugs.debian.org/765782
35 | #
36 | # Self signed certs generated by the ssl-cert package
37 | # Don't use them in a production server!
38 | #
39 | # include snippets/snakeoil.conf;
40 |
41 | root /var/www/html;
42 |
43 | # Add index.php to the list if you are using PHP
44 | index index.html index.htm index.nginx-debian.html;
45 |
46 | server_name _;
47 |
48 | location / {
49 | # First attempt to serve request as file, then
50 | # as directory, then fall back to displaying a 404.
51 | try_files $uri $uri/ =404;
52 | }
53 |
54 | # pass PHP scripts to FastCGI server
55 | #
56 | #location ~ \.php$ {
57 | # include snippets/fastcgi-php.conf;
58 | #
59 | # # With php-fpm (or other unix sockets):
60 | # fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
61 | # # With php-cgi (or other tcp sockets):
62 | # fastcgi_pass 127.0.0.1:9000;
63 | #}
64 |
65 | # deny access to .htaccess files, if Apache's document root
66 | # concurs with nginx's one
67 | #
68 | #location ~ /\.ht {
69 | # deny all;
70 | #}
71 | }
72 |
73 |
74 | # Virtual Host configuration for example.com
75 | #
76 | # You can move that to a different file under sites-available/ and symlink that
77 | # to sites-enabled/ to enable it.
78 | #
79 | #server {
80 | # listen 80;
81 | # listen [::]:80;
82 | #
83 | # server_name example.com;
84 | #
85 | # root /var/www/example.com;
86 | # index index.html;
87 | #
88 | # location / {
89 | # try_files $uri $uri/ =404;
90 | # }
91 | #}
92 |
--------------------------------------------------------------------------------
/etc/ntp.conf:
--------------------------------------------------------------------------------
1 | # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
2 |
3 | driftfile /var/lib/ntp/ntp.drift
4 |
5 | # Enable this if you want statistics to be logged.
6 | #statsdir /var/log/ntpstats/
7 |
8 | statistics loopstats peerstats clockstats
9 | filegen loopstats file loopstats type day enable
10 | filegen peerstats file peerstats type day enable
11 | filegen clockstats file clockstats type day enable
12 |
13 | # Specify one or more NTP servers.
14 |
15 | # Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
16 | # on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
17 | # more information.
18 | #pool 0.ubuntu.pool.ntp.org iburst
19 | #pool 1.ubuntu.pool.ntp.org iburst
20 | #pool 2.ubuntu.pool.ntp.org iburst
21 | #pool 3.ubuntu.pool.ntp.org iburst
22 |
23 | server 0.fr.pool.ntp.org
24 | server 1.fr.pool.ntp.org
25 | server 2.fr.pool.ntp.org
26 | server 3.fr.pool.ntp.org
27 |
28 |
29 | # Use Ubuntu's ntp server as a fallback.
30 | #pool ntp.ubuntu.com
31 |
32 | # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
33 | # details. The upstream ntp.org documentation on access restrictions
34 | # might also be helpful.
35 | #
36 | # Note that "restrict" applies to both servers and clients, so a configuration
37 | # that might be intended to block requests from certain clients could also end
38 | # up blocking replies from your own upstream servers.
39 |
40 | # By default, exchange time with everybody, but don't allow configuration (nomodify) or status queries (noquery, so this host cannot be used as a reflection/amplification source); kod and limited rate-limit abusive clients.
41 | restrict -4 default kod notrap nomodify nopeer noquery limited
42 | restrict -6 default kod notrap nomodify nopeer noquery limited
43 |
44 | # Local users may interrogate the ntp server more closely.
45 | restrict 127.0.0.1
46 | restrict ::1
47 |
48 | # Needed for adding pool entries
49 | restrict source notrap nomodify noquery
50 |
51 | # Clients from this (example!) subnet have unlimited access, but only if
52 | # cryptographically authenticated.
53 | #restrict 192.168.123.0 mask 255.255.255.0 notrust
54 |
55 |
56 | # If you want to provide time to your local subnet, change the next line.
57 | # (Again, the address is an example only.)
58 | #broadcast 192.168.123.255
59 |
60 | # If you want to listen to time broadcasts on your local subnet, uncomment the
61 | # next lines. Do this only if you trust everybody on the network: with "disable auth", unauthenticated broadcasts from any host on the subnet are accepted as a time source.
62 | #disable auth
63 | #broadcastclient
64 |
65 | #Changes required to use PPS synchronisation as explained in the documentation:
66 | #http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918
67 |
68 | #server 127.127.8.1 mode 135 prefer # Meinberg GPS167 with PPS
69 | #fudge 127.127.8.1 time1 0.0042 # relative to PPS for my hardware
70 |
71 | #server 127.127.22.1 # ATOM(PPS)
72 | #fudge 127.127.22.1 flag3 1 # enable PPS API
73 |
--------------------------------------------------------------------------------
/etc/php/7.0/cli/php.ini:
--------------------------------------------------------------------------------
1 | [PHP]
2 | engine = On
3 | short_open_tag = Off
4 | precision = 14
5 | output_buffering = 8096
6 | zlib.output_compression = Off
7 | implicit_flush = Off
8 | unserialize_callback_func =
9 | serialize_precision = 17
10 | disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
11 | disable_classes =
12 | zend.enable_gc = On
13 | expose_php = Off
14 | max_execution_time = 1800
15 | max_input_time = 1800
16 | max_input_vars = 20000
17 | memory_limit = -1
18 | error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
19 | display_errors = Off
20 | display_startup_errors = Off
21 | log_errors = On
22 | log_errors_max_len = 1024
23 | ignore_repeated_errors = Off
24 | ignore_repeated_source = Off
25 | report_memleaks = On
26 | track_errors = Off
27 | html_errors = On
28 | variables_order = "GPCS"
29 | request_order = "GP"
30 | register_argc_argv = Off
31 | auto_globals_jit = On
32 | post_max_size = 128M
33 | auto_prepend_file =
34 | auto_append_file =
35 | default_mimetype = "text/html"
36 | default_charset = "UTF-8"
37 | doc_root =
38 | user_dir =
39 | enable_dl = Off
40 | file_uploads = On
41 | upload_max_filesize = 128M
42 | max_file_uploads = 20
43 | allow_url_fopen = On
44 | allow_url_include = Off
45 | default_socket_timeout = 60
46 |
47 | [CLI Server]
48 | cli_server.color = On
49 |
50 | [Date]
51 | date.timezone = Europe/Paris
52 |
53 | [filter]
54 |
55 | [iconv]
56 |
57 | [intl]
58 |
59 | [sqlite3]
60 |
61 | [Pcre]
62 |
63 | [Pdo]
64 |
65 | [Pdo_mysql]
66 | pdo_mysql.cache_size = 2000
67 | pdo_mysql.default_socket =
68 |
69 | [Phar]
70 |
71 | [mail function]
72 | smtp = localhost
73 | smtp_port = 25
74 | mail.add_x_header = On
75 |
76 | [SQL]
77 | sql.safe_mode = Off
78 |
79 | [ODBC]
80 | odbc.allow_persistent = On
81 | odbc.check_persistent = On
82 | odbc.max_persistent = -1
83 | odbc.max_links = -1
84 | odbc.defaultlrl = 4096
85 | odbc.defaultbinmode = 1
86 |
87 | [Interbase]
88 | ibase.allow_persistent = 1
89 | ibase.max_persistent = -1
90 | ibase.max_links = -1
91 | ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
92 | ibase.dateformat = "%Y-%m-%d"
93 | ibase.timeformat = "%H:%M:%S"
94 |
95 | [MySQLi]
96 | mysqli.max_persistent = -1
97 | mysqli.allow_persistent = On
98 | mysqli.max_links = -1
99 | mysqli.cache_size = 2000
100 | mysqli.default_port = 3306
101 | mysqli.default_socket =
102 | mysqli.default_host =
103 | mysqli.default_user =
104 | mysqli.default_pw =
105 | mysqli.reconnect = Off
106 |
107 | [mysqlnd]
108 | mysqlnd.collect_statistics = On
109 | mysqlnd.collect_memory_statistics = Off
110 |
111 | [OCI8]
112 |
113 | [OCI8]
114 |
115 | [PostgreSQL]
116 | pgsql.allow_persistent = On
117 | pgsql.auto_reset_persistent = Off
118 | pgsql.max_persistent = -1
119 | pgsql.max_links = -1
120 | pgsql.ignore_notice = 0
121 | pgsql.log_notice = 0
122 |
123 | [bcmath]
124 | bcmath.scale = 0
125 |
126 | [browscap]
127 |
128 | [Session]
129 | session.save_handler = files
130 | session.use_strict_mode = 0
131 | session.use_cookies = 1
132 | session.use_only_cookies = 1
133 | session.name = PHPSESSID
134 | session.auto_start = 0
135 | session.cookie_lifetime = 0
136 | session.cookie_path = /
137 | session.cookie_domain =
138 | session.cookie_httponly =
139 | session.serialize_handler = php
140 | session.gc_probability = 0
141 | session.gc_divisor = 1000
142 | session.gc_maxlifetime = 1440
143 | session.referer_check =
144 | session.cache_limiter = nocache
145 | session.cache_expire = 180
146 | session.use_trans_sid = 0
147 |
148 | url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
149 |
150 | [Assertion]
151 | zend.assertions = -1
152 |
153 | [COM]
154 |
155 | [mbstring]
156 |
157 | [gd]
158 |
159 | [exif]
160 |
161 | [Tidy]
162 | tidy.clean_output = Off
163 |
164 | [soap]
165 | soap.wsdl_cache_enabled = 1
166 | soap.wsdl_cache_dir = "/tmp"
167 | soap.wsdl_cache_ttl = 86400
168 | soap.wsdl_cache_limit = 5
169 |
170 | [sysvshm]
171 |
172 | [ldap]
173 | ldap.max_links = -1
174 |
175 | [mcrypt]
176 |
177 | [dba]
178 |
179 | [opcache]
180 | opcache.enable=1
181 | opcache.enable_cli=1
182 | opcache.interned_strings_buffer=8
183 | opcache.max_accelerated_files=10000
184 | opcache.memory_consumption=256
185 | opcache.save_comments=1
186 | opcache.revalidate_freq=1
187 |
188 |
189 | [curl]
190 |
191 | [openssl]
192 |
--------------------------------------------------------------------------------
/etc/php/7.0/fpm/php.ini:
--------------------------------------------------------------------------------
1 | [PHP]
2 | engine = On
3 | short_open_tag = Off
4 | precision = 14
5 | output_buffering = 8096
6 | zlib.output_compression = Off
7 | implicit_flush = Off
8 | unserialize_callback_func =
9 | serialize_precision = 17
10 | disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
11 | disable_classes =
12 | zend.enable_gc = On
13 | expose_php = Off
14 | max_execution_time = 300
15 | max_input_time = 600
16 | max_input_vars = 10000
17 | memory_limit = 256M
18 | error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
19 | display_errors = Off
20 | display_startup_errors = Off
21 | log_errors = On
22 | log_errors_max_len = 1024
23 | ignore_repeated_errors = Off
24 | ignore_repeated_source = Off
25 | report_memleaks = On
26 | track_errors = Off
27 | html_errors = On
28 | variables_order = "GPCS"
29 | request_order = "GP"
30 | register_argc_argv = Off
31 | auto_globals_jit = On
32 | post_max_size = 128M
33 | auto_prepend_file =
34 | auto_append_file =
35 | default_mimetype = "text/html"
36 | default_charset = "UTF-8"
37 | doc_root =
38 | user_dir =
39 | enable_dl = Off
40 | file_uploads = On
41 | upload_max_filesize = 128M
42 | max_file_uploads = 20
43 | allow_url_fopen = On
44 | allow_url_include = Off
45 | default_socket_timeout = 60
46 |
47 | [CLI Server]
48 | cli_server.color = On
49 |
50 | [Date]
51 | date.timezone = Europe/Paris
52 |
53 | [filter]
54 |
55 | [iconv]
56 |
57 | [intl]
58 |
59 | [sqlite3]
60 |
61 | [Pcre]
62 |
63 | [Pdo]
64 |
65 | [Pdo_mysql]
66 | pdo_mysql.cache_size = 2000
67 | pdo_mysql.default_socket =
68 |
69 | [Phar]
70 |
71 | [mail function]
72 | smtp = localhost
73 | smtp_port = 25
74 | mail.add_x_header = On
75 |
76 | [SQL]
77 | sql.safe_mode = Off
78 |
79 | [ODBC]
80 | odbc.allow_persistent = On
81 | odbc.check_persistent = On
82 | odbc.max_persistent = -1
83 | odbc.max_links = -1
84 | odbc.defaultlrl = 4096
85 | odbc.defaultbinmode = 1
86 |
87 | [Interbase]
88 | ibase.allow_persistent = 1
89 | ibase.max_persistent = -1
90 | ibase.max_links = -1
91 | ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
92 | ibase.dateformat = "%Y-%m-%d"
93 | ibase.timeformat = "%H:%M:%S"
94 |
95 | [MySQLi]
96 | mysqli.max_persistent = -1
97 | mysqli.allow_persistent = On
98 | mysqli.max_links = -1
99 | mysqli.cache_size = 2000
100 | mysqli.default_port = 3306
101 | mysqli.default_socket =
102 | mysqli.default_host =
103 | mysqli.default_user =
104 | mysqli.default_pw =
105 | mysqli.reconnect = Off
106 |
107 | [mysqlnd]
108 | mysqlnd.collect_statistics = On
109 | mysqlnd.collect_memory_statistics = Off
110 |
111 | [OCI8]
112 |
113 | [OCI8]
114 |
115 | [PostgreSQL]
116 | pgsql.allow_persistent = On
117 | pgsql.auto_reset_persistent = Off
118 | pgsql.max_persistent = -1
119 | pgsql.max_links = -1
120 | pgsql.ignore_notice = 0
121 | pgsql.log_notice = 0
122 |
123 | [bcmath]
124 | bcmath.scale = 0
125 |
126 | [browscap]
127 |
128 | [Session]
129 | session.save_handler = files
130 | session.use_strict_mode = 0
131 | session.use_cookies = 1
132 | session.use_only_cookies = 1
133 | session.name = PHPSESSID
134 | session.auto_start = 0
135 | session.cookie_lifetime = 0
136 | session.cookie_path = /
137 | session.cookie_domain =
138 | session.cookie_httponly =
139 | session.serialize_handler = php
140 | session.gc_probability = 0
141 | session.gc_divisor = 1000
142 | session.gc_maxlifetime = 1440
143 | session.referer_check =
144 | session.cache_limiter = nocache
145 | session.cache_expire = 180
146 | session.use_trans_sid = 0
147 |
148 | url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
149 |
150 | [Assertion]
151 | zend.assertions = -1
152 |
153 | [COM]
154 |
155 | [mbstring]
156 |
157 | [gd]
158 |
159 | [exif]
160 |
161 | [Tidy]
162 | tidy.clean_output = Off
163 |
164 | [soap]
165 | soap.wsdl_cache_enabled = 1
166 | soap.wsdl_cache_dir = "/tmp"
167 | soap.wsdl_cache_ttl = 86400
168 | soap.wsdl_cache_limit = 5
169 |
170 | [sysvshm]
171 |
172 | [ldap]
173 | ldap.max_links = -1
174 |
175 | [mcrypt]
176 |
177 | [dba]
178 |
179 | [opcache]
180 | opcache.enable=1
181 | opcache.enable_cli=1
182 | opcache.interned_strings_buffer=8
183 | opcache.max_accelerated_files=10000
184 | opcache.memory_consumption=256
185 | opcache.save_comments=1
186 | opcache.revalidate_freq=60
187 | opcache.validate_timestamps=1
188 | opcache.consistency_checks=0
189 |
190 |
191 | [curl]
192 |
193 | [openssl]
194 |
--------------------------------------------------------------------------------
/etc/php/7.0/fpm/pool.d/www-sock.conf:
--------------------------------------------------------------------------------
1 | [php70-fpm-sock]
2 | user = www-data
3 | group = www-data
4 | prefix = /var/run/php
5 |
6 | listen = php70-fpm.sock
7 | listen.owner = www-data
8 | listen.group = www-data
9 | listen.mode = 0660
10 | listen.backlog = 32768
11 |
12 | chdir = /
13 | catch_workers_output = yes
14 |
15 | pm = ondemand
16 | pm.max_children = 50
17 | pm.start_servers = 20
18 | pm.min_spare_servers = 10
19 | pm.max_spare_servers = 30
20 | ping.path = /ping
21 | pm.status_path = /status
22 | pm.max_requests = 500
23 | request_terminate_timeout = 300
24 |
--------------------------------------------------------------------------------
/etc/php/7.0/fpm/pool.d/www-two-sock.conf:
--------------------------------------------------------------------------------
1 | [php70-fpm-two-sock]
2 | user = www-data
3 | group = www-data
4 | prefix = /var/run/php
5 |
6 | listen = php70-two-fpm.sock
7 | listen.owner = www-data
8 | listen.group = www-data
9 | listen.mode = 0660
10 | listen.backlog = 32768
11 |
12 | chdir = /
13 | catch_workers_output = yes
14 |
15 | pm = ondemand
16 | pm.max_children = 50
17 | pm.start_servers = 20
18 | pm.min_spare_servers = 10
19 | pm.max_spare_servers = 30
20 | ping.path = /ping
21 | pm.status_path = /status
22 | pm.max_requests = 500
23 | request_terminate_timeout = 300
24 |
--------------------------------------------------------------------------------
/etc/php/7.1/fpm/php.ini:
--------------------------------------------------------------------------------
1 | [PHP]
2 |
3 | engine = On
4 | short_open_tag = Off
5 | precision = 14
6 | output_buffering = 4096
7 | zlib.output_compression = Off
8 | implicit_flush = Off
9 | unserialize_callback_func =
10 | serialize_precision = -1
11 | disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
12 | disable_classes =
13 | zend.enable_gc = On
14 | expose_php = Off
15 | max_execution_time = 300
16 | max_input_time = 600
17 | max_input_vars = 10000
18 | memory_limit = 256M
19 | error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
20 | display_errors = Off
21 | display_startup_errors = Off
22 | log_errors = On
23 | log_errors_max_len = 1024
24 | ignore_repeated_errors = Off
25 | ignore_repeated_source = Off
26 | report_memleaks = On
27 | track_errors = Off
28 | html_errors = On
29 | variables_order = "GPCS"
30 | request_order = "GP"
31 | register_argc_argv = Off
32 | auto_globals_jit = On
33 | post_max_size = 128M
34 | auto_prepend_file =
35 | auto_append_file =
36 | default_mimetype = "text/html"
37 | default_charset = "UTF-8"
38 | doc_root =
39 | user_dir =
40 | enable_dl = Off
41 | file_uploads = On
42 | upload_max_filesize = 128M
43 | max_file_uploads = 20
44 | allow_url_fopen = On
45 | allow_url_include = Off
46 | default_socket_timeout = 60
47 |
48 | [CLI Server]
49 | cli_server.color = On
50 |
51 | [Date]
52 | date.timezone = Europe/Paris
53 |
54 | [filter]
55 |
56 | [iconv]
57 |
58 | [intl]
59 |
60 | [sqlite3]
61 |
62 | [Pcre]
63 |
64 | [Pdo]
65 |
66 | [Pdo_mysql]
67 |
68 | pdo_mysql.cache_size = 2000
69 |
70 | pdo_mysql.default_socket=
71 |
72 | [Phar]
73 |
74 | [mail function]
75 |
76 | SMTP = localhost
77 | smtp_port = 25
78 | mail.add_x_header = On
79 |
80 | [SQL]
81 |
82 | sql.safe_mode = Off
83 |
84 | [ODBC]
85 |
86 | odbc.allow_persistent = On
87 | odbc.check_persistent = On
88 | odbc.max_persistent = -1
89 | odbc.max_links = -1
90 | odbc.defaultlrl = 4096
91 | odbc.defaultbinmode = 1
92 |
93 | [Interbase]
94 |
95 | ibase.allow_persistent = 1
96 | ibase.max_persistent = -1
97 | ibase.max_links = -1
98 | ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
99 | ibase.dateformat = "%Y-%m-%d"
100 | ibase.timeformat = "%H:%M:%S"
101 |
102 | [MySQLi]
103 |
104 | mysqli.max_persistent = -1
105 | mysqli.allow_persistent = On
106 | mysqli.max_links = -1
107 | mysqli.cache_size = 2000
108 | mysqli.default_port = 3306
109 | mysqli.default_socket =
110 | mysqli.default_host =
111 | mysqli.default_user =
112 | mysqli.default_pw =
113 | mysqli.reconnect = Off
114 |
115 | [mysqlnd]
116 |
117 | mysqlnd.collect_statistics = On
118 | mysqlnd.collect_memory_statistics = Off
119 |
120 | [OCI8]
121 |
122 | [PostgreSQL]
123 |
124 | pgsql.allow_persistent = On
125 | pgsql.auto_reset_persistent = Off
126 | pgsql.max_persistent = -1
127 | pgsql.max_links = -1
128 | pgsql.ignore_notice = 0
129 | pgsql.log_notice = 0
130 |
131 | [bcmath]
132 |
133 | bcmath.scale = 0
134 |
135 | [browscap]
136 |
137 | [Session]
138 |
139 | session.save_handler = files
140 | session.use_strict_mode = 0
141 | session.use_cookies = 1
142 | session.cookie_secure = 1
143 | session.use_only_cookies = 1
144 | session.name = PHPSESSID
145 | session.auto_start = 0
146 | session.cookie_lifetime = 0
147 | session.cookie_path = /
148 | session.cookie_domain =
149 | session.cookie_httponly = 1
150 | session.serialize_handler = php
151 | session.gc_probability = 0
152 | session.gc_divisor = 1000
153 | session.gc_maxlifetime = 1440
154 | session.referer_check =
155 | session.cache_limiter = nocache
156 | session.cache_expire = 180
157 | session.use_trans_sid = 0
158 | session.sid_length = 26
159 | session.trans_sid_tags = "a=href,area=href,frame=src,form="
160 | session.sid_bits_per_character = 5
161 |
162 | [Assertion]
163 |
164 | zend.assertions = -1
165 |
166 | [COM]
167 |
168 | [mbstring]
169 |
170 | [gd]
171 |
172 | [exif]
173 |
174 | [Tidy]
175 |
176 | tidy.clean_output = Off
177 |
178 | [soap]
179 |
180 | soap.wsdl_cache_enabled=1
181 | soap.wsdl_cache_dir="/tmp"
182 | soap.wsdl_cache_ttl=86400
183 | soap.wsdl_cache_limit = 5
184 |
185 | [sysvshm]
186 |
187 | [ldap]
188 |
189 | ldap.max_links = -1
190 |
191 | [mcrypt]
192 |
193 | [dba]
194 |
195 | [opcache]
196 | opcache.enable=1
197 | opcache.enable_cli=1
198 | opcache.interned_strings_buffer=8
199 | opcache.max_accelerated_files=10000
200 | opcache.memory_consumption=256
201 | opcache.save_comments=1
202 | opcache.revalidate_freq=60
203 | opcache.validate_timestamps=1
204 | opcache.consistency_checks=0
205 |
206 | [curl]
207 |
208 | [openssl]
209 |
--------------------------------------------------------------------------------
/etc/php/7.1/fpm/pool.d/www-sock.conf:
--------------------------------------------------------------------------------
1 | [php71-fpm-sock]
2 | user = www-data
3 | group = www-data
4 | prefix = /var/run/php
5 |
6 | listen = php71-fpm.sock
7 | listen.owner = www-data
8 | listen.group = www-data
9 | listen.mode = 0660
10 | listen.backlog = 32768
11 |
12 | chdir = /
13 | catch_workers_output = yes
14 |
15 | pm = ondemand
16 | pm.max_children = 50
17 | pm.start_servers = 20
18 | pm.min_spare_servers = 10
19 | pm.max_spare_servers = 25
20 | ping.path = /ping
21 | pm.status_path = /status
22 | pm.max_requests = 500
23 | request_terminate_timeout = 300
24 |
--------------------------------------------------------------------------------
/etc/php/7.1/fpm/pool.d/www-two-sock.conf:
--------------------------------------------------------------------------------
1 | [php71-fpm-two-sock]
2 | user = www-data
3 | group = www-data
4 | prefix = /var/run/php
5 |
6 | listen = php71-two-fpm.sock
7 | listen.owner = www-data
8 | listen.group = www-data
9 | listen.mode = 0660
10 | listen.backlog = 32768
11 |
12 | chdir = /
13 | catch_workers_output = yes
14 |
15 | pm = ondemand
16 | pm.max_children = 50
17 | pm.start_servers = 20
18 | pm.min_spare_servers = 10
19 | pm.max_spare_servers = 25
20 | ping.path = /ping
21 | pm.status_path = /status
22 | pm.max_requests = 500
23 | request_terminate_timeout = 300
24 |
--------------------------------------------------------------------------------
/etc/php/7.2/cli/php.ini:
--------------------------------------------------------------------------------
1 | [PHP]
2 | engine = On
3 | short_open_tag = Off
4 | precision = 14
5 | output_buffering = 4096
6 | zlib.output_compression = Off
7 | implicit_flush = Off
8 | unserialize_callback_func =
9 | serialize_precision = -1
10 | disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
11 | disable_classes =
12 | zend.enable_gc = On
13 | expose_php = Off
14 | max_execution_time = -1
15 | max_input_vars = 20000
16 | max_input_time = 1800
17 | memory_limit = -1
18 | error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
19 | display_errors = Off
20 | display_startup_errors = Off
21 | log_errors = On
22 | log_errors_max_len = 1024
23 | ignore_repeated_errors = Off
24 | ignore_repeated_source = Off
25 | report_memleaks = On
26 | html_errors = On
27 | variables_order = "GPCS"
28 | request_order = "GP"
29 | register_argc_argv = Off
30 | auto_globals_jit = On
31 | post_max_size = 128M
32 | auto_prepend_file =
33 | auto_append_file =
34 | default_mimetype = "text/html"
35 | default_charset = "UTF-8"
36 | doc_root =
37 | user_dir =
38 | enable_dl = Off
39 | file_uploads = On
40 | upload_max_filesize = 128M
41 | max_file_uploads = 20
42 | allow_url_fopen = On
43 | allow_url_include = Off
44 | default_socket_timeout = 60
45 |
46 | [CLI Server]
47 | cli_server.color = On
48 |
49 | [Date]
50 | date.timezone = Europe/Paris
51 |
52 | [filter]
53 |
54 | [iconv]
55 |
56 | [intl]
57 |
58 | [sqlite3]
59 |
60 | [Pcre]
61 |
62 | [Pdo]
63 |
64 | [Pdo_mysql]
65 | pdo_mysql.cache_size = 2000
66 | pdo_mysql.default_socket=
67 |
68 | [Phar]
69 |
70 | [mail function]
71 | SMTP = localhost
72 | smtp_port = 25
73 | mail.add_x_header = On
74 |
75 | [ODBC]
76 | odbc.allow_persistent = On
77 | odbc.check_persistent = On
78 | odbc.max_persistent = -1
79 | odbc.max_links = -1
80 | odbc.defaultlrl = 4096
81 | odbc.defaultbinmode = 1
82 |
83 | [Interbase]
84 | ibase.allow_persistent = 1
85 | ibase.max_persistent = -1
86 | ibase.max_links = -1
87 | ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
88 | ibase.dateformat = "%Y-%m-%d"
89 | ibase.timeformat = "%H:%M:%S"
90 |
91 | [MySQLi]
92 | mysqli.max_persistent = -1
93 | mysqli.allow_persistent = On
94 | mysqli.max_links = -1
95 | mysqli.cache_size = 2000
96 | mysqli.default_port = 3306
97 | mysqli.default_socket =
98 | mysqli.default_host =
99 | mysqli.default_user =
100 | mysqli.default_pw =
101 | mysqli.reconnect = Off
102 |
103 | [mysqlnd]
104 | mysqlnd.collect_statistics = On
105 | mysqlnd.collect_memory_statistics = Off
106 |
107 | [OCI8]
108 |
109 | [PostgreSQL]
110 | pgsql.allow_persistent = On
111 | pgsql.auto_reset_persistent = Off
112 | pgsql.max_persistent = -1
113 | pgsql.max_links = -1
114 | pgsql.ignore_notice = 0
115 | pgsql.log_notice = 0
116 |
117 | [bcmath]
118 | bcmath.scale = 0
119 |
120 | [browscap]
121 |
122 | [Session]
123 | session.save_handler = files
124 | session.use_strict_mode = 0
125 | session.use_cookies = 1
126 | session.cookie_secure = 1
127 | session.use_only_cookies = 1
128 | session.name = PHPSESSID
129 | session.auto_start = 0
130 | session.cookie_lifetime = 0
131 | session.cookie_path = /
132 | session.cookie_domain =
133 | session.cookie_httponly =
134 | session.serialize_handler = php
135 | session.gc_probability = 0
136 | session.gc_divisor = 1000
137 | session.gc_maxlifetime = 1440
138 | session.referer_check =
139 | session.cache_limiter = nocache
140 | session.cache_expire = 180
141 | session.use_trans_sid = 0
142 | session.sid_length = 26
143 | session.trans_sid_tags = "a=href,area=href,frame=src,form="
144 | session.sid_bits_per_character = 5
145 |
146 | [Assertion]
147 | zend.assertions = -1
148 |
149 | [COM]
150 |
151 | [mbstring]
152 |
153 | [gd]
154 |
155 | [exif]
156 |
157 | [Tidy]
158 | tidy.clean_output = Off
159 |
160 | [soap]
161 | soap.wsdl_cache_enabled=1
162 | soap.wsdl_cache_dir="/tmp"
163 | soap.wsdl_cache_ttl=86400
164 | soap.wsdl_cache_limit = 5
165 |
166 | [sysvshm]
167 |
168 | [ldap]
169 | ldap.max_links = -1
170 |
171 | [dba]
172 |
173 | [opcache]
174 | opcache.enable=1
175 | opcache.enable_cli=1
176 | opcache.interned_strings_buffer=8
177 | opcache.max_accelerated_files=10000
178 | opcache.memory_consumption=256
179 | opcache.save_comments=1
180 | opcache.revalidate_freq=60
181 | opcache.validate_timestamps=1
182 | opcache.consistency_checks=0
183 |
184 | [curl]
185 |
186 | [openssl]
187 |
--------------------------------------------------------------------------------
/etc/php/7.2/fpm/php.ini:
--------------------------------------------------------------------------------
1 | [PHP]
2 | engine = On
3 | short_open_tag = Off
4 | precision = 14
5 | output_buffering = 4096
6 | zlib.output_compression = Off
7 | implicit_flush = Off
8 | unserialize_callback_func =
9 | serialize_precision = -1
10 | disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
11 | disable_classes =
12 | zend.enable_gc = On
13 | expose_php = Off
14 | max_execution_time = 300
15 | max_input_vars = 10000
16 | max_input_time = 600
17 | memory_limit = 256M
18 | error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
19 | display_errors = Off
20 | display_startup_errors = Off
21 | log_errors = On
22 | log_errors_max_len = 1024
23 | ignore_repeated_errors = Off
24 | ignore_repeated_source = Off
25 | report_memleaks = On
26 | html_errors = On
27 | variables_order = "GPCS"
28 | request_order = "GP"
29 | register_argc_argv = Off
30 | auto_globals_jit = On
31 | post_max_size = 128M
32 | auto_prepend_file =
33 | auto_append_file =
34 | default_mimetype = "text/html"
35 | default_charset = "UTF-8"
36 | doc_root =
37 | user_dir =
38 | enable_dl = Off
39 | file_uploads = On
40 | upload_max_filesize = 128M
41 | max_file_uploads = 20
42 | allow_url_fopen = On
43 | allow_url_include = Off
44 | default_socket_timeout = 60
45 |
46 | [CLI Server]
47 | cli_server.color = On
48 |
49 | [Date]
50 | date.timezone = Europe/Paris
51 |
52 | [filter]
53 |
54 | [iconv]
55 |
56 | [intl]
57 |
58 | [sqlite3]
59 |
60 | [Pcre]
61 |
62 | [Pdo]
63 |
64 | [Pdo_mysql]
65 | pdo_mysql.cache_size = 2000
66 | pdo_mysql.default_socket=
67 |
68 | [Phar]
69 |
70 | [mail function]
71 | SMTP = localhost
72 | smtp_port = 25
73 | mail.add_x_header = On
74 |
75 | [ODBC]
76 | odbc.allow_persistent = On
77 | odbc.check_persistent = On
78 | odbc.max_persistent = -1
79 | odbc.max_links = -1
80 | odbc.defaultlrl = 4096
81 | odbc.defaultbinmode = 1
82 |
83 | [Interbase]
84 | ibase.allow_persistent = 1
85 | ibase.max_persistent = -1
86 | ibase.max_links = -1
87 | ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
88 | ibase.dateformat = "%Y-%m-%d"
89 | ibase.timeformat = "%H:%M:%S"
90 |
91 | [MySQLi]
92 | mysqli.max_persistent = -1
93 | mysqli.allow_persistent = On
94 | mysqli.max_links = -1
95 | mysqli.cache_size = 2000
96 | mysqli.default_port = 3306
97 | mysqli.default_socket =
98 | mysqli.default_host =
99 | mysqli.default_user =
100 | mysqli.default_pw =
101 | mysqli.reconnect = Off
102 |
103 | [mysqlnd]
104 | mysqlnd.collect_statistics = On
105 | mysqlnd.collect_memory_statistics = Off
106 |
107 | [OCI8]
108 |
109 | [PostgreSQL]
110 | pgsql.allow_persistent = On
111 | pgsql.auto_reset_persistent = Off
112 | pgsql.max_persistent = -1
113 | pgsql.max_links = -1
114 | pgsql.ignore_notice = 0
115 | pgsql.log_notice = 0
116 |
117 | [bcmath]
118 | bcmath.scale = 0
119 |
120 | [browscap]
121 |
122 | [Session]
123 | session.save_handler = files
124 | session.use_strict_mode = 0
125 | session.use_cookies = 1
126 | session.cookie_secure = 1
127 | session.use_only_cookies = 1
128 | session.name = PHPSESSID
129 | session.auto_start = 0
130 | session.cookie_lifetime = 0
131 | session.cookie_path = /
132 | session.cookie_domain =
133 | session.cookie_httponly =
134 | session.serialize_handler = php
135 | session.gc_probability = 0
136 | session.gc_divisor = 1000
137 | session.gc_maxlifetime = 1440
138 | session.referer_check =
139 | session.cache_limiter = nocache
140 | session.cache_expire = 180
141 | session.use_trans_sid = 0
142 | session.sid_length = 26
143 | session.trans_sid_tags = "a=href,area=href,frame=src,form="
144 | session.sid_bits_per_character = 5
145 |
146 | [Assertion]
147 | zend.assertions = -1
148 |
149 | [COM]
150 |
151 | [mbstring]
152 |
153 | [gd]
154 |
155 | [exif]
156 |
157 | [Tidy]
158 | tidy.clean_output = Off
159 |
160 | [soap]
161 | soap.wsdl_cache_enabled=1
162 | soap.wsdl_cache_dir="/tmp"
163 | soap.wsdl_cache_ttl=86400
164 | soap.wsdl_cache_limit = 5
165 |
166 | [sysvshm]
167 |
168 | [ldap]
169 | ldap.max_links = -1
170 |
171 | [dba]
172 |
173 | [opcache]
174 | opcache.enable=1
175 | opcache.enable_cli=1
176 | opcache.interned_strings_buffer=8
177 | opcache.max_accelerated_files=10000
178 | opcache.max_wasted_percentage=10
179 | opcache.memory_consumption=256
180 | opcache.save_comments=1
181 | opcache.revalidate_freq=60
182 | opcache.validate_timestamps=1
183 | opcache.consistency_checks=0
184 |
185 |
186 | [curl]
187 |
188 | [openssl]
189 |
--------------------------------------------------------------------------------
/etc/php/7.2/fpm/pool.d/www-sock.conf:
--------------------------------------------------------------------------------
1 | [php72-fpm-sock]
2 | user = www-data
3 | group = www-data
4 | prefix = /var/run/php
5 |
6 | listen = php72-sock-fpm.sock
7 | listen.owner = www-data
8 | listen.group = www-data
9 | listen.mode = 0660
10 | listen.backlog = 32768
11 |
12 | chdir = /
13 | catch_workers_output = yes
14 |
15 | pm = ondemand
16 | pm.max_children = 50
17 | pm.start_servers = 10
18 | pm.min_spare_servers = 5
19 | pm.max_spare_servers = 25
20 | ping.path = /ping
21 | pm.status_path = /status
22 | pm.max_requests = 500
23 | request_terminate_timeout = 300
24 |
--------------------------------------------------------------------------------
/etc/php/7.2/fpm/pool.d/www-two-sock.conf:
--------------------------------------------------------------------------------
1 | [php72-fpm-two-sock]
2 | user = www-data
3 | group = www-data
4 | prefix = /var/run/php
5 |
6 | listen = php72-sock-two-fpm.sock
7 | listen.owner = www-data
8 | listen.group = www-data
9 | listen.mode = 0660
10 | listen.backlog = 32768
11 |
12 | chdir = /
13 | catch_workers_output = yes
14 |
15 | pm = ondemand
16 | pm.max_children = 50
17 | pm.start_servers = 10
18 | pm.min_spare_servers = 5
19 | pm.max_spare_servers = 25
20 | ping.path = /ping
21 | pm.status_path = /status
22 | pm.max_requests = 500
23 | request_terminate_timeout = 300
24 |
--------------------------------------------------------------------------------
/etc/php/7.3/cli/php.ini:
--------------------------------------------------------------------------------
; /etc/php/7.3/cli/php.ini - settings for the command-line SAPI only (wp-cli,
; cron jobs such as wo-maintenance). php-fpm reads its own php.ini; the
; web-facing hardening belongs there, this file mainly relaxes limits for
; batch work.
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
; pcntl_* only (the php.ini-production default list). Disabling the exec
; family here buys little: CLI scripts already run as whatever user invokes
; php, with that user's full privileges.
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
disable_classes =
zend.enable_gc = On
expose_php = Off
; NOTE(review): per the PHP manual the CLI SAPI hard-codes max_execution_time
; to 0 (unlimited), so this value may be inert - confirm with `php -i`.
; Cron jobs therefore need their own wall-clock guard (e.g. timeout(1)).
max_execution_time = 3000
max_input_vars = 20000
max_input_time = 3000
; Unlimited: a runaway wp-cli or cron script can consume all host RAM and
; nothing in limits.conf or the sysctl file constrains it. Use
; `php -d memory_limit=...` or a systemd/cgroup limit for large imports.
memory_limit = -1
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
; Errors are logged, not printed; error_log is unset here, so for the CLI
; the log goes to stderr and still reaches the terminal or cron mail.
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 128M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 128M
max_file_uploads = 20
; Remote streams stay enabled (wp-cli fetches cores and plugins through
; them); allow_url_include = Off keeps include/require local.
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60

[CLI Server]
cli_server.color = On

[Date]
date.timezone = UTC
[filter]

[iconv]

[intl]

[sqlite3]

[Pcre]

[Pdo]

[Pdo_mysql]
pdo_mysql.default_socket=

[Phar]

[mail function]
SMTP = localhost
smtp_port = 25
; Adds an X-PHP-Originating-Script (uid:script) header to every mail()
; message. Useful for tracing spam on shared hosts, but it discloses the
; sending account and script name to every recipient.
mail.add_x_header = On

[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1

[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"

[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
; Never put credentials here: this file is world-readable.
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off

[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off

[OCI8]

[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

[bcmath]
bcmath.scale = 0

[browscap]

[Session]
; Cookie-related session settings are irrelevant for the CLI SAPI (no
; cookies are ever sent). The values that matter for the web
; (use_strict_mode, cookie_httponly, cookie_samesite) are the ones in the
; fpm php.ini.
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.cookie_samesite =
session.serialize_handler = php
; In-process garbage collection is disabled; on Debian/Ubuntu the
; phpsessionclean timer is expected to expire old session files instead.
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5

[Assertion]
zend.assertions = -1

[COM]

[mbstring]

[gd]

[exif]

[Tidy]
tidy.clean_output = Off

[soap]
soap.wsdl_cache_enabled=1
; /tmp is world-writable: any local account can pre-seed a WSDL file that
; the calling script will then trust. Point this at a directory only the
; invoking user can write to.
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5

[sysvshm]

[ldap]
ldap.max_links = -1

[dba]

[opcache]
; Without opcache.file_cache the CLI opcache lives and dies with each php
; process, so enable_cli only helps long-running scripts.
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.max_wasted_percentage=10
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=60
opcache.validate_timestamps=1
opcache.consistency_checks=0


[curl]

[openssl]
--------------------------------------------------------------------------------
/etc/php/7.3/fpm/php.ini:
--------------------------------------------------------------------------------
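; /etc/php/7.3/fpm/php.ini - production settings shared by every php-fpm
; pool on this host. The security-relevant directives carry a comment;
; two session defaults are tightened compared with php.ini-production
; (session.use_strict_mode, session.cookie_httponly) and the mail()
; fingerprint header is turned off.
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
; Only the pcntl family is disabled (the php.ini-production default). For a
; web-facing pool consider adding the process-spawning functions too
; (exec, passthru, shell_exec, system, proc_open, popen) unless a plugin on
; this host genuinely needs them - they are the usual second stage of an
; upload or deserialization bug in a plugin.
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
disable_classes =
zend.enable_gc = On
; Do not advertise the PHP version in an X-Powered-By header.
expose_php = Off
; Keep in step with request_terminate_timeout in the pool files (300s),
; otherwise FPM kills the worker before PHP can report its own timeout.
max_execution_time = 300
max_input_vars = 20000
max_input_time = 600
; Per-worker ceiling. Worst case per pool is pm.max_children (50) * 256M,
; so size pm.max_children against real RAM rather than raising this.
memory_limit = 256M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
; Errors go to the log only; never echo them to clients in production.
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
; post_max_size must be >= upload_max_filesize; with the two equal, a
; maximum-size upload fails as soon as any other form field is present.
; nginx's client_max_body_size has to allow the same size or nginx answers
; 413 before PHP sees the request.
post_max_size = 128M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 128M
max_file_uploads = 20
; Remote file streams stay enabled (WordPress and many plugins rely on
; them). This is SSRF surface for any code that opens a user-supplied URL;
; allow_url_include = Off at least keeps include/require local.
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60

[CLI Server]
cli_server.color = On

[Date]
date.timezone = UTC
[filter]

[iconv]

[intl]

[sqlite3]

[Pcre]

[Pdo]

[Pdo_mysql]
pdo_mysql.default_socket=

[Phar]

[mail function]
SMTP = localhost
smtp_port = 25
; php.ini-production enables the X-PHP-Originating-Script header so shared
; hosts can trace which script sent abusive mail. On a single-tenant server
; it only discloses the sending uid and script name to every recipient, so
; it is off here; set it back to On if you rely on it for spam tracing.
mail.add_x_header = Off

[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1

[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"

[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
; Never put credentials here: this file is world-readable.
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off

[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off

[OCI8]

[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

[bcmath]
bcmath.scale = 0

[browscap]

[Session]
session.save_handler = files
; Reject session IDs the server never issued. This closes session fixation:
; an attacker can no longer plant an ID of their choosing in a victim's
; cookie and wait for the victim to log in with it.
session.use_strict_mode = 1
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
; Keep the session cookie out of reach of JavaScript so an XSS bug cannot
; read it.
session.cookie_httponly = 1
; Left at the PHP default. "Lax" is the usual choice, but it breaks
; cross-site POST flows (payment-gateway callbacks, SSO returns) that land
; on a PHP session; enable it once those are tested. session.cookie_secure
; is likewise worth setting to 1 once every vhost on this host is HTTPS-only.
session.cookie_samesite =
session.serialize_handler = php
; In-process garbage collection is disabled; on Debian/Ubuntu the
; phpsessionclean timer is expected to expire old files in the default
; session.save_path instead. A per-pool save_path is not covered by it.
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
; 26 chars * 5 bits = 130 bits of session-ID entropy.
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5

[Assertion]
zend.assertions = -1

[COM]

[mbstring]

[gd]

[exif]

[Tidy]
tidy.clean_output = Off

[soap]
soap.wsdl_cache_enabled=1
; A shared, world-writable cache directory lets any local account pre-seed
; WSDL files that the pool will then trust. Prefer a directory owned by
; www-data (e.g. under /var/lib/php) that only php-fpm can write to.
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5

[sysvshm]

[ldap]
ldap.max_links = -1

[dba]

[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.max_wasted_percentage=10
opcache.memory_consumption=256
opcache.save_comments=1
; Cached scripts are re-checked against the file mtime at most every 60s,
; so a deploy is picked up without an FPM reload - and so is a tampered
; file: the opcache is a performance feature, not an integrity control.
opcache.revalidate_freq=60
opcache.validate_timestamps=1
opcache.consistency_checks=0


[curl]

[openssl]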
--------------------------------------------------------------------------------
/etc/php/7.3/fpm/pool.d/www-sock.conf:
--------------------------------------------------------------------------------
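[php73-fpm-sock]
user = www-data
group = www-data
prefix = /var/run/php

; Unix socket, path relative to prefix. 0660 with www-data as owner and group
; means only processes running as www-data (the nginx workers) can talk to
; this pool; keep it that way rather than relaxing the mode to 0666.
listen = php73-sock-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
listen.backlog = 32768

chdir = /
catch_workers_output = yes

; ondemand forks a worker per request burst and reaps it after
; pm.process_idle_timeout. In this mode pm.start_servers,
; pm.min_spare_servers and pm.max_spare_servers are not consulted (they
; only apply to pm = dynamic); they are kept so switching modes needs no
; further edits. Only pm.max_children bounds the pool - size it against
; real RAM (each worker may use memory_limit from php.ini).
pm = ondemand
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 25
; Made explicit (10s is the php-fpm default); lower it on memory-constrained hosts.
pm.process_idle_timeout = 10s
; /ping and /status are only served when nginx forwards those paths to this
; socket. /status discloses request URIs, client IPs and timings, so any
; location that exposes it must be restricted to admin addresses (the repo
; ships an nginx acl.conf, presumably for that purpose - verify it is used).
ping.path = /ping
pm.status_path = /status
; Recycle workers periodically to contain leaks in PHP extensions.
pm.max_requests = 500
; Keep >= max_execution_time in php.ini (300) or FPM kills the worker first
; and nginx returns a bare 502 instead of PHP's own timeout error.
request_terminate_timeout = 300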
--------------------------------------------------------------------------------
/etc/php/7.3/fpm/pool.d/www-two-sock.conf:
--------------------------------------------------------------------------------
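[php73-fpm-two-sock]
user = www-data
group = www-data
prefix = /var/run/php

; Unix socket, path relative to prefix. 0660 with www-data as owner and group
; means only processes running as www-data (the nginx workers) can talk to
; this pool; keep it that way rather than relaxing the mode to 0666.
listen = php73-sock-two-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
listen.backlog = 32768

chdir = /
catch_workers_output = yes

; ondemand forks a worker per request burst and reaps it after
; pm.process_idle_timeout. In this mode pm.start_servers,
; pm.min_spare_servers and pm.max_spare_servers are not consulted (they
; only apply to pm = dynamic); they are kept so switching modes needs no
; further edits. Only pm.max_children bounds the pool - size it against
; real RAM (each worker may use memory_limit from php.ini).
pm = ondemand
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 25
; Made explicit (10s is the php-fpm default); lower it on memory-constrained hosts.
pm.process_idle_timeout = 10s
; /ping and /status are only served when nginx forwards those paths to this
; socket. /status discloses request URIs, client IPs and timings, so any
; location that exposes it must be restricted to admin addresses (the repo
; ships an nginx acl.conf, presumably for that purpose - verify it is used).
ping.path = /ping
pm.status_path = /status
; Recycle workers periodically to contain leaks in PHP extensions.
pm.max_requests = 500
; Keep >= max_execution_time in php.ini (300) or FPM kills the worker first
; and nginx returns a bare 502 instead of PHP's own timeout error.
request_terminate_timeout = 300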
--------------------------------------------------------------------------------
/etc/security/limits.conf:
--------------------------------------------------------------------------------
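# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#        - NOTE: group and wildcard limits are not applied to root.
#          To apply a limit to the root user, <domain> must be
#          the literal username root.
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#        - chroot - change root to directory (Debian-specific)
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#root            hard    core            100000
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#ftp             -       chroot          /ftp
#@student        -       maxlogins       4

# Raised open-file limits for the web stack.
# - pam_limits applies these only to PAM sessions (ssh, su, cron). systemd
#   services never read this file: nginx, php-fpm, mariadb and netdata get
#   their ceiling from LimitNOFILE= in their unit or a drop-in under
#   /etc/systemd/system/*.service.d/.
# - The wildcard entry does not cover root, hence the explicit root lines.
# - fs.file-max (sysctl) caps open files system-wide; a per-process value of
#   500000 is only meaningful while fs.file-max is comfortably above it.
*       hard    nofile  500000
*       soft    nofile  500000
root    hard    nofile  500000
root    soft    nofile  500000

# End of file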
--------------------------------------------------------------------------------
/etc/ssh/sshd_config:
--------------------------------------------------------------------------------
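# A custom port in the range 1024-65535 only cuts scanner noise in the logs;
# it is not a security control by itself.
Port 22

# Host keys offered to clients. Which key is used is decided by the client's
# HostKeyAlgorithms preference, not by the order of these lines. Keep the RSA
# key only if it is >= 3072 bits; ed25519 is the preferred type.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Root may log in with a key only. "prohibit-password" is the OpenSSH >= 7.0
# spelling of the old "without-password"; both mean the same thing. Prefer
# "no" plus an unprivileged account with sudo so root actions are
# attributable to a person.
PermitRootLogin prohibit-password

# Allow-list of accounts that may authenticate at all; every other user is
# refused before any key is checked. Add your own admin user here or you
# are locked out the moment this file is installed.
AllowUsers root ubuntu debian

# Key-based authentication, keys read from each user's ~/.ssh/authorized_keys
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# No passwords, no empty passwords, no keyboard-interactive (PAM) prompts.
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

# PAM still handles account and session setup (pam_limits, lastlog) even
# though it is not used for authentication.
UsePAM yes

# A web server has no use for X11 or agent forwarding; both only give a
# compromised client, or a malicious root on this box, more to abuse.
# Re-enable per user with a Match block if a workflow really needs them.
X11Forwarding no
AllowAgentForwarding no

# Brute-force and stale-connection hygiene. MaxAuthTries also counts every
# public key the client offers, so raise it if your agent holds many keys.
# The ClientAlive pair drops connections whose client stopped answering
# (dead NAT state), not merely idle users.
MaxAuthTries 4
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2

#PrintMotd no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# VERBOSE records the fingerprint of the key used for each login - needed
# for a clear audit trail of which key (not just which account) logged in.
LogLevel VERBOSE

# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO

# Host-key signature algorithms this server OFFERS (sshd_config(5)); the
# client's own preference list picks the winner. The SHA-1 "ssh-rsa"
# signature is dropped in favour of rsa-sha2-512/256 over the same RSA key -
# OpenSSH 8.8+ clients refuse ssh-rsa by default anyway. Needs OpenSSH >= 7.2
# on the server. The *-cert entries only matter once a HostCertificate is
# configured.
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

# Key exchange, ciphers and MACs: AEAD and encrypt-then-MAC first, CTR and
# plain MACs kept only for older clients. diffie-hellman-group-exchange-sha256
# draws its groups from /etc/ssh/moduli - prune everything under 3072 bits
# there (keep only lines whose 5th field is >= 3071) or drop that kex.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Privilege separation has been mandatory (and sandboxed) since OpenSSH 7.5,
# where this keyword became deprecated; newer sshd only logs a warning for
# it. Kept for releases before 7.5 - remove once none of those remain.
UsePrivilegeSeparation sandbox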
--------------------------------------------------------------------------------
/etc/sysctl.d/60-ubuntu-nginx-web-server.conf:
--------------------------------------------------------------------------------
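# Kernel sysctl configuration file for Linux
#
# Version 1.16 - 2018-10-23
# Michiel Klaver - IT Professional
# Modified by VirtuBox
#
# Instructions available on https://github.com/VirtuBox/ubuntu-nginx-web-server
#
# Sources :
# https://klaver.it/linux/sysctl.conf
# https://easyengine.io/tutorials/linux/sysctl-conf/
#
#
# Credits:
#
# http://www.enigma.id.au/linux_tuning.txt
# http://www.securityfocus.com/infocus/1729
# http://fasterdata.es.net/TCP-tuning/linux.html
# http://fedorahosted.org/ktune/browser/sysctl.ktune
# http://www.cymru.com/Documents/ip-stack-tuning.html
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
# http://knol.google.com/k/linux-performance-tuning-and-measurement
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
# http://www.speedguide.net/read_articles.php?id=121
# http://lartc.org/howto/lartc.kernel.obscure.html
# http://en.wikipedia.org/wiki/Sysctl
#
# Usage
# wget -O /etc/sysctl.d/60-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
#
# sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
#
# Review notes: keys that do not exist on the kernels Ubuntu ships are
# commented out (with -e they were silently skipped, but systemd-sysctl
# logs an error for each of them at boot). Protections Ubuntu already
# enables by default are stated explicitly so that a different base image
# cannot quietly lose them. Because this file sorts after systemd's
# 50-default.conf, every value here overrides the distribution default.
#

###
### GENERAL SYSTEM SECURITY OPTIONS ###
###

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# PID space. 65535 is above the historical 32768 default, but systemd >= 243
# already raises pid_max to 4194304 on 64-bit hosts, where this line lowers
# it instead. Harmless for a web server, just not an increase everywhere.
kernel.pid_max = 65535

# kernel.maps_protect was removed from the kernel long ago (maps/smaps are
# always ptrace-gated now) and kernel.exec-shield only ever existed in
# Red Hat kernels; neither key exists on Ubuntu.
#kernel.maps_protect = 1
#kernel.exec-shield = 1

# Full address-space randomisation (stack, mmap, brk).
kernel.randomize_va_space = 2

# Lowest address an unprivileged process may mmap. 65536 is the Ubuntu
# default. The previous value of 4096 let user space map everything from
# the second page up, which is exactly what a kernel NULL-pointer
# dereference of a small positive offset needs to become exploitable.
# Raise this if anything, never lower it.
vm.mmap_min_addr = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65535

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65535

# Restrict core dumps
fs.suid_dumpable = 0

# Hide exposed kernel pointers (1: hidden from unprivileged readers; 2 would
# hide them from root too, which hampers crash analysis).
kernel.kptr_restrict = 1

# Kernel log readable by root only - it leaks addresses and hardware details.
kernel.dmesg_restrict = 1

# Yama: a process may only ptrace its own descendants unless it holds
# CAP_SYS_PTRACE (Ubuntu default, stated explicitly). Keeps a compromised
# php-fpm worker from reading secrets out of a sibling worker's memory.
kernel.yama.ptrace_scope = 1

# Symlink / hardlink / FIFO / regular-file protections in world-writable
# sticky directories such as /tmp - the classic symlink-race class of local
# privilege escalation. The last two need Linux >= 4.19 (-e skips them on
# older kernels). NOTE(review): values mirror current Ubuntu defaults as far
# as known; check `sysctl -a` before deploying on another distribution.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 1
fs.protected_regular = 2

# Worth considering on single-purpose hosts, but it cannot be undone until
# reboot and unprivileged eBPF consumers (e.g. some netdata collectors when
# not run as root) stop working, so it is left as an opt-in:
#kernel.unprivileged_bpf_disabled = 1

###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###

# System-wide ceiling on open file handles. It must stay above the sum of
# the per-process limits handed out elsewhere (limits.conf and the systemd
# drop-ins grant 500000 per process to nginx/php-fpm/mariadb); the earlier
# value of 209708 was lower than a single such process, and recent kernels
# default far higher anyway. Current usage: /proc/sys/fs/file-nr.
fs.file-max = 2097152

# Do less swapping
vm.swappiness = 10
vm.dirty_ratio = 30
vm.dirty_background_ratio = 5

# Overcommit ratio is only consulted when vm.overcommit_memory = 2; kept so
# switching to strict accounting needs no further edit.
vm.overcommit_ratio = 50

# 1 = always overcommit, as Redis recommends so its BGSAVE fork cannot fail
# on a busy instance (0 is the kernel's heuristic default).
vm.overcommit_memory = 1

# SysV shared memory. shmmax is in bytes (256MB). shmall is in PAGES, so
# 268435456 pages is 1TiB, not 256MB as the old comment claimed. Both are
# lower than the kernel defaults (effectively unlimited); anything needing a
# single SysV segment above 256MB will fail - raise shmmax in that case.
kernel.shmmax = 268435456
kernel.shmall = 268435456

# Keep at least 64MB of free RAM space available
vm.min_free_kbytes = 65535

###
### GENERAL NETWORK SECURITY OPTIONS ###
###

#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

# Disables IP source routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
# (1 = strict; use 2 = loose on multi-homed hosts with asymmetric routing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
# (rate-limited by the kernel, but still noisy on a busy public host)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 7

# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0

# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0

# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
net.ipv4.tcp_timestamps = 1

# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535

# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1

# Do not auto-configure IPv6.
# NOTE: many cloud providers deliver the IPv6 default route ONLY via router
# advertisements; with accept_ra = 0 such a host silently loses IPv6 unless
# netplan/networkd configures the address and gateway statically. Verify
# IPv6 reachability after applying this file.
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_pinfo = 0

###
### TUNING NETWORK PERFORMANCE ###
###

# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
net.core.default_qdisc = fq

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 262144
net.core.rmem_max = 16777216

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 262144
net.core.wmem_max = 16777216

# Increase number of incoming connections (matches listen.backlog in the
# php-fpm pools; a listen() backlog larger than this is silently truncated)
net.core.somaxconn = 32768

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 16384
net.core.dev_weight = 64

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65535

# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000

# Reuse TIME-WAIT sockets for new outgoing connections. tcp_tw_recycle
# (which broke clients behind NAT) was removed in Linux 4.12; on older
# kernels its default is already 0, so the line is no longer needed.
#net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1

# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0

# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608
net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144


# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1

# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50

# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048

# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024

# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32

# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30

# Increase TCP queue length
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6

# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3

# How many times to retry killing an alive TCP connection
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3

# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
net.ipv4.tcp_slow_start_after_idle = 0

# TCP Fast Open: bit 1 = client side, bit 2 = server side, 3 = both. Only
# the server bit benefits a web server; TFO cookies are generated per host
# so nothing else needs configuring. Beware: some middleboxes drop TFO SYNs
# (kernel > 3.7).
net.ipv4.tcp_fastopen = 3

# This will enusre that immediatly subsequent connections use the new values
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1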
--------------------------------------------------------------------------------
/etc/systemd/resolved.conf:
--------------------------------------------------------------------------------
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details

[Resolve]
#DNS=
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#Cache=yes
#DNSStubListener=yes
# Upstream resolvers for systemd-resolved: Cloudflare (v4 + v6) as DNS=,
# Google as FallbackDNS=. Per resolved.conf(5) FallbackDNS= is used only
# when NO other servers are known (no DNS= here and none from the network
# link), so with DNS= set it is not a failover list - list every resolver
# you want queried under DNS=. The local stub at 127.0.0.53 stays enabled
# (DNSStubListener default), which is what /etc/resolv.conf points at.
# NOTE(review): queries leave the host in cleartext on port 53 and DNSSEC
# stays at the compiled default (no on Ubuntu). DNSSEC=allow-downgrade and,
# on systemd >= 239, DNSOverTLS=opportunistic are worth enabling - both
# change behaviour, so turn them on deliberately and test resolution.
DNS=1.1.1.1 2606:4700:4700::1111 1.0.0.1
FallbackDNS=8.8.8.8 2001:4860:4860::8888 8.8.4.4

--------------------------------------------------------------------------------
/etc/systemd/system/mariadb.service.d/limits.conf:
--------------------------------------------------------------------------------
[Service]
# systemd services ignore /etc/security/limits.conf; this drop-in is what
# actually sets MariaDB's open-file ceiling (open_files_limit in my.cnf
# cannot exceed it). It has to stay below fs.file-max from the sysctl file.
LimitNOFILE=500000
--------------------------------------------------------------------------------
/etc/systemd/system/netdata.service.d/limits.conf:
--------------------------------------------------------------------------------
[Service]
# Open-file ceiling for the netdata service (limits.conf does not apply to
# systemd units). Netdata keeps a handle per monitored cgroup/socket/proc
# entry, so it needs more than the stock 1024 but far less than MariaDB.
LimitNOFILE=30000
--------------------------------------------------------------------------------
/etc/systemd/system/nginx.service:
--------------------------------------------------------------------------------
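[Unit]
Description=The NGINX HTTP and reverse proxy server
# syslog.target is obsolete in current systemd (logging goes through the
# journal/syslog socket); ordering after it was a no-op and is dropped.
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
# Refuse to (re)start on a broken configuration instead of leaving the old
# master running with nothing listening.
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
# Sandboxing. The master runs as root only to bind :80/:443 and spawn the
# www-data workers; it never needs to change kernel tunables, load modules
# or touch the cgroup tree, and it only reads /etc (certificates, config).
# ProtectSystem=full mounts /usr, /boot and /etc read-only; /var (logs,
# cache, web roots) stays writable. Drop any line a third-party module
# turns out to need, and check `journalctl -u nginx` after enabling.
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target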
--------------------------------------------------------------------------------
/etc/systemd/system/nginx.service.d/limits.conf:
--------------------------------------------------------------------------------
[Service]
# Open-file ceiling handed to the nginx master (limits.conf does not apply
# to systemd units). Keep it in agreement with worker_rlimit_nofile in
# nginx.conf: the root master can raise the workers' limit on its own, so
# a mismatch is confusing rather than enforced. Must stay below fs.file-max.
LimitNOFILE=30000
--------------------------------------------------------------------------------
/var/www/.bashrc:
--------------------------------------------------------------------------------
# ~/.bashrc for the www-data account (its home is /var/www). Interactive
# shell cosmetics and aliases only; nothing here affects php-fpm or nginx.
# NOTE(review): shell dotfiles for a service account imply it has a login
# shell - confirm /etc/passwd only gives www-data one if interactive
# `sudo -u www-data -i` sessions are actually required.

# Colour prompt is forced on here (the stock Debian skeleton ships this line
# commented out); remove the assignment to fall back to a plain prompt.
force_color_prompt=yes

color_prompt=
if [ -n "$force_color_prompt" ]; then
  # tput succeeds only when the terminal advertises colour; such terminals
  # are assumed to honour ECMA-48 (ISO/IEC 6429) escape sequences.
  if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
    color_prompt=yes
  fi
fi

case "$color_prompt" in
  yes)
    # user@host cwd $ in green / yellow / cyan / magenta, colours reset at the end
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u\[\033[01;33m\]@\[\033[01;36m\]\h \[\033[01;33m\]\w \[\033[01;35m\]\$ \[\033[00m\]'
    ;;
  *)
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
    ;;
esac
unset color_prompt force_color_prompt

# xterm-compatible terminals also get user@host:dir in the window title.
case "$TERM" in
  xterm*|rxvt*) PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" ;;
esac

# ls shorthands
alias ll='ls -alhF'
alias la='ls -A'
alias l='ls -CF'

# Further aliases belong in ~/.bash_aliases rather than here
# (see /usr/share/doc/bash-doc/examples in the bash-doc package).
if [ -f ~/.bash_aliases ]; then
  . ~/.bash_aliases
fi

# Programmable completion, unless the shell is in POSIX mode (or it was
# already loaded by /etc/bash.bashrc via /etc/profile).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
--------------------------------------------------------------------------------
/var/www/.profile:
--------------------------------------------------------------------------------
# ~/.profile: read by Bourne-compatible login shells for the www-data
# account. It only delegates to ~/.bashrc when the login shell is bash, so
# all interactive settings live in one file.
if [ -n "$BASH" ] && [ -f ~/.bashrc ]; then
  . ~/.bashrc
fi
--------------------------------------------------------------------------------