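├── Dockerfile ├── LICENSE ├── README.md ├── defaults ├── default ├── fail2ban-filters │ ├── nginx-badbots.conf │ └── nginx-http-auth.conf ├── index.html ├── jail.local ├── lerotate ├── letsencrypt.sh ├── letsencryptcron.conf ├── nginx-fpm.conf ├── nginx.conf └── nginxrotate ├── firstrun.sh └── services └── memcached └── run
/Dockerfile:
--------------------------------------------------------------------------------
# Nginx + php5-fpm + memcached + fail2ban image with a Let's Encrypt client
# (certbot-auto) driven by /defaults/letsencrypt.sh from cron.
#
# NOTE(review): the README marks this image as deprecated. The base is
# Ubuntu 14.04 with php5, neither of which still receives security fixes, so
# treat this file as reference material rather than something to deploy.
FROM phusion/baseimage:0.9.18

MAINTAINER aptalca

# Certificates/keys, nginx site config, web root and logs all live under /config.
VOLUME ["/config"]

EXPOSE 80 443

# DHLEVEL and ONLY_SUBDOMAINS are runtime knobs documented in the README and
# read by the init/cron scripts (not visible here). HOME is exported again by
# letsencrypt.sh for certbot-auto.
ENV HOME="/root" LC_ALL="C.UTF-8" LANG="en_US.UTF-8" LANGUAGE="en_US.UTF-8" DHLEVEL="2048" ONLY_SUBDOMAINS="false"

# Runtime packages. Supply-chain note: nginx comes from a third-party PPA
# (ppa:nginx/stable) rather than the distribution archive.
# `git` is intentionally not installed any more: the README changelog
# (2016-04-12) records that the container stopped using git once certbot-auto
# became self-contained, and an unused VCS client is attack surface in a
# web-facing image.
# uid 99 / gid 100 for `nobody` presumably mirrors unRAID's nobody:users so
# files written into the volume match the host -- confirm before changing.
RUN export DEBCONF_NONINTERACTIVE_SEEN=true DEBIAN_FRONTEND=noninteractive && \
    add-apt-repository ppa:nginx/stable && \
    apt-get update && \
    apt-get install -y \
        nano \
        nginx \
        openssl \
        php5-fpm \
        php5 \
        php5-cli \
        php5-mysqlnd \
        php5-mcrypt \
        php5-curl \
        php5-gd \
        php5-cgi \
        php5-pgsql \
        php5-memcached \
        php5-sqlite \
        memcached \
        fail2ban && \
    mkdir -p /etc/my_init.d && \
    usermod -u 99 nobody && \
    usermod -g 100 nobody && \
    usermod -d /home nobody && \
    chown -R nobody:users /home

ADD firstrun.sh /etc/my_init.d/firstrun.sh
ADD services/ /etc/service/
ADD defaults/ /defaults/
# Supply-chain caveat: certbot-auto is fetched over HTTPS at build time and
# executed below with no integrity check beyond the TLS connection, so the
# image depends on whatever dl.eff.org served at build time. EFF publishes a
# detached PGP signature (certbot-auto.asc) alongside the script; verify it
# against a key pinned in this repository before the file is made executable.
# TODO(review): add the signature verification step.
ADD https://dl.eff.org/certbot-auto /defaults/certbot-auto

# `certbot-auto -n -h` is run once here so that the script's self-bootstrap
# (it pulls in its own dependencies) lands in an image layer instead of on
# first container start. nginx/php5-fpm/fail2ban are removed from the
# init.d sequence; they are presumably started by firstrun.sh / runit.
# APT caches are dropped at the end so the layer does not carry package
# lists that are stale (and misleading) by the time the image runs.
RUN chmod +x /etc/my_init.d/firstrun.sh && \
    chmod +x /defaults/letsencrypt.sh && \
    chmod +x /defaults/certbot-auto && \
    chmod +x /etc/service/*/run && \
    /defaults/certbot-auto -n -h && \
    cp /defaults/nginxrotate /etc/logrotate.d/nginx && \
    cp /defaults/lerotate /etc/logrotate.d/letsencrypt && \
    crontab /defaults/letsencryptcron.conf && \
    update-rc.d -f nginx remove && \
    update-rc.d -f php5-fpm remove && \
    update-rc.d -f fail2ban remove && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*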
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 
32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. 
The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 
97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 
128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. 
However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. 
Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. 
Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. 
For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 
279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 
319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | 341 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## This image has been deprecated. Please use the new image here: https://hub.docker.com/r/linuxserver/letsencrypt/ 2 | It is based on alpine, leaner, meaner and more up to date 3 | 4 | ### Nginx-Letsencrypt 5 | 6 | This container sets up an Nginx webserver with a built-in letsencrypt client that automates free SSL server certificate generation and renewal processes. 7 | 8 | #### Install On unRaid: 9 | 10 | On unRaid, install from the Community Applications and enter the app folder location, server ports and the email, the domain url and the subdomains (comma separated, no spaces) under advanced view. 
Note: 11 | - Make sure that the port 443 in the container is accessible from the outside of your lan. It is OK to map container's port 443 to another port on the host (ie 943) as long as your router will forward port 443 from the outside to port 943 on the host and it will end up at port 443 in the container. If this is confusing, just leave 443 mapped to 443 and forward port 443 on your router to your unraid IP. 12 | - Prior to SSL certificate creation, letsencrypt creates a temporary webserver and checks to see if it is accessible through the domain url provided for validation. Make sure that your server is reachable through your.domain.url:443 and that port 443 is forwarded on your router to the container's port 443 prior to running this docker. Otherwise letsencrypt validation will fail, and no certificates will be generated. 13 | - If you prefer your dhparams to be 4096 bits (default is 2048), add an environment variable under advanced view `DHLEVEL` that equals `4096` 14 | - If you prefer to get a certificate only for subdomains and not the url (for instance a cert that covers mail.url.com and ftp.url.com but not url.com), add an environment variable under advanced view `ONLY_SUBDOMAINS` that equals `true` 15 | 16 | 17 | #### Install On Other Platforms (like Ubuntu or Synology 5.2 DSM, etc.): 18 | 19 | On other platforms, you can run this docker with the following command: 20 | 21 | ``` 22 | docker run -d \ 23 | --privileged \ 24 | --name="Nginx-letsencrypt" \ 25 | -p 80:80 \ 26 | -p 443:443 \ 27 | -e EMAIL="youremail" \ 28 | -e URL="yourdomain.url" \ 29 | -e SUBDOMAINS="www,subdomain1,subdomain2" \ 30 | -e TZ="America/New_York" \ 31 | -v /path/to/config/:/config:rw \ 32 | aptalca/nginx-letsencrypt 33 | ``` 34 | 35 | - Replace the EMAIL variable (youremail) with the e-mail address you would like to register the SSL certificate with. 
36 | - Replace the URL variable (yourdomain.url) with your server's internet domain name, without any subdomains (can also be a dynamic dns url, ie. google.com or username.duckdns.org). 37 | - Replace the SUBDOMAINS variable with your choice of subdomains (just the subdomains, comma separated, no spaces). 38 | - Replace "America/New_York" with your timezone if different. List of timezones available here: http://php.net/manual/en/timezones.php 39 | - Replace the "/path/to/config" with your choice of location. 40 | - Make sure that the port 443 in the container is accessible from the outside of your lan. It is OK to map container's port 443 to another port on the host (ie 943) as long as your router will forward port 443 from the outside to port 943 on the host and it will end up at port 443 in the container. If this is confusing, just leave the `-p 443:443` portion of the run command as is and forward port 443 on your router to your host IP. 41 | - Prior to SSL certificate creation, letsencrypt creates a temporary webserver and checks to see if it is accessible through the domain url provided for validation. Make sure that your server is reachable through your.domain.url:443 and that port 443 is forwarded on your router to the container's port 443 prior to running this docker. Otherwise letsencrypt validation will fail, and no certificates will be generated. 42 | - Fail2ban slows down brute-force attempts against htpasswd (HTTP basic auth) protected locations by temporarily banning the offending IP; it is not a defence against DDoS, which has to be absorbed upstream of this container. The default implementation bans IPs after repeated failed htpasswd authentication and blocks known bad bots by their user agent. You can add more filters by modifying the `/config/nginx/jail.local` file and dropping the filter files in the `/config/nginx/fail2ban-filters` folder. Don't forget to restart the container afterwards. Fail2ban enforces bans by inserting iptables rules, which is why the run command above uses `--privileged`; be aware that `--privileged` removes most of the container's isolation from the host, so the narrower `--cap-add=NET_ADMIN` (the capability iptables needs) should be tried first. 43 | - OPTIONAL: If you prefer your dhparams to be 4096 bits (default is 2048), add the following to your run command: `-e DHLEVEL="4096"` 44 | - NOTE: PHP is finally fixed.
Switched to using `unix:/var/run/php5-fpm.sock`. If you're updating an existing install (from prior to the 2016-04-12 build), delete your nginx-fpm.conf file, modify your default site config to utilize `unix:/var/run/php5-fpm.sock` instead of `127.0.0.1:9000` (as in here: https://github.com/aptalca/docker-webserver/blob/master/defaults/default ) and restart the container 45 | - OPTIONAL: If you'd like to generate a cert only for subdomains and not for the url (for instance a cert that covers mail.url.com and ftp.url.com but not url.com), include the following parameter in your run command: `-e ONLY_SUBDOMAINS="true"` 46 | - NOTE: This container recognizes any changes to the parameters entered. If there are changes to the url or domains, it will attempt to revoke the existing certs and generate new ones. Keep in mind that if you change them too many times, letsencrypt will throttle requests and you may be denied new certs for a period of time. Check the logs for suspected throttling. 47 | - NOTE: New version automatically creates a pfx file (certificate plus private key bundled together) with every renewal, which you can use for applications such as Emby. Because it contains the private key, protect it exactly like `privkey.pem` and do not copy it anywhere less restricted than `/config`. 48 | 49 | 50 | You can access your webserver at `https://subdomain.yourdomain.url/` 51 | 52 | #### Changelog: 53 | - 2016-09-22 - Fixed deletion of symlink after failed install 54 | - 2016-08-19 - Added ability to generate certs ONLY for subdomains, without the url (many thanks to @stuwil for PR) - Greatly simplified the cert renewal process - Updated php - Added auto generated pfx private key - Added ability to change DH bit parameter without having to delete the existing file 55 | - 2016-06-18 - Log rotation fixed - Letsencrypt log moved to its own folder - Fixed missing e-mail parameter when renewing through cron 56 | - 2016-06-03 - Added ability to change url and subdomains (container will automatically recognize changes to the variables upon start, and will update the cert accordingly) - Updated nginx to 1.10.1 - Switched to using certbot, the new
official letsencrypt client maintained by EFF 57 | - 2016-05-06 - Updated nginx to 1.10.0 - Updated phusion baseimage to 18 58 | - 2016-04-16 - Fixed bug with detecting fail2ban.sock, which prevented fail2ban start 59 | - 2016-04-12 - Many changes under the hood to streamline - new/renewed certs will be 4096 bits - added option for 4096 bit dhparams - no more git, only uses the single letsencrypt-auto script - all environment variables match (bash, init and cron) - fixed bug affecting multiple subdomains - finally fixed php (may have to change your site config to use "fastcgi_pass unix:/var/run/php5-fpm.sock;" as in here: https://github.com/aptalca/docker-webserver/blob/master/defaults/default ) and delete your nginx-fpm.conf file and restart 60 | - 2016-04-11 - Fixed the cron environment issue that could break script updates 61 | - 2016-04-08 - Fixed update bug (accidentally removed a line in previous update) 62 | - 2016-04-07 - Remove the git pull as the April 6th update of the auto script to ver 0.5.0 no longer needs it 63 | - 2016-04-05 - Add nightly git pull to prevent letsencrypt update errors 64 | - 2016-03-29 - Quick fix for nginx not starting 65 | - 2016-03-29 - IMPORTANT UPDATE, cron script has been fixed (wasn't getting the correct env variables), letsencrypt updates more frequently (infrequent updates could error and break cert updates), cron now runs everynight at midnight to check status and updates letsencrypt, letsencrypt log file gets appended with cron output for tracking update history 66 | - 2016-03-08 - Fixed issue with fail2ban not starting following container crash 67 | - 2016-01-15 - Added fail2ban support (Important: If updating from earlier, notice that a `--privileged` flag is added to the run command. 
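Without it, fail2ban does not work due to inability to modify iptables)
- 2016-01-05 - Fixed permissions for php-fpm and memcached (they were not starting) - Fixed silly typo causing cert renewal every 6 days instead of 60
- 2016-01-03 - Updated to support multiple subdomains
- 2015-12-29 - Initial Release
--------------------------------------------------------------------------------
/defaults/default:
--------------------------------------------------------------------------------
# Default site: serves /config/www over plain HTTP on 80 and TLS on 443 with the
# Let's Encrypt certificate maintained by /defaults/letsencrypt.sh.
# Note that port 80 serves the same content unencrypted; there is no redirect
# to HTTPS here, so add one if the site must only be reachable over TLS.
server {
    listen 80;

    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # Do not advertise the nginx version in the Server header / error pages.
    server_tokens off;

    # Paths written by the letsencrypt/dhparam scripts into the /config volume.
    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;

    # Restrict to TLS 1.2. Without this line nginx falls back to its built-in
    # default, which on this nginx/OpenSSL generation still enables TLS 1.0 and
    # 1.1. TLS 1.3 is not available with the OpenSSL shipped in this base image.
    # This drops clients that cannot speak TLS 1.2 (very old browsers/devices).
    ssl_protocols TLSv1.2;

    # Forward-secret (ECDHE/DHE) AES suites only. The original list ended with
    # the catch-alls 'AES:CAMELLIA:DES-CBC3-SHA' and a set of static-RSA AES
    # suites, which re-admitted non-forward-secret ciphers and 3DES (SWEET32)
    # after the explicit list; they are removed here and 3DES is excluded
    # outright. Every TLS 1.2 client supports at least one of the suites below.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # 0 disables nginx's request-body size limit entirely (unbounded uploads).
    # Kept for compatibility with existing installs; consider a real bound if
    # the site does not need arbitrarily large uploads.
    client_max_body_size 0;

    location / {
        # NOTE(review): only the last try_files argument is a fallback URI; the
        # intermediate '/index.php?$args' is tested as a literal file path and
        # presumably never matches, so in practice requests fall through to
        # /index.html (which the image ships) or 404. Left unchanged.
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        # Refuse to hand a request to php-fpm unless the requested .php file
        # actually exists. Without this, a request like /uploads/img.jpg/x.php
        # reaches PHP with SCRIPT_FILENAME pointing at a non-existent file, and
        # with php5's default cgi.fix_pathinfo=1 PHP walks back the path and
        # executes img.jpg -- arbitrary code execution for anyone who can upload
        # a file into the web root.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}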
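--------------------------------------------------------------------------------
/defaults/fail2ban-filters/nginx-badbots.conf:
--------------------------------------------------------------------------------

# Fail2Ban configuration file
#
# Regexp to catch known spambots and software alike. Please verify
# that it is your intent to block IPs which were driven by
# above mentioned bots.
#
# The failregex is anchored on the leading client address of an nginx
# access-log line in the default "combined" format ("<addr> - <user> [...").
# The <HOST> tag is mandatory: fail2ban refuses to load a filter whose
# failregex has no host group, and that group is the address it bans.
# If nginx sits behind a reverse proxy, the first field is the proxy's
# address, not the client's, and this filter would ban the proxy.


[Definition]

badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00

# <HOST> restored: the published copy of this file lost the tag (it was
# swallowed as markup), leaving "^ -.*", which fail2ban rejects.
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$

ignoreregex =

# DEV Notes:
# List of bad bots fetched from http://www.user-agents.org
# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots.
#
# Author: Yaroslav Halchenko
--------------------------------------------------------------------------------
/defaults/fail2ban-filters/nginx-http-auth.conf:
--------------------------------------------------------------------------------
#
# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
#
# Blocks IPs that fail to authenticate using basic authentication
#
# Matches nginx error-log entries for HTTP basic-auth failures, which carry the
# client address as "client: <addr>". Each alternative must end in the <HOST>
# tag: fail2ban refuses to load a filter whose failregex has no host group,
# and that group is the address it bans. The published copy of this file had
# lost the tag (swallowed as markup), which would stop the jail from starting.
#
[Definition]

failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>

ignoreregex =
--------------------------------------------------------------------------------
/defaults/index.html:
--------------------------------------------------------------------------------
Default landing page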
26 |

Default Landing Page

27 |

Your webserver is working properly

28 |

You can edit the index.html file to change this page

29 |
30 | 31 | 32 | -------------------------------------------------------------------------------- /defaults/jail.local: -------------------------------------------------------------------------------- 1 | # This is the custom version of the jail.conf for fail2ban 2 | # Feel free to modify this and add additional filters 3 | # Then you can drop the new filter conf files into the fail2ban-filters 4 | # folder and restart the container 5 | 6 | [DEFAULT] 7 | 8 | # "bantime" is the number of seconds that a host is banned. 9 | bantime = 600 10 | 11 | # A host is banned if it has generated "maxretry" during the last "findtime" 12 | # seconds. 13 | findtime = 600 14 | 15 | # "maxretry" is the number of failures before a host get banned. 16 | maxretry = 5 17 | 18 | 19 | [ssh] 20 | 21 | enabled = false 22 | 23 | 24 | [nginx-http-auth] 25 | 26 | enabled = true 27 | filter = nginx-http-auth 28 | port = http,https 29 | logpath = /config/log/nginx/error.log 30 | 31 | 32 | [nginx-badbots] 33 | 34 | enabled = true 35 | port = http,https 36 | filter = nginx-badbots 37 | logpath = /config/log/nginx/access.log 38 | maxretry = 2 39 | -------------------------------------------------------------------------------- /defaults/lerotate: -------------------------------------------------------------------------------- 1 | /config/log/letsencrypt/*.log { 2 | weekly 3 | rotate 52 4 | compress 5 | delaycompress 6 | missingok 7 | notifempty 8 | sharedscripts 9 | } 10 | -------------------------------------------------------------------------------- /defaults/letsencrypt.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "<------------------------------------------------->" 3 | echo 4 | echo "<------------------------------------------------->" 5 | echo "cronjob running at "$(date) 6 | export HOME="/root" 7 | cd /defaults 8 | echo "Running certbot renew" 9 | ./certbot-auto -n renew --standalone --pre-hook "service nginx stop" --post-hook 
"service nginx start ; cd /config/keys && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:" 10 | -------------------------------------------------------------------------------- /defaults/letsencryptcron.conf: -------------------------------------------------------------------------------- 1 | PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 2 | 3 | 0 2 * * * /defaults/letsencrypt.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1 4 | -------------------------------------------------------------------------------- /defaults/nginx-fpm.conf: -------------------------------------------------------------------------------- 1 | ; Start a new pool named 'www'. 2 | ; the variable $pool can we used in any directive and will be replaced by the 3 | ; pool name ('www' here) 4 | [www] 5 | 6 | ; Per pool prefix 7 | ; It only applies on the following directives: 8 | ; - 'slowlog' 9 | ; - 'listen' (unixsocket) 10 | ; - 'chroot' 11 | ; - 'chdir' 12 | ; - 'php_values' 13 | ; - 'php_admin_values' 14 | ; When not set, the global prefix (or /usr) applies instead. 15 | ; Note: This directive can also be relative to the global prefix. 16 | ; Default Value: none 17 | ;prefix = /path/to/pools/$pool 18 | 19 | ; Unix user/group of processes 20 | ; Note: The user is mandatory. If the group is not set, the default user's group 21 | ; will be used. 22 | user = nobody 23 | group = users 24 | 25 | ; The address on which to accept FastCGI requests. 26 | ; Valid syntaxes are: 27 | ; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on 28 | ; a specific port; 29 | ; 'port' - to listen on a TCP socket to all addresses on a 30 | ; specific port; 31 | ; '/path/to/unix/socket' - to listen on a unix socket. 32 | ; Note: This value is mandatory. 33 | listen = /var/run/php5-fpm.sock 34 | 35 | ; Set listen(2) backlog. 
36 | ; Default Value: 65535 (-1 on FreeBSD and OpenBSD) 37 | ;listen.backlog = 65535 38 | 39 | ; Set permissions for unix socket, if one is used. In Linux, read/write 40 | ; permissions must be set in order to allow connections from a web server. Many 41 | ; BSD-derived systems allow connections regardless of permissions. 42 | ; Default Values: user and group are set as the running user 43 | ; mode is set to 0660 44 | listen.owner = nobody 45 | listen.group = users 46 | ;listen.mode = 0660 47 | 48 | ; List of ipv4 addresses of FastCGI clients which are allowed to connect. 49 | ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original 50 | ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address 51 | ; must be separated by a comma. If this value is left blank, connections will be 52 | ; accepted from any ip address. 53 | ; Default Value: any 54 | ;listen.allowed_clients = 127.0.0.1 55 | 56 | ; Specify the nice(2) priority to apply to the pool processes (only if set) 57 | ; The value can vary from -19 (highest priority) to 20 (lower priority) 58 | ; Note: - It will only work if the FPM master process is launched as root 59 | ; - The pool processes will inherit the master process priority 60 | ; unless it specified otherwise 61 | ; Default Value: no set 62 | ; priority = -19 63 | 64 | ; Choose how the process manager will control the number of child processes. 65 | ; Possible Values: 66 | ; static - a fixed number (pm.max_children) of child processes; 67 | ; dynamic - the number of child processes are set dynamically based on the 68 | ; following directives. With this process management, there will be 69 | ; always at least 1 children. 70 | ; pm.max_children - the maximum number of children that can 71 | ; be alive at the same time. 72 | ; pm.start_servers - the number of children created on startup. 73 | ; pm.min_spare_servers - the minimum number of children in 'idle' 74 | ; state (waiting to process). 
If the number 75 | ; of 'idle' processes is less than this 76 | ; number then some children will be created. 77 | ; pm.max_spare_servers - the maximum number of children in 'idle' 78 | ; state (waiting to process). If the number 79 | ; of 'idle' processes is greater than this 80 | ; number then some children will be killed. 81 | ; ondemand - no children are created at startup. Children will be forked when 82 | ; new requests will connect. The following parameter are used: 83 | ; pm.max_children - the maximum number of children that 84 | ; can be alive at the same time. 85 | ; pm.process_idle_timeout - The number of seconds after which 86 | ; an idle process will be killed. 87 | ; Note: This value is mandatory. 88 | pm = dynamic 89 | 90 | ; The number of child processes to be created when pm is set to 'static' and the 91 | ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. 92 | ; This value sets the limit on the number of simultaneous requests that will be 93 | ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. 94 | ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP 95 | ; CGI. The below defaults are based on a server without much resources. Don't 96 | ; forget to tweak pm.* to fit your needs. 97 | ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' 98 | ; Note: This value is mandatory. 99 | pm.max_children = 5 100 | 101 | ; The number of child processes created on startup. 102 | ; Note: Used only when pm is set to 'dynamic' 103 | ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 104 | pm.start_servers = 2 105 | 106 | ; The desired minimum number of idle server processes. 107 | ; Note: Used only when pm is set to 'dynamic' 108 | ; Note: Mandatory when pm is set to 'dynamic' 109 | pm.min_spare_servers = 1 110 | 111 | ; The desired maximum number of idle server processes. 
112 | ; Note: Used only when pm is set to 'dynamic' 113 | ; Note: Mandatory when pm is set to 'dynamic' 114 | pm.max_spare_servers = 3 115 | 116 | ; The number of seconds after which an idle process will be killed. 117 | ; Note: Used only when pm is set to 'ondemand' 118 | ; Default Value: 10s 119 | ;pm.process_idle_timeout = 10s; 120 | 121 | ; The number of requests each child process should execute before respawning. 122 | ; This can be useful to work around memory leaks in 3rd party libraries. For 123 | ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. 124 | ; Default Value: 0 125 | ;pm.max_requests = 500 126 | 127 | ; The URI to view the FPM status page. If this value is not set, no URI will be 128 | ; recognized as a status page. It shows the following informations: 129 | ; pool - the name of the pool; 130 | ; process manager - static, dynamic or ondemand; 131 | ; start time - the date and time FPM has started; 132 | ; start since - number of seconds since FPM has started; 133 | ; accepted conn - the number of request accepted by the pool; 134 | ; listen queue - the number of request in the queue of pending 135 | ; connections (see backlog in listen(2)); 136 | ; max listen queue - the maximum number of requests in the queue 137 | ; of pending connections since FPM has started; 138 | ; listen queue len - the size of the socket queue of pending connections; 139 | ; idle processes - the number of idle processes; 140 | ; active processes - the number of active processes; 141 | ; total processes - the number of idle + active processes; 142 | ; max active processes - the maximum number of active processes since FPM 143 | ; has started; 144 | ; max children reached - number of times, the process limit has been reached, 145 | ; when pm tries to start more children (works only for 146 | ; pm 'dynamic' and 'ondemand'); 147 | ; Value are updated in real time. 
148 | ; Example output: 149 | ; pool: www 150 | ; process manager: static 151 | ; start time: 01/Jul/2011:17:53:49 +0200 152 | ; start since: 62636 153 | ; accepted conn: 190460 154 | ; listen queue: 0 155 | ; max listen queue: 1 156 | ; listen queue len: 42 157 | ; idle processes: 4 158 | ; active processes: 11 159 | ; total processes: 15 160 | ; max active processes: 12 161 | ; max children reached: 0 162 | ; 163 | ; By default the status page output is formatted as text/plain. Passing either 164 | ; 'html', 'xml' or 'json' in the query string will return the corresponding 165 | ; output syntax. Example: 166 | ; http://www.foo.bar/status 167 | ; http://www.foo.bar/status?json 168 | ; http://www.foo.bar/status?html 169 | ; http://www.foo.bar/status?xml 170 | ; 171 | ; By default the status page only outputs short status. Passing 'full' in the 172 | ; query string will also return status for each pool process. 173 | ; Example: 174 | ; http://www.foo.bar/status?full 175 | ; http://www.foo.bar/status?json&full 176 | ; http://www.foo.bar/status?html&full 177 | ; http://www.foo.bar/status?xml&full 178 | ; The Full status returns for each process: 179 | ; pid - the PID of the process; 180 | ; state - the state of the process (Idle, Running, ...); 181 | ; start time - the date and time the process has started; 182 | ; start since - the number of seconds since the process has started; 183 | ; requests - the number of requests the process has served; 184 | ; request duration - the duration in µs of the requests; 185 | ; request method - the request method (GET, POST, ...); 186 | ; request URI - the request URI with the query string; 187 | ; content length - the content length of the request (only with POST); 188 | ; user - the user (PHP_AUTH_USER) (or '-' if not set); 189 | ; script - the main script called (or '-' if not set); 190 | ; last request cpu - the %cpu the last request consumed 191 | ; it's always 0 if the process is not in Idle state 192 | ; because CPU 
calculation is done when the request 193 | ; processing has terminated; 194 | ; last request memory - the max amount of memory the last request consumed 195 | ; it's always 0 if the process is not in Idle state 196 | ; because memory calculation is done when the request 197 | ; processing has terminated; 198 | ; If the process is in Idle state, then informations are related to the 199 | ; last request the process has served. Otherwise informations are related to 200 | ; the current request being served. 201 | ; Example output: 202 | ; ************************ 203 | ; pid: 31330 204 | ; state: Running 205 | ; start time: 01/Jul/2011:17:53:49 +0200 206 | ; start since: 63087 207 | ; requests: 12808 208 | ; request duration: 1250261 209 | ; request method: GET 210 | ; request URI: /test_mem.php?N=10000 211 | ; content length: 0 212 | ; user: - 213 | ; script: /home/fat/web/docs/php/test_mem.php 214 | ; last request cpu: 0.00 215 | ; last request memory: 0 216 | ; 217 | ; Note: There is a real-time FPM status monitoring sample web page available 218 | ; It's available in: ${prefix}/share/fpm/status.html 219 | ; 220 | ; Note: The value must start with a leading slash (/). The value can be 221 | ; anything, but it may not be a good idea to use the .php extension or it 222 | ; may conflict with a real PHP file. 223 | ; Default Value: not set 224 | ;pm.status_path = /status 225 | 226 | ; The ping URI to call the monitoring page of FPM. If this value is not set, no 227 | ; URI will be recognized as a ping page. This could be used to test from outside 228 | ; that FPM is alive and responding, or to 229 | ; - create a graph of FPM availability (rrd or such); 230 | ; - remove a server from a group if it is not responding (load balancing); 231 | ; - trigger alerts for the operating team (24/7). 232 | ; Note: The value must start with a leading slash (/). 
The value can be 233 | ; anything, but it may not be a good idea to use the .php extension or it 234 | ; may conflict with a real PHP file. 235 | ; Default Value: not set 236 | ;ping.path = /ping 237 | 238 | ; This directive may be used to customize the response of a ping request. The 239 | ; response is formatted as text/plain with a 200 response code. 240 | ; Default Value: pong 241 | ;ping.response = pong 242 | 243 | ; The access log file 244 | ; Default: not set 245 | ;access.log = log/$pool.access.log 246 | 247 | ; The access log format. 248 | ; The following syntax is allowed 249 | ; %%: the '%' character 250 | ; %C: %CPU used by the request 251 | ; it can accept the following format: 252 | ; - %{user}C for user CPU only 253 | ; - %{system}C for system CPU only 254 | ; - %{total}C for user + system CPU (default) 255 | ; %d: time taken to serve the request 256 | ; it can accept the following format: 257 | ; - %{seconds}d (default) 258 | ; - %{miliseconds}d 259 | ; - %{mili}d 260 | ; - %{microseconds}d 261 | ; - %{micro}d 262 | ; %e: an environment variable (same as $_ENV or $_SERVER) 263 | ; it must be associated with embraces to specify the name of the env 264 | ; variable. Some exemples: 265 | ; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e 266 | ; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e 267 | ; %f: script filename 268 | ; %l: content-length of the request (for POST request only) 269 | ; %m: request method 270 | ; %M: peak of memory allocated by PHP 271 | ; it can accept the following format: 272 | ; - %{bytes}M (default) 273 | ; - %{kilobytes}M 274 | ; - %{kilo}M 275 | ; - %{megabytes}M 276 | ; - %{mega}M 277 | ; %n: pool name 278 | ; %o: output header 279 | ; it must be associated with embraces to specify the name of the header: 280 | ; - %{Content-Type}o 281 | ; - %{X-Powered-By}o 282 | ; - %{Transfert-Encoding}o 283 | ; - .... 
284 | ; %p: PID of the child that serviced the request 285 | ; %P: PID of the parent of the child that serviced the request 286 | ; %q: the query string 287 | ; %Q: the '?' character if query string exists 288 | ; %r: the request URI (without the query string, see %q and %Q) 289 | ; %R: remote IP address 290 | ; %s: status (response code) 291 | ; %t: server time the request was received 292 | ; it can accept a strftime(3) format: 293 | ; %d/%b/%Y:%H:%M:%S %z (default) 294 | ; %T: time the log has been written (the request has finished) 295 | ; it can accept a strftime(3) format: 296 | ; %d/%b/%Y:%H:%M:%S %z (default) 297 | ; %u: remote user 298 | ; 299 | ; Default: "%R - %u %t \"%m %r\" %s" 300 | ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" 301 | 302 | ; The log file for slow requests 303 | ; Default Value: not set 304 | ; Note: slowlog is mandatory if request_slowlog_timeout is set 305 | ;slowlog = log/$pool.log.slow 306 | 307 | ; The timeout for serving a single request after which a PHP backtrace will be 308 | ; dumped to the 'slowlog' file. A value of '0s' means 'off'. 309 | ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) 310 | ; Default Value: 0 311 | ;request_slowlog_timeout = 0 312 | 313 | ; The timeout for serving a single request after which the worker process will 314 | ; be killed. This option should be used when the 'max_execution_time' ini option 315 | ; does not stop script execution for some reason. A value of '0' means 'off'. 316 | ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) 317 | ; Default Value: 0 318 | ;request_terminate_timeout = 0 319 | 320 | ; Set open file descriptor rlimit. 321 | ; Default Value: system defined value 322 | ;rlimit_files = 1024 323 | 324 | ; Set max core size rlimit. 
325 | ; Possible Values: 'unlimited' or an integer greater or equal to 0 326 | ; Default Value: system defined value 327 | ;rlimit_core = 0 328 | 329 | ; Chroot to this directory at the start. This value must be defined as an 330 | ; absolute path. When this value is not set, chroot is not used. 331 | ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one 332 | ; of its subdirectories. If the pool prefix is not set, the global prefix 333 | ; will be used instead. 334 | ; Note: chrooting is a great security feature and should be used whenever 335 | ; possible. However, all PHP paths will be relative to the chroot 336 | ; (error_log, sessions.save_path, ...). 337 | ; Default Value: not set 338 | ;chroot = 339 | 340 | ; Chdir to this directory at the start. 341 | ; Note: relative path can be used. 342 | ; Default Value: current directory or / when chroot 343 | chdir = / 344 | 345 | ; Redirect worker stdout and stderr into main error log. If not set, stdout and 346 | ; stderr will be redirected to /dev/null according to FastCGI specs. 347 | ; Note: on highloaded environement, this can cause some delay in the page 348 | ; process time (several ms). 349 | ; Default Value: no 350 | ;catch_workers_output = yes 351 | 352 | ; Limits the extensions of the main script FPM will allow to parse. This can 353 | ; prevent configuration mistakes on the web server side. You should only limit 354 | ; FPM to .php extensions to prevent malicious users to use other extensions to 355 | ; exectute php code. 356 | ; Note: set an empty value to allow all extensions. 357 | ; Default Value: .php 358 | ;security.limit_extensions = .php .php3 .php4 .php5 359 | 360 | ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from 361 | ; the current environment. 
362 | ; Default Value: clean env 363 | ;env[HOSTNAME] = $HOSTNAME 364 | ;env[PATH] = /usr/local/bin:/usr/bin:/bin 365 | ;env[TMP] = /tmp 366 | ;env[TMPDIR] = /tmp 367 | ;env[TEMP] = /tmp 368 | 369 | ; Additional php.ini defines, specific to this pool of workers. These settings 370 | ; overwrite the values previously defined in the php.ini. The directives are the 371 | ; same as the PHP SAPI: 372 | ; php_value/php_flag - you can set classic ini defines which can 373 | ; be overwritten from PHP call 'ini_set'. 374 | ; php_admin_value/php_admin_flag - these directives won't be overwritten by 375 | ; PHP call 'ini_set' 376 | ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. 377 | 378 | ; Defining 'extension' will load the corresponding shared extension from 379 | ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not 380 | ; overwrite previously defined php.ini values, but will append the new value 381 | ; instead. 382 | 383 | ; Note: path INI options can be relative and will be expanded with the prefix 384 | ; (pool, global or /usr) 385 | 386 | ; Default Value: nothing is defined by default except the values in php.ini and 387 | ; specified at startup with the -d argument 388 | ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com 389 | ;php_flag[display_errors] = off 390 | ;php_admin_value[error_log] = /var/log/fpm-php.www.log 391 | ;php_admin_flag[log_errors] = on 392 | ;php_admin_value[memory_limit] = 32M 393 | -------------------------------------------------------------------------------- /defaults/nginx.conf: -------------------------------------------------------------------------------- 1 | user nobody users; 2 | worker_processes 4; 3 | pid /run/nginx.pid; 4 | 5 | events { 6 | worker_connections 768; 7 | # multi_accept on; 8 | } 9 | 10 | http { 11 | 12 | ## 13 | # Basic Settings 14 | ## 15 | 16 | sendfile on; 17 | tcp_nopush on; 18 | tcp_nodelay on; 19 | keepalive_timeout 65; 20 | 
types_hash_max_size 2048; 21 | # server_tokens off; 22 | 23 | # server_names_hash_bucket_size 64; 24 | # server_name_in_redirect off; 25 | 26 | client_max_body_size 0; 27 | 28 | include /etc/nginx/mime.types; 29 | default_type application/octet-stream; 30 | 31 | ## 32 | # Logging Settings 33 | ## 34 | 35 | access_log /config/log/nginx/access.log; 36 | error_log /config/log/nginx/error.log; 37 | 38 | ## 39 | # Gzip Settings 40 | ## 41 | 42 | gzip on; 43 | gzip_disable "msie6"; 44 | 45 | # gzip_vary on; 46 | # gzip_proxied any; 47 | # gzip_comp_level 6; 48 | # gzip_buffers 16 8k; 49 | # gzip_http_version 1.1; 50 | # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; 51 | 52 | include /etc/nginx/conf.d/*.conf; 53 | include /config/nginx/site-confs/*; 54 | 55 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 56 | ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; 57 | ssl_prefer_server_ciphers on; 58 | ssl_session_cache shared:SSL:10m; 59 | add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; 60 | add_header X-Frame-Options SAMEORIGIN; 61 | add_header X-Content-Type-Options nosniff; 62 | add_header X-XSS-Protection "1; mode=block"; 63 | add_header X-Robots-Tag none; 64 | ssl_stapling on; # Requires nginx >= 1.3.7 65 | ssl_stapling_verify on; # Requires nginx => 1.3.7 66 | 67 | } 68 | 69 | -------------------------------------------------------------------------------- /defaults/nginxrotate: -------------------------------------------------------------------------------- 1 | /config/log/nginx/*.log { 2 | weekly 3 | missingok 4 | rotate 14 5 | compress 6 | delaycompress 7 | notifempty 8 | create 0640 www-data adm 9 | sharedscripts 10 | prerotate 11 | if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ 12 | run-parts /etc/logrotate.d/httpd-prerotate; \ 13 | fi \ 14 | endscript 15 | postrotate 16 | service nginx rotate >/dev/null 2>&1 17 | endscript 18 | } 
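# -------------------------------------------------------------------------------- /firstrun.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# firstrun.sh - container start-up script (installed as /etc/my_init.d/firstrun.sh).
#
# On every start it:
#   * seeds /config with the default nginx, php-fpm and fail2ban configuration
#     where the user has not supplied their own;
#   * links the /config volume into /etc (nginx.conf, letsencrypt, keys);
#   * records the certificate settings in /config/donoteditthisfile.conf and,
#     when URL / SUBDOMAINS / ONLY_SUBDOMAINS differ from the recorded ones,
#     revokes the old certificate and wipes the letsencrypt state;
#   * creates (or re-creates) the DH parameters at DHLEVEL bits;
#   * obtains a Let's Encrypt certificate with certbot-auto, or renews it via
#     /defaults/letsencrypt.sh when one already exists;
#   * starts php5-fpm, nginx and fail2ban.
#
# Environment read:    TZ, URL, SUBDOMAINS, ONLY_SUBDOMAINS, DHLEVEL, EMAIL
#                      (operator supplied; DHLEVEL and ONLY_SUBDOMAINS have
#                      defaults in the Dockerfile).
# Environment written: HOME, SUBDOMAINS2 (exported, kept for compatibility).
#
# Every value above is interpolated into file paths, a sed script and the
# state file that is later sourced with '.', so the script trusts its
# environment completely. Do not feed it values from an untrusted source.

export HOME="/root"

readonly STATE_FILE="/config/donoteditthisfile.conf"
readonly DHPARAMS="/config/nginx/dhparams.pem"

#######################################
# Persist the settings the current certificate was issued for.
# The file is read back with '.' (executed as shell), which is why it is
# written through printf with a fixed format instead of echo -e.
# Arguments: $1 url, $2 subdomains, $3 only_subdomains, $4 dhlevel
# Outputs:   overwrites STATE_FILE
#######################################
write_state() {
  printf 'ORIGURL="%s" ORIGSUBDOMAINS="%s" ORIGONLY_SUBDOMAINS="%s" ORIGDHLEVEL="%s"\n' \
    "$1" "$2" "$3" "$4" > "$STATE_FILE"
}

#######################################
# Install a default file into /config unless the user already has one there.
# Arguments: $1 source under /defaults, $2 destination, $3 label for log lines
#######################################
seed_default() {
  local src=$1 dst=$2 label=$3
  if [ ! -f "$dst" ]; then
    echo "Copying the default $label"
    cp "$src" "$dst"
  else
    echo "Using existing $label"
  fi
}

#######################################
# Print the name this script expects the certbot lineage to carry when
# ONLY_SUBDOMAINS=true: the first comma-separated subdomain joined to the
# base domain.
# Arguments: $1 comma-separated subdomains, $2 base domain
# Outputs:   the FQDN on stdout
#######################################
first_subdomain_fqdn() {
  local first=${1%%,*}
  first=${first//[[:space:]]/}
  printf '%s.%s\n' "$first" "$2"
}

#######################################
# Generate fresh DH parameters of DHLEVEL bits at DHPARAMS.
# Globals: DHLEVEL (read), DHPARAMS (read)
#######################################
generate_dhparams() {
  openssl dhparam -out "$DHPARAMS" "$DHLEVEL"
  echo "DH parameters successfully created - $DHLEVEL bits"
}

# --- time zone ----------------------------------------------------------------
# Only touch the system and PHP time zone when TZ is actually set; an unset TZ
# would otherwise write an empty /etc/timezone and an empty date.timezone.
if [ -n "$TZ" ] && [ "$(cat /etc/timezone)" != "$TZ" ]; then
  echo "Setting the correct time"
  echo "$TZ" > /etc/timezone
  dpkg-reconfigure -f noninteractive tzdata
  # TZ is spliced into a sed script with '#' as delimiter; a TZ containing
  # '#' or '&' would corrupt php.ini (operator controlled, so only documented).
  sed -i -e "s#;date.timezone.*#date.timezone = ${TZ}#g" /etc/php5/fpm/php.ini
  sed -i -e "s#;date.timezone.*#date.timezone = ${TZ}#g" /etc/php5/cli/php.ini
fi

# --- seed /config -------------------------------------------------------------
mkdir -p /config/nginx/site-confs /config/www /config/log/nginx /config/log/letsencrypt /config/etc/letsencrypt

seed_default /defaults/nginx.conf     /config/nginx/nginx.conf         "nginx.conf"
seed_default /defaults/nginx-fpm.conf /config/nginx/nginx-fpm.conf     "nginx-fpm.conf"
seed_default /defaults/default        /config/nginx/site-confs/default "site config"
seed_default /defaults/jail.local     /config/nginx/jail.local         "jail.local"

# The landing page is only seeded into an empty web root, so user content is
# never overwritten.
if [ "$(find /config/www -type f | wc -l)" -eq 0 ]; then
  echo "Copying the default landing page"
  cp /defaults/index.html /config/www/index.html
else
  echo "Using existing landing page"
fi

if [ ! -d /config/nginx/fail2ban-filters ]; then
  echo "Copying default fail2ban filters"
  cp -R /defaults/fail2ban-filters /config/nginx/
else
  echo "Using existing fail2ban filters"
fi

# --- wire /config into /etc ---------------------------------------------------
cp /config/nginx/nginx-fpm.conf /etc/php5/fpm/pool.d/www.conf
cp /config/nginx/jail.local /etc/fail2ban/jail.local
cp /config/nginx/fail2ban-filters/* /etc/fail2ban/filter.d/
rm -f /etc/nginx/nginx.conf
ln -s /config/nginx/nginx.conf /etc/nginx/nginx.conf

rm -rf /etc/letsencrypt
ln -s /config/etc/letsencrypt /etc/letsencrypt

# /config/keys points at the lineage directory under live/; the script expects
# it to be named after the base URL, or after the first subdomain when
# ONLY_SUBDOMAINS=true.
rm -rf /config/keys
if [ "$ONLY_SUBDOMAINS" = "true" ]; then
  DOMAIN=$(first_subdomain_fqdn "$SUBDOMAINS" "$URL")
else
  DOMAIN=$URL
fi
ln -s "/config/etc/letsencrypt/live/$DOMAIN" /config/keys

# --- certificate settings bookkeeping -----------------------------------------
if [ ! -f "$STATE_FILE" ]; then
  write_state "$URL" "$SUBDOMAINS" "$ONLY_SUBDOMAINS" "$DHLEVEL"
fi

# Build the -d list for certbot as an array so every name is passed as one
# word; SUBDOMAINS2 keeps the old exported string form.
cert_args=()
SUBDOMAINS2=""
if [ -n "$SUBDOMAINS" ]; then
  echo "SUBDOMAINS entered, processing"
  IFS=',' read -r -a subdomain_list <<< "$SUBDOMAINS"
  for sub in "${subdomain_list[@]}"; do
    sub=${sub//[[:space:]]/}
    [ -n "$sub" ] || continue
    cert_args+=(-d "$sub.$URL")
    SUBDOMAINS2="$SUBDOMAINS2 -d $sub.$URL"
  done
  export SUBDOMAINS2
  if [ "$ONLY_SUBDOMAINS" = "true" ]; then
    echo "Only subdomains, no URL in cert"
  else
    cert_args=(-d "$URL" "${cert_args[@]}")
  fi
  echo "Sub-domains processed are:$SUBDOMAINS2"
else
  echo "No subdomains defined"
  cert_args=(-d "$URL")
fi

# Load the recorded settings. This executes the file as shell; it is only ever
# written by write_state above from the operator's environment.
. "$STATE_FILE"
# Defaults for keys that can be absent from an existing state file.
if [ -z "$ORIGONLY_SUBDOMAINS" ]; then
  export ORIGONLY_SUBDOMAINS="false"
fi
if [ -z "$ORIGDHLEVEL" ]; then
  export ORIGDHLEVEL=$DHLEVEL
fi
write_state "$ORIGURL" "$ORIGSUBDOMAINS" "$ORIGONLY_SUBDOMAINS" "$ORIGDHLEVEL"

# Quoted comparisons: an empty value on either side must count as a change
# instead of producing a test(1) syntax error that hides the difference.
if [ "$URL" != "$ORIGURL" ] || [ "$SUBDOMAINS" != "$ORIGSUBDOMAINS" ] || [ "$ONLY_SUBDOMAINS" != "$ORIGONLY_SUBDOMAINS" ]; then
  echo "Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
  if [ "$ORIGONLY_SUBDOMAINS" = "true" ]; then
    ORIGDOMAIN=$(first_subdomain_fqdn "$ORIGSUBDOMAINS" "$ORIGURL")
  else
    ORIGDOMAIN=$ORIGURL
  fi
  # Revocation is best effort: the old lineage may already be gone, and the
  # letsencrypt state is wiped either way so a fresh issuance follows.
  /defaults/certbot-auto revoke --non-interactive --cert-path "/config/etc/letsencrypt/live/$ORIGDOMAIN/fullchain.pem" \
    || echo "Revoking the previous certificate failed; continuing with a new request" >&2
  rm -rf /config/etc
  mkdir -p /config/etc/letsencrypt
  write_state "$URL" "$SUBDOMAINS" "$ONLY_SUBDOMAINS" "$DHLEVEL"
fi

# --- DH parameters ------------------------------------------------------------
# A missing file and a changed DHLEVEL are handled in one chain so the
# (slow) generation never runs twice in the same start.
if [ ! -f "$DHPARAMS" ]; then
  echo "Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed"
  generate_dhparams
elif [ "$DHLEVEL" != "$ORIGDHLEVEL" ]; then
  rm -f "$DHPARAMS"
  echo "DH parameters bit setting changed. Creating new parameters. This may take a very long time. There will be another message once this process is completed"
  generate_dhparams
else
  echo "$ORIGDHLEVEL bit DH parameters present"
fi
if [ "$DHLEVEL" != "$ORIGDHLEVEL" ]; then
  write_state "$URL" "$SUBDOMAINS" "$ONLY_SUBDOMAINS" "$DHLEVEL"
fi

# --- ownership ----------------------------------------------------------------
# NOTE(review): this recursive chown also covers /config/etc/letsencrypt, so on
# every restart after the first issuance the Let's Encrypt private keys end up
# owned by nobody:users, the same account php-fpm runs as (nginx-fpm.conf).
# Excluding /config/etc from this chown should be the tighter choice; kept
# as-is here to preserve existing behaviour.
chown -R nobody:users /config
chmod -R go-w /config/log

# --- certificate --------------------------------------------------------------
if [ ! -f /config/keys/fullchain.pem ]; then
  echo "Generating new certificate"
  if [ -z "$EMAIL" ]; then
    echo "EMAIL is not set; the non-interactive certbot registration will most likely fail" >&2
  fi
  cd /defaults && ./certbot-auto certonly --non-interactive --renew-by-default --standalone \
    --standalone-supported-challenges tls-sni-01 --rsa-key-size 4096 \
    --email "$EMAIL" --agree-tos "${cert_args[@]}"
  # The PKCS#12 bundle is written with an EMPTY export password (-passout pass:)
  # and contains the private key: anyone who can read /config/keys can use it.
  if cd /config/keys; then
    openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
  else
    echo "Certificate request did not produce /config/keys; skipping the .pfx export" >&2
  fi
else
  cd /defaults && ./letsencrypt.sh
fi

# --- services -----------------------------------------------------------------
service php5-fpm start
service nginx start
# A socket presumably left behind by an unclean shutdown is removed so
# fail2ban can create it again.
if [ -S /var/run/fail2ban/fail2ban.sock ]; then
  echo "fail2ban.sock found, deleting"
  rm /var/run/fail2ban/fail2ban.sock
fi
service fail2ban start
# -------------------------------------------------------------------------------- /services/memcached/run: --------------------------------------------------------------------------------
#!/bin/bash
# runit service: memcached in the foreground as the unprivileged 'nobody'
# user, with verbose logging.
exec /usr/bin/memcached -u nobody -v
# --------------------------------------------------------------------------------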