From 6111ab387723e4431a735b8c7707a45162b4c2dc Mon Sep 17 00:00:00 2001
From: Edi Septriyanto
Date: Sun, 14 Jul 2024 21:54:48 +0700
Subject: [PATCH 1/4] Fix memory calculation
---
 scripts/install_redis.sh | 6 +++---
 scripts/utils.sh | 27 +++++++++++++++++++++------
 2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh
index c4364f2..3c2e7f5 100755
--- a/scripts/install_redis.sh
+++ b/scripts/install_redis.sh
@@ -143,10 +143,10 @@ function init_redis_install {
 local RAM_SIZE && \
 RAM_SIZE=$(get_ram_size)
- if [[ ${RAM_SIZE} -le 1024 ]]; then
- # If machine RAM less than / equal 1GiB, set Redis max mem to 1/8 of RAM size.
+ if [[ ${RAM_SIZE} -le 2048 ]]; then
+ # If machine RAM less than / equal 2GiB, set Redis max mem to 1/8 of RAM size.
 local REDISMEM_SIZE=$((RAM_SIZE / 8))
- elif [[ ${RAM_SIZE} -gt 1024 && ${RAM_SIZE} -le 8192 ]]; then
+ elif [[ ${RAM_SIZE} -gt 2048 && ${RAM_SIZE} -le 8192 ]]; then
 # If machine RAM less than / equal 8GiB and greater than 2GiB,
 # set Redis max mem to 1/4 of RAM size.
 local REDISMEM_SIZE=$((RAM_SIZE / 4))
diff --git a/scripts/utils.sh b/scripts/utils.sh
index 6f5853b..4e9c23d 100755
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
@@ -340,9 +340,11 @@ function validate_fqdn() {
 function get_distrib_name() {
 if [ -f /etc/os-release ]; then
 # Export os-release vars.
+ # shellcheck disable=SC1091
 . /etc/os-release
 # Export lsb-release vars.
+ # shellcheck disable=SC1091
 [ -f /etc/lsb-release ] && . /etc/lsb-release
 # Get distribution name.
@@ -361,9 +363,11 @@ function get_distrib_name() {
 function get_release_name() {
 if [ -f /etc/os-release ]; then
 # Export os-release vars.
+ # shellcheck disable=SC1091
 . /etc/os-release
 # Export lsb-release vars.
+ # shellcheck disable=SC1091
 [ -f /etc/lsb-release ] && . /etc/lsb-release
 # Get distribution name.
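Review bot: `[[ ${RAM_SIZE} -le 2048 ]]` is still evaluated when get_ram_size returns an empty string (bash scores an empty operand of `-le` as 0), so a host where dmidecode prints nothing is sized as a tiny machine and REDISMEM_SIZE becomes 0 — which Redis treats as "no limit" if that value ends up in `maxmemory`, something the rest of init_redis_install (outside this hunk) would have to confirm. Add a guard before the comparison, `[[ ${RAM_SIZE} =~ ^[0-9]+$ && ${RAM_SIZE} -gt 0 ]] || { echo "Cannot determine RAM size, not sizing Redis automatically." >&2; return 1; }`, or have the caller supply an explicit size. The same unguarded comparison on RAM_SIZE is in create_swap in scripts/utils.sh, the last hunk of this patch.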
@@ -450,9 +454,11 @@ function get_release_name() {
 function get_release_version() {
 if [ -f /etc/os-release ]; then
 # Export os-release vars.
+ # shellcheck disable=SC1091
 . /etc/os-release
 # Export lsb-release vars.
+ # shellcheck disable=SC1091
 [ -f /etc/lsb-release ] && . /etc/lsb-release
 # Get distribution release / version ID.
@@ -593,12 +599,21 @@ function preflight_system_check() {
 # Get physical RAM size.
 function get_ram_size() {
- local RAM_SIZE
+ local _RAM_SIZE
+ local RAM_SIZE_IN_MB
 # Calculate RAM size in MB.
- RAM_SIZE=$(dmidecode -t 17 | awk '( /Size/ && $2 ~ /^[0-9]+$/ ) { x+=$2 } END{ print x}')
+ _RAM_SIZE=$(dmidecode -t 17 | awk '( /Size/ && $2 ~ /^[0-9]+$/ ) { x+=$2 } END{ print x}')
- echo "${RAM_SIZE}"
+ # Hack for calculating RAM size in MiB.
+ if [[ ${_RAM_SIZE} -le 128 ]]; then
+ # If RAM size less than / equal 128, assume that the size is in GB.
+ RAM_SIZE_IN_MB=$((_RAM_SIZE * 1024))
+ else
+ RAM_SIZE_IN_MB=$((_RAM_SIZE * 1))
+ fi
+
+ echo "${RAM_SIZE_IN_MB}"
 }
 # Create custom Swap.
@@ -611,11 +626,11 @@ function create_swap() {
 # If machine RAM less than / equal 2GiB, set swap to 2x of RAM size.
 local SWAP_SIZE=$((RAM_SIZE * 2))
 elif [[ ${RAM_SIZE} -gt 2048 && ${RAM_SIZE} -le 32768 ]]; then
- # If machine RAM less than / equal 8GiB and greater than 2GiB, set swap equal to RAM size + 1x.
+ # If machine RAM less than / equal 32GiB and greater than 2GiB, set swap equal to RAM size + 1x.
 local SWAP_SIZE=$((4096 + (RAM_SIZE - 2048)))
 else
- # Otherwise, set swap to max of the physical / allocated memory.
- local SWAP_SIZE="${RAM_SIZE}"
+ # Otherwise, set swap to max of 1x of the physical / allocated memory.
+ local SWAP_SIZE=$((RAM_SIZE * 1))
 fi
 echo "Creating ${SWAP_SIZE}MiB swap..."
From 83939acf55b5ffd4dc72840cd01865c0880eda3e Mon Sep 17 00:00:00 2001
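Review bot: The `-le 128` heuristic in get_ram_size guesses the unit instead of reading it, so modules that dmidecode reports in different units (one line in MB, another in GB) are summed as if they were the same, a machine with more than 128 GB reported in GB is returned as that many megabytes, and an empty dmidecode result (no SMBIOS tables, not running as root) still satisfies the test and silently becomes 0. dmidecode prints the unit in the third column of each Size line, so the awk filter can convert per module and the `* 1` branch disappears; printing `x + 0` also guarantees a numeric result, and callers should treat 0 as "unknown" rather than as a size. The rewritten function is below; the hunk's `local` declarations are folded into it.
```shell
function get_ram_size() {
  local RAM_SIZE_IN_MB

  # Sum installed modules, converting each line on the unit dmidecode prints
  # ("MB", or "GB" on newer releases). Lines without a number in $2 (e.g.
  # "No Module Installed") are skipped. Prints 0 when nothing parsable is found;
  # callers must treat 0 as "could not determine", not as a real size.
  RAM_SIZE_IN_MB=$(dmidecode -t 17 | awk '( /Size/ && $2 ~ /^[0-9]+$/ ) { if ($3 == "GB") { x += $2 * 1024 } else { x += $2 } } END { print x + 0 }')

  echo "${RAM_SIZE_IN_MB}"
}
```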
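Review bot: `local SWAP_SIZE=$((RAM_SIZE * 1))` in the else branch of create_swap multiplies by one, which only restates `"${RAM_SIZE}"` in arithmetic form and makes a reader look for a unit conversion that is not there. If the intent is to force an integer, declare `local -i SWAP_SIZE` once above the `if` and assign plainly in each branch; otherwise keep `local SWAP_SIZE="${RAM_SIZE}"` as it was. Declaring `local SWAP_SIZE` separately in every branch also obscures that the variable is function-scoped whichever branch runs. create_swap's head and the comparison that feeds it are outside this hunk.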
From: Edi Septriyanto
Date: Sun, 14 Jul 2024 21:57:36 +0700
Subject: [PATCH 2/4] Fix Nginx's http2 deprecation warn issue #171
---
 etc/nginx/sites-available/default-ssl | 10 ++++++----
 lib/lemper-manage.sh | 6 ++++--
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/etc/nginx/sites-available/default-ssl b/etc/nginx/sites-available/default-ssl
index 83cdbef..6c69834 100644
--- a/etc/nginx/sites-available/default-ssl
+++ b/etc/nginx/sites-available/default-ssl
@@ -1,8 +1,9 @@
 # Generated by LEMPer.sh
 server {
- listen 443 ssl http2 default_server;
- listen [::]:443 ssl http2 default_server;
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
 server_name localhost.localdomain;
@@ -146,8 +147,9 @@ server {
 ## LEMPer Web-based Administration
 server {
- listen 8083 ssl http2;
- listen [::]:8083 ssl http2;
+ listen 8083 ssl;
+ listen [::]:8083 ssl;
+ http2 on;
 server_name localhost.localdomain;
diff --git a/lib/lemper-manage.sh b/lib/lemper-manage.sh
index 9490f57..7aa84ff 100755
--- a/lib/lemper-manage.sh
+++ b/lib/lemper-manage.sh
@@ -74,6 +74,8 @@ Options:
 Remove virtual host configuration.
 -s, --enable-ssl
 Enable HTTP over SSL with Let's Encrypt.
+ -w, --enforce-non-www
+ Redirect www to non www host.
 --disable-ssl
 Disable HTTP over SSL.
 --remove-ssl
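Review bot: `http2 on;` is a directive that only exists in nginx 1.25.1 and later, so on a host whose nginx predates it (the file does not say which nginx the installer targets, so this is inferred) the default server in this hunk and the admin server in the second hunk of this file make `nginx -t` fail with an unknown directive instead of merely warning, which is a worse outcome than the deprecation notice being fixed. If older releases are still supported, either the installer should template the directive in only when the installed version is at least 1.25.1, or the old `listen ... http2` parameter should be kept for them. Recording the constraint above each directive, `# Requires nginx >= 1.25.1; replaces the deprecated 'listen ... http2' parameter.`, would keep the next maintainer from "fixing" it back.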
@@ -494,10 +496,10 @@ function enable_ssl() {
 if grep -qwE "^\ listen\ (\b[0-9]{1,3}\.){3}[0-9]{1,3}\b:80" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
 run sed -i "s/\:80/\:443\ ssl/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
 else
- run sed -i "s/listen\ 80/listen\ 443\ ssl\ http2/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
+ run sed -i "s/listen\ 80/listen\ 443\ ssl/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
 fi
- run sed -i "s/listen\ \[::\]:80/listen\ \[::\]:443\ ssl\ http2/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
+ run sed -i "s/listen\ \[::\]:80/listen\ \[::\]:443\ ssl/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
 # Enable SSL configs.
 run sed -i "s/http2\ off/http2\ on/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
From 3eb0909b9a3ddc3af1dc53d939bf8d2598c711c3 Mon Sep 17 00:00:00 2001
From: Edi Septriyanto
Date: Sun, 14 Jul 2024 21:58:21 +0700
Subject: [PATCH 3/4] Update CloudFlare IPs
---
 etc/nginx/http_cloudflare_ips | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/etc/nginx/http_cloudflare_ips b/etc/nginx/http_cloudflare_ips
index e75af73..c21fde1 100644
--- a/etc/nginx/http_cloudflare_ips
+++ b/etc/nginx/http_cloudflare_ips
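Review bot: The rewritten `sed "s/listen\ 80/listen\ 443\ ssl/g"` is an unanchored prefix match, so a vhost that also carries `listen 8080` or `listen 8083` would have it turned into `listen 443 ssl80`/`listen 443 ssl83`; anchoring on the terminator, `s/listen\ 80;/listen\ 443\ ssl;/g` (and `s/listen\ \[::\]:80;/listen\ \[::\]:443\ ssl;/g` for the IPv6 line), limits the edit to the intended directive. The `s/\:80/\:443\ ssl/g` line in the first branch has the same shape and is worth anchoring as well. The final `s/http2\ off/http2\ on/g` assumes the vhost template already contains `http2 off;`, which is outside this hunk; a vhost generated by an earlier release and later upgraded will simply get no HTTP/2 here, which may be fine but should be stated in a comment. enable_ssl continues outside the hunk.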
@@ -1,30 +1,30 @@
 ## Designed to be included to /etc/nginx/nginx.conf http{} or server{} block
 # CloudFlare CDN IPv4 Subnet
+set_real_ip_from 173.245.48.0/20;
 set_real_ip_from 103.21.244.0/22;
 set_real_ip_from 103.22.200.0/22;
 set_real_ip_from 103.31.4.0/22;
-set_real_ip_from 104.16.0.0/12;
-set_real_ip_from 108.162.192.0/18;
-set_real_ip_from 131.0.72.0/22;
 set_real_ip_from 141.101.64.0/18;
-set_real_ip_from 162.158.0.0/15;
-set_real_ip_from 172.64.0.0/13;
-set_real_ip_from 173.245.48.0/20;
-set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 108.162.192.0/18;
 set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
 set_real_ip_from 197.234.240.0/22;
 set_real_ip_from 198.41.128.0/17;
-set_real_ip_from 199.27.128.0/21;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 131.0.72.0/22;
 # CloudFlare CDN IPv6 Subnet
 set_real_ip_from 2400:cb00::/32;
-set_real_ip_from 2405:8100::/32;
-set_real_ip_from 2405:b500::/32;
 set_real_ip_from 2606:4700::/32;
 set_real_ip_from 2803:f800::/32;
-set_real_ip_from 2c0f:f248::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
 set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
 # Header
 real_ip_header CF-Connecting-IP;
From dbf06fd44dcff777a6a836490c7add4daa91cf15 Mon Sep 17 00:00:00 2001
From: Edi Septriyanto
Date: Sun, 14 Jul 2024 21:59:42 +0700
Subject: [PATCH 4/4] Improve Nginx's FastCGI caching
---
 etc/nginx/fastcgi_cache | 4 +---
 etc/nginx/includes/fastcgi.conf | 6 +++---
 etc/nginx/includes/fastcgi_cache.conf | 10 +++++-----
 etc/nginx/includes/rules_fastcgi_cache.conf | 6 +++---
 etc/nginx/includes/rules_restriction.conf | 8 ++++----
 etc/nginx/includes/rules_staticfiles.conf | 4 ++--
 6 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/etc/nginx/fastcgi_cache b/etc/nginx/fastcgi_cache
index d4ebdf4..9f1b1f7 100644
--- a/etc/nginx/fastcgi_cache
+++ b/etc/nginx/fastcgi_cache
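Review bot: The trusted-proxy list is hand-maintained and nothing in the file records where it came from or when it was last synced, so a later reader cannot tell whether dropping 199.27.128.0/21 and narrowing 104.16.0.0/12 to 104.16.0.0/13 plus 104.24.0.0/14 was deliberate; add a header comment such as `# Source: https://www.cloudflare.com/ips/ (ips-v4 and ips-v6) — last synced 2024-07-14` and consider having the installer regenerate the file from that published list. The trust boundary itself is unchanged: `CF-Connecting-IP` is honoured only for connections from the listed ranges, so a stale list fails safe (the edge address is logged instead of a spoofable client address), but any edge range missing from the list also means downstream allow/deny and rate-limit rules keyed on `$remote_addr` act on the proxy address for those requests.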
@@ -1,13 +1,11 @@
 ## Include this file if you want to use fastcgi_cache across many sites.
 # Designed to be included in /etc/nginx/nginx.conf http {} block.
-fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=FASTCGICACHE:100m max_size=1g inactive=60m;
+fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=LEMPERCACHE:200m max_size=10g inactive=2h;
 fastcgi_cache_key "$scheme$request_method$host$request_uri";
-fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
 fastcgi_cache_revalidate on;
 fastcgi_cache_background_update on;
-
 # FastCGI Log Format
 log_format cache '$remote_addr - $upstream_cache_status [$time_local] '
 '"$request" $status $body_bytes_sent '
diff --git a/etc/nginx/includes/fastcgi.conf b/etc/nginx/includes/fastcgi.conf
index 41c7634..27aa5e1 100644
--- a/etc/nginx/includes/fastcgi.conf
+++ b/etc/nginx/includes/fastcgi.conf
@@ -3,9 +3,9 @@
 fastcgi_intercept_errors on;
 fastcgi_ignore_client_abort off;
-fastcgi_connect_timeout 60;
-fastcgi_send_timeout 90;
-fastcgi_read_timeout 90;
+fastcgi_connect_timeout 120s;
+fastcgi_send_timeout 120s;
+fastcgi_read_timeout 120s;
 fastcgi_buffer_size 128k;
 fastcgi_buffers 128 128k;
 fastcgi_busy_buffers_size 128k;
diff --git a/etc/nginx/includes/fastcgi_cache.conf b/etc/nginx/includes/fastcgi_cache.conf
index 25c23b2..7b14c68 100644
--- a/etc/nginx/includes/fastcgi_cache.conf
+++ b/etc/nginx/includes/fastcgi_cache.conf
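Review bot: Renaming the zone from `FASTCGICACHE` to `LEMPERCACHE` in `fastcgi_cache_path` breaks every already-deployed vhost or include that still names the old zone — nginx refuses the whole configuration when a `fastcgi_cache` or `fastcgi_cache_purge` refers to an undefined zone — so an in-place upgrade needs a migration step (rewrite the old name in sites-available, or declare both zones for one release) rather than only the updated shipped includes; that existing installs carry the old name is inferred from the purge rule this same patch has to edit. The removal of `fastcgi_cache_use_stale` here is matched by its re-addition in includes/fastcgi_cache.conf, which the commit message does not mention; a comment next to `fastcgi_cache_key`, `# fastcgi_cache_use_stale is set per location in includes/fastcgi_cache.conf`, would save the next reader the search.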
@@ -1,23 +1,23 @@
 ## FastCGI cache.
 # Designed to be included in any http, server, location block.
-fastcgi_cache FASTCGICACHE;
-fastcgi_cache_valid 200 301 302 60m;
+fastcgi_cache LEMPERCACHE;
+fastcgi_cache_valid 200 301 302 2h;
 fastcgi_cache_valid 404 1m;
-fastcgi_cache_valid any 60m;
+fastcgi_cache_valid any 2h;
+fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
 fastcgi_cache_min_uses 1;
 fastcgi_cache_lock on;
 fastcgi_cache_bypass $skip_cache $is_mobile;
 fastcgi_cache_bypass $http_pragma $http_authorization;
-
 fastcgi_no_cache $skip_cache $is_mobile;
 fastcgi_no_cache $http_pragma $http_authorization;
 fastcgi_cache_purge $purge_method;
 # Ignore header (Added Pragma, crosscheck first)
-fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
+fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 # Header status
 add_header X-FastCGI-Cache $upstream_cache_status;
diff --git a/etc/nginx/includes/rules_fastcgi_cache.conf b/etc/nginx/includes/rules_fastcgi_cache.conf
index bce9eac..ed64781 100644
--- a/etc/nginx/includes/rules_fastcgi_cache.conf
+++ b/etc/nginx/includes/rules_fastcgi_cache.conf
@@ -78,14 +78,14 @@ if ($cookie_woocommerce_items_in_cart = "1") {
 ## Purging FastCGI cache ##
 # Purge uri.
-location ~ /purge(/.*) {
+location ~ ^/(.*)/purge {
 allow 127.0.0.1;
 #allow SERVER_IP;
 deny all;
 access_log off;
 log_not_found off;
- fastcgi_cache_purge FASTCGICACHE "$scheme$request_method$host$1";
- #return 301 $scheme://$host$1;
+ fastcgi_cache_purge LEMPERCACHE "$scheme$request_method$host$1";
+ return 301 $scheme://$host/$1;
 }
 ## You may add your own FastCGI cache rules here...
diff --git a/etc/nginx/includes/rules_restriction.conf b/etc/nginx/includes/rules_restriction.conf
index 0345a4e..646a947 100644
--- a/etc/nginx/includes/rules_restriction.conf
+++ b/etc/nginx/includes/rules_restriction.conf
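Review bot: The rewritten `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;` keeps Set-Cookie in the ignore list, which tells nginx to store responses that set cookies — and the stored copy includes the Set-Cookie header — so unless `$skip_cache` (defined outside this hunk) reliably bypasses every response that issues a session cookie, one visitor's cookie can be replayed to other visitors from the cache, now for the longer 2h lifetime. The safer form is to take Set-Cookie out of the ignore list, or to pair it with `fastcgi_hide_header Set-Cookie;` in the cached locations and accept that cookie-setting pages are served cookie-less. Separately, `fastcgi_cache_valid any 2h;` now stores 5xx responses for two hours, which pins an outage even though `fastcgi_cache_use_stale` was added to soften one; listing the codes you actually want long-lived, `fastcgi_cache_valid 200 301 302 2h;` with the `any` line dropped or shortened to a minute, avoids that.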
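Review bot: Uncommenting `return 301 $scheme://$host/$1;` in the purge location most likely stops the purge from ever running: `return` executes in the rewrite phase, before the content handler that the standalone `fastcgi_cache_purge ZONE KEY;` form installs, so the request is redirected and the cache entry stays (the old line was commented out, possibly for exactly this reason). In addition, the new regex `^/(.*)/purge` captures `$1` without its leading slash while the zone's key is built from `$request_uri`, which starts with one, so `"$scheme$request_method$host$1"` no longer equals the stored key; use `fastcgi_cache_purge LEMPERCACHE "$scheme$request_method$host/$1";` and drop the `return`, letting the purge response itself confirm success. Both points describe the ngx_cache_purge module's behaviour and should be confirmed with a purge followed by a request that expects `X-FastCGI-Cache: MISS`.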
@@ -33,8 +33,7 @@ location ~ /\.ht {
 }
 # Deny all attempts to access error and access log file.
-location ~ /(error|access)\_log$
-{
+location ~ /(error|access)\_log$ {
 deny all;
 log_not_found off;
 return 404;
@@ -93,12 +92,13 @@ location ~* /(?:uploads|files)/.*\.php$ {
 }
 # Deny access to PHP file in site files directory.
-location ~ ^/sites/.*/private/ {
+location ~ ^/sites/[^/]+/files/.*\.php$ {
 deny all;
 log_not_found off;
 return 404;
 }
-location ~ ^/sites/[^/]+/files/.*\.php$ {
+
+location ~ ^/sites/.*/private/ {
 deny all;
 log_not_found off;
 return 404;
diff --git a/etc/nginx/includes/rules_staticfiles.conf b/etc/nginx/includes/rules_staticfiles.conf
index d3c1465..e7137d8 100644
--- a/etc/nginx/includes/rules_staticfiles.conf
+++ b/etc/nginx/includes/rules_staticfiles.conf
@@ -25,7 +25,7 @@ location ~ \.(?:atom|feed|rss|json)$ {
 }
 # Header setting for known static files.
-location ~ \.(?:ogg|ogv|3gp|gif|jpeg|jpg|png|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|rtf|rtx|txt|pdf|iso)$ {
+location ~ \.(?:gif|jpeg|jpg|png|webp|wmv|avi|asf|asx|ogg|ogv|3gp|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|rtf|rtx|txt|pdf|iso)$ {
 add_header Pragma "public";
 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
 access_log off;
@@ -52,7 +52,7 @@ location ~ \.(eot|svg|svgz|ttf|woff|woff2)$ {
 }
 # Dynamic thumbnail/resized image.
-location ~ (timthumb|thumbs|image|images|img)\.php?src=.*\.(jpg|jpeg|png|gif).* {
+location ~ (timthumb|thumbs|image|images|img)\.php?src=.*\.(jpg|jpeg|png|gif|webp).* {
 add_header Pragma "public";
 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
 access_log off;
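Review bot: After the swap in the second hunk of rules_restriction.conf the comment `# Deny access to PHP file in site files directory.` now sits above the `^/sites/[^/]+/files/.*\.php$` block, which matches, but the `^/sites/.*/private/` block that follows it has lost its comment; add `# Deny direct access to the per-site private directory.` above that location. Reordering two regex locations only changes which one wins for a URI that matches both, and both return 404, so the reorder itself is behaviour-neutral; note though that any `~ \.php$` handler location declared earlier in the including server block (outside this hunk) would still take precedence over both deny rules, since the first matching regex location wins.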
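Review bot: Adding `webp` to the `(timthumb|thumbs|image|images|img)\.php?src=...` pattern changes nothing in practice, because `location ~` is matched against the normalised URI without the query string, so `src=` can only match a path that literally contains that text (and the `?` is a regex quantifier making the `p` optional, not a literal question mark). If the intent is to cache thumbnail requests by their query argument, the decision has to be made on `$arg_src` — for instance a `map $arg_src $thumb_cache_control { ... }` in http{} and `add_header Cache-Control $thumb_cache_control;` in the PHP handler location — otherwise the block is dead and should be removed or marked `# NOTE: never matches, see $arg_src` to stop further edits landing on it. The block's remaining directives are outside the hunk.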