Skip to content

Commit

Permalink
Merge pull request #143 from joglomedia/2.x.x
Browse files Browse the repository at this point in the history
### Bug fixes
- Package 'python' Has No Installation Candidate #142
- Default install Ubuntu 20.04 vsftpd error #139
- Certbot Let's Encrypt is Outdated #90

### New Features
- Add Pure-FTPD FTP server install #120
- Add PHP 8.2 support
- Update default PHP to PHP 8.0
- Update Fail2ban version and improve installer
- Improve Certbot installer + self-signed SSL for local dev environment
  • Loading branch information
joglomedia authored Jan 22, 2023
2 parents 4871639 + 6cc2744 commit 4dc2693
Show file tree
Hide file tree
Showing 77 changed files with 4,478 additions and 1,209 deletions.
24 changes: 17 additions & 7 deletions .env.dist
Original file line number Diff line number Diff line change
Expand Up @@ -71,10 +71,6 @@ SSH_PASSWORDLESS=false
# Your RSA Public key.
RSA_PUB_KEY="copy your ssh public rsa key here"

# Hash length (bits), supported value 2048 | 4096 (take longer times)
# length of bits used for generating RSA key / Diffie-Helman params.
KEY_HASH_LENGTH=2048

[nginx]
INSTALL_NGINX=true

Expand Down Expand Up @@ -144,12 +140,16 @@ LUA_RESTY_LRUCACHE_VERSION="v0.11"
NGX_HTTP_PASSENGER=false
NGX_HTTP_REDIS2=false
NGX_HTTP_SUBS_FILTER=true
NGX_HTTP_UPSTREAM_FAIR=true
NGX_HTTP_UPSTREAM_FAIR=false
NGX_HTTP_VTS=true
NGX_HTTP_XSLT_FILTER=true
NGX_MAIL=true
NGX_NCHAN=false

# For Nginx latest v1.23 or greater, try using NPS v1.14.33.1-RC1 or master
NGX_PAGESPEED_VERSION="v1.13.35.2-stable"
NGX_PAGESPEED=false

NGX_RTMP=false
NGX_STREAM=true

Expand Down Expand Up @@ -279,9 +279,12 @@ FTP_SERVER_VERSION="latest"
# Enable FTP over TLS.
FTP_SSL_ENABLE=true

# Enable passv mode.
FTP_PASV_MODE=true

# Range of passv ports.
FTP_MIN_PORT=45000
FTP_MAX_PORT=45999
FTP_MAX_PORT=45099

[dns]
# TODO: Install DNS server.
Expand All @@ -296,9 +299,16 @@ INSTALL_SPFDKIM=true
SENDER_DOMAIN=""

[certbot]
# Install Let's Encrypt SSL certificate is mandatory.
INSTALL_CERTBOT=true

# Path to live certificate for production server.
HOSTNAME_CERT_PATH=""

# Hash length (bits), supported value 2048 | 4096 (take longer times)
# length of bits used for generating RSA key / Diffie-Helman params.
KEY_HASH_LENGTH=2048

[firewall]
INSTALL_FW=true

Expand All @@ -312,4 +322,4 @@ INSTALL_FAIL2BAN=true

# Available installer: repo | source.
FAIL2BAN_INSTALLER="source"
FAIL2BAN_VERSION="0.11.2"
FAIL2BAN_VERSION="1.0.2"
7 changes: 3 additions & 4 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -61,9 +61,8 @@ jobs:
shellcheck -s bash -x remove.sh
shellcheck -s bash -x bin/lemper-*.sh
shellcheck -s bash -x lib/lemper-*.sh
shellcheck -s bash -x scripts/helper.sh
shellcheck -s bash -x scripts/cleanup_server.sh
shellcheck -s bash -x scripts/secure_server.sh
shellcheck -s bash -x scripts/utils.sh
shellcheck -s bash -x scripts/server_*.sh
shellcheck -s bash -x scripts/install_*.sh
shellcheck -s bash -x scripts/remove_*.sh
# Simple Unit Tests
Expand All @@ -72,6 +71,6 @@ jobs:
TERM: xterm-256color
run: |
set -ex
sudo bash scripts/cleanup_server.sh
sudo bash scripts/server_cleanup.sh
sudo bash scripts/install_dependencies.sh
sudo bash shunit2/run_test.sh
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
.env.bak
.env.save
.travis.yml
dev-notes.md
install.log
lemper.log
lemper_install.log
Expand Down
2 changes: 1 addition & 1 deletion etc/nginx/fastcgi_cache
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,8 @@ log_format cache '$remote_addr - $upstream_cache_status [$time_local] '

# Purge cache for request method.
map $request_method $purge_method {
PURGE 1;
default 0;
PURGE 1;
}

# Skip caching for request method.
Expand Down
5 changes: 5 additions & 0 deletions etc/nginx/fastcgi_https_map
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,8 @@ map $scheme $server_https {
default off;
https on;
}

map $http_x_forwarded_proto $proto_https {
default $scheme;
https https;
}
3 changes: 2 additions & 1 deletion etc/nginx/fastcgi_params
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,8 @@

# Comment out HTTPS line for PHP behind SSL https.
#fastcgi_param HTTPS on; # old pre .03 method
#fastcgi_param HTTPS $server_https; # new .04+ map method
fastcgi_param HTTPS $server_https; # new .04+ map method
fastcgi_param HTTP_X_FORWARDED_PROTO $proto_https;

# Comment out PATH_TRANSLATED line if /etc/php5/fpm/php.ini sets following:
# cgi.fix_pathinfo=0
Expand Down
2 changes: 1 addition & 1 deletion etc/nginx/http_proxy_ips
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
## Designed to be included to /etc/nginx/nginx.conf http{} or server{} block

# Varnish HTTP Accelerator
# HTTP Accelerator or Load Balancer.
set_real_ip_from 127.0.0.1/32;

# Header
Expand Down
4 changes: 2 additions & 2 deletions etc/nginx/includes/compression_brotli.conf
Original file line number Diff line number Diff line change
Expand Up @@ -66,9 +66,9 @@ brotli_buffers 16 8k;
brotli_window 512k;

# Up the minimum length a little to account for gzip overhead
# this means anything smaller than 1024 bytes won't be compressed.
# this means anything smaller than 256 bytes won't be compressed.
# The default is 20 bytes, which is sooo tiny it's a waste to compress.
brotli_min_length 1024;
brotli_min_length 256;

# Custom header.
add_header X-Powered-By "LEMPer/Brotli";
4 changes: 2 additions & 2 deletions etc/nginx/includes/compression_gzip.conf
Original file line number Diff line number Diff line change
Expand Up @@ -79,9 +79,9 @@ gzip_vary on;
gzip_buffers 16 8k;

# Up the minimum length a little to account for gzip overhead
# this means anything smaller than 1024 bytes won't be compressed.
# this means anything smaller than 256 bytes won't be compressed.
# The default is 20 bytes, which is sooo tiny it's a waste to compress.
gzip_min_length 1024;
gzip_min_length 256;

# Custom header.
add_header X-Powered-By "LEMPer/Gzip";
4 changes: 2 additions & 2 deletions etc/nginx/includes/fastcgi_cache.conf
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@ fastcgi_no_cache $http_pragma $http_authorization;

fastcgi_cache_purge $purge_method;

# Ignore header
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
# Ignore header (Added Pragma, crosscheck first)
fastcgi_ignore_headers Cache-Control Expires Pragma Set-Cookie;

# Header status
add_header X-FastCGI-Cache $upstream_cache_status;
Expand Down
34 changes: 22 additions & 12 deletions etc/nginx/includes/ssl.conf
Original file line number Diff line number Diff line change
@@ -1,8 +1,10 @@
# Enables SSL (deprecated on http2).
#ssl on;

# --- Common definitions for HTTPS content --- #

# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
ssl_session_cache shared:LEMPer_SSL:10m; # a 1mb cache can hold about 4000 sessions
ssl_session_cache shared:LEMPer_SSL:50m; # a 1mb cache can hold about 4000 sessions
ssl_session_timeout 1d;

# SSL buffer size was added in 1.5.9
Expand All @@ -14,25 +16,33 @@ ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, minimum recommendation 2048 bits.
ssl_dhparam /etc/nginx/ssl/dhparam-2048.pem;

# If you need to support older browsers (IE6) you may need to add
# SSLv2 SSLv3 TLSv1 TLSv1.1 to the list of protocols below.
ssl_protocols TLSv1.2 TLSv1.3;
# --- Protocols & Ciphers [start] --- #

# Enables server-side protection from BEAST attacks.
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
# Maximum client support [enabled by default]
# Supports Firefox 1, Android 2.3, Chrome 1, Edge 12, IE8 on Windows XP, Java 6, OpenSSL 0.9.8, Opera 5 & Safari 1
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers on;

# Ciphers set to best allow protection from Beast, while providing forwarding secrecy,
# as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# Intermediate client support [disabled by default]
# Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20 & Safari 9
#ssl_protocols TLSv1.2 TLSv1.3;
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
#ssl_prefer_server_ciphers off;

# Modern client support [disabled by default]
# Supports Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57 & Safari 12.1
#ssl_protocols TLSv1.3;
#ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#ssl_prefer_server_ciphers off;

# Specifies a curve for ECDHE ciphers, default is auto.
ssl_ecdh_curve prime256v1:secp384r1;

# Enable OCSP stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
ssl_stapling on;
ssl_stapling_verify on;
#ssl_stapling on;
#ssl_stapling_verify on;

# Reduce SSL buffer size.
ssl_buffer_size 4k; # Default = 16k
Expand All @@ -55,4 +65,4 @@ resolver_timeout 5s;
# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
#add_header Strict-Transport-Security "max-age=31536000;" always;
# This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
8 changes: 5 additions & 3 deletions etc/nginx/nginx.conf
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,8 @@ http {
# Optimization settings.
aio threads;
sendfile on;
# Limit the amount of data transferred in a single sendfile() call to 1MB.
sendfile_max_chunk 1m;
tcp_nopush on;
tcp_nodelay on;
client_body_buffer_size 128k;
Expand All @@ -80,8 +82,8 @@ http {

# Enable Compression.
# gzip (default) or brotli (requires Nginx installed with brotli module).
# TODO: Move to per site config.
#include /etc/nginx/comp_gzip;
# Moved to per site config.
##include /etc/nginx/compression_gzip;

# Uncomment to enable FastCGI cache. If disabled, do not use the cached vhost setting.
include /etc/nginx/fastcgi_cache;
Expand All @@ -91,7 +93,7 @@ http {

# Upstream, ex: for Node.JS application server.
# TODO: Move to per site config.
#include /etc/nginx/upstream;
##include /etc/nginx/upstream;

# SSL map.
include /etc/nginx/fastcgi_https_map;
Expand Down
35 changes: 24 additions & 11 deletions etc/nginx/sites-available/default
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,8 @@ server {
#ssl_certificate_key /etc/letsencrypt/live/localhost.localdomain/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/live/localhost.localdomain/fullchain.pem;

access_log /var/log/nginx/localhost.access.log;
error_log /var/log/nginx/localhost.error.log;
access_log /var/log/nginx/localhost.access.log combined buffer=32k;
error_log /var/log/nginx/localhost.error.log error;

root /usr/share/nginx/html;
index index.php index.html index.htm;
Expand All @@ -24,15 +24,28 @@ server {

include /etc/nginx/vhost/site_default.conf;

location ~ ^/(status|ping)$ {
# Nginx basic status monitoring.
location = /nginx_status {
stub_status;
allow all;
auth_basic "Denied";
auth_basic_user_file /srv/.htpasswd;
access_log off;
log_not_found off;
}

# PHP-FPM status monitoring.
location ~ ^/php-fpm_(status|ping)$ {
include /etc/nginx/fastcgi_params;

fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;

allow all;
auth_basic "Denied";
auth_basic_user_file /srv/.htpasswd;
access_log off;
log_not_found off;
}

location ~ \.php81$ {
Expand All @@ -46,7 +59,7 @@ server {
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}

location ~ \.php80$ {
location ~ \.(php|php80)$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
Expand All @@ -56,7 +69,7 @@ server {
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
}

location ~ \.(php|php74)$ {
location ~ \.php74$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
Expand Down Expand Up @@ -132,8 +145,8 @@ server {
index index.php index.html index.htm;

# Log Settings.
access_log /var/log/nginx/localhost.access.log;
error_log /var/log/nginx/localhost.error.log;
access_log /var/log/nginx/localhost.access.log combined buffer=32k;
error_log /var/log/nginx/localhost.error.log error;

location /lcp {
try_files $uri $uri/ /index.php?$args;
Expand Down Expand Up @@ -161,7 +174,7 @@ server {
# Uncomment to Enable PHP FastCGI cache.
#include /etc/nginx/includes/fastcgi_cache.conf;

fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
}
}

Expand All @@ -175,7 +188,7 @@ server {
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}

location ~ \.php80$ {
location ~ \.(php|php80)$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
Expand All @@ -185,7 +198,7 @@ server {
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
}

location ~ \.(php|php74)$ {
location ~ \.php74$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
Expand Down
20 changes: 20 additions & 0 deletions etc/openssl/ca.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
[ca]
default_ca = CA_default # The default ca section

[CA_default]
default_days = 36500 # How long to certify for

[req]
default_bits = 2048
default_md = sha256
distinguished_name = ca_dn
prompt = no

[ca_dn]
C = ID
ST = Jakarta
L = Jakarta
O = LEMPer
OU = LEMPer Stack
CN = demo.lemper.cloud
emailAddress = [email protected]
7 changes: 7 additions & 0 deletions etc/openssl/cert.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = demo.lemper.cloud
Loading

0 comments on commit 4dc2693

Please sign in to comment.