diff options
| -rw-r--r-- | tools/conf/etc/nginx/nginx.conf | 150 | ||||
| -rw-r--r-- | tools/conf/etc/nginx/sites/default.conf | 82 | ||||
| -rw-r--r-- | tools/conf/etc/nginx/sites/drupal.conf | 129 | ||||
| -rw-r--r-- | tools/conf/etc/nginx/sites/laravel.conf | 28 | ||||
| -rw-r--r-- | tools/nginx.html | 175 | ||||
| -rw-r--r-- | tools/scripts/config-install.sh | 4 | ||||
| -rw-r--r-- | tools/scripts/install-nginx.sh | 17 | ||||
| -rw-r--r-- | tools/scripts/install-php.sh | 7 | ||||
| -rw-r--r-- | tools/scripts/iptables.sh (renamed from tools/scipts/iptables.sh) | 0 | ||||
| -rw-r--r-- | tools/scripts/replace.sh | 7 |
10 files changed, 507 insertions, 92 deletions
diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf new file mode 100644 index 0000000..088a798 --- /dev/null +++ b/tools/conf/etc/nginx/nginx.conf @@ -0,0 +1,150 @@ +# +# /etc/nginx/nginx.conf - nginx server configuration +# + + +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log; + +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + # ssl on; + ssl_certificate /etc/ssl/certs/nginx.crt; + ssl_certificate_key /etc/ssl/keys/nginx.key; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + client_body_timeout 12; + client_header_timeout 12; + send_timeout 65; + + + gzip on; + gzip_vary on; + #gzip_proxied any; + gzip_comp_level 9; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + + ## + # Virtual Host Configs + ## + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*.conf; + + #server { + # listen 80; + # server_name localhost; + # + # #charset koi8-r; + # + # location / { + # root html; + # index index.html index.htm; + # } + # + # error_page 404 /404.html; + # + # # redirect server error pages to the static page /50x.html + # # + # error_page 500 502 503 504 /50x.html; + # location = /50x.html { + # root html; + # } + # + # # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # # + # #location ~ \.php$ { + # # proxy_pass http://127.0.0.1; + # #} + # + # # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # # + # #location ~ \.php$ { + # # root html; + # # fastcgi_pass 127.0.0.1:9000; + # # fastcgi_index index.php; + # # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # # include fastcgi_params; + # #} + # + # # deny access to .htaccess files, if Apache's document root + # # concurs with nginx's one + # # + # #location ~ /\.ht { + # # deny all; + # #} + #} + + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS server + # + #server { + # listen 443 ssl; + # server_name localhost; + + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 5m; + + # ssl_ciphers HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + +} diff --git a/tools/conf/etc/nginx/sites/default.conf b/tools/conf/etc/nginx/sites/default.conf new file mode 100644 index 0000000..95be0b7 --- /dev/null +++ b/tools/conf/etc/nginx/sites/default.conf @@ -0,0 +1,82 @@ + +server { + listen 80; + server_name localhost; + +#charset koi8-r; + + location / { + root html; + index index.html index.htm; + } + + error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root html; + } + +# proxy the PHP scripts to Apache listening on 127.0.0.1:80 +# +#location ~ \.php$ { +# proxy_pass http://127.0.0.1; +#} + +# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 +# +#location ~ \.php$ { +# root html; +# fastcgi_pass 127.0.0.1:9000; +# fastcgi_index index.php; +# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; +# include fastcgi_params; +#} + +# deny access to .htaccess files, if Apache's document root +# concurs with nginx's one +# +#location ~ /\.ht { +# deny all; +#} +} + + +# another virtual host using mix of IP-, name-, and port-based configuration +# +#server { +# listen 8000; +# listen somename:8080; +# server_name somename alias another.alias; + +# location / { +# root html; +# index index.html index.htm; +# } +#} + + +# HTTPS server +# +#server { +# listen 443 ssl; +# server_name localhost; + +# ssl_certificate cert.pem; +# ssl_certificate_key cert.key; + +# ssl_session_cache shared:SSL:1m; +# ssl_session_timeout 5m; + +# ssl_ciphers HIGH:!aNULL:!MD5; +# ssl_prefer_server_ciphers on; + +# location / { +# root html; +# index index.html index.htm; +# } +#} + + diff --git a/tools/conf/etc/nginx/sites/drupal.conf b/tools/conf/etc/nginx/sites/drupal.conf new file mode 100644 index 0000000..39b096a --- /dev/null +++ b/tools/conf/etc/nginx/sites/drupal.conf @@ -0,0 +1,129 @@ +server { + + listen 192.168.1.254:443 ssl; + listen 10.0.0.254:443 ssl; + + server_name core.privat-network.net; + + root /srv/www/drupal; ## <-- Your only path reference. + + # Enable compression, this will help if you have for instance advagg¿? module + # by serving Gzip versions of the files. + gzip_static on; + + location ~ ^/stats/(.*)$ { + alias /srv/www/stats/$1; + autoindex on; + } + + location /sysdoc { + alias /srv/www/sysdoc; + autoindex on; + } + + location /ports { + alias /var/ports/ports; + autoindex on; + } + + location /distfiles { + alias /var/ports/distfiles; + autoindex on; + } + + + location /packages { + root /var/ports/packages; + autoindex off; + } + + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + } + + # This matters if you use drush prior to 5.x + # After 5.x backups are stored outside the Drupal install. + #location = /backup { + # deny all; + #} + + # Very rarely should these ever be accessed outside of your lan + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + # No no for private + location ~ ^/sites/.*/private/ { + return 403; + } + + # Block access to "hidden" files and directories whose names begin with a + # period. This includes directories used by version control systems such + # as Subversion or Git to store control files. + location ~ (^|/)\. { + return 403; + } + + location / { + # This is cool because no php is touched for static content + try_files $uri @rewrite; + } + + location ~* /update.php*/.*$ { + # You have 2 options here + # For D7 and above: + # Clean URLs are handled in drupal_environment_initialize(). + rewrite ^ /update.php; + # For Drupal 6 and bwlow: + # Some modules enforce no slash (/) at the end of the URL + # Else this rewrite block wouldn't be needed (GlobalRedirect) + #rewrite ^/(.*)$ /index.php?q=$1; + } + + location @rewrite { + # You have 2 options here + # For D7 and above: + # Clean URLs are handled in drupal_environment_initialize(). + rewrite ^ /index.php; + # For Drupal 6 and bwlow: + # Some modules enforce no slash (/) at the end of the URL + # Else this rewrite block wouldn't be needed (GlobalRedirect) + #rewrite ^/(.*)$ /index.php?q=$1; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename; + fastcgi_intercept_errors on; + #fastcgi_pass unix:/tmp/phpfpm.sock; + fastcgi_pass 127.0.0.1:9000; + } + + # Fighting with Styles? This little gem is amazing. + # This is for D6 + #location ~ ^/sites/.*/files/imagecache/ { + # This is for D7 and D8 + location ~ ^/sites/.*/files/styles/ { + try_files $uri @rewrite; + } + + location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { + expires max; + #log_not_found off; + } + +} diff --git a/tools/conf/etc/nginx/sites/laravel.conf b/tools/conf/etc/nginx/sites/laravel.conf new file mode 100644 index 0000000..f648f17 --- /dev/null +++ b/tools/conf/etc/nginx/sites/laravel.conf @@ -0,0 +1,28 @@ +server { + listen 443 ssl; + # listen [::]:443 ssl; + + root /srv/www/atom/public; + server_name core.privat-network.net; + + location /sysdoc { + alias /srv/www/sysdoc; + index index.html; + autoindex on; + } + + index index.php; + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + # try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + # fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/nginx.html b/tools/nginx.html index 8fe632e..01c5515 100644 --- a/tools/nginx.html +++ b/tools/nginx.html @@ -7,9 +7,9 @@ <body> <a href="index.html">Tools Index</a> - <h1>1. Nginx</h1> + <h1>Nginx</h1> - <h2 id="install">1.1. Install Nginx</h2> + <h2 id="install">1. Install Nginx</h2> <pre> $ prt-get depinst nginx @@ -21,17 +21,16 @@ UID=xxxxx-xxx-xxx-xxx-xxxxxxxx /srv/www ext4 defaults,nosuid,noexec,nodev,noatime 1 2 </pre> - <p>Remove nginx user or group, system defines www user and group;</p> + <p>Add user nginx to www group;</p> <pre> - # userdel nginx - # groupdel nginx + # usermod -a -G www nginx </pre> - <p>Change default home directory of www user;</p> + <p>Change default home directory of nginx user;</p> <pre> - # usermod -m -d /srv/www www + # usermod -m -d /srv/www nginx </pre> <p>Create configuration directory's for better organization;</p> @@ -42,44 +41,11 @@ $ sudo mkdir /etc/nginx/sites </pre> - <h2 id="logs">1.2. Logs</h2> - - <pre> - $ sudo grep "login" /var/log/nginx/access.log - $ sudo grep "etc/passwd" /var/log/nginx/access.log - $ sudo egrep -i "denied|error|warn" /var/log/nginx/error.log - </pre> - - <h2 id="userdir">1.3. User Directory</h2> - - <p><a href="http://wiki.nginx.org/UserDir">Nginx Wiki UserDir</a></p> - - <pre> - location ~ ^/~(.+?)(/.*)?$ { - alias /home/$1/public_html$2; - index index.html index.htm; - autoindex on; - } - </pre> - - <p>Directories should have 644 or 664 and - files chmod 755 or 775;</p> - - <pre> - $ sudo find . -type f -print0 | xargs -0 chmod 644 - $ sudo find . -type d -print0 | xargs -0 chmod 755 - </pre> - - <h2 id="certs">1.4. Certificates</h2> + <h2 id="certs">2. Certificates</h2> <p>Certificates allow a more secure connection. Lets create self-signed certificate;</p> - <pre> - $ sudo mkdir /etc/nginx/ssl - $ sudo cd /etc/nginx/ssl - </pre> - <p>Create private key;</p> <pre> @@ -112,7 +78,7 @@ Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []:c13.nark.biz.tm + Common Name (e.g. server FQDN or YOUR name) []:core.privat-network.net Email Address []: Please enter the following 'extra' attributes @@ -127,33 +93,31 @@ <pre> $ sudo openssl x509 -req -days 365 -in /etc/ssl/certs/nginx.csr -signkey /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.crt Signature ok - subject=/C=PT/ST=Porto/O=Internet Widgits Pty Ltd/CN=c13.nark.biz.tm + subject=/C=PT/ST=Porto/O=Internet Widgits Pty Ltd/CN=core.privat-network.net Getting Private key Enter pass phrase for /etc/ssl/keys/nginx.key: $ </pre> - <h3>Remove Password</h3> - <p>Having password is a good idea, but requires it every time nginx is restarted. To remove;</p> <pre> - $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.org - $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.org -out /etc/ssl/keys/nginx.key + $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass + $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key Enter pass phrase for /etc/ssl/keys/nginx.key.org: writing RSA key $ </pre> - <h2 id="nginxconf">1.5. Nginx Configuration</h2> + <h2 id="nginxconf">3. Nginx Configuration</h2> - <p><a href="http://wiki.nginx.org/Pitfalls">READ NGINX PITFALLS</a>, + <p>Read <a href="http://wiki.nginx.org/Pitfalls">nginx pitfalls</a>, for more information about optimization <a href="https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration">digitalocean</a>, <p>Number of worker_processes must be equal or less than - the number of available cpu cores</p> + the number of available cpu cores. This is set to auto.</p> <pre> $ nproc @@ -172,32 +136,26 @@ <pre> # - # /etc/nginx/nginx.conf + # /etc/nginx/nginx.conf - nginx server configuration # - user www; - worker_processes 2; - error_log /var/log/nginx/error.log info; + user nginx; + worker_processes auto; + + error_log /var/log/nginx/error.log; + + pid /var/run/nginx.pid; + events { worker_connections 1024; } - http { - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - sendfile on; - #tcp_nopush on; - #keepalive_timeout 620; - keepalive_timeout 65; - client_body_timeout 12; - client_header_timeout 12; - # send_timeout 620; - send_timeout 65; + http { + include mime.types; + default_type application/octet-stream; ## # SSL Settings @@ -209,25 +167,25 @@ ssl_certificate /etc/ssl/certs/nginx.crt; ssl_certificate_key /etc/ssl/keys/nginx.key; - ## - # Logging Settings - ## #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log combined; - error_log /var/log/nginx/error.log; + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log - ## - # Gzip Settings - ## + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + client_body_timeout 12; + client_header_timeout 12; + send_timeout 65; - gzip on; - gzip_disable "msie6"; + gzip on; gzip_vary on; - gzip_proxied any; + #gzip_proxied any; gzip_comp_level 9; # gzip_buffers 16 8k; # gzip_http_version 1.1; @@ -245,40 +203,44 @@ include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*.conf; + } - # End of file </pre> + # End of file + </pre> - <h2 id="server">1.6. Server with PHP</h2> + <h2 id="server">4. Server with PHP</h2> - check <a href "../conf/etc/nginx/">configuration directory</a> - for more examples. Install php and composer that is required - by Laravel;</p> + <p>Check <a href="conf/etc/nginx/sites/">/etc/nginx/sites</a> + for more examples.</p> - <h3>1.6.1. Setup PHP</h3> + <h3>4.1. Setup PHP</h3> + + <p> Install php and setup php.ini as development mode;</p> <pre> - $ prt-get depinst php php-fpm php-gd php-pdo-pgsql composer + $ prt-get depinst php php-fpm php-gd </pre> <p>Setup php ini in development mode;<p/> <pre> - $ sudo cp /etc/php/php.ini-development php.ini + $ sudo cp /etc/php/php.ini-development /etc/php/php.ini + </pre> + + <pre> $ php --ini Configuration File (php.ini) Path: /etc/php Loaded Configuration File: /etc/php/php.ini Scan for additional .ini files in: /etc/php/conf.d Additional .ini files parsed: /etc/php/conf.d/extensions.ini, /etc/php/conf.d/pdo_pgsql.ini - - $ </pre> - <h3>1.6.2. Setup Virtual Host</h3> + <h3>4.2. Setup Virtual Host</h3> <p>Server (virtual host) with Laravel, - /etc/nginx/sites/<a href="../conf/etc/nginx/sites/laravel.conf">laravel.conf</a>;</p> + <a href="conf/etc/nginx/sites/laravel.conf">/etc/nginx/sites/laravel.conf</a>;</p> <pre> server { @@ -286,7 +248,7 @@ listen [::]:443 ssl; root /srv/www/atom/public; - server_name c13.nark.biz.tm; + server_name core.privat-network.net; index index.html index.htm index.php; charset utf-8; @@ -299,7 +261,7 @@ location = /robots.txt { access_log off; log_not_found off; } access_log off; - error_log /var/log/nginx/c13-nark-biz-tm-error.log error; + error_log /var/log/nginx/core.privat-network.net-error.log error; sendfile off; @@ -322,6 +284,35 @@ } </pre> + <h2 id="userdir">5. User Directory</h2> + + <p><a href="http://wiki.nginx.org/UserDir">Nginx Wiki UserDir</a></p> + + <pre> + location ~ ^/~(.+?)(/.*)?$ { + alias /home/$1/public_html$2; + index index.html index.htm; + autoindex on; + } + </pre> + + <p>Directories should have 644 or 664 and + files chmod 755 or 775;</p> + + <pre> + $ sudo find . -type f -print0 | xargs -0 chmod 644 + $ sudo find . -type d -print0 | xargs -0 chmod 755 + </pre> + + <h2 id="logs">6. Logs</h2> + + <pre> + $ sudo grep "login" /var/log/nginx/access.log + $ sudo grep "etc/passwd" /var/log/nginx/access.log + $ sudo egrep -i "denied|error|warn" /var/log/nginx/error.log + </pre> + + <a href="index.html">Tools Index</a> <p>This is part of the c9-doc Manual. diff --git a/tools/scripts/config-install.sh b/tools/scripts/config-install.sh new file mode 100644 index 0000000..061081f --- /dev/null +++ b/tools/scripts/config-install.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +CONF_DIR="$(dirname `dirname $0`)/conf" +echo "CONF_DIR=$CONF_DIR\n" diff --git a/tools/scripts/install-nginx.sh b/tools/scripts/install-nginx.sh new file mode 100644 index 0000000..5553692 --- /dev/null +++ b/tools/scripts/install-nginx.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +. `dirname $0`/config-install.sh + +prt-get depinst nginx + +cp -R $CONF_DIR/etc/nginx/* /etc/nginx/ + +usermod -a -G www nginx +usermod -m -d /srv/www nginx + +openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048 +openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr +openssl x509 -req -days 365 -in /etc/ssl/certs/nginx.csr -signkey /etc/ssl/keys/nginx.key + +cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass +openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key diff --git a/tools/scripts/install-php.sh b/tools/scripts/install-php.sh new file mode 100644 index 0000000..9d47ada --- /dev/null +++ b/tools/scripts/install-php.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +. `dirname $0`/config-install.sh + +prt-get depinst php php-fpm php-gd php-pdo-pgsql + +cp /etc/php/php.ini-development /etc/php/php.ini diff --git a/tools/scipts/iptables.sh b/tools/scripts/iptables.sh index 3215633..3215633 100644 --- a/tools/scipts/iptables.sh +++ b/tools/scripts/iptables.sh diff --git a/tools/scripts/replace.sh b/tools/scripts/replace.sh new file mode 100644 index 0000000..8e393f0 --- /dev/null +++ b/tools/scripts/replace.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +folder=$1 +oldstring=$2 +newstring=$3 + +grep -rl $oldstring $folder | xargs sed -i s@$oldstring@$newstring@g |