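#!/bin/bash
#
# vhost-stack installer.
#
# Installs and configures Apache + PHP-FPM, MariaDB, Varnish, phpMyAdmin,
# Webalizer, jailkit, mini_sendmail and the vhost-stack helper scripts on
# Ubuntu 22.04. All package installs are non-interactive.
#
# Usage:   sudo ./install.sh   (from any cwd; config files are copied from
#          the directory that holds this script, i.e. the vhost-stack checkout)
# Env (optional overrides):
#   VHOST_DOMAIN  domain used for vhost subdomains (default: `hostname -d`)
#   PHP_TIMEZONE  value for php.ini date.timezone (default: America/Los_Angeles)
#
# Exit status: 0 on success, 1 when a precondition fails or a critical
# step (package install, download, checksum, extraction) fails.

set -uo pipefail

#######################################
# Print an error to stderr and abort the installer.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Non-interactive apt-get install. A failed install aborts, because every
# later step assumes the packages are present.
# Arguments: package names
#######################################
apt_install() {
  DEBIAN_FRONTEND=noninteractive apt-get -y install "$@" \
    || die "apt-get install failed: $*"
}

# --- preconditions ---------------------------------------------------------
if [[ "${EUID}" -ne 0 ]]; then
  die "You must be root to run this installer."
fi

# Only Ubuntu 22.04 is tested. To try another Ubuntu/Debian release,
# comment out the 'exit 1' below and re-run.
if ! grep -q "Ubuntu 22.04" /etc/issue; then
  printf '%s\n' \
    "This installer is only tested on Ubuntu 22.04. If you are on a" \
    "different version of Ubuntu or a Debian/Debian based distro" \
    "and want to try running this installer open this script and" \
    "comment out the exit command below this line and re-run."
  exit 1
fi

# Refuse to run twice: the installer appends to config files and is not
# idempotent.
if [[ -f /usr/local/bin/vhost.sh ]]; then
  printf '%s\n' "vhost-stack is already installed, bailing out."
  exit 1
fi

# Existing web server software: warn, then continue after a grace period.
if [[ -d /etc/apache2/ || -d /etc/php/ || -d /etc/varnish/ ]]; then
  printf '\n%s\n%s\n%s\a\n\n' \
    "WARNING: Apache, Varnish and/or PHP are already installed." \
    "This installer will overwrite existing configurations." \
    "You have five seconds to execute ctrl-c to cancel this install."
  sleep 5
fi

# Another package manager run would make every apt-get below fail.
if lsof /var/lib/dpkg/lock-frontend; then
  printf '%s\n' \
    "Could not get lock /var/lib/dpkg/lock-frontend" \
    "See output above for info on what is holding the lock." \
    "Wait for the command above to complete, then re-run this script."
  exit 1
fi

# Resolve the checkout directory so relative copies work from any cwd.
repo_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) \
  || die "cannot locate the vhost-stack directory"
readonly repo_dir
cd "$repo_dir" || die "cannot cd to $repo_dir"

# Host names are spliced into sed expressions and Apache config below.
# Restrict them to hostname characters so an unusual hostname cannot break
# the substitutions, and fail early if there is no domain at all (an empty
# domain would produce dangling vhost names in macro.conf).
fqdn=$(hostname -f) || die "hostname -f failed"
vhostdomain=${VHOST_DOMAIN:-$(hostname -d)}
[[ "$fqdn" =~ ^[A-Za-z0-9.-]+$ ]] \
  || die "unusable FQDN '$fqdn' from 'hostname -f'"
[[ "$vhostdomain" =~ ^[A-Za-z0-9.-]+$ ]] \
  || die "no usable domain from 'hostname -d'; set VHOST_DOMAIN and re-run"

# Timezone goes inside a quoted php.ini value; allow only tz-database chars.
php_timezone=${PHP_TIMEZONE:-America/Los_Angeles}
[[ "$php_timezone" =~ ^[A-Za-z0-9_/+-]+$ ]] \
  || die "unusable PHP_TIMEZONE '$php_timezone'"

apt-get update || die "apt-get update failed"

# --- systemd units ---------------------------------------------------------
install --owner=root --group=root --mode=755 --directory /usr/local/lib/systemd/system
cp systemd/* /usr/local/lib/systemd/system/ || die "copying systemd units failed"
chmod 644 /usr/local/lib/systemd/system/*
systemctl daemon-reload

# pwgen is used to create random secrets later on.
apt_install pwgen

# --- MariaDB (mysql) -------------------------------------------------------
if [[ ! -d /etc/mysql/ ]]; then
  apt_install mariadb-client mariadb-server
  # root authenticates through the local unix socket only (no password).
  mysql -e "GRANT ALL ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION"
  # Monitoring-only account: CREATE USER alone grants nothing beyond USAGE,
  # so this passwordless local user can only check that the server answers.
  mysql -e "CREATE USER 'nagios'@'localhost' IDENTIFIED WITH mysql_native_password AS '';"
  mysqladmin flush-privileges
elif ! systemctl is-active --quiet mysql; then
  printf '%s\n' \
    "MySQL config dir exists, but MySQL/MariaDB server is not running." \
    "Check your server config and either make sure MySQL is running" \
    "or purge MySQL/MariaDB and all related packages (e.g. mysql-common)" \
    "from the server and then re-run this installer."
  exit 1
fi

# --- Apache w/ PHP ---------------------------------------------------------
apache_pkgs=(
  apache2 libapache2-mod-authnz-pam libwww-perl
  php-fpm php-cli php-bcmath php-ssh2 php-curl php-dev php-enchant php-mysql
  php-pear php-gd php-http php-imap php-intl php-yaml php-pspell php-raphf
  php-sqlite3 php-tidy php-xml php-xmlrpc php-zip php-mbstring php-imagick
  php-redis redis pwauth libapache2-mod-authnz-external
)
apt_install "${apache_pkgs[@]}"

# PHP version as "MAJOR.MINOR"; selects /etc/php/<ver>/ and the php<ver>-fpm unit.
php_major=$(php -r 'echo PHP_MAJOR_VERSION;') || die "php not runnable"
php_minor=$(php -r 'echo PHP_MINOR_VERSION;') || die "php not runnable"
phpVersion="${php_major}.${php_minor}"

## http2 handled automatically now.
## http2 doesn't support logio, so look in to vhost log format
cp etc/apache2/sites-available/* /etc/apache2/sites-available/ \
  || die "copying Apache sites failed"
# Default TLS cert path points at the letsencrypt cert for this host.
sed -i "s|/etc/ssl/certs/ssl-cert-snakeoil.pem|/etc/ssl/letsencrypt/$fqdn.pem|g" /etc/apache2/sites-available/*.conf
chmod 644 /etc/apache2/sites-available/*.conf
chown root:root /etc/apache2/sites-available/*.conf
sed -i "s|webmaster@localhost|webmaster@$fqdn|g" /etc/apache2/sites-available/*.conf

cp etc/apache2/conf-available/* /etc/apache2/conf-available/ \
  || die "copying Apache conf-available failed"
chmod 644 /etc/apache2/conf-available/*.conf
chown root:root /etc/apache2/conf-available/*.conf
a2enconf "php${phpVersion}-fpm" phpMyAdmin

cp etc/apache2/mods-available/* /etc/apache2/mods-available/ \
  || die "copying Apache mods-available failed"
chmod 644 /etc/apache2/mods-available/*.conf
chown root:root /etc/apache2/mods-available/*.conf
# vhost subdomains live under the server's domain (or VHOST_DOMAIN).
sed -i "s|example.com|$vhostdomain|g" /etc/apache2/mods-available/macro.conf
# a2enmod proxy_fcgi rewrite headers expires ssl http2 remoteip macro
a2enmod cgid proxy_fcgi proxy_http rewrite headers expires ssl http2 macro

# Document root moves from /var/www/html to /srv/www/html.
sed -i "s|/var/www/html|/srv/www/html|g" /etc/apache2/sites-available/000-default.conf
sed -i "s|/var/www/html|/srv/www/html|g" /etc/apache2/sites-available/default-ssl.conf
## double check this next one after getting full setup going w/ haproxy & varnish
# Log the client address (%a) instead of the remote host (%h).
sed -i "s|%h %l %u|%a %l %u|g" /etc/apache2/apache2.conf
sed -i "s|other_vhosts_access.log|access.log|" /etc/apache2/conf-available/other-vhosts-access-log.conf
rm -f /var/log/apache2/other_vhosts_access.log

# Directory access rules for the web root and the cgi wrapper.
cat >> /etc/apache2/conf-available/security.conf <<'EOF'
<Directory "/srv/www/">
 AllowOverride All
 Options Includes FollowSymLinks
 Require all granted
</Directory>
<Directory "/usr/local/lib/cgi-wrap/">
 AllowOverride None
 Options None
 Require all granted
</Directory>
EOF
systemctl enable --now vhost-reload-apache.path

# --- PHP -------------------------------------------------------------------
fpm_ini="/etc/php/${phpVersion}/fpm/php.ini"
cli_ini="/etc/php/${phpVersion}/cli/php.ini"
sed -i "s|post_max_size = 8M|post_max_size = 256M|g" "$fpm_ini"
sed -i "s|upload_max_filesize = 2M|upload_max_filesize = 256M|g" "$fpm_ini"
for ini in "$fpm_ini" "$cli_ini"; do
  sed -i "s|;date.timezone =|date.timezone = '$php_timezone'|g" "$ini"
  # Debian/Ubuntu session settings back to PHP defaults, for compatibility
  # with user jails & php chroots.
  sed -i 's|;session.save_path = "/var/lib/php/sessions"|session.save_path = "/tmp"|g' "$ini"
  sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" "$ini"
done
# PHP-FPM spawns workers on demand.
sed -i "s|pm = dynamic|pm = ondemand|g" "/etc/php/${phpVersion}/fpm/pool.d/www.conf"
systemctl reload apache2
## configure overrides
# sed -i "s|^user = www-data|user = $USERNAME|g" /etc/php/7.2/fpm/pool.d/www.conf
# sed -i "s|^group = www-data|group = $USERNAME|g" /etc/php/7.2/fpm/pool.d/www.conf
systemctl reload "php${phpVersion}-fpm"
systemctl enable --now vhost-reload-php.path

# --- web root --------------------------------------------------------------
if [[ -d /srv/www ]]; then
  if [[ -d /var/www ]]; then
    printf '%s\n' "WARNING: /srv/www & /var/www dirs both exists, skipping move of existing /var/www/ dir."
  fi
else
  if [[ -d /var/www ]]; then
    mv /var/www /srv/www
  else
    install --owner=root --group=root --mode=755 --directory /srv/www
  fi
  ln -s /srv/www /var/www
fi
# Unprivileged owner of the web root; skip creation if it already exists.
getent passwd vhost >/dev/null \
  || useradd --no-create-home --home-dir /srv/www --shell /usr/sbin/nologin --system --user-group vhost
if [[ -d /srv/www/html ]]; then
  chown -R vhost:vhost /srv/www/html
else
  install --owner=vhost --group=vhost --mode=755 --directory /srv/www/html
fi

# --- Webalizer -------------------------------------------------------------
apt_install webalizer
install --mode=644 etc/logrotate.d/apache2 /etc/logrotate.d/apache2
# The package's cron job is replaced by webalizer.timer.
rm -f /etc/cron.daily/webalizer
rmdir /srv/www/webalizer
systemctl enable --now webalizer.timer

# --- status.php ------------------------------------------------------------
install --owner=vhost --group=vhost --mode=644 html/status.php /srv/www/html/status.php

# --- phpMyAdmin ------------------------------------------------------------
apt_install php-bz2 php-tcpdf
pma_name=phpMyAdmin-5.2.1-all-languages
pma_url="https://files.phpmyadmin.net/phpMyAdmin/5.2.1/${pma_name}.tar.gz"
cd /usr/local/src || die "cannot cd to /usr/local/src"
# -O overwrites a stale copy instead of creating a numbered duplicate.
wget -O "${pma_name}.tar.gz" "$pma_url" || die "download of $pma_url failed"
# Verify against the .sha256 published beside the tarball. This catches a
# corrupt or truncated download; it comes from the same host, so it is not
# a substitute for checking the .asc signature against the release key.
wget -O "${pma_name}.tar.gz.sha256" "${pma_url}.sha256" \
  || die "download of ${pma_url}.sha256 failed"
sha256sum -c "${pma_name}.tar.gz.sha256" \
  || die "checksum mismatch for ${pma_name}.tar.gz"
tar zxf "${pma_name}.tar.gz" || die "extracting ${pma_name}.tar.gz failed"
# The web setup wizard and test suite must not be served.
rm -r -- "${pma_name}/setup/"
if [[ -d "${pma_name}/test/" ]]; then
  rm -r -- "${pma_name}/test/"
fi
mv "$pma_name" /srv/www/html/phpMyAdmin || die "moving phpMyAdmin into place failed"
cd "$repo_dir" || die "cannot cd to $repo_dir"
cp html/phpMyAdmin/config.inc.php /srv/www/html/phpMyAdmin/config.inc.php \
  || die "copying phpMyAdmin config failed"
# Cookie-encryption secret: -s gives a fully random (not pronounceable)
# string; pwgen output is alphanumeric, so it is safe inside the sed expression.
blowfish_secret=$(pwgen -s 32 1) || die "pwgen failed"
sed -i "s|changeme|$blowfish_secret|g" /srv/www/html/phpMyAdmin/config.inc.php
find /srv/www/html/phpMyAdmin -type d -exec chmod 755 {} +
find /srv/www/html/phpMyAdmin -type f -exec chmod 644 {} +
chown -R vhost:vhost /srv/www/html/phpMyAdmin

# --- fail2ban (optional) ---------------------------------------------------
if [[ -d /etc/fail2ban/ ]]; then
  chmod 644 etc/fail2ban/*/*.conf
  cp -a etc/fail2ban/* /etc/fail2ban/
  if systemctl is-active --quiet fail2ban; then
    systemctl restart fail2ban
  fi
else
  printf '%s\n' "NOTICE: fail2ban not installed, skipping"
fi

# --- jailkit ---------------------------------------------------------------
apt_install jailkit
sed -i 's|paths = ssh|paths = /usr/bin/ssh*|' /etc/jailkit/jk_init.ini
sed -i "s|paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5|paths = /usr/bin/perl, /usr/lib/x86_64-linux-gnu/perl, /usr/lib/x86_64-linux-gnu/perl-base, /usr/share/perl, /usr/share/perl5|g" /etc/jailkit/jk_init.ini
# Extra jail profiles. The python3 stdlib path is a glob so it follows the
# interpreter version shipped by the release instead of a hard-coded 3.8.
cat >> /etc/jailkit/jk_init.ini <<'EOF'

[shellstack]
comment = full featured shell for vhost-stack jails
paths = curl, diff, dircolors, du, env, git, groups, mysql, mysqldump, /etc/bash_completion, /etc/bash_completion.d/, /usr/share/bash-completion/, /etc/ssl/certs/, /etc/nanorc, /usr/local/libexec/command-not-found-handle, /usr/share/nano/, /usr/share/zoneinfo/, /usr/local/bin/composer, /usr/local/bin/wp, /usr/local/sbin/mini_sendmail
includesections = extendedshell, netutils, logbasics, apacheutils, php

[php]
comment = php-cli and all required files
paths = /usr/bin/php*, /usr/bin/phar*, /etc/php/*/cli/, /etc/php/*/mods-available/, /usr/lib/php/, /usr/share/php/

[python3]
comment = the python3 interpreter and libraries
paths = /usr/bin/python3, /usr/lib/python3, /usr/lib/python3.*, /usr/share/doc/python3, /usr/share/doc/python3-minimal, /usr/share/python3, /usr/share/man/man1/python3.1.gz

[ruby]
comment = the ruby interpreter and libraries
paths = /usr/bin/erb, /usr/bin/gem, /usr/bin/irb, /usr/bin/rdoc, /usr/bin/ri, /usr/bin/ruby, /usr/share/doc/ruby, /usr/share/man/man1/ruby.1.gz, /usr/lib/ruby/, /usr/lib/x86_64-linux-gnu/ruby/
EOF
mkdir -p /usr/jails
install --owner=root --group=root --mode=755 --directory /usr/local/libexec
install --owner=root --group=root --mode=755 \
  libexec/command-not-found-handle /usr/local/libexec/command-not-found-handle
if [[ ! -f /etc/fstab.jails ]]; then
  printf '%s\n' "# /etc/fstab.jails: jail bind mounts information." > /etc/fstab.jails
  chmod 644 /etc/fstab.jails
fi
systemctl enable jail-mounts.service
systemctl enable --now vhost-reload-jailkit.path

# --- varnish ---------------------------------------------------------------
apt_install varnish
cp -a etc/varnish/* /etc/varnish/ || die "copying varnish config failed"
find /etc/varnish/ -type d -exec chmod 755 {} +
find /etc/varnish/ -type f -exec chmod 644 {} +
chown -R root:root /etc/varnish/
systemctl enable --now vhost-reload-varnish.path
## /usr/bin/varnishncsa

# --- mini_sendmail so users can send out of jails --------------------------
cd /usr/local/src || die "cannot cd to /usr/local/src"
# NOTE: acme.com serves this tarball over plain http and publishes no
# checksum, so its contents cannot be verified here before 'make' runs as root.
wget -O mini_sendmail-1.3.9.tar.gz http://www.acme.com/software/mini_sendmail/mini_sendmail-1.3.9.tar.gz \
  || die "download of mini_sendmail failed"
tar zxf mini_sendmail-1.3.9.tar.gz || die "extracting mini_sendmail failed"
cd mini_sendmail-1.3.9/ || die "mini_sendmail source dir missing"
make || die "building mini_sendmail failed"
cp mini_sendmail /usr/local/sbin
gzip -f mini_sendmail.8
install --directory /usr/local/share/man/man8
cp mini_sendmail.8.gz /usr/local/share/man/man8
cd "$repo_dir" || die "cannot cd to $repo_dir"

# --- vhost scripts ---------------------------------------------------------
chmod 755 bin/*
cp bin/* /usr/local/bin/ || die "installing bin/ scripts failed"
chmod 755 sbin/*
cp sbin/* /usr/local/sbin/ || die "installing sbin/ scripts failed"

# --- firewall: open http (80) and https (443) when firewalld is present ----
if [[ -d /etc/firewalld/ ]]; then
  firewall-cmd --zone=public --add-service=http
  firewall-cmd --permanent --zone=public --add-service=http
  firewall-cmd --zone=public --add-service=https
  firewall-cmd --permanent --zone=public --add-service=https
else
  printf '%s\n' "NOTICE: firewalld not installed, not opening http ports in firewall."
fi

printf '\n%s\n' "To enable the default https host install letsencrypt-tools and then run:"
printf '%s\n' \
  "letsencrypt-certonly.sh -d $fqdn" \
  "a2ensite 000-default-ssl.conf" \
  "systemctl reload apache2"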