diff --git a/etc/apache2/conf-available/phpMyAdmin.conf b/etc/apache2/conf-available/phpMyAdmin.conf
index d37d90f..e6e3ed3 100644
--- a/etc/apache2/conf-available/phpMyAdmin.conf
+++ b/etc/apache2/conf-available/phpMyAdmin.conf
@@ -14,6 +14,6 @@ SetExternalAuthMethod pwauth pipe
# this is to force the default fpm, so we don't end up trying to use a virtualhosts jailed fpm which won't work
- SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost"
diff --git a/etc/apache2/mods-available/macro.conf b/etc/apache2/mods-available/macro.conf
index 96d80b6..2c91721 100644
--- a/etc/apache2/mods-available/macro.conf
+++ b/etc/apache2/mods-available/macro.conf
@@ -38,7 +38,7 @@
RewriteCond %{REQUEST_URI} ^/cgi-bin/.*
RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT]
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
@@ -51,7 +51,7 @@
DocumentRoot /srv/www/$vhost/html/$subdomain
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
@@ -77,7 +77,7 @@
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
@@ -92,7 +92,7 @@
RewriteCond %{REQUEST_URI} ^/cgi-bin/.*
RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT]
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
SSLEngine on
SSLCertificateFile /etc/ssl/letsencrypt/$vhost.pem
@@ -128,7 +128,7 @@
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
@@ -138,7 +138,7 @@
DocumentRoot /srv/www/$vhost/html/$subdomain
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
SSLEngine on
SSLCertificateFile /etc/ssl/letsencrypt/$subdomain.$vhost.pem
@@ -159,7 +159,7 @@
RewriteCond %{REQUEST_URI} ^/cgi-bin/.*
RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT]
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
@@ -186,7 +186,7 @@
DocumentRoot /srv/www/$vhost/html/$subdomain
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
@@ -278,7 +278,7 @@
RewriteCond %{REQUEST_URI} ^/cgi-bin/.*
RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT]
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
@@ -303,7 +303,7 @@
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
@@ -318,7 +318,7 @@
RewriteCond %{REQUEST_URI} ^/cgi-bin/.*
RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT]
- SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+ SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
SSLEngine on
SSLCertificateFile /etc/ssl/letsencrypt/$alias.pem
diff --git a/etc/apache2/mods-available/ssl.conf b/etc/apache2/mods-available/ssl.conf
deleted file mode 100644
index 7e36463..0000000
--- a/etc/apache2/mods-available/ssl.conf
+++ /dev/null
@@ -1,85 +0,0 @@
-
-
- # Pseudo Random Number Generator (PRNG):
- # Configure one or more sources to seed the PRNG of the SSL library.
- # The seed data should be of good random quality.
- # WARNING! On some platforms /dev/random blocks if not enough entropy
- # is available. This means you then cannot use the /dev/random device
- # because it would lead to very long connection times (as long as
- # it requires to make more entropy available). But usually those
- # platforms additionally provide a /dev/urandom device which doesn't
- # block. So, if available, use this one instead. Read the mod_ssl User
- # Manual for more details.
- #
- SSLRandomSeed startup builtin
- SSLRandomSeed startup file:/dev/urandom 512
- SSLRandomSeed connect builtin
- SSLRandomSeed connect file:/dev/urandom 512
-
- ##
- ## SSL Global Context
- ##
- ## All SSL configuration in this context applies both to
- ## the main server and all SSL-enabled virtual hosts.
- ##
-
- #
- # Some MIME-types for downloading Certificates and CRLs
- #
- AddType application/x-x509-ca-cert .crt
- AddType application/x-pkcs7-crl .crl
-
- # Pass Phrase Dialog:
- # Configure the pass phrase gathering process.
- # The filtering dialog program (`builtin' is a internal
- # terminal dialog) has to provide the pass phrase on stdout.
- SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
-
- # Inter-Process Session Cache:
- # Configure the SSL Session Cache: First the mechanism
- # to use and second the expiring timeout (in seconds).
- # (The mechanism dbm has known memory leaks and should not be used).
- #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
- SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
- SSLSessionCacheTimeout 300
-
- # Semaphore:
- # Configure the path to the mutual exclusion semaphore the
- # SSL engine uses internally for inter-process synchronization.
- # (Disabled by default, the global Mutex directive consolidates by default
- # this)
- #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
-
-
- # SSL Cipher Suite:
- # List the ciphers that the client is permitted to negotiate. See the
- # ciphers(1) man page from the openssl package for list of all available
- # options.
- # Enable only secure ciphers:
- SSLCipherSuite HIGH:!aNULL
-
- # SSL server cipher order preference:
- # Use server priorities for cipher algorithm choice.
- # Clients may prefer lower grade encryption. You should enable this
- # option if you want to enforce stronger encryption, and can afford
- # the CPU cost, and did not override SSLCipherSuite in a way that puts
- # insecure ciphers first.
- # Default: Off
- #SSLHonorCipherOrder on
-
- # The protocols to enable.
- # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
- # SSL v2 is no longer supported
- SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-
- # Allow insecure renegotiation with clients which do not yet support the
- # secure renegotiation protocol. Default: Off
- #SSLInsecureRenegotiation on
-
- # Whether to forbid non-SNI clients to access name based virtual hosts.
- # Default: Off
- #SSLStrictSNIVHostCheck On
-
-
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/etc/varnish/default.vcl b/etc/varnish/default.vcl
index e7dfdfa..753e556 100644
--- a/etc/varnish/default.vcl
+++ b/etc/varnish/default.vcl
@@ -5,15 +5,14 @@
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
-# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
-# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.
+# See the VCL chapters in the Users Guide for a comprehensive documentation
+# at https://www.varnish-cache.org/docs/.
#
# validate config with:
# varnishd -C -f /etc/varnish/default.vcl
-# https://varnish-cache.org/docs/6.2/
#
-# Marker to tell the VCL compiler that this VCL has been adapted to the
-# new 4.0 format.
+# Marker to tell the VCL compiler that this VCL has been written with the
+# 4.0 or 4.1 syntax.
vcl 4.0;
import std;
diff --git a/install.sh b/install.sh
index b135ef9..f55a442 100755
--- a/install.sh
+++ b/install.sh
@@ -6,8 +6,8 @@ if [ "${EUID}" -ne 0 ]; then
fi
# check for Ubuntu 20.04
-if ! grep -q "Ubuntu 20.04" /etc/issue; then
- echo "This installer is only tested on Ubuntu 20.04. If you are on a"
+if ! grep -q "Ubuntu 22.04" /etc/issue; then
+ echo "This installer is only tested on Ubuntu 22.04. If you are on a"
echo "different version of Ubuntu or a Debian/Debian based distro"
echo "and want to try running this installer open this script and"
echo "comment out the exit command below this line and re-run."
@@ -32,6 +32,9 @@ fi
apt-get update
+# modify policy-rc.d so that packages automatically start/restart/stop after install/upgrade/uninstall
+sed -i "s|exit 101|exit 0|g" /usr/sbin/policy-rc.d
+
# install pwgen, used to create random passwords
apt -y install pwgen
@@ -40,29 +43,30 @@ if [ ! -d "/etc/mysql/" ]; then
MARIADBPWORD=`pwgen 12 1`
apt -y install mariadb-client mariadb-server
- # record the initial root password
- echo "#[client]" > /root/.my.cnf
- echo "#password=$MARIADBPWORD" >> /root/.my.cnf
- echo '!include /etc/mysql/debian.cnf' >> /root/.my.cnf
- chmod 600 /root/.my.cnf
- mysql -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$MARIADBPWORD');"
- sed -i "s|password = |password = $MARIADBPWORD|g" /etc/mysql/debian.cnf
+ # set unix_socket auth for root
+ mysql -e "GRANT ALL ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION"
+ # create nagios user for monitoring server status only
mysql -e "CREATE USER 'nagios'@'localhost' IDENTIFIED WITH mysql_native_password AS '';"
mysqladmin flush-privileges
fi
# Apache w/ PHP
-apt -y install apache2 libapache2-mod-authnz-pam libwww-perl php-fpm php-cli php-ssh2 php-curl php-dev php-enchant php-mysql php-pear php-gd php-http php-imap php-intl php-mysql php-yaml php-propro php-pspell php-raphf php-ssh2 php-sqlite3 php-tidy php-xml php-xmlrpc php-zip php-mbstring php-imagick php-redis redis pwauth libapache2-mod-authnz-external
-## http2 handled automatically now. double check. also look in to vhost log format
+apt -y install apache2 libapache2-mod-authnz-pam libwww-perl php-fpm php-cli php-ssh2 php-curl php-dev php-enchant php-mysql php-pear php-gd php-http php-imap php-intl php-mysql php-yaml php-pspell php-raphf php-ssh2 php-sqlite3 php-tidy php-xml php-xmlrpc php-zip php-mbstring php-imagick php-redis redis pwauth libapache2-mod-authnz-external
+
+## http2 handled automatically now.
+## http2 doesn't support logio, so look in to vhost log format
+
# force https for phpMyAdmin ??
cp etc/apache2/conf-available/* /etc/apache2/conf-available/
chmod 644 /etc/apache2/conf-available/*.conf
chown root:root /etc/apache2/conf-available/*.conf
-a2enconf php7.4-fpm phpMyAdmin
+a2enconf php8.1-fpm phpMyAdmin
cp etc/apache2/mods-available/* /etc/apache2/mods-available/
chmod 644 /etc/apache2/mods-available/*.conf
chown root:root /etc/apache2/mods-available/*.conf
+# enable TLSv1.2 only
+sed -i "s|SSLProtocol all -SSLv3|SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1|g" /etc/apache2/mods-available/ssl.conf
# set vhost subodmain to domain name of server, users may want to consider changing this to a custom domain.
vhostdomain=`hostname -d`
sed -i "s|.example.com|.$vhostdomain|g" /etc/apache2/mods-available/macro.conf
@@ -89,22 +93,22 @@ echo ' Require all granted' >> /etc/apache2/conf-available/security.conf
echo '' >> /etc/apache2/conf-available/security.conf
# configure php
-sed -i "s|post_max_size = 8M|post_max_size = 256M|g" /etc/php/7.4/fpm/php.ini
-sed -i "s|upload_max_filesize = 2M|upload_max_filesize = 256M|g" /etc/php/7.4/fpm/php.ini
-sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/7.4/fpm/php.ini
-sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/7.4/cli/php.ini
+sed -i "s|post_max_size = 8M|post_max_size = 256M|g" /etc/php/8.1/fpm/php.ini
+sed -i "s|upload_max_filesize = 2M|upload_max_filesize = 256M|g" /etc/php/8.1/fpm/php.ini
+sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/8.1/fpm/php.ini
+sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/8.1/cli/php.ini
# Change Debian/Ubuntu session settings back to php defaults for compatability with user jails & php chroots
-sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/7.4/fpm/php.ini
-sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/7.4/cli/php.ini
-sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/7.4/fpm/php.ini
-sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/7.4/cli/php.ini
+sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/8.1/fpm/php.ini
+sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/8.1/cli/php.ini
+sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/8.1/fpm/php.ini
+sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/8.1/cli/php.ini
# Configure PHP-FPM to use "ondemand"
-sed -i "s|pm = dynamic|pm = ondemand|g" /etc/php/7.4/fpm/pool.d/www.conf
+sed -i "s|pm = dynamic|pm = ondemand|g" /etc/php/8.1/fpm/pool.d/www.conf
systemctl reload apache2
## configure overrides
# sed -i "s|^user = www-data|user = $USERNAME|g" /etc/php/7.2/fpm/pool.d/www.conf
# sed -i "s|^group = www-data|group = $USERNAME|g" /etc/php/7.2/fpm/pool.d/www.conf
-systemctl reload php7.4-fpm
+systemctl reload php8.1-fpm
if [ -d /srv/www ]; then
if [ -d /var/www ]; then
@@ -146,13 +150,14 @@ chown vhost:vhost /srv/www/html/status.php
# phpMyAdmin
apt -y install php-bz2 php-tcpdf
cd /usr/local/src
-wget https://files.phpmyadmin.net/phpMyAdmin/5.1.1/phpMyAdmin-5.1.1-all-languages.tar.gz
-tar zxf phpMyAdmin-5.1.1-all-languages.tar.gz
-rm -r phpMyAdmin-5.1.1-all-languages/setup/
-if [ -d "phpMyAdmin-5.1.1-all-languages/test/" ]; then
- rm -r phpMyAdmin-5.1.1-all-languages/test/
+wget https://files.phpmyadmin.net/phpMyAdmin/5.2.0/phpMyAdmin-5.2.0-all-languages.tar.gz
+tar zxf phpMyAdmin-5.2.0-all-languages.tar.gz
+rm -r phpMyAdmin-5.2.0-all-languages/setup/
+if [ -d "phpMyAdmin-5.2.0-all-languages/test/" ]; then
+ rm -r phpMyAdmin-5.2.0-all-languages/test/
fi
-mv phpMyAdmin-5.1.1-all-languages /srv/www/html/phpMyAdmin
+mv phpMyAdmin-5.2.0-all-languages /srv/www/html/phpMyAdmin
+cd -
cp html/phpMyAdmin/config.inc.php /srv/www/html/phpMyAdmin/config.inc.php
blowfish_secret=`pwgen 32 -1`
sed -i "s|changeme|$blowfish_secret|g" /srv/www/html/phpMyAdmin/config.inc.php
@@ -162,8 +167,6 @@ chown -R vhost:vhost /srv/www/html/phpMyAdmin
# jailkit
apt -y install jailkit
-# bugfix, fixed upstream, shouldn't be needed if jailkit package gets updated
-sed -i "s/if (not config.has_key('hardlink')):/if ('hardlink' not in config):/g" /usr/sbin/jk_update
sed -i 's|paths = ssh|paths = /usr/bin/ssh*|' /etc/jailkit/jk_init.ini
sed -i "s|paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5|paths = /usr/bin/perl, /usr/lib/x86_64-linux-gnu/perl, /usr/lib/x86_64-linux-gnu/perl-base, /usr/share/perl, /usr/share/perl5|g" /etc/jailkit/jk_init.ini
echo "" >> /etc/jailkit/jk_init.ini
@@ -186,8 +189,6 @@ echo "paths = /usr/bin/erb. /usr/bin/gem, /usr/bin/irb, /usr/bin/rdoc, /usr/bin/
# varnish
apt -y install varnish
-# systemctl disable varnish
-# service varnish stop
cp -a etc/varnish/* /etc/varnish/
find /etc/varnish/ -type d -exec chmod 755 {} +
find /etc/varnish/ -type f -exec chmod 644 {} +
@@ -216,6 +217,7 @@ make
cp mini_sendmail /usr/local/sbin
gzip mini_sendmail.8
cp mini_sendmail.8.gz /usr/local/share/man/man8
+cd ../vhost-stack/
# install vhost scripts
chmod 755 bin/*