From fdad410e5874e21e4eedbc6d3ae46d718cf29d9f Mon Sep 17 00:00:00 2001 From: Matthew Saunders Brown Date: Mon, 29 Aug 2022 15:32:56 -0700 Subject: [PATCH] update for ubuntu 22.04 --- etc/apache2/conf-available/phpMyAdmin.conf | 2 +- etc/apache2/mods-available/macro.conf | 22 +++--- etc/apache2/mods-available/ssl.conf | 85 ---------------------- etc/varnish/default.vcl | 9 +-- install.sh | 66 +++++++++-------- 5 files changed, 50 insertions(+), 134 deletions(-) delete mode 100644 etc/apache2/mods-available/ssl.conf diff --git a/etc/apache2/conf-available/phpMyAdmin.conf b/etc/apache2/conf-available/phpMyAdmin.conf index d37d90f..e6e3ed3 100644 --- a/etc/apache2/conf-available/phpMyAdmin.conf +++ b/etc/apache2/conf-available/phpMyAdmin.conf @@ -14,6 +14,6 @@ SetExternalAuthMethod pwauth pipe # this is to force the default fpm, so we don't end up trying to use a virtualhosts jailed fpm which won't work - SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost" diff --git a/etc/apache2/mods-available/macro.conf b/etc/apache2/mods-available/macro.conf index 96d80b6..2c91721 100644 --- a/etc/apache2/mods-available/macro.conf +++ b/etc/apache2/mods-available/macro.conf @@ -38,7 +38,7 @@ RewriteCond %{REQUEST_URI} ^/cgi-bin/.* RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" @@ -51,7 +51,7 @@ DocumentRoot /srv/www/$vhost/html/$subdomain - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" @@ -77,7 +77,7 @@ - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" @@ -92,7 +92,7 @@ RewriteCond %{REQUEST_URI} ^/cgi-bin/.* RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" SSLEngine on SSLCertificateFile /etc/ssl/letsencrypt/$vhost.pem @@ -128,7 +128,7 @@ - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" @@ -138,7 +138,7 @@ DocumentRoot /srv/www/$vhost/html/$subdomain - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" SSLEngine on SSLCertificateFile /etc/ssl/letsencrypt/$subdomain.$vhost.pem @@ -159,7 +159,7 @@ RewriteCond %{REQUEST_URI} ^/cgi-bin/.* RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" @@ -186,7 +186,7 @@ DocumentRoot /srv/www/$vhost/html/$subdomain - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" @@ -278,7 +278,7 @@ RewriteCond %{REQUEST_URI} ^/cgi-bin/.* RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" @@ -303,7 +303,7 @@ - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" @@ -318,7 +318,7 @@ RewriteCond %{REQUEST_URI} ^/cgi-bin/.* RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] - SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost" + SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost" SSLEngine on SSLCertificateFile /etc/ssl/letsencrypt/$alias.pem diff --git a/etc/apache2/mods-available/ssl.conf b/etc/apache2/mods-available/ssl.conf deleted file mode 100644 index 7e36463..0000000 --- a/etc/apache2/mods-available/ssl.conf +++ /dev/null @@ -1,85 +0,0 @@ - - - # Pseudo Random Number Generator (PRNG): - # Configure one or more sources to seed the PRNG of the SSL library. - # The seed data should be of good random quality. - # WARNING! On some platforms /dev/random blocks if not enough entropy - # is available. This means you then cannot use the /dev/random device - # because it would lead to very long connection times (as long as - # it requires to make more entropy available). But usually those - # platforms additionally provide a /dev/urandom device which doesn't - # block. So, if available, use this one instead. Read the mod_ssl User - # Manual for more details. - # - SSLRandomSeed startup builtin - SSLRandomSeed startup file:/dev/urandom 512 - SSLRandomSeed connect builtin - SSLRandomSeed connect file:/dev/urandom 512 - - ## - ## SSL Global Context - ## - ## All SSL configuration in this context applies both to - ## the main server and all SSL-enabled virtual hosts. - ## - - # - # Some MIME-types for downloading Certificates and CRLs - # - AddType application/x-x509-ca-cert .crt - AddType application/x-pkcs7-crl .crl - - # Pass Phrase Dialog: - # Configure the pass phrase gathering process. - # The filtering dialog program (`builtin' is a internal - # terminal dialog) has to provide the pass phrase on stdout. - SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase - - # Inter-Process Session Cache: - # Configure the SSL Session Cache: First the mechanism - # to use and second the expiring timeout (in seconds). - # (The mechanism dbm has known memory leaks and should not be used). - #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache - SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) - SSLSessionCacheTimeout 300 - - # Semaphore: - # Configure the path to the mutual exclusion semaphore the - # SSL engine uses internally for inter-process synchronization. - # (Disabled by default, the global Mutex directive consolidates by default - # this) - #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache - - - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. See the - # ciphers(1) man page from the openssl package for list of all available - # options. - # Enable only secure ciphers: - SSLCipherSuite HIGH:!aNULL - - # SSL server cipher order preference: - # Use server priorities for cipher algorithm choice. - # Clients may prefer lower grade encryption. You should enable this - # option if you want to enforce stronger encryption, and can afford - # the CPU cost, and did not override SSLCipherSuite in a way that puts - # insecure ciphers first. - # Default: Off - #SSLHonorCipherOrder on - - # The protocols to enable. - # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 - # SSL v2 is no longer supported - SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - - # Allow insecure renegotiation with clients which do not yet support the - # secure renegotiation protocol. Default: Off - #SSLInsecureRenegotiation on - - # Whether to forbid non-SNI clients to access name based virtual hosts. - # Default: Off - #SSLStrictSNIVHostCheck On - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/etc/varnish/default.vcl b/etc/varnish/default.vcl index e7dfdfa..753e556 100644 --- a/etc/varnish/default.vcl +++ b/etc/varnish/default.vcl @@ -5,15 +5,14 @@ # builtin VCL. The builtin VCL is called when there is no explicit # return statement. # -# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/ -# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples. +# See the VCL chapters in the Users Guide for a comprehensive documentation +# at https://www.varnish-cache.org/docs/. # # validate config with: # varnishd -C -f /etc/varnish/default.vcl -# https://varnish-cache.org/docs/6.2/ # -# Marker to tell the VCL compiler that this VCL has been adapted to the -# new 4.0 format. +# Marker to tell the VCL compiler that this VCL has been written with the +# 4.0 or 4.1 syntax. vcl 4.0; import std; diff --git a/install.sh b/install.sh index b135ef9..f55a442 100755 --- a/install.sh +++ b/install.sh @@ -6,8 +6,8 @@ if [ "${EUID}" -ne 0 ]; then fi # check for Ubuntu 20.04 -if ! grep -q "Ubuntu 20.04" /etc/issue; then - echo "This installer is only tested on Ubuntu 20.04. If you are on a" +if ! grep -q "Ubuntu 22.04" /etc/issue; then + echo "This installer is only tested on Ubuntu 22.04. If you are on a" echo "different version of Ubuntu or a Debian/Debian based distro" echo "and want to try running this installer open this script and" echo "comment out the exit command below this line and re-run." @@ -32,6 +32,9 @@ fi apt-get update +# modify policy-rc.d so that packages automatically start/restart/stop after install/upgrade/uninstall +sed -i "s|exit 101|exit 0|g" /usr/sbin/policy-rc.d + # install pwgen, used to create random passwords apt -y install pwgen @@ -40,29 +43,30 @@ if [ ! -d "/etc/mysql/" ]; then MARIADBPWORD=`pwgen 12 1` apt -y install mariadb-client mariadb-server - # record the initial root password - echo "#[client]" > /root/.my.cnf - echo "#password=$MARIADBPWORD" >> /root/.my.cnf - echo '!include /etc/mysql/debian.cnf' >> /root/.my.cnf - chmod 600 /root/.my.cnf - mysql -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$MARIADBPWORD');" - sed -i "s|password = |password = $MARIADBPWORD|g" /etc/mysql/debian.cnf + # set unix_socket auth for root + mysql -e "GRANT ALL ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION" + # create nagios user for monitoring server status only mysql -e "CREATE USER 'nagios'@'localhost' IDENTIFIED WITH mysql_native_password AS '';" mysqladmin flush-privileges fi # Apache w/ PHP -apt -y install apache2 libapache2-mod-authnz-pam libwww-perl php-fpm php-cli php-ssh2 php-curl php-dev php-enchant php-mysql php-pear php-gd php-http php-imap php-intl php-mysql php-yaml php-propro php-pspell php-raphf php-ssh2 php-sqlite3 php-tidy php-xml php-xmlrpc php-zip php-mbstring php-imagick php-redis redis pwauth libapache2-mod-authnz-external -## http2 handled automatically now. double check. also look in to vhost log format +apt -y install apache2 libapache2-mod-authnz-pam libwww-perl php-fpm php-cli php-ssh2 php-curl php-dev php-enchant php-mysql php-pear php-gd php-http php-imap php-intl php-mysql php-yaml php-pspell php-raphf php-ssh2 php-sqlite3 php-tidy php-xml php-xmlrpc php-zip php-mbstring php-imagick php-redis redis pwauth libapache2-mod-authnz-external + +## http2 handled automatically now. +## http2 doesn't support logio, so look in to vhost log format + # force https for phpMyAdmin ?? cp etc/apache2/conf-available/* /etc/apache2/conf-available/ chmod 644 /etc/apache2/conf-available/*.conf chown root:root /etc/apache2/conf-available/*.conf -a2enconf php7.4-fpm phpMyAdmin +a2enconf php8.1-fpm phpMyAdmin cp etc/apache2/mods-available/* /etc/apache2/mods-available/ chmod 644 /etc/apache2/mods-available/*.conf chown root:root /etc/apache2/mods-available/*.conf +# enable TLSv1.2 only +sed -i "s|SSLProtocol all -SSLv3|SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1|g" /etc/apache2/mods-available/ssl.conf # set vhost subodmain to domain name of server, users may want to consider changing this to a custom domain. vhostdomain=`hostname -d` sed -i "s|.example.com|.$vhostdomain|g" /etc/apache2/mods-available/macro.conf @@ -89,22 +93,22 @@ echo ' Require all granted' >> /etc/apache2/conf-available/security.conf echo '' >> /etc/apache2/conf-available/security.conf # configure php -sed -i "s|post_max_size = 8M|post_max_size = 256M|g" /etc/php/7.4/fpm/php.ini -sed -i "s|upload_max_filesize = 2M|upload_max_filesize = 256M|g" /etc/php/7.4/fpm/php.ini -sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/7.4/fpm/php.ini -sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/7.4/cli/php.ini +sed -i "s|post_max_size = 8M|post_max_size = 256M|g" /etc/php/8.1/fpm/php.ini +sed -i "s|upload_max_filesize = 2M|upload_max_filesize = 256M|g" /etc/php/8.1/fpm/php.ini +sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/8.1/fpm/php.ini +sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/8.1/cli/php.ini # Change Debian/Ubuntu session settings back to php defaults for compatability with user jails & php chroots -sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/7.4/fpm/php.ini -sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/7.4/cli/php.ini -sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/7.4/fpm/php.ini -sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/7.4/cli/php.ini +sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/8.1/fpm/php.ini +sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/8.1/cli/php.ini +sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/8.1/fpm/php.ini +sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/8.1/cli/php.ini # Configure PHP-FPM to use "ondemand" -sed -i "s|pm = dynamic|pm = ondemand|g" /etc/php/7.4/fpm/pool.d/www.conf +sed -i "s|pm = dynamic|pm = ondemand|g" /etc/php/8.1/fpm/pool.d/www.conf systemctl reload apache2 ## configure overrides # sed -i "s|^user = www-data|user = $USERNAME|g" /etc/php/7.2/fpm/pool.d/www.conf # sed -i "s|^group = www-data|group = $USERNAME|g" /etc/php/7.2/fpm/pool.d/www.conf -systemctl reload php7.4-fpm +systemctl reload php8.1-fpm if [ -d /srv/www ]; then if [ -d /var/www ]; then @@ -146,13 +150,14 @@ chown vhost:vhost /srv/www/html/status.php # phpMyAdmin apt -y install php-bz2 php-tcpdf cd /usr/local/src -wget https://files.phpmyadmin.net/phpMyAdmin/5.1.1/phpMyAdmin-5.1.1-all-languages.tar.gz -tar zxf phpMyAdmin-5.1.1-all-languages.tar.gz -rm -r phpMyAdmin-5.1.1-all-languages/setup/ -if [ -d "phpMyAdmin-5.1.1-all-languages/test/" ]; then - rm -r phpMyAdmin-5.1.1-all-languages/test/ +wget https://files.phpmyadmin.net/phpMyAdmin/5.2.0/phpMyAdmin-5.2.0-all-languages.tar.gz +tar zxf phpMyAdmin-5.2.0-all-languages.tar.gz +rm -r phpMyAdmin-5.2.0-all-languages/setup/ +if [ -d "phpMyAdmin-5.2.0-all-languages/test/" ]; then + rm -r phpMyAdmin-5.2.0-all-languages/test/ fi -mv phpMyAdmin-5.1.1-all-languages /srv/www/html/phpMyAdmin +mv phpMyAdmin-5.2.0-all-languages /srv/www/html/phpMyAdmin +cd - cp html/phpMyAdmin/config.inc.php /srv/www/html/phpMyAdmin/config.inc.php blowfish_secret=`pwgen 32 -1` sed -i "s|changeme|$blowfish_secret|g" /srv/www/html/phpMyAdmin/config.inc.php @@ -162,8 +167,6 @@ chown -R vhost:vhost /srv/www/html/phpMyAdmin # jailkit apt -y install jailkit -# bugfix, fixed upstream, shouldn't be needed if jailkit package gets updated -sed -i "s/if (not config.has_key('hardlink')):/if ('hardlink' not in config):/g" /usr/sbin/jk_update sed -i 's|paths = ssh|paths = /usr/bin/ssh*|' /etc/jailkit/jk_init.ini sed -i "s|paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5|paths = /usr/bin/perl, /usr/lib/x86_64-linux-gnu/perl, /usr/lib/x86_64-linux-gnu/perl-base, /usr/share/perl, /usr/share/perl5|g" /etc/jailkit/jk_init.ini echo "" >> /etc/jailkit/jk_init.ini @@ -186,8 +189,6 @@ echo "paths = /usr/bin/erb. /usr/bin/gem, /usr/bin/irb, /usr/bin/rdoc, /usr/bin/ # varnish apt -y install varnish -# systemctl disable varnish -# service varnish stop cp -a etc/varnish/* /etc/varnish/ find /etc/varnish/ -type d -exec chmod 755 {} + find /etc/varnish/ -type f -exec chmod 644 {} + @@ -216,6 +217,7 @@ make cp mini_sendmail /usr/local/sbin gzip mini_sendmail.8 cp mini_sendmail.8.gz /usr/local/share/man/man8 +cd ../vhost-stack/ # install vhost scripts chmod 755 bin/*