update for ubuntu 22.04

etc/apache2/conf-available/phpMyAdmin.conf

@@ -14,6 +14,6 @@ SetExternalAuthMethod pwauth pipe
 # this is to force the default fpm, so we don't end up trying to use a virtualhosts jailed fpm which won't work
 <Directory "/srv/www/html/phpMyAdmin">
   <FilesMatch ".+\.ph(ar|p|tml)$">
-    SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
+    SetHandler "proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost"
   </FilesMatch>
 </Directory>

etc/apache2/mods-available/macro.conf

@@ -38,7 +38,7 @@
     RewriteCond %{REQUEST_URI} ^/cgi-bin/.*
     RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT]
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
   </VirtualHost>
 </Macro>
@@ -51,7 +51,7 @@
     </IfDefine>
     DocumentRoot  /srv/www/$vhost/html/$subdomain
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
   </VirtualHost>
 </Macro>
@@ -77,7 +77,7 @@
       </Location>
     </IfDefine>
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
   </VirtualHost>
   <VirtualHost *:443>
@@ -92,7 +92,7 @@
     RewriteCond %{REQUEST_URI} ^/cgi-bin/.*
     RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT]
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
     SSLEngine on
     SSLCertificateFile /etc/ssl/letsencrypt/$vhost.pem
@@ -128,7 +128,7 @@
       </Location>
     </IfDefine>
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
   </VirtualHost>
   <VirtualHost *:443>
@@ -138,7 +138,7 @@
     </IfDefine>
     DocumentRoot  /srv/www/$vhost/html/$subdomain
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
     SSLEngine on
     SSLCertificateFile /etc/ssl/letsencrypt/$subdomain.$vhost.pem
@@ -159,7 +159,7 @@
     RewriteCond %{REQUEST_URI} ^/cgi-bin/.*
     RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT]
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
   </VirtualHost>
   <VirtualHost *:443>
@@ -186,7 +186,7 @@
     </IfDefine>
     DocumentRoot  /srv/www/$vhost/html/$subdomain
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
   </VirtualHost>
   <VirtualHost *:443>
@@ -278,7 +278,7 @@
     RewriteCond %{REQUEST_URI} ^/cgi-bin/.*
     RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT]
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
   </VirtualHost>
 </Macro>
@@ -303,7 +303,7 @@
       </Location>
     </IfDefine>
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
   </VirtualHost>
   <VirtualHost *:443>
@@ -318,7 +318,7 @@
     RewriteCond %{REQUEST_URI} ^/cgi-bin/.*
     RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT]
     <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.1-fpm-$username.sock|fcgi://localhost"
     </FilesMatch>
     SSLEngine on
     SSLCertificateFile /etc/ssl/letsencrypt/$alias.pem

etc/apache2/mods-available/ssl.conf

@@ -1,85 +0,0 @@
-<IfModule mod_ssl.c>
-
-	# Pseudo Random Number Generator (PRNG):
-	# Configure one or more sources to seed the PRNG of the SSL library.
-	# The seed data should be of good random quality.
-	# WARNING! On some platforms /dev/random blocks if not enough entropy
-	# is available. This means you then cannot use the /dev/random device
-	# because it would lead to very long connection times (as long as
-	# it requires to make more entropy available). But usually those
-	# platforms additionally provide a /dev/urandom device which doesn't
-	# block. So, if available, use this one instead. Read the mod_ssl User
-	# Manual for more details.
-	#
-	SSLRandomSeed startup builtin
-	SSLRandomSeed startup file:/dev/urandom 512
-	SSLRandomSeed connect builtin
-	SSLRandomSeed connect file:/dev/urandom 512
-
-	##
-	##  SSL Global Context
-	##
-	##  All SSL configuration in this context applies both to
-	##  the main server and all SSL-enabled virtual hosts.
-	##
-
-	#
-	#   Some MIME-types for downloading Certificates and CRLs
-	#
-	AddType application/x-x509-ca-cert .crt
-	AddType application/x-pkcs7-crl	.crl
-
-	#   Pass Phrase Dialog:
-	#   Configure the pass phrase gathering process.
-	#   The filtering dialog program (`builtin' is a internal
-	#   terminal dialog) has to provide the pass phrase on stdout.
-	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
-
-	#   Inter-Process Session Cache:
-	#   Configure the SSL Session Cache: First the mechanism 
-	#   to use and second the expiring timeout (in seconds).
-	#   (The mechanism dbm has known memory leaks and should not be used).
-	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache
-	SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
-	SSLSessionCacheTimeout  300
-
-	#   Semaphore:
-	#   Configure the path to the mutual exclusion semaphore the
-	#   SSL engine uses internally for inter-process synchronization. 
-	#   (Disabled by default, the global Mutex directive consolidates by default
-	#   this)
-	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
-
-
-	#   SSL Cipher Suite:
-	#   List the ciphers that the client is permitted to negotiate. See the
-	#   ciphers(1) man page from the openssl package for list of all available
-	#   options.
-	#   Enable only secure ciphers:
-	SSLCipherSuite HIGH:!aNULL
-
-	# SSL server cipher order preference:
-	# Use server priorities for cipher algorithm choice.
-	# Clients may prefer lower grade encryption.  You should enable this
-	# option if you want to enforce stronger encryption, and can afford
-	# the CPU cost, and did not override SSLCipherSuite in a way that puts
-	# insecure ciphers first.
-	# Default: Off
-	#SSLHonorCipherOrder on
-
-	#   The protocols to enable.
-	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
-	#   SSL v2  is no longer supported
-	SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-
-	#   Allow insecure renegotiation with clients which do not yet support the
-	#   secure renegotiation protocol. Default: Off
-	#SSLInsecureRenegotiation on
-
-	#   Whether to forbid non-SNI clients to access name based virtual hosts.
-	#   Default: Off
-	#SSLStrictSNIVHostCheck On
-
-</IfModule>
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

etc/varnish/default.vcl

@@ -5,15 +5,14 @@
 # builtin VCL. The builtin VCL is called when there is no explicit
 # return statement.
 #
-# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
-# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.
+# See the VCL chapters in the Users Guide for a comprehensive documentation
+# at https://www.varnish-cache.org/docs/.
 #
 # validate config with:
 # varnishd -C -f /etc/varnish/default.vcl
-# https://varnish-cache.org/docs/6.2/
 #
-# Marker to tell the VCL compiler that this VCL has been adapted to the
-# new 4.0 format.
+# Marker to tell the VCL compiler that this VCL has been written with the
+# 4.0 or 4.1 syntax.
 vcl 4.0;
 
 import std;

install.sh

@@ -6,8 +6,8 @@ if [ "${EUID}" -ne 0 ]; then
 fi
 
 # check for Ubuntu 20.04
-if ! grep -q "Ubuntu 20.04" /etc/issue; then
-  echo "This installer is only tested on Ubuntu 20.04. If you are on a"
+if ! grep -q "Ubuntu 22.04" /etc/issue; then
+  echo "This installer is only tested on Ubuntu 22.04. If you are on a"
   echo "different version of Ubuntu or a Debian/Debian based distro"
   echo "and want to try running this installer open this script and"
   echo "comment out the exit command below this line and re-run."
@@ -32,6 +32,9 @@ fi
 
 apt-get update
 
+# modify policy-rc.d so that packages automatically start/restart/stop after install/upgrade/uninstall
+sed -i "s|exit 101|exit 0|g" /usr/sbin/policy-rc.d
+
 # install pwgen, used to create random passwords
 apt -y install pwgen
 
@@ -40,29 +43,30 @@ if [ ! -d "/etc/mysql/" ]; then
 
   MARIADBPWORD=`pwgen 12 1`
   apt -y install mariadb-client mariadb-server
-  # record the initial root password
-  echo "#[client]" > /root/.my.cnf
-  echo "#password=$MARIADBPWORD" >> /root/.my.cnf
-  echo '!include /etc/mysql/debian.cnf' >> /root/.my.cnf
-  chmod 600 /root/.my.cnf
-  mysql -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$MARIADBPWORD');"
-  sed -i "s|password = |password = $MARIADBPWORD|g" /etc/mysql/debian.cnf
+  # set unix_socket auth for root
+  mysql -e "GRANT ALL ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION"
+  # create nagios user for monitoring server status only
   mysql -e "CREATE USER 'nagios'@'localhost' IDENTIFIED WITH mysql_native_password AS '';"
   mysqladmin flush-privileges
 
 fi
 
 # Apache w/ PHP
-apt -y install apache2 libapache2-mod-authnz-pam libwww-perl php-fpm php-cli php-ssh2 php-curl php-dev php-enchant php-mysql php-pear php-gd php-http php-imap php-intl php-mysql php-yaml php-propro php-pspell php-raphf php-ssh2 php-sqlite3 php-tidy php-xml php-xmlrpc php-zip php-mbstring php-imagick php-redis redis pwauth libapache2-mod-authnz-external
-## http2 handled automatically now. double check. also look in to vhost log format
+apt -y install apache2 libapache2-mod-authnz-pam libwww-perl php-fpm php-cli php-ssh2 php-curl php-dev php-enchant php-mysql php-pear php-gd php-http php-imap php-intl php-mysql php-yaml php-pspell php-raphf php-ssh2 php-sqlite3 php-tidy php-xml php-xmlrpc php-zip php-mbstring php-imagick php-redis redis pwauth libapache2-mod-authnz-external
+
+## http2 handled automatically now.
+## http2 doesn't support logio, so look in to vhost log format
+
 # force https for phpMyAdmin ??
 cp etc/apache2/conf-available/* /etc/apache2/conf-available/
 chmod 644 /etc/apache2/conf-available/*.conf
 chown root:root /etc/apache2/conf-available/*.conf
-a2enconf php7.4-fpm phpMyAdmin
+a2enconf php8.1-fpm phpMyAdmin
 cp etc/apache2/mods-available/* /etc/apache2/mods-available/
 chmod 644 /etc/apache2/mods-available/*.conf
 chown root:root /etc/apache2/mods-available/*.conf
+# enable TLSv1.2 only
+sed -i "s|SSLProtocol all -SSLv3|SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1|g" /etc/apache2/mods-available/ssl.conf
 # set vhost subodmain to domain name of server, users may want to consider changing this to a custom domain.
 vhostdomain=`hostname -d`
 sed -i "s|.example.com|.$vhostdomain|g" /etc/apache2/mods-available/macro.conf
@@ -89,22 +93,22 @@ echo '    Require all granted' >> /etc/apache2/conf-available/security.conf
 echo '</Directory>' >> /etc/apache2/conf-available/security.conf
 
 # configure php
-sed -i "s|post_max_size = 8M|post_max_size = 256M|g" /etc/php/7.4/fpm/php.ini
-sed -i "s|upload_max_filesize = 2M|upload_max_filesize = 256M|g" /etc/php/7.4/fpm/php.ini
-sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/7.4/fpm/php.ini
-sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/7.4/cli/php.ini
+sed -i "s|post_max_size = 8M|post_max_size = 256M|g" /etc/php/8.1/fpm/php.ini
+sed -i "s|upload_max_filesize = 2M|upload_max_filesize = 256M|g" /etc/php/8.1/fpm/php.ini
+sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/8.1/fpm/php.ini
+sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/8.1/cli/php.ini
 # Change Debian/Ubuntu session settings back to php defaults for compatability with user jails & php chroots
-sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/7.4/fpm/php.ini
-sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/7.4/cli/php.ini
-sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/7.4/fpm/php.ini
-sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/7.4/cli/php.ini
+sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/8.1/fpm/php.ini
+sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/8.1/cli/php.ini
+sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/8.1/fpm/php.ini
+sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/8.1/cli/php.ini
 # Configure PHP-FPM to use "ondemand"
-sed -i "s|pm = dynamic|pm = ondemand|g" /etc/php/7.4/fpm/pool.d/www.conf
+sed -i "s|pm = dynamic|pm = ondemand|g" /etc/php/8.1/fpm/pool.d/www.conf
 systemctl reload apache2
 ##   configure overrides
 #   sed -i "s|^user = www-data|user = $USERNAME|g" /etc/php/7.2/fpm/pool.d/www.conf
 #   sed -i "s|^group = www-data|group = $USERNAME|g" /etc/php/7.2/fpm/pool.d/www.conf
-systemctl reload php7.4-fpm
+systemctl reload php8.1-fpm
 
 if [ -d /srv/www ]; then
   if [ -d /var/www ]; then
@@ -146,13 +150,14 @@ chown vhost:vhost /srv/www/html/status.php
 # phpMyAdmin
 apt -y install php-bz2 php-tcpdf
 cd /usr/local/src
-wget https://files.phpmyadmin.net/phpMyAdmin/5.1.1/phpMyAdmin-5.1.1-all-languages.tar.gz
-tar zxf phpMyAdmin-5.1.1-all-languages.tar.gz
-rm -r phpMyAdmin-5.1.1-all-languages/setup/
-if [ -d "phpMyAdmin-5.1.1-all-languages/test/" ]; then
-  rm -r phpMyAdmin-5.1.1-all-languages/test/
+wget https://files.phpmyadmin.net/phpMyAdmin/5.2.0/phpMyAdmin-5.2.0-all-languages.tar.gz
+tar zxf phpMyAdmin-5.2.0-all-languages.tar.gz
+rm -r phpMyAdmin-5.2.0-all-languages/setup/
+if [ -d "phpMyAdmin-5.2.0-all-languages/test/" ]; then
+  rm -r phpMyAdmin-5.2.0-all-languages/test/
 fi
-mv phpMyAdmin-5.1.1-all-languages /srv/www/html/phpMyAdmin
+mv phpMyAdmin-5.2.0-all-languages /srv/www/html/phpMyAdmin
+cd -
 cp html/phpMyAdmin/config.inc.php /srv/www/html/phpMyAdmin/config.inc.php
 blowfish_secret=`pwgen 32 -1`
 sed -i "s|changeme|$blowfish_secret|g" /srv/www/html/phpMyAdmin/config.inc.php
@@ -162,8 +167,6 @@ chown -R vhost:vhost /srv/www/html/phpMyAdmin
 
 # jailkit
 apt -y install jailkit
-# bugfix, fixed upstream, shouldn't be needed if jailkit package gets updated
-sed -i "s/if (not config.has_key('hardlink')):/if ('hardlink' not in config):/g" /usr/sbin/jk_update
 sed -i 's|paths = ssh|paths = /usr/bin/ssh*|' /etc/jailkit/jk_init.ini
 sed -i "s|paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5|paths = /usr/bin/perl, /usr/lib/x86_64-linux-gnu/perl, /usr/lib/x86_64-linux-gnu/perl-base, /usr/share/perl, /usr/share/perl5|g" /etc/jailkit/jk_init.ini
 echo "" >> /etc/jailkit/jk_init.ini
@@ -186,8 +189,6 @@ echo "paths = /usr/bin/erb. /usr/bin/gem, /usr/bin/irb, /usr/bin/rdoc, /usr/bin/
 
 # varnish
 apt -y install varnish
-# systemctl disable varnish
-# service varnish stop
 cp -a etc/varnish/* /etc/varnish/
 find /etc/varnish/ -type d -exec chmod 755 {} +
 find /etc/varnish/ -type f -exec chmod 644 {} +
@@ -216,6 +217,7 @@ make
 cp mini_sendmail /usr/local/sbin
 gzip mini_sendmail.8
 cp mini_sendmail.8.gz /usr/local/share/man/man8
+cd ../vhost-stack/
 
 # install vhost scripts
 chmod 755 bin/*