#!/bin/bash if [ "${EUID}" -ne 0 ]; then echo "You must be root to run this installer." exit fi # check for Ubuntu 20.04 if ! grep -q "Ubuntu 20.04" /etc/issue; then echo "This installer is only tested on Ubuntu 20.04. If you are on a" echo "different version of Ubuntu or a Debian/Debian based distro" echo "and want to try running this installer open this script and" echo "comment out the exit command below this line and re-run." exit fi # check if install is already in place if [ -f "/usr/local/bin/vhost.sh" ]; then echo "vhost-stack is already installed, bailing out." exit fi # check for existing web server software installs if [ -d "/etc/apache2/" ] || [ -d "/etc/php/" ] || [ -d "/etc/varnish/" ]; then echo echo "WARNING: Apache, Varnish and/or PHP are already installed." echo "This installer will overwrite existing configurations." echo -e "You have five seconds to execute ctrl-c to cancel this install.\a" echo sleep 5 fi apt-get update # install pwgen, used to create random passwords apt -y install pwgen # install mariadb (mysql) if [ ! -d "/etc/mysql/" ]; then MARIADBPWORD=`pwgen 12 1` apt -y install mariadb-client mariadb-server # record the initial root password echo "#[client]" > /root/.my.cnf echo "#password=$MARIADBPWORD" >> /root/.my.cnf echo '!include /etc/mysql/debian.cnf' >> /root/.my.cnf chmod 600 /root/.my.cnf mysql -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$MARIADBPWORD');" sed -i "s|password = |password = $MARIADBPWORD|g" /etc/mysql/debian.cnf mysql -e "CREATE USER 'nagios'@'localhost' IDENTIFIED WITH mysql_native_password AS '';" mysqladmin flush-privileges fi # Apache w/ PHP apt -y install apache2 libapache2-mod-authnz-pam libwww-perl php-fpm php-cli php-ssh2 php-curl php-dev php-enchant php-mysql php-pear php-gd php-http php-imap php-intl php-mysql php-yaml php-propro php-pspell php-raphf php-ssh2 php-sqlite3 php-tidy php-xml php-xmlrpc php-zip php-mbstring php-imagick php-redis redis pwauth libapache2-mod-authnz-external ## http2 handled automatically now. double check. also look in to vhost log format # force https for phpMyAdmin ?? cp etc/apache2/conf-available/* /etc/apache2/conf-available/ chmod 644 /etc/apache2/conf-available/*.conf chown root:root /etc/apache2/conf-available/*.conf a2enconf php7.4-fpm phpMyAdmin cp etc/apache2/mods-available/* /etc/apache2/mods-available/ chmod 644 /etc/apache2/mods-available/*.conf chown root:root /etc/apache2/mods-available/*.conf # set vhost subodmain to domain name of server, users may want to consider changing this to a custom domain. vhostdomain=`hostname -d` sed -i "s|.example.com|.$vhostdomain|g" /etc/apache2/mods-available/macro.conf # a2enmod proxy_fcgi rewrite headers expires ssl http2 remoteip macro a2enmod cgid proxy_fcgi proxy_http rewrite headers expires ssl http2 macro # # sed -i "s|CustomLog|#CustomLog|g" /etc/apache2/sites-available/000-default.conf sed -i "s|/var/www/html|/srv/www/html|g" /etc/apache2/sites-available/000-default.conf # # sed -i "s|CustomLog|#CustomLog|g" /etc/apache2/sites-available/default-ssl.conf sed -i "s|/var/www/html|/srv/www/html|g" /etc/apache2/sites-available/default-ssl.conf ## double check this next one after getting full setup going w/ haproxy & varnish sed -i "s|%h %l %u|%a %l %u|g" /etc/apache2/apache2.conf sed -i "s|other_vhosts_access.log|access.log|" /etc/apache2/conf-available/other-vhosts-access-log.conf rm /var/log/apache2/other_vhosts_access.log # configure security echo '' >> /etc/apache2/conf-available/security.conf echo ' AllowOverride All' >> /etc/apache2/conf-available/security.conf echo ' Options Includes FollowSymLinks' >> /etc/apache2/conf-available/security.conf echo ' Require all granted' >> /etc/apache2/conf-available/security.conf echo '' >> /etc/apache2/conf-available/security.conf echo '' >> /etc/apache2/conf-available/security.conf echo ' AllowOverride None' >> /etc/apache2/conf-available/security.conf echo ' Options none' >> /etc/apache2/conf-available/security.conf echo ' Require all granted' >> /etc/apache2/conf-available/security.conf echo '' >> /etc/apache2/conf-available/security.conf # configure php sed -i "s|post_max_size = 8M|post_max_size = 256M|g" /etc/php/7.4/fpm/php.ini sed -i "s|upload_max_filesize = 2M|upload_max_filesize = 256M|g" /etc/php/7.4/fpm/php.ini sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/7.4/fpm/php.ini sed -i "s|;date.timezone =|date.timezone = 'America/Los_Angeles'|g" /etc/php/7.4/cli/php.ini # Change Debian/Ubuntu session settings back to php defaults for compatability with user jails & php chroots sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/7.4/fpm/php.ini sed -i "s|;session.save_path = \"/var/lib/php/sessions\"|session.save_path = \"/tmp\"|g" /etc/php/7.4/cli/php.ini sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/7.4/fpm/php.ini sed -i "s|session.gc_probability = 0|session.gc_probability = 1|g" /etc/php/7.4/cli/php.ini # Configure PHP-FPM to use "ondemand" sed -i "s|pm = dynamic|pm = ondemand|g" /etc/php/7.4/fpm/pool.d/www.conf systemctl reload apache2 ## configure overrides # sed -i "s|^user = www-data|user = $USERNAME|g" /etc/php/7.2/fpm/pool.d/www.conf # sed -i "s|^group = www-data|group = $USERNAME|g" /etc/php/7.2/fpm/pool.d/www.conf systemctl reload php7.4-fpm if [ -d /srv/www ]; then if [ -d /var/www ]; then echo "WARNING: /srv/www & /var/www dirs both exists, skipping move of existing /var/www/ dir." fi else if [ -d /var/www ]; then mv /var/www /srv/www else install --owner=root --group=root --mode=755 --directory /srv/www fi ln -s /srv/www /var/www fi useradd --no-create-home --home-dir /srv/www --shell /usr/sbin/nologin --system --user-group vhost if [ -d /srv/www/html ]; then chown -R vhost:vhost /srv/www/html else install --owner=vhost --group=vhost --mode=755 --directory /srv/www/html fi # install status.php cp html/status.php /srv/www/html chmod 644 /srv/www/html/status.php chown vhost:vhost /srv/www/html/status.php # jailkit apt -y install jailkit # bugfix, fixed upstream, shouldn't be needed if jailkit package gets updated sed -i "s/if (not config.has_key('hardlink')):/if ('hardlink' not in config):/g" /usr/sbin/jk_update sed -i 's|paths = ssh|paths = /usr/bin/ssh*|' /etc/jailkit/jk_init.ini sed -i "s|paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5|paths = /usr/bin/perl, /usr/lib/x86_64-linux-gnu/perl, /usr/lib/x86_64-linux-gnu/perl-base, /usr/share/perl, /usr/share/perl5|g" /etc/jailkit/jk_init.ini echo "" >> /etc/jailkit/jk_init.ini echo "[shellstack]" >> /etc/jailkit/jk_init.ini echo "comment = full featured shell for vhost-stack jails" >> /etc/jailkit/jk_init.ini echo "paths = curl, dircolors, du, env, git, groups, mysql, mysqldump, /etc/bash_completion, /etc/bash_completion.d/, /usr/share/bash-completion/, /etc/ssl/certs/, /etc/nanorc, /usr/local/libexec/command-not-found-handle, /usr/share/nano/, /usr/share/zoneinfo/, /usr/local/bin/composer, /usr/local/bin/wp, /usr/local/sbin/mini_sendmail" >> /etc/jailkit/jk_init.ini echo "includesections = extendedshell, netutils, logbasics, apacheutils, php" >> /etc/jailkit/jk_init.ini echo "" >> /etc/jailkit/jk_init.ini echo "[php]" >> /etc/jailkit/jk_init.ini echo "comment = php-cli and all required files" >> /etc/jailkit/jk_init.ini echo "paths = /usr/bin/php*, /usr/bin/phar*, /etc/php/*/cli/, /etc/php/*/mods-available/, /usr/lib/php/, /usr/share/php/" >> /etc/jailkit/jk_init.ini echo "" >> /etc/jailkit/jk_init.ini echo "[python3]" >> /etc/jailkit/jk_init.ini echo "comment = the python3 interpreter and libraries" >> /etc/jailkit/jk_init.ini echo "paths = /usr/bin/python3, /usr/lib/python3, /usr/lib/python3.8, /usr/share/doc/python3, /usr/share/doc/python3-minimal, /usr/share/python3, /usr/share/man/man1/python3.1.gz" >> /etc/jailkit/jk_init.ini echo "" >> /etc/jailkit/jk_init.ini echo "[ruby]" >> /etc/jailkit/jk_init.ini echo "comment = the ruby interpreter and libraries" >> /etc/jailkit/jk_init.ini echo "paths = /usr/bin/erb. /usr/bin/gem, /usr/bin/irb, /usr/bin/rdoc, /usr/bin/ri, /usr/bin/ruby, /usr/share/doc/ruby, /usr/share/man/man1/ruby.1.gz, /usr/lib/ruby/, /usr/lib/x86_64-linux-gnu/ruby/" >> /etc/jailkit/jk_init.ini mkdir /usr/jails if ! [ -d "/usr/local/libexec" ]; then install --owner=root --group=root --mode=755 --directory /usr/local/libexec fi cp libexec/command-not-found-handle /usr/local/libexec/command-not-found-handle chmod 755 /usr/local/libexec/command-not-found-handle chown root:root /usr/local/libexec/command-not-found-handle if ! [ -f "/etc/fstab.jails" ]; then touch /etc/fstab.jails chmod 644 /etc/fstab.jails echo "# /etc/fstab.jails: jail bind mounts information." > /etc/fstab.jails fi # varnish apt -y install varnish # systemctl disable varnish # service varnish stop cp -a etc/varnish/* /etc/varnish/ find /etc/varnish/ -type d -exec chmod 755 {} + find /etc/varnish/ -type f -exec chmod 644 {} + chown -R root:root /etc/varnish/ ## /usr/bin/varnishncsa # install vhost scripts chmod 755 bin/* cp bin/* /usr/local/bin/ # mini_sendmail so users can send out of jails cd /usr/local/src wget http://www.acme.com/software/mini_sendmail/mini_sendmail-1.3.9.tar.gz tar zxf mini_sendmail-1.3.9.tar.gz cd mini_sendmail-1.3.9/ make cp mini_sendmail /usr/local/sbin gzip mini_sendmail.8 cp mini_sendmail.8.gz /usr/local/share/man/man8 # phpMyAdmin apt -y install php-bz2 php-tcpdf cd /usr/local/src wget https://files.phpmyadmin.net/phpMyAdmin/5.1.1/phpMyAdmin-5.1.1-all-languages.tar.gz tar zxf phpMyAdmin-5.1.1-all-languages.tar.gz rm -r phpMyAdmin-5.1.1-all-languages/setup/ if [ -d "phpMyAdmin-5.1.1-all-languages/test/" ]; then rm -r phpMyAdmin-5.1.1-all-languages/test/ fi blowfish_secret=`pwgen 32 -1` echo ' phpMyAdmin-5.1.1-all-languages/config.inc.php echo "declare(strict_types=1);" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$cfg['blowfish_secret'] = '$blowfish_secret';" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$i = 0;" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$i++;" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$cfg['Servers'][\$i]['auth_type'] = 'cookie';" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$cfg['Servers'][\$i]['hide_db'] = 'information_schema|performance_schema|mysql|wsrep|vmail';" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$cfg['Servers'][\$i]['host'] = '127.0.0.1';" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$cfg['Servers'][\$i]['compress'] = false;" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$cfg['Servers'][\$i]['AllowNoPassword'] = false;" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$cfg['UploadDir'] = '';" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$cfg['SaveDir'] = '';" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$cfg['TempDir'] = '/tmp';" >> phpMyAdmin-5.1.1-all-languages/config.inc.php echo "\$cfg['PmaNoRelation_DisableWarning'] = true;" >> phpMyAdmin-5.1.1-all-languages/config.inc.php mv phpMyAdmin-5.1.1-all-languages /srv/www/html/phpMyAdmin find /srv/www/html/phpMyAdmin -type d -exec chmod 755 {} + find /srv/www/html/phpMyAdmin -type f -exec chmod 644 {} + chown -R vhost:vhost /srv/www/html/phpMyAdmin