Drop NGINX+PHP+MariaDB+LetsEncrypt
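#!/bin/bash
#
# Provision one NGINX + PHP-FPM + Let's Encrypt site on a Debian/Ubuntu host,
# optionally creating a MariaDB database plus a same-named local user for it.
# Must be run as root.
#
# Usage: $0 [site domain] [database name:database password]
#   e.g. $0 domain.org database:password
#
# Optional environment:
#   PHP_VERSION  PHP-FPM series to install and point nginx at (default: 8.3)
#   SITE_OWNER   user that is given ownership of the web root (default: ubuntu)
#
# The domain and the database name are validated before they are interpolated
# into file paths, the nginx vhost and SQL; the database password is handed to
# mysql on stdin, so it appears neither in `ps` nor in this script's output.
set -euo pipefail

PHP_VERSION=${PHP_VERSION:-8.3}
SITE_OWNER=${SITE_OWNER:-ubuntu}

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print usage to stderr and exit with status 1.
usage() {
  printf 'usage: %s [site domain] [database name:database password]\ne.g. %s domain.org database:password\n' \
    "$0" "$0" >&2
  exit 1
}

# Return 0 if the Debian package $1 is installed ("... ok installed" status).
pkg_installed() {
  dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'ok installed'
}

# Escape $1 for use inside a single-quoted SQL string literal: backslashes and
# single quotes are doubled, which is valid with and without NO_BACKSLASH_ESCAPES.
sql_quote() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\'/\'\'}
  printf '%s' "$s"
}

#######################################
# Create a database and a same-named local user from a "name:password" spec.
# Arguments: $1 - "<database name>:<database password>"
# Outputs:   progress messages on stdout (never the password)
# Returns:   0 on success or if the database already exists; exits via die()
#            on an invalid spec
#######################################
setup_database() {
  local spec=$1
  local db_name db_pass db_pass_sql existing
  [[ "$spec" == *:* ]] || die "database argument must be name:password"
  # Split on the first ':' only, so the password may itself contain ':'.
  db_name=${spec%%:*}
  db_pass=${spec#*:}
  # The name is used unquoted in SQL identifiers and as the user name, so
  # restrict it to a conservative character set.
  [[ "$db_name" =~ ^[A-Za-z0-9_]{1,64}$ ]] \
    || die "invalid database name '$db_name' (allowed: A-Z a-z 0-9 _, max 64 chars)"
  [[ -n "$db_pass" ]] || die "database password must not be empty"
  echo "creating database '$db_name'"

  if ! pkg_installed mariadb-server; then
    apt update
    apt upgrade
    apt install mariadb-server
  fi

  # db_name is restricted to [A-Za-z0-9_] above, so it is safe as a literal.
  existing=$(mysql -N -B --execute="SELECT SCHEMA_NAME FROM information_schema.SCHEMATA WHERE SCHEMA_NAME = '$db_name'")
  if [[ -n "$existing" ]]; then
    echo "database already exists!"
    return 0
  fi
  echo "ok"

  db_pass_sql=$(sql_quote "$db_pass")
  # Statements go in on stdin so the password is not visible in the process
  # list; the grant is to the same-named user (not an anonymous ''@'localhost').
  mysql <<SQL
CREATE DATABASE \`$db_name\`;
GRANT ALL PRIVILEGES ON \`$db_name\`.* TO '$db_name'@'localhost' IDENTIFIED BY '$db_pass_sql';
FLUSH PRIVILEGES;
SQL
}

#######################################
# Write the HTTP-only vhost: serves ACME challenges from the web root and
# redirects everything else to HTTPS. Overwrites an existing file.
# Globals: SERVER_HOSTNAME, SERVER_PATH, SITE_CONF (read)
#######################################
write_http_config() {
  cat > "$SITE_CONF" <<EOF
server {
    listen 80;
    listen [::]:80;
    access_log off;

    root $SERVER_PATH;
    server_name $SERVER_HOSTNAME;

    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        root $SERVER_PATH;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

#######################################
# Append the HTTPS vhost once the certificate has been issued.
# Globals: SERVER_HOSTNAME, SERVER_PATH, SITE_CONF, PHP_VERSION (read)
#######################################
append_https_config() {
  cat >> "$SITE_CONF" <<EOF

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/$SERVER_HOSTNAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$SERVER_HOSTNAME/privkey.pem;

    root $SERVER_PATH;

    index index.html index.htm index.php;

    server_name $SERVER_HOSTNAME;

    location /tmp {
        deny all;
        return 404;
    }

    location /app {
        deny all;
        return 404;
    }

    location / {
        try_files \$uri \$uri/ /index.php;
    }

    location ~ \.php\$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php$PHP_VERSION-fpm.sock;
    }
}
EOF
}

# Test the configuration before reloading so a broken vhost never takes
# nginx down.
reload_nginx() {
  nginx -t || die "nginx configuration test failed; not reloading"
  /etc/init.d/nginx reload
}

#######################################
# Entry point.
# Arguments: $1 - site domain; $2 - optional "dbname:dbpassword"
# Globals:   SERVER_HOSTNAME, SERVER_PATH, SITE_CONF (written, read by helpers)
#######################################
main() {
  local host_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
  (( $# > 0 )) || usage
  [[ $EUID -eq 0 ]] || die "this script must be run as root"
  echo "using $1 as domain;"

  SERVER_HOSTNAME=$1
  # The domain ends up in file paths and nginx directives: allow hostname
  # characters only, no leading '-' or '.', and no '..' segments.
  [[ "$SERVER_HOSTNAME" =~ $host_re && "$SERVER_HOSTNAME" != *..* ]] \
    || die "invalid domain '$SERVER_HOSTNAME'"
  SERVER_PATH="/var/www/$SERVER_HOSTNAME"
  SITE_CONF="/etc/nginx/sites-available/$SERVER_HOSTNAME"

  if (( $# == 2 )); then
    setup_database "$2"
  fi

  locale-gen "en_US.UTF-8"
  export LC_ALL=en_US.UTF-8
  export LANG=en_US.UTF-8

  # install or upgrade necessary apps
  if ! pkg_installed "php${PHP_VERSION}-fpm"; then
    apt update
    apt upgrade
    apt install nginx "php${PHP_VERSION}-fpm" letsencrypt mc \
      "php${PHP_VERSION}-mysql" "php${PHP_VERSION}-curl" "php${PHP_VERSION}-opcache" \
      "php${PHP_VERSION}-mbstring" "php${PHP_VERSION}-xml" "php${PHP_VERSION}-imagick"
  fi

  mkdir -p "$SERVER_PATH"
  write_http_config
  ln -sfn "$SITE_CONF" "/etc/nginx/sites-enabled/$SERVER_HOSTNAME"
  reload_nginx

  # A failed issuance is reported but does not abort: the HTTP-only vhost is
  # still usable and the certificate check below decides what happens next.
  letsencrypt certonly --webroot -w "$SERVER_PATH" -d "$SERVER_HOSTNAME" -d "www.$SERVER_HOSTNAME" \
    || printf 'warning: certificate request for %s failed\n' "$SERVER_HOSTNAME" >&2
  if [[ -f "/etc/letsencrypt/live/$SERVER_HOSTNAME/fullchain.pem" ]]; then
    # now create https configuration
    append_https_config
    reload_nginx
  else
    printf 'warning: no certificate at /etc/letsencrypt/live/%s; HTTPS vhost not written\n' \
      "$SERVER_HOSTNAME" >&2
  fi

  chown -R "$SITE_OWNER:www-data" "$SERVER_PATH"

  # automate crons - equivalent to `sudo crontab -e` with following contents:
  # 5 8 * * 6 /usr/bin/letsencrypt renew --agree-tos >> /var/log/le-renew.log
  # 5 9 * * 6 /etc/init.d/nginx reload
  cat > /etc/cron.d/httpserver <<'EOF'
5 8 * * 6 root /usr/bin/letsencrypt renew --agree-tos >> /var/log/le-renew.log
5 9 * * 6 root /etc/init.d/nginx reload
EOF
  /etc/init.d/cron reload

  # important for multiple unix socket connections
  # note its recommended to not use unix socket at all
  # https://serverfault.com/questions/884468/nginx-with-php-fpm-resource-temporarily-unavailable-502-error
  # sysctl net.core.somaxconn
  # echo "net.core.somaxconn=65536" >> /etc/sysctl.conf
  # sysctl -p

  # database
  if ! pkg_installed mariadb-server; then
    apt install mariadb-server
  fi
  mysql_secure_installation
}

main "$@"

# ---------------------------------------------------------------------------
# Reference notes. Everything below is a comment and is never executed
# (previously these lines were unprefixed and would have run as commands).
# ---------------------------------------------------------------------------
# CREATE DATABASE data
# GRANT ALL PRIVILEGES ON data.* To 'user'@'localhost' IDENTIFIED BY 'pass';
# FLUSH PRIVILEGES;
#
# http://linuxbsdos.com/2015/02/17/how-to-reduce-php-fpm-php5-fpm-ram-usage-by-about-50/
# sudo nano /etc/php/7.2/fpm/pool.d/www.conf
#   [www]
#   user = www-data
#   group = www-data
#   listen = /run/php/php7.2-fpm.sock
#   listen.owner = www-data
#   listen.group = www-data
#   pm = ondemand
#   pm.max_children = 5000
#   pm.process_idle_timeout = 5s
#   pm.max_requests = 5000
#
# https://docs.hhvm.com/hhvm/installation/linux
# sudo /usr/share/hhvm/install_fastcgi.sh
# hhvm.php7.all = 1
#
# sudo nano /etc/nginx/nginx.conf
#   http {
#       # ...
#       sendfile on;
#       tcp_nopush on;
#       tcp_nodelay on;
#       server_tokens off;
#       # ...
#   }
#
# ssl A rating
# openssl dhparam 4096 -out /etc/ssl/dhparam.pem
#   ssl_dhparam /etc/ssl/dhparam.pem;
#   ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
#   (TLSv1 and TLSv1.1 are deprecated; prefer `ssl_protocols TLSv1.3 TLSv1.2;`)
#   ssl_prefer_server_ciphers on;
#   ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
#   ssl_session_cache shared:TLS:2m;
#   # OCSP stapling
#   ssl_stapling on;
#   ssl_stapling_verify on;
#   resolver 8.8.8.8;
#   add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;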
disabled logging completely
