vavrecan · October 19, 2024 19:21 · vavrecan · May 17, 2018
diff --git a/fast-webserver.sh b/fast-webserver.sh
 #!/bin/bash

 if [ "$#" -gt 0 ];
 then
  echo "using $1 as domain;"
 else
  echo -e "usage: $0 [site domain] [database name:database password]\ne.g. $0 domain.org database:password"
  exit
 fi

 if [ "$#" -eq 2 ];
 then
  # prepare database
  DATABASE_NAME="$(echo $2 | cut -d':' -f1)"
  DATABASE_PASS="$(echo $2 | cut -d':' -f2)"
  echo "creating database '$DATABASE_NAME' using password '$DATABASE_PASS'"
  if [ $(dpkg-query -W -f='${Status}' mariadb-server 2>/dev/null | grep -c "ok installed") -eq 0 ];
  then
    apt update
    apt upgrade
    apt install mariadb-server
  fi
  RESULT=`mysqlshow "$DATABASE_NAME" | grep -v Wildcard | grep -o "$DATABASE_NAME"`
  if [ "$RESULT" == "$DATABASE_NAME" ];
  then
    echo "database already exists!"
  else
    echo "ok"
    mysql --execute="CREATE DATABASE $DATABASE_NAME"
    mysql --execute="GRANT ALL PRIVILEGES ON $DATABASE_NAME.* To '$DATABSE_NAME'@'localhost' IDENTIFIED BY '$DATABASE_PASS';"
    mysql --execute="FLUSH PRIVILEGES;"
  fi
 fi

 SERVER_HOSTNAME=$1
 SERVER_PATH="/var/www/$SERVER_HOSTNAME"

 locale-gen "en_US.UTF-8"
 LC_ALL=en_US.UTF-8
 LANG=en_US.UTF-8

 # install or upgrade necessary apps
 if [ $(dpkg-query -W -f='${Status}' php8.3-fpm 2>/dev/null | grep -c "ok installed") -eq 0 ];
 then
  apt update
  apt upgrade
  apt install nginx php8.3-fpm letsencrypt mc php8.3-mysql php8.3-curl php8.3-opcache php8.3-mbstring php8.3-xml php8.3-imagick
 fi


 mkdir "$SERVER_PATH"
 echo -e "server {\n" \
 "        listen 80;\n" \
 "        listen [::]:80;\n" \
 "        access_log  off;\n" \
 "\n" \
 "        root $SERVER_PATH;\n" \
 "        server_name $SERVER_HOSTNAME;\n" \
 "\n" \
 "        location ^~ /.well-known/acme-challenge/ {\n" \
 "                default_type "text/plain";\n" \
 "                root $SERVER_PATH;\n" \
 "        }\n" \
 "\n" \
 "        location / {\n" \
 "                return 301 https://\$host\$request_uri;\n" \
 "        }\n" \
 "}\n" > "/etc/nginx/sites-available/$SERVER_HOSTNAME"
 ln -s "/etc/nginx/sites-available/$SERVER_HOSTNAME" "/etc/nginx/sites-enabled/"

 /etc/init.d/nginx reload

 letsencrypt certonly --webroot -w "$SERVER_PATH" -d "$SERVER_HOSTNAME" -d "www.$SERVER_HOSTNAME"

 if [ -f /etc/letsencrypt/live/$SERVER_HOSTNAME/fullchain.pem ]; then
  # now create https configuration
  echo -e "\n" \
  "server {\n" \
  "        listen 443 ssl http2;\n" \
  "        listen [::]:443 ssl http2;\n" \
  "\n" \
  "        ssl_certificate /etc/letsencrypt/live/$SERVER_HOSTNAME/fullchain.pem;\n" \
  "        ssl_certificate_key /etc/letsencrypt/live/$SERVER_HOSTNAME/privkey.pem;\n" \
  "\n" \
  "        root $SERVER_PATH;\n" \
  "\n" \
  "        index index.html index.htm index.php;\n" \
  "\n" \
  "        server_name $SERVER_HOSTNAME;\n" \
  "\n" \
  "        location /tmp {\n" \
  "                deny all;\n" \
  "                return 404;\n" \
  "        }\n" \
  "\n" \
  "        location /app {\n" \
  "                deny all;\n" \
  "                return 404;\n" \
  "        }\n" \
  "\n" \
  "        location / {\n" \
  "                try_files \$uri \$uri/ /index.php;\n" \
  "        }\n" \
  "\n" \
  "        location ~ \.php\$ {\n" \
  "                include snippets/fastcgi-php.conf;\n" \
  "                fastcgi_pass unix:/run/php/php8.3-fpm.sock;\n" \
  "        }\n" \
  "}" >> "/etc/nginx/sites-available/$SERVER_HOSTNAME"

  /etc/init.d/nginx reload
 fi
 chown ubuntu:www-data -R "$SERVER_PATH"

 # automate crons - manually as `sudo crontab -e` with following contents:
 # 5 8 * * 6 /usr/bin/letsencrypt renew --agree-tos >> /var/log/le-renew.log                       
 # 5 9 * * 6 /etc/init.d/nginx reload

 echo '5 8 * * 6 root /usr/bin/letsencrypt renew --agree-tos >> /var/log/le-renew.log' > /etc/cron.d/httpserver
 echo '5 9 * * 6 root /etc/init.d/nginx reload' >> /etc/cron.d/httpserver
 /etc/init.d/cron reload
diff --git a/other.txt b/other.txt
 # important for multiple unix socket connections
 # note its recommended to not use unix socket at all
 # https://serverfault.com/questions/884468/nginx-with-php-fpm-resource-temporarily-unavailable-502-error
 # sysctl net.core.somaxconn
 # echo "net.core.somaxconn=65536" >> /etc/sysctl.conf
 # sysctl -p

 # database
 apt install mariadb-server
 mysql_secure_installation

 # CREATE DATABASE data
 # GRANT ALL PRIVILEGES ON data.* To 'user'@'localhost' IDENTIFIED BY 'pass';
 # FLUSH PRIVILEGES;

 # http://linuxbsdos.com/2015/02/17/how-to-reduce-php-fpm-php5-fpm-ram-usage-by-about-50/
 # sudo nano /etc/php/7.2/fpm/pool.d/www.conf 
 [www]
 user = www-data
 group = www-data
 listen = /run/php/php7.2-fpm.sock
 listen.owner = www-data
 listen.group = www-data

 pm = ondemand
 pm.max_children = 5000
 pm.process_idle_timeout = 5s
 pm.max_requests = 5000

 #https://docs.hhvm.com/hhvm/installation/linux
 #sudo /usr/share/hhvm/install_fastcgi.sh
 #hhvm.php7.all = 1

 sudo nano /etc/nginx/nginx.conf
 http {
  # ...
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on; 
  server_tokens off;
  # ...
    
 }

 #ssl A rating
 openssl dhparam 4096 -out /etc/ssl/dhparam.pem

  ssl_dhparam /etc/ssl/dhparam.pem;

  ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
  ssl_prefer_server_ciphers on;
  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
  ssl_session_cache shared:TLS:2m;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8;

  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
	#!/bin/bash

	if [ "$#" -gt 0 ];
	then
	echo "using $1 as domain;"
	else
	echo -e "usage: $0 [site domain] [database name:database password]\ne.g. $0 domain.org database:password"
	exit
	fi

	if [ "$#" -eq 2 ];
	then
	# prepare database
	DATABASE_NAME="$(echo $2 \| cut -d':' -f1)"
	DATABASE_PASS="$(echo $2 \| cut -d':' -f2)"
	echo "creating database '$DATABASE_NAME' using password '$DATABASE_PASS'"
	if [ $(dpkg-query -W -f='${Status}' mariadb-server 2>/dev/null \| grep -c "ok installed") -eq 0 ];
	then
	apt update
	apt upgrade
	apt install mariadb-server
	fi
	RESULT=`mysqlshow "$DATABASE_NAME" \| grep -v Wildcard \| grep -o "$DATABASE_NAME"`
	if [ "$RESULT" == "$DATABASE_NAME" ];
	then
	echo "database already exists!"
	else
	echo "ok"
	mysql --execute="CREATE DATABASE $DATABASE_NAME"
	mysql --execute="GRANT ALL PRIVILEGES ON $DATABASE_NAME.* To '$DATABSE_NAME'@'localhost' IDENTIFIED BY '$DATABASE_PASS';"
	mysql --execute="FLUSH PRIVILEGES;"
	fi
	fi

	SERVER_HOSTNAME=$1
	SERVER_PATH="/var/www/$SERVER_HOSTNAME"

	locale-gen "en_US.UTF-8"
	LC_ALL=en_US.UTF-8
	LANG=en_US.UTF-8

	# install or upgrade necessary apps
	if [ $(dpkg-query -W -f='${Status}' php8.3-fpm 2>/dev/null \| grep -c "ok installed") -eq 0 ];
	then
	apt update
	apt upgrade
	apt install nginx php8.3-fpm letsencrypt mc php8.3-mysql php8.3-curl php8.3-opcache php8.3-mbstring php8.3-xml php8.3-imagick
	fi


	mkdir "$SERVER_PATH"
	echo -e "server {\n" \
	" listen 80;\n" \
	" listen [::]:80;\n" \
	" access_log off;\n" \
	"\n" \
	" root $SERVER_PATH;\n" \
	" server_name $SERVER_HOSTNAME;\n" \
	"\n" \
	" location ^~ /.well-known/acme-challenge/ {\n" \
	" default_type "text/plain";\n" \
	" root $SERVER_PATH;\n" \
	" }\n" \
	"\n" \
	" location / {\n" \
	" return 301 https://\$host\$request_uri;\n" \
	" }\n" \
	"}\n" > "/etc/nginx/sites-available/$SERVER_HOSTNAME"
	ln -s "/etc/nginx/sites-available/$SERVER_HOSTNAME" "/etc/nginx/sites-enabled/"

	/etc/init.d/nginx reload

	letsencrypt certonly --webroot -w "$SERVER_PATH" -d "$SERVER_HOSTNAME" -d "www.$SERVER_HOSTNAME"

	if [ -f /etc/letsencrypt/live/$SERVER_HOSTNAME/fullchain.pem ]; then
	# now create https configuration
	echo -e "\n" \
	"server {\n" \
	" listen 443 ssl http2;\n" \
	" listen [::]:443 ssl http2;\n" \
	"\n" \
	" ssl_certificate /etc/letsencrypt/live/$SERVER_HOSTNAME/fullchain.pem;\n" \
	" ssl_certificate_key /etc/letsencrypt/live/$SERVER_HOSTNAME/privkey.pem;\n" \
	"\n" \
	" root $SERVER_PATH;\n" \
	"\n" \
	" index index.html index.htm index.php;\n" \
	"\n" \
	" server_name $SERVER_HOSTNAME;\n" \
	"\n" \
	" location /tmp {\n" \
	" deny all;\n" \
	" return 404;\n" \
	" }\n" \
	"\n" \
	" location /app {\n" \
	" deny all;\n" \
	" return 404;\n" \
	" }\n" \
	"\n" \
	" location / {\n" \
	" try_files \$uri \$uri/ /index.php;\n" \
	" }\n" \
	"\n" \
	" location ~ \.php\$ {\n" \
	" include snippets/fastcgi-php.conf;\n" \
	" fastcgi_pass unix:/run/php/php8.3-fpm.sock;\n" \
	" }\n" \
	"}" >> "/etc/nginx/sites-available/$SERVER_HOSTNAME"

	/etc/init.d/nginx reload
	fi
	chown ubuntu:www-data -R "$SERVER_PATH"

	# automate crons - manually as `sudo crontab -e` with following contents:
	# 5 8 * * 6 /usr/bin/letsencrypt renew --agree-tos >> /var/log/le-renew.log
	# 5 9 * * 6 /etc/init.d/nginx reload

	echo '5 8 * * 6 root /usr/bin/letsencrypt renew --agree-tos >> /var/log/le-renew.log' > /etc/cron.d/httpserver
	echo '5 9 * * 6 root /etc/init.d/nginx reload' >> /etc/cron.d/httpserver
	/etc/init.d/cron reload
	# important for multiple unix socket connections
	# note its recommended to not use unix socket at all
	# https://serverfault.com/questions/884468/nginx-with-php-fpm-resource-temporarily-unavailable-502-error
	# sysctl net.core.somaxconn
	# echo "net.core.somaxconn=65536" >> /etc/sysctl.conf
	# sysctl -p

	# database
	apt install mariadb-server
	mysql_secure_installation

	# CREATE DATABASE data
	# GRANT ALL PRIVILEGES ON data.* To 'user'@'localhost' IDENTIFIED BY 'pass';
	# FLUSH PRIVILEGES;

	# http://linuxbsdos.com/2015/02/17/how-to-reduce-php-fpm-php5-fpm-ram-usage-by-about-50/
	# sudo nano /etc/php/7.2/fpm/pool.d/www.conf
	[www]
	user = www-data
	group = www-data
	listen = /run/php/php7.2-fpm.sock
	listen.owner = www-data
	listen.group = www-data

	pm = ondemand
	pm.max_children = 5000
	pm.process_idle_timeout = 5s
	pm.max_requests = 5000

	#https://docs.hhvm.com/hhvm/installation/linux
	#sudo /usr/share/hhvm/install_fastcgi.sh
	#hhvm.php7.all = 1

	sudo nano /etc/nginx/nginx.conf
	http {
	# ...
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	# ...

	}

	#ssl A rating
	openssl dhparam 4096 -out /etc/ssl/dhparam.pem

	ssl_dhparam /etc/ssl/dhparam.pem;

	ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
	ssl_prefer_server_ciphers on;
	ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
	ssl_session_cache shared:TLS:2m;

	# OCSP stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8;

	add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;