mirror of
https://github.com/IT4Change/gradido.git
synced 2025-12-13 07:45:54 +00:00
reduced original script to whats left to do
This commit is contained in:
parent
f3e4bc805a
commit
2281e791b8
GPG Key ID:
DA6B843E748679C9
@ -1,128 +1,4 @@
|
||||
#!/bin/bash
|
||||
echo "Start with installing necessary packets"
|
||||
echo "Maria DB MySql-Server"
|
||||
sudo apt update
|
||||
sudo apt install -y mariadb-server
|
||||
sudo mysql_secure_installation
|
||||
echo "nginx and php 7.2"
|
||||
sudo apt-get install -y nginx php7.2-fpm php7.2-mbstring php7.2-intl php7.2-xml php7.2-pdo php7.2-mysql
|
||||
echo "firewall and fail2ban"
|
||||
sudo apt-get install -y fail2ban ufw net-tools certbot python3-certbot-nginx
|
||||
|
||||
echo "ufw"
|
||||
sudo ufw allow http
|
||||
sudo ufw allow https
|
||||
sudo ufw allow ssh
|
||||
sudo ufw enable
|
||||
|
||||
# for installing packages for community-server
|
||||
echo "Composer"
|
||||
# Composer install script from https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
|
||||
cd ~
|
||||
EXPECTED_CHECKSUM="$(wget -q -O - https://composer.github.io/installer.sig)"
|
||||
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
||||
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
|
||||
|
||||
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
|
||||
then
|
||||
echo 'ERROR: Invalid installer checksum'
|
||||
rm composer-setup.php
|
||||
exit 1
|
||||
fi
|
||||
|
||||
php composer-setup.php --quiet
|
||||
RESULT=$?
|
||||
rm composer-setup.php
|
||||
#exit $RESULT
|
||||
echo "Composer install result: ${RESULT}"
|
||||
|
||||
sudo mv composer.phar /usr/local/bin/composer
|
||||
|
||||
# for compiling login server
|
||||
# you can use another folder if you like, this is not the default folder for this
|
||||
cd ~/
|
||||
mkdir code
|
||||
cd code
|
||||
|
||||
|
||||
git clone https://github.com/Kitware/CMake.git --branch v3.19.8
|
||||
cd CMake
|
||||
|
||||
./bootstrap && make -j${CPU_COUNT} && sudo make install
|
||||
|
||||
# nginx security
|
||||
echo "Additional Security for nginx"
|
||||
sudo mkdir /etc/nginx/common
|
||||
cd /etc/nginx/common
|
||||
sudo cat << "EOF" > protect.conf
|
||||
# Deny access to readme.(txt|html) or license.(txt|html) or example.(txt|html) and other common git related files
|
||||
location ~* \"/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)\" {
|
||||
deny all;
|
||||
}
|
||||
# Deny access to backup extensions & log files
|
||||
location ~* \"\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$\" {
|
||||
deny all;
|
||||
}
|
||||
# deny access to hidden files and directories
|
||||
location ~ /\.(?!well-known\/) {
|
||||
deny all;
|
||||
}
|
||||
# deny access to base64 encoded urls
|
||||
location ~* \"(base64_encode)(.*)(\()\" {
|
||||
deny all;
|
||||
}
|
||||
# deny access to url with the javascript eval() function
|
||||
location ~* \"(eval\()\" {
|
||||
deny all;
|
||||
}
|
||||
# deny access to url which include \"127.0.0.1\"
|
||||
location ~* \"(127\.0\.0\.1)\" {
|
||||
deny all;
|
||||
}
|
||||
location ~* \"(GLOBALS|REQUEST)(=|\[|%)\" {
|
||||
deny all;
|
||||
}
|
||||
location ~* \"(<|%3C).*script.*(>|%3)\" {
|
||||
deny all;
|
||||
}
|
||||
location ~ \"(\\|\.\.\.|\.\./|~|`|<|>|\|)\" {
|
||||
deny all;
|
||||
}
|
||||
location ~* \"(\'|\\")(.*)(drop|insert|md5|select|union)\" {
|
||||
deny all;
|
||||
}
|
||||
location ~* \"(https?|ftp|php):/\" {
|
||||
deny all;
|
||||
}
|
||||
location ~* \"(=\\\'|=\\%27|/\\\'/?)\.\" {
|
||||
deny all;
|
||||
}
|
||||
location ~ \"(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\\"\\\\")\" {
|
||||
deny all;
|
||||
}
|
||||
location ~ \"(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)\" {
|
||||
deny all;
|
||||
}
|
||||
location ~* \"(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|boot\.ini|etc/passwd|eval\(|self/environ|(wp-)?config\.|cgi-|muieblack)\" {
|
||||
deny all;
|
||||
}
|
||||
location ~* \"/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php\" {
|
||||
deny all;
|
||||
}
|
||||
EOF
|
||||
|
||||
sudo cat << "EOF" > protect_add_header.conf
|
||||
# Prevent browsers from incorrectly detecting non-scripts as scripts
|
||||
# https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
# prevent clickjacking: https://www.owasp.org/index.php/Clickjacking
|
||||
# https://geekflare.com/add-x-frame-options-nginx/
|
||||
# https://infosec.mozilla.org/guidelines/web_security#x-frame-options
|
||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||
add_header X-Frame-Options "DENY";
|
||||
EOF
|
||||
|
||||
sudo cat << "EOF" > ssl.conf
|
||||
##
|
||||
# SSL Settings
|
||||
@ -158,58 +34,6 @@ sudo cat << "EOF" > ssl.conf
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
||||
EOF
|
||||
|
||||
cd /etc/nginx/sites-available
|
||||
sudo cp default default_original
|
||||
sudo cat<<EOF > default
|
||||
##
|
||||
# You should look at the following URL's in order to grasp a solid understanding
|
||||
# of Nginx configuration files in order to fully unleash the power of Nginx.
|
||||
# https://www.nginx.com/resources/wiki/start/
|
||||
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
|
||||
# https://wiki.debian.org/Nginx/DirectoryStructure
|
||||
#
|
||||
# In most cases, administrators will remove this file from sites-enabled/ and
|
||||
# leave it as reference inside of sites-available where it will continue to be
|
||||
# updated by the nginx packaging team.
|
||||
#
|
||||
# This file will automatically load configuration files provided by other
|
||||
# applications, such as Drupal or Wordpress. These applications will be made
|
||||
# available underneath a path with that package name, such as /drupal8.
|
||||
#
|
||||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
|
||||
##
|
||||
|
||||
# Default server configuration
|
||||
#
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
include /etc/nginx/common/protect.conf;
|
||||
|
||||
server_name _;
|
||||
|
||||
location / {
|
||||
deny all;
|
||||
}
|
||||
|
||||
|
||||
# deny access to .htaccess files, if Apache's document root
|
||||
# concurs with nginx's one
|
||||
#
|
||||
#location ~ /\.ht {
|
||||
# deny all;
|
||||
#}
|
||||
}
|
||||
|
||||
# catch requests with empty hosts
|
||||
server {
|
||||
listen 80;
|
||||
server_name "";
|
||||
return 444;
|
||||
}
|
||||
EOF
|
||||
|
||||
cd /etc/nginx/conf.d
|
||||
sudo cat <<EOF > logging.conf
|
||||
log_format main '$http_x_forwarded_for - $remote_user [$time_local] '
|
||||
@ -311,12 +135,4 @@ server {
|
||||
}
|
||||
|
||||
EOF
|
||||
sudo ln -s /etc/nginx/sites-available/phpmyadmin /etc/nginx/sites-enabled
|
||||
|
||||
# certbot
|
||||
#echo "Install certbot"
|
||||
#sudo apt update
|
||||
#sudo apt install software-properties-common
|
||||
#sudo add repository universe
|
||||
#sudo apt update
|
||||
#sudo apt install certbot
|
||||
sudo ln -s /etc/nginx/sites-available/phpmyadmin /etc/nginx/sites-enabled
|
||||
Loading…
x
Reference in New Issue
Block a user