diff --git a/deployment/bare_metal/old/setup_server_online_ubuntu18.sh b/deployment/bare_metal/old/setup_server_online_ubuntu18.sh
index cd0ce8ee9..e8f766424 100644
--- a/deployment/bare_metal/old/setup_server_online_ubuntu18.sh
+++ b/deployment/bare_metal/old/setup_server_online_ubuntu18.sh
@@ -1,128 +1,4 @@
-#!/bin/bash
-echo "Start with installing necessary packets"
-echo "Maria DB MySql-Server"
-sudo apt update
-sudo apt install -y mariadb-server
-sudo mysql_secure_installation
-echo "nginx and php 7.2"
-sudo apt-get install -y nginx php7.2-fpm php7.2-mbstring php7.2-intl php7.2-xml php7.2-pdo php7.2-mysql
-echo "firewall and fail2ban"
-sudo apt-get install -y fail2ban ufw net-tools certbot python3-certbot-nginx
-
-echo "ufw"
-sudo ufw allow http
-sudo ufw allow https
-sudo ufw allow ssh
-sudo ufw enable
-
-# for installing packages for community-server
-echo "Composer"
-# Composer install script from https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
-cd ~
-EXPECTED_CHECKSUM="$(wget -q -O - https://composer.github.io/installer.sig)"
-php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
-ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
-
-if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
-then
- echo 'ERROR: Invalid installer checksum'
- rm composer-setup.php
- exit 1
-fi
-
-php composer-setup.php --quiet
-RESULT=$?
-rm composer-setup.php
-#exit $RESULT
-echo "Composer install result: ${RESULT}"
-
-sudo mv composer.phar /usr/local/bin/composer
-
-# for compiling login server
-# you can use another folder if you like, this is not the default folder for this
-cd ~/
-mkdir code
-cd code
-
-
-git clone https://github.com/Kitware/CMake.git --branch v3.19.8
-cd CMake
-
-./bootstrap && make -j${CPU_COUNT} && sudo make install
-
 # nginx security
-echo "Additional Security for nginx"
-sudo mkdir /etc/nginx/common
-cd /etc/nginx/common
-sudo cat << "EOF" > protect.conf
-# Deny access to readme.(txt|html) or license.(txt|html) or example.(txt|html) and other common git related files
-location ~* \"/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)\" {
- deny all;
-}
-# Deny access to backup extensions & log files
-location ~* \"\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$\" {
- deny all;
-}
-# deny access to hidden files and directories
-location ~ /\.(?!well-known\/) {
- deny all;
-}
-# deny access to base64 encoded urls
-location ~* \"(base64_encode)(.*)(\()\" {
- deny all;
-}
-# deny access to url with the javascript eval() function
-location ~* \"(eval\()\" {
- deny all;
-}
-# deny access to url which include \"127.0.0.1\"
-location ~* \"(127\.0\.0\.1)\" {
- deny all;
-}
-location ~* \"(GLOBALS|REQUEST)(=|\[|%)\" {
- deny all;
-}
-location ~* \"(<|%3C).*script.*(>|%3)\" {
- deny all;
-}
-location ~ \"(\\|\.\.\.|\.\./|~|`|<|>|\|)\" {
- deny all;
-}
-location ~* \"(\'|\\")(.*)(drop|insert|md5|select|union)\" {
- deny all;
-}
-location ~* \"(https?|ftp|php):/\" {
- deny all;
-}
-location ~* \"(=\\\'|=\\%27|/\\\'/?)\.\" {
- deny all;
-}
-location ~ \"(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\\"\\\\")\" {
- deny all;
-}
-location ~ \"(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)\" {
- deny all;
-}
-location ~* \"(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|boot\.ini|etc/passwd|eval\(|self/environ|(wp-)?config\.|cgi-|muieblack)\" {
- deny all;
-}
-location ~* \"/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php\" {
- deny all;
-}
-EOF
-
-sudo cat << "EOF" > protect_add_header.conf
-# Prevent browsers from incorrectly detecting non-scripts as scripts
-# https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
-add_header X-Content-Type-Options "nosniff";
-
-# prevent clickjacking: https://www.owasp.org/index.php/Clickjacking
-# https://geekflare.com/add-x-frame-options-nginx/
-# https://infosec.mozilla.org/guidelines/web_security#x-frame-options
-add_header Content-Security-Policy "frame-ancestors 'none'";
-add_header X-Frame-Options "DENY";
-EOF
-
 sudo cat << "EOF" > ssl.conf
 ##
 # SSL Settings
@@ -158,58 +34,6 @@ sudo cat << "EOF" > ssl.conf
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
 EOF
-cd /etc/nginx/sites-available
-sudo cp default default_original
-sudo cat< default
-##
-# You should look at the following URL's in order to grasp a solid understanding
-# of Nginx configuration files in order to fully unleash the power of Nginx.
-# https://www.nginx.com/resources/wiki/start/
-# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
-# https://wiki.debian.org/Nginx/DirectoryStructure
-#
-# In most cases, administrators will remove this file from sites-enabled/ and
-# leave it as reference inside of sites-available where it will continue to be
-# updated by the nginx packaging team.
-#
-# This file will automatically load configuration files provided by other
-# applications, such as Drupal or Wordpress. These applications will be made
-# available underneath a path with that package name, such as /drupal8.
-#
-# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
-##
-
-# Default server configuration
-#
-server {
- listen 80 default_server;
- listen [::]:80 default_server;
-
- include /etc/nginx/common/protect.conf;
-
- server_name _;
-
- location / {
- deny all;
- }
-
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
-}
-
-# catch requests with empty hosts
-server {
- listen 80;
- server_name "";
- return 444;
-}
-EOF
-
 cd /etc/nginx/conf.d
 sudo cat < logging.conf
 log_format main '$http_x_forwarded_for - $remote_user [$time_local] '
@@ -311,12 +135,4 @@ server {
 }
 EOF
-sudo ln -s /etc/nginx/sites-available/phpmyadmin /etc/nginx/sites-enabled
- 
- # certbot
-#echo "Install certbot"
-#sudo apt update
-#sudo apt install software-properties-common
-#sudo add repository universe
-#sudo apt update
-#sudo apt install certbot
\ No newline at end of file
+sudo ln -s /etc/nginx/sites-available/phpmyadmin /etc/nginx/sites-enabled
\ No newline at end of file
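Review bot: The re-added `sudo ln -s /etc/nginx/sites-available/phpmyadmin /etc/nginx/sites-enabled` is not idempotent: on a second run `ln` fails because the link already exists, and nothing in this script checks its exit status. I would write it as `sudo ln -sfn /etc/nginx/sites-available/phpmyadmin /etc/nginx/sites-enabled/phpmyadmin` so reruns replace the link instead of erroring out. The only net effect of this hunk is that the file now ends without a trailing newline, which looks unintentional. Note also that the first hunk drops the `#!/bin/bash` line and nothing replaces it, so the remaining script has neither a shebang nor a `set -e`, and a failure like the one above would pass silently.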