
Merge pull request #46 from andreapollastri/develop

Security and AWS fix
Andrea Pollastri 5 lat temu
rodzic
commit
aefb5cade8
2 zmienionych plików z 46 dodań i 3 usunięć
  1. 42 2
      storage/app/scripts/hostadd.sh
  2. 4 1
      storage/app/scripts/install.sh

+ 42 - 2
storage/app/scripts/hostadd.sh

@@ -80,10 +80,46 @@ mkdir /home/$USER_NAME/web/$BASE_PATH
 cat > "$CONF" <<EOF
 <VirtualHost *:80>
     ServerName $DOMAIN
+
         ServerAdmin webmaster@localhost
         DocumentRoot /home/$USER_NAME/web/$BASE_PATH
-    ErrorLog /home/$USER_NAME/error.log
-    CustomLog /home/$USER_NAME/access.log combined
+        ErrorLog /home/$USER_NAME/error.log
+        CustomLog /home/$USER_NAME/access.log combined
+
+        Header always append X-Frame-Options SAMEORIGIN
+        Header set X-Content-Type-Options "nosniff"
+        Header set X-XSS-Protection "1; mode=block"
+        Header set X-Content-Security-Policy "allow 'self';"
+        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+        TraceEnable off
+        FileETag None
+        ServerTokens Prod
+        ServerSignature Off
+
+        <IfModule mod_deflate.c>
+            <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+            </IfModule>
+            AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
+            <IfModule mod_mime.c>
+                AddOutputFilter DEFLATE js css htm html xml
+            </IfModule>
+        </IfModule>
+
+        <IfModule mod_expires.c>
+            ExpiresActive On
+            ExpiresByType image/jpeg						"access 1 year"
+            ExpiresByType image/jpeg						"access 1 year"
+            ExpiresByType image/gif							"access 1 year"
+            ExpiresByType image/png							"access 1 year"
+            ExpiresByType text/css							"access 1 month"
+            ExpiresByType application/pdf					"access 1 month"
+            ExpiresByType text/x-javascript					"access 1 month"
+            ExpiresByType application/x-shockwave-flash		"access 1 month"
+            ExpiresByType image/x-icon 						"access 1 year"
+            ExpiresDefault 									"access 2 days"
+        </IfModule>
+
         <Directory />
                 Order allow,deny
                 Options FollowSymLinks
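Review bot: The `$1` in the added `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` line sits inside the unquoted `<<EOF` heredoc, so the shell replaces it with hostadd.sh's first positional argument (or nothing) before Apache reads the file, and the rewritten Set-Cookie header loses the original cookie value; escape it as `Header edit Set-Cookie ^(.*)$ \$1;HttpOnly;Secure`. `ServerTokens` is documented for server-config context only, so `ServerTokens Prod` inside `<VirtualHost>` is likely to fail the Apache config check and belongs in the global configuration instead. `X-Content-Security-Policy "allow 'self';"` is the obsolete prefixed header that current browsers ignore; the standard form would be `Header set Content-Security-Policy "default-src 'self'"`. The `Secure` flag is also being forced in a `*:80` vhost, where browsers will not send such cookies back over plain HTTP, so sessions may break unless TLS is terminated in front of this host. The heredoc begins and ends outside this hunk.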
@@ -106,6 +142,9 @@ EOF
 HTACCESS=/home/$USER_NAME/web/$BASE_PATH/.htaccess
 sudo touch $HTACCESS
 sudo cat > "$HTACCESS" <<EOF
+### APACHE SECURITY AND CACHING ###
+
+
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
@@ -114,6 +153,7 @@ RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 </IfModule>
+#############################
 EOF
 
 

+ 4 - 1
storage/app/scripts/install.sh

@@ -387,7 +387,7 @@ echo -e "\n"
 #GIT INSTALL
 sudo apt-get update
 sudo apt-get -y install git
-sudo ssh-keygen -t rsa -b 4096 -C "git@github.com" -f /cipi/github  -q -P ""
+sudo ssh-keygen -t rsa -C "git@github.com" -f /cipi/github -q -P ""
 clear
 echo "GIT installation: OK!"
 sleep 3s
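Review bot: The RSA key length is now left to whatever the installed OpenSSH uses by default, because `-b 4096` was dropped from the `ssh-keygen` line and nothing replaces it; that default has changed between OpenSSH releases, so servers provisioned by the same script can end up with different key strengths. If 4096 bits caused a compatibility problem, pin the intended size explicitly and record the reason in a comment above the command, e.g. `# key size pinned: <reason 4096 was dropped>`, or use `-t ed25519` where the Git host accepts it. The key is also generated with an empty passphrase (`-P ""`), so ownership and mode of `/cipi/github` are its only protection; the hunk does not show them being set, which is worth confirming elsewhere in install.sh.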
@@ -410,6 +410,9 @@ sleep 3s
 echo -e "\n"
 
 #SSH AND ROOT ACCESS CONFIGURATION
+sudo rpl -i -w "#PasswordAuthentication" "PasswordAuthentication" /etc/ssh/sshd_config
+sudo rpl -i -w "# PasswordAuthentication" "PasswordAuthentication" /etc/ssh/sshd_config
+sudo rpl -i -w "PasswordAuthentication no" "PasswordAuthentication yes" /etc/ssh/sshd_config
 sudo rpl -i -w "# Port 22" "Port 22" /etc/ssh/sshd_config
 sudo rpl -i -w "#Port 22" "Port 22" /etc/ssh/sshd_config
 sudo rpl -i -w "Port 22" "Port $PORT" /etc/ssh/sshd_config
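Review bot: The three added `rpl` lines switch SSH password login on for every account on the host, which widens brute-force exposure on an internet-facing server, and nothing in the hunk scopes it (no `Match` block) or rate-limits it. The second replacement also looks risky: stock Debian/Ubuntu sshd_config files carry a prose comment line beginning `# PasswordAuthentication.`, and uncommenting it would leave an invalid directive that stops sshd from starting, so it is worth verifying how `rpl -w` treats that line. On images whose sshd_config begins with an `Include` of drop-in files, an earlier `PasswordAuthentication no` there would presumably still win, so the edit may silently have no effect. Consider an anchored edit such as `sudo sed -i -E 's/^#?\s*PasswordAuthentication\s+(yes|no)\s*$/PasswordAuthentication yes/' /etc/ssh/sshd_config` and adding `sudo sshd -t || exit 1` before any restart of the service. The SSH configuration section continues past the end of this hunk.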