diff --git a/README.md b/README.md
index 7261911..83b3829 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@
 ## Overview
-A complete LEMP stack _– Linux Ubuntu + Nginx + MariaDB (MySQL) + PHP –_ or install individual packages according to your needs.
+A complete LEMP stack _– Linux Ubuntu + Nginx + MariaDB (or MySQL, you can choose) + PHP –_ or install individual packages according to your needs.
 **One of the most reliable configurations to host your websites and with Webinoly you can do it in just one step.**
@@ -19,7 +19,7 @@ Webinoly provides a set of tools and commands that facilitate web server adminis
 - Unique commands to create, delete, disable sites.
 - Free SSL certificates for your sites with Let’s Encrypt and automatic server configuration.
 - HTTP/2 dramatically increases the speed of serving your content.
-- PHP v8.1 and support for earlier versions if needed (8.0 and 7.4).
+- PHP v8.1 and support for earlier versions if needed (8.0 and 7.4) or the newest 8.2.
 - FastCGI Cache and Redis Object Cache for your WordPress sites.
 - Install WP in any subfolder and support for external databases, multisite and domain mapping.
 - Reverse Proxy for any app (Java, React, Node, Angular, Vue, etc) or to use your own domain with any external file repo like S3.
@@ -35,7 +35,7 @@ Webinoly provides a set of tools and commands that facilitate web server adminis
 ## Usage
 ```bash
-# Install Webinoly and LEMP
+# Install Webinoly and build the stack
 wget -qO weby qrok.es/wy && sudo bash weby
 # Create your first site.
diff --git a/lib/bkp b/lib/bkp
index 27e2057..6269f22 100644
--- a/lib/bkp
+++ b/lib/bkp
@@ -496,8 +496,8 @@ check_exported_conf() {
 [[ -n $(conf_read_exported wp-admin-auth) ]] && conf_write wp-admin-auth $(conf_read_exported wp-admin-auth)
 [[ -n $(conf_read_exported php-info) ]] && conf_write php-info $(conf_read_exported php-info)
- [[ $(conf_read_exported header-xssp) == "false" ]] && conf_write header-xssp $(conf_read_exported header-xssp)
- [[ $(conf_read_exported header-xcto) == "false" ]] && conf_write header-xcto $(conf_read_exported header-xcto)
+ [[ -n $(conf_read_exported header-xcto) ]] && conf_write header-xcto $(conf_read_exported header-xcto)
+ [[ -n $(conf_read_exported header-xssp) ]] && conf_write header-xssp $(conf_read_exported header-xssp)
 [[ -n $(conf_read_exported header-xfo) ]] && conf_write header-xfo $(conf_read_exported header-xfo)
 [[ -n $(conf_read_exported header-xfo-url) && $(conf_read_exported header-xfo) == "allow-from" ]] && conf_write header-xfo-url $(conf_read_exported header-xfo-url)
 [[ -n $(conf_read_exported header-referrer) ]] && conf_write header-referrer $(conf_read_exported header-referrer)
diff --git a/lib/general b/lib/general
index f5c2760..6842ec2 100644
--- a/lib/general
+++ b/lib/general
@@ -1299,7 +1299,10 @@ check_var() {
 # PHP opcache validate timestamps
 elif [[ $1 == "php-opcache-timestamps" ]]; then
- [[ -n $(conf_read php-opcache-reval) && $(conf_read php-opcache-timestamps) =~ ^(0|1)$ ]] && local out=$(conf_read php-opcache-timestamps) || local out="false"
+ local out="false"
+ [[ $(conf_read php-opcache-timestamps) == "true" ]] && local out="1"
+ [[ $(conf_read php-opcache-timestamps) == "false" ]] && local out="0"
+
 # PHP opcache revalidate frequency
 elif [[ $1 == "php-opcache-reval" ]]; then
 [[ -n $(conf_read php-opcache-reval) && $(conf_read php-opcache-reval) =~ ^[0-9]+$ && $(conf_read php-opcache-reval) -ge 0 ]] && local out=$(conf_read php-opcache-reval) || local out="false"
diff --git a/lib/headers b/lib/headers
index acc95ff..934230d 100644
--- a/lib/headers
+++ b/lib/headers
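Review bot: `conf_read php-opcache-timestamps` is run in a subshell twice on the two added lines and compared as a string each time; reading it once into a local and branching on that keeps the two comparisons from drifting apart and removes the duplicated call. `local out="1"` after `local out="false"` re-declares the same variable in the same scope, which bash accepts but which reads as if a new variable were being introduced; plain assignment is clearer. The `check_var` function starts before the hunk and continues past it.
```shell
local out="false"
local ts=$(conf_read php-opcache-timestamps)
[[ $ts == "true" ]] && out="1"
[[ $ts == "false" ]] && out="0"
```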
@@ -110,10 +110,7 @@ http_header_xcto() {
 http_header_xssp() {
- if [[ $(conf_read header-xssp) == "false" ]]; then
- sudo sed -i '/^add_header X-XSS-Protection/s/^/#/' /etc/nginx/common/headers-http.conf
- echo "${gre}${dim}X-XSS-Protection Header successfully disabled!${end}"
- else
+ if [[ $(conf_read header-xssp) == "true" ]]; then
 sudo sed -Ei "/^#?add_header X-XSS-Protection/d" /etc/nginx/common/headers-http.conf
 sudo echo "add_header X-XSS-Protection \"1; mode=block\";" >> /etc/nginx/common/headers-http.conf
@@ -123,6 +120,9 @@ http_header_xssp() {
 echo "${red}[ERROR] Please, enter a valid option for X-XSS-Protection header!${end}"
 return 1
 fi
+ else
+ sudo sed -i '/^add_header X-XSS-Protection/s/^/#/' /etc/nginx/common/headers-http.conf
+ echo "${gre}${dim}X-XSS-Protection Header successfully disabled!${end}"
 fi
 }
diff --git a/lib/install b/lib/install
index 5b0ec56..a308e06 100644
--- a/lib/install
+++ b/lib/install
@@ -402,7 +402,7 @@ php_optim() {
 sudo sed -i -r '/^[;]?opcache.enable_cli=/c\opcache.enable_cli=1' /etc/php/$ver/fpm/php.ini
 sudo sed -i -r '/^[;]?opcache.enable=/c\opcache.enable=1' /etc/php/$ver/fpm/php.ini
- # Not set, unless non-empty! (hidden dynvars)
+ # Not set, unless non-empty!
 if [[ $(check_var php-opcache-timestamps) != "false" ]]; then
 sudo sed -i -r "/^[;]?opcache.validate_timestamps=/c\opcache.validate_timestamps=$(check_var php-opcache-timestamps)" /etc/php/$ver/fpm/php.ini
 fi
diff --git a/templates/general/conf b/templates/general/conf
index bf340aa..a79ccfd 100644
--- a/templates/general/conf
+++ b/templates/general/conf
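Review bot: The new gate `[[ $(conf_read header-xssp) == "true" ]]` enters the enable path only for the exact value `true`, so any other value, including a typo, now falls through to the `else` added in the second hunk and reports "successfully disabled!"; the `[ERROR] ... valid option` branch at the top of that second hunk is reached only from the lines between the two hunks, which are outside this view, and if they still test for `true` it can no longer fire. An unset key landing in the disable branch matches the new `false` default, but a malformed value should not. Consider making the disable branch explicit, `elif [[ -z $(conf_read header-xssp) || $(conf_read header-xssp) == "false" ]]; then`, and keeping a final `else` that prints the invalid-option error and returns 1 as the old code did. The body of `http_header_xssp` is split across the two hunks.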
@@ -283,10 +283,12 @@
 # HTTP Header: X-XSS-Protection
 # Values: boolean (true/false)
-# Default: true (X-XSS-Protection: 1; mode=block)
+# Default: false
+# Note: This header is no longer recommended and support will be removed very soon from Webinoly.
 # Note: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# Note: When true is set: (X-XSS-Protection: 1; mode=block)
 ###########################
-#header-xssp:true
+#header-xssp:false
 # HTTP Header: Add any other Custom Header
@@ -356,6 +358,24 @@
 #php-max-input-vars:5000
+# PHP OpCache Validate Timestamps
+# Values: boolean (true/false)
+# Default: true
+# Note: When this directive is disabled, you must reset OPcache manually or by restarting the Web server for changes to the filesystem to take effect.
+###########################
+#php-opcache-timestamps:true
+
+
+# PHP OpCache Revalidate Frequency
+# Values: numeric int (seconds)
+# Default: 2
+# Note: Raising this value can cause developers to notice that changes in PHP code not taking effect. (similar to validate timestamps)
+# Note: This configuration directive is ignored if opcache.validate_timestamps is disabled.
+# Note: A good value (10-15), production servers with not frequent changes in code (60).
+###########################
+#php-opcache-reval:2
+
+
 # PHP Path_Info
 # Values: boolean (true/false)
 # Default: true
diff --git a/templates/nginx/common/headers-http.conf b/templates/nginx/common/headers-http.conf
index 1fb4086..79057ba 100644
--- a/templates/nginx/common/headers-http.conf
+++ b/templates/nginx/common/headers-http.conf
@@ -9,4 +9,3 @@ add_header X-Cache-Status $upstream_cache_status;
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
diff --git a/templates/nginx/nginx.conf b/templates/nginx/nginx.conf
index 78f22d2..2b36874 100644
--- a/templates/nginx/nginx.conf
+++ b/templates/nginx/nginx.conf
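Review bot: The added `# Note: This header is no longer recommended ...` tells the reader the option is on its way out but not what replaces it, and the only value this option can emit is the `1; mode=block` form named two lines below it. I would add `# Note: Most current browsers ignore this header; a Content-Security-Policy header is the supported way to limit script injection.` next to the MDN link, so that anyone flipping the key back to true knows what they are relying on.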
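Review bot: `# Default: true` on the new `php-opcache-timestamps` block describes PHP's own php.ini default rather than a value Webinoly writes: when the key is unset, `check_var php-opcache-timestamps` yields `false` and the `!= "false"` guard in `lib/install` skips the `sed`, so php.ini is left untouched. A note such as `# Note: When not set, the value already present in php.ini is left unchanged.` would make that explicit; the same presumably applies to `php-opcache-reval` below it if `lib/install` guards it the same way, which is not visible here. The first Note on the revalidate block reads awkwardly; `# Note: Raising this value can mean that changes in PHP code do not take effect until the next revalidation.` says the same thing more clearly.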
@@ -66,9 +66,9 @@ http {
 ssl_session_timeout 1h;
 ssl_session_cache shared:SSL:50m;
 ssl_dhparam /etc/ssl/dhparam.pem;
- ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
- ssl_prefer_server_ciphers on;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
+ ssl_ecdh_curve X25519:prime256v1:secp384r1;
+ ssl_prefer_server_ciphers off;
+ ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
 ##
 # Logging Settings
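Review bot: The three `TLS_AES_*`/`TLS_CHACHA20_*` names at the head of the new `ssl_ciphers` string are TLS 1.3 suite names, and with OpenSSL builds `ssl_ciphers` governs only TLS 1.2 and earlier, so those entries are silently skipped rather than applied; the line still works, but it gives the impression that TLS 1.3 suites are being pinned here when they are not. If pinning them is the intent, nginx's `ssl_conf_command Ciphersuites ...` directive is the place for it (nginx 1.19.4+ with OpenSSL 1.1.1+); otherwise drop the three names and add `# TLS 1.3 suites are chosen by the library; this list covers TLS 1.2 only` above the directive. The two `DHE-RSA-*` suites appended at the end bring back a dependency on the strength of the `ssl_dhparam` file on the context line above, which is fine if that file is generated at 2048 bits or more, but its generation is not visible in this hunk. `ssl_protocols` lies outside the hunk, so whether TLS 1.3 is enabled at all cannot be confirmed from here.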