
config

- Nginx config improved.
- X-XSS-Protection header removed from the default header set.
- php opcache dynvar in conf file.
- readme updated.
Cristhian Martínez Ochoa 2 years ago
parent
commit
32a0f58c24
8 changed files with 39 additions and 17 deletions
  1. 3 3
      README.md
  2. 2 2
      lib/bkp
  3. 4 1
      lib/general
  4. 4 4
      lib/headers
  5. 1 1
      lib/install
  6. 22 2
      templates/general/conf
  7. 0 1
      templates/nginx/common/headers-http.conf
  8. 3 3
      templates/nginx/nginx.conf

+ 3 - 3
README.md

@@ -11,7 +11,7 @@
 </div>
 
 ## Overview
-A complete LEMP stack _– Linux Ubuntu + Nginx + MariaDB (MySQL) + PHP –_ or install individual packages according to your needs.
+A complete LEMP stack _– Linux Ubuntu + Nginx + MariaDB (or MySQL, you can choose) + PHP –_ or install individual packages according to your needs.
 
 **One of the most reliable configurations to host your websites and with Webinoly you can do it in just one step.**
 
@@ -19,7 +19,7 @@ Webinoly provides a set of tools and commands that facilitate web server adminis
 - Unique commands to create, delete, disable sites.
 - Free SSL certificates for your sites with Let’s Encrypt and automatic server configuration.
 - HTTP/2 dramatically increases the speed of serving your content.
-- PHP v8.1 and support for earlier versions if needed (8.0 and 7.4).
+- PHP v8.1 and support for earlier versions if needed (8.0 and 7.4) or the newest 8.2.
 - FastCGI Cache and Redis Object Cache for your WordPress sites.
 - Install WP in any subfolder and support for external databases, multisite and domain mapping.
 - Reverse Proxy for any app (Java, React, Node, Angular, Vue, etc) or to use your own domain with any external file repo like S3.
@@ -35,7 +35,7 @@ Webinoly provides a set of tools and commands that facilitate web server adminis
 ## Usage
 
 ```bash
-# Install Webinoly and LEMP
+# Install Webinoly and build the stack
 wget -qO weby qrok.es/wy && sudo bash weby
 
 # Create your first site.

+ 2 - 2
lib/bkp

@@ -496,8 +496,8 @@ check_exported_conf() {
 	[[ -n $(conf_read_exported wp-admin-auth) ]] && conf_write wp-admin-auth $(conf_read_exported wp-admin-auth)
 	[[ -n $(conf_read_exported php-info) ]] && conf_write php-info $(conf_read_exported php-info)
 
-	[[ $(conf_read_exported header-xssp) == "false" ]] && conf_write header-xssp $(conf_read_exported header-xssp)
-	[[ $(conf_read_exported header-xcto) == "false" ]] && conf_write header-xcto $(conf_read_exported header-xcto)
+	[[ -n $(conf_read_exported header-xcto) ]] && conf_write header-xcto $(conf_read_exported header-xcto)
+	[[ -n $(conf_read_exported header-xssp) ]] && conf_write header-xssp $(conf_read_exported header-xssp)
 	[[ -n $(conf_read_exported header-xfo) ]] && conf_write header-xfo $(conf_read_exported header-xfo)
 	[[ -n $(conf_read_exported header-xfo-url) && $(conf_read_exported header-xfo) == "allow-from" ]] && conf_write header-xfo-url $(conf_read_exported header-xfo-url)
 	[[ -n $(conf_read_exported header-referrer) ]] && conf_write header-referrer $(conf_read_exported header-referrer)
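Review bot: The two rewritten lines now write back whatever non-empty string the exported file carries for header-xcto and header-xssp, where the old lines accepted only `false`; nothing here checks that the value is one of the documented booleans. Because header-xssp is consumed by `http_header_xssp`, which enables the header only on the exact string `true` and otherwise disables it, a value such as `True` or `1` in a restored backup is now silently treated as "off" instead of being rejected. I would gate on the documented values and quote the expansion: `[[ $(conf_read_exported header-xssp) =~ ^(true|false)$ ]] && conf_write header-xssp "$(conf_read_exported header-xssp)"`, and the same for header-xcto. check_exported_conf starts and ends outside this hunk.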

+ 4 - 1
lib/general

@@ -1299,7 +1299,10 @@ check_var() {
 	
 	# PHP opcache validate timestamps
 	elif [[ $1 == "php-opcache-timestamps" ]]; then
-		[[ -n $(conf_read php-opcache-reval) && $(conf_read php-opcache-timestamps) =~ ^(0|1)$ ]] && local out=$(conf_read php-opcache-timestamps) || local out="false"
+			local out="false"
+			[[ $(conf_read php-opcache-timestamps) == "true" ]] && local out="1"
+			[[ $(conf_read php-opcache-timestamps) == "false" ]] && local out="0"
+
 	# PHP opcache revalidate frequency
 	elif [[ $1 == "php-opcache-reval" ]]; then
 		[[ -n $(conf_read php-opcache-reval) && $(conf_read php-opcache-reval) =~ ^[0-9]+$ && $(conf_read php-opcache-reval) -ge 0 ]] && local out=$(conf_read php-opcache-reval) || local out="false"
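Review bot: The new php-opcache-timestamps branch is indented one tab deeper than the sibling `elif` branches and redeclares `local out` three times; the first declaration is enough and the following two should be plain assignments. I would write `local out="false"`, `[[ $(conf_read php-opcache-timestamps) == "true" ]] && out="1"`, `[[ $(conf_read php-opcache-timestamps) == "false" ]] && out="0"` at the same indent as the reval branch below. Reading conf_read once into a local would also avoid the duplicated call, which matters only for consistency with the neighbouring branches. check_var starts and ends outside this hunk.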

+ 4 - 4
lib/headers

@@ -110,10 +110,7 @@ http_header_xcto() {
 
 
 http_header_xssp() {
-	if [[ $(conf_read header-xssp) == "false" ]]; then
-		sudo sed -i '/^add_header X-XSS-Protection/s/^/#/' /etc/nginx/common/headers-http.conf
-		echo "${gre}${dim}X-XSS-Protection Header successfully disabled!${end}"
-	else
+	if [[ $(conf_read header-xssp) == "true" ]]; then
 		sudo sed -Ei "/^#?add_header X-XSS-Protection/d" /etc/nginx/common/headers-http.conf			
 		sudo echo "add_header X-XSS-Protection \"1; mode=block\";" >> /etc/nginx/common/headers-http.conf
 	
@@ -123,6 +120,9 @@ http_header_xssp() {
 			echo "${red}[ERROR] Please, enter a valid option for X-XSS-Protection header!${end}"
 			return 1
 		fi
+	else
+		sudo sed -i '/^add_header X-XSS-Protection/s/^/#/' /etc/nginx/common/headers-http.conf
+		echo "${gre}${dim}X-XSS-Protection Header successfully disabled!${end}"
 	fi
 }
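Review bot: After the restructuring, the `[ERROR] Please, enter a valid option for X-XSS-Protection header!` branch can only be reached from inside the `== "true"` branch, so it looks unreachable (the inner test sits between the two hunks, so this is inferred), and every value other than `true`, including typos and the legacy `1`, now falls through to the new `else` and silently disables the header. If invalid values should still be rejected rather than treated as "off", I would make the disable path explicit, `elif [[ -z $(conf_read header-xssp) || $(conf_read header-xssp) == "false" ]]; then`, put the commenting-out sed and its message under it, and keep the error message for anything else. Unrelated to this change but on the kept line, `sudo echo "add_header ..." >> /etc/nginx/common/headers-http.conf` applies sudo to echo only; the redirection runs as the invoking user, which only works because the tool itself runs as root.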
 

+ 1 - 1
lib/install

@@ -402,7 +402,7 @@ php_optim() {
 	sudo sed -i -r '/^[;]?opcache.enable_cli=/c\opcache.enable_cli=1' /etc/php/$ver/fpm/php.ini
 	sudo sed -i -r '/^[;]?opcache.enable=/c\opcache.enable=1' /etc/php/$ver/fpm/php.ini
 	
-	# Not set, unless non-empty! (hidden dynvars)
+	# Not set, unless non-empty!
 	if [[ $(check_var php-opcache-timestamps) != "false" ]]; then
 		sudo sed -i -r "/^[;]?opcache.validate_timestamps=/c\opcache.validate_timestamps=$(check_var php-opcache-timestamps)" /etc/php/$ver/fpm/php.ini
 	fi

+ 22 - 2
templates/general/conf

@@ -283,10 +283,12 @@
 
 # HTTP Header: X-XSS-Protection
 # Values: boolean (true/false)
-# Default: true (X-XSS-Protection: 1; mode=block)
+# Default: false
+# Note: This header is no longer recommended and support will be removed very soon from Webinoly.
 # Note: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# Note: When true is set: (X-XSS-Protection: 1; mode=block)
 ###########################
-#header-xssp:true
+#header-xssp:false
 
 
 # HTTP Header: Add any other Custom Header
@@ -356,6 +358,24 @@
 #php-max-input-vars:5000
 
 
+# PHP OpCache Validate Timestamps
+# Values: boolean (true/false)
+# Default: true
+# Note: When this directive is disabled, you must reset OPcache manually or by restarting the Web server for changes to the filesystem to take effect.
+###########################
+#php-opcache-timestamps:true
+
+
+# PHP OpCache Revalidate Frequency
+# Values: numeric int (seconds)
+# Default: 2
+# Note: Raising this value can cause developers to notice that changes in PHP code not taking effect. (similar to validate timestamps)
+# Note: This configuration directive is ignored if opcache.validate_timestamps is disabled.
+# Note: A good value (10-15), production servers with not frequent changes in code (60).
+###########################
+#php-opcache-reval:2
+
+
 # PHP Path_Info
 # Values: boolean (true/false)
 # Default: true
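Review bot: The deprecation note on header-xssp says the header is no longer recommended but not why, while the values line still invites enabling it; since current Chromium and Firefox no longer implement the XSS auditor (the linked MDN page covers this, as far as I recall), the reader should be told what to use instead. I would extend the note with `# Note: Modern browsers ignore this header (the XSS auditor has been removed); use a Content-Security-Policy instead.` The new php-opcache-timestamps entry could also state that leaving it unset means Webinoly does not write opcache.validate_timestamps at all and PHP's own default applies, which is what lib/install does when check_var returns `false`.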

+ 0 - 1
templates/nginx/common/headers-http.conf

@@ -9,4 +9,3 @@
 add_header X-Cache-Status $upstream_cache_status;
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";

+ 3 - 3
templates/nginx/nginx.conf

@@ -66,9 +66,9 @@ http {
 	ssl_session_timeout 1h;
 	ssl_session_cache shared:SSL:50m;
 	ssl_dhparam /etc/ssl/dhparam.pem;
-	ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
-	ssl_prefer_server_ciphers on;
-	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
+	ssl_ecdh_curve X25519:prime256v1:secp384r1;
+	ssl_prefer_server_ciphers off;
+	ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
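Review bot: The new cipher list adds two DHE-RSA suites, which nginx will only serve with a sufficiently strong group in the `/etc/ssl/dhparam.pem` referenced two lines above; if that file is generated elsewhere with fewer than 2048 bits, or is missing on an existing install, those suites either weaken the configuration or keep nginx from starting, so the generator should be checked (ideally an RFC 7919 group such as ffdhe2048) or the two DHE entries dropped, since every modern client negotiates an ECDHE or TLS 1.3 suite first. The three `TLS_AES_*`/`TLS_CHACHA20_*` names at the head of `ssl_ciphers` are TLS 1.3 suites, which OpenSSL does not take from this directive (it silently ignores them; they are enabled by default and configured via `ssl_conf_command Ciphersuites`), so they add nothing unless the build is against BoringSSL. `ssl_protocols` sits outside the hunk, so whether TLS 1.0/1.1 are disabled, which this list is otherwise sized for, cannot be confirmed here.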
 	
 	##
 	# Logging Settings