#!/bin/bash
# HTTP: Turn on a web server serving static files
#################################################

# Helper functions (the apt_install, hide_output, php_version,
# restart_service and ufw_allow calls below are expected to be defined here).
. setup/functions.sh

# Global settings; STORAGE_ROOT, STORAGE_USER, PRIMARY_HOSTNAME and
# MTA_STS_MODE used below are expected to come from this file.
# Note: this file enables no set -e / pipefail of its own; error handling
# is whatever the script that sources it has configured.
. /etc/mailinabox.conf
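# Some Ubuntu images start off with Apache. Remove it since we
# will use nginx. Use autoremove to remove any Apache dependencies.
#
# The package pattern 'apache2-*' is quoted: unquoted it is a shell glob
# that would be expanded against files in the current directory before
# apt-get ever saw it. apt-get interprets the wildcard itself.
if [ -f /usr/sbin/apache2 ]; then
	echo "Removing apache..."
	hide_output apt-get -y purge apache2 'apache2-*'
	hide_output apt-get -y --purge autoremove
fi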
# Install nginx and a PHP FastCGI daemon, then turn off nginx's default
# website. idn2 is installed here because it is used further down to
# produce the punycode form of the primary hostname.
echo "Installing Nginx (web server)..."
apt_install nginx php-cli php-fpm idn2

# Disable the stock "default" site shipped with the nginx package.
rm -f -- /etc/nginx/sites-enabled/default
# Install a nginx configuration file for common and best-practices
# SSL settings from @konklone. The STORAGE_ROOT placeholder in the
# template is replaced with the real path so nginx can find the DH params.

# The file used to live at /etc/nginx/nginx-ssl.conf; remove that
# stale location on upgraded installs.
rm -f /etc/nginx/nginx-ssl.conf

# '#' is used as the sed delimiter because STORAGE_ROOT is a path
# containing '/'. Only the first occurrence per line is replaced.
sed -e "s#STORAGE_ROOT#${STORAGE_ROOT}#" conf/nginx-ssl.conf \
	> /etc/nginx/conf.d/ssl.conf
# Fix some nginx defaults.
#
# server_names_hash_bucket_size: the default, according to nginx's docs,
# depends on "the size of the processor's cache line" and can be as low
# as 32, which rejects long domain names. We fixed it at 64 in 2014 to
# accommodate a long domain name (20 characters?), but even at 64 a
# 58-character domain name won't work (#93), so it is now 128.
#
# ssl_protocols: drop TLSv1.0 and TLSv1.1, following the Mozilla
# "Intermediate" recommendations at
# https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate&openssl-version=1.1.1.
#
# The trailing ';' is part of each value; editconf.py appears to write the
# values into nginx.conf verbatim — confirm in management/editconf.py.
management/editconf.py /etc/nginx/nginx.conf -s \
	server_names_hash_bucket_size="128;" \
	ssl_protocols="TLSv1.2 TLSv1.3;"
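# Tell PHP not to expose its version number in the X-Powered-By header,
# and set PHP's default charset to UTF-8, since we use it. See #367.
# Both settings live in the same php.ini, so they are applied in one
# editconf.py call (it accepts several key=value pairs, as used elsewhere
# in this file). The -c ';' matches php.ini's ';' comment syntax —
# see management/editconf.py for the flag's exact meaning.
management/editconf.py "/etc/php/$(php_version)/fpm/php.ini" -c ';' \
	expose_php=Off \
	default_charset="UTF-8"

# Configure the path environment for php-fpm.
# The key is quoted: an unquoted 'env[PATH]=...' is a shell glob pattern
# (the brackets form a character class) and the original line also ended
# in a dangling '\' continuation.
management/editconf.py "/etc/php/$(php_version)/fpm/pool.d/www.conf" -c ';' \
	'env[PATH]=/usr/local/bin:/usr/bin:/bin'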
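# Configure php-fpm based on the amount of memory the machine has.
# This is based on the nextcloud manual for performance tuning: https://docs.nextcloud.com/server/17/admin_manual/installation/server_tuning.html
# Some synchronisation issues can occur when many people access the site at once.
# The pm=ondemand setting is used for memory constrained machines < 2GB, this is copied over from PR: 1216
#
# MemTotal in /proc/meminfo is in kB. The line is selected by name rather
# than assumed to be the first line of the file. If the value cannot be
# read (or is not a plain integer) it is forced to 0 so the smallest
# profile is chosen, instead of '[ -lt ]' failing on an empty string.
TOTAL_PHYSICAL_MEM=$(awk '/^MemTotal:/ {print $2; exit}' /proc/meminfo 2>/dev/null || true)
if ! [[ "$TOTAL_PHYSICAL_MEM" =~ ^[0-9]+$ ]]; then
	TOTAL_PHYSICAL_MEM=0
fi

# Pick the pool settings for this memory class; thresholds are in kB.
if [ "$TOTAL_PHYSICAL_MEM" -lt 1000000 ]; then
	php_pm_settings=(pm=ondemand pm.max_children=8 pm.start_servers=2 pm.min_spare_servers=1 pm.max_spare_servers=3)
elif [ "$TOTAL_PHYSICAL_MEM" -lt 2000000 ]; then
	php_pm_settings=(pm=ondemand pm.max_children=16 pm.start_servers=4 pm.min_spare_servers=1 pm.max_spare_servers=6)
elif [ "$TOTAL_PHYSICAL_MEM" -lt 3000000 ]; then
	php_pm_settings=(pm=dynamic pm.max_children=60 pm.start_servers=6 pm.min_spare_servers=3 pm.max_spare_servers=9)
else
	php_pm_settings=(pm=dynamic pm.max_children=120 pm.start_servers=12 pm.min_spare_servers=6 pm.max_spare_servers=18)
fi

# Apply them in a single editconf.py call (it accepts several key=value pairs).
management/editconf.py "/etc/php/$(php_version)/fpm/pool.d/www.conf" -c ';' \
	"${php_pm_settings[@]}"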
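# Duplicate the socket to isolate MiaB apps from user apps that happen to run php.
# The [www] pool file is copied to a [miab] pool that listens on its own
# socket; every other setting is inherited from the copy taken here, so this
# must run after www.conf has been tuned. The copy is re-made on every run.
PHP_POOL_DIR="/etc/php/$(php_version)/fpm/pool.d"
cp -- "$PHP_POOL_DIR/www.conf" "$PHP_POOL_DIR/miab.conf"
management/editconf.py "$PHP_POOL_DIR/miab.conf" -c ';' \
	listen=/run/php/php-default.sock
# Rename the pool section header; the brackets are escaped for the regex.
sed -i 's/\[www\]/[miab]/' "$PHP_POOL_DIR/miab.conf"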
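# Other nginx settings will be configured by the management service
# since it depends on what domains we're serving, which we don't know
# until mail accounts have been created.

# Create the iOS/OS X Mobile Configuration file which is exposed via the
# nginx configuration at /mailinabox-mobileconfig.
# Each UUIDn placeholder receives its own kernel-generated random UUID.
# One sed with several -e expressions replaces the former chain of
# 'cat | sed | sed | ...' processes; expressions run in order per line and
# only the first occurrence on a line is replaced, exactly as before.
mkdir -p /var/lib/mailinabox
chmod a+rx /var/lib/mailinabox
sed \
	-e "s/PRIMARY_HOSTNAME/${PRIMARY_HOSTNAME}/" \
	-e "s/UUID1/$(cat /proc/sys/kernel/random/uuid)/" \
	-e "s/UUID2/$(cat /proc/sys/kernel/random/uuid)/" \
	-e "s/UUID3/$(cat /proc/sys/kernel/random/uuid)/" \
	-e "s/UUID4/$(cat /proc/sys/kernel/random/uuid)/" \
	conf/ios-profile.xml > /var/lib/mailinabox/mobileconfig.xml
# World-readable: the file is published through nginx (see above).
chmod a+r /var/lib/mailinabox/mobileconfig.xml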
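# Create the Mozilla Auto-configuration file which is exposed via the
# nginx configuration at /.well-known/autoconfig/mail/config-v1.1.xml.
# The format of the file is documented at:
# https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
# and https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration/FileFormat/HowTo.
# /var/lib/mailinabox is created earlier in this file. sed reads the
# template directly instead of through a 'cat |' pipe.
sed -e "s/PRIMARY_HOSTNAME/${PRIMARY_HOSTNAME}/" conf/mozilla-autoconfig.xml \
	> /var/lib/mailinabox/mozilla-autoconfig.xml
# World-readable: the file is published through nginx.
chmod a+r /var/lib/mailinabox/mozilla-autoconfig.xml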
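# Create a generic mta-sts.txt file which is exposed via the
# nginx configuration at /.well-known/mta-sts.txt
# more documentation is available on:
# https://www.uriports.com/blog/mta-sts-explained/
# default mode is "enforce". In /etc/mailinabox.conf change
# "MTA_STS_MODE=testing" which means "Messages will be delivered
# as though there was no failure but a report will be sent if
# TLS-RPT is configured" if you are not sure you want this yet. Or "none".
#
# The documented default "enforce" is also applied here, so an unset or
# empty MTA_STS_MODE can never publish a policy with an empty "mode:" line.

# MTA-STS policies name hosts in their ASCII (punycode) form.
PUNY_PRIMARY_HOSTNAME=$(printf '%s\n' "$PRIMARY_HOSTNAME" | idn2)

# Expressions run in order: MODE first, then PRIMARY_HOSTNAME, as before.
sed \
	-e "s/MODE/${MTA_STS_MODE:-enforce}/" \
	-e "s/PRIMARY_HOSTNAME/${PUNY_PRIMARY_HOSTNAME}/" \
	conf/mta-sts.txt > /var/lib/mailinabox/mta-sts.txt
# World-readable: the policy is published through nginx.
chmod a+r /var/lib/mailinabox/mta-sts.txt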
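# make a default homepage
#
# Every use of STORAGE_ROOT is quoted, and an unset/empty STORAGE_ROOT
# aborts here rather than letting the mkdir/chown below act on "/www".
: "${STORAGE_ROOT:?STORAGE_ROOT must be set (see /etc/mailinabox.conf)}"

if [ -d "$STORAGE_ROOT/www/static" ]; then mv "$STORAGE_ROOT/www/static" "$STORAGE_ROOT/www/default"; fi # migration #NODOC
mkdir -p "$STORAGE_ROOT/www/default"

# Only seed index.html once so a user-edited homepage is never overwritten.
# '#' is the delimiter for the STORAGE_ROOT expression because it is a path.
if [ ! -f "$STORAGE_ROOT/www/default/index.html" ]; then
	sed \
		-e "s/{{PRIMARY_HOSTNAME}}/${PRIMARY_HOSTNAME}/" \
		-e "s#{{STORAGE_ROOT}}#${STORAGE_ROOT}#" \
		conf/www_default.html > "$STORAGE_ROOT/www/default/index.html"
fi

chown -R "$STORAGE_USER" "$STORAGE_ROOT/www"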
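# Start services.
restart_service nginx
# The service name embeds the PHP version, e.g. php8.0-fpm (constructed example).
restart_service "php$(php_version)-fpm"

# Open ports.
ufw_allow http
ufw_allow https

# Allow the webserver to access directories group-owned by user-data.
# NOTE(review): supplementary group membership applies to every path that is
# group-owned by user-data, not only the web tree — confirm that scope is intended.
usermod -a -G user-data www-data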