stack updated and improved

linux var optim improved
nginx conf improved
wp security improved
MariaDB 10.3 upgraded

lib/general

@@ -135,15 +135,15 @@ pre_install() {
 mysql_client_install() {
 	api-events_update im2
 	local osname=$(check_osname)
-	# Cases with MariaDB v10.2 support
+	# Cases with MariaDB v10.3 support
 	case "$osname" in
 		"trusty")
 			sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
-			sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.2/ubuntu $osname main"
+			sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.3/ubuntu $osname main"
 		;;
-		"xenial"|"zesty"|"artful"|"bionic")
+		"xenial"|"artful"|"bionic"|"cosmic")
 			sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
-			sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.2/ubuntu $osname main"
+			sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.3/ubuntu $osname main"
 		;;
 	esac
 	pre_install

lib/install

@@ -3,11 +3,11 @@ source /opt/webinoly/lib/general
 
 
 app_version() { 
-	local app_ver="1.6.2"
+	local app_ver="1.7.0-beta"
 	echo $app_ver
 }
 svr_version() { 
-	local ser_ver="1.2"
+	local ser_ver="1.3"
 	echo $ser_ver
 }
 
@@ -76,51 +76,6 @@ LimitNOFILE=$nginxfd" | tee -a /etc/systemd/system/nginx.service.d/nofile_limit.
 	#echo "tmpfs    /var/run/nginx-cache   tmpfs   size=${cacheram}M,mode=0744,uid=www-data,gid=www-data   0   0" | sudo tee -a /etc/fstab
 	#sudo mount /var/run/nginx-cache
 	
-	sudo echo "# WebinolyStart - Don't delete
-fs.file-max = $newfd
-fs.nr_open=12000000
-vm.min_free_kbytes=65536
-net.core.somaxconn = 65536
-net.core.wmem_max=16777216
-net.core.rmem_max=16777216
-net.core.netdev_max_backlog=8192
-net.core.optmem_max=8192
-net.ipv4.ip_local_port_range=1024 65535
-net.ipv4.icmp_echo_ignore_broadcasts = 1
-net.ipv4.icmp_ignore_bogus_error_responses = 1
-net.ipv4.tcp_max_tw_buckets = 1440000
-net.ipv4.tcp_window_scaling = 1
-net.ipv4.tcp_max_syn_backlog = 3240000
-net.ipv4.tcp_rmem=8192 87380 16777216                                          
-net.ipv4.tcp_wmem=8192 65536 16777216
-net.ipv4.tcp_fin_timeout=10
-net.ipv4.tcp_keepalive_intvl=30
-net.ipv4.tcp_keepalive_probes=3
-net.ipv4.tcp_keepalive_time=240
-net.ipv4.tcp_sack=1
-net.ipv4.tcp_syn_retries=3
-net.ipv4.tcp_synack_retries = 2
-net.ipv4.tcp_tw_recycle = 0
-net.ipv4.tcp_tw_reuse = 0
-net.ipv4.tcp_slow_start_after_idle=0
-net.ipv4.tcp_rfc1337=1
-net.ipv4.tcp_challenge_ack_limit = 999999999
-net.ipv4.tcp_mtu_probing = 1
-net.ipv4.tcp_base_mss = 1024
-net.ipv4.conf.all.accept_redirects = 0
-net.ipv4.conf.all.accept_source_route = 0
-net.ipv4.conf.all.log_martians = 1
-net.ipv4.conf.all.rp_filter = 1
-net.ipv4.conf.all.secure_redirects = 0
-net.ipv4.conf.all.send_redirects = 0
-net.ipv4.conf.default.accept_redirects = 0
-net.ipv4.conf.default.accept_source_route = 0
-net.ipv4.conf.default.log_martians = 1
-net.ipv4.conf.default.rp_filter = 1
-net.ipv4.conf.default.secure_redirects = 0
-net.ipv4.conf.default.send_redirects = 0
-# WebinolyEnd" | tee -a /etc/sysctl.conf
-	
 	# https://www.cyberciti.biz/faq/linux-increase-the-maximum-number-of-open-files/
 	# https://ospi.fi/blog/centos-7-raise-nofile-limit-for-nginx.html
 	# https://www.masv.io/boost-nginx-connection-limits/
@@ -132,6 +87,15 @@ net.ipv4.conf.default.send_redirects = 0
 	sudo sed -i '/End of file/i \* - nofile 4096' /etc/security/limits.conf
 	sudo sed -i "/End of file/i \# WebinolyEnd" /etc/security/limits.conf
 
+	sudo cat /opt/webinoly/templates/general/sysctl >> /etc/sysctl.conf
+	# BBR is only valid in kernel > v4.9, bionic is at least 4.15
+	if [[ $(check_osname) == "bionic" ]]; then
+		sudo modprobe tcp_bbr
+	else
+		sudo sed -i '/tcp_congestion_control/s/^/#/' /etc/sysctl.conf
+		sudo sed -i '/tcp_notsent_lowat/s/^/#/' /etc/sysctl.conf
+	fi
+	
 	swap_create
 	set_timezone
 	
@@ -506,7 +470,6 @@ swap_delete() {
 		sudo swapoff -a -v > /dev/null
 		sudo rm /swapfile
 		sudo sed -i '/\/swapfile/d' /etc/fstab
-		sudo sed -i '/vm.swappiness/d' /etc/sysctl.conf
 		conf_delete swap-owner
 		api-events_update pn10
 	fi
@@ -566,9 +529,6 @@ swap_create() {
 
 			sudo sed -i "/LABEL.*/a \/swapfile none swap sw 0 0" /etc/fstab
 
-			echo 10 | sudo tee /proc/sys/vm/swappiness
-			echo vm.swappiness = 10 | sudo tee -a /etc/sysctl.conf 
-
 			# Swap created by Webinoly - so we should remove it in uninstall
 			conf_write swap-owner webinoly
 

plugins/stack

@@ -298,7 +298,11 @@ elif [[ $opt == "-html" || $opt == "-nginx" ]]; then
 	if [[ $(conf_read nginx) != "true" ]]; then
 		nginx_install
 		nginx_optim
-		[[ $arg != "-notools" ]] && nginx_tool		
+		[[ $arg != "-notools" ]] && nginx_tool
+		
+		# By default Yoast Plugin support is enabled
+		webinoly -yoast-sitemap=on
+		
 		echo ""
 		echo "${gre}Nginx has been successfully Optimized by Webinoly! ${end}"
 		echo ""

templates/general/sysctl

@@ -0,0 +1,268 @@
+
+
+# WebinolyStart - Don't delete
+# Based on Michiel Klaver kernel sysctl configuration file for Linux - http://klaver.it/linux/ (v1.13)
+
+###
+### GENERAL SYSTEM SECURITY OPTIONS ###
+###
+
+# Controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
+#Allow for more PIDs
+kernel.pid_max = 65535
+
+# The contents of /proc/<pid>/maps and smaps files are only visible to
+# readers that are allowed to ptrace() the process
+#kernel.maps_protect = 1
+
+#Enable ExecShield protection
+#kernel.exec-shield = 1
+kernel.randomize_va_space = 2
+
+# Controls the maximum size of a message, in bytes
+kernel.msgmnb = 65535
+
+# Controls the default maxmimum size of a mesage queue
+kernel.msgmax = 65535
+
+# Restrict core dumps
+fs.suid_dumpable = 0
+
+# Hide exposed kernel pointers
+kernel.kptr_restrict = 1
+
+
+
+###
+### IMPROVE SYSTEM MEMORY MANAGEMENT ###
+###
+
+# Increase size of file handles and inode cache
+fs.file-max = 147433
+
+# Do less swapping
+vm.swappiness = 10
+vm.dirty_ratio = 10
+vm.dirty_background_ratio = 5
+
+# specifies the minimum virtual address that a process is allowed to mmap
+vm.mmap_min_addr = 4096
+
+# 50% overcommitment of available memory
+vm.overcommit_ratio = 50
+vm.overcommit_memory = 0
+
+# Set maximum amount of memory allocated to shm to 256MB
+kernel.shmmax = 268435456
+kernel.shmall = 268435456
+
+# Keep at least 64MB of free RAM space available
+vm.min_free_kbytes = 65535
+
+
+
+###
+### GENERAL NETWORK SECURITY OPTIONS ###
+###
+
+#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_syn_retries = 2
+net.ipv4.tcp_synack_retries = 2
+net.ipv4.tcp_max_syn_backlog = 4096
+
+# Disables packet forwarding
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.default.forwarding = 0
+net.ipv6.conf.all.forwarding = 0
+net.ipv6.conf.default.forwarding = 0
+
+# Disables IP source routing
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Enable IP spoofing protection, turn on source route verification
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Disable ICMP Redirect Acceptance
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Decrease the time default value for tcp_fin_timeout connection
+net.ipv4.tcp_fin_timeout = 7
+
+# Decrease the time default value for connections to keep alive
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_probes = 5
+net.ipv4.tcp_keepalive_intvl = 15
+
+# Don't relay bootp
+net.ipv4.conf.all.bootp_relay = 0
+
+# Don't proxy arp for anyone
+net.ipv4.conf.all.proxy_arp = 0
+
+# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
+net.ipv4.tcp_timestamps = 1
+
+# Don't ignore directed pings
+net.ipv4.icmp_echo_ignore_all = 0
+
+# Enable ignoring broadcasts request
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Enable bad error message Protection
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Allowed local port range
+net.ipv4.ip_local_port_range = 16384 65535
+
+# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
+net.ipv4.tcp_rfc1337 = 1
+
+# Do not auto-configure IPv6
+net.ipv6.conf.all.autoconf=0
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.autoconf=0
+net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.eth0.autoconf=0
+net.ipv6.conf.eth0.accept_ra=0
+
+
+
+###
+### TUNING NETWORK PERFORMANCE ###
+###
+
+# For high-bandwidth low-latency networks, use 'bbr' congestion control (kernel > 4.9)
+# Only enabled in bionic (at least v4.15)
+# Do a 'sudo modprobe tcp_bbr' first
+net.ipv4.tcp_congestion_control = bbr
+net.ipv4.tcp_notsent_lowat = 16384
+
+# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
+net.core.default_qdisc = fq
+
+# Turn on the tcp_window_scaling
+net.ipv4.tcp_window_scaling = 1
+
+# Increase the read-buffer space allocatable
+net.ipv4.tcp_rmem = 8192 87380 16777216
+net.ipv4.udp_rmem_min = 16384
+net.core.rmem_default = 262144
+net.core.rmem_max = 16777216
+
+# Increase the write-buffer-space allocatable
+net.ipv4.tcp_wmem = 8192 65536 16777216
+net.ipv4.udp_wmem_min = 16384
+net.core.wmem_default = 262144
+net.core.wmem_max = 16777216
+
+# Increase number of incoming connections
+net.core.somaxconn = 32768
+
+# Increase number of incoming connections backlog
+net.core.netdev_max_backlog = 16384
+net.core.dev_weight = 64
+
+# Increase the maximum amount of option memory buffers
+net.core.optmem_max = 65535
+
+# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
+net.ipv4.tcp_max_tw_buckets = 1440000
+
+# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
+#net.ipv4.tcp_tw_recycle = 0
+net.ipv4.tcp_tw_reuse = 1
+
+# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
+net.ipv4.tcp_max_orphans = 16384
+net.ipv4.tcp_orphan_retries = 0
+
+# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
+net.ipv4.ipfrag_low_thresh = 196608
+net.ipv6.ip6frag_low_thresh = 196608
+net.ipv4.ipfrag_high_thresh = 262144
+net.ipv6.ip6frag_high_thresh = 262144
+
+
+# don't cache ssthresh from previous connection
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_moderate_rcvbuf = 1
+
+# Increase size of RPC datagram queue length
+net.unix.max_dgram_qlen = 50
+
+# Don't allow the arp table to become bigger than this
+net.ipv4.neigh.default.gc_thresh3 = 2048
+
+# Tell the gc when to become aggressive with arp table cleaning.
+# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
+net.ipv4.neigh.default.gc_thresh2 = 1024
+
+# Adjust where the gc will leave arp table alone - set to 32.
+net.ipv4.neigh.default.gc_thresh1 = 32
+
+# Adjust to arp table gc to clean-up more often
+net.ipv4.neigh.default.gc_interval = 30
+
+# Increase TCP queue length
+net.ipv4.neigh.default.proxy_qlen = 96
+net.ipv4.neigh.default.unres_qlen = 6
+
+# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
+net.ipv4.tcp_ecn = 1
+net.ipv4.tcp_reordering = 3
+
+# How many times to retry killing an alive TCP connection
+net.ipv4.tcp_retries2 = 15
+net.ipv4.tcp_retries1 = 3
+
+# Avoid falling back to slow start after a connection goes idle
+# keeps our cwnd large with the keep alive connections (kernel > 3.6)
+net.ipv4.tcp_slow_start_after_idle = 0
+
+# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
+net.ipv4.tcp_fastopen = 3
+
+# This will enusre that immediatly subsequent connections use the new values
+net.ipv4.route.flush = 1
+net.ipv6.route.flush = 1
+
+
+###
+### CUSTOM ###
+###
+
+fs.nr_open=12000000
+net.ipv4.tcp_sack=1
+net.ipv4.tcp_mtu_probing = 1
+net.ipv4.tcp_base_mss = 1024
+net.ipv4.tcp_challenge_ack_limit = 999999999
+net.ipv6.conf.default.router_solicitations = 0
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+net.ipv6.conf.default.accept_ra_pinfo = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.default.dad_transmits = 0
+net.ipv6.conf.default.max_addresses = 1
+# WebinolyEnd

templates/nginx/common/php.conf

@@ -1,10 +1,10 @@
 # PHP NGINX CONFIGURATION
 # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly
 location / {
-  try_files $uri $uri/ /index.php?$args;
+	try_files $uri $uri/ /index.php?$args $uri =404;
 }
 location ~ \.php$ {
-  try_files $uri =404;
-  include fastcgi_params;
-  fastcgi_pass php;
+	try_files $uri =404;
+	include fastcgi_params;
+	fastcgi_pass php;
 }

templates/nginx/common/wpcommon.conf

@@ -5,6 +5,7 @@
 # https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html
 location /wp-admin {
 	location ~ /wp-admin/admin-ajax.php$ {
+		limit_req zone=wp burst=6 nodelay;
 		include fastcgi_params;
 		fastcgi_pass php;
 	}
@@ -34,21 +35,6 @@ location /wp-content/uploads/ {
 	location ~ \.php$ {
 		#Prevent Direct Access Of PHP Files From Web Browsers
 		deny all;
-}
+	}
 }
 
-# YoastSitemapStart - Yoast SEO Plugin
-	location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ {
-	rewrite ^(.*)/sitemap\.xml$ $1/sitemap_index.xml permanent;
-	rewrite ^.*/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last;
-	# Rules for yoast sitemap with wp|wpsubdir|wpsubdomain
-	rewrite ^.*/sitemap_index\.xml$ /index.php?sitemap=1 last;
-	rewrite ^.*/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
-	# Following lines are optional. Needed for Yoast Premium.
-	rewrite ^.*/news_sitemap\.xml$ /index.php?sitemap=wpseo_news last;
-	rewrite ^.*/locations\.kml$ /index.php?sitemap=wpseo_local_kml last;
-	rewrite ^.*/geo_sitemap\.xml$ /index.php?sitemap=wpseo_local last;
-	rewrite ^.*/video-sitemap\.xsl$ /index.php?xsl=video last;
-	access_log off;
-}
-# YoastSitemapEnd

templates/nginx/common/wpfc.conf

@@ -16,7 +16,7 @@ if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|wp-.*.php|index.php|/feed/|.*sitema
 }
 
 # Don't use the cache for logged in users or recent commenter or customer with items in cart
-if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|[a-z0-9]+_items_in_cart") {
+if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|[a-z0-9]+_items_in_cart|[a-z0-9]+_cart_hash") {
 	set $skip_cache 1;
 }
 

templates/nginx/nginx.conf

@@ -32,6 +32,7 @@ http {
 	open_file_cache max=30000 inactive=1m;
 	
 	types_hash_max_size 2048;
+	server_names_hash_max_size 2048;
 	# server_names_hash_bucket_size 64;
 	# server_name_in_redirect off;
 
@@ -48,12 +49,15 @@ http {
 	##
 
 	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_buffer_size 4k;
+	ssl_session_tickets off;
 	ssl_session_timeout 10m;
-	ssl_session_cache shared:SSL:20m;
+	ssl_session_cache shared:SSL:50m;
 	ssl_dhparam /etc/ssl/dhparam.pem;
 	ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
 	ssl_prefer_server_ciphers on;
 	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT';
+	
 
 	##
 	# Logging Settings

templates/template-site-ssl

@@ -1,6 +1,5 @@
 
 	# WebinolySSLstart
-	ssl on;
 	ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
 	ssl_stapling on;