diff --git a/lib/general b/lib/general
index 00c4b73..69e1fce 100644
--- a/lib/general
+++ b/lib/general
@@ -135,15 +135,15 @@ pre_install() {
 mysql_client_install() {
 api-events_update im2
 local osname=$(check_osname)
- # Cases with MariaDB v10.2 support
+ # Cases with MariaDB v10.3 support
 case "$osname" in
 "trusty")
 sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
- sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.2/ubuntu $osname main"
+ sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.3/ubuntu $osname main"
 ;;
- "xenial"|"zesty"|"artful"|"bionic")
+ "xenial"|"artful"|"bionic"|"cosmic")
 sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
- sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.2/ubuntu $osname main"
+ sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.3/ubuntu $osname main"
 ;;
 esac
 pre_install
diff --git a/lib/install b/lib/install
index 3e1a07a..0d2aaa9 100644
--- a/lib/install
+++ b/lib/install
@@ -3,11 +3,11 @@ source /opt/webinoly/lib/general
 app_version() {
- local app_ver="1.6.2"
+ local app_ver="1.7.0-beta"
 echo $app_ver
 }
 svr_version() {
- local ser_ver="1.2"
+ local ser_ver="1.3"
 echo $ser_ver
 }
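Review bot: Both case branches still fetch the MariaDB signing key with `apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 …`, and the 10.2→10.3 bump keeps that pattern: the transport is unauthenticated HKP and only a 64-bit key ID (`0xcbcb082a1bb943db` / `0xF1656F24C74CD1D8`) is pinned, so the trust root for every later apt signature check is whatever key the keyserver returns for that ID at install time. The repo line itself is plain `http://`, which is acceptable only because of that key. Switching the two `--keyserver` arguments to `hkps://keyserver.ubuntu.com` where the release's gpg supports it, or shipping the key file and comparing its full fingerprint before `apt-key add`, removes the dependency on the keyserver connection. The enclosing mysql_client_install() continues past the end of the hunk.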
@@ -76,51 +76,6 @@ LimitNOFILE=$nginxfd" | tee -a /etc/systemd/system/nginx.service.d/nofile_limit.
 #echo "tmpfs /var/run/nginx-cache tmpfs size=${cacheram}M,mode=0744,uid=www-data,gid=www-data 0 0" | sudo tee -a /etc/fstab
 #sudo mount /var/run/nginx-cache
- sudo echo "# WebinolyStart - Don't delete
-fs.file-max = $newfd
-fs.nr_open=12000000
-vm.min_free_kbytes=65536
-net.core.somaxconn = 65536
-net.core.wmem_max=16777216
-net.core.rmem_max=16777216
-net.core.netdev_max_backlog=8192
-net.core.optmem_max=8192
-net.ipv4.ip_local_port_range=1024 65535
-net.ipv4.icmp_echo_ignore_broadcasts = 1
-net.ipv4.icmp_ignore_bogus_error_responses = 1
-net.ipv4.tcp_max_tw_buckets = 1440000
-net.ipv4.tcp_window_scaling = 1
-net.ipv4.tcp_max_syn_backlog = 3240000
-net.ipv4.tcp_rmem=8192 87380 16777216
-net.ipv4.tcp_wmem=8192 65536 16777216
-net.ipv4.tcp_fin_timeout=10
-net.ipv4.tcp_keepalive_intvl=30
-net.ipv4.tcp_keepalive_probes=3
-net.ipv4.tcp_keepalive_time=240
-net.ipv4.tcp_sack=1
-net.ipv4.tcp_syn_retries=3
-net.ipv4.tcp_synack_retries = 2
-net.ipv4.tcp_tw_recycle = 0
-net.ipv4.tcp_tw_reuse = 0
-net.ipv4.tcp_slow_start_after_idle=0
-net.ipv4.tcp_rfc1337=1
-net.ipv4.tcp_challenge_ack_limit = 999999999
-net.ipv4.tcp_mtu_probing = 1
-net.ipv4.tcp_base_mss = 1024
-net.ipv4.conf.all.accept_redirects = 0
-net.ipv4.conf.all.accept_source_route = 0
-net.ipv4.conf.all.log_martians = 1
-net.ipv4.conf.all.rp_filter = 1
-net.ipv4.conf.all.secure_redirects = 0
-net.ipv4.conf.all.send_redirects = 0
-net.ipv4.conf.default.accept_redirects = 0
-net.ipv4.conf.default.accept_source_route = 0
-net.ipv4.conf.default.log_martians = 1
-net.ipv4.conf.default.rp_filter = 1
-net.ipv4.conf.default.secure_redirects = 0
-net.ipv4.conf.default.send_redirects = 0
-# WebinolyEnd" | tee -a /etc/sysctl.conf
-
 # https://www.cyberciti.biz/faq/linux-increase-the-maximum-number-of-open-files/
 # https://ospi.fi/blog/centos-7-raise-nofile-limit-for-nginx.html
 # https://www.masv.io/boost-nginx-connection-limits/
@@ -132,6 +87,15 @@ net.ipv4.conf.default.send_redirects = 0
 sudo sed -i '/End of file/i \* - nofile 4096' /etc/security/limits.conf
 sudo sed -i "/End of file/i \# WebinolyEnd" /etc/security/limits.conf
+ sudo cat /opt/webinoly/templates/general/sysctl >> /etc/sysctl.conf
+ # BBR is only valid in kernel > v4.9, bionic is at least 4.15
+ if [[ $(check_osname) == "bionic" ]]; then
+ sudo modprobe tcp_bbr
+ else
+ sudo sed -i '/tcp_congestion_control/s/^/#/' /etc/sysctl.conf
+ sudo sed -i '/tcp_notsent_lowat/s/^/#/' /etc/sysctl.conf
+ fi
+
 swap_create
 set_timezone
@@ -506,7 +470,6 @@ swap_delete() {
 sudo swapoff -a -v > /dev/null
 sudo rm /swapfile
 sudo sed -i '/\/swapfile/d' /etc/fstab
- sudo sed -i '/vm.swappiness/d' /etc/sysctl.conf
 conf_delete swap-owner
 api-events_update pn10
 fi
@@ -566,9 +529,6 @@ swap_create() {
 sudo sed -i "/LABEL.*/a \/swapfile none swap sw 0 0" /etc/fstab
- echo 10 | sudo tee /proc/sys/vm/swappiness
- echo vm.swappiness = 10 | sudo tee -a /etc/sysctl.conf
- # Swap created by Webinoly - so we should remove it in uninstall
 conf_write swap-owner webinoly
diff --git a/plugins/stack b/plugins/stack
index b427139..ff9fff1 100644
--- a/plugins/stack
+++ b/plugins/stack
@@ -298,7 +298,11 @@ elif [[ $opt == "-html" || $opt == "-nginx" ]]; then
 if [[ $(conf_read nginx) != "true" ]]; then
 nginx_install
 nginx_optim
- [[ $arg != "-notools" ]] && nginx_tool
+ [[ $arg != "-notools" ]] && nginx_tool
+
+ # By default Yoast Plugin support is enabled
+ webinoly -yoast-sitemap=on
+
 echo ""
 echo "${gre}Nginx has been successfully Optimized by Webinoly! ${end}"
 echo ""
diff --git a/templates/general/sysctl b/templates/general/sysctl
new file mode 100644
index 0000000..92aa95d
--- /dev/null
+++ b/templates/general/sysctl
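Review bot: The new `sudo cat /opt/webinoly/templates/general/sysctl >> /etc/sysctl.conf` is not idempotent — a re-run, or an upgrade on a host that still carries the old inline `# WebinolyStart` block this commit removes from the same file, appends a second copy of every key — and the two `sed -i '/tcp_congestion_control/s/^/#/'` / `'/tcp_notsent_lowat/s/^/#/'` edits in the else branch comment out every matching line in the file, including any an administrator added outside the Webinoly markers. Note also that the `>>` redirection is opened by the calling shell rather than by sudo, so the line only works when the installer already runs as root (the removed `| tee -a` form was equally unprivileged, so that is presumably the case, but it is worth confirming). Guarding on the marker, writing through `tee`, and scoping the sed to the `/WebinolyStart/,/WebinolyEnd/` range keeps the change inside the managed block. The surrounding function starts and ends outside the hunk.
```shell
	if ! grep -q '# WebinolyStart' /etc/sysctl.conf; then
		sudo tee -a /etc/sysctl.conf < /opt/webinoly/templates/general/sysctl > /dev/null
	fi
	# … unchanged: BBR comment and the bionic check / modprobe branch …
	else
		sudo sed -i '/WebinolyStart/,/WebinolyEnd/{/tcp_congestion_control/s/^/#/}' /etc/sysctl.conf
		sudo sed -i '/WebinolyStart/,/WebinolyEnd/{/tcp_notsent_lowat/s/^/#/}' /etc/sysctl.conf
	fi
```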
@@ -0,0 +1,268 @@
+
+
+# WebinolyStart - Don't delete
+# Based on Michiel Klaver kernel sysctl configuration file for Linux - http://klaver.it/linux/ (v1.13)
+
+###
+### GENERAL SYSTEM SECURITY OPTIONS ###
+###
+
+# Controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
+#Allow for more PIDs
+kernel.pid_max = 65535
+
+# The contents of /proc//maps and smaps files are only visible to
+# readers that are allowed to ptrace() the process
+#kernel.maps_protect = 1
+
+#Enable ExecShield protection
+#kernel.exec-shield = 1
+kernel.randomize_va_space = 2
+
+# Controls the maximum size of a message, in bytes
+kernel.msgmnb = 65535
+
+# Controls the default maxmimum size of a mesage queue
+kernel.msgmax = 65535
+
+# Restrict core dumps
+fs.suid_dumpable = 0
+
+# Hide exposed kernel pointers
+kernel.kptr_restrict = 1
+
+
+
+###
+### IMPROVE SYSTEM MEMORY MANAGEMENT ###
+###
+
+# Increase size of file handles and inode cache
+fs.file-max = 147433
+
+# Do less swapping
+vm.swappiness = 10
+vm.dirty_ratio = 10
+vm.dirty_background_ratio = 5
+
+# specifies the minimum virtual address that a process is allowed to mmap
+vm.mmap_min_addr = 4096
+
+# 50% overcommitment of available memory
+vm.overcommit_ratio = 50
+vm.overcommit_memory = 0
+
+# Set maximum amount of memory allocated to shm to 256MB
+kernel.shmmax = 268435456
+kernel.shmall = 268435456
+
+# Keep at least 64MB of free RAM space available
+vm.min_free_kbytes = 65535
+
+
+
+###
+### GENERAL NETWORK SECURITY OPTIONS ###
+###
+
+#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_syn_retries = 2
+net.ipv4.tcp_synack_retries = 2
+net.ipv4.tcp_max_syn_backlog = 4096
+
+# Disables packet forwarding
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.default.forwarding = 0
+net.ipv6.conf.all.forwarding = 0
+net.ipv6.conf.default.forwarding = 0
+
+# Disables IP source routing
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Enable IP spoofing protection, turn on source route verification
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Disable ICMP Redirect Acceptance
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Decrease the time default value for tcp_fin_timeout connection
+net.ipv4.tcp_fin_timeout = 7
+
+# Decrease the time default value for connections to keep alive
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_probes = 5
+net.ipv4.tcp_keepalive_intvl = 15
+
+# Don't relay bootp
+net.ipv4.conf.all.bootp_relay = 0
+
+# Don't proxy arp for anyone
+net.ipv4.conf.all.proxy_arp = 0
+
+# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
+net.ipv4.tcp_timestamps = 1
+
+# Don't ignore directed pings
+net.ipv4.icmp_echo_ignore_all = 0
+
+# Enable ignoring broadcasts request
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Enable bad error message Protection
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Allowed local port range
+net.ipv4.ip_local_port_range = 16384 65535
+
+# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
+net.ipv4.tcp_rfc1337 = 1
+
+# Do not auto-configure IPv6
+net.ipv6.conf.all.autoconf=0
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.autoconf=0
+net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.eth0.autoconf=0
+net.ipv6.conf.eth0.accept_ra=0
+
+
+
+###
+### TUNING NETWORK PERFORMANCE ###
+###
+
+# For high-bandwidth low-latency networks, use 'bbr' congestion control (kernel > 4.9)
+# Only enabled in bionic (at least v4.15)
+# Do a 'sudo modprobe tcp_bbr' first
+net.ipv4.tcp_congestion_control = bbr
+net.ipv4.tcp_notsent_lowat = 16384
+
+# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
+net.core.default_qdisc = fq
+
+# Turn on the tcp_window_scaling
+net.ipv4.tcp_window_scaling = 1
+
+# Increase the read-buffer space allocatable
+net.ipv4.tcp_rmem = 8192 87380 16777216
+net.ipv4.udp_rmem_min = 16384
+net.core.rmem_default = 262144
+net.core.rmem_max = 16777216
+
+# Increase the write-buffer-space allocatable
+net.ipv4.tcp_wmem = 8192 65536 16777216
+net.ipv4.udp_wmem_min = 16384
+net.core.wmem_default = 262144
+net.core.wmem_max = 16777216
+
+# Increase number of incoming connections
+net.core.somaxconn = 32768
+
+# Increase number of incoming connections backlog
+net.core.netdev_max_backlog = 16384
+net.core.dev_weight = 64
+
+# Increase the maximum amount of option memory buffers
+net.core.optmem_max = 65535
+
+# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
+net.ipv4.tcp_max_tw_buckets = 1440000
+
+# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
+#net.ipv4.tcp_tw_recycle = 0
+net.ipv4.tcp_tw_reuse = 1
+
+# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
+net.ipv4.tcp_max_orphans = 16384
+net.ipv4.tcp_orphan_retries = 0
+
+# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
+net.ipv4.ipfrag_low_thresh = 196608
+net.ipv6.ip6frag_low_thresh = 196608
+net.ipv4.ipfrag_high_thresh = 262144
+net.ipv6.ip6frag_high_thresh = 262144
+
+
+# don't cache ssthresh from previous connection
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_moderate_rcvbuf = 1
+
+# Increase size of RPC datagram queue length
+net.unix.max_dgram_qlen = 50
+
+# Don't allow the arp table to become bigger than this
+net.ipv4.neigh.default.gc_thresh3 = 2048
+
+# Tell the gc when to become aggressive with arp table cleaning.
+# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
+net.ipv4.neigh.default.gc_thresh2 = 1024
+
+# Adjust where the gc will leave arp table alone - set to 32.
+net.ipv4.neigh.default.gc_thresh1 = 32
+
+# Adjust to arp table gc to clean-up more often
+net.ipv4.neigh.default.gc_interval = 30
+
+# Increase TCP queue length
+net.ipv4.neigh.default.proxy_qlen = 96
+net.ipv4.neigh.default.unres_qlen = 6
+
+# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
+net.ipv4.tcp_ecn = 1
+net.ipv4.tcp_reordering = 3
+
+# How many times to retry killing an alive TCP connection
+net.ipv4.tcp_retries2 = 15
+net.ipv4.tcp_retries1 = 3
+
+# Avoid falling back to slow start after a connection goes idle
+# keeps our cwnd large with the keep alive connections (kernel > 3.6)
+net.ipv4.tcp_slow_start_after_idle = 0
+
+# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
+net.ipv4.tcp_fastopen = 3
+
+# This will enusre that immediatly subsequent connections use the new values
+net.ipv4.route.flush = 1
+net.ipv6.route.flush = 1
+
+
+###
+### CUSTOM ###
+###
+
+fs.nr_open=12000000
+net.ipv4.tcp_sack=1
+net.ipv4.tcp_mtu_probing = 1
+net.ipv4.tcp_base_mss = 1024
+net.ipv4.tcp_challenge_ack_limit = 999999999
+net.ipv6.conf.default.router_solicitations = 0
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+net.ipv6.conf.default.accept_ra_pinfo = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.default.dad_transmits = 0
+net.ipv6.conf.default.max_addresses = 1
+# WebinolyEnd
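Review bot: `vm.mmap_min_addr = 4096` in the memory-management section lowers the protected low-address range below the 65536 that stock Ubuntu ships, which weakens the kernel's NULL-pointer-dereference mitigation for no benefit stated in the comment; drop the line or change it to `vm.mmap_min_addr = 65536`. In the IPv6 block, `accept_ra=0`/`autoconf=0` on `all`, `default` and the hard-coded `eth0` will take IPv6 away from hosts whose provider assigns addresses by router advertisement, and the `eth0` keys fail outright on hosts with predictable interface names, so this deserves a comment or a gate rather than unconditional application. `fs.file-max = 147433` also replaces the install-time `$newfd` value the removed inline block computed, so the limit no longer scales with the host. `net.ipv4.tcp_fastopen = 3` enables server-side TFO, which nginx only uses with `fastopen=` on its `listen`; a comment saying so would save the next reader from assuming it is active.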
diff --git a/templates/nginx/common/php.conf b/templates/nginx/common/php.conf
index bfaef6a..27329e9 100644
--- a/templates/nginx/common/php.conf
+++ b/templates/nginx/common/php.conf
@@ -1,10 +1,10 @@
 # PHP NGINX CONFIGURATION
 # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly
 location / {
- try_files $uri $uri/ /index.php?$args;
+ try_files $uri $uri/ /index.php?$args $uri =404;
 }
 location ~ \.php$ {
- try_files $uri =404;
- include fastcgi_params;
- fastcgi_pass php;
+ try_files $uri =404;
+ include fastcgi_params;
+ fastcgi_pass php;
 }
diff --git a/templates/nginx/common/wpcommon.conf b/templates/nginx/common/wpcommon.conf
index fe511f7..57f39ee 100644
--- a/templates/nginx/common/wpcommon.conf
+++ b/templates/nginx/common/wpcommon.conf
@@ -5,6 +5,7 @@
 # https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html
 location /wp-admin {
 location ~ /wp-admin/admin-ajax.php$ {
+ limit_req zone=wp burst=6 nodelay;
 include fastcgi_params;
 fastcgi_pass php;
 }
@@ -34,21 +35,6 @@ location /wp-content/uploads/ {
 location ~ \.php$ {
 #Prevent Direct Access Of PHP Files From Web Browsers
 deny all;
-}
+ }
 }
-# YoastSitemapStart - Yoast SEO Plugin
- location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ {
- rewrite ^(.*)/sitemap\.xml$ $1/sitemap_index.xml permanent;
- rewrite ^.*/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last;
- # Rules for yoast sitemap with wp|wpsubdir|wpsubdomain
- rewrite ^.*/sitemap_index\.xml$ /index.php?sitemap=1 last;
- rewrite ^.*/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
- # Following lines are optional. Needed for Yoast Premium.
- rewrite ^.*/news_sitemap\.xml$ /index.php?sitemap=wpseo_news last;
- rewrite ^.*/locations\.kml$ /index.php?sitemap=wpseo_local_kml last;
- rewrite ^.*/geo_sitemap\.xml$ /index.php?sitemap=wpseo_local last;
- rewrite ^.*/video-sitemap\.xsl$ /index.php?xsl=video last;
- access_log off;
-}
-# YoastSitemapEnd
\ No newline at end of file
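Review bot: In the new `try_files $uri $uri/ /index.php?$args $uri =404;` the `/index.php?$args` parameter is no longer last, so nginx checks it as a file on disk (as far as I recall the `?…` part is not stripped for non-final parameters, so it cannot match) instead of making the internal redirect; the following `$uri` repeats a check already made, and the effective behaviour collapses to `try_files $uri $uri/ =404;`. If the intent is that unknown URIs should 404 instead of being routed to the front controller, that is a reasonable hardening but the two dead parameters should go and a comment should say so; if front-controller routing is still wanted, `/index.php?$args` has to stay the final parameter. I cannot tell from the diff which was meant, so please confirm.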
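Review bot: `limit_req zone=wp burst=6 nodelay;` references a `wp` zone, but no matching `limit_req_zone … zone=wp:…` appears in the nginx.conf hunks of this commit; if it is not defined elsewhere the config fails `nginx -t`, and its key and rate decide whether this is a useful DoS brake or a self-inflicted outage. admin-ajax.php carries the WordPress heartbeat and most editor AJAX, so a per-IP rate with `burst=6 nodelay` can return 503 to a single legitimate admin session behind a busy NAT; a comment stating the zone's rate and the reasoning would help the next maintainer, and `limit_req_status 429;` would let clients distinguish throttling from a backend failure. The enclosing `location /wp-admin` block continues past the hunk.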
diff --git a/templates/nginx/common/wpfc.conf b/templates/nginx/common/wpfc.conf
index 8131cb4..5ae5e2e 100644
--- a/templates/nginx/common/wpfc.conf
+++ b/templates/nginx/common/wpfc.conf
@@ -16,7 +16,7 @@ if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|wp-.*.php|index.php|/feed/|.*sitema
 }
 # Don't use the cache for logged in users or recent commenter or customer with items in cart
-if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|[a-z0-9]+_items_in_cart") {
+if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|[a-z0-9]+_items_in_cart|[a-z0-9]+_cart_hash") {
 set $skip_cache 1;
 }
diff --git a/templates/nginx/nginx.conf b/templates/nginx/nginx.conf
index 6ac2501..a8a5cdc 100644
--- a/templates/nginx/nginx.conf
+++ b/templates/nginx/nginx.conf
@@ -32,6 +32,7 @@ http {
 open_file_cache max=30000 inactive=1m;
 types_hash_max_size 2048;
+ server_names_hash_max_size 2048;
 # server_names_hash_bucket_size 64;
 # server_name_in_redirect off;
@@ -48,12 +49,15 @@ http {
 ##
 ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_buffer_size 4k;
+ ssl_session_tickets off;
 ssl_session_timeout 10m;
- ssl_session_cache shared:SSL:20m;
+ ssl_session_cache shared:SSL:50m;
 ssl_dhparam /etc/ssl/dhparam.pem;
 ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
 ssl_prefer_server_ciphers on;
 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT';
+
 ##
 # Logging Settings
diff --git a/templates/template-site-ssl b/templates/template-site-ssl
index 9d4dc97..8ad1812 100644
--- a/templates/template-site-ssl
+++ b/templates/template-site-ssl
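Review bot: `ssl_session_tickets off;` in the second nginx.conf hunk is the right call — without an `ssl_session_ticket_key` nginx encrypts tickets under a key that only changes on reload, so long-lived tickets would undercut the forward secrecy the ECDHE suites provide — but it lacks a why-comment and is exactly the kind of line a later performance pass re-enables; add `# Tickets off: no key rotation is configured, so tickets would weaken forward secrecy` above it. With tickets off, resumption now rests entirely on the enlarged `shared:SSL:50m` cache, which is fine server-side but does not survive a restart, worth noting next to the size bump. The context lines still list `TLSv1.1` and the CBC/SHA-1 `ECDHE-RSA-AES128-SHA`/`ECDHE-RSA-AES256-SHA` suites; that is outside this commit but a natural follow-up to the same block.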
@@ -1,6 +1,5 @@
 # WebinolySSLstart
- ssl on;
 ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
 ssl_stapling on;