Change to PHP-FPM (#591)

This commit is contained in:
Daniel Hansson 2018-08-09 01:23:48 +02:00 committed by GitHub
parent 38dc04ce57
commit 4acfcaab3c
19 changed files with 432 additions and 148 deletions


@ -29,11 +29,11 @@
DigitalOcean example: https://youtu.be/LlqY5Y6P9Oc
#### Minimum requirements:
* A clean Ubuntu Server 18.04.X
* A clean [Ubuntu Server 18.04.X](http://cdimage.ubuntu.com/releases/18.04/release/) using the alternative installer
* OpenSSH (preferred)
* 20 GB HDD for OS
* XX GB HDD for DATA (/mnt/ncdata)
* At least 1 vCPU and 2 GB RAM (4 GB minimum if you are running OnlyOffice)
* Absolute minimum is 1 vCPU and 2 GB RAM (4 GB minimum if you are running OnlyOffice)
* A working internet connection (the script needs it to download files and variables)
#### Recommended
@ -63,6 +63,8 @@ https://github.com/techandme/NextBerry or here https://www.techandme.se/nextberr
We call it NextBerry and it's confirmed to be working on Raspberry Pi 2 & 3.
NOTE (2018-08-01): This is not maintained anymore, but keeping the info in case someone wants to pick it up again.
## I want to test RC!
No problem! We made it simple. Run `update.sh` but abort it before it starts so that you have the latest `nextcloud_update.sh`. Then put this in your `nextcloud_update.sh` below the curl command (lib.sh) but before everything else and run it:


@ -16,6 +16,9 @@ debug_mode
# Check if root
root_check
# Warn user about HTTP/2
http2_warn Adminer
# Check that the script can see the external IP (apache fails otherwise)
if [ -z "$WANIP4" ]
then
@ -38,9 +41,9 @@ sudo wget -q "http://www.adminer.org/latest.php" -O "$ADMINERDIR"/latest.php
sudo ln -s "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php
cat << ADMINER_CREATE > "$ADMINER_CONF"
Alias /adminer.php "$ADMINERDIR"/adminer.php
Alias /adminer.php $ADMINERDIR/adminer.php
<Directory "$ADMINERDIR">
<Directory $ADMINERDIR>
<IfModule mod_dir.c>
DirectoryIndex adminer.php
@ -56,7 +59,7 @@ ADMINER_CREATE
# Enable config
check_command a2enconf adminer.conf
if ! webserver_restart
if ! restart_webserver
then
msg_box "Apache2 could not restart...
The script will exit."
@ -68,7 +71,7 @@ http://$ADDRESS/adminer.php
You can download more plugins and get more information here:
https://www.adminer.org
Your PostgreSQL connection information can be found in $NCPATH/config/confgig.php
Your PostgreSQL connection information can be found in $NCPATH/config/config.php
In case you try to access Adminer and get 'Forbidden' you need to change the IP in:
$ADMINER_CONF"
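Review bot: The `if ! restart_webserver` test at L54 can no longer take its error branch if `restart_webserver` (lib.sh on this page, L380-383) wraps both restarts in `check_command`, which in its other uses here appears to exit the script on failure; the "Apache2 could not restart... The script will exit." message below it then becomes unreachable. The same applies to `if restart_webserver` at L285 in the SSL activation script, where the `else` branch that reverts to the self-signed config (L297-304) would never run, and that revert was the whole point of testing the restart. If restart_webserver is meant to be usable as a condition, drop `check_command` from it, e.g. `restart_webserver() { systemctl restart apache2 && systemctl restart php7.2-fpm.service; }`, and let callers decide what a failure means. check_command's definition is not on this page, so this is inferred from its other call sites.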


@ -76,8 +76,7 @@ check_open_port 80 "$SUBDOMAIN"
check_open_port 443 "$SUBDOMAIN"
# Install Docker
install_if_not curl
curl -fsSL get.docker.com | sh
install_docker
# Set devicemapper
check_command cp -v /lib/systemd/system/docker.service /etc/systemd/system/
@ -196,13 +195,13 @@ then
printf "Certs are generated!\n"
printf "${Color_Off}\n"
a2ensite "$SUBDOMAIN.conf"
service apache2 restart
restart_webserver
# Install Collabora App
occ_command app:install richdocuments
else
printf "${ICyan}\nIt seems like no certs were generated, please report this issue here: $ISSUES\n"
any_key "Press any key to continue... "
service apache2 restart
restart_webserver
fi
# Enable RichDocuments (Collabora App)


@ -30,9 +30,9 @@ then
fi
# Check if it's a clean install
if [ -d /usr/share/elasticsearch ]
if [ -d "$RORDIR" ]
then
msg_box "It seems like /usr/share/elasticsearch already exists. Have you already run this script?
msg_box "It seems like $RORDIR already exists. Have you already run this script?
If yes, revert all the settings and try again, it must be a clean install."
exit 1
fi
@ -57,12 +57,11 @@ then
deluser --group solr
fi
#Check & install docker
# Check & install docker
install_docker
set_max_count
mkdir $RORDIR
docker pull $nc_fts
mkdir -p "$RORDIR"
docker pull "$nc_fts"
# Create configuration YML
cat << YML_CREATE > /opt/es/readonlyrest.yml
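Review bot: The heredoc target on L117 still hardcodes `/opt/es/readonlyrest.yml` while the lines just above were changed to go through `$RORDIR` (`[ -d "$RORDIR" ]`, `mkdir -p "$RORDIR"`); if RORDIR is ever set to anything other than /opt/es the directory check passes but the config is written somewhere else or the redirect fails. Use the variable consistently: `cat << YML_CREATE > "$RORDIR"/readonlyrest.yml`. RORDIR's value is defined outside this hunk, so today this may be purely cosmetic.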


@ -1,6 +1,6 @@
#!/bin/bash
# Tech and Me © - 2017, https://www.techandme.se/
# Tech and Me © - 2018, https://www.techandme.se/
echo "Installing Netdata..."


@ -75,8 +75,7 @@ check_open_port 80 "$SUBDOMAIN"
check_open_port 443 "$SUBDOMAIN"
# Install Docker
install_if_not curl
curl -fsSL get.docker.com | sh
install_docker
# Set devicemapper
check_command cp -v /lib/systemd/system/docker.service /etc/systemd/system/
@ -185,14 +184,14 @@ then
printf "Certs are generated!\n"
printf "${Color_Off}\n"
a2ensite "$SUBDOMAIN.conf"
service apache2 restart
restart_webserver
# Install Onlyoffice App
cd "$NC_APPS_PATH"
check_command git clone https://github.com/ONLYOFFICE/onlyoffice-owncloud.git onlyoffice
else
printf "${ICyan}\nIt seems like no certs were generated, please report this issue here: $ISSUES\n"
any_key "Press any key to continue... "
service apache2 restart
restart_webserver
fi
# Enable Onlyoffice


@ -1,12 +1,8 @@
#!/bin/bash
# Tech and Me © - 2018, https://www.techandme.se/
# shellcheck disable=2034,2059
true
# shellcheck source=lib.sh
PREVIEW_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
unset PREVIEW_INSTALL
. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
# Check for errors + debug code and abort if something isn't right
# 1 = ON
@ -14,23 +10,54 @@ unset PREVIEW_INSTALL
DEBUG=0
debug_mode
# Download and install Preview Generator
if [ ! -d "$NCPATH"/apps/previewgenerator ]
then
echo "Installing Preview Generator..."
wget -q "$PREVER_REPO/v$PREVER/$PREVER_FILE" -P "$NCPATH/apps"
tar -zxf "$NCPATH/apps/$PREVER_FILE" -C "$NCPATH/apps"
cd "$NCPATH/apps"
rm "$PREVER_FILE"
fi
# Check if root
root_check
# Enable Preview Generator
if [ -d "$NCPATH"/apps/previewgenerator ]
# Install preview generator
install_and_enable_app previewgenerator
# Run the first preview generation and add crontab
if [ -d "$NC_APPS_PATH/previewgenerator" ]
then
sudo -u www-data php "$NCPATH"/occ app:enable previewgenerator
chown -R www-data:www-data $NCPATH/apps
# Enable previews (remove the # to enable the specific preview)
occ_command config:system:set enable_previews --value=true --type=boolean
occ_command config:system:set preview_libreoffice_path --value='/usr/bin/libreoffice'
# occ_command config:system:set enabledPreviewProviders 0 --value='OC\\Preview\\PNG'
# occ_command config:system:set enabledPreviewProviders 1 --value='OC\\Preview\\JPEG'
# occ_command config:system:set enabledPreviewProviders 2 --value='OC\\Preview\\GIF'
# occ_command config:system:set enabledPreviewProviders 3 --value='OC\\Preview\\BMP'
# occ_command config:system:set enabledPreviewProviders 4 --value='OC\\Preview\\XBitmap'
# occ_command config:system:set enabledPreviewProviders 5 --value='OC\\Preview\\MarkDown'
# occ_command config:system:set enabledPreviewProviders 6 --value='OC\\Preview\\MP3'
# occ_command config:system:set enabledPreviewProviders 7 --value='OC\\Preview\\TXT'
# occ_command config:system:set enabledPreviewProviders 8 --value='OC\\Preview\\Illustrator'
# occ_command config:system:set enabledPreviewProviders 9 --value='OC\\Preview\\Movie'
# occ_command config:system:set enabledPreviewProviders 10 --value='OC\\Preview\\MSOffice2003'
# occ_command config:system:set enabledPreviewProviders 11 --value='OC\\Preview\\MSOffice2007'
# occ_command config:system:set enabledPreviewProviders 12 --value='OC\\Preview\\MSOfficeDoc'
# occ_command config:system:set enabledPreviewProviders 13 --value='OC\\Preview\\OpenDocument'
# occ_command config:system:set enabledPreviewProviders 14 --value='OC\\Preview\\PDF'
# occ_command config:system:set enabledPreviewProviders 15 --value='OC\\Preview\\Photoshop'
# occ_command config:system:set enabledPreviewProviders 16 --value='OC\\Preview\\Postscript'
# occ_command config:system:set enabledPreviewProviders 17 --value='OC\\Preview\\StarOffice'
# occ_command config:system:set enabledPreviewProviders 18 --value='OC\\Preview\\SVG'
# occ_command config:system:set enabledPreviewProviders 19 --value='OC\\Preview\\TIFF'
# occ_command config:system:set enabledPreviewProviders 20 --value='OC\\Preview\\Font'
# Set aspect ratio
occ_command config:app:set --value="32 64 1024" previewgenerator squareSizes
occ_command config:app:set --value="64 128 1024" previewgenerator widthSizes
occ_command config:app:set --value="64 256 1024" previewgenerator heightSizes
# Add crotab
crontab -u www-data -l | { cat; echo "@daily php -f $NCPATH/occ preview:pre-generate >> /var/log/previewgenerator.log"; } | crontab -u www-data -
sudo -u www-data php "$NCPATH"/occ preview:generate-all
touch /var/log/previewgenerator.log
chown www-data:www-data /var/log/previewgenerator.log
# Install needed dependencies
install_if_not ffmpeg
install_if_not libreoffice
# Pre generate everything
occ_command preview:generate-all
fi
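Review bot: The crontab line at L219 (`crontab -u www-data -l | { cat; echo "@daily …"; } | crontab -u www-data -`) appears to be retained from the old version, but the block around it is new and it is still not idempotent: every run of this script appends another identical `@daily` job, and nothing in the new block checks for an existing entry. Guard it with `crontab -u www-data -l 2>/dev/null | grep -Fq 'preview:pre-generate' ||` in front of the pipeline. The new `occ_command preview:generate-all` on L227 also runs synchronously at the very end; on an instance that already holds data this can take hours, so a comment stating that (or deferring it to the first cron run) would set expectations for whoever runs the script.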


@ -108,7 +108,7 @@ then
fi
# Restart services
service apache2 restart
restart_webserver
if ! systemctl restart snap.spreedme.spreed-webrtc.service
then
msg_box "Something is wrong, the installation did not finish correctly.


@ -5,7 +5,8 @@
# shellcheck disable=2034,2059
true
# shellcheck source=lib.sh
TURN_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
NC_UPDATE=1 && TURN_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
unset NC_UPDATE
unset TURN_INSTALL
# Check for errors + debug code and abort if something isn't right
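Review bot: `NC_UPDATE=1 && TURN_INSTALL=1 . <(curl …)` on L248 mixes two different scopes: `NC_UPDATE=1` is a plain assignment that persists in the shell (hence the new `unset NC_UPDATE` on L249), while `TURN_INSTALL=1` is a prefix on the `.` command, whose visibility after the sourced file returns depends on the shell mode. If both flags are meant to be seen only by lib.sh, write `NC_UPDATE=1 TURN_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)`; if both are meant to persist until the `unset` lines, write them as two plain assignments on their own lines before the `.`. The `&&` between them adds nothing either way.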


@ -147,6 +147,9 @@ then
ServerName $domain
### SETTINGS ###
<FilesMatch "\.php$">
SetHandler "proxy:unix:/run/php/php7.2-fpm.nextcloud.sock|fcgi://localhost"
</FilesMatch>
DocumentRoot $NCPATH
@ -163,7 +166,19 @@ then
SetEnv HOME $NCPATH
SetEnv HTTP_HOME $NCPATH
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ".ht*">
Require all denied
</Files>
# Disable HTTP TRACE method.
TraceEnable off
# Disable HTTP TRACK method.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [R=405,L]
### LOCATION OF CERT FILES ###
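Review bot: The new `<FilesMatch "\.php$">` handler at L258-260 proxies every `.php` request to FPM unconditionally, whereas the equivalent block inserted into 000-default.conf at L445-449 wraps it in `<If "-f %{SCRIPT_FILENAME}">`; without that guard, requests for nonexistent `.php` paths are handed to FPM (which answers with its own "File not found") instead of being rejected by Apache, and the two vhost templates in the install script (L695-697, L720-722) have the same shape. The socket path `/run/php/php7.2-fpm.nextcloud.sock` is now spelled out in five places (here, L447, L611, L696, L721); one lib.sh constant next to `PHP_POOL_DIR` (a name such as `PHP_FPM_SOCK`, to be chosen) would keep the pool definition and the vhosts from drifting apart. The heredoc and the `if` that contain this hunk begin before L255 and end after L276.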


@ -19,7 +19,7 @@ a2ensite "$1"
a2dissite nextcloud_ssl_domain_self_signed.conf
a2dissite nextcloud_http_domain_self_signed.conf
a2dissite 000-default.conf
if service apache2 restart
if restart_webserver
then
msg_box "New settings works! SSL is now activated and OK!
@ -42,6 +42,8 @@ then
sudo hostnamectl set-hostname "$FQDOMAIN"
# Change /etc/hosts as well
sed -i "s|127.0.1.1.*|127.0.1.1 $FQDOMAIN $(hostname -s)|g" /etc/hosts
# And in the php-fpm pool conf
sed -i "s|env\[HOSTNAME\] = .*|env[HOSTNAME] = $(hostname -f)|g" "$PHP_POOL_DIR"/nextcloud.conf
fi
# Set trusted domains
@ -80,7 +82,7 @@ else
a2ensite nextcloud_ssl_domain_self_signed.conf
a2ensite nextcloud_http_domain_self_signed.conf
a2ensite 000-default.conf
service apache2 restart
restart_webserver
printf "${ICyan}Couldn't load new config, reverted to old settings. Self-signed SSL is OK!${Color_Off}\n"
any_key "Press any key to continue... "
exit 1
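Review bot: After the new `sed` on L293 rewrites `env[HOSTNAME]` in `"$PHP_POOL_DIR"/nextcloud.conf`, nothing in this hunk reloads php-fpm, so the running pool keeps the old hostname; the only `restart_webserver` calls visible in this section are the earlier test at L285 and the revert path at L301, both of which run in other branches. If no restart follows later in the script, add `restart_webserver` after the sed (or `systemctl reload php7.2-fpm`, which is enough for a pool change). The `if` block containing L289-L293 starts before this hunk.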

lib.sh

@ -32,7 +32,7 @@ GATEWAY=$(route -n|grep "UG"|grep -v "UGH"|cut -f 10 -d " ")
DNS1="9.9.9.9"
DNS2="149.112.112.112"
# Repo
GITHUB_REPO="https://raw.githubusercontent.com/nextcloud/vm/master"
GITHUB_REPO="https://raw.githubusercontent.com/nextcloud/vm/php-fpm"
STATIC="$GITHUB_REPO/static"
LETS_ENC="$GITHUB_REPO/lets-encrypt"
APP="$GITHUB_REPO/apps"
@ -95,6 +95,9 @@ NC_APPS_PATH=$NCPATH/apps
SOLR_HOME=/home/$SUDO_USER/solr_install/
SOLR_JETTY=/opt/solr/server/etc/jetty-http.xml
SOLR_DSCONF=/opt/solr-$SOLR_VERSION/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml
# PHP-FPM
PHP_INI=/etc/php/7.2/fpm/php.ini
PHP_POOL_DIR=/etc/php/7.2/fpm/pool.d
# Adminer
ADMINERDIR=/usr/share/adminer
ADMINER_CONF=/etc/apache2/conf-available/adminer.conf
@ -204,6 +207,59 @@ do
done
}
# Warn user that HTTP/2 will be disabled if installing app that use Apache2 PHP instead of PHP-FPM
# E.g: http2_warn Modsecurity
http2_warn() {
msg_box "This VM has HTTP/2 enabled by default.
If you continue with installing $1, HTTP/2 will be disabled since it's not compatible with the mpm module used by $1.
This is what Apache will say in the error.log if you enable $1 anyway:
The mpm module (prefork.c) is not supported by mod_http2.
The mpm determines how things are processed in your server.
HTTP/2 has more demands in this regard and the currently selected mpm will just not do.
This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive."
if [[ "no" == $(ask_yes_or_no "Do you really want to enable $1 anyway?") ]]
then
exit 1
fi
}
calculate_max_children() {
# Calculate max_children depending on RAM
# Tends to be between 30-50MB
average_php_memory_requirement=50
available_memory=$(awk '/MemAvailable/ {printf "%d", $2/1024}' /proc/meminfo)
export PHP_FPM_MAX_CHILDREN=$((available_memory/average_php_memory_requirement))
echo "Automatically configures PHP-FPM 'max_children'..."
if [ $PHP_FPM_MAX_CHILDREN -lt 8 ]
then
msg_box "The current max_children value available to set is $PHP_FPM_MAX_CHILDREN, and with that value PHP-FPM won't function properly.
The minimum value is 8, and the value is calculated depening on how much RAM you have left to use in the system.
The absolute minimum amount of RAM required to run the VM is 2 GB, but we recomend 4 GB.
You now have two choices:
1. Import this VM again, raise the amount of RAM with at least 1 GB, and then run this script again,
installing it in the same way as you did before.
2. Import this VM again without raising the RAM, but don't install any of the following apps:
1) Collabora
2) OnlyOffice
3) Full Text Search
This script will now exit.
The installation was not successful, sorry for the inconvenience.
If you think this is a bug, please report it to $ISSUES"
exit 1
else
echo "PHP-FPM max_children is $PHP_FPM_MAX_CHILDREN"
fi
}
test_connection() {
# Install dnsutils if not existing
if [ "$(dpkg-query -W -f='${Status}' "dnsutils" 2>/dev/null | grep -c "ok installed")" == "1" ]
@ -250,6 +306,11 @@ If you think that this is a bug, please report it to https://github.com/nextclou
fi
}
restart_webserver() {
check_command systemctl restart apache2
check_command systemctl restart php7.2-fpm.service
}
# Install certbot (Let's Encrypt)
install_certbot() {
certbot --version 2> /dev/null
@ -330,10 +391,10 @@ fi
check_distro_version() {
# Check Ubuntu version
echo "Checking server OS and version..."
if uname -a | grep -ic "bionic"
if uname -a | grep -ic "bionic" &> /dev/null
then
OS=1
elif uname -v | grep -ic "Ubuntu"
elif uname -v | grep -ic "Ubuntu" &> /dev/null
then
OS=1
fi
@ -354,11 +415,15 @@ fi
}
configure_max_upload() {
# Increase max filesize (expects that changes are made in /etc/php/7.2/apache2/php.ini)
# Increase max filesize (expects that changes are made in $PHP_INI)
# Here is a guide: https://www.techandme.se/increase-max-file-size/
sed -i 's/ php_value upload_max_filesize.*/# php_value upload_max_filesize 511M/g' "$NCPATH"/.htaccess
sed -i 's/ php_value post_max_size.*/# php_value post_max_size 511M/g' "$NCPATH"/.htaccess
sed -i 's/ php_value memory_limit.*/# php_value memory_limit 512M/g' "$NCPATH"/.htaccess
echo "Setting max_upload size in PHP..."
# Copy settings from .htaccess to user.ini. beacuse we run php-fpm. Documented here: https://docs.nextcloud.com/server/13/admin_manual/installation/source_installation.html#php-fpm-configuration-notes
cp -fv "$NCPATH/.htaccess" "$NCPATH/.user.ini"
# Do the acutal change
sed -i 's/ php_value upload_max_filesize.*/# php_value upload_max_filesize 511M/g' "$NCPATH"/.user.ini
sed -i 's/ php_value post_max_size.*/# php_value post_max_size 511M/g' "$NCPATH"/.user.ini
sed -i 's/ php_value memory_limit.*/# php_value memory_limit 512M/g' "$NCPATH"/.user.ini
}
# Check if program is installed (is_this_installed apache2)
@ -697,15 +762,11 @@ fi
}
install_docker() {
if [ "$DOCKER_INS" = "docker-ce" ] || \
[ "$DOCKER_INS" = "docker-ee" ] || \
[ "$DOCKER_INS" = "docker.io" ] ; then
echo "Docker seems to be installed, skipping..."
else
echo "Installing Docker CE..."
curl -fsSL get.docker.com -o get-docker.sh
bash get-docker.sh
rm -rf get-docker.sh
if ! docker -v &> /dev/null
then
echo "Installing Docker CE..."
install_if_not curl
curl -fsSL get.docker.com | sh
fi
}
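Review bot: `configure_max_upload` (L402-416) now copies the entire Apache `.htaccess` over `$NCPATH/.user.ini` and then only comments out three `php_value` lines; PHP reads `.user.ini` as INI syntax, so the copied `<IfModule>`/`RewriteRule` directives are most likely a parse error that makes PHP discard the file, and the plain `key=value` `.user.ini` Nextcloud ships there is destroyed either way. The php-fpm notes linked on L410 describe a few `upload_max_filesize=…`-style lines, so the FPM equivalent of the old `.htaccess` edit is to `sed` the `upload_max_filesize=`, `post_max_size=` and `memory_limit=` entries of the existing `.user.ini` (INI comments use `;`, not `#`) rather than replacing the file; the same block was duplicated into update.sh at L793-800 and needs the same fix. Separately, L315 points `GITHUB_REPO` at the `php-fpm` branch, which reads as a development leftover that should go back to `master` before merge, otherwise every script fetches its helpers from a feature branch. In `calculate_max_children`, the test at L354 uses an unquoted `$PHP_FPM_MAX_CHILDREN`; if the awk on L351 yields nothing, `[ -lt 8 ]` errors out instead of taking the warning branch, so quote it and default it: `if [ "${PHP_FPM_MAX_CHILDREN:-0}" -lt 8 ]`.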


@ -221,6 +221,15 @@ chmod 750 $HTML/index.php && chown www-data:www-data $HTML/index.php
# Change 000-default to $WEB_ROOT
sed -i "s|DocumentRoot /var/www/html|DocumentRoot $HTML|g" /etc/apache2/sites-available/000-default.conf
# Make possible to see the welcome screen (without this php-fpm won't reach it)
sed -i '14i\ # http://lost.l-w.ca/0x05/apache-mod_proxy_fcgi-and-php-fpm/' /etc/apache2/sites-available/000-default.conf
sed -i '15i\ <FilesMatch "\.php$">' /etc/apache2/sites-available/000-default.conf
sed -i '16i\ <If "-f %{SCRIPT_FILENAME}">' /etc/apache2/sites-available/000-default.conf
sed -i '17i\ SetHandler "proxy:unix:/run/php/php7.2-fpm.nextcloud.sock|fcgi://localhost"' /etc/apache2/sites-available/000-default.conf
sed -i '18i\ </If>' /etc/apache2/sites-available/000-default.conf
sed -i '19i\ </FilesMatch>' /etc/apache2/sites-available/000-default.conf
sed -i '20i\ ' /etc/apache2/sites-available/000-default.conf
# Make $SCRIPTS excutable
chmod +x -R $SCRIPTS
chown root:root -R $SCRIPTS
@ -317,10 +326,11 @@ whiptail --title "Which apps do you want to install?" --checklist --separate-out
"Fail2ban" "(Extra Bruteforce protection) " OFF \
"Adminer" "(PostgreSQL GUI) " OFF \
"Netdata" "(Real-time server monitoring) " OFF \
"Collabora" "(Online editing 2GB RAM) " OFF \
"OnlyOffice" "(Online editing 4GB RAM) " OFF \
"Collabora" "(Online editing [2GB RAM]) " OFF \
"OnlyOffice" "(Online editing [4GB RAM]) " OFF \
"Passman" "(Password storage) " OFF \
"FullTextSearch" "(Elasticsearch [still in BETA]) " OFF \
"FullTextSearch" "(Elasticsearch for Nextcloud [2GB RAM]) " OFF \
"PreviewGenerator" "(Pre-generate previews) " OFF \
"Talk" "(Nextcloud Video calls and chat) " OFF \
"Spreed.ME" "(3rd-party Video calls and chat) " OFF 2>results
@ -353,7 +363,11 @@ do
FullTextSearch)
run_app_script fulltextsearch
;;
;;
PreviewGenerator)
run_app_script previewgenerator
;;
Talk)
run_app_script talk
@ -393,21 +407,16 @@ clear
# Fixes https://github.com/nextcloud/vm/issues/58
a2dismod status
service apache2 reload
restart_webserver
# Increase max filesize (expects that changes are made in /etc/php/7.0/apache2/php.ini)
# Increase max filesize (expects that changes are made in $PHP_INI)
# Here is a guide: https://www.techandme.se/increase-max-file-size/
VALUE="# php_value upload_max_filesize 513M"
if ! grep -Fxq "$VALUE" $NCPATH/.htaccess
then
sed -i 's/ php_value upload_max_filesize 513M/# php_value upload_max_filesize 511M/g' "$NCPATH"/.htaccess
sed -i 's/ php_value post_max_size 513M/# php_value post_max_size 511M/g' "$NCPATH"/.htaccess
sed -i 's/ php_value memory_limit 512M/# php_value memory_limit 512M/g' "$NCPATH"/.htaccess
fi
configure_max_upload
# Extra configurations
whiptail --title "Extra configurations" --checklist --separate-output "Choose what you want to configure\nSelect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4 \
"Security" "(Add extra security based on this http://goo.gl/gEJHi7)" OFF \
"ModSecurity" "(Add ModSecurity for Apache2" OFF \
"Static IP" "(Set static IP in Ubuntu with netplan.io)" OFF 2>results
while read -r -u 9 choice
@ -416,6 +425,10 @@ do
"Security")
run_static_script security
;;
"ModSecurity")
run_static_script modsecurity
;;
"Static IP")
run_static_script set_static_ip
@ -427,6 +440,11 @@ do
done 9< results
rm -f results
# Calculate max_children after all apps are installed
calculate_max_children
check_command sed -i "s|pm.max_children.*|pm.max_children = $PHP_FPM_MAX_CHILDREN|g" $PHP_POOL_DIR/nextcloud.conf
restart_webserver
# Add temporary fix if needed
bash $SCRIPTS/temporary-fix.sh
rm "$SCRIPTS"/temporary-fix.sh
@ -504,8 +522,6 @@ bash $SCRIPTS/update.sh
# Cleanup 2
apt autoremove -y
apt autoclean
CLEARBOOT=$(dpkg -l linux-* | awk '/^ii/{ print $2}' | grep -v -e "$(uname -r | cut -f1,2 -d"-")" | grep -e "[0-9]" | xargs sudo apt -y purge)
echo "$CLEARBOOT"
# Success!
msg_box "Congratulations! You have successfully installed Nextcloud!
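Review bot: The seven `sed -i 'NNi\ …'` calls at L444-450 insert the FPM handler into 000-default.conf at fixed line numbers 14-20, which depends on the exact layout of the distribution's stock file; any change to that file, or a second run of this script, puts the `<FilesMatch>` block in the wrong place, possibly outside the `<VirtualHost>`, where Apache refuses the config. Inserting relative to a pattern is sturdier (a `sed -i '/DocumentRoot/a …'` per line, applied in reverse order, or writing the whole vhost with a heredoc as the install script does for its other vhosts), and a `grep -q 'php7.2-fpm.nextcloud.sock' /etc/apache2/sites-available/000-default.conf ||` guard keeps it idempotent. At L514 the `$PHP_POOL_DIR/nextcloud.conf` argument is unquoted while the neighbouring L518 quotes `"$SCRIPTS"`; quote it for consistency.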


@ -85,6 +85,10 @@ fi
is_this_installed postgresql
is_this_installed apache2
is_this_installed php
is_this_installed php-fpm
is_this_installed php7.2-fpm
is_this_installed php7.1-fpm
is_this_installed php7.0-fpm
is_this_installed mysql-common
is_this_installed mariadb-server
@ -151,38 +155,95 @@ END
service postgresql restart
# Install Apache
check_command apt install apache2 -y
check_command apt install apache2 -y
a2enmod rewrite \
headers \
proxy \
proxy_fcgi \
setenvif \
env \
dir \
mime \
ssl \
setenvif
dir \
authz_core \
alias \
ssl
# We don't use Apache PHP (just to be sure)
a2dismod mpm_prefork
# Enable HTTP/2 server wide
echo "Enabling HTTP/2 server wide..."
cat << HTTP2_ENABLE > "$HTTP2_CONF"
<IfModule http2_module>
Protocols h2 h2c http/1.1
H2Direct on
</IfModule>
HTTP2_ENABLE
echo "$HTTP2_CONF was successfully created"
a2enmod http2
restart_webserver
# Install PHP 7.2
apt update -q4 & spinner_loading
check_command apt install -y \
libapache2-mod-php7.2 \
php7.2-common \
php7.2-fpm \
php7.2-intl \
php7.2-ldap \
php7.2-imap \
php7.2-cli \
php7.2-gd \
php7.2-pgsql \
php7.2-json \
php7.2-curl \
php7.2-xml \
php7.2-zip \
php7.2-mbstring \
php-smbclient \
php-imagick \
php7.2-soap \
php7.2-smbclient \
php7.2-imagick \
php7.2-json \
php7.2-gmp \
php7.2-bz2 \
php-pear \
libmagickcore-6.q16-3-extra
# Enable php-fpm
a2enconf php7.2-fpm
# Enable SMB client
# echo '# This enables php-smbclient' >> /etc/php/7.0/apache2/php.ini
# echo 'extension="smbclient.so"' >> /etc/php/7.0/apache2/php.ini
# Calculate max_children for php-fpm (this will be run in the end of the startup script as well)
calculate_max_children
# Set up a php-fpm pool with a unixsocket
cat << POOL_CONF > "$PHP_POOL_DIR/nextcloud.conf"
[NextCloud]
user = www-data
group = www-data
listen = /run/php/php7.2-fpm.nextcloud.sock
listen.owner = www-data
listen.group = www-data
pm = dynamic
;; max_children is set dynamically with calculate_max_children()
pm.max_children = $PHP_FPM_MAX_CHILDREN
pm.start_servers = 3
pm.min_spare_servers = 2
pm.max_spare_servers = 3
pm.max_requests = 500
env[HOSTNAME] = $(hostname -f)
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
security.limit_extensions = .php
php_admin_value [cgi.fix_pathinfo] = 1
POOL_CONF
# Disable the idling example pool.
mv $PHP_POOL_DIR/www.conf $PHP_POOL_DIR/www.conf.backup
# Restart Webserver
restart_webserver
# Enable SMB client # already loaded with php-smbclient
# echo '# This enables php-smbclient' >> /etc/php/7.2/apache2/php.ini
# echo 'extension="smbclient.so"' >> /etc/php/7.2/apache2/php.ini
# Install VM-tools
install_if_not open-vm-tools
@ -228,17 +289,17 @@ crontab -u www-data -l | { cat; echo "*/15 * * * * php -f $NCPATH/cron.php >
# Change values in php.ini (increase max file size)
# max_execution_time
sed -i "s|max_execution_time =.*|max_execution_time = 3500|g" /etc/php/7.2/apache2/php.ini
sed -i "s|max_execution_time =.*|max_execution_time = 3500|g" $PHP_INI
# max_input_time
sed -i "s|max_input_time =.*|max_input_time = 3600|g" /etc/php/7.2/apache2/php.ini
sed -i "s|max_input_time =.*|max_input_time = 3600|g" $PHP_INI
# memory_limit
sed -i "s|memory_limit =.*|memory_limit = 512M|g" /etc/php/7.2/apache2/php.ini
sed -i "s|memory_limit =.*|memory_limit = 512M|g" $PHP_INI
# post_max
sed -i "s|post_max_size =.*|post_max_size = 1100M|g" /etc/php/7.2/apache2/php.ini
sed -i "s|post_max_size =.*|post_max_size = 1100M|g" $PHP_INI
# upload_max
sed -i "s|upload_max_filesize =.*|upload_max_filesize = 1000M|g" /etc/php/7.2/apache2/php.ini
sed -i "s|upload_max_filesize =.*|upload_max_filesize = 1000M|g" $PHP_INI
# Set max upload in Nextcloud .htaccess
# Set max upload in Nextcloud .user.ini
configure_max_upload
# Set SMTP mail
@ -248,7 +309,7 @@ occ_command config:system:set mail_smtpmode --value="smtp"
occ_command config:system:set log_rotate_size --value="10485760"
# Enable OPCache for PHP
# https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
# https://docs.nextcloud.com/server/14/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
phpenmod opcache
{
echo "# OPcache settings for Nextcloud"
@ -260,19 +321,7 @@ echo "opcache.memory_consumption=256"
echo "opcache.save_comments=1"
echo "opcache.revalidate_freq=1"
echo "opcache.validate_timestamps=1"
} >> /etc/php/7.2/apache2/php.ini
# Install preview generator
install_and_enable_app previewgenerator
# Run the first preview generation and add crontab
if [ -d "$NC_APPS_PATH/previewgenerator" ]
then
crontab -u www-data -l | { cat; echo "@daily php -f $NCPATH/occ preview:pre-generate >> /var/log/previewgenerator.log"; } | crontab -u www-data -
occ_command preview:generate-all
touch /var/log/previewgenerator.log
chown www-data:www-data /var/log/previewgenerator.log
fi
} >> $PHP_INI
# Install issuetemplate
install_and_enable_app issuetemplate
@ -280,6 +329,9 @@ install_and_enable_app issuetemplate
# Install CanIUpdate?
install_and_enable_app caniupdate
# Install PDF Viewer
install_and_enable_app files_pdfviewer
# Install Figlet
install_if_not figlet
@ -299,6 +351,10 @@ then
# ServerAlias subdomain.example.com
### SETTINGS ###
<FilesMatch "\.php$">
SetHandler "proxy:unix:/run/php/php7.2-fpm.nextcloud.sock|fcgi://localhost"
</FilesMatch>
DocumentRoot $NCPATH
<Directory $NCPATH>
@ -316,6 +372,20 @@ then
# just in case if .htaccess gets disabled
Require all denied
</Directory>
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ".ht*">
Require all denied
</Files>
# Disable HTTP TRACE method.
TraceEnable off
# Disable HTTP TRACK method.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [R=405,L]
SetEnv HOME $NCPATH
SetEnv HTTP_HOME $NCPATH
@ -340,6 +410,10 @@ then
# ServerAlias subdomain.example.com
### SETTINGS ###
<FilesMatch "\.php$">
SetHandler "proxy:unix:/run/php/php7.2-fpm.nextcloud.sock|fcgi://localhost"
</FilesMatch>
DocumentRoot $NCPATH
<Directory $NCPATH>
@ -357,6 +431,20 @@ then
# just in case if .htaccess gets disabled
Require all denied
</Directory>
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ".ht*">
Require all denied
</Files>
# Disable HTTP TRACE method.
TraceEnable off
# Disable HTTP TRACK method.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [R=405,L]
SetEnv HOME $NCPATH
SetEnv HTTP_HOME $NCPATH
@ -374,36 +462,12 @@ a2ensite nextcloud_ssl_domain_self_signed.conf
a2ensite nextcloud_http_domain_self_signed.conf
a2dissite default-ssl
# Enable HTTP/2 server wide, if user decides to
msg_box "Your official package repository does not provide an Apache2 package with HTTP/2 module included.
If you like to enable HTTP/2 nevertheless, we can upgrade your Apache2 from Ondrejs PPA:
https://launchpad.net/~ondrej/+archive/ubuntu/apache2
# Enable new config
a2ensite nextcloud_ssl_domain_self_signed.conf
a2ensite nextcloud_http_domain_self_signed.conf
a2dissite default-ssl
Enabling HTTP/2 can bring a performance advantage, but may also have some compatibility issues.
E.g. the Nextcloud Spreed video calls app does not yet work with HTTP/2 enabled."
if [[ "yes" == $(ask_yes_or_no "Do you want to enable HTTP/2 system wide?") ]]
then
# Adding PPA
add-apt-repository ppa:ondrej/apache2 -y
apt update -q4 & spinner_loading
apt upgrade apache2 -y
# Enable HTTP/2 module & protocol
cat << HTTP2_ENABLE > "$HTTP2_CONF"
<IfModule http2_module>
Protocols h2 h2c http/1.1
H2Direct on
</IfModule>
HTTP2_ENABLE
echo "$HTTP2_CONF was successfully created"
a2enmod http2
fi
# Restart Apache2 to enable new config
service apache2 restart
whiptail --title "Which apps/programs do you want to install?" --checklist --separate-output "" 10 40 3 \
whiptail --title "Install apps or software" --checklist --separate-output "Automatically configure and install selected apps or software\nDeselect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4 \
"Calendar" " " on \
"Contacts" " " on \
"Webmin" " " on 2>results
@ -453,8 +517,6 @@ apt dist-upgrade -y
apt purge lxd -y
# Cleanup
CLEARBOOT=$(dpkg -l linux-* | awk '/^ii/{ print $2}' | grep -v -e ''"$(uname -r | cut -f1,2 -d"-")"'' | grep -e '[0-9]' | xargs sudo apt -y purge)
echo "$CLEARBOOT"
apt autoremove -y
apt autoclean
find /root "/home/$UNIXUSER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name '*.zip*' \) -delete
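Review bot: `restart_webserver` on L571 runs before `php7.2-fpm` is installed on L577, and restart_webserver (lib.sh, L380-383) does `check_command systemctl restart php7.2-fpm.service`; on a fresh system that unit does not exist yet, so the restart fails and, if check_command aborts on failure as its other uses suggest, the install stops right after enabling HTTP/2. Move that call below the pool configuration (the `restart_webserver` at L632 already covers it) or use `systemctl restart apache2` alone at L571. Separately, L575 still installs `libapache2-mod-php7.2`, whose Debian packaging enables mod_php and mpm_prefork, undoing the `a2dismod mpm_prefork` at L560 and — per the http2_warn text in lib.sh — leaving HTTP/2 inactive; with FPM serving PHP that package can be dropped from the list. Finally, `php_admin_value [cgi.fix_pathinfo] = 1` at L627 has a space before the bracket, which is not the documented `php_admin_value[cgi.fix_pathinfo] = 1` form; confirm FPM accepts it, otherwise the setting is silently ignored and the `security.limit_extensions = .php` on L626 is the only thing standing in for it.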


@ -333,6 +333,16 @@ occ_command config:system:set htaccess.RewriteBase --value="/"
occ_command maintenance:update:htaccess
bash "$SECURE"
# Update .user.ini in case stuff was added to .htaccess
if [ "$NCPATH/.htaccess" -nt "$NCPATH/.user.ini" ]
then
cp -fv "$NCPATH/.htaccess" "$NCPATH/.user.ini"
sed -i 's/ php_value upload_max_filesize.*/# php_value upload_max_filesize 511M/g' "$NCPATH"/.user.ini
sed -i 's/ php_value post_max_size.*/# php_value post_max_size 511M/g' "$NCPATH"/.user.ini
sed -i 's/ php_value memory_limit.*/# php_value memory_limit 512M/g' "$NCPATH"/.user.ini
restart_webserver
fi
# Repair
occ_command maintenance:repair


@ -106,15 +106,16 @@
<h2>Access Nextcloud</h2>
<div class="information">
<p>Use one of the following addresses, HTTPS is preffered:
<p>Use the following address:
<h3>
<ul>
<li><a href="http://<?=$_SERVER['SERVER_NAME'];?>/nextcloud">http://<?=$_SERVER['SERVER_NAME'];?></a> (HTTP)
<li><a href="https://<?=$_SERVER['SERVER_NAME'];?>/nextcloud">https://<?=$_SERVER['SERVER_NAME'];?></a> (HTTPS)
</ul>
</h3>
<p>Note: Please accept the warning in the browser if you connect via HTTPS. It is recommended<br>
to <a href="https://www.techandme.se/publish-your-server-online" target="_blank">buy your own certificate and replace the self-signed certificate to your own.</a></p>
<p>Note: Please accept the warning in the browser if you have a self-signed certificate.<br>
It's recomended to <a href="https://www.techandme.se/publish-your-server-online" target="_blank">buy your own certificate $
<p>The easiest way to get a real SSL certificate though is to run the script included in this VM:<br>
sudo bash /var/scripts/activate-ssl.sh
<p>Note: Before you can login you have to run the setup script, as descirbed in the video above.</p>
</div>
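Review bot: The new text on L819-820 misspells "recommended" as `recomended`, and L820 appears to end at `buy your own certificate $` without the link text or the closing `</a></p>`; if that `$` is not just a display truncation of the rendered page, the anchor is left open and the paragraph that follows is rendered inside it. Please check the committed file and restore `… replace the self-signed certificate with your own.</a></p>` (the old L818 wording).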

static/modsecurity.sh Normal file

@ -0,0 +1,84 @@
#!/bin/bash
# shellcheck disable=2034,2059
true
# shellcheck source=lib.sh
. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
# Check for errors + debug code and abort if something isn't right
# 1 = ON
# 0 = OFF
DEBUG=0
debug_mode
# Check if root
root_check
# Add modsecurity
apt update -q4 & spinner_loading
install_if_not libapache2-mod-security2
install_if_not modsecurity-crs
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
msg_box "WARNING: Do not enable active defence if you don't know what you're doing!
For example it will break OnlyOffice, and may break other stuff as well in Nextcloud.
You can monitor the aduit log by typing this command in your shell:
tail -f /var/log/apache2/modsec_audit.log
You can disable it by typing this command in your shell:
sed -i 's/SecRuleEngine .*/SecRuleEngine DetectionOnly/g' /etc/modsecurity/modsecurity.conf
You have been warnned."
if [[ "yes" == $(ask_yes_or_no "Do you want to enable active defence?") ]]
then
sed -i 's/SecRuleEngine .*/SecRuleEngine on/g' /etc/modsecurity/modsecurity.conf
fi
cat << MODSECWHITE > "/etc/modsecurity/whitelist.conf"
<Directory $NCPATH>
# VIDEOS
SecRuleRemoveById 958291 # Range Header Checks
SecRuleRemoveById 981203 # Correlated Attack Attempt
# PDF
SecRuleRemoveById 950109 # Check URL encodings
# ADMIN (webdav)
SecRuleRemoveById 960024 # Repeatative Non-Word Chars (heuristic)
SecRuleRemoveById 981173 # SQL Injection Character Anomaly Usage
SecRuleRemoveById 981204 # Correlated Attack Attempt
SecRuleRemoveById 981243 # PHPIDS - Converted SQLI Filters
SecRuleRemoveById 981245 # PHPIDS - Converted SQLI Filters
SecRuleRemoveById 981246 # PHPIDS - Converted SQLI Filters
SecRuleRemoveById 981318 # String Termination/Statement Ending Injection Testing
SecRuleRemoveById 973332 # XSS Filters from IE
SecRuleRemoveById 973338 # XSS Filters - Category 3
SecRuleRemoveById 981143 # CSRF Protections ( TODO edit LocationMatch filter )
# COMING BACK FROM OLD SESSION
SecRuleRemoveById 970903 # Microsoft Office document properties leakage
# NOTES APP
SecRuleRemoveById 981401 # Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff'
SecRuleRemoveById 200002 # Failed to parse request body
# UPLOADS ( 5 MB max excluding file size )
SecRequestBodyNoFilesLimit 5242880
# GENERAL
SecRuleRemoveById 960017 # Host header is a numeric IP address
# SAMEORIGN
SecRuleRemoveById 911100 # fpm socket
# REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
#SecRuleRemoveById 981220 900046 981407
#SecRuleRemoveById 981222 981405 981185 981184
</Directory>
MODSECWHITE
if [ -f /etc/modsecurity/whitelist.conf ]
then
echo "ModSecurity activated!"
restart_webserver
fi
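Review bot: The `if [ -f /etc/modsecurity/whitelist.conf ]` test at L893 is always true because the heredoc on L859 has just created that file, so it verifies nothing before `restart_webserver`; a config check such as `check_command apachectl configtest` before the restart would catch a broken rule set instead of leaving Apache down. The `mv` of `modsecurity.conf-recommended` at L847 is unguarded and fails on a second run because the source no longer exists; guard it with `[ -f /etc/modsecurity/modsecurity.conf ] || mv …`. Several of the IDs removed in the whitelist (958291, 981203, 950109, 960024, …) belong to the CRS 2.x numbering while 911100 is a CRS 3 id; please verify against the rule set the `modsecurity-crs` package installs on this Ubuntu release, so the removals match real rules rather than being silent no-ops. The `aduit`, `warnned` and `defence` spellings in the msg_box at L848-854 are user-facing.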


@ -32,9 +32,9 @@ install_if_not redis-server
# touch /etc/php/7.0/mods-available/redis.ini
# echo 'extension=redis.so' > /etc/php/7.0/mods-available/redis.ini
# phpenmod redis
# Setting direct to apache2 works if 'libapache2-mod-php7.0' is installed
echo 'extension=redis.so' >> /etc/php/7.2/apache2/php.ini
service apache2 restart
# Setting direct to apache2 works
echo 'extension=redis.so' >> $PHP_INI
restart_webserver
# Prepare for adding redis configuration
sed -i "s|);||g" $NCPATH/config/config.php
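Review bot: `echo 'extension=redis.so' >> $PHP_INI` at L909 appends the line on every run and only to the FPM php.ini (`PHP_INI` on L324 is the fpm one); the CLI SAPI that `occ` runs under has its own php.ini, so presumably it does not get the extension, and once config.php points memcache or locking at redis the CLI commands would fail to load it — worth confirming. The commented-out block at L902-904 is the right shape: put the line in `/etc/php/7.2/mods-available/redis.ini` and run `phpenmod redis`, which enables it for every SAPI and is idempotent. At minimum guard the append with `grep -q '^extension=redis.so' "$PHP_INI" ||` and quote `"$PHP_INI"`.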


@ -13,6 +13,9 @@ true
DEBUG=0
debug_mode
# Check if root
root_check
# Based on: http://www.techrepublic.com/blog/smb-technologist/secure-your-apache-server-from-ddos-slowloris-and-dns-injection-attacks/
# Protect against DDOS
@ -71,7 +74,7 @@ fi
# Enable $SPAMHAUS
sed -i "s|#MS_WhiteList /etc/spamhaus.wl|MS_WhiteList $SPAMHAUS|g" /etc/apache2/mods-enabled/spamhaus.conf
check_command service apache2 restart
restart_webserver
echo "Security added!"
sleep 3