diff --git a/README.md b/README.md index 64e8463e..2822036d 100644 --- a/README.md +++ b/README.md @@ -29,11 +29,11 @@ DigitalOcean example: https://youtu.be/LlqY5Y6P9Oc #### Minimum requirements: -* A clean Ubuntu Server 18.04.X +* A clean [Ubuntu Server 18.04.X](http://cdimage.ubuntu.com/releases/18.04/release/) using the alternative installer * OpenSSH (preferred) * 20 GB HDD for OS * XX GB HDD for DATA (/mnt/ncdata) -* At least 1 vCPU and 2 GB RAM (4 GB minimum if you are running OnlyOffice) +* Absolute minimum is 1 vCPU and 2 GB RAM (4 GB minimum if you are running OnlyOffice) * A working internet connection (the script needs it to download files and variables) #### Recommended @@ -63,6 +63,8 @@ https://github.com/techandme/NextBerry or here https://www.techandme.se/nextberr We call it NextBerry and it's confirmed to be working on Raspberry Pi 2 & 3. +NOTE (2018-08-01): This is not maintained anymore, but keeping the info in case someone wants to pick it up again. + ## I want to test RC! No problem! We made it simple. Run `update.sh` but abort it before it starts so that you have the latest `nextcloud_update.sh`. Then put this in your `nextcloud_update.sh` below the curl command (lib.sh) but before everything else and run it: diff --git a/apps/adminer.sh b/apps/adminer.sh index 7708c916..a921a854 100644 --- a/apps/adminer.sh +++ b/apps/adminer.sh @@ -16,6 +16,9 @@ debug_mode # Check if root root_check +# Warn user about HTTP/2 +http2_warn Adminer + # Check that the script can see the external IP (apache fails otherwise) if [ -z "$WANIP4" ] then @@ -38,9 +41,9 @@ sudo wget -q "http://www.adminer.org/latest.php" -O "$ADMINERDIR"/latest.php sudo ln -s "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php cat << ADMINER_CREATE > "$ADMINER_CONF" -Alias /adminer.php "$ADMINERDIR"/adminer.php +Alias /adminer.php $ADMINERDIR/adminer.php - + DirectoryIndex adminer.php 
@@ -56,7 +59,7 @@ ADMINER_CREATE # Enable config check_command a2enconf adminer.conf -if ! webserver_restart +if ! restart_webserver then msg_box "Apache2 could not restart... The script will exit." @@ -68,7 +71,7 @@ http://$ADDRESS/adminer.php You can download more plugins and get more information here: https://www.adminer.org -Your PostgreSQL connection information can be found in $NCPATH/config/confgig.php +Your PostgreSQL connection information can be found in $NCPATH/config/config.php In case you try to access Adminer and get 'Forbidden' you need to change the IP in: $ADMINER_CONF" diff --git a/apps/collabora.sh b/apps/collabora.sh index c214977c..f524c8a6 100644 --- a/apps/collabora.sh +++ b/apps/collabora.sh @@ -76,8 +76,7 @@ check_open_port 80 "$SUBDOMAIN" check_open_port 443 "$SUBDOMAIN" # Install Docker -install_if_not curl -curl -fsSL get.docker.com | sh +install_docker # Set devicemapper check_command cp -v /lib/systemd/system/docker.service /etc/systemd/system/ @@ -196,13 +195,13 @@ then printf "Certs are generated!\n" printf "${Color_Off}\n" a2ensite "$SUBDOMAIN.conf" - service apache2 restart + restart_webserver # Install Collabora App occ_command app:install richdocuments else printf "${ICyan}\nIt seems like no certs were generated, please report this issue here: $ISSUES\n" any_key "Press any key to continue... " - service apache2 restart + restart_webserver fi # Enable RichDocuments (Collabora App) diff --git a/apps/fulltextsearch.sh b/apps/fulltextsearch.sh index dd44430d..7499d73a 100644 --- a/apps/fulltextsearch.sh +++ b/apps/fulltextsearch.sh @@ -30,9 +30,9 @@ then fi # Check if it's a clean install -if [ -d /usr/share/elasticsearch ] +if [ -d "$RORDIR" ] then -msg_box "It seems like /usr/share/elasticsearch already exists. Have you already run this script? +msg_box "It seems like $RORDIR already exists. Have you already run this script? If yes, revert all the settings and try again, it must be a clean install." exit 1 fi 
@@ -57,12 +57,11 @@ then deluser --group solr fi -#Check & install docker +# Check & install docker install_docker - set_max_count -mkdir $RORDIR -docker pull $nc_fts +mkdir -p "$RORDIR" +docker pull "$nc_fts" # Create configuration YML cat << YML_CREATE > /opt/es/readonlyrest.yml diff --git a/apps/netdata.sh b/apps/netdata.sh index faaf5327..98ea557a 100644 --- a/apps/netdata.sh +++ b/apps/netdata.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Tech and Me © - 2017, https://www.techandme.se/ +# Tech and Me © - 2018, https://www.techandme.se/ echo "Installing Netdata..." diff --git a/apps/onlyoffice.sh b/apps/onlyoffice.sh index 0fe2be78..348439ba 100644 --- a/apps/onlyoffice.sh +++ b/apps/onlyoffice.sh @@ -75,8 +75,7 @@ check_open_port 80 "$SUBDOMAIN" check_open_port 443 "$SUBDOMAIN" # Install Docker -install_if_not curl -curl -fsSL get.docker.com | sh +install_docker # Set devicemapper check_command cp -v /lib/systemd/system/docker.service /etc/systemd/system/ @@ -185,14 +184,14 @@ then printf "Certs are generated!\n" printf "${Color_Off}\n" a2ensite "$SUBDOMAIN.conf" - service apache2 restart + restart_webserver # Install Onlyoffice App cd "$NC_APPS_PATH" check_command git clone https://github.com/ONLYOFFICE/onlyoffice-owncloud.git onlyoffice else printf "${ICyan}\nIt seems like no certs were generated, please report this issue here: $ISSUES\n" any_key "Press any key to continue... " - service apache2 restart + restart_webserver fi # Enable Onlyoffice diff --git a/apps/previewgenerator.sh b/apps/previewgenerator.sh index 08ba45cb..61e4ab34 100644 --- a/apps/previewgenerator.sh +++ b/apps/previewgenerator.sh 
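Review bot: `mkdir -p "$RORDIR"` and `docker pull "$nc_fts"` are now correctly quoted, but both still run unguarded when the variable is empty: `[ -d "" ]` in the clean-install check above is simply false, so an unset `RORDIR` (this script sources lib.sh over the network, so that is a realistic failure) sails past the check and only dies here with an unhelpful `mkdir` error. Assert the values before the clean-install check, `: "${RORDIR:?RORDIR is not set}"` and `: "${nc_fts:?nc_fts is not set}"`. The `-p` is also redundant given that the script exits when the directory already exists, so plain `mkdir "$RORDIR"` matches the intent of that check.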
@@ -1,12 +1,8 @@ #!/bin/bash - -# Tech and Me © - 2018, https://www.techandme.se/ - # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -PREVIEW_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) -unset PREVIEW_INSTALL +. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON 
@@ -14,23 +10,54 @@ unset PREVIEW_INSTALL DEBUG=0 debug_mode -# Download and install Preview Generator -if [ ! -d "$NCPATH"/apps/previewgenerator ] -then - echo "Installing Preview Generator..." - wget -q "$PREVER_REPO/v$PREVER/$PREVER_FILE" -P "$NCPATH/apps" - tar -zxf "$NCPATH/apps/$PREVER_FILE" -C "$NCPATH/apps" - cd "$NCPATH/apps" - rm "$PREVER_FILE" -fi +# Check if root +root_check -# Enable Preview Generator -if [ -d "$NCPATH"/apps/previewgenerator ] +# Install preview generator +install_and_enable_app previewgenerator + +# Run the first preview generation and add crontab +if [ -d "$NC_APPS_PATH/previewgenerator" ] then - sudo -u www-data php "$NCPATH"/occ app:enable previewgenerator - chown -R www-data:www-data $NCPATH/apps + # Enable previews (remove the # to enable the specific preview) + occ_command config:system:set enable_previews --value=true --type=boolean + occ_command config:system:set preview_libreoffice_path --value='/usr/bin/libreoffice' +# occ_command config:system:set enabledPreviewProviders 0 --value='OC\\Preview\\PNG' +# occ_command config:system:set enabledPreviewProviders 1 --value='OC\\Preview\\JPEG' +# occ_command config:system:set enabledPreviewProviders 2 --value='OC\\Preview\\GIF' +# occ_command config:system:set enabledPreviewProviders 3 --value='OC\\Preview\\BMP' +# occ_command config:system:set enabledPreviewProviders 4 --value='OC\\Preview\\XBitmap' +# occ_command config:system:set enabledPreviewProviders 5 --value='OC\\Preview\\MarkDown' +# occ_command config:system:set enabledPreviewProviders 6 --value='OC\\Preview\\MP3' +# occ_command config:system:set enabledPreviewProviders 7 --value='OC\\Preview\\TXT' +# occ_command config:system:set enabledPreviewProviders 8 --value='OC\\Preview\\Illustrator' +# occ_command config:system:set enabledPreviewProviders 9 --value='OC\\Preview\\Movie' +# occ_command config:system:set enabledPreviewProviders 10 --value='OC\\Preview\\MSOffice2003' +# occ_command config:system:set 
enabledPreviewProviders 11 --value='OC\\Preview\\MSOffice2007' +# occ_command config:system:set enabledPreviewProviders 12 --value='OC\\Preview\\MSOfficeDoc' +# occ_command config:system:set enabledPreviewProviders 13 --value='OC\\Preview\\OpenDocument' +# occ_command config:system:set enabledPreviewProviders 14 --value='OC\\Preview\\PDF' +# occ_command config:system:set enabledPreviewProviders 15 --value='OC\\Preview\\Photoshop' +# occ_command config:system:set enabledPreviewProviders 16 --value='OC\\Preview\\Postscript' +# occ_command config:system:set enabledPreviewProviders 17 --value='OC\\Preview\\StarOffice' +# occ_command config:system:set enabledPreviewProviders 18 --value='OC\\Preview\\SVG' +# occ_command config:system:set enabledPreviewProviders 19 --value='OC\\Preview\\TIFF' +# occ_command config:system:set enabledPreviewProviders 20 --value='OC\\Preview\\Font' + + # Set aspect ratio + occ_command config:app:set --value="32 64 1024" previewgenerator squareSizes + occ_command config:app:set --value="64 128 1024" previewgenerator widthSizes + occ_command config:app:set --value="64 256 1024" previewgenerator heightSizes + + # Add crotab crontab -u www-data -l | { cat; echo "@daily php -f $NCPATH/occ preview:pre-generate >> /var/log/previewgenerator.log"; } | crontab -u www-data - - sudo -u www-data php "$NCPATH"/occ preview:generate-all touch /var/log/previewgenerator.log chown www-data:www-data /var/log/previewgenerator.log + + # Install needed dependencies + install_if_not ffmpeg + install_if_not libreoffice + + # Pre generate everything + occ_command preview:generate-all fi diff --git a/apps/spreedme.sh b/apps/spreedme.sh index e69a804d..c103ad2c 100644 --- a/apps/spreedme.sh +++ b/apps/spreedme.sh @@ -108,7 +108,7 @@ then fi # Restart services -service apache2 restart +restart_webserver if ! systemctl restart snap.spreedme.spreed-webrtc.service then msg_box "Something is wrong, the installation did not finish correctly. 
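Review bot: The crontab append inside `if [ -d "$NC_APPS_PATH/previewgenerator" ]` adds another `@daily … preview:pre-generate` entry on every run, because the `crontab -u www-data -l | { cat; echo …; } | crontab -u www-data -` pipeline never checks for an existing line and nothing else in the block stops a re-run (`install_and_enable_app` presumably tolerates an already-installed app). Guard it: `if ! crontab -u www-data -l 2>/dev/null | grep -q 'preview:pre-generate'; then … fi`. The `# Install needed dependencies` step (`ffmpeg`, `libreoffice`) runs after `preview_libreoffice_path` has been set and just before `preview:generate-all`; that works, but placing it before the `config:system:set` lines would read as intended rather than accidental. The comment `# Add crotab` should read `# Add crontab`.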
diff --git a/apps/talk.sh b/apps/talk.sh index d5cffa3a..94757b0b 100644 --- a/apps/talk.sh +++ b/apps/talk.sh @@ -5,7 +5,8 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -TURN_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +NC_UPDATE=1 && TURN_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +unset NC_UPDATE unset TURN_INSTALL # Check for errors + debug code and abort if something isn't right diff --git a/lets-encrypt/activate-ssl.sh b/lets-encrypt/activate-ssl.sh index 3e0e5748..82140a1f 100644 --- a/lets-encrypt/activate-ssl.sh +++ b/lets-encrypt/activate-ssl.sh @@ -147,6 +147,9 @@ then ServerName $domain ### SETTINGS ### + + SetHandler "proxy:unix:/run/php/php7.2-fpm.nextcloud.sock|fcgi://localhost" + DocumentRoot $NCPATH @@ -163,7 +166,19 @@ then SetEnv HOME $NCPATH SetEnv HTTP_HOME $NCPATH - + + # The following lines prevent .htaccess and .htpasswd files from being + # viewed by Web clients. + + Require all denied + + + # Disable HTTP TRACE method. + TraceEnable off + # Disable HTTP TRACK method. + RewriteEngine On + RewriteCond %{REQUEST_METHOD} ^TRACK + RewriteRule .* - [R=405,L] ### LOCATION OF CERT FILES ### diff --git a/lets-encrypt/test-new-config.sh b/lets-encrypt/test-new-config.sh index c84516fc..10d59384 100644 --- a/lets-encrypt/test-new-config.sh +++ b/lets-encrypt/test-new-config.sh @@ -19,7 +19,7 @@ a2ensite "$1" a2dissite nextcloud_ssl_domain_self_signed.conf a2dissite nextcloud_http_domain_self_signed.conf a2dissite 000-default.conf -if service apache2 restart +if restart_webserver then msg_box "New settings works! SSL is now activated and OK! 
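Review bot: `NC_UPDATE=1 && TURN_INSTALL=1 . <(curl …)` mixes two mechanisms on one line: the first assignment is an ordinary shell assignment that persists (hence the new `unset NC_UPDATE`), while `TURN_INSTALL=1` is a temporary environment prefix on the `.` builtin, which in bash's default (non-POSIX) mode is gone once lib.sh returns, so the `unset TURN_INSTALL` that follows is already a no-op. Writing `NC_UPDATE=1 TURN_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` scopes both variables to the sourcing in the same way and lets both `unset` lines go.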
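Review bot: The `SetHandler "proxy:unix:/run/php/php7.2-fpm.nextcloud.sock|fcgi://localhost"` line hard-codes the pool socket path that this commit also writes literally in nextcloud-startup-script.sh, twice in nextcloud_install_production.sh, and in the pool's `listen =` line, so a PHP version bump or a pool rename now has five places to miss. lib.sh gains `PHP_INI` and `PHP_POOL_DIR` for the 7.2 paths in this same diff; the socket belongs next to them, e.g. `PHP_FPM_SOCK=/run/php/php7.2-fpm.nextcloud.sock` (constructed name), with each vhost using `SetHandler "proxy:unix:$PHP_FPM_SOCK|fcgi://localhost"`. The vhost heredoc this sits in starts and ends outside the hunk, and the FilesMatch tags around SetHandler show as blank lines in this rendering, so confirm they are present in the file.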
@@ -42,6 +42,8 @@ then sudo hostnamectl set-hostname "$FQDOMAIN" # Change /etc/hosts as well sed -i "s|127.0.1.1.*|127.0.1.1 $FQDOMAIN $(hostname -s)|g" /etc/hosts + # And in the php-fpm pool conf + sed -i "s|env\[HOSTNAME\] = .*|env[HOSTNAME] = $(hostname -f)|g" "$PHP_POOL_DIR"/nextcloud.conf fi # Set trusted domains @@ -80,7 +82,7 @@ else a2ensite nextcloud_ssl_domain_self_signed.conf a2ensite nextcloud_http_domain_self_signed.conf a2ensite 000-default.conf - service apache2 restart + restart_webserver printf "${ICyan}Couldn't load new config, reverted to old settings. Self-signed SSL is OK!${Color_Off}\n" any_key "Press any key to continue... " exit 1 diff --git a/lib.sh b/lib.sh index 33edbd1a..dccbbeed 100644 --- a/lib.sh +++ b/lib.sh @@ -32,7 +32,7 @@ GATEWAY=$(route -n|grep "UG"|grep -v "UGH"|cut -f 10 -d " ") DNS1="9.9.9.9" DNS2="149.112.112.112" # Repo -GITHUB_REPO="https://raw.githubusercontent.com/nextcloud/vm/master" +GITHUB_REPO="https://raw.githubusercontent.com/nextcloud/vm/php-fpm" STATIC="$GITHUB_REPO/static" LETS_ENC="$GITHUB_REPO/lets-encrypt" APP="$GITHUB_REPO/apps" @@ -95,6 +95,9 @@ NC_APPS_PATH=$NCPATH/apps SOLR_HOME=/home/$SUDO_USER/solr_install/ SOLR_JETTY=/opt/solr/server/etc/jetty-http.xml SOLR_DSCONF=/opt/solr-$SOLR_VERSION/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml +# PHP-FPM +PHP_INI=/etc/php/7.2/fpm/php.ini +PHP_POOL_DIR=/etc/php/7.2/fpm/pool.d # Adminer ADMINERDIR=/usr/share/adminer ADMINER_CONF=/etc/apache2/conf-available/adminer.conf 
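Review bot: The new `sed -i "s|env\[HOSTNAME\] = .*|env[HOSTNAME] = $(hostname -f)|g" "$PHP_POOL_DIR"/nextcloud.conf` edits the pool file after the `restart_webserver` in the hunk at line 19 has already run, and the success path shows no later restart in this diff, so the running php-fpm keeps the old `env[HOSTNAME]` until something else restarts it; add `restart_webserver` after the sed, or move the hostname block ahead of the restart, unless the rest of the file already covers it. `$(hostname -f)` is interpolated into a sed replacement, which is safe here only because hostnames cannot contain `|` or `&`; a one-line comment saying so would stop the next reader from worrying. The enclosing `if` starts outside the hunk.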
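Review bot: `GITHUB_REPO` now points at the `php-fpm` branch while every script in this diff still sources lib.sh with `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` (apps/previewgenerator.sh, apps/talk.sh, static/modsecurity.sh), so a script fetched via `$APP`/`$STATIC` runs against a master lib.sh that has no `restart_webserver`, `calculate_max_children`, `PHP_INI` or `PHP_POOL_DIR` — and `sed -i … "$PHP_POOL_DIR"/nextcloud.conf` in test-new-config.sh would then target `/nextcloud.conf`. If this is a development-branch pointer, mark it so it is not merged by accident, `# Branch under development; reset to master before merging`; otherwise the sourcing lines need to follow the same branch. `PHP_INI` and `PHP_POOL_DIR` pin 7.2 here while `restart_webserver` pins `php7.2-fpm.service` separately; deriving all three from one version variable (e.g. `PHP_VER`, constructed name) would keep them in step.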
@@ -204,6 +207,59 @@ do
 done
 }
 
+# Warn user that HTTP/2 will be disabled if installing app that use Apache2 PHP instead of PHP-FPM
+# E.g: http2_warn Modsecurity
+http2_warn() {
+msg_box "This VM has HTTP/2 enabled by default.
+
+If you continue with installing $1, HTTP/2 will be disabled since it's not compatible with the mpm module used by $1.
+
+This is what Apache will say in the error.log if you enable $1 anyway:
+
+The mpm module (prefork.c) is not supported by mod_http2.
+The mpm determines how things are processed in your server.
+HTTP/2 has more demands in this regard and the currently selected mpm will just not do.
+This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive."
+
+if [[ "no" == $(ask_yes_or_no "Do you really want to enable $1 anyway?") ]]
+then
+ exit 1
+fi
+}
+
+calculate_max_children() {
+# Calculate max_children depending on RAM
+# Tends to be between 30-50MB
+average_php_memory_requirement=50
+available_memory=$(awk '/MemAvailable/ {printf "%d", $2/1024}' /proc/meminfo)
+export PHP_FPM_MAX_CHILDREN=$((available_memory/average_php_memory_requirement))
+
+echo "Automatically configures PHP-FPM 'max_children'..."
+if [ $PHP_FPM_MAX_CHILDREN -lt 8 ]
+then
+msg_box "The current max_children value available to set is $PHP_FPM_MAX_CHILDREN, and with that value PHP-FPM won't function properly.
+The minimum value is 8, and the value is calculated depening on how much RAM you have left to use in the system.
+
+The absolute minimum amount of RAM required to run the VM is 2 GB, but we recomend 4 GB.
+
+You now have two choices:
+1. Import this VM again, raise the amount of RAM with at least 1 GB, and then run this script again,
+ installing it in the same way as you did before.
+2. Import this VM again without raising the RAM, but don't install any of the following apps:
+ 1) Collabora
+ 2) OnlyOffice
+ 3) Full Text Search
+
+This script will now exit.
+The installation was not successful, sorry for the inconvenience.
+
+If you think this is a bug, please report it to $ISSUES"
+exit 1
+else
+ echo "PHP-FPM max_children is $PHP_FPM_MAX_CHILDREN"
+fi
+}
+
 test_connection() {
 # Install dnsutils if not existing
 if [ "$(dpkg-query -W -f='${Status}' "dnsutils" 2>/dev/null | grep -c "ok installed")" == "1" ]
@@ -250,6 +306,11 @@ If you think that this is a bug, please report it to https://github.com/nextclou
 fi
 }
 
+restart_webserver() {
+check_command systemctl restart apache2
+check_command systemctl restart php7.2-fpm.service
+}
+
 # Install certbot (Let's Encrypt)
 install_certbot() {
 certbot --version 2> /dev/null
@@ -330,10 +391,10 @@ fi
 check_distro_version() {
 # Check Ubuntu version
 echo "Checking server OS and version..."
-if uname -a | grep -ic "bionic"
+if uname -a | grep -ic "bionic" &> /dev/null
 then
 OS=1
-elif uname -v | grep -ic "Ubuntu"
+elif uname -v | grep -ic "Ubuntu" &> /dev/null
 then
 OS=1
 fi
@@ -354,11 +415,15 @@ fi
 }
 
 configure_max_upload() {
-# Increase max filesize (expects that changes are made in /etc/php/7.2/apache2/php.ini)
+# Increase max filesize (expects that changes are made in $PHP_INI)
 # Here is a guide: https://www.techandme.se/increase-max-file-size/
-sed -i 's/ php_value upload_max_filesize.*/# php_value upload_max_filesize 511M/g' "$NCPATH"/.htaccess
-sed -i 's/ php_value post_max_size.*/# php_value post_max_size 511M/g' "$NCPATH"/.htaccess
-sed -i 's/ php_value memory_limit.*/# php_value memory_limit 512M/g' "$NCPATH"/.htaccess
+echo "Setting max_upload size in PHP..."
+# Copy settings from .htaccess to user.ini. beacuse we run php-fpm. Documented here: https://docs.nextcloud.com/server/13/admin_manual/installation/source_installation.html#php-fpm-configuration-notes
+cp -fv "$NCPATH/.htaccess" "$NCPATH/.user.ini"
+# Do the acutal change
+sed -i 's/ php_value upload_max_filesize.*/# php_value upload_max_filesize 511M/g' "$NCPATH"/.user.ini
+sed -i 's/ php_value post_max_size.*/# php_value post_max_size 511M/g' "$NCPATH"/.user.ini
+sed -i 's/ php_value memory_limit.*/# php_value memory_limit 512M/g' "$NCPATH"/.user.ini
 }
 
 # Check if program is installed (is_this_installed apache2)
@@ -697,15 +762,11 @@ fi
 }
 
 install_docker() {
-if [ "$DOCKER_INS" = "docker-ce" ] || \
-[ "$DOCKER_INS" = "docker-ee" ] || \
-[ "$DOCKER_INS" = "docker.io" ] ; then
- echo "Docker seems to be installed, skipping..."
-else
- echo "Installing Docker CE..."
- curl -fsSL get.docker.com -o get-docker.sh
- bash get-docker.sh
- rm -rf get-docker.sh
+if ! docker -v &> /dev/null
+then
+ echo "Installing Docker CE..."
+ install_if_not curl
+ curl -fsSL get.docker.com | sh
 fi
 }
 
diff --git a/nextcloud-startup-script.sh b/nextcloud-startup-script.sh
index 31e43aac..df0b9686 100644
--- a/nextcloud-startup-script.sh
+++ b/nextcloud-startup-script.sh
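Review bot: `calculate_max_children` derives `PHP_FPM_MAX_CHILDREN` from `MemAvailable`, so the result depends on whatever happens to be running when the function executes (it runs during install and again at the end of the startup script), and it exits the whole calling script when fewer than 8 workers fit — neither fact is stated in the function's comment, which is where the next maintainer will look. Add above the awk line: `# Uses MemAvailable at call time, so run it again after all apps are installed; exits the caller when fewer than 8 workers fit`. `average_php_memory_requirement` and `available_memory` are left as globals that leak into the caller; mark them `local`. The user-facing text has `depening` and `recomend`.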
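Review bot: `restart_webserver` wraps both restarts in `check_command`, which — judging by how it is used as a fatal guard throughout these scripts, its body is not in this diff — exits the script on failure; that leaves the callers written as `if ! restart_webserver` (apps/adminer.sh) and `if restart_webserver … else … revert …` (lets-encrypt/test-new-config.sh) unable to reach their fallback branches. test-new-config.sh in particular relies on the failure path to re-enable the self-signed vhosts, so a bad certificate config would now leave Apache down instead of being reverted. Let the function return the status and keep `check_command` at the call sites that want to abort: `restart_webserver() { systemctl restart apache2 && systemctl restart php7.2-fpm.service; }`.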
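Review bot: `cp -fv "$NCPATH/.htaccess" "$NCPATH/.user.ini"` overwrites the `.user.ini` that Nextcloud ships (INI syntax, `upload_max_filesize=…`) with a copy of its Apache `.htaccess`; the three `sed` lines then only comment out `php_value …` directives, which are Apache syntax PHP's INI reader never applied in the first place, so after this function the per-directory limits are whatever survives the INI parser rather than the commented values. The linked docs say to carry the values over, i.e. set `upload_max_filesize`, `post_max_size` and `memory_limit` as `key=value` lines in the existing `.user.ini` — or remove them there so `$PHP_INI` wins, which the 1000M/1100M/512M settings in nextcloud_install_production.sh seem to intend. nextcloud_update.sh repeats the same copy-and-sed under `if [ "$NCPATH/.htaccess" -nt "$NCPATH/.user.ini" ]`, so fixing it here and calling `configure_max_upload` there keeps the two in step. The new comments have `beacuse` and `acutal`.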
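Review bot: `curl -fsSL get.docker.com | sh` pipes a remote script into a root shell, and because the URL carries no scheme curl's first request goes out as plain HTTP and only then follows the redirect to HTTPS, so anyone on the network path can answer that first request before TLS is involved; this is now the single install path used by apps/collabora.sh, apps/onlyoffice.sh and apps/fulltextsearch.sh. At minimum write the scheme, `curl -fsSL https://get.docker.com | sh`; the removed download-to-file form (`-o get-docker.sh`, then run) is also easier to audit, and the apt-signed `docker.io` package in the bionic repositories avoids fetching remote code at all. `docker -v &> /dev/null` is a fair installed check but it also skips the install for any Docker variant, which is what the old `$DOCKER_INS` test spelled out; keep that knowledge in a comment, `# Any working docker binary counts as installed`.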
@@ -221,6 +221,15 @@ chmod 750 $HTML/index.php && chown www-data:www-data $HTML/index.php # Change 000-default to $WEB_ROOT sed -i "s|DocumentRoot /var/www/html|DocumentRoot $HTML|g" /etc/apache2/sites-available/000-default.conf +# Make possible to see the welcome screen (without this php-fpm won't reach it) + sed -i '14i\ # http://lost.l-w.ca/0x05/apache-mod_proxy_fcgi-and-php-fpm/' /etc/apache2/sites-available/000-default.conf + sed -i '15i\ ' /etc/apache2/sites-available/000-default.conf + sed -i '16i\ ' /etc/apache2/sites-available/000-default.conf + sed -i '17i\ SetHandler "proxy:unix:/run/php/php7.2-fpm.nextcloud.sock|fcgi://localhost"' /etc/apache2/sites-available/000-default.conf + sed -i '18i\ ' /etc/apache2/sites-available/000-default.conf + sed -i '19i\ ' /etc/apache2/sites-available/000-default.conf + sed -i '20i\ ' /etc/apache2/sites-available/000-default.conf + # Make $SCRIPTS excutable chmod +x -R $SCRIPTS chown root:root -R $SCRIPTS @@ -317,10 +326,11 @@ whiptail --title "Which apps do you want to install?" --checklist --separate-out "Fail2ban" "(Extra Bruteforce protection) " OFF \ "Adminer" "(PostgreSQL GUI) " OFF \ "Netdata" "(Real-time server monitoring) " OFF \ -"Collabora" "(Online editing 2GB RAM) " OFF \ -"OnlyOffice" "(Online editing 4GB RAM) " OFF \ +"Collabora" "(Online editing [2GB RAM]) " OFF \ +"OnlyOffice" "(Online editing [4GB RAM]) " OFF \ "Passman" "(Password storage) " OFF \ -"FullTextSearch" "(Elasticsearch [still in BETA]) " OFF \ +"FullTextSearch" "(Elasticsearch for Nextcloud [2GB RAM]) " OFF \ +"PreviewGenerator" "(Pre-generate previews) " OFF \ "Talk" "(Nextcloud Video calls and chat) " OFF \ "Spreed.ME" "(3rd-party Video calls and chat) " OFF 2>results @@ -353,7 +363,11 @@ do FullTextSearch) run_app_script fulltextsearch - ;; + ;; + + PreviewGenerator) + run_app_script previewgenerator + ;; Talk) run_app_script talk 
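Review bot: The seven `sed -i '14i\ …'` through `'20i\ …'` lines splice the php-fpm handler block into `000-default.conf` by absolute line number, which only holds for the stock bionic file and silently puts the block elsewhere, or duplicates it, if the file was edited, the package layout changes, or this script runs twice; the rendering here also shows the FilesMatch open/close tags as blank lines, so confirm they survive in the file. Anchor on content instead — the `sed -i "s|DocumentRoot /var/www/html|DocumentRoot $HTML|g"` just above already identifies the line — and skip the insert when the handler is already present. The rewrite below uses `sed … r` with a temp file so the Apache block stays readable; the FilesMatch tags are assumed from the standard php-fpm setup. The new lines are also indented one level while the surrounding top-level code is not.
```shell
# Route PHP on the default vhost to the php-fpm pool (without this php-fpm won't reach the welcome screen)
# http://lost.l-w.ca/0x05/apache-mod_proxy_fcgi-and-php-fpm/
if ! grep -q 'php7.2-fpm.nextcloud.sock' /etc/apache2/sites-available/000-default.conf
then
    FPM_HANDLER=$(mktemp)
    cat << FPM_HANDLER_CONF > "$FPM_HANDLER"
    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.2-fpm.nextcloud.sock|fcgi://localhost"
    </FilesMatch>
FPM_HANDLER_CONF
    # Insert right after the DocumentRoot line rewritten above instead of at a fixed line number
    sed -i "\|DocumentRoot $HTML|r $FPM_HANDLER" /etc/apache2/sites-available/000-default.conf
    rm -f "$FPM_HANDLER"
fi
# … unchanged: chmod/chown of $SCRIPTS …
```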
@@ -393,21 +407,16 @@ clear # Fixes https://github.com/nextcloud/vm/issues/58 a2dismod status -service apache2 reload +restart_webserver -# Increase max filesize (expects that changes are made in /etc/php/7.0/apache2/php.ini) +# Increase max filesize (expects that changes are made in $PHP_INI) # Here is a guide: https://www.techandme.se/increase-max-file-size/ -VALUE="# php_value upload_max_filesize 513M" -if ! grep -Fxq "$VALUE" $NCPATH/.htaccess -then - sed -i 's/ php_value upload_max_filesize 513M/# php_value upload_max_filesize 511M/g' "$NCPATH"/.htaccess - sed -i 's/ php_value post_max_size 513M/# php_value post_max_size 511M/g' "$NCPATH"/.htaccess - sed -i 's/ php_value memory_limit 512M/# php_value memory_limit 512M/g' "$NCPATH"/.htaccess -fi +configure_max_upload # Extra configurations whiptail --title "Extra configurations" --checklist --separate-output "Choose what you want to configure\nSelect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4 \ "Security" "(Add extra security based on this http://goo.gl/gEJHi7)" OFF \ +"ModSecurity" "(Add ModSecurity for Apache2" OFF \ "Static IP" "(Set static IP in Ubuntu with netplan.io)" OFF 2>results while read -r -u 9 choice @@ -416,6 +425,10 @@ do "Security") run_static_script security ;; + + "ModSecurity") + run_static_script modsecurity + ;; "Static IP") run_static_script set_static_ip @@ -427,6 +440,11 @@ do done 9< results rm -f results +# Calculate max_children after all apps are installed +calculate_max_children +check_command sed -i "s|pm.max_children.*|pm.max_children = $PHP_FPM_MAX_CHILDREN|g" $PHP_POOL_DIR/nextcloud.conf +restart_webserver + # Add temporary fix if needed bash $SCRIPTS/temporary-fix.sh rm "$SCRIPTS"/temporary-fix.sh 
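Review bot: The new `"ModSecurity" "(Add ModSecurity for Apache2" OFF \` entry is missing its closing parenthesis, unlike every other label in the list; change it to `"ModSecurity" "(Add ModSecurity for Apache2)" OFF \`. In the hunk at line 440, `check_command sed -i "s|pm.max_children.*|pm.max_children = $PHP_FPM_MAX_CHILDREN|g" $PHP_POOL_DIR/nextcloud.conf` leaves the path unquoted while the rest of the new code quotes its variables; `"$PHP_POOL_DIR"/nextcloud.conf` matches. Since `calculate_max_children` uses `MemAvailable` and aborts the startup script when fewer than 8 workers fit, its placement after the app selection is deliberate and deserves a comment: `# Must run after the optional apps are installed: uses MemAvailable and exits below 8 workers`.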
@@ -504,8 +522,6 @@ bash $SCRIPTS/update.sh # Cleanup 2 apt autoremove -y apt autoclean -CLEARBOOT=$(dpkg -l linux-* | awk '/^ii/{ print $2}' | grep -v -e "$(uname -r | cut -f1,2 -d"-")" | grep -e "[0-9]" | xargs sudo apt -y purge) -echo "$CLEARBOOT" # Success! msg_box "Congratulations! You have successfully installed Nextcloud! diff --git a/nextcloud_install_production.sh b/nextcloud_install_production.sh index d17340ad..3d87a6c5 100644 --- a/nextcloud_install_production.sh +++ b/nextcloud_install_production.sh @@ -85,6 +85,10 @@ fi is_this_installed postgresql is_this_installed apache2 is_this_installed php +is_this_installed php-fpm +is_this_installed php7.2-fpm +is_this_installed php7.1-fpm +is_this_installed php7.0-fpm is_this_installed mysql-common is_this_installed mariadb-server 
@@ -151,38 +155,95 @@ END service postgresql restart # Install Apache -check_command apt install apache2 -y +check_command apt install apache2 -y a2enmod rewrite \ headers \ + proxy \ + proxy_fcgi \ + setenvif \ env \ - dir \ mime \ - ssl \ - setenvif + dir \ + authz_core \ + alias \ + ssl +# We don't use Apache PHP (just to be sure) +a2dismod mpm_prefork + +# Enable HTTP/2 server wide +echo "Enabling HTTP/2 server wide..." +cat << HTTP2_ENABLE > "$HTTP2_CONF" + + Protocols h2 h2c http/1.1 + H2Direct on + +HTTP2_ENABLE +echo "$HTTP2_CONF was successfully created" +a2enmod http2 +restart_webserver + # Install PHP 7.2 apt update -q4 & spinner_loading check_command apt install -y \ - libapache2-mod-php7.2 \ - php7.2-common \ + php7.2-fpm \ php7.2-intl \ php7.2-ldap \ php7.2-imap \ - php7.2-cli \ php7.2-gd \ php7.2-pgsql \ - php7.2-json \ php7.2-curl \ php7.2-xml \ php7.2-zip \ php7.2-mbstring \ - php-smbclient \ - php-imagick \ + php7.2-soap \ + php7.2-smbclient \ + php7.2-imagick \ + php7.2-json \ + php7.2-gmp \ + php7.2-bz2 \ + php-pear \ libmagickcore-6.q16-3-extra + +# Enable php-fpm +a2enconf php7.2-fpm -# Enable SMB client -# echo '# This enables php-smbclient' >> /etc/php/7.0/apache2/php.ini -# echo 'extension="smbclient.so"' >> /etc/php/7.0/apache2/php.ini +# Calculate max_children for php-fpm (this will be run in the end of the startup script as well) +calculate_max_children + +# Set up a php-fpm pool with a unixsocket +cat << POOL_CONF > "$PHP_POOL_DIR/nextcloud.conf" +[NextCloud] +user = www-data +group = www-data +listen = /run/php/php7.2-fpm.nextcloud.sock +listen.owner = www-data +listen.group = www-data +pm = dynamic +;; max_children is set dynamically with calculate_max_children() +pm.max_children = $PHP_FPM_MAX_CHILDREN +pm.start_servers = 3 +pm.min_spare_servers = 2 +pm.max_spare_servers = 3 +pm.max_requests = 500 +env[HOSTNAME] = $(hostname -f) +env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin +env[TMP] = /tmp 
+env[TMPDIR] = /tmp +env[TEMP] = /tmp +security.limit_extensions = .php +php_admin_value [cgi.fix_pathinfo] = 1 +POOL_CONF + +# Disable the idling example pool. +mv $PHP_POOL_DIR/www.conf $PHP_POOL_DIR/www.conf.backup + +# Restart Webserver +restart_webserver + +# Enable SMB client # already loaded with php-smbclient +# echo '# This enables php-smbclient' >> /etc/php/7.2/apache2/php.ini +# echo 'extension="smbclient.so"' >> /etc/php/7.2/apache2/php.ini # Install VM-tools install_if_not open-vm-tools @@ -228,17 +289,17 @@ crontab -u www-data -l | { cat; echo "*/15 * * * * php -f $NCPATH/cron.php > # Change values in php.ini (increase max file size) # max_execution_time -sed -i "s|max_execution_time =.*|max_execution_time = 3500|g" /etc/php/7.2/apache2/php.ini +sed -i "s|max_execution_time =.*|max_execution_time = 3500|g" $PHP_INI # max_input_time -sed -i "s|max_input_time =.*|max_input_time = 3600|g" /etc/php/7.2/apache2/php.ini +sed -i "s|max_input_time =.*|max_input_time = 3600|g" $PHP_INI # memory_limit -sed -i "s|memory_limit =.*|memory_limit = 512M|g" /etc/php/7.2/apache2/php.ini +sed -i "s|memory_limit =.*|memory_limit = 512M|g" $PHP_INI # post_max -sed -i "s|post_max_size =.*|post_max_size = 1100M|g" /etc/php/7.2/apache2/php.ini +sed -i "s|post_max_size =.*|post_max_size = 1100M|g" $PHP_INI # upload_max -sed -i "s|upload_max_filesize =.*|upload_max_filesize = 1000M|g" /etc/php/7.2/apache2/php.ini +sed -i "s|upload_max_filesize =.*|upload_max_filesize = 1000M|g" $PHP_INI -# Set max upload in Nextcloud .htaccess +# Set max upload in Nextcloud .user.ini configure_max_upload # Set SMTP mail 
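Review bot: `restart_webserver` is called right after `a2enmod http2`, before the `apt install -y php7.2-fpm …` step that follows it, and `restart_webserver` (lib.sh, this diff) runs `check_command systemctl restart php7.2-fpm.service`; with no such unit installed yet that restart fails and, assuming `check_command` aborts on failure as its use elsewhere suggests, the installation stops there. Move that call after php-fpm and the pool file exist — the later `# Restart Webserver` / `restart_webserver` after `mv $PHP_POOL_DIR/www.conf …` already covers it — or use `systemctl restart apache2` at that point. In the pool template, `php_admin_value [cgi.fix_pathinfo] = 1` is only safe because `security.limit_extensions = .php` is set two lines above; record that dependency next to it, `; limit_extensions is what keeps cgi.fix_pathinfo=1 from executing uploaded non-PHP files`. `a2dismod mpm_prefork` is run without saying which MPM is expected to remain (event is the bionic default when mod-php is never installed); a comment stating that expectation would help.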
@@ -248,7 +309,7 @@ occ_command config:system:set mail_smtpmode --value="smtp" occ_command config:system:set log_rotate_size --value="10485760" # Enable OPCache for PHP -# https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html#enable-php-opcache +# https://docs.nextcloud.com/server/14/admin_manual/configuration_server/server_tuning.html#enable-php-opcache phpenmod opcache { echo "# OPcache settings for Nextcloud" @@ -260,19 +321,7 @@ echo "opcache.memory_consumption=256" echo "opcache.save_comments=1" echo "opcache.revalidate_freq=1" echo "opcache.validate_timestamps=1" -} >> /etc/php/7.2/apache2/php.ini - -# Install preview generator -install_and_enable_app previewgenerator - -# Run the first preview generation and add crontab -if [ -d "$NC_APPS_PATH/previewgenerator" ] -then - crontab -u www-data -l | { cat; echo "@daily php -f $NCPATH/occ preview:pre-generate >> /var/log/previewgenerator.log"; } | crontab -u www-data - - occ_command preview:generate-all - touch /var/log/previewgenerator.log - chown www-data:www-data /var/log/previewgenerator.log -fi +} >> $PHP_INI # Install issuetemplate install_and_enable_app issuetemplate @@ -280,6 +329,9 @@ install_and_enable_app issuetemplate # Install CanIUpdate? install_and_enable_app caniupdate +# Install PDF Viewer +install_and_enable_app files_pdfviewer + # Install Figlet install_if_not figlet @@ -299,6 +351,10 @@ then # ServerAlias subdomain.example.com ### SETTINGS ### + + SetHandler "proxy:unix:/run/php/php7.2-fpm.nextcloud.sock|fcgi://localhost" + + DocumentRoot $NCPATH 
@@ -316,6 +372,20 @@ then # just in case if .htaccess gets disabled Require all denied + + # The following lines prevent .htaccess and .htpasswd files from being + # viewed by Web clients. + + Require all denied + + + # Disable HTTP TRACE method. + TraceEnable off + + # Disable HTTP TRACK method. + RewriteEngine On + RewriteCond %{REQUEST_METHOD} ^TRACK + RewriteRule .* - [R=405,L] SetEnv HOME $NCPATH SetEnv HTTP_HOME $NCPATH @@ -340,6 +410,10 @@ then # ServerAlias subdomain.example.com ### SETTINGS ### + + SetHandler "proxy:unix:/run/php/php7.2-fpm.nextcloud.sock|fcgi://localhost" + + DocumentRoot $NCPATH @@ -357,6 +431,20 @@ then # just in case if .htaccess gets disabled Require all denied + + # The following lines prevent .htaccess and .htpasswd files from being + # viewed by Web clients. + + Require all denied + + + # Disable HTTP TRACE method. + TraceEnable off + + # Disable HTTP TRACK method. + RewriteEngine On + RewriteCond %{REQUEST_METHOD} ^TRACK + RewriteRule .* - [R=405,L] SetEnv HOME $NCPATH SetEnv HTTP_HOME $NCPATH 
@@ -374,36 +462,12 @@ a2ensite nextcloud_ssl_domain_self_signed.conf a2ensite nextcloud_http_domain_self_signed.conf a2dissite default-ssl -# Enable HTTP/2 server wide, if user decides to -msg_box "Your official package repository does not provide an Apache2 package with HTTP/2 module included. -If you like to enable HTTP/2 nevertheless, we can upgrade your Apache2 from Ondrejs PPA: -https://launchpad.net/~ondrej/+archive/ubuntu/apache2 +# Enable new config +a2ensite nextcloud_ssl_domain_self_signed.conf +a2ensite nextcloud_http_domain_self_signed.conf +a2dissite default-ssl -Enabling HTTP/2 can bring a performance advantage, but may also have some compatibility issues. -E.g. the Nextcloud Spreed video calls app does not yet work with HTTP/2 enabled." - -if [[ "yes" == $(ask_yes_or_no "Do you want to enable HTTP/2 system wide?") ]] -then - # Adding PPA - add-apt-repository ppa:ondrej/apache2 -y - apt update -q4 & spinner_loading - apt upgrade apache2 -y - - # Enable HTTP/2 module & protocol - cat << HTTP2_ENABLE > "$HTTP2_CONF" - - Protocols h2 h2c http/1.1 - H2Direct on - -HTTP2_ENABLE - echo "$HTTP2_CONF was successfully created" - a2enmod http2 -fi - -# Restart Apache2 to enable new config -service apache2 restart - -whiptail --title "Which apps/programs do you want to install?" --checklist --separate-output "" 10 40 3 \ +whiptail --title "Install apps or software" --checklist --separate-output "Automatically configure and install selected apps or software\nDeselect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4 \ "Calendar" " " on \ "Contacts" " " on \ "Webmin" " " on 2>results 
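Review bot: The added `# Enable new config` block repeats `a2ensite nextcloud_ssl_domain_self_signed.conf`, `a2ensite nextcloud_http_domain_self_signed.conf` and `a2dissite default-ssl`, which are the three context lines immediately above it, so the sites are enabled twice and the heading describes nothing new; drop the duplicate block, or move the heading above the original three lines. The removed `service apache2 restart` that followed the HTTP/2 prompt has no replacement in this hunk, so the self-signed vhosts enabled here only take effect at a later `restart_webserver`; if that later call is meant to cover it, a comment here, `# Apache is restarted after the app selection below`, saves the next reader the search.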
@@ -453,8 +517,6 @@ apt dist-upgrade -y apt purge lxd -y # Cleanup -CLEARBOOT=$(dpkg -l linux-* | awk '/^ii/{ print $2}' | grep -v -e ''"$(uname -r | cut -f1,2 -d"-")"'' | grep -e '[0-9]' | xargs sudo apt -y purge) -echo "$CLEARBOOT" apt autoremove -y apt autoclean find /root "/home/$UNIXUSER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name '*.zip*' \) -delete diff --git a/nextcloud_update.sh b/nextcloud_update.sh index 39ce9bc5..7b868303 100644 --- a/nextcloud_update.sh +++ b/nextcloud_update.sh @@ -333,6 +333,16 @@ occ_command config:system:set htaccess.RewriteBase --value="/" occ_command maintenance:update:htaccess bash "$SECURE" +# Update .user.ini in case stuff was added to .htaccess +if [ "$NCPATH/.htaccess" -nt "$NCPATH/.user.ini" ] +then + cp -fv "$NCPATH/.htaccess" "$NCPATH/.user.ini" + sed -i 's/ php_value upload_max_filesize.*/# php_value upload_max_filesize 511M/g' "$NCPATH"/.user.ini + sed -i 's/ php_value post_max_size.*/# php_value post_max_size 511M/g' "$NCPATH"/.user.ini + sed -i 's/ php_value memory_limit.*/# php_value memory_limit 512M/g' "$NCPATH"/.user.ini + restart_webserver +fi + # Repair occ_command maintenance:repair diff --git a/static/index.php b/static/index.php index 5d2108e5..704d923a 100644 --- a/static/index.php +++ b/static/index.php @@ -106,15 +106,16 @@
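Review bot: The new `.user.ini` refresh block duplicates the body of lib.sh's `configure_max_upload` (the same `cp -fv` and the same three `sed` lines), so a fix to one silently misses the other; replace the four lines inside the `if` with `configure_max_upload` and keep the `restart_webserver`. It inherits the same problem as that function — copying the Apache `.htaccess` over the INI-syntax `.user.ini` Nextcloud ships instead of carrying the values over — so it is worth fixing in lib.sh first. `-nt` also fires on every run because `occ_command maintenance:update:htaccess` just above rewrites `.htaccess`, so the copy and the php-fpm restart happen on every update; if that is acceptable, say so in the `# Update .user.ini …` comment.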

Access Nextcloud

-

Use one of the following addresses, HTTPS is preffered: +

Use the following address:

-

Note: Please accept the warning in the browser if you connect via HTTPS. It is recommended
- to buy your own certificate and replace the self-signed certificate to your own.

+

Note: Please accept the warning in the browser if you have a self-signed certificate.
+ It's recomended to buy your own certificate $ +

The easiest way to get a real SSL certificate though is to run the script included in this VM:
+ sudo bash /var/scripts/activate-ssl.sh

Note: Before you can login you have to run the setup script, as descirbed in the video above.

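Review bot: The new user-facing line `It's recomended to buy your own certificate` misspells "recommended", and the sentence appears cut off in this rendering (`certificate $ +`), so check the file for the intended ending. The context line `as descirbed in the video above` carries an older typo that could be fixed in the same touch.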
diff --git a/static/modsecurity.sh b/static/modsecurity.sh new file mode 100644 index 00000000..f8fb848d --- /dev/null +++ b/static/modsecurity.sh 
@@ -0,0 +1,84 @@ +#!/bin/bash +# shellcheck disable=2034,2059 +true +# shellcheck source=lib.sh +. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Check if root +root_check + +# Add modsecurity +apt update -q4 & spinner_loading +install_if_not libapache2-mod-security2 +install_if_not modsecurity-crs +mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf + +msg_box "WARNING: Do not enable active defence if you don't know what you're doing! +For example it will break OnlyOffice, and may break other stuff as well in Nextcloud. + +You can monitor the aduit log by typing this command in your shell: +tail -f /var/log/apache2/modsec_audit.log + +You can disable it by typing this command in your shell: +sed -i 's/SecRuleEngine .*/SecRuleEngine DetectionOnly/g' /etc/modsecurity/modsecurity.conf + +You have been warnned." +if [[ "yes" == $(ask_yes_or_no "Do you want to enable active defence?") ]] +then + sed -i 's/SecRuleEngine .*/SecRuleEngine on/g' /etc/modsecurity/modsecurity.conf +fi + +cat << MODSECWHITE > "/etc/modsecurity/whitelist.conf" + +# VIDEOS + SecRuleRemoveById 958291 # Range Header Checks + SecRuleRemoveById 981203 # Correlated Attack Attempt + + # PDF + SecRuleRemoveById 950109 # Check URL encodings + + # ADMIN (webdav) + SecRuleRemoveById 960024 # Repeatative Non-Word Chars (heuristic) + SecRuleRemoveById 981173 # SQL Injection Character Anomaly Usage + SecRuleRemoveById 981204 # Correlated Attack Attempt + SecRuleRemoveById 981243 # PHPIDS - Converted SQLI Filters + SecRuleRemoveById 981245 # PHPIDS - Converted SQLI Filters + SecRuleRemoveById 981246 # PHPIDS - Converted SQLI Filters + SecRuleRemoveById 981318 # String Termination/Statement Ending Injection Testing + SecRuleRemoveById 973332 # XSS Filters from IE + SecRuleRemoveById 973338 # XSS Filters - Category 3 + SecRuleRemoveById 
981143 # CSRF Protections ( TODO edit LocationMatch filter ) + + # COMING BACK FROM OLD SESSION + SecRuleRemoveById 970903 # Microsoft Office document properties leakage + + # NOTES APP + SecRuleRemoveById 981401 # Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff' + SecRuleRemoveById 200002 # Failed to parse request body + + # UPLOADS ( 5 MB max excluding file size ) + SecRequestBodyNoFilesLimit 5242880 + + # GENERAL + SecRuleRemoveById 960017 # Host header is a numeric IP address + + # SAMEORIGN + SecRuleRemoveById 911100 # fpm socket + + # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM + #SecRuleRemoveById 981220 900046 981407 + #SecRuleRemoveById 981222 981405 981185 981184 + +MODSECWHITE + +if [ -f /etc/modsecurity/whitelist.conf ] +then + echo "ModSecurity activated!" + restart_webserver +fi diff --git a/static/redis-server-ubuntu.sh b/static/redis-server-ubuntu.sh index 380d7788..deb07c4e 100644 --- a/static/redis-server-ubuntu.sh +++ b/static/redis-server-ubuntu.sh @@ -32,9 +32,9 @@ install_if_not redis-server # touch /etc/php/7.0/mods-available/redis.ini # echo 'extension=redis.so' > /etc/php/7.0/mods-available/redis.ini # phpenmod redis -# Setting direct to apache2 works if 'libapache2-mod-php7.0' is installed -echo 'extension=redis.so' >> /etc/php/7.2/apache2/php.ini -service apache2 restart +# Setting direct to apache2 works +echo 'extension=redis.so' >> $PHP_INI +restart_webserver # Prepare for adding redis configuration sed -i "s|);||g" $NCPATH/config/config.php diff --git a/static/security.sh b/static/security.sh index 9541d6d8..c16f7f14 100644 --- a/static/security.sh +++ b/static/security.sh @@ -13,6 +13,9 @@ true DEBUG=0 debug_mode +# Check if root +root_check + # Based on: http://www.techrepublic.com/blog/smb-technologist/secure-your-apache-server-from-ddos-slowloris-and-dns-injection-attacks/ # Protect against DDOS 
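Review bot: In static/modsecurity.sh the closing `if [ -f /etc/modsecurity/whitelist.conf ]` is always true because the heredoc just wrote that file, so `ModSecurity activated!` is printed even when the user answered no and `SecRuleEngine` keeps the recommended config's DetectionOnly value; gate the message on the answer, or on `grep -q '^SecRuleEngine on' /etc/modsecurity/modsecurity.conf`. The `mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf` is unguarded and fails on a second run when the source is already gone, so `[ -f /etc/modsecurity/modsecurity.conf ] || mv ...` would make the script idempotent. The whitelist's `SecRuleRemoveById` values (958291, 981203, 973332, …) look like CRS 2.x rule IDs; if the packaged `modsecurity-crs` on the target release ships CRS 3.x, these exclusions match nothing and silently have no effect, which is worth confirming against the installed rule files. Only `SecRequestBodyNoFilesLimit` is raised, so the stock `SecRequestBodyLimit` from the recommended config (12.5 MB, with Reject as the action) would presumably block larger uploads once the engine is switched on, which is unlikely to be intended on a Nextcloud host.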
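Review bot: In static/redis-server-ubuntu.sh the new `echo 'extension=redis.so' >> $PHP_INI` is unquoted and unconditional: an unset or empty `PHP_INI` turns the redirect into an "ambiguous redirect" error, and every re-run appends another `extension=redis.so` line, after which PHP complains that the module is already loaded. A guard such as `: "${PHP_INI:?PHP_INI must be set}"` followed by `grep -q '^extension=redis.so' "$PHP_INI" || echo 'extension=redis.so' >> "$PHP_INI"` covers both. The `$NCPATH/config/config.php` argument to `sed` in the kept context is likewise unquoted, though that predates this change.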
@@ -71,7 +74,7 @@ fi # Enable $SPAMHAUS sed -i "s|#MS_WhiteList /etc/spamhaus.wl|MS_WhiteList $SPAMHAUS|g" /etc/apache2/mods-enabled/spamhaus.conf -check_command service apache2 restart +restart_webserver echo "Security added!" sleep 3