|
@@ -903,7 +903,7 @@ Add the following:
|
903
|
903
|
# ==============================================================
|
904
|
904
|
|
905
|
905
|
# Variables
|
906
|
|
-CPU_LIMIT=30 # Maximum percentage CPU consumption by each PID
|
|
906
|
+CPU_LIMIT=50 # Maximum percentage CPU consumption by each PID
|
907
|
907
|
DAEMON_INTERVAL=1 # Daemon check interval in seconds
|
908
|
908
|
BLACK_PROCESSES_LIST= # Limit only processes defined in this variable. If variable is empty (default) all violating processes are limited.
|
909
|
909
|
WHITE_PROCESSES_LIST="cron|top|emacs|vi|vim|nano" # Limit all processes except processes defined in this variable. If variable is empty (default) all violating processes are limited.
|
|
@@ -2484,63 +2484,15 @@ Here cron is used so that if we stop one of the relevant processes and then rest
|
2484
|
2484
|
-- Tim Berners-Lee
|
2485
|
2485
|
#+END_VERSE
|
2486
|
2486
|
|
2487
|
|
-Edit the apache configuration so that it doesn't run out of memory if there are a lot of connections.
|
|
2487
|
+First install nginx and some scripts for easily enabling and disabling the web sites which we will create.
|
2488
|
2488
|
|
2489
|
2489
|
#+BEGIN_SRC: bash
|
2490
|
|
-su
|
2491
|
|
-editor /etc/apache2/apache2.conf
|
2492
|
|
-#+END_SRC
|
2493
|
|
-
|
2494
|
|
-Search for MaxClients and replace the value with 6. As an example the settings should look something like this:
|
2495
|
|
-
|
2496
|
|
-#+BEGIN_SRC: bash
|
2497
|
|
-Timeout 30
|
2498
|
|
-KeepAlive On
|
2499
|
|
-MaxKeepAliveRequests 5
|
2500
|
|
-KeepAliveTimeout 10
|
2501
|
|
-
|
2502
|
|
-<IfModule mpm_prefork_module>
|
2503
|
|
- StartServers 3
|
2504
|
|
- MinSpareServers 3
|
2505
|
|
- MaxSpareServers 5
|
2506
|
|
- MaxClients 10
|
2507
|
|
- MaxRequestsPerChild 0
|
2508
|
|
-</IfModule>
|
2509
|
|
-
|
2510
|
|
-<IfModule mpm_worker_module>
|
2511
|
|
- StartServers 1
|
2512
|
|
- MinSpareThreads 5
|
2513
|
|
- MaxSpareThreads 15
|
2514
|
|
- ThreadLimit 25
|
2515
|
|
- ThreadsPerChild 5
|
2516
|
|
- MaxClients 25
|
2517
|
|
- MaxRequestsPerChild 200
|
2518
|
|
-</IfModule>
|
2519
|
|
-
|
2520
|
|
-<IfModule mpm_event_module>
|
2521
|
|
- StartServers 1
|
2522
|
|
- MinSpareThreads 5
|
2523
|
|
- MaxSpareThreads 15
|
2524
|
|
- ThreadLimit 25
|
2525
|
|
- ThreadsPerChild 5
|
2526
|
|
- MaxClients 25
|
2527
|
|
- MaxRequestsPerChild 200
|
2528
|
|
-</IfModule>
|
2529
|
|
-#+END_SRC
|
2530
|
|
-
|
2531
|
|
-Also append the following:
|
2532
|
|
-
|
2533
|
|
-#+BEGIN_SRC: bash
|
2534
|
|
-ServerSignature Off
|
2535
|
|
-ServerTokens Prod
|
2536
|
|
-#+END_SRC
|
2537
|
|
-
|
2538
|
|
-Then save and exit. Install some extra security.
|
2539
|
|
-
|
2540
|
|
-#+BEGIN_SRC: bash
|
2541
|
|
-apt-get install libapache2-modsecurity
|
2542
|
|
-apt-get install libapache2-mod-evasive
|
2543
|
|
-#+END_SRC
|
|
2490
|
+apt-get install nginx php5-fpm git
|
|
2491
|
+cd ~/build
|
|
2492
|
+git clone https://github.com/perusio/nginx_ensite
|
|
2493
|
+cd ~/build/nginx_ensite
|
|
2494
|
+cp nginx_* /usr/sbin
|
|
2495
|
+#+END_VERSE
|
2544
|
2496
|
|
2545
|
2497
|
In the examples below replace /mydomainname.com/ with your own domain name.
|
2546
|
2498
|
|
|
@@ -2548,228 +2500,59 @@ In the examples below replace /mydomainname.com/ with your own domain name.
|
2548
|
2500
|
export HOSTNAME=mydomainname.com
|
2549
|
2501
|
mkdir /var/www/$HOSTNAME
|
2550
|
2502
|
mkdir /var/www/$HOSTNAME/htdocs
|
2551
|
|
-editor /etc/apache2/sites-available/$HOSTNAME
|
|
2503
|
+editor /etc/nginx/sites-available/$HOSTNAME
|
2552
|
2504
|
#+END_SRC
|
2553
|
2505
|
|
2554
|
|
-The Apache configuration for the site should look something like the following. Replace /mydonainname.com/ with the site domain name.
|
|
2506
|
+The configuration for the site should look something like the following. Replace /mydonainname.com/ with the site domain name.
|
2555
|
2507
|
|
2556
|
2508
|
#+BEGIN_SRC: bash
|
2557
|
|
-<VirtualHost *:80>
|
2558
|
|
- ServerAdmin myusername@mydomainname.com
|
2559
|
|
- ServerName mydomainname.com
|
2560
|
|
-
|
2561
|
|
- DocumentRoot /var/www/mydomainname.com/htdocs
|
2562
|
|
- <Directory />
|
2563
|
|
- Options FollowSymLinks
|
2564
|
|
- AllowOverride All
|
2565
|
|
- </Directory>
|
2566
|
|
- <Directory /var/www/mydomainname.com/htdocs/>
|
2567
|
|
- Options All
|
2568
|
|
- AllowOverride All
|
2569
|
|
- Order allow,deny
|
2570
|
|
- allow from all
|
2571
|
|
- LimitRequestBody 512000
|
2572
|
|
- </Directory>
|
2573
|
|
-
|
2574
|
|
- # Don't serve .php~ or .php# files created by emacs
|
2575
|
|
- <Files ~ "(^#.*#|~|\.sw[op])$">
|
2576
|
|
- Order allow,deny
|
2577
|
|
- Deny from all
|
2578
|
|
- </Files>
|
|
2509
|
+server {
|
|
2510
|
+ listen 80;
|
|
2511
|
+ root /var/www/mydomainname.com/htdocs;
|
|
2512
|
+ index index.html index.htm;
|
|
2513
|
+ server_name mydomainname.com;
|
2579
|
2514
|
|
2580
|
|
- <IfModule headers_module>
|
2581
|
|
- Header set X-Content-Type-Options nosniff
|
2582
|
|
- Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private"
|
2583
|
|
- Header set Pragma no-cache
|
2584
|
|
- </IfModule>
|
2585
|
|
-
|
2586
|
|
- <Files .htaccess>
|
2587
|
|
- deny from all
|
2588
|
|
- </Files>
|
2589
|
|
-
|
2590
|
|
- ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
2591
|
|
- <Directory "/usr/lib/cgi-bin">
|
2592
|
|
- AllowOverride All
|
2593
|
|
- Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
2594
|
|
- Order allow,deny
|
2595
|
|
- Allow from all
|
2596
|
|
- LimitRequestBody 512000
|
2597
|
|
- </Directory>
|
2598
|
|
-
|
2599
|
|
- ErrorLog ${APACHE_LOG_DIR}/error.log
|
2600
|
|
-
|
2601
|
|
- # Possible values include: debug, info, notice, warn, error, crit,
|
2602
|
|
- # alert, emerg.
|
2603
|
|
- LogLevel error
|
2604
|
|
-
|
2605
|
|
- CustomLog ${APACHE_LOG_DIR}/access.log combined
|
2606
|
|
-</VirtualHost>
|
2607
|
|
-
|
2608
|
|
-<IfModule mod_ssl.c>
|
2609
|
|
-<VirtualHost *:443>
|
2610
|
|
- ServerAdmin myusername@mydomainname.com
|
2611
|
|
- ServerName mydomainname.com
|
2612
|
|
-
|
2613
|
|
- DocumentRoot /var/www/mydomainname.com/htdocs
|
2614
|
|
- <Directory />
|
2615
|
|
- Options FollowSymLinks
|
2616
|
|
- AllowOverride All
|
2617
|
|
- </Directory>
|
2618
|
|
- <Directory /var/www/mydomainname.com/htdocs/>
|
2619
|
|
- Options All
|
2620
|
|
- AllowOverride All
|
2621
|
|
- Order allow,deny
|
2622
|
|
- allow from all
|
2623
|
|
- LimitRequestBody 512000
|
2624
|
|
- </Directory>
|
2625
|
|
-
|
2626
|
|
- # Don't serve .php~ or .php# files created by emacs
|
2627
|
|
- <Files ~ "(^#.*#|~|\.sw[op])$">
|
2628
|
|
- Order allow,deny
|
2629
|
|
- Deny from all
|
2630
|
|
- </Files>
|
2631
|
|
-
|
2632
|
|
- <IfModule headers_module>
|
2633
|
|
- Header set X-Content-Type-Options nosniff
|
2634
|
|
- Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private"
|
2635
|
|
- Header set Pragma no-cache
|
2636
|
|
- </IfModule>
|
2637
|
|
-
|
2638
|
|
- <Files .htaccess>
|
2639
|
|
- deny from all
|
2640
|
|
- </Files>
|
2641
|
|
-
|
2642
|
|
- ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
2643
|
|
- <Directory "/usr/lib/cgi-bin">
|
2644
|
|
- AllowOverride All
|
2645
|
|
- Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
2646
|
|
- Order allow,deny
|
2647
|
|
- Allow from all
|
2648
|
|
- LimitRequestBody 512000
|
2649
|
|
- </Directory>
|
2650
|
|
-
|
2651
|
|
- ErrorLog ${APACHE_LOG_DIR}/error.log
|
2652
|
|
-
|
2653
|
|
- # Possible values include: debug, info, notice, warn, error, crit,
|
2654
|
|
- # alert, emerg.
|
2655
|
|
- LogLevel error
|
2656
|
|
-
|
2657
|
|
- CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
|
2658
|
|
-
|
2659
|
|
- # SSL Engine Switch:
|
2660
|
|
- # Enable/Disable SSL for this virtual host.
|
2661
|
|
- SSLEngine on
|
2662
|
|
-
|
2663
|
|
- # A self-signed certificate
|
2664
|
|
- SSLCertificateFile /etc/ssl/certs/mydomainname.com.crt
|
2665
|
|
- SSLCertificateKeyFile /etc/ssl/private/mydomainname.com.key
|
2666
|
|
-
|
2667
|
|
- # Options based on bettercrypto.org
|
2668
|
|
- SSLProtocol All -SSLv2 -SSLv3
|
2669
|
|
- SSLHonorCipherOrder On
|
2670
|
|
- SSLCompression off
|
2671
|
|
- SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
|
2672
|
|
-
|
2673
|
|
- # Add six earth month HSTS header for all users ...
|
2674
|
|
- Header add Strict-Transport-Security "max-age=15768000"
|
2675
|
|
- # If you want to protect all subdomains , use the following header
|
2676
|
|
- # ALL subdomains HAVE TO support https if you use this !
|
2677
|
|
- # Strict-Transport-Security: max-age=15768000 ; includeSubDomains
|
2678
|
|
-
|
2679
|
|
- # SSL Engine Options:
|
2680
|
|
- # Set various options for the SSL engine.
|
2681
|
|
- # o FakeBasicAuth:
|
2682
|
|
- # Translate the client X.509 into a Basic Authorisation. This means that
|
2683
|
|
- # the standard Auth/DBMAuth methods can be used for access control. The
|
2684
|
|
- # user name is the `one line' version of the client's X.509 certificate.
|
2685
|
|
- # Note that no password is obtained from the user. Every entry in the user
|
2686
|
|
- # file needs this password: `xxj31ZMTZzkVA'.
|
2687
|
|
- # o ExportCertData:
|
2688
|
|
- # This exports two additional environment variables: SSL_CLIENT_CERT and
|
2689
|
|
- # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
|
2690
|
|
- # server (always existing) and the client (only existing when client
|
2691
|
|
- # authentication is used). This can be used to import the certificates
|
2692
|
|
- # into CGI scripts.
|
2693
|
|
- # o StdEnvVars:
|
2694
|
|
- # This exports the standard SSL/TLS related `SSL_*' environment variables.
|
2695
|
|
- # Per default this exportation is switched off for performance reasons,
|
2696
|
|
- # because the extraction step is an expensive operation and is usually
|
2697
|
|
- # useless for serving static content. So one usually enables the
|
2698
|
|
- # exportation for CGI and SSI requests only.
|
2699
|
|
- # o StrictRequire:
|
2700
|
|
- # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
|
2701
|
|
- # under a "Satisfy any" situation, i.e. when it applies access is denied
|
2702
|
|
- # and no other module can change it.
|
2703
|
|
- # o OptRenegotiate:
|
2704
|
|
- # This enables optimized SSL connection renegotiation handling when SSL
|
2705
|
|
- # directives are used in per-directory context.
|
2706
|
|
- #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
2707
|
|
- <FilesMatch "\.(cgi|shtml|phtml|php)$">
|
2708
|
|
- SSLOptions +StdEnvVars
|
2709
|
|
- </FilesMatch>
|
2710
|
|
- <Directory /usr/lib/cgi-bin>
|
2711
|
|
- SSLOptions +StdEnvVars
|
2712
|
|
- </Directory>
|
2713
|
|
-
|
2714
|
|
- # SSL Protocol Adjustments:
|
2715
|
|
- # The safe and default but still SSL/TLS standard compliant shutdown
|
2716
|
|
- # approach is that mod_ssl sends the close notify alert but doesn't wait for
|
2717
|
|
- # the close notify alert from client. When you need a different shutdown
|
2718
|
|
- # approach you can use one of the following variables:
|
2719
|
|
- # o ssl-unclean-shutdown:
|
2720
|
|
- # This forces an unclean shutdown when the connection is closed, i.e. no
|
2721
|
|
- # SSL close notify alert is send or allowed to received. This violates
|
2722
|
|
- # the SSL/TLS standard but is needed for some brain-dead browsers. Use
|
2723
|
|
- # this when you receive I/O errors because of the standard approach where
|
2724
|
|
- # mod_ssl sends the close notify alert.
|
2725
|
|
- # o ssl-accurate-shutdown:
|
2726
|
|
- # This forces an accurate shutdown when the connection is closed, i.e. a
|
2727
|
|
- # SSL close notify alert is send and mod_ssl waits for the close notify
|
2728
|
|
- # alert of the client. This is 100% SSL/TLS standard compliant, but in
|
2729
|
|
- # practice often causes hanging connections with brain-dead browsers. Use
|
2730
|
|
- # this only for browsers where you know that their SSL implementation
|
2731
|
|
- # works correctly.
|
2732
|
|
- # Notice: Most problems of broken clients are also related to the HTTP
|
2733
|
|
- # keep-alive facility, so you usually additionally want to disable
|
2734
|
|
- # keep-alive for those clients, too. Use variable "nokeepalive" for this.
|
2735
|
|
- # Similarly, one has to force some clients to use HTTP/1.0 to workaround
|
2736
|
|
- # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
2737
|
|
- # "force-response-1.0" for this.
|
2738
|
|
- BrowserMatch "MSIE [2-6]" \
|
2739
|
|
- nokeepalive ssl-unclean-shutdown \
|
2740
|
|
- downgrade-1.0 force-response-1.0
|
2741
|
|
- # MSIE 7 and newer should be able to use keepalive
|
2742
|
|
- BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
|
2515
|
+ location / {
|
|
2516
|
+ try_files $uri $uri/ /index.html;
|
|
2517
|
+ }
|
|
2518
|
+}
|
2743
|
2519
|
|
2744
|
|
-</VirtualHost>
|
2745
|
|
-</IfModule>
|
|
2520
|
+server {
|
|
2521
|
+ listen 443;
|
|
2522
|
+ root /var/www/mydomainname.com/htdocs;
|
|
2523
|
+ index index.html index.htm;
|
|
2524
|
+ server_name mydomainname.com;
|
|
2525
|
+
|
|
2526
|
+ ssl on;
|
|
2527
|
+ ssl_certificate /etc/ssl/certs/mydomainname.com.crt;
|
|
2528
|
+ ssl_certificate_key /etc/ssl/private/mydomainname.com.key;
|
|
2529
|
+
|
|
2530
|
+ ssl_session_timeout 5m;
|
|
2531
|
+ ssl_prefer_server_ciphers on;
|
|
2532
|
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
|
|
2533
|
+ ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
|
|
2534
|
+ add_header Strict-Transport-Security max-age=15768000; # six months
|
|
2535
|
+ # use this only if all subdomains support HTTPS!
|
|
2536
|
+ # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
|
|
2537
|
+
|
|
2538
|
+ location / {
|
|
2539
|
+ try_files $uri $uri/ /index.html;
|
|
2540
|
+ }
|
|
2541
|
+}
|
2746
|
2542
|
#+END_SRC
|
2747
|
2543
|
|
2748
|
|
-Then to enable the site:
|
|
2544
|
+Save and exit. Then change the domain name.
|
2749
|
2545
|
|
2750
|
2546
|
#+BEGIN_SRC: bash
|
2751
|
|
-a2ensite
|
2752
|
|
-a2dissite default
|
2753
|
|
-a2dissite default-ssl
|
2754
|
|
-a2enmod rewrite
|
2755
|
|
-a2enmod headers
|
|
2547
|
+sed "s/mydomainname.com/$HOSTNAME/g" /etc/nginx/sites-available/$HOSTNAME > /tmp/website
|
|
2548
|
+cp -f /tmp/website /etc/nginx/sites-available/$HOSTNAME
|
2756
|
2549
|
#+END_SRC
|
2757
|
2550
|
|
2758
|
|
-Ensure that "NameVirtualHost *:443" is added to /etc/apache2/ports.conf. It should look something like the following:
|
|
2551
|
+Then to enable the site:
|
2759
|
2552
|
|
2760
|
2553
|
#+BEGIN_SRC: bash
|
2761
|
|
-NameVirtualHost *:80
|
2762
|
|
-Listen 80
|
2763
|
|
-
|
2764
|
|
-<IfModule mod_ssl.c>
|
2765
|
|
- NameVirtualHost *:443
|
2766
|
|
- Listen 443
|
2767
|
|
-</IfModule>
|
2768
|
|
-
|
2769
|
|
-<IfModule mod_gnutls.c>
|
2770
|
|
- NameVirtualHost *:443
|
2771
|
|
- Listen 443
|
2772
|
|
-</IfModule>
|
|
2554
|
+nginx_dissite default
|
|
2555
|
+nginx_ensite $HOSTNAME
|
2773
|
2556
|
#+END_SRC
|
2774
|
2557
|
|
2775
|
2558
|
Create a self-signed certificate. The passphrase isn't important and will be removed, so make it easy (such as "password").
|
|
@@ -2786,7 +2569,7 @@ Enter the following:
|
2786
|
2569
|
HOSTNAME=$1
|
2787
|
2570
|
|
2788
|
2571
|
openssl genrsa -des3 -out $HOSTNAME.key 1024
|
2789
|
|
-openssl req -new -x509 -nodes -sha1 -days 3650 -key $HOSTNAME.key -out $HOSTNAME.crt
|
|
2572
|
+openssl req -new -x509 -nodes -days 3650 -key $HOSTNAME.key -out $HOSTNAME.crt
|
2790
|
2573
|
openssl rsa -in $HOSTNAME.key -out $HOSTNAME.new.key
|
2791
|
2574
|
cp $HOSTNAME.new.key $HOSTNAME.key
|
2792
|
2575
|
rm $HOSTNAME.new.key
|
|
@@ -2794,15 +2577,14 @@ cp $HOSTNAME.key /etc/ssl/private
|
2794
|
2577
|
chmod 400 /etc/ssl/private/$HOSTNAME.key
|
2795
|
2578
|
cp $HOSTNAME.crt /etc/ssl/certs
|
2796
|
2579
|
shred -zu $HOSTNAME.key $HOSTNAME.crt
|
2797
|
|
-a2enmod ssl
|
2798
|
|
-service apache2 restart
|
|
2580
|
+/etc/init.d/nginx reload
|
2799
|
2581
|
#+END_SRC
|
2800
|
2582
|
|
2801
|
2583
|
Save and exit.
|
2802
|
2584
|
|
2803
|
2585
|
#+BEGIN_SRC: bash
|
2804
|
2586
|
chmod +x /usr/bin/makecert
|
2805
|
|
-makecert mydomainname.com
|
|
2587
|
+makecert $HOSTNAME
|
2806
|
2588
|
#+END_SRC
|
2807
|
2589
|
|
2808
|
2590
|
Enter some trivial password for the key file, such as "password". The password will be removed as part of the /makecert/ script which you just created. Note that leaving a password on the key file would mean that after a power cycle the Apache server will not be able to boot properly (it would wait indefinitely for a password to be manually entered) and would look as if it had crashed.
|
|
@@ -2812,7 +2594,7 @@ If all has gone well then there should be no warnings or errors after you run th
|
2812
|
2594
|
Also limit the amount of memory which any php scripts can use.
|
2813
|
2595
|
|
2814
|
2596
|
#+BEGIN_SRC: bash
|
2815
|
|
-editor /etc/php5/apache2/php.ini
|
|
2597
|
+editor /etc/php5/fpm/php.ini
|
2816
|
2598
|
#+END_SRC
|
2817
|
2599
|
|
2818
|
2600
|
Set the following:
|