Merge pull request #81 from niiknow/master

Misc updates to better support wordpress.

Dockerfile

@@ -325,10 +325,12 @@ RUN cd /tmp \
     && sed -i "s/FcgidConnectTimeout 20/FcgidMaxRequestLen 629145600\n  FcgidConnectTimeout 20/" /etc/apache2/mods-available/fcgid.conf \
 
 # fix docker nginx ips
-    && sed -i -e "s/\%ip\%\:\%proxy\_port\%\;/\%proxy\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \
-    && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%\;/\%proxy\_ssl\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \
-    && sed -i -e "s/\%ip\%\:\%proxy\_port\%\;/\%proxy\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.tpl \
-    && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%\;/\%proxy\_ssl\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.stpl \
+    && sed -i -e "s/\%ip\%\:\%proxy\_port\%/\%proxy\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \
+    && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%/\%proxy\_ssl\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \
+    && sed -i -e "s/\%ip\%\:\%web\_port\%/\%web\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \
+    && sed -i -e "s/\%ip\%\:\%web\_ssl\_port\%/\%web\_ssl\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \
+    && sed -i -e "s/\%ip\%\:\%proxy\_port\%/\%proxy\_port\%/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.tpl \
+    && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%/\%proxy\_ssl\_port\%/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.stpl \
     && sed -i -e "s/ include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/ include \%home\%\/\%user\%\/web\/\%domain\%\/private\/*.conf;\n    include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \
     && sed -i -e "s/ include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/ include \%home\%\/\%user\%\/web\/\%domain\%\/private\/*.conf;\n    include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \
     && bash /usr/local/vesta/upd/switch_rpath.sh \
@@ -348,10 +350,11 @@ RUN cd /tmp \
     && sed -i -e "s/\-c \-\-inserts \-O \-x \-f/\-\-inserts \-x \-f/g" /usr/local/vesta/func/db.sh \
     && sed -i -e "s/dbuser/DBUSER/g" /usr/local/vesta/func/rebuild.sh \
     && sed -i -e "s/ROLE \$DBUSER/ROLE \$DBUSER WITH LOGIN/g" /usr/local/vesta/func/rebuild.sh \
+    && sed -i -e "s/plsql/psql/g" /usr/local/vesta/bin/v-update-sys-rrd-pgsql \
 
 # apache stuff
     && echo "\nServerName localhost\n" >> /etc/apache2/apache2.conf \
-    && a2enmod headers \
+    && a2enmod headers && a2dismod php7.3 && a2enmod php7.2 \
 
 # download new auto host ssl
     && curl -SL https://raw.githubusercontent.com/serghey-rodin/vesta/master/bin/v-update-host-certificate --output /usr/local/vesta/bin/v-update-host-certificate \

rootfs/etc/fail2ban/filter.d/nginx-403.conf

@@ -0,0 +1,11 @@
+# Fail2Ban filter for nginx request flood
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403
+
+ignoreregex =

rootfs/etc/fail2ban/filter.d/nginx-404.conf

@@ -0,0 +1,11 @@
+# Fail2Ban filter for nginx request flood
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404
+
+ignoreregex =

rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf

@@ -8,5 +8,6 @@ before = common.conf
 [Definition]
 failregex = ^ \[error\] \d+#\d+: .*limiting requests.*, client: <HOST>, server: \S+, request: "POST /xmlrpc.php.*$
             ^ \[error\] \d+#\d+: .*limiting requests.*, client: <HOST>, server: \S+, request: .*$
+            ^ \[error\] \d+#\d+: .*access forbidden by.*, client: <HOST>, server: \S+, request: .*$
 
 ignoreregex = 

rootfs/etc/fail2ban/jail.new

@@ -91,6 +91,27 @@ enabled  = true
 action   = vesta[name=WEB]
 filter   = nginx-limit-req
 logpath  = /var/log/apache2/domains/*.error.log
-findtime = 60
-maxretry = 6
+# 10 flood error within 10 minutes, ban for 20 minutes
+findtime = 600
+maxretry = 10
+bantime  = 1200
+
+[nginx-404]
+enabled  = false
+action   = vesta[name=WEB]
+filter   = nginx-404
+logpath  = /var/log/apache2/domains/*.log
+# 20 errors 404 within 2 minutes, ban for 20 minutes
+findtime = 120
+maxretry = 20
+bantime  = 1200
+
+[nginx-403]
+enabled  = false
+action   = vesta[name=WEB]
+filter   = nginx-403
+logpath  = /var/log/apache2/domains/*.log
+# 20 errors 403 within 2 minutes, ban for 20 minutes
+findtime = 120
+maxretry = 20
 bantime  = 1200

rootfs/etc/my_init.d/startup.sh

@@ -43,6 +43,9 @@ fi
 # make sure runit services are running across restart
 find /etc/service/ -name "down" -exec rm -rf {} \;
 
+# make sure mysql log is available for fail2ban
+touch /var/log/mysql/error.log
+
 # starting Vesta
 if [ -f /home/admin/bin/my-startup.sh ]; then
     echo "[i] running /home/admin/bin/my-startup.sh"

rootfs/etc/nginx/nginx.new

@@ -119,7 +119,7 @@ http {
 
 
     # create bruceforce/flood rate limit
-    limit_req_zone              $binary_remote_addr zone=flood:15m rate=5r/s;
+    limit_req_zone              $binary_remote_addr zone=flood:15m rate=10r/m;
 
 
     # create fastcgi cache defaults
@@ -146,15 +146,14 @@ http {
     # Cache bypass
     map $http_cookie $no_cache {
         default 0;
-        ~SESS 1;
         ~wordpress_logged_in 1;
-        ~CONCRETE5 1;
         ~wp-postpass 1;
         ~comment_author 1;
     }
 
 
-    # Pagespeed
+    # Pagespeed (unplugged or disable by default)
+    pagespeed           unplugged;
     pagespeed           FileCachePath /var/ngx_pagespeed_cache;
 
 

rootfs/sysprepz/nginx-templates/php-fpm.stpl

@@ -35,6 +35,10 @@ server {
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
+
+        if ($no_cache = 1) {
+            pagespeed Disallow "*";
+        }
     }
 
     error_page  403 /error/404.html;

rootfs/sysprepz/nginx-templates/php-fpm.tpl

@@ -38,7 +38,12 @@ server {
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
+
+        if ($no_cache = 1) {
+            pagespeed Disallow "*";
+        }
     }
+
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

rootfs/sysprepz/nginx-templates/wordpress.stpl

@@ -15,6 +15,7 @@ server {
         set $site "%docroot%";
     }
     root $site;
+    pagespeed on;
 
     # captures wp-login and xmlrpc requests and set rate limit
     location ~ (wp-login|xmlrpc)\.php {
@@ -27,6 +28,7 @@ server {
         fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
 
         include fastcgi_params;
+        pagespeed unplugged;
     }
 
     # only cache GET method
@@ -71,9 +73,13 @@ server {
         fastcgi_cache           fpm_%domain%;
         fastcgi_cache_valid     404     1m;
         fastcgi_cache_valid     200     45m;
+
+        if ($no_cache = 1) {
+            pagespeed Disallow "*";
+        }
     }
 
-    location ~ /\.|wp-config\.php { 
+    location ~ /wp-config\.php { 
         deny all;
         log_not_found off;
         access_log off;

rootfs/sysprepz/nginx-templates/wordpress.tpl

@@ -14,6 +14,7 @@ server {
         set $site "%docroot%";
     }
     root $site;
+    pagespeed on;
 
     # captures wp-login and xmlrpc requests and set rate limit
     location ~ (wp-login|xmlrpc)\.php {
@@ -26,6 +27,7 @@ server {
         fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
 
         include fastcgi_params;
+        pagespeed unplugged;
     }
 
     # only cache GET method
@@ -70,9 +72,13 @@ server {
         fastcgi_cache           fpm_%domain%;
         fastcgi_cache_valid     404     1m;
         fastcgi_cache_valid     200     45m;
+
+        if ($no_cache = 1) {
+            pagespeed Disallow "*";
+        }
     }
 
-    location ~ /\.|wp-config\.php { 
+    location ~ /wp-config\.php { 
         deny all;
         log_not_found off;
         access_log off;