diff --git a/Dockerfile b/Dockerfile
index 6c6a316..0d7f4f2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -325,10 +325,12 @@ RUN cd /tmp \
 && sed -i "s/FcgidConnectTimeout 20/FcgidMaxRequestLen 629145600\n FcgidConnectTimeout 20/" /etc/apache2/mods-available/fcgid.conf \
 # fix docker nginx ips
- && sed -i -e "s/\%ip\%\:\%proxy\_port\%\;/\%proxy\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \
- && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%\;/\%proxy\_ssl\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \
- && sed -i -e "s/\%ip\%\:\%proxy\_port\%\;/\%proxy\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.tpl \
- && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%\;/\%proxy\_ssl\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.stpl \
+ && sed -i -e "s/\%ip\%\:\%proxy\_port\%/\%proxy\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \
+ && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%/\%proxy\_ssl\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \
+ && sed -i -e "s/\%ip\%\:\%web\_port\%/\%web\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \
+ && sed -i -e "s/\%ip\%\:\%web\_ssl\_port\%/\%web\_ssl\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \
+ && sed -i -e "s/\%ip\%\:\%proxy\_port\%/\%proxy\_port\%/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.tpl \
+ && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%/\%proxy\_ssl\_port\%/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.stpl \
 && sed -i -e "s/ include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/ include \%home\%\/\%user\%\/web\/\%domain\%\/private\/*.conf;\n include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \
 && sed -i -e "s/ include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/ include \%home\%\/\%user\%\/web\/\%domain\%\/private\/*.conf;\n include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \
 && bash /usr/local/vesta/upd/switch_rpath.sh \
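Review bot: The two added substitutions for `%ip%:%web_port%` and `%ip%:%web_ssl_port%` are not anchored to `listen`, so if the stock Vesta proxy templates' `proxy_pass http://%ip%:%web_port%;` line is still present in these `*.tpl`/`*.stpl` files at this point of the build they rewrite it to `proxy_pass http://%web_port%;`, which nginx reads as a hostname rather than a local port and rejects at `nginx -t`. Whether that line survives earlier Dockerfile steps is not visible here, so please confirm against the template contents. If only `listen` lines are meant, anchor the expression, e.g. `s/listen\( *\)%ip%:%web_port%/listen\1%web_port%/g`, and likewise for the ssl port. `sed -i` also succeeds silently when nothing matches, so a build-time guard such as `&& ! grep -rq 'listen *%ip%:' /usr/local/vesta/data/templates/web/nginx/ \` would catch an upstream template change before it yields a config bound to a non-existent container IP. The `RUN` chain starts before and continues after this hunk.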
@@ -348,10 +350,11 @@ RUN cd /tmp \ && sed -i -e "s/\-c \-\-inserts \-O \-x \-f/\-\-inserts \-x \-f/g" /usr/local/vesta/func/db.sh \ && sed -i -e "s/dbuser/DBUSER/g" /usr/local/vesta/func/rebuild.sh \ && sed -i -e "s/ROLE \$DBUSER/ROLE \$DBUSER WITH LOGIN/g" /usr/local/vesta/func/rebuild.sh \ + && sed -i -e "s/plsql/psql/g" /usr/local/vesta/bin/v-update-sys-rrd-pgsql \ # apache stuff && echo "\nServerName localhost\n" >> /etc/apache2/apache2.conf \ - && a2enmod headers \ + && a2enmod headers && a2dismod php7.3 && a2enmod php7.2 \ # download new auto host ssl && curl -SL https://raw.githubusercontent.com/serghey-rodin/vesta/master/bin/v-update-host-certificate --output /usr/local/vesta/bin/v-update-host-certificate \ diff --git a/rootfs/etc/fail2ban/filter.d/nginx-403.conf b/rootfs/etc/fail2ban/filter.d/nginx-403.conf new file mode 100644 index 0000000..acbf38c --- /dev/null +++ b/rootfs/etc/fail2ban/filter.d/nginx-403.conf @@ -0,0 +1,11 @@ +# Fail2Ban filter for nginx request flood +# + +[INCLUDES] + +before = common.conf + +[Definition] +failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" 403 + +ignoreregex = diff --git a/rootfs/etc/fail2ban/filter.d/nginx-404.conf b/rootfs/etc/fail2ban/filter.d/nginx-404.conf new file mode 100644 index 0000000..7952ebf --- /dev/null +++ b/rootfs/etc/fail2ban/filter.d/nginx-404.conf @@ -0,0 +1,11 @@ +# Fail2Ban filter for nginx request flood +# + +[INCLUDES] + +before = common.conf + +[Definition] +failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" 404 + +ignoreregex = diff --git a/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf b/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf index 913e65c..e928289 100644 --- a/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf +++ b/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf 
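Review bot: The new `a2dismod php7.3 && a2enmod php7.2` pins the image to PHP 7.2, which no longer receives upstream security fixes, so the reason for the downgrade (presumably Vesta compatibility) should sit next to it, e.g. `# PHP 7.2 pinned for Vesta compatibility; EOL upstream, revisit when Vesta supports 7.3+`. On Debian's `a2dismod`, a module that was never installed appears to produce an error exit rather than "already disabled", which would break the build on a base image without php7.3; `a2dismod php7.3 || true` keeps the step tolerant if that is acceptable. The trailing-context `curl` of `v-update-host-certificate` from the `master` branch is unpinned and unchecked, so what lands in `/usr/local/vesta/bin` depends on that repository's state at build time; a commit SHA in the URL plus a `sha256sum -c` would make it reproducible. The `RUN` chain starts before this hunk.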
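Review bot: As rendered here, `failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" 403` contains no `<HOST>` tag, and fail2ban refuses to load a filter without one; if the page stripped the angle brackets, disregard this, otherwise the line should read `^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403`. Independently, the two unbounded `.*` let the match run across log fields; binding the status to the end of the request token, `^<HOST> -.*"(GET|POST|HEAD)[^"]*HTTP/\d\.\d" 403 `, avoids a `403` elsewhere on the line triggering a hit. Scanners also use `PUT`, `OPTIONS` and `PROPFIND`, which the method list lets through. A header comment naming the log format this expects (`combined`-style access log, one request per line) would help the next maintainer, and the copied `# Fail2Ban filter for nginx request flood` header should say `403 responses` instead.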
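Review bot: Twenty 404s in two minutes, which is what this filter feeds, is routinely produced by one browser loading a page whose theme references missing images, fonts or source maps, so the empty `ignoreregex` will ban ordinary visitors as soon as the jail is switched on. Excluding static-asset requests, e.g. `ignoreregex = \.(?:png|jpe?g|gif|ico|css|js|map|woff2?|svg)(?:\?\S*)? HTTP/`, keeps the jail focused on path probing. As rendered here the `failregex` also lacks the `<HOST>` tag; if the page stripped it, ignore this, otherwise fail2ban will reject the filter at jail start. The header `# Fail2Ban filter for nginx request flood` is copied from the limit-req filter and should describe 404 scanning.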
@@ -8,5 +8,6 @@ before = common.conf [Definition] failregex = ^ \[error\] \d+#\d+: .*limiting requests.*, client: , server: \S+, request: "POST /xmlrpc.php.*$ ^ \[error\] \d+#\d+: .*limiting requests.*, client: , server: \S+, request: .*$ + ^ \[error\] \d+#\d+: .*access forbidden by.*, client: , server: \S+, request: .*$ ignoreregex = diff --git a/rootfs/etc/fail2ban/jail.new b/rootfs/etc/fail2ban/jail.new index d8e0bc6..309fa4c 100644 --- a/rootfs/etc/fail2ban/jail.new +++ b/rootfs/etc/fail2ban/jail.new @@ -91,6 +91,27 @@ enabled = true action = vesta[name=WEB] filter = nginx-limit-req logpath = /var/log/apache2/domains/*.error.log -findtime = 60 -maxretry = 6 +# 10 flood error within 10 minutes, ban for 20 minutes +findtime = 600 +maxretry = 10 +bantime = 1200 + +[nginx-404] +enabled = false +action = vesta[name=WEB] +filter = nginx-404 +logpath = /var/log/apache2/domains/*.log +# 20 errors 404 within 2 minutes, ban for 20 minutes +findtime = 120 +maxretry = 20 +bantime = 1200 + +[nginx-403] +enabled = false +action = vesta[name=WEB] +filter = nginx-403 +logpath = /var/log/apache2/domains/*.log +# 20 errors 403 within 2 minutes, ban for 20 minutes +findtime = 120 +maxretry = 20 bantime = 1200 diff --git a/rootfs/etc/my_init.d/startup.sh b/rootfs/etc/my_init.d/startup.sh index 29ce50a..1354a3e 100755 --- a/rootfs/etc/my_init.d/startup.sh +++ b/rootfs/etc/my_init.d/startup.sh @@ -43,6 +43,9 @@ fi # make sure runit services are running across restart find /etc/service/ -name "down" -exec rm -rf {} \; +# make sure mysql log is available for fail2ban +touch /var/log/mysql/error.log + # starting Vesta if [ -f /home/admin/bin/my-startup.sh ]; then echo "[i] running /home/admin/bin/my-startup.sh" diff --git a/rootfs/etc/nginx/nginx.new b/rootfs/etc/nginx/nginx.new index 1fb7feb..14c4ede 100644 --- a/rootfs/etc/nginx/nginx.new +++ b/rootfs/etc/nginx/nginx.new 
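Review bot: `logpath = /var/log/apache2/domains/*.log` in both new jails also matches the `*.error.log` files that the `nginx-limit-req` jail reads, so fail2ban tails every error log with an access-log regex that does not fit their format and can never match there; a plain glob cannot exclude them, so either name the access logs more specifically if Vesta's log naming allows it, or note the cost in the comment. The comment `# 10 flood error within 10 minutes, ban for 20 minutes` should read `# 10 rate-limit errors within 10 minutes, ban for 20 minutes`. Both new jails default to `enabled = false`, which is the right default given the 404 thresholds, but a one-line comment such as `# off by default: tune maxretry/ignoreregex per site before enabling` would stop someone flipping them on untuned.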
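Review bot: `touch /var/log/mysql/error.log` creates the file as root with the shell's umask when it does not already exist, and silently does nothing useful if `/var/log/mysql` is missing (touch fails and the script carries on unless it runs under `set -e`, which is not visible here). The database daemon runs as an unprivileged user, so a root-owned file it cannot append to means no error log is written and the fail2ban jail this is meant to feed stays blind. Creating the directory and handing the file to the daemon's user is safer: `install -d -o mysql -g adm -m 750 /var/log/mysql && touch /var/log/mysql/error.log && chown mysql:adm /var/log/mysql/error.log`. The exact owner and group should be checked against the user `mysqld` runs as in this image.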
@@ -119,7 +119,7 @@ http { # create bruceforce/flood rate limit - limit_req_zone $binary_remote_addr zone=flood:15m rate=5r/s; + limit_req_zone $binary_remote_addr zone=flood:15m rate=10r/m; # create fastcgi cache defaults @@ -146,15 +146,14 @@ http { # Cache bypass map $http_cookie $no_cache { default 0; - ~SESS 1; ~wordpress_logged_in 1; - ~CONCRETE5 1; ~wp-postpass 1; ~comment_author 1; } - # Pagespeed + # Pagespeed (unplugged or disable by default) + pagespeed unplugged; pagespeed FileCachePath /var/ngx_pagespeed_cache; diff --git a/rootfs/sysprepz/nginx-templates/php-fpm.stpl b/rootfs/sysprepz/nginx-templates/php-fpm.stpl index d1e0b0b..854fc19 100644 --- a/rootfs/sysprepz/nginx-templates/php-fpm.stpl +++ b/rootfs/sysprepz/nginx-templates/php-fpm.stpl @@ -35,6 +35,10 @@ server { fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; + + if ($no_cache = 1) { + pagespeed Disallow "*"; + } } error_page 403 /error/404.html; diff --git a/rootfs/sysprepz/nginx-templates/php-fpm.tpl b/rootfs/sysprepz/nginx-templates/php-fpm.tpl index e689810..f24e011 100644 --- a/rootfs/sysprepz/nginx-templates/php-fpm.tpl +++ b/rootfs/sysprepz/nginx-templates/php-fpm.tpl @@ -38,7 +38,12 @@ server { fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; + + if ($no_cache = 1) { + pagespeed Disallow "*"; + } } + error_page 403 /error/404.html; error_page 404 /error/404.html; diff --git a/rootfs/sysprepz/nginx-templates/wordpress.stpl b/rootfs/sysprepz/nginx-templates/wordpress.stpl index cd26a9d..91f0cc7 100644 --- a/rootfs/sysprepz/nginx-templates/wordpress.stpl +++ b/rootfs/sysprepz/nginx-templates/wordpress.stpl @@ -15,6 +15,7 @@ server { set $site "%docroot%"; } root $site; + pagespeed on; # captures wp-login and xmlrpc requests and set rate limit location ~ (wp-login|xmlrpc)\.php { 
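Review bot: `rate=10r/m` on the `flood` zone allows one request every six seconds per client address, and unless the `limit_req` directive that consumes this zone (not visible here; the WordPress templates apply it to `wp-login.php` and `xmlrpc.php`) carries a `burst=`, every second request inside that window is rejected with a 503. Loading `wp-login.php` and submitting the form within six seconds is enough to hit it, and each rejection writes a `limiting requests` line, so with `maxretry = 10` in the limit-req jail ordinary retries can end in a ban. Pair the lower rate with a small burst on the consumer, e.g. `limit_req zone=flood burst=5 nodelay;`, and record the intended numbers in the comment: `# bruteforce/flood limit: 10 req/min sustained per IP, small burst on the consumer`. The `http {}` block continues outside this hunk.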
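Review bot: Dropping `~SESS 1;` and `~CONCRETE5 1;` from the `$no_cache` map means requests carrying a Drupal (`SESS*`/`SSESS*`) or Concrete5 session cookie are no longer marked as uncacheable. If `$no_cache` also drives `fastcgi_cache_bypass`/`fastcgi_no_cache` for the `fpm_%domain%` cache the templates use (those directives are not in view), an authenticated Drupal or Concrete5 page can be stored in the cache and served to anonymous visitors, which is a session/content leak rather than a performance tweak. Unless those platforms are deliberately unsupported on this image, keep both entries; if the goal was only to narrow what disables PageSpeed, give that its own map instead of reusing this one. The map closes in this hunk, but the `http {}` block continues outside it.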
@@ -27,6 +28,7 @@ server { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; + pagespeed unplugged; } # only cache GET method @@ -71,9 +73,13 @@ server { fastcgi_cache fpm_%domain%; fastcgi_cache_valid 404 1m; fastcgi_cache_valid 200 45m; + + if ($no_cache = 1) { + pagespeed Disallow "*"; + } } - location ~ /\.|wp-config\.php { + location ~ /wp-config\.php { deny all; log_not_found off; access_log off; diff --git a/rootfs/sysprepz/nginx-templates/wordpress.tpl b/rootfs/sysprepz/nginx-templates/wordpress.tpl index d360581..3720364 100644 --- a/rootfs/sysprepz/nginx-templates/wordpress.tpl +++ b/rootfs/sysprepz/nginx-templates/wordpress.tpl @@ -14,6 +14,7 @@ server { set $site "%docroot%"; } root $site; + pagespeed on; # captures wp-login and xmlrpc requests and set rate limit location ~ (wp-login|xmlrpc)\.php { @@ -26,6 +27,7 @@ server { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; + pagespeed unplugged; } # only cache GET method @@ -70,9 +72,13 @@ server { fastcgi_cache fpm_%domain%; fastcgi_cache_valid 404 1m; fastcgi_cache_valid 200 45m; + + if ($no_cache = 1) { + pagespeed Disallow "*"; + } } - location ~ /\.|wp-config\.php { + location ~ /wp-config\.php { deny all; log_not_found off; access_log off;
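Review bot: Narrowing `location ~ /\.|wp-config\.php` to `location ~ /wp-config\.php` removes the `deny all` for every dot-path, so `/.git/config`, `/.htaccess`, `/.env`, `/.svn/entries` and editor backups such as `/.wp-config.php.swp` under the docroot become fetchable as static files over HTTPS. If the motive was Let's Encrypt's `/.well-known/acme-challenge/`, carve that out rather than dropping the rule: `location ~ /\.(?!well-known/)|wp-config\.php {`. Separately, this regex location comes after the PHP handler block whose `fastcgi_cache` lines open the hunk, and nginx uses the first matching regex location, so a request for `wp-config.php` is presumably handled there before this `deny` is reached; that is pre-existing, but worth fixing by moving the deny above the PHP block. The `server {}` block continues outside this hunk.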
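Review bot: The plain-HTTP template makes the same regression as its TLS counterpart: `location ~ /wp-config\.php` no longer covers `/\.`, so hidden files and directories in the docroot (`.git`, `.htaccess`, `.env`, `.svn`, `.*.swp`) are served as static content, and over HTTP they are also exposed to anyone on the path. Keep the dot-path deny and exempt only what needs to be reachable, `location ~ /\.(?!well-known/)|wp-config\.php {`, or add a dedicated `location ^~ /.well-known/ { allow all; }` above it if the ACME challenge path is the reason for the change. Please confirm that nothing else in the template or an included `private/*.conf` re-adds the dot-file deny; none is visible in this hunk. The `server {}` block continues outside this hunk.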