From 73c6ee381442b13a5b763c4a65409f097c0aa815 Mon Sep 17 00:00:00 2001 From: noogen Date: Mon, 29 Apr 2019 01:17:46 -0500 Subject: [PATCH 1/8] fix ssl issue --- rootfs/sysprepz/nginx-templates/wordpress.stpl | 2 +- rootfs/sysprepz/nginx-templates/wordpress.tpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rootfs/sysprepz/nginx-templates/wordpress.stpl b/rootfs/sysprepz/nginx-templates/wordpress.stpl index cd26a9d..76d3c32 100644 --- a/rootfs/sysprepz/nginx-templates/wordpress.stpl +++ b/rootfs/sysprepz/nginx-templates/wordpress.stpl @@ -73,7 +73,7 @@ server { fastcgi_cache_valid 200 45m; } - location ~ /\.|wp-config\.php { + location ~ /wp-config\.php { deny all; log_not_found off; access_log off; diff --git a/rootfs/sysprepz/nginx-templates/wordpress.tpl b/rootfs/sysprepz/nginx-templates/wordpress.tpl index d360581..5223f09 100644 --- a/rootfs/sysprepz/nginx-templates/wordpress.tpl +++ b/rootfs/sysprepz/nginx-templates/wordpress.tpl @@ -72,7 +72,7 @@ server { fastcgi_cache_valid 200 45m; } - location ~ /\.|wp-config\.php { + location ~ /wp-config\.php { deny all; log_not_found off; access_log off; From 3c77785061d61d20fb7a625c5e85bc21c38b056a Mon Sep 17 00:00:00 2001 From: noogen Date: Mon, 29 Apr 2019 14:17:06 -0500 Subject: [PATCH 2/8] add ban for too many 403 and 404 --- rootfs/etc/fail2ban/filter.d/nginx-403.conf | 11 +++++++++++ rootfs/etc/fail2ban/filter.d/nginx-404.conf | 11 +++++++++++ rootfs/etc/fail2ban/jail.new | 18 ++++++++++++++++++ 3 files changed, 40 insertions(+) create mode 100644 rootfs/etc/fail2ban/filter.d/nginx-403.conf create mode 100644 rootfs/etc/fail2ban/filter.d/nginx-404.conf diff --git a/rootfs/etc/fail2ban/filter.d/nginx-403.conf b/rootfs/etc/fail2ban/filter.d/nginx-403.conf new file mode 100644 index 0000000..acbf38c --- /dev/null +++ b/rootfs/etc/fail2ban/filter.d/nginx-403.conf 
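Review bot: Dropping `/\.` from the pattern removes the only rule that kept dotfiles such as `/.git/`, `/.htaccess`, `/.env` and `/.user.ini` from being served out of the document root; the subject line suggests the motivation was that the old pattern also blocked `/.well-known/acme-challenge/`, which can be fixed without giving up the dotfile deny. Add a prefix location ahead of the deny — `location ^~ /.well-known/ { allow all; }` — and restore `location ~ /\.|wp-config\.php { deny all; … }`; nginx takes the `^~` prefix match for that path and never consults the regex locations. The enclosing `server` block starts and ends outside the hunk.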
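Review bot: Whether this `deny all` is ever reached depends on location order: the block just above it carries `fastcgi_cache_valid` directives and is presumably the `location ~ \.php$` handler, and nginx uses the first regex location that matches in file order, so a request for `/wp-config.php` would be handed to PHP-FPM by that handler before this block is consulted. If that is the layout, move this block above the PHP handler; keeping the unanchored regex is worthwhile because it also covers editor backups such as `/wp-config.php.bak` or `/wp-config.php~`, which `\.php$` would not catch and the static handler would serve as text. The enclosing `server` block starts and ends outside the hunk.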
@@ -0,0 +1,11 @@ +# Fail2Ban filter for nginx request flood +# + +[INCLUDES] + +before = common.conf + +[Definition] +failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" 403 + +ignoreregex = diff --git a/rootfs/etc/fail2ban/filter.d/nginx-404.conf b/rootfs/etc/fail2ban/filter.d/nginx-404.conf new file mode 100644 index 0000000..7952ebf --- /dev/null +++ b/rootfs/etc/fail2ban/filter.d/nginx-404.conf @@ -0,0 +1,11 @@ +# Fail2Ban filter for nginx request flood +# + +[INCLUDES] + +before = common.conf + +[Definition] +failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" 404 + +ignoreregex = diff --git a/rootfs/etc/fail2ban/jail.new b/rootfs/etc/fail2ban/jail.new index d8e0bc6..a1dc302 100644 --- a/rootfs/etc/fail2ban/jail.new +++ b/rootfs/etc/fail2ban/jail.new @@ -94,3 +94,21 @@ logpath = /var/log/apache2/domains/*.error.log findtime = 60 maxretry = 6 bantime = 1200 + +[nginx-404] +enabled = false +action = vesta[name=WEB] +filter = nginx-404 +logpath = /var/log/apache2/domains/*.log +findtime = 60 +maxretry = 20 +bantime = 1200 + +[nginx-403] +enabled = false +action = vesta[name=WEB] +filter = nginx-403 +logpath = /var/log/apache2/domains/*.log +findtime = 60 +maxretry = 20 +bantime = 1200 From c87417071ed3581e8cb26824912fc8da2cd40cdf Mon Sep 17 00:00:00 2001 From: noogen Date: Tue, 30 Apr 2019 16:17:21 -0500 Subject: [PATCH 3/8] update flood security --- rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf | 1 + rootfs/etc/fail2ban/jail.new | 11 +++++++---- rootfs/etc/my_init.d/startup.sh | 3 +++ rootfs/etc/nginx/nginx.new | 2 +- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf b/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf index 913e65c..e928289 100644 --- a/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf +++ b/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf 
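Review bot: As rendered here the pattern begins `^ -.*"` with nothing between `^` and ` -`; fail2ban refuses a filter whose failregex has no `<HOST>` group, so confirm the committed line actually reads `failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403`. The header comment `# Fail2Ban filter for nginx request flood` is copied from the limit-req filter and does not describe this one; replace it with `# Fail2Ban filter: ban clients that accumulate HTTP 403 responses in the nginx access log`. Note that the wp-config `deny all` block in the WordPress templates sets `access_log off`, so 403s produced by that deny never reach the access log this filter reads — only 403s from other sources feed the jail.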
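Review bot: Every 404 counts toward the ban, so one visit to a page with a few dozen missing assets, or a crawler probing `/favicon.ico`, `/robots.txt` and `/apple-touch-icon*.png`, reaches 20 hits well inside the findtime, and clients behind a shared NAT or a CDN/proxy address are banned together. At minimum seed the empty `ignoreregex` with the benign probes, e.g. `ignoreregex = "(GET|HEAD) /(favicon\.ico|robots\.txt|apple-touch-icon[^ ]*) `, and keep the jail opt-in as the jail.new hunk does. As rendered the failregex starts `^ -` with no `<HOST>` token; it must be `^<HOST> -…` for fail2ban to load the filter — presumably lost in rendering, but worth checking.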
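Review bot: `logpath = /var/log/apache2/domains/*.log` also matches the `*.error.log` files the existing nginx-limit-req jail already tails, so each error log is watched twice; the access-log regex will not match error-log lines, so this is only wasted file monitoring, but fail2ban globs cannot exclude a suffix, and a comment should say the wide glob is intentional. Both new sections ship `enabled = false` without saying why; record the reason so nobody flips them on blindly: `# opt-in: 20 errors in the findtime is easily reached by a page with broken asset links or by a shared NAT/proxy address — tune maxretry/ignoreregex before enabling`. The two sections are otherwise consistent with the jail above (`action = vesta[name=WEB]`, `bantime = 1200`).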
@@ -8,5 +8,6 @@ before = common.conf [Definition] failregex = ^ \[error\] \d+#\d+: .*limiting requests.*, client: , server: \S+, request: "POST /xmlrpc.php.*$ ^ \[error\] \d+#\d+: .*limiting requests.*, client: , server: \S+, request: .*$ + ^ \[error\] \d+#\d+: .*access forbidden by.*, client: , server: \S+, request: .*$ ignoreregex = diff --git a/rootfs/etc/fail2ban/jail.new b/rootfs/etc/fail2ban/jail.new index a1dc302..309fa4c 100644 --- a/rootfs/etc/fail2ban/jail.new +++ b/rootfs/etc/fail2ban/jail.new @@ -91,8 +91,9 @@ enabled = true action = vesta[name=WEB] filter = nginx-limit-req logpath = /var/log/apache2/domains/*.error.log -findtime = 60 -maxretry = 6 +# 10 flood error within 10 minutes, ban for 20 minutes +findtime = 600 +maxretry = 10 bantime = 1200 [nginx-404] @@ -100,7 +101,8 @@ enabled = false action = vesta[name=WEB] filter = nginx-404 logpath = /var/log/apache2/domains/*.log -findtime = 60 +# 20 errors 404 within 2 minutes, ban for 20 minutes +findtime = 120 maxretry = 20 bantime = 1200 @@ -109,6 +111,7 @@ enabled = false action = vesta[name=WEB] filter = nginx-403 logpath = /var/log/apache2/domains/*.log -findtime = 60 +# 20 errors 403 within 2 minutes, ban for 20 minutes +findtime = 120 maxretry = 20 bantime = 1200 diff --git a/rootfs/etc/my_init.d/startup.sh b/rootfs/etc/my_init.d/startup.sh index 29ce50a..1354a3e 100755 --- a/rootfs/etc/my_init.d/startup.sh +++ b/rootfs/etc/my_init.d/startup.sh @@ -43,6 +43,9 @@ fi # make sure runit services are running across restart find /etc/service/ -name "down" -exec rm -rf {} \; +# make sure mysql log is available for fail2ban +touch /var/log/mysql/error.log + # starting Vesta if [ -f /home/admin/bin/my-startup.sh ]; then echo "[i] running /home/admin/bin/my-startup.sh" diff --git a/rootfs/etc/nginx/nginx.new b/rootfs/etc/nginx/nginx.new index 1fb7feb..e24fa53 100644 --- a/rootfs/etc/nginx/nginx.new +++ b/rootfs/etc/nginx/nginx.new 
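Review bot: The added line makes the jail fire on `access forbidden by rule`, which nginx logs for every `deny` hit — including any `allow`/`deny` lists site owners place in their own included config fragments — so the filter is no longer only about request flooding, while its name and the `# 10 flood error within 10 minutes` comment in jail.new still say it is; document it, e.g. `# also counts nginx deny hits (403) so repeated probing of denied paths bans the client`. As rendered the new regex reads `client: , server:`; it must be `client: <HOST>, server:` for fail2ban to extract the address, as the two existing lines presumably do. With `maxretry = 10` over `findtime = 600`, ten denied requests in ten minutes now earn a 20-minute ban, which a legitimate user whose IP is missing from an allowlist can trigger by reloading a page.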
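Review bot: `touch /var/log/mysql/error.log` creates a root-owned file under the shell's default umask if it does not exist and fails outright if `/var/log/mysql` is missing; a mysqld running as the `mysql` user then cannot open the file for append, so the error log the mysql jail watches stays empty and nothing ever bans. Use `mkdir -p /var/log/mysql && touch /var/log/mysql/error.log && chown mysql:adm /var/log/mysql/error.log` — `mysql:adm` is what Debian/Ubuntu MySQL packages expect; confirm for this base image. The surrounding startup script continues outside the hunk.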
@@ -119,7 +119,7 @@ http { # create bruceforce/flood rate limit - limit_req_zone $binary_remote_addr zone=flood:15m rate=5r/s; + limit_req_zone $binary_remote_addr zone=flood:15m rate=10r/m; # create fastcgi cache defaults From 455236acea85e23746425c3dac0c79f2c84fb1f2 Mon Sep 17 00:00:00 2001 From: noogen Date: Wed, 1 May 2019 15:14:04 -0500 Subject: [PATCH 4/8] fix typo and update ip override --- Dockerfile | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index ffc522f..6fb3bdb 100644 --- a/Dockerfile +++ b/Dockerfile 
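Review bot: `rate=10r/m` allows one request every six seconds to whatever location uses `zone=flood` (the `(wp-login|xmlrpc)\.php` location in the WordPress templates); a normal login is a GET of wp-login.php, a POST, and usually a redirect back to wp-login.php within a couple of seconds, and Jetpack or the mobile apps hit xmlrpc.php in bursts. Unless the `limit_req zone=flood` directive in the templates carries a `burst=` large enough for that sequence (not visible here), every excess request is rejected and logged as `limiting requests`, which the nginx-limit-req jail turns into a 20-minute ban after ten lines — legitimate users ban themselves. Record the dependency next to the zone: `# 10r/m: relies on limit_req ... burst=N in the vhost templates to absorb a normal login sequence`. The context comment also spells `bruceforce`; it should be `brute-force`.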
@@ -324,10 +324,12 @@ RUN cd /tmp \ && sed -i "s/FcgidConnectTimeout 20/FcgidMaxRequestLen 629145600\n FcgidConnectTimeout 20/" /etc/apache2/mods-available/fcgid.conf \ # fix docker nginx ips - && sed -i -e "s/\%ip\%\:\%proxy\_port\%\;/\%proxy\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \ - && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%\;/\%proxy\_ssl\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \ - && sed -i -e "s/\%ip\%\:\%proxy\_port\%\;/\%proxy\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.tpl \ - && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%\;/\%proxy\_ssl\_port\%\;/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.stpl \ + && sed -i -e "s/\%ip\%\:\%proxy\_port\%/\%proxy\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \ + && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%/\%proxy\_ssl\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \ + && sed -i -e "s/\%ip\%\:\%web\_port\%/\%web\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \ + && sed -i -e "s/\%ip\%\:\%web\_ssl\_port\%/\%web\_ssl\_port\%/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \ + && sed -i -e "s/\%ip\%\:\%proxy\_port\%/\%proxy\_port\%/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.tpl \ + && sed -i -e "s/\%ip\%\:\%proxy\_ssl\_port\%/\%proxy\_ssl\_port\%/g" /usr/local/vesta/data/templates/web/nginx/php-fpm/*.stpl \ && sed -i -e "s/ include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/ include \%home\%\/\%user\%\/web\/\%domain\%\/private\/*.conf;\n include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/g" /usr/local/vesta/data/templates/web/nginx/*.tpl \ && sed -i -e "s/ include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/ include \%home\%\/\%user\%\/web\/\%domain\%\/private\/*.conf;\n include \%home\%\/\%user\%\/conf\/web\/nginx\.\%domain\%/g" /usr/local/vesta/data/templates/web/nginx/*.stpl \ && bash /usr/local/vesta/upd/switch_rpath.sh \ 
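Review bot: If the proxy templates under `nginx/*.tpl` still contain upstream Vesta's `proxy_pass http://%ip%:%web_port%;`, the third and fourth new seds rewrite it to `proxy_pass http://%web_port%;`, which renders as `http://8080;` and is not a resolvable upstream; in stock Vesta the `listen %ip%:%web_port%` form lives in the `php-fpm/` templates, where this hunk only rewrites `%proxy_port%`, so the two pairs look swapped — verify against the actual template text before merging. Independently, these seds fail silently when the upstream text drifts (the dropped trailing `;` in this very commit is an example), so add a post-condition such as `&& ! grep -rl '%ip%:%[a-z_]*port%' /usr/local/vesta/data/templates/web/nginx/ \` so the image build fails instead of producing broken vhosts. The `\%`, `\_` and `\:` escapes are unnecessary in sed BRE; `s/%ip%:%proxy_port%/%proxy_port%/g` is the same expression and easier to audit. The RUN instruction starts and ends outside the hunk.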
@@ -347,6 +349,7 @@ RUN cd /tmp \ && sed -i -e "s/\-c \-\-inserts \-O \-x \-f/\-\-inserts \-x \-f/g" /usr/local/vesta/func/db.sh \ && sed -i -e "s/dbuser/DBUSER/g" /usr/local/vesta/func/rebuild.sh \ && sed -i -e "s/ROLE \$DBUSER/ROLE \$DBUSER WITH LOGIN/g" /usr/local/vesta/func/rebuild.sh \ + && sed -i -e "s/plsql/psql/g" /usr/local/vesta/bin/v-update-sys-rrd-pgsql \ # apache stuff && echo "\nServerName localhost\n" >> /etc/apache2/apache2.conf \ From 22cf41b07e06579756751aedbbf344e1f8fa11ba Mon Sep 17 00:00:00 2001 From: noogen Date: Wed, 1 May 2019 16:26:59 -0500 Subject: [PATCH 5/8] default php 7.2 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 6fb3bdb..ebf681b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -353,7 +353,7 @@ RUN cd /tmp \ # apache stuff && echo "\nServerName localhost\n" >> /etc/apache2/apache2.conf \ - && a2enmod headers \ + && a2enmod headers && a2dismod php7.3 && a2enmod php7.3 \ # download new auto host ssl && curl -SL https://raw.githubusercontent.com/serghey-rodin/vesta/master/bin/v-update-host-certificate --output /usr/local/vesta/bin/v-update-host-certificate \ From be2f9737c6e968e0dbab367ce2d9ced2df6757ec Mon Sep 17 00:00:00 2001 From: noogen Date: Wed, 1 May 2019 16:42:32 -0500 Subject: [PATCH 6/8] fix phpxxadmin --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ebf681b..602ca6b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -353,7 +353,7 @@ RUN cd /tmp \ # apache stuff && echo "\nServerName localhost\n" >> /etc/apache2/apache2.conf \ - && a2enmod headers && a2dismod php7.3 && a2enmod php7.3 \ + && a2enmod headers && a2dismod php7.3 && a2enmod php7.2 \ # download new auto host ssl && curl -SL https://raw.githubusercontent.com/serghey-rodin/vesta/master/bin/v-update-host-certificate --output /usr/local/vesta/bin/v-update-host-certificate \ From 53f53b9ad6a9e24aeedea102463245fb75a809a4 Mon Sep 17 00:00:00 2001 
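Review bot: The Apache PHP version is now pinned in two bare literals on one line with no explanation; the subject `fix phpxxadmin` hints that the bundled phpMyAdmin/phpPgAdmin did not work under 7.3, and that reason belongs in the Dockerfile, e.g. `# Apache runs PHP 7.2: the bundled phpMyAdmin/phpPgAdmin break on 7.3 — re-test before bumping`. Consider `ARG PHP_VERSION=7.2` and `a2enmod php${PHP_VERSION}` so the default can be changed at build time without editing the RUN chain, and treat the pin as temporary since 7.2 is an older branch than the 7.3 it replaces. `a2enmod php7.2` exits non-zero if that module package is absent, which correctly fails the build, but nothing in this hunk shows the 7.2 package being installed — presumably earlier in the file.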
From: noogen Date: Wed, 1 May 2019 17:34:35 -0500 Subject: [PATCH 7/8] disable pagespeed cache on certain url --- rootfs/sysprepz/nginx-templates/php-fpm.stpl | 4 ++++ rootfs/sysprepz/nginx-templates/php-fpm.tpl | 5 +++++ rootfs/sysprepz/nginx-templates/wordpress.stpl | 5 +++++ rootfs/sysprepz/nginx-templates/wordpress.tpl | 5 +++++ 4 files changed, 19 insertions(+) diff --git a/rootfs/sysprepz/nginx-templates/php-fpm.stpl b/rootfs/sysprepz/nginx-templates/php-fpm.stpl index d1e0b0b..854fc19 100644 --- a/rootfs/sysprepz/nginx-templates/php-fpm.stpl +++ b/rootfs/sysprepz/nginx-templates/php-fpm.stpl @@ -35,6 +35,10 @@ server { fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; + + if ($no_cache = 1) { + pagespeed Disallow "*"; + } } error_page 403 /error/404.html; diff --git a/rootfs/sysprepz/nginx-templates/php-fpm.tpl b/rootfs/sysprepz/nginx-templates/php-fpm.tpl index e689810..f24e011 100644 --- a/rootfs/sysprepz/nginx-templates/php-fpm.tpl +++ b/rootfs/sysprepz/nginx-templates/php-fpm.tpl @@ -38,7 +38,12 @@ server { fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; + + if ($no_cache = 1) { + pagespeed Disallow "*"; + } } + error_page 403 /error/404.html; error_page 404 /error/404.html; diff --git a/rootfs/sysprepz/nginx-templates/wordpress.stpl b/rootfs/sysprepz/nginx-templates/wordpress.stpl index 76d3c32..7df4165 100644 --- a/rootfs/sysprepz/nginx-templates/wordpress.stpl +++ b/rootfs/sysprepz/nginx-templates/wordpress.stpl @@ -27,6 +27,7 @@ server { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; + pagespeed unplugged; } # only cache GET method @@ -71,6 +72,10 @@ server { fastcgi_cache fpm_%domain%; fastcgi_cache_valid 404 1m; fastcgi_cache_valid 200 45m; + + if ($no_cache = 1) { + pagespeed Disallow "*"; + } } location ~ /wp-config\.php { 
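Review bot: `pagespeed Disallow "*"` inside an `if` block in the PHP location needs checking with `nginx -t` against the ngx_pagespeed build in the image — if that version does not accept `pagespeed` directives in `if` context, every domain rebuilt from this template fails to load; `pagespeed off;` in the same place is the more common idiom for a per-request bypass and worth comparing. The block also deserves a comment saying what `$no_cache` means here, since the map lives in nginx.conf: `# logged-in users (see the $no_cache cookie map in nginx.conf) get unoptimised responses`. The `server` block starts and ends outside the hunk.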
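Review bot: This location stores responses in `fastcgi_cache fpm_%domain%` for 45 minutes, and the new `if ($no_cache = 1)` only switches PageSpeed off for logged-in cookies; whether logged-in HTML is kept out of that cache depends on `fastcgi_cache_bypass`/`fastcgi_no_cache` using the same `$no_cache` (the `# only cache GET method` section above the hunk may do this, but it is not visible here). If it does not, an author's or admin's page is cached and then served to anonymous visitors — the classic shared-cache leak — so the two bypasses belong side by side with this block: `fastcgi_cache_bypass $no_cache; fastcgi_no_cache $no_cache;`. The `server` block starts and ends outside the hunk.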
diff --git a/rootfs/sysprepz/nginx-templates/wordpress.tpl b/rootfs/sysprepz/nginx-templates/wordpress.tpl index 5223f09..375ae2d 100644 --- a/rootfs/sysprepz/nginx-templates/wordpress.tpl +++ b/rootfs/sysprepz/nginx-templates/wordpress.tpl @@ -26,6 +26,7 @@ server { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; + pagespeed unplugged; } # only cache GET method @@ -70,6 +71,10 @@ server { fastcgi_cache fpm_%domain%; fastcgi_cache_valid 404 1m; fastcgi_cache_valid 200 45m; + + if ($no_cache = 1) { + pagespeed Disallow "*"; + } } location ~ /wp-config\.php { From 240b4e58c5f6a541a6c1fe603d76674f1357a6ea Mon Sep 17 00:00:00 2001 From: noogen Date: Wed, 1 May 2019 17:51:30 -0500 Subject: [PATCH 8/8] disable pagespeed by default --- rootfs/etc/nginx/nginx.new | 5 ++--- rootfs/sysprepz/nginx-templates/wordpress.stpl | 1 + rootfs/sysprepz/nginx-templates/wordpress.tpl | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/rootfs/etc/nginx/nginx.new b/rootfs/etc/nginx/nginx.new index e24fa53..14c4ede 100644 --- a/rootfs/etc/nginx/nginx.new +++ b/rootfs/etc/nginx/nginx.new @@ -146,15 +146,14 @@ http { # Cache bypass map $http_cookie $no_cache { default 0; - ~SESS 1; ~wordpress_logged_in 1; - ~CONCRETE5 1; ~wp-postpass 1; ~comment_author 1; } - # Pagespeed + # Pagespeed (unplugged or disable by default) + pagespeed unplugged; pagespeed FileCachePath /var/ngx_pagespeed_cache; diff --git a/rootfs/sysprepz/nginx-templates/wordpress.stpl b/rootfs/sysprepz/nginx-templates/wordpress.stpl index 7df4165..91f0cc7 100644 --- a/rootfs/sysprepz/nginx-templates/wordpress.stpl +++ b/rootfs/sysprepz/nginx-templates/wordpress.stpl @@ -15,6 +15,7 @@ server { set $site "%docroot%"; } root $site; + pagespeed on; # captures wp-login and xmlrpc requests and set rate limit location ~ (wp-login|xmlrpc)\.php { 
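Review bot: Removing `~SESS 1;` and `~CONCRETE5 1;` means Drupal (`SESS<hash>`) and Concrete5 session cookies no longer set `$no_cache`, yet the generic php-fpm templates changed earlier in this series still gate their logged-in bypass on `$no_cache`, so non-WordPress sites built from those templates lose logged-in detection and, wherever `$no_cache` also feeds a fastcgi cache bypass, risk caching authenticated pages. If the intent is WordPress-only, state it in the comment — `# Cache bypass: WordPress auth cookies only; add session-cookie patterns for other CMSes here` — or simply keep the two patterns, which cost nothing. `pagespeed unplugged;` as the http-level default is the right fail-safe given each WordPress vhost re-enables it explicitly.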
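Review bot: Turning PageSpeed on for the vhost also activates its built-in handler paths (`/pagespeed_admin`, `/ngx_pagespeed_statistics`, `/ngx_pagespeed_message`, `/pagespeed_console` and the beacon/static paths, names varying by ngx_pagespeed version) on every WordPress site; unless something in nginx.new restricts them, the admin and statistics pages can expose configuration, cache contents and recently seen URLs to anyone. Add the guard locations the ngx_pagespeed documentation recommends next to this line — `location ~ ^/(pagespeed_admin|ngx_pagespeed_statistics|ngx_pagespeed_message|pagespeed_console) { allow 127.0.0.1; deny all; }` — and verify with a request from outside once a vhost is rebuilt. A short comment `# PageSpeed is unplugged globally in nginx.conf; enabled here for WordPress only` would make the override obvious to the next reader. The `server` block starts and ends outside the hunk.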
diff --git a/rootfs/sysprepz/nginx-templates/wordpress.tpl b/rootfs/sysprepz/nginx-templates/wordpress.tpl index 375ae2d..3720364 100644 --- a/rootfs/sysprepz/nginx-templates/wordpress.tpl +++ b/rootfs/sysprepz/nginx-templates/wordpress.tpl @@ -14,6 +14,7 @@ server { set $site "%docroot%"; } root $site; + pagespeed on; # captures wp-login and xmlrpc requests and set rate limit location ~ (wp-login|xmlrpc)\.php {