Skip to content

Instantly share code, notes, and snippets.

@btray77

btray77/Instructions

Forked from jonathonbyrdziak/Instructions
Last active August 29, 2015 14:01
Show Gist options
  • Save btray77/aff9197ce83807ee82a0 to your computer and use it in GitHub Desktop.
Save btray77/aff9197ce83807ee82a0 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Instructions
############################################################
# locking down the ssh system next.
# see http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/
useradd YOURNAME
passwd YOURNAME
############################################################
# some good things in this repo
# @see http://fedoraproject.org/wiki/EPEL
cd /tmp && rpm -Uph http://download.fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
##rpm -Uvh http://mirror.webtatic.com/yum/el6/latest.rpm
sudo yum -y install yum-plugin-replace
sudo yum -y replace php-common --replace-with=php54w-common
############################################################
# make sure we're working with the latest copy of everything
# and install the LEMP stack packages
yum update
sudo yum --enablerepo=remi install nginx php-common php gd gd-devel php-mcrypt php-xml php-devel php-imap php-soap php-mbstring php-mhash php-simplexml php-dom php-gd php-pear php-pecl-imagick php-magickwand gcc curl php-curl mod_ssl pcre-devel php-pdo
############################################################
# Turning off a bunch of stuff that's not needed for this server
# and then turning on the few items that we do want.
sudo chkconfig NetworkManager off
sudo chkconfig NetworkManagerDispatcher off
sudo chkconfig anacron off
sudo chkconfig atd off
sudo chkconfig bluetooth off
sudo chkconfig cpuspeed off
sudo chkconfig cups off
sudo chkconfig gpm off
sudo chkconfig hidd off
sudo chkconfig ip6tables off
sudo chkconfig irda off
sudo chkconfig mdmonitor off
sudo chkconfig mdmpd off
sudo chkconfig pcscd off
sudo chkconfig portmap off
sudo chkconfig yum-updatesd off
sudo chkconfig smartd off
sudo chkconfig sshd on
sudo chkconfig nginx on
sudo chkconfig mysqld on
sudo service smartd stop
sudo service NetworkManager stop
sudo service NetworkManagerDispatcher stop
sudo service anacron stop
sudo service atd stop
sudo service bluetooth stop
sudo service cpuspeed stop
sudo service cups stop
sudo service gpm stop
sudo service hidd stop
sudo service ip6tables stop
sudo service irda stop
sudo service mdmonitor stop
sudo service mdmpd stop
sudo service pcscd stop
sudo service portmap stop
sudo service yum-updatesd stop
sudo service mysqld start
sudo service php-fpm start
sudo service nginx start
sudo service varnish start
sudo service vsftpd start
############################################################
# configuring the mysql server
# NOTICE: the my-huge.cnf file sets aside a lot of resources
#
#cp /etc/my.cnf /etc/my.cnf.bkp && cp /usr/share/mysql/my-huge.cnf /etc/my.cnf
#mysql_install_db
#mysqladmin -u root password SOMEPASSWORD
#
############################################################
# only if you're going to be setting up virtual hosts
# Mod Macro makes VirtualHosts a Breeze
#
#wget http://www.coelho.net/mod_macro/mod_macro-latest.tar.gz
#tar -zxvf mod_macro-latest.tar.gz
#apxs -c -i -a mod_macro-1.1.11/mod_macro.c
#
#touch /home/vhosts.conf
#
############################################################
# my mod macro scripts are also saved here. take a second and post them
# to the /etc/httpd/conf.d directory.
#
#mkdir /home/default && mkdir /home/default/logs && mkdir /home/default/web && mkdir /home/default/web/cgi-bin && mkdir /home/default/web/webroot
#
#touch /home/default/web/webroot/index.html
#
############################################################
# Installing phpmyadmin
#
#wget http://downloads.sourceforge.net/project/phpmyadmin/phpMyAdmin/3.4.5/phpMyAdmin-3.4.5-english.tar.gz?r=&ts=1318233825&use_mirror=superb-dca2
#
#tar -C /home/default/ -zxvf phpMyAdmin-3.4.5-english.tar.gz
#mv /home/default/phpMyAdmin-3.4.5-english /home/default/phpmyadmin
#
############################################################
# I use github for everything
#
#yum install git-core
#mkdir ~/.ssh && cd ~/.ssh
#ssh-keygen -t rsa -C "your_email@youremail.com"
#
############################################################
# After adding the key to your github account you can test your connection like this
#
#ssh -T git@github.com
#git config --global user.name "Firstname Lastname"
#git config --global user.email "your_email@youremail.com"
#git config --global github.user username
#git config --global github.token 0123456789yourf0123456789token
#
############################################################
# create your users default directory setup
#
#mkdir /etc/skel/www.example.com && mkdir /etc/skel/www.example.com/logs && mkdir /etc/skel/www.example.com/web && mkdir /etc/skel/www.example.com/web/cgi-bin && mkdir /etc/skel/www.example.com/web/webroot
#
#touch /etc/skel/www.example.com/web/webroot/index.php
#
############################################################
# create your users
#
#useradd production
#passwd production
#
#usermod -a -G apache production
#usermod -a -G ftp production
#
#
############################################################
# A few other packages that I like to use
# Xdebug
pear install pecl/xdebug
# IonCube
cd /tmp && wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz
tar -zxvf ioncube_loaders_lin_x86-64.tar.gz
cp ioncube/loader-wizard.php /home/default/web/webroot
mv ioncube /usr/src
# Paste the following line into your php.ini
# zend_extension=/usr/src/ioncube/ioncube_loader_lin_5.3.so
vi /etc/php.ini
service httpd restart
http://xxx.xxx.xxx.xxx/loader-wizard.php
rm -f /home/default/web/webroot/loader-wizard.php
# APC
pecl install apc
# add the following two lines to this file
# ; Enable APC extension module
# extension=apc.so
vi /etc/php.d/apc.ini
############################################################
# It's time to install magento
# Find the latest magento files here
# http://www.magentocommerce.com/wiki/groups/227/installing_magento_via_shell_ssh
wget http://somewhere/magento-1.2.1.2.tar.bz2
wget http://somewhere/magento-sample-data-1.2.0.tar.bz2
bunzip2 magento-1.2.1.2.tar.bz2
bunzip2 magento-sample-data-1.2.0.tar.bz2
tar xvf magento-sample-data-1.2.0.tar
tar xvf magento-1.2.1.2.tar
mv magento /var/www/html
mv catalog/ /var/www/html/magento/media/
mysqladmin create database magento
mysql magento < magento_sample_data_for_1.2.0.sql
cd /var/www/html/magento
chgrp apache app
chgrp apache downloader
chgrp apache js
chgrp apache lib
chgrp apache media
chgrp apache pkginfo
chgrp apache report
chgrp apache skin
chgrp apache var
############################################################
# Install the magento-cleanup.php script into your web directory, its safer there
# Add the following line to your crontab
# 1 1 * * * php /home/production/www.example.com/web/magento-cleanup.php
crontab -e
############################################################
# generate certificates for the web server:
openssl genrsa -des3 -out $servername.key 2048
openssl rsa -in $servername.key -out $servername.key.insecure
mv $servername.key $servername.key.secure && mv $servername.key.insecure $servername.key
openssl req -new -key $servername.key -out $servername.csr
openssl x509 -req -days 365 -in $servername.csr -signkey $servername.key -out $servername.crt
cp $servername.crt /etc/pki/tls/certs && cp $servername.csr /etc/pki/tls/certs && cp $servername.key /etc/pki/tls/private
Raw
iptables only
# Revised by Brad
# Oritinal author Jonathon byrd
# turn off until you've got it figured out, this way you can reboot and log back in
sudo chkconfig iptables off
/etc/init.d/iptables on
# allow ssh connections before you lock out everybody lol
# keep in mind if you do anything wrong, you can now just reboot
# clear all rules and start with blocking all traffic
sudo iptables -F && sudo iptables -P INPUT ACCEPT && sudo iptables -P OUTPUT ACCEPT && sudo iptables -P FORWARD ACCEPT
### Allow SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
### Allow YUM updates
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 80 --match owner --uid-owner 0 --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 443 --match owner --uid-owner 0 --state NEW,ESTABLISHED -j ACCEPT
### Add your rules form the link above, here
# smtp,imap,http,https,pop3,imaps,pop3s
sudo iptables -A INPUT -i eth0 -p tcp -m multiport --dports 25,143,80,443,110,993,995 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 25,143,80,110,443,993,995 -m state --state NEW,ESTABLISHED -j ACCEPT
## allow dns
sudo iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT && sudo iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# handling pings
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT && sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
sudo iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT && sudo iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
### Allow FTP
iptables -A INPUT -p tcp -m tcp –dport 21 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp –sport 21 -m state –state ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp -m tcp –sport 1024:65535 –dport 1024:65535 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp -m tcp –sport 1024:65535 –dport 1024:65535 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
# manage ddos attacks
sudo iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
## Implement some logging so that we know what's getting dropped
sudo iptables -N LOGGING
sudo iptables -A INPUT -j LOGGING
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
sudo iptables -A LOGGING -j DROP
# once a rule affects traffic then it is no longer managed
# so if the traffic has not been accepted, block it
sudo iptables -A INPUT -j DROP
sudo iptables -I INPUT 1 -i lo -j ACCEPT
sudo iptables -A OUTPUT -j DROP
# allow only internal port forwarding
sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
sudo iptables -P FORWARD DROP
# create an iptables config file
sudo iptables-save > /root/dsl.fw
# sudo vi /etc/rc.local
## Append the following
#/sbin/iptables-restore < sudo /root/dsl.fw
/etc/init.d/iptables save
## check to see if this setting is working great.
sudo service iptables restart
## log out/in testing
sudo chkconfig iptables on
Raw
macro-vhosts-localssl.conf
#
# RedRokk Designed vhosts macro file
# www.redrokk.com
#
# Naming the vhosts here
# | Use VHostLocalSSL $user $host $alias
#
# Use VHostLocalSSL production www.redrokk.com redrokk.com
<Macro VHostLocalSSL $user $host $alias>
<VirtualHost *:443>
# Admin email, Server Name (domain name) and any aliases
ServerName $host
ServerAlias $alias
# Index file and Document Root (where the public files are located)
DocumentRoot /home/$user/$host/web/webroot/
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
LogLevel warn
ErrorLog /home/$user/$host/logs/ssl_error.log
CustomLog /home/$user/$host/logs/ssl_access.log combined
<Directory /home/$user/$host/web/webroot/>
Options All -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
# Configuring the cgi-bin overrides
ScriptAlias /cgi-bin/ /home/$user/$host/cgi-bin/
<Location /home/$user/$host/cgi-bin>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Location>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.localdomain.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.localdomain.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData +StrictRequire
</Files>
<Directory "/home/$user/$host/web/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</Macro>
Raw
macro-vhosts-ssl.conf
#
# RedRokk Designed vhosts macro file
# www.redrokk.com
#
# Naming the vhosts here
# | Use VHostSSL $user $host $alias
#
# Use VHostSSL production www.redrokk.com redrokk.com
<Macro VHostSSL $user $host $alias>
#
# SSL Management
#
<VirtualHost *:443>
# Admin email, Server Name (domain name) and any aliases
ServerName $host
ServerAlias $alias
# Index file and Document Root (where the public files are located)
DocumentRoot /home/$user/$host/web/webroot
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
LogLevel warn
ErrorLog /home/$user/$host/logs/ssl_error.log
CustomLog /home/$user/$host/logs/ssl_access.log combined
<Directory /home/$user/$host/web/webroot/>
Options All -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
# Configuring the cgi-bin overrides
ScriptAlias /cgi-bin/ /home/$user/$host/cgi-bin/
<Location /home/$user/$host/cgi-bin>
SSLOptions +StdEnvVars
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Location>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/$host.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/$host.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile /etc/pki/tls/certs/$host.bundle.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData +StrictRequire
</Files>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</Macro>
Raw
macro-vhosts.conf
#
# RedRokk Designed vhosts macro file
# www.redrokk.com
#
# Naming the vhosts here
# | Use VHost $user $host $alias
#
# Use VHost production www.redrokk.com redrokk.com
<Macro VHost $user $host $alias>
<VirtualHost *:80>
# Admin email, Server Name (domain name) and any aliases
ServerName $host
ServerAlias $alias
# Index file and Document Root (where the public files are located)
DocumentRoot /home/$user/$host/web/webroot/
<Directory /home/$user/$host/web/webroot/>
Options All -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
# Custom log file locations
LogLevel warn
ErrorLog /home/$user/$host/logs/error.log
CustomLog /home/$user/$host/logs/access.log combined
# Configuring the cgi-bin overrides
ScriptAlias /cgi-bin/ /home/$user/$host/cgi-bin/
<Location /home/$user/$host/cgi-bin>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Location>
</VirtualHost>
</Macro>
Raw
magento-cleanup.php
<?php
$basepath = dirname(__file__).'/webroot/';
$xml = simplexml_load_file($basepath.'app/etc/local.xml', NULL, LIBXML_NOCDATA);
$db['host'] = $xml->global->resources->default_setup->connection->host;
$db['name'] = $xml->global->resources->default_setup->connection->dbname;
$db['user'] = $xml->global->resources->default_setup->connection->username;
$db['pass'] = $xml->global->resources->default_setup->connection->password;
$db['pref'] = $xml->global->resources->db->table_prefix;
clean_log_tables();
clean_var_directory();
function clean_log_tables() {
global $db;
$tables = array(
'dataflow_batch_export',
'dataflow_batch_import',
'log_customer',
'log_quote',
'log_summary',
'log_summary_type',
'log_url',
'log_url_info',
'log_visitor',
'log_visitor_info',
'log_visitor_online',
'report_event'
);
mysql_connect($db['host'], $db['user'], $db['pass']) or die(mysql_error());
mysql_select_db($db['name']) or die(mysql_error());
foreach($tables as $v => $k) {
mysql_query('TRUNCATE `'.$db['pref'].$k.'`') or die(mysql_error());
}
}
function clean_var_directory() {
$dirs = array(
$basepath.'downloader/pearlib/cache/*',
$basepath.'downloader/pearlib/download/*',
$basepath.'var/cache/',
$basepath.'var/log/',
$basepath.'var/report/',
$basepath.'var/session/',
$basepath.'var/tmp/'
);
foreach($dirs as $v => $k) {
exec("rm -rf $k && mkdir $k && chmod -R 0777 $k");
}
}
Raw
vhosts-default.conf
# 5Twenty Studios Designed vhosts file
# www.5twentystudios.com
# domain: www.5twentystudios.com
# public: /home/default/web/webroot
NameVirtualHost *:80
<VirtualHost _default_:80>
# Admin email, Server Name (domain name) and any aliases
ServerName ${SERVER_ADDR}
# Index file and Document Root (where the public files are located)
DocumentRoot /home/default/web/webroot
<Directory /home/default/web/webroot/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
# Custom log file locations
LogLevel warn
ErrorLog /home/default/logs/error.log
CustomLog /home/default/logs/access.log combined
# Configuring the cgi-bin overrides
ScriptAlias /cgi-bin/ /home/default/web/cgi-bin/
<Location /home/default/web/cgi-bin>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Location>
</VirtualHost>
#
# SSL Management
#
NameVirtualHost *:443
<VirtualHost _default_:443>
# Admin email, Server Name (domain name) and any aliases
ServerName ${SERVER_ADDR}
# Index file and Document Root (where the public files are located)
DocumentRoot /home/default/web/webroot
<Directory /home/default/web/webroot/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
# Custom log file locations
LogLevel warn
ErrorLog /home/default/logs/ssl_error.log
CustomLog /home/default/logs/ssl_access.log combined
# Configuring the cgi-bin overrides
ScriptAlias /cgi-bin/ /home/default/web/cgi-bin/
<Location /home/default/web/cgi-bin>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Location>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData +StrictRequire
</Files>
<Directory "/home/default/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
<VirtualHost *:443>
# Admin email, Server Name (domain name) and any aliases
ServerName phpmyadmin.redrokk.com
# Index file and Document Root (where the public files are located)
DocumentRoot /home/default/phpmyadmin/
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
LogLevel warn
ErrorLog /home/default/logs/pma.ssl_error.log
CustomLog /home/default/logs/pma.ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData +StrictRequire
</Files>
<Directory "/home/default/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
#
# Load Virtual Host Files
# Normally this is where I declare all of my mod macro calls
# The rest of your Virtual Hosts should be declared after your defaults here
#
Include /home/vhosts.conf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment