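# install ubuntu 17.10 minimal, then:
# as root (or sudo :P)
#
# Part 1 of 3: base packages, third-party PPAs, Apache 2.4 (event MPM +
# PHP-FPM), PHP 7.2, MySQL/PostgreSQL/SQLite, Redis, memcached and the
# "webmaster" account. Run the commands in order as root.
apt-get update
# The header package must match the running kernel; quoting keeps an odd
# `uname -r` value from word-splitting into extra package names.
apt-get install -y "linux-headers-$(uname -r)" build-essential
apt-get -y upgrade
apt-get install -y build-essential software-properties-common curl dos2unix gcc libc-dev g++ git libmcrypt4 \
    libpcre3-dev ntp unzip make autoconf python2.7-dev python-pip re2c supervisor unattended-upgrades whois \
    vim libnotify-bin pv cifs-utils pkg-config

# Supply-chain note: these are third-party PPAs. Adding them means trusting
# their signing keys for every package they ship, including replacements for
# Ubuntu's own apache2, php and redis packages.
apt-add-repository ppa:ondrej/apache2 -y
apt-add-repository ppa:ondrej/php -y
apt-add-repository ppa:chris-lea/redis-server -y
apt-add-repository ppa:certbot/certbot -y
apt-get update

# libapache2-mod-php7.2 is deliberately NOT installed: PHP runs as php-fpm
# behind mpm_event/proxy_fcgi (see a2enmod below), not as an Apache module.
#
# The original also passed --allow-remove-essential and
# --allow-change-held-packages here. The first lets apt remove packages the
# system needs to boot without asking; neither is needed for these PPAs on a
# fresh install, so both are dropped. --allow-downgrades is kept in case a
# PPA carries an older build than the Ubuntu archive.
apt-get install -y --allow-downgrades \
    apache2 certbot python-certbot-apache php-pear \
    mysql-server postgresql sqlite3 libsqlite3-dev imagemagick redis-server memcached \
    php7.2-cli php7.2-fpm php7.2-dev php7.2-curl php7.2-mbstring php7.2-xml php7.2-zip php7.2-bcmath \
    php7.2-soap php7.2-intl php7.2-readline php7.2-memcached php7.2-mysql php7.2-gmp \
    php7.2-imagick php7.2-pgsql php7.2-sqlite3 php7.2-enchant php7.2-pspell
# Nothing in this gist hardens the freshly installed MySQL server; run
# mysql_secure_installation (or equivalent) before exposing anything.

service apache2 stop
# php7.2 only exists as an Apache module if libapache2-mod-php7.2 was
# installed (it was not, see above); a2dismod reports that it does not
# exist. mpm_prefork is the one that actually needs disabling for mpm_event.
a2dismod php7.2 mpm_prefork
# "ssl" is added to the original list: the SSL vhost is wrapped in
# <IfModule mod_ssl.c> and is silently skipped unless the module is enabled,
# and http2 is, in practice, only negotiated by browsers over TLS.
a2enmod ssl mpm_event proxy_fcgi setenvif http2 rewrite actions alias headers
a2dissite 000-default
# <SITE_DEFAULT>/<SITE_SSL>: the vhost files you placed under
# /etc/apache2/sites-available (see the accompanying configs).
a2ensite <SITE_DEFAULT>
a2ensite <SITE_SSL>
phpenmod fileinfo curl mbstring xml zip bcmath soap intl readline memcached mysqli gmp imagick pdo pgsql sqlite3
# Interactive: prompts for a password and GECOS fields. The account gets a
# login shell here; part 3 shows how to disable the login again afterwards.
adduser webmaster
chsh -s /bin/bash webmaster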
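# as webmaster (Part 2 of 3: Composer, PHPUnit, phpMyAdmin)
# Every step below still uses sudo, so the account must be able to sudo;
# part 1 creates webmaster without adding it to the sudo group, so either
# run these from a sudo-capable account or grant that first.
su webmaster
# Work in a private scratch directory: `su` without "-" keeps root's cwd,
# which webmaster cannot write to, and predictable names in /tmp are unsafe.
workdir=$(mktemp -d)
cd "$workdir"

# Install Composer. Do not pipe the installer straight into php: download
# it, compare it with the SHA-384 the Composer project publishes for the
# current installer, and run it only on a match.
expected_sha384=$(curl -sS https://composer.github.io/installer.sig)
curl -sS -o composer-setup.php https://getcomposer.org/installer
[ "$(php -r 'echo hash_file("sha384", "composer-setup.php");')" = "$expected_sha384" ] \
    && php composer-setup.php \
    && sudo mv composer.phar /usr/local/bin/composer
rm -f composer-setup.php

# Put Composer's global vendor/bin on webmaster's PATH. The "$PATH" inside
# the single-quoted format string is written literally to .profile on purpose.
composer_home=$(sudo su - webmaster -c 'composer config -g home 2>/dev/null')
printf '\nPATH="%s/vendor/bin:$PATH"\n' "$composer_home" >> /home/webmaster/.profile

# Install global PHPUnit. phar.phpunit.de publishes a detached GPG signature
# next to each phar; verify it before installing (the PHPUnit release-signing
# key must already be in the keyring — see the PHPUnit documentation on
# verifying PHAR releases).
wget -nv https://phar.phpunit.de/phpunit.phar https://phar.phpunit.de/phpunit.phar.asc
gpg --verify phpunit.phar.asc phpunit.phar \
    && chmod +x phpunit.phar \
    && sudo mv phpunit.phar /usr/local/bin/phpunit
rm -f phpunit.phar phpunit.phar.asc
phpunit --version

# phpMyAdmin, pinned to 4.7.7 (current when the gist was written — check the
# project's release notes for a newer version before deploying). The download
# site publishes a .sha256 next to each tarball; compare it before unpacking.
# This guards against a corrupted or substituted download fetched over the
# same channel, not a compromised mirror — the .asc signature is the
# stronger check if you have the release key.
pma_ver=4.7.7
pma_tar="phpMyAdmin-${pma_ver}-all-languages.tar.gz"
pma_url="https://files.phpmyadmin.net/phpMyAdmin/${pma_ver}"
wget -nv "${pma_url}/${pma_tar}" "${pma_url}/${pma_tar}.sha256"
[ "$(sha256sum "$pma_tar" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "${pma_tar}.sha256")" ] \
    && tar -xzf "$pma_tar" \
    && sudo mv "phpMyAdmin-${pma_ver}-all-languages" /usr/share/phpmyadmin
rm -f "$pma_tar" "${pma_tar}.sha256"
# Composer executes package scripts and plugins, so it should not run as
# root. The extracted tree is owned by the account that ran tar above, so
# no sudo is needed here (the original ran `sudo composer install`).
cd /usr/share/phpmyadmin/ && composer install --no-dev --no-interaction --prefer-dist
cd / && rm -rf -- "${workdir:?}"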
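# back as root (Part 3 of 3: start services, obtain the certificate)
systemctl start php7.2-fpm
systemctl enable php7.2-fpm
# The SSL vhost enabled in part 1 references
# /etc/letsencrypt/live/<DIR>/{fullchain,privkey}.pem, which do not exist
# until certbot has run — and Apache refuses to start with a missing
# SSLCertificateFile. So bring Apache up with plain HTTP only, obtain the
# certificate through the webroot, then enable the SSL site.
a2dissite <SITE_SSL>
apache2ctl configtest && systemctl start apache2
# The original also passed --redirect --hsts --staple-ocsp. Those are
# installer options; with "certonly" certbot does not touch the Apache
# config, so they had no effect. The HTTP->HTTPS redirect, HSTS and OCSP
# stapling are configured by hand in the vhost files instead.
# --must-staple is a certificate-request option and is kept: note that it
# makes a working staple mandatory for clients that honour the extension.
certbot certonly --must-staple --webroot -w <DIR> -d <DOMAIN> [ -w <DIR> -d <DOMAIN>]
a2ensite <SITE_SSL>
apache2ctl configtest && systemctl reload apache2
systemctl status apache2.service
systemctl status php7.2-fpm.service
# Renewal is driven by the timer the certbot package ships (certbot.timer),
# which runs certbot.service; check both.
systemctl status certbot.timer
systemctl status certbot.service
# disable webmaster login
#chsh -s /usr/sbin/nologin webmaster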
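# HTTP vhost: keeps the ACME challenge path reachable and sends everything
# else for the canonical host name to HTTPS.
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    # RewriteCond takes two arguments (test string, pattern); the rendered
    # original ran them together as "%{SERVER_NAME}=<YOUR_SERVER_NAME>",
    # which Apache rejects at startup. The "=" prefix means exact match.
    # /.well-known/acme-challenge/ is excluded from the redirect so that
    # `certbot --webroot` can validate before the SSL site is up.
    RewriteCond %{SERVER_NAME} =<YOUR_SERVER_NAME>
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

# phpMyAdmin. This Alias sits outside any <VirtualHost>, so it is served by
# every vhost — including the plain-HTTP one above, where database
# credentials would travel in clear. TLS is therefore required below; also
# consider restricting the source addresses (e.g. "Require ip <ADMIN_IP>")
# instead of granting access to all.
Alias /phpmyadmin "/usr/share/phpmyadmin/"
<Directory "/usr/share/phpmyadmin/">
    # Apache 2.4 authorization only; the 2.2-style "Order allow,deny" /
    # "Allow from all" lines from the original depend on mod_access_compat
    # and are dropped.
    Require all granted
    <IfModule mod_ssl.c>
        SSLRequireSSL
    </IfModule>
</Directory>
# Nothing under libraries/ or the Composer vendor/ tree is meant to be
# requested directly.
<Directory "/usr/share/phpmyadmin/libraries/">
    Require all denied
</Directory>
<Directory "/usr/share/phpmyadmin/vendor/">
    Require all denied
</Directory>

# PHP-FPM: hand every *.php request to the php7.2-fpm unix socket.
<FilesMatch "\.php$">
    SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
</FilesMatch>
# Empty proxy block kept from the original; pool settings (ProxySet ...)
# for fcgi://localhost/ would go here.
<Proxy "fcgi://localhost/">
</Proxy>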
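<IfModule mod_ssl.c>
    # Server-level stapling cache; must stay outside any <VirtualHost>.
    Include /etc/apache2/sites-ssl.conf

    # Catch-all TLS vhost. "ServerAlias *" means every Host/SNI name lands
    # here, but the certificate only covers the names certbot was given, so
    # any other name fails the client's name check.
    <VirtualHost *:443>
        ServerAlias *
        # NB: the :80 vhost serves /var/www/html; this one serves its parent.
        # TODO(review): confirm /var/www rather than /var/www/html is intended.
        DocumentRoot /var/www
        ServerAdmin webmaster@localhost

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # mod_http2 is enabled in the provisioning script, but h2 is only
        # offered when a Protocols line lists it (needs mpm_event, which
        # the script also enables).
        Protocols h2 http/1.1

        # <DIR> here is the certbot lineage name (by default the first -d
        # domain passed to certbot), not the webroot directory given to -w.
        SSLCertificateFile /etc/letsencrypt/live/<DIR>/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/<DIR>/privkey.pem
        Include /etc/apache2/letsencrypt-ssl-apache.conf
    </VirtualHost>

    # AllowOverride All lets any .htaccess under /var/www change handlers,
    # options and access control — whoever can write there controls how the
    # server treats that tree. Directory listings are switched off.
    <Directory /var/www>
        Options -Indexes
        AllowOverride All
    </Directory>
</IfModule>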
# /etc/apache2/sites-ssl.conf — OCSP stapling cache. SSLStaplingCache is a
# server-config directive and is Included from outside any <VirtualHost>
# (inside <IfModule mod_ssl.c>); SSLUseStapling in the vhost baseline
# relies on it being set.
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
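# Baseline settings to Include for SSL sites
# in <VirtualHost *:443> (SSLCertificateFile/KeyFile stay in the vhost)
SSLEngine on

# Protocols and ciphers: Mozilla "modern"-style profile — TLS 1.2 only,
# AEAD/SHA-2 ECDHE suites, server preference enforced, no compression.
# The older Let's Encrypt list is kept commented for reference only; it
# still allowed TLS 1.0/1.1 and 3DES.
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# mozilla
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire

# OCSP stapling (cache is defined server-wide in sites-ssl.conf). The
# provisioning script requests the certificate with --must-staple, so
# clients that honour that extension will refuse a handshake without a
# fresh staple: a failing OCSP fetch becomes an outage, not a degradation.
# ReturnResponderErrors off avoids stapling responder errors themselves.
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

# Log formats that carry the vhost name (%v). The original "vhost_combined"
# omitted %v despite its name and the comment above it; fixed here.
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure cookies have "Secure" set. The original pattern appended
# "; Secure" unconditionally, so cookies that already carried it got it
# twice; the negative lookahead only appends when the attribute is absent.
# (HttpOnly is deliberately not forced: some cookies must be readable by JS.)
Header edit Set-Cookie (?i)^((?!.*;\s*secure\b).*)$ "$1; Secure"

# HSTS: 6 months, all subdomains. "preload" asks browsers to hard-code the
# policy; inclusion in the preload list is effectively irreversible and has
# its own minimum max-age — keep the token only if you intend to submit.
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
# Exposes Resource Timing details for every resource to scripts on any origin.
Header set Timing-Allow-Origin: "*"
# ETag is unset as in the original (reason not given there; presumably to
# avoid file-metadata-derived validators — caching falls back to Last-Modified).
Header unset ETag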