@corro
Last active December 8, 2022 18:23
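#!/bin/bash
#
# Provision a Debian host for ILIAS: install packages, harden MariaDB, PHP and
# Apache defaults, install a pinned unzip and PhantomJS, write the ilServer
# systemd unit and the cron/logrotate templates.
#
# Must run as root. apt-get stays interactive (no -y), as in the original.
# Downloaded artifacts go into a temporary directory that is removed on exit.
#
# Configuration (edit the defaults below or export before running):
#   ILIAS_SETUP_IP     - IP/CIDR allowed to reach $ILIAS_DIR/setup (required)
#   UNZIP_DEB_SHA256   - expected sha256 of the unzip .deb (empty = unverified)
#   PHANTOMJS_SHA256   - expected sha256 of the PhantomJS tarball (empty = unverified)
set -euo pipefail

ILIAS_DIR="/var/www/ilias"
ILIAS_DATA_DIR="/var/iliasdata/ilias"
# An empty value would write "Require ip" with no argument into ilias.conf,
# which Apache refuses to load; checked below before anything is changed.
ILIAS_SETUP_IP="${ILIAS_SETUP_IP:-}"
ILIAS_UPLOAD_LIMIT="500M"
ILIAS_SESSION_LIFETIME="3600"
# Expected sha256 sums of the downloads; leave empty to skip verification.
UNZIP_DEB_SHA256="${UNZIP_DEB_SHA256:-}"
PHANTOMJS_SHA256="${PHANTOMJS_SHA256:-}"

: "${ILIAS_SETUP_IP:?must be set to the IP/CIDR allowed to reach the ILIAS setup directory}"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Verify a downloaded file against an expected sha256 sum.
# Arguments: $1 - path of the file
#            $2 - expected hex digest; empty skips the check with a warning
# Returns:   0 when verified or skipped; exits via die on mismatch
#######################################
verify_sha256() {
  local file=$1
  local expected=$2
  if [[ -z "$expected" ]]; then
    printf 'warning: no checksum configured for %s, download not verified\n' "$file" >&2
    return 0
  fi
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --quiet - \
    || die "checksum mismatch for $file"
}

# Scratch directory for downloads; removed on any exit path.
workdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "$workdir"; }
trap cleanup EXIT

# Ensure dependencies are installed
apt-get install \
mariadb-server \
apache2 \
php7.0 \
libapache2-mod-php7.0 \
libapache2-mod-xsendfile \
openjdk-8-jre-headless \
imagemagick \
htmldoc \
php7.0-cli \
php7.0-mysql \
php7.0-xsl \
php-pear \
php7.0-curl \
php7.0-gd \
php-apcu \
php7.0-xmlrpc \
php7.0-soap \
php7.0-zip \
php7.0-ldap \
php7.0-mbstring \
curl \
git \
mimetex \
ffmpeg \
node-less
# Set sql_mode to NO_ENGINE_SUBSTITUTION (only once, so re-runs do not
# append a duplicate line after every [mysqld] section)
if ! grep -q '^sql_mode' /etc/mysql/mariadb.conf.d/50-server.cnf; then
  sed -i '/\[mysqld\]/a sql_mode = NO_ENGINE_SUBSTITUTION' /etc/mysql/mariadb.conf.d/50-server.cnf
fi
# Disable exposure of PHP version
sed -i 's/expose_php\s*=\s*.*$/expose_php = off/g' /etc/php/7.0/apache2/php.ini
# Enforce secure SSL defaults (quoted delimiter: nothing in this file expands)
cat << 'EOF' > /etc/apache2/conf-available/secure-ssl.conf
<IfModule mod_ssl.c>
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
<IfVersion >= 2.4>
SSLUseStapling On
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
</IfVersion>
</IfModule>
EOF
# Activate secure SSL config
a2enconf secure-ssl
# Ensure hardened Apache defaults (replaces the Debian-shipped security.conf)
cat << 'EOF' > /etc/apache2/conf-available/security.conf
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
# AllowOverride None
# Order Deny,Allow
# Deny from all
#</Directory>
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
TraceEnable Off
#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
# Require all denied
#</DirectoryMatch>
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
EOF
# Activate hardened Apache defaults
a2enconf security
# Install unzip from Debian. The mirror is reached over plain HTTP, so the
# checksum (when configured) is the only integrity control on this package.
# -f makes curl fail on an HTTP error instead of saving the error page as the .deb.
curl -fsSL -o "$workdir/unzip.deb" \
http://ftp.ch.debian.org/debian/pool/main/u/unzip/unzip_6.0-16+deb8u3_amd64.deb
verify_sha256 "$workdir/unzip.deb" "$UNZIP_DEB_SHA256"
dpkg -i "$workdir/unzip.deb"
# Pin version of unzip
cat << EOF > /etc/apt/preferences.d/unzip
Package: unzip
Pin: version 6.0-16+deb8u3
Pin-Priority: 1000
EOF
# Install zip separately
apt-get install zip
# Install PhantomJS
curl -fsSL -o "$workdir/phantomjs.tar.bz2" \
https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2
verify_sha256 "$workdir/phantomjs.tar.bz2" "$PHANTOMJS_SHA256"
tar xf "$workdir/phantomjs.tar.bz2" -C "$workdir"
install -m 0755 "$workdir/phantomjs-2.1.1-linux-x86_64/bin/phantomjs" /usr/local/bin/phantomjs
# Add ilias configuration for apache (unquoted delimiter: $ILIAS_* expand here)
cat << EOF > /etc/apache2/conf-available/ilias.conf
<IfModule mod_xsendfile.c>
XSendFilePath $ILIAS_DIR
XSendFilePath $ILIAS_DATA_DIR
</IfModule>
<Directory $ILIAS_DIR>
AllowOverride All
Options -Indexes
# custom headers
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
</Directory>
<Directory $ILIAS_DIR/.git>
Require all denied
</Directory>
<Directory $ILIAS_DIR/setup>
Require ip $ILIAS_SETUP_IP
</Directory>
EOF
# Activate ilias configuration
a2enconf ilias
# Add PHP configuration for ILIAS
cat << EOF > /etc/php/7.0/mods-available/ilias.ini
; Configuration for ILIAS php
; priority=99
max_execution_time = 900
memory_limit = 200M
display_errors = Off
post_max_size = $ILIAS_UPLOAD_LIMIT
upload_max_filesize = $ILIAS_UPLOAD_LIMIT
max_input_time = 900
max_input_vars = 10000
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = $ILIAS_SESSION_LIFETIME
session.hash_function = 0
error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED & ~E_STRICT
sendmail_path = /usr/sbin/sendmail -t -i
apc.enabled = 1
apc.shm_size = 128M
apc.shm_segments = 1
opcache.memory_consumption = 128
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 4000
EOF
cat << EOF > /etc/php/7.0/mods-available/ilias-cli.ini
; Configuration for ILIAS php (CLI)
; priority=99
memory_limit = 1000M
error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED & ~E_STRICT
; Disable garbage collection due to problems with ILIAS ActiveRecords
zend.enable_gc = Off
EOF
# Enable PHP configuration for ILIAS (Apache)
phpenmod -s apache2 ilias
# Enable PHP configuration for ILIAS (CLI)
phpenmod -s cli ilias-cli
# Ensure ilServer service script is present (Systemd). Note: the trailing
# backslashes are line continuations inside the unquoted heredoc, so the
# written unit carries ExecStart on a single line.
cat << EOF > /etc/systemd/system/ilServer.service
[Unit]
Description=ILIAS ilServer
After=syslog.target network.target
[Service]
Type=simple
User=www-data
ExecStart=/usr/bin/java \
-Dfile.encoding=UTF-8 \
-jar $ILIAS_DIR/Services/WebServices/RPC/lib/ilServer.jar \
$ILIAS_DATA_DIR/config/ilServer.ini \
start
[Install]
WantedBy=multi-user.target
EOF
# Activate apache modules (headers is needed by the Header lines in ilias.conf)
a2enmod cgi headers xsendfile rewrite ssl
# Add cron job template. \$VAR stays literal so cron, not this script, expands it;
# the jobs are shipped commented out and must be enabled by hand.
cat << EOF > /etc/cron.d/ilias
USER=cron
PASSWORD=
CLIENT=
# Run ilias cron jobs every 10m
#*/10 * * * * www-data /usr/bin/php $ILIAS_DIR/cron/cron.php \$USER \$PASSWORD \$CLIENT
# Periodically clean up temp dir
#0 4 * * * root [ -d $ILIAS_DATA_DIR/\$CLIENT/temp ] && [ "\$(ls -A $ILIAS_DATA_DIR/\$CLIENT/temp/)" ] && rm -r $ILIAS_DATA_DIR/\$CLIENT/temp/*
EOF
cat << EOF > /etc/logrotate.d/ilias
$ILIAS_DATA_DIR/*.log {
daily
rotate 7
missingok
compress
delaycompress
}
EOF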