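#!/usr/bin/env bash
#
# Provision a Debian-based host for ILIAS (PHP 7.0 generation).
#
# Steps, in order: install packages, set the MariaDB sql_mode, hide the PHP
# version, write hardened Apache TLS/security defaults, install a pinned unzip
# and PhantomJS, write the ILIAS Apache and PHP configuration, the ilServer
# systemd unit, a cron template and a logrotate rule, then run an Apache
# config test. Must run as root. Nothing is restarted; reload Apache,
# MariaDB and systemd units yourself once the script has finished.
#
# Settings (each can be overridden from the environment):
#   ILIAS_DIR               ILIAS web root
#   ILIAS_DATA_DIR          ILIAS data directory (kept outside the web root)
#   ILIAS_SETUP_IP          REQUIRED. IP address or CIDR range allowed to reach
#                           /setup. An empty value would produce a bare
#                           "Require ip" line that Apache rejects, so the
#                           script refuses to run without it.
#   ILIAS_UPLOAD_LIMIT      PHP post_max_size / upload_max_filesize
#   ILIAS_SESSION_LIFETIME  PHP session.gc_maxlifetime in seconds
#   UNZIP_DEB_URL, UNZIP_DEB_SHA256, PHANTOMJS_URL, PHANTOMJS_SHA256
#                           Download locations of the two artifacts fetched
#                           outside of apt and their expected sha256 digests.
#                           A digest is verified when set; when it is unset
#                           the script only warns, because no trusted digest
#                           is recorded here. Set them before relying on this
#                           script in production.

set -euo pipefail

ILIAS_DIR="${ILIAS_DIR:-/var/www/ilias}"
ILIAS_DATA_DIR="${ILIAS_DATA_DIR:-/var/iliasdata/ilias}"
ILIAS_SETUP_IP="${ILIAS_SETUP_IP:-}"
ILIAS_UPLOAD_LIMIT="${ILIAS_UPLOAD_LIMIT:-500M}"
ILIAS_SESSION_LIFETIME="${ILIAS_SESSION_LIFETIME:-3600}"

# unzip is pinned to a jessie security revision (the version ILIAS was known
# to work with); see install_pinned_unzip for the consequences of the pin.
readonly UNZIP_VERSION="6.0-16+deb8u3"
UNZIP_DEB_URL="${UNZIP_DEB_URL:-https://ftp.ch.debian.org/debian/pool/main/u/unzip/unzip_${UNZIP_VERSION}_amd64.deb}"
UNZIP_DEB_SHA256="${UNZIP_DEB_SHA256:-}"

readonly PHANTOMJS_VERSION="2.1.1"
PHANTOMJS_URL="${PHANTOMJS_URL:-https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-${PHANTOMJS_VERSION}-linux-x86_64.tar.bz2}"
PHANTOMJS_SHA256="${PHANTOMJS_SHA256:-}"

readonly PHP_INI_DIR="/etc/php/7.0"
readonly APACHE_CONF_DIR="/etc/apache2/conf-available"

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Download a URL to a file, failing on HTTP errors instead of saving the
# error page as if it were the artifact.
# Arguments: $1 - URL, $2 - destination path
#######################################
fetch() {
  local url=$1 dest=$2
  curl -fsSL -o "$dest" -- "$url" || die "download failed: $url"
}

#######################################
# Check a downloaded file against an expected sha256 digest.
# Arguments: $1 - file, $2 - expected hex digest (empty = not known)
# Returns:   0 when the digest matches or none was given; exits otherwise.
#######################################
verify_sha256() {
  local file=$1 expected=$2
  if [[ -z "$expected" ]]; then
    printf 'warning: no sha256 configured for %s; its integrity is NOT verified\n' \
      "$file" >&2
    return 0
  fi
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --quiet - \
    || die "sha256 mismatch for $file"
}

#######################################
# Install the distribution packages ILIAS needs. Non-interactive so the
# script can run unattended.
#######################################
install_packages() {
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get install -y \
    mariadb-server \
    apache2 \
    php7.0 \
    libapache2-mod-php7.0 \
    libapache2-mod-xsendfile \
    openjdk-8-jre-headless \
    imagemagick \
    htmldoc \
    php7.0-cli \
    php7.0-mysql \
    php7.0-xsl \
    php-pear \
    php7.0-curl \
    php7.0-gd \
    php-apcu \
    php7.0-xmlrpc \
    php7.0-soap \
    php7.0-zip \
    php7.0-ldap \
    php7.0-mbstring \
    curl \
    git \
    mimetex \
    ffmpeg \
    node-less
}

#######################################
# Set sql_mode = NO_ENGINE_SUBSTITUTION under [mysqld]. Guarded so a second
# run does not append the line again.
#######################################
configure_mariadb() {
  local cnf=/etc/mysql/mariadb.conf.d/50-server.cnf
  if ! grep -q '^sql_mode = NO_ENGINE_SUBSTITUTION' "$cnf"; then
    sed -i '/\[mysqld\]/a sql_mode = NO_ENGINE_SUBSTITUTION' "$cnf"
  fi
}

#######################################
# Stop PHP from advertising its version in the X-Powered-By header.
#######################################
configure_php_global() {
  sed -i 's/expose_php\s*=\s*.*$/expose_php = off/g' "$PHP_INI_DIR/apache2/php.ini"
}

#######################################
# Write and enable the TLS defaults. The heredoc is quoted: nothing in it
# is meant to be expanded by this shell, and ${APACHE_RUN_DIR} must reach
# Apache literally (Debian's envvars defines it).
#######################################
write_ssl_defaults() {
  cat <<'EOF' > "$APACHE_CONF_DIR/secure-ssl.conf"
<IfModule mod_ssl.c>
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 and newer only.
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on
    <IfVersion >= 2.4>
        SSLUseStapling On
        # Keep the stapling cache under Apache's run directory rather than in
        # world-writable /tmp.
        SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
    </IfVersion>
</IfModule>
EOF
  a2enconf secure-ssl
}

#######################################
# Replace Debian's security.conf with hardened defaults: no server
# version in headers or error pages, TRACE disabled. The heredoc is quoted
# because the content contains no shell variables.
#######################################
write_apache_security_defaults() {
  cat <<'EOF' > "$APACHE_CONF_DIR/security.conf"
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
#   AllowOverride None
#   Order Deny,Allow
#   Deny from all
#</Directory>

# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
ServerSignature Off

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
TraceEnable Off

#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
EOF
  a2enconf security
}

#######################################
# Install the pinned unzip package and hold it at that version.
#
# CAVEAT: Pin-Priority 1000 freezes unzip at a jessie security revision.
# That blocks every later unzip security update from apt; revisit the pin
# whenever ILIAS no longer needs this exact version.
# Arguments: $1 - scratch directory for the download
#######################################
install_pinned_unzip() {
  local tmpdir=$1
  local deb="$tmpdir/unzip.deb"
  fetch "$UNZIP_DEB_URL" "$deb"
  verify_sha256 "$deb" "$UNZIP_DEB_SHA256"
  dpkg -i "$deb"
  cat <<EOF > /etc/apt/preferences.d/unzip
Package: unzip
Pin: version $UNZIP_VERSION
Pin-Priority: 1000
EOF
  # zip is installed separately, after the pin, so apt cannot pull a newer
  # unzip alongside it.
  apt-get install -y zip
}

#######################################
# Install the PhantomJS binary into /usr/local/bin.
#
# CAVEAT: PhantomJS is no longer maintained and the historical download
# location may disappear; treat this as a legacy requirement and set
# PHANTOMJS_SHA256 so the binary you deploy is at least the one you expect.
# Arguments: $1 - scratch directory for the download
#######################################
install_phantomjs() {
  local tmpdir=$1
  local tarball="$tmpdir/phantomjs.tar.bz2"
  fetch "$PHANTOMJS_URL" "$tarball"
  verify_sha256 "$tarball" "$PHANTOMJS_SHA256"
  tar -xjf "$tarball" -C "$tmpdir"
  install -m 0755 \
    "$tmpdir/phantomjs-${PHANTOMJS_VERSION}-linux-x86_64/bin/phantomjs" \
    /usr/local/bin/phantomjs
}

#######################################
# Write and enable the ILIAS Apache configuration: X-Sendfile paths,
# directory options and response headers, no access to the git checkout,
# and /setup reachable only from ILIAS_SETUP_IP.
# Globals: ILIAS_DIR, ILIAS_DATA_DIR, ILIAS_SETUP_IP (read)
#######################################
write_ilias_apache_conf() {
  cat <<EOF > "$APACHE_CONF_DIR/ilias.conf"
<IfModule mod_xsendfile.c>
    XSendFilePath $ILIAS_DIR
    XSendFilePath $ILIAS_DATA_DIR
</IfModule>

<Directory $ILIAS_DIR>
    AllowOverride All
    Options -Indexes
    # custom headers (X-XSS-Protection is kept for old browsers; current ones
    # no longer implement it)
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
</Directory>

# Never serve the repository metadata of the checkout.
<Directory $ILIAS_DIR/.git>
    Require all denied
</Directory>

# The setup wizard can reconfigure the installation; restrict it to the
# administrator's address(es).
<Directory $ILIAS_DIR/setup>
    Require ip $ILIAS_SETUP_IP
</Directory>
EOF
  a2enconf ilias
}

#######################################
# Write and enable the PHP settings for the Apache SAPI and the CLI.
# Globals: ILIAS_UPLOAD_LIMIT, ILIAS_SESSION_LIFETIME (read)
#######################################
write_ilias_php_conf() {
  cat <<EOF > "$PHP_INI_DIR/mods-available/ilias.ini"
; Configuration for ILIAS php
; priority=99
max_execution_time = 900
memory_limit = 200M
display_errors = Off
post_max_size = $ILIAS_UPLOAD_LIMIT
upload_max_filesize = $ILIAS_UPLOAD_LIMIT
max_input_time = 900
max_input_vars = 10000
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = $ILIAS_SESSION_LIFETIME
; 0 selects MD5 for session id generation; the setting was removed in PHP 7.1.
session.hash_function = 0
; Keep the session cookie out of reach of script access even if the
; application forgets to set the flag itself.
session.cookie_httponly = 1
error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED & ~E_STRICT
sendmail_path = /usr/sbin/sendmail -t -i
apc.enabled = 1
apc.shm_size = 128M
apc.shm_segments = 1
opcache.memory_consumption = 128
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 4000
EOF
  cat <<'EOF' > "$PHP_INI_DIR/mods-available/ilias-cli.ini"
; Configuration for ILIAS php (CLI)
; priority=99
memory_limit = 1000M
error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED & ~E_STRICT
; Disable garbage collection due to problems with ILIAS ActiveRecords
zend.enable_gc = Off
EOF
  phpenmod -s apache2 ilias
  phpenmod -s cli ilias-cli
}

#######################################
# Write the ilServer (Lucene RPC server) systemd unit and make systemd
# pick it up. Runs as www-data; NoNewPrivileges stops the Java process
# from gaining privileges through setuid helpers.
# Globals: ILIAS_DIR, ILIAS_DATA_DIR (read)
#######################################
write_ilserver_unit() {
  cat <<EOF > /etc/systemd/system/ilServer.service
[Unit]
Description=ILIAS ilServer
After=network.target

[Service]
Type=simple
User=www-data
NoNewPrivileges=true
ExecStart=/usr/bin/java -Dfile.encoding=UTF-8 -jar $ILIAS_DIR/Services/WebServices/RPC/lib/ilServer.jar $ILIAS_DATA_DIR/config/ilServer.ini start

[Install]
WantedBy=multi-user.target
EOF
  # A new unit file is invisible to systemd until it re-reads its config.
  systemctl daemon-reload
}

#######################################
# Enable the Apache modules the ILIAS configuration relies on (mod_headers
# for the Header directives, mod_xsendfile, mod_rewrite for .htaccess, ssl).
#######################################
enable_apache_modules() {
  a2enmod cgi headers xsendfile rewrite ssl
}

#######################################
# Write the cron template. It is mode 0600: PASSWORD is a credential and
# /etc/cron.d files are world-readable by default. Note that cron.php still
# receives the password on its command line, where other local users can
# read it from the process list while the job runs, so use an ILIAS
# account that can do nothing but run cron jobs.
# Globals: ILIAS_DIR, ILIAS_DATA_DIR (read)
#######################################
write_cron_template() {
  cat <<EOF > /etc/cron.d/ilias
# ILIAS cron template: fill in the variables, then uncomment the jobs.
USER=cron
PASSWORD=
CLIENT=
# Run ilias cron jobs every 10m
#*/10 * * * * www-data /usr/bin/php $ILIAS_DIR/cron/cron.php \$USER \$PASSWORD \$CLIENT
# Periodically clean up temp dir (\${CLIENT:?} makes the job abort instead of
# operating on the wrong directory when CLIENT is left empty)
#0 4 * * * root [ -d $ILIAS_DATA_DIR/\${CLIENT:?}/temp ] && [ "\$(ls -A $ILIAS_DATA_DIR/\$CLIENT/temp/)" ] && rm -r $ILIAS_DATA_DIR/\${CLIENT:?}/temp/*
EOF
  chmod 0600 /etc/cron.d/ilias
}

#######################################
# Rotate the ILIAS log files daily, keeping one week.
# Globals: ILIAS_DATA_DIR (read)
#######################################
write_logrotate() {
  cat <<EOF > /etc/logrotate.d/ilias
$ILIAS_DATA_DIR/*.log {
    daily
    rotate 7
    missingok
    compress
    delaycompress
}
EOF
}

main() {
  [[ $EUID -eq 0 ]] || die "this script must run as root"
  [[ -n "$ILIAS_SETUP_IP" ]] \
    || die "ILIAS_SETUP_IP must be set to the IP/CIDR allowed to reach /setup"

  local tmpdir
  tmpdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$tmpdir"' EXIT

  install_packages
  configure_mariadb
  configure_php_global
  enable_apache_modules
  write_ssl_defaults
  write_apache_security_defaults
  install_pinned_unzip "$tmpdir"
  install_phantomjs "$tmpdir"
  write_ilias_apache_conf
  write_ilias_php_conf
  write_ilserver_unit
  write_cron_template
  write_logrotate

  # Fail here, not on the next Apache restart, if any generated config is bad.
  apache2ctl configtest
}

main "$@"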