corro/prepare_ilias_server.sh

## prepare_ilias_server.sh
#!/bin/bash
ILIAS_DIR="/var/www/ilias"
ILIAS_DATA_DIR="/var/iliasdata/ilias"
ILIAS_SETUP_IP=
ILIAS_UPLOAD_LIMIT="500M"
ILIAS_SESSION_LIFETIME="3600"

# Ensure dependencies are installed
apt-get install \
  mariadb-server \
  apache2 \
  php7.0 \
  libapache2-mod-php7.0 \
  libapache2-mod-xsendfile \
  openjdk-8-jre-headless \
  imagemagick \
  htmldoc \
  php7.0-cli \
  php7.0-mysql \
  php7.0-xsl \
  php-pear \
  php7.0-curl \
  php7.0-gd \
  php-apcu \
  php7.0-xmlrpc \
  php7.0-soap \
  php7.0-zip \
  php7.0-ldap \
  php7.0-mbstring \
  curl \
  git \
  mimetex \
  ffmpeg \
  node-less

# Set sql_mode to NO_ENGINE_SUBSTITUTION
sed -i '/\[mysqld\]/a sql_mode = NO_ENGINE_SUBSTITUTION' /etc/mysql/mariadb.conf.d/50-server.cnf

# Disable exposure of PHP version
sed -i 's/expose_php\s*=\s*.*$/expose_php = off/g' /etc/php/7.0/apache2/php.ini

# Enforce secure SSL defaults
cat << EOF > /etc/apache2/conf-available/secure-ssl.conf
<IfModule mod_ssl.c>
        SSLProtocol             All -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite          EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

        SSLHonorCipherOrder     on

        <IfVersion >= 2.4>
            SSLUseStapling On
            SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
        </IfVersion>
</IfModule>
EOF
# Activate secure SSL config
a2enconf secure-ssl

# Ensure hardened Apache defaults
cat << EOF > /etc/apache2/conf-available/security.conf
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
#   AllowOverride None
#   Order Deny,Allow
#   Deny from all
#</Directory>


# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
ServerSignature Off

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
TraceEnable Off

#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
EOF
# Activate hardened Apache defaults
a2enconf security

# Install unzip from Debian
curl -L -o unzip.deb \
  http://ftp.ch.debian.org/debian/pool/main/u/unzip/unzip_6.0-16+deb8u3_amd64.deb
dpkg -i unzip.deb

# Pin version of unzip
cat << EOF > /etc/apt/preferences.d/unzip
Package: unzip
Pin: version 6.0-16+deb8u3
Pin-Priority: 1000
EOF

# Install zip seperately
apt-get install zip

# Install PhantomJS
curl -L -o phantomjs.tar.bz2 \
  https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2
tar xf phantomjs.tar.bz2
cp phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/local/bin/phantomjs

# Add ilias configuration for apache
cat << EOF > /etc/apache2/conf-available/ilias.conf
<IfModule mod_xsendfile.c>
    XSendFilePath $ILIAS_DIR
    XSendFilePath $ILIAS_DATA_DIR
</IfModule>

<Directory $ILIAS_DIR>
    AllowOverride All
    Options -Indexes

    # custom headers
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
</Directory>

<Directory $ILIAS_DIR/.git>
    Require all denied
</Directory>

<Directory $ILIAS_DIR/setup>
    Require ip $ILIAS_SETUP_IP
</Directory>
EOF

# Activate ilias configuration
a2enconf ilias

# Add PHP configuration for ILIAS
cat << EOF > /etc/php/7.0/mods-available/ilias.ini
; Configuration for ILIAS php
; priority=99
max_execution_time = 900
memory_limit = 200M
display_errors = Off
post_max_size = $ILIAS_UPLOAD_LIMIT
upload_max_filesize = $ILIAS_UPLOAD_LIMIT
max_input_time = 900
max_input_vars = 10000
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = $ILIAS_SESSION_LIFETIME
session.hash_function = 0
error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED & ~E_STRICT
sendmail_path = /usr/sbin/sendmail -t -i

apc.enabled = 1
apc.shm_size = 128M
apc.shm_segments = 1

opcache.memory_consumption = 128
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 4000
EOF
cat << EOF > /etc/php/7.0/mods-available/ilias-cli.ini
; Configuration for ILIAS php (CLI)
; priority=99
memory_limit = 1000M
error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED & ~E_STRICT
; Disable garbage collection due to problems with ILIAS ActiveRecords
zend.enable_gc = Off
EOF

# Enable PHP configuration for ILIAS (Apache)
phpenmod -s apache2 ilias
# Enable PHP configuration for ILIAS (CLI)
phpenmod -s cli ilias-cli

# Ensure ilServer service script is present (Systemd)
cat << EOF > /etc/systemd/system/ilServer.service
[Unit]
Description=ILIAS ilServer
After=syslog.target network.target

[Service]
Type=simple
User=www-data
ExecStart=/usr/bin/java \
    -Dfile.encoding=UTF-8 \
    -jar $ILIAS_DIR/Services/WebServices/RPC/lib/ilServer.jar \
    $ILIAS_DATA_DIR/config/ilServer.ini \
    start

[Install]
WantedBy=multi-user.target
EOF

# Activate apache modules
a2enmod cgi headers xsendfile rewrite ssl

# Add cron job template
cat << EOF > /etc/cron.d/ilias
USER=cron
PASSWORD=
CLIENT=

# Run ilias cron jobs every 10m
#*/10 * * * * www-data /usr/bin/php $ILIAS_DIR/cron/cron.php \$USER \$PASSWORD \$CLIENT

# Periodically clean up temp dir
#0 4 * * * root [ -d $ILIAS_DATA_DIR/\$CLIENT/temp ] && [ "\$(ls -A $ILIAS_DATA_DIR/\$CLIENT/temp/)" ] && rm -r $ILIAS_DATA_DIR/\$CLIENT/temp/*
EOF

cat << EOF > /etc/logrotate.d/ilias
$ILIAS_DATA_DIR/*.log {
    daily
    rotate 7
    missingok
    compress
    delaycompress
}
EOF
	#!/bin/bash
	ILIAS_DIR="/var/www/ilias"
	ILIAS_DATA_DIR="/var/iliasdata/ilias"
	ILIAS_SETUP_IP=
	ILIAS_UPLOAD_LIMIT="500M"
	ILIAS_SESSION_LIFETIME="3600"

	# Ensure dependencies are installed
	apt-get install \
	mariadb-server \
	apache2 \
	php7.0 \
	libapache2-mod-php7.0 \
	libapache2-mod-xsendfile \
	openjdk-8-jre-headless \
	imagemagick \
	htmldoc \
	php7.0-cli \
	php7.0-mysql \
	php7.0-xsl \
	php-pear \
	php7.0-curl \
	php7.0-gd \
	php-apcu \
	php7.0-xmlrpc \
	php7.0-soap \
	php7.0-zip \
	php7.0-ldap \
	php7.0-mbstring \
	curl \
	git \
	mimetex \
	ffmpeg \
	node-less

	# Set sql_mode to NO_ENGINE_SUBSTITUTION
	sed -i '/\[mysqld\]/a sql_mode = NO_ENGINE_SUBSTITUTION' /etc/mysql/mariadb.conf.d/50-server.cnf

	# Disable exposure of PHP version
	sed -i 's/expose_php\s=\s.*$/expose_php = off/g' /etc/php/7.0/apache2/php.ini

	# Enforce secure SSL defaults
	cat << EOF > /etc/apache2/conf-available/secure-ssl.conf
	<IfModule mod_ssl.c>
	SSLProtocol All -SSLv2 -SSLv3 -TLSv1
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

	SSLHonorCipherOrder on

	<IfVersion >= 2.4>
	SSLUseStapling On
	SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
	</IfVersion>
	</IfModule>
	EOF
	# Activate secure SSL config
	a2enconf secure-ssl

	# Ensure hardened Apache defaults
	cat << EOF > /etc/apache2/conf-available/security.conf
	#
	# Disable access to the entire file system except for the directories that
	# are explicitly allowed later.
	#
	# This currently breaks the configurations that come with some web application
	# Debian packages.
	#
	#<Directory />
	# AllowOverride None
	# Order Deny,Allow
	# Deny from all
	#</Directory>


	# Changing the following options will not really affect the security of the
	# server, but might make attacks slightly more difficult in some cases.

	#
	# ServerTokens
	# This directive configures what you return as the Server HTTP response
	# Header. The default is 'Full' which sends information about the OS-Type
	# and compiled in modules.
	# Set to one of: Full \| OS \| Minimal \| Minor \| Major \| Prod
	# where Full conveys the most information, and Prod the least.
	ServerTokens Prod

	#
	# Optionally add a line containing the server version and virtual host
	# name to server-generated pages (internal error documents, FTP directory
	# listings, mod_status and mod_info output etc., but not CGI generated
	# documents or custom error documents).
	# Set to "EMail" to also include a mailto: link to the ServerAdmin.
	# Set to one of: On \| Off \| EMail
	ServerSignature Off

	#
	# Allow TRACE method
	#
	# Set to "extended" to also reflect the request body (only for testing and
	# diagnostic purposes).
	#
	# Set to one of: On \| Off \| extended
	TraceEnable Off

	#
	# Forbid access to version control directories
	#
	# If you use version control systems in your document root, you should
	# probably deny access to their directories. For example, for subversion:
	#
	#<DirectoryMatch "/\.svn">
	# Require all denied
	#</DirectoryMatch>

	#
	# Setting this header will prevent MSIE from interpreting files as something
	# else than declared by the content type in the HTTP headers.
	# Requires mod_headers to be enabled.
	#
	#Header set X-Content-Type-Options: "nosniff"

	#
	# Setting this header will prevent other sites from embedding pages from this
	# site as frames. This defends against clickjacking attacks.
	# Requires mod_headers to be enabled.
	#
	#Header set X-Frame-Options: "sameorigin"

	# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
	EOF
	# Activate hardened Apache defaults
	a2enconf security

	# Install unzip from Debian
	curl -L -o unzip.deb \
	http://ftp.ch.debian.org/debian/pool/main/u/unzip/unzip_6.0-16+deb8u3_amd64.deb
	dpkg -i unzip.deb

	# Pin version of unzip
	cat << EOF > /etc/apt/preferences.d/unzip
	Package: unzip
	Pin: version 6.0-16+deb8u3
	Pin-Priority: 1000
	EOF

	# Install zip seperately
	apt-get install zip

	# Install PhantomJS
	curl -L -o phantomjs.tar.bz2 \
	https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2
	tar xf phantomjs.tar.bz2
	cp phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/local/bin/phantomjs

	# Add ilias configuration for apache
	cat << EOF > /etc/apache2/conf-available/ilias.conf
	<IfModule mod_xsendfile.c>
	XSendFilePath $ILIAS_DIR
	XSendFilePath $ILIAS_DATA_DIR
	</IfModule>

	<Directory $ILIAS_DIR>
	AllowOverride All
	Options -Indexes

	# custom headers
	Header always set X-Frame-Options "SAMEORIGIN"
	Header always set X-XSS-Protection "1; mode=block"
	Header always set X-Content-Type-Options "nosniff"
	</Directory>

	<Directory $ILIAS_DIR/.git>
	Require all denied
	</Directory>

	<Directory $ILIAS_DIR/setup>
	Require ip $ILIAS_SETUP_IP
	</Directory>
	EOF

	# Activate ilias configuration
	a2enconf ilias

	# Add PHP configuration for ILIAS
	cat << EOF > /etc/php/7.0/mods-available/ilias.ini
	; Configuration for ILIAS php
	; priority=99
	max_execution_time = 900
	memory_limit = 200M
	display_errors = Off
	post_max_size = $ILIAS_UPLOAD_LIMIT
	upload_max_filesize = $ILIAS_UPLOAD_LIMIT
	max_input_time = 900
	max_input_vars = 10000
	session.gc_probability = 1
	session.gc_divisor = 100
	session.gc_maxlifetime = $ILIAS_SESSION_LIFETIME
	session.hash_function = 0
	error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED & ~E_STRICT
	sendmail_path = /usr/sbin/sendmail -t -i

	apc.enabled = 1
	apc.shm_size = 128M
	apc.shm_segments = 1

	opcache.memory_consumption = 128
	opcache.interned_strings_buffer = 8
	opcache.max_accelerated_files = 4000
	EOF
	cat << EOF > /etc/php/7.0/mods-available/ilias-cli.ini
	; Configuration for ILIAS php (CLI)
	; priority=99
	memory_limit = 1000M
	error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED & ~E_STRICT
	; Disable garbage collection due to problems with ILIAS ActiveRecords
	zend.enable_gc = Off
	EOF

	# Enable PHP configuration for ILIAS (Apache)
	phpenmod -s apache2 ilias
	# Enable PHP configuration for ILIAS (CLI)
	phpenmod -s cli ilias-cli

	# Ensure ilServer service script is present (Systemd)
	cat << EOF > /etc/systemd/system/ilServer.service
	[Unit]
	Description=ILIAS ilServer
	After=syslog.target network.target

	[Service]
	Type=simple
	User=www-data
	ExecStart=/usr/bin/java \
	-Dfile.encoding=UTF-8 \
	-jar $ILIAS_DIR/Services/WebServices/RPC/lib/ilServer.jar \
	$ILIAS_DATA_DIR/config/ilServer.ini \
	start

	[Install]
	WantedBy=multi-user.target
	EOF

	# Activate apache modules
	a2enmod cgi headers xsendfile rewrite ssl

	# Add cron job template
	cat << EOF > /etc/cron.d/ilias
	USER=cron
	PASSWORD=
	CLIENT=

	# Run ilias cron jobs every 10m
	#/10 * * * www-data /usr/bin/php $ILIAS_DIR/cron/cron.php \$USER \$PASSWORD \$CLIENT

	# Periodically clean up temp dir
	#0 4 * * * root [ -d $ILIAS_DATA_DIR/\$CLIENT/temp ] && [ "\$(ls -A $ILIAS_DATA_DIR/\$CLIENT/temp/)" ] && rm -r $ILIAS_DATA_DIR/\$CLIENT/temp/*
	EOF

	cat << EOF > /etc/logrotate.d/ilias
	$ILIAS_DATA_DIR/*.log {
	daily
	rotate 7
	missingok
	compress
	delaycompress
	}
	EOF