
Install fail2ban

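# fail2ban is shipped in EPEL, not in the base CentOS/RHEL repositories, so
# the original one-liner only enabled the repo and never installed the
# package. Overrides go in jail.local (never in jail.conf) so that package
# upgrades do not clobber them.
sudo yum install epel-release
sudo yum install fail2ban
sudo nano /etc/fail2ban/jail.local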
[DEFAULT]
# Everything in this section applies to every jail unless the jail overrides it.

# Sources that are never banned, whatever they do. Keep this list as short as
# possible and re-check it whenever one of these addresses changes hands.
ignoreip  = 127.0.0.1/8 123.31.30.162 123.31.17.79

# Ban length in seconds (3600 = one hour).
bantime   = 3600

# Talk to iptables directly instead of the firewalld action that
# /etc/fail2ban/jail.d/00-firewalld.conf preselects on this distribution.
banaction = iptables-multiport

[sshd]
enabled   = true
port      = ssh
logpath   = %(sshd_log)s
# Ban after five failures. findtime is not set here, so the package default
# observation window applies.
maxretry  = 5
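# A bare restart does not make the service start at boot; enable it as well,
# then confirm the sshd jail is really active (the global status line alone
# does not show whether the jail loaded).
sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd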

php-fpm and nginx

  • WordPress configuration sample
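server {

    listen 80;
    server_name bountysneakers.com;

    root /var/www/bountysneakers.com/htdocs;
    index index.html index.htm index.php;

    # Refuse dotfiles (.htaccess, .git/, .env, ...) but keep /.well-known/
    # reachable. This regex location is listed first on purpose: nginx
    # evaluates regex locations in file order and uses the first match, so
    # /.git/x.php must be caught here before the \.php$ block below sees it.
    location ~* /\.(?!well-known/) {
        deny all;
        log_not_found off;
        access_log off;
    }

    location ~* \.php$ {
        # Only hand PHP-FPM a script that exists on disk. Without this guard a
        # request such as /uploads/x.jpg/y.php is forwarded to the pool with
        # SCRIPT_FILENAME pointing at the upload, which a pool running with
        # cgi.fix_pathinfo=1 will execute as PHP.
        try_files $uri =404;
        fastcgi_index   index.php;
        fastcgi_pass    127.0.0.1:9000;
        #fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
    }

    access_log /var/log/nginx/bountysneakers.access.log combined;
    error_log /var/log/nginx/bountysneakers.error.log;

    #wordpress
    # Static assets: long cache lifetime, and do not log misses.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks doesn't break when using query string
        try_files $uri $uri/ /index.php?$args;
    }

}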

Phalcon + Supervisor + Beanstalk

  1. https://laravel.com/docs/5.6/queues#supervisor-configuration
  2. https://docs.phalconphp.com/en/3.3/queue
  3. https://laravel.com/docs/5.6/queues#supervisor-configuration

# nginx config for Pimcore 5

# PHP-FPM 7.2 pool, reached over a unix socket. The nginx worker user needs
# read/write access to this socket (see listen.owner / listen.group in the
# pool configuration); a permission problem here typically surfaces as 502s.
upstream php72 {
    server unix:/var/www/php/php72.sock;
}

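server {
    listen 80;
    server_name pimcore5.loc;
    # Document root is the web/ directory, so app/, var/ and vendor/ are not
    # directly addressable.
    root /var/www/pimcore5.loc/htdocs/web;
    index index.php;

    access_log  /var/www/pimcore5.loc/logs/access.log;
    error_log   /var/www/pimcore5.loc/logs/error.log warn;

    # Front controller: anything that is not a real file goes to app.php.
    location / {
        try_files $uri /app.php$is_args$args;
    }

    # Only the two front controllers are ever passed to PHP-FPM; any other
    # .php file under the document root is never executed by this config.
    location ~ /(app|install)\.php(/|$) {
        fastcgi_index   index.php;
        fastcgi_pass    php72;
        #fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
    }

    # Pimcore Head-Link Cache-Busting
    rewrite ^/cache-buster-(?:\d+)/(.*) /$1 last;

    # Stay secure
    #
    # a) don't allow PHP in folders allowing file uploads
    # The original pattern was `/var/assets/*\.php`, where `/*` means "zero or
    # more slashes", so it only matched `/var/assets.php` or `/var/assets/.php`
    # and let `/var/assets/<anything>.php` through. `/.*` matches any path
    # below the upload directory, which is what the comment intends.
    location ~* /var/assets/.*\.php(/|$) {
        return 404;
    }
    # b) Prevent clients from accessing hidden files (starting with a dot)
    # Access to `/.well-known/` is allowed.
    # https://www.mnot.net/blog/2010/04/07/well-known
    # https://tools.ietf.org/html/rfc5785
    location ~* /\.(?!well-known/) {
        deny all;
        log_not_found off;
        access_log off;
    }
    # c) Prevent clients from accessing to backup/config/source files
    location ~* (?:\.(?:bak|conf(ig)?|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
        deny all;
    }

    # Some Admin Modules need this:
    # Database Admin, Server Info
    location ~* ^/admin/(adminer|external) {
        rewrite .* /app.php$is_args$args last;
    }

    # Thumbnails
    location ~* .*/(image|video)-thumb__\d+__.* {
        try_files /var/tmp/$1-thumbnails$request_uri /app.php;
        expires 2w;
        access_log off;
        add_header Cache-Control "public";
    }

    # Assets
    # Still use a whitelist approach to prevent each and every missing asset to go through the PHP Engine.
    location ~* (.+?)\.((?:css|js)(?:\.map)?|jpe?g|gif|png|svgz?|eps|exe|gz|zip|mp\d|ogg|ogv|webm|pdf|docx?|xlsx?|pptx?)$ {
        try_files /var/assets$uri $uri =404;
        expires 2w;
        access_log off;
        log_not_found off;
        add_header Cache-Control "public";
    }

    # Installer
    # Remove this if you don't need the web installer (anymore)
    if (-f $document_root/install.php) {
        rewrite ^/install(/?.*) /install.php$1 last;
    }

    # PHP-FPM Status and Ping
    location /fpm- {
        access_log off;
        include fastcgi_params;
        location /fpm-status {
            allow 127.0.0.1;
            # add additional IP's or Ranges
            deny all;
            fastcgi_pass php72;
        }
        # Unlike /fpm-status, the ping endpoint carries no allow/deny list and
        # is reachable from anywhere; restrict it the same way unless an
        # external health checker really needs it.
        location /fpm-ping {
            fastcgi_pass php72;
        }
    }
    # nginx Status
    # see: https://nginx.org/en/docs/http/ngx_http_stub_status_module.html
    location /nginx-status {
        allow 127.0.0.1;
        deny all;
        access_log off;
        stub_status;
    }
}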