Last active
August 10, 2022 14:49
-
-
Save prochor666/e31d830d1a11c64a5d3cd4b23df6de74 to your computer and use it in GitHub Desktop.
Debian 10 Buster webserver installation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # wget https://gist.githubusercontent.com/... | |
| # Sanatorium webserver installer complete for Debian 10 Buster | |
| # prochor, 2020 | |
| # prochor666@gmail.com | |
| clear | |
| echo -e "\e[38;5;14m|------------------------------------------- \e[0m" | |
| echo -e "\e[38;5;14m| Sanatorium web server installer for Debian 10 Buster \e[0m" | |
| echo -e "\e[38;5;14m|------------------------------------------- \e[0m" | |
| echo -e "\e[38;5;14m| \e[0m" | |
| echo -e "\e[38;5;14m| * Git \ \e[0m" | |
| echo -e "\e[38;5;14m| * Aapache 2 \e[0m" | |
| echo -e "\e[38;5;14m| * PHP 7 \ \e[0m" | |
| echo -e "\e[38;5;14m| * MariaDB 10 \ \e[0m" | |
| echo -e "\e[38;5;14m| * Memcached \ \e[0m" | |
| echo -e "\e[38;5;14m| * Mod rewrite, Http pseudo streaming \ \e[0m" | |
| echo -e "\e[38;5;14m| * Vsftpd \ \e[0m" | |
| echo -e "\e[38;5;14m| * SSH config append! \ \e[0m" | |
| echo -e "\e[38;5;14m| * for Debian 10 Buster \e[0m" | |
| echo -e "\e[38;5;14m| \e[0m" | |
| echo -e "\e[38;5;14m| prochor666@gmail.com 7/2019 \e[0m" | |
| echo -e "\e[38;5;14m|------------------------------------------- \e[0m" | |
| echo -e " " | |
| echo -e "\e[38;5;220m ? Press any key to continue... \e[0m" | |
| read -p " " -n1 -s | |
| read -p "Type MariaDB root password (at least 4 characters): " MARIADBPASSWORD | |
| MPW=${#MARIADBPASSWORD} | |
| if [[ $MPW -lt 4 ]]; then | |
| echo -e " " | |
| echo -e "\e[91m MariaDB root password error, exiting \e[0m" | |
| echo -e " " | |
| exit 0 | |
| fi | |
| if [[ $EUID -ne 0 ]]; then | |
| echo -e " " | |
| echo -e "\e[38;5;196m ! This script must be run as root \e[0m" 1>&2 | |
| exit 1 | |
| fi | |
| export DEBIAN_FRONTEND=noninteractive | |
| # Stretch backports repository | |
| # echo "# stretch backports | |
| # deb http://ftp.debian.org/debian stretch-backports main | |
| # " >> /etc/apt/sources.list | |
| # OS update + MISC packages | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| OS update \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| apt update && sudo apt -y upgrade | |
| apt install -y snmp make zip elinks | |
| # Git | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| Git \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| apt install -y git | |
| # Apache 2 | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| Apache 2 \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| apt install -y apache2 apache2-utils | |
| systemctl enable apache2 | |
| # Apache 2 MPM-ITK module | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| Apache 2 mpm-itk module \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| apt install -y libapache2-mpm-itk | |
| a2enmod mpm_itk | |
| systemctl restart apache2 | |
| # MariaDB | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| MariaDB \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| debconf-set-selections <<< "mariadb-server mysql-server/root_password password $MARIADBPASSWORD" | |
| debconf-set-selections <<< "mariadb-server mysql-server/root_password_again password $MARIADBPASSWORD" | |
| apt-get install -y mariadb-server mariadb-client | |
| mysql -uroot -pPASS -e "SET PASSWORD = PASSWORD('');" | |
| echo " | |
| [client] | |
| user=root | |
| password=\"$MARIADBPASSWORD\" | |
| [mysql] | |
| user=root | |
| password=\"$MARIADBPASSWORD\" | |
| [mysqladmin] | |
| user=root | |
| password=\"$MARIADBPASSWORD\" | |
| [mysqldump] | |
| user=root | |
| password=\"$MARIADBPASSWORD\" | |
| [mysqldiff] | |
| user=root | |
| password=\"$MARIADBPASSWORD\" | |
| " > /root/.my.cnf | |
| # Memcached | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| Memcached \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| apt install -y memcached | |
| # PHP | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| PHP \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| apt install -y php libphp-embed libapache2-mod-php php-all-dev | |
| # PHP Extensions | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| PHP extensions \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| apt install -y php-apcu \ | |
| php-cli \ | |
| php-fpm \ | |
| php-json \ | |
| php-pdo \ | |
| php-mysql \ | |
| php-zip \ | |
| php-gd \ | |
| php-mbstring \ | |
| php-curl \ | |
| php-xml \ | |
| php-pear \ | |
| php-bcmath \ | |
| php-imagick \ | |
| php-bz2 \ | |
| php-common \ | |
| php-dba \ | |
| php-geoip \ | |
| php-igbinary \ | |
| php-imap \ | |
| php-interbase \ | |
| php-intl \ | |
| php-json \ | |
| php-ldap \ | |
| php-memcached \ | |
| php-mongodb \ | |
| php-msgpack \ | |
| php-mysql \ | |
| php-odbc \ | |
| php-opcache \ | |
| php-pgsql \ | |
| php-phpdbg \ | |
| php-pspell \ | |
| php-readline \ | |
| php-recode \ | |
| php-redis \ | |
| php-snmp \ | |
| php-soap \ | |
| php-sqlite3 \ | |
| php-ssh2 \ | |
| php-sybase \ | |
| php-tidy \ | |
| php-xml \ | |
| php-xmlrpc \ | |
| php-xsl | |
| # Mod rewrite | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| Mod rewrite \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| a2enmod rewrite | |
| # H264 streaming module | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| H264 streaming module \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| apt install -y apache2-dev | |
| systemctl restart apache2 | |
| wget http://h264.code-shop.com/download/apache_mod_h264_streaming-2.2.7.tar.gz | |
| tar -zxvf apache_mod_h264_streaming-2.2.7.tar.gz | |
| cd mod_h264_streaming-2.2.7 | |
| ./configure --with-apxs=`which apxs2` | |
| make | |
| make install | |
| #cp mod_h264_streaming.so /usr/lib/apache2/modules | |
| echo 'AddHandler h264-streaming.extensions .mp4' > /etc/apache2/mods-available/mod_h264_streaming.conf | |
| echo 'LoadModule h264_streaming_module /usr/lib/apache2/modules/mod_h264_streaming.so' > /etc/apache2/mods-available/mod_h264_streaming.load | |
| a2enmod mod_h264_streaming | |
| systemctl restart apache2 | |
| # FTP | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| FTP server vsftpd \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| apt install -y vsftpd | |
| mkdir /etc/vsftpd-users | |
| cp /etc/vsftpd.conf /etc/vsftpd.conf.old | |
| echo "listen=NO | |
| listen_ipv6=YES | |
| anonymous_enable=NO | |
| local_enable=YES | |
| write_enable=YES | |
| local_umask=022 | |
| dirmessage_enable=YES | |
| use_localtime=YES | |
| xferlog_enable=YES | |
| connect_from_port_20=YES | |
| nopriv_user=nobody | |
| ftpd_banner=Welcome to Sanatorium FTP service. | |
| chroot_local_user=YES | |
| user_config_dir=/etc/vsftpd-users | |
| ls_recurse_enable=YES | |
| secure_chroot_dir=/var/run/vsftpd/empty | |
| pam_service_name=ftp | |
| rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem | |
| rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key | |
| ssl_enable=NO | |
| seccomp_sandbox=NO | |
| force_dot_files=YES | |
| allow_writeable_chroot=YES | |
| " > /etc/vsftpd.conf | |
| systemctl restart vsftpd | |
| # SSH | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| SSH fixes \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old | |
| echo " | |
| # Sanatorium SSH config | |
| # What ports, IPs and protocols we listen for | |
| Port 22 | |
| # Use these options to restrict which interfaces/protocols sshd will bind to | |
| #ListenAddress :: | |
| #ListenAddress 0.0.0.0 | |
| Protocol 2 | |
| # HostKeys for protocol version 2 | |
| HostKey /etc/ssh/ssh_host_rsa_key | |
| HostKey /etc/ssh/ssh_host_dsa_key | |
| HostKey /etc/ssh/ssh_host_ecdsa_key | |
| HostKey /etc/ssh/ssh_host_ed25519_key | |
| #Privilege Separation is turned on for security | |
| UsePrivilegeSeparation yes | |
| # Lifetime and size of ephemeral version 1 server key | |
| KeyRegenerationInterval 3600 | |
| ServerKeyBits 1024 | |
| # Logging | |
| SyslogFacility AUTH | |
| LogLevel INFO | |
| # Authentication: | |
| LoginGraceTime 120 | |
| PermitRootLogin yes | |
| StrictModes yes | |
| RSAAuthentication yes | |
| PubkeyAuthentication yes | |
| #AuthorizedKeysFile %h/.ssh/authorized_keys | |
| # Don't read the user's ~/.rhosts and ~/.shosts files | |
| IgnoreRhosts yes | |
| # For this to work you will also need host keys in /etc/ssh_known_hosts | |
| RhostsRSAAuthentication no | |
| # similar for protocol version 2 | |
| HostbasedAuthentication no | |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | |
| #IgnoreUserKnownHosts yes | |
| # To enable empty passwords, change to yes (NOT RECOMMENDED) | |
| PermitEmptyPasswords no | |
| # Change to yes to enable challenge-response passwords (beware issues with | |
| # some PAM modules and threads) | |
| ChallengeResponseAuthentication no | |
| # Change to no to disable tunnelled clear text passwords | |
| PasswordAuthentication yes | |
| # Kerberos options | |
| #KerberosAuthentication no | |
| #KerberosGetAFSToken no | |
| #KerberosOrLocalPasswd yes | |
| #KerberosTicketCleanup yes | |
| # GSSAPI options | |
| #GSSAPIAuthentication no | |
| #GSSAPICleanupCredentials yes | |
| X11Forwarding yes | |
| X11DisplayOffset 10 | |
| PrintMotd no | |
| PrintLastLog yes | |
| TCPKeepAlive yes | |
| #UseLogin no | |
| #MaxStartups 10:30:60 | |
| #Banner /etc/issue.net | |
| # Allow client to pass locale environment variables | |
| AcceptEnv LANG LC_* | |
| #Subsystem sftp /usr/lib/openssh/sftp-server | |
| Subsystem sftp internal-sftp | |
| # Set this to 'yes' to enable PAM authentication, account processing, | |
| # and session processing. If this is enabled, PAM authentication will | |
| # be allowed through the ChallengeResponseAuthentication and | |
| # PasswordAuthentication. Depending on your PAM configuration, | |
| # PAM authentication via ChallengeResponseAuthentication may bypass | |
| # the setting of "PermitRootLogin without-password". | |
| # If you just want the PAM account and session checks to run without | |
| # PAM authentication, then enable this but set PasswordAuthentication | |
| # and ChallengeResponseAuthentication to 'no'. | |
| UsePAM yes | |
| UseDNS no | |
| # SSH timeout | |
| ClientAliveInterval 30 | |
| ClientAliveCountMax 999 | |
| Match Group www-data | |
| ChrootDirectory %h | |
| ForceCommand internal-sftp | |
| AllowTcpForwarding no | |
| " > /etc/ssh/sshd_config | |
| systemctl restart sshd | |
| # Certbot / Letsencrypt | |
| clear | |
| echo -e "" | |
| echo -e "\e[38;5;14m| Letsencrypt certbot \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
| apt install -y python-certbot-apache | |
| CREATEGROUP=true | |
| getent group www-data > /dev/null 2>&1 && CREATEGROUP=false | |
| if $CREATEGROUP; then | |
| groupadd www-data | |
| fi | |
| echo -e "" | |
| echo -e "\e[38;5;14m| Done \e[0m" | |
| echo -e "\e[38;5;14m Run mysql_secure_installation command ---- \e[0m" | |
| echo -e "\e[38;5;14m------------------------------------------- \e[0m" | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment