Ubuntu Server 12.04 Setup Script With Optimization of Apache/Postfix with Gmail
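#!/bin/bash
#############################################################
# Setup Ubuntu 12.04 32/64 Natty Web Server for WordPress #
# by Zach Browne - http://zachbrowne.com #
#############################################################
#
# One-shot provisioning of a fresh host: SSH key, static networking,
# a caching nameserver, Apache/PHP-CGI/MySQL tuned for a 512MB VPS,
# sysctl hardening and Postfix relaying through Gmail.
#
# Every ----PLACEHOLDER---- in the settings block below must be filled in
# before the script is run. It must run as root, rewrites system files in
# place (each one is first copied to <file>.bak) and restarts services.
set -euo pipefail

#######################################
# Site-specific settings. Edit these; nothing below should need changes.
#######################################
readonly domain="----DOMAIN----"              # public site name; also the Apache vhost name
readonly fqdn="----YOUR FULL FQDN----"        # name written next to the server IP in /etc/hosts
readonly short_hostname="----HOSTNAME----"    # written to /etc/hostname
readonly server_ip="----SERVER IP----"        # public address on eth0
readonly gateway="----GATEWAY----"
readonly internal_ip="----INTERNAL IP----"    # private address on eth0:1
readonly ssh_public_key="----YOUR-SSH-PUBLIC-KEY----"
readonly gmail_address="----YOUR-GMAIL-ADDRESS----"
# Stored in clear text in this script and in /etc/postfix/sasl_passwd;
# keep both readable by root only.
readonly gmail_password="----GMAIL PASSWORD----"

#######################################
# Keep a pristine copy of a config file before the script rewrites it.
# Arguments: $1 - path of the file about to be replaced
# Outputs:   creates "$1.bak" next to the original
#######################################
backup() {
  cp -- "$1" "$1.bak"
}

#######################################
# Set the numeric value of an Apache MPM directive in apache2.conf.
# Every matching line is rewritten (the stock file carries one copy of
# each directive per MPM section), exactly as the original sed calls did.
# Arguments: $1 - directive name, $2 - new value
#######################################
set_apache_directive() {
  local directive=$1 value=$2
  sed -i "s/\(^\s*${directive}\)\s*[0-9]*/\1 ${value}/" /etc/apache2/apache2.conf
}

# Everything below writes under /etc and restarts services; stop before
# touching anything rather than fail part-way through as a normal user.
if [[ "$(id -u)" -ne 0 ]]; then
  printf 'this script must be run as root\n' >&2
  exit 1
fi

## Setup SSH
# sshd (with its default StrictModes) refuses keys from a world-readable
# or writable authorized_keys, so create the directory and file restricted.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
printf '%s\n' "$ssh_public_key" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

## Setup networking.
# Update, upgrade, and install basic applications.
aptitude update
aptitude -y safe-upgrade
aptitude -y install htop lynx dnsutils unzip byobu git-core
# Set up hostname and hosts file. The host name is read back from
# /etc/hostname (not /etc/hosts, which is a table and not a name).
printf '%s\n' "$short_hostname" > /etc/hostname
hostname -F /etc/hostname
# Insert "<ip><TAB><fqdn><TAB><short name>" right after the loopback line;
# GNU sed turns \t into a tab inside appended text.
backup /etc/hosts
sed -i "1 a\\${server_ip}\t${fqdn}\t${short_hostname}" /etc/hosts
# Set up interfaces file for static IP.
backup /etc/network/interfaces
cat > /etc/network/interfaces <<EOF
auto lo
iface lo inet loopback
auto eth0 eth0:1
iface eth0 inet static
address ${server_ip}
netmask 255.255.255.0
gateway ${gateway}
iface eth0:1 inet static
address ${internal_ip}
netmask 255.255.128.0
EOF
# Restart networking.
/etc/init.d/networking restart
# Set resolv.conf to rotate DNS.
# Remove the old file first: if /etc/resolv.conf is a symlink into a
# resolver-managed runtime directory, writing through it would later be
# undone, whereas a plain file keeps these settings (confirm on the target).
backup /etc/resolv.conf
rm -f /etc/resolv.conf
cat > /etc/resolv.conf <<EOF
search members.linode.com
nameserver 72.14.188.5
nameserver 72.14.179.5
options rotate
EOF
# Install Bind9 to cache DNS.
# NOTE(review): resolv.conf above still lists only the external
# nameservers, so this local cache is not consulted unless a
# "nameserver 127.0.0.1" line is placed ahead of them.
aptitude -y install bind9
backup /etc/bind/named.conf.options
# The statements below belong inside an "options" block; a bare "{" is
# not valid named configuration.
cat > /etc/bind/named.conf.options <<EOF
options {
directory "/var/cache/bind";
forwarders {69.93.127.10;65.19.178.10;75.127.96.10;207.192.70.10;109.74.194.10;};
auth-nxdomain no;
listen-on-v6 { any; };
};
EOF
/etc/init.d/bind9 restart
# Two lookups with a pause between them as a quick resolver check; their
# output is informational, so a failure here does not abort the setup.
dig "$domain" || printf 'warning: dig %s failed\n' "$domain" >&2
sleep 3
dig "$domain" || printf 'warning: dig %s failed\n' "$domain" >&2

## Setup Apache2, PHP-CGI, APC, MySQL, and optimize server for VPS 512MB.
# Install apps for WordPress optimization
aptitude -y install apache2 apache2-mpm-itk mysql-server fontconfig-config javascript-common libdbd-mysql-perl libdbi-perl libfontconfig1 libfreetype6 libgd2-xpm libjpeg62 libjs-cropper libjs-jquery libjs-prototype libjs-scriptaculous libnet-daemon-perl libphp-phpmailer libphp-snoopy libplrpc-perl libt1-5 libxpm4 php-gettext php5-gd tinymce ttf-dejavu-core wwwconfig-common libapache2-mod-perl2 php5-cgi php5-suhosin php-apc php5-mysql php5-curl php5-gd php5-imagick php5-mcrypt php5-common php5-pspell php5-snmp php5-xmlrpc php5-xsl imagemagick perl php-pear
# Enable modules
a2enmod actions rewrite headers expires mem_cache include
# Enable APC
printf 'extension=apc.so\n' > /etc/php5/conf.d/apc.ini
# Configure PHP-CGI. Written to conf.d, which Apache reads (the original
# wrote to a non-existent init.d path and only touched this file).
# NOTE(review): "ScriptAlias /local-bin /usr/bin" publishes every program
# in /usr/bin as a CGI under /local-bin/; a directory holding only php-cgi
# would expose far less - confirm before using this on a public host.
cat > /etc/apache2/conf.d/php-cgi.conf <<'EOF'
ScriptAlias /local-bin /usr/bin
AddHandler application/x-httpd-php5 php
Action application/x-httpd-php5 /local-bin/php-cgi
EOF
# Add IP to ports.conf.
backup /etc/apache2/ports.conf
cat > /etc/apache2/ports.conf <<EOF
NameVirtualHost ${server_ip}:80
Listen 80
EOF
# Create the site tree the vhost points at (DocumentRoot and log
# directory), then the vhost itself.
site_root="/srv/www/${domain}"
mkdir -p "${site_root}/public" "${site_root}/logs"
cat > "/etc/apache2/sites-available/${domain}" <<EOF
<VirtualHost ${server_ip}:80>
RewriteEngine On
ServerName ${domain}
ServerAdmin www@${domain}
ServerAlias www.${domain}
DocumentRoot ${site_root}/public/
ErrorLog ${site_root}/logs/error.log
CustomLog ${site_root}/logs/access.log combined
<IfModule mpm_itk_module>
AssignUserId www-data www-data
</IfModule>
</VirtualHost>
EOF
# Create robots.txt file in the DocumentRoot.
printf 'User-agent: *\n' > "${site_root}/public/robots.txt"

## Optimize server.
# Remove Apache server information from headers.
sed -i 's/ServerTokens .*/ServerTokens Prod/' /etc/apache2/conf.d/security
sed -i 's/ServerSignature .*/ServerSignature Off/' /etc/apache2/conf.d/security
# Tweak apache2.conf.
backup /etc/apache2/apache2.conf
set_apache_directive StartServers 1
set_apache_directive MaxClients 45
set_apache_directive MinSpareThreads 2
set_apache_directive MaxSpareThreads 5
set_apache_directive ThreadLimit 15
set_apache_directive ThreadsPerChild 15
set_apache_directive MaxRequestsPerChild 5000
# Tweak php.ini (the CGI one, which is what php-cgi reads).
php_ini="/etc/php5/cgi/php.ini"
backup "$php_ini"
sed -i 's/^\(max_execution_time = \)[0-9]*/\1120/' "$php_ini"
sed -i 's/^\(max_input_time = \)[0-9]*/\1300/' "$php_ini"
sed -i 's/^\(memory_limit = \)[0-9]*M/\164M/' "$php_ini"
sed -i 's/^\(post_max_size = \)[0-9]*M/\125M/' "$php_ini"
sed -i 's/^\(upload_max_filesize = \)[0-9]*M/\125M/' "$php_ini"
# Prepend the process-spawning functions to whatever the file already lists.
sed -i 's/^disable_functions =/disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source/' "$php_ini"
# Harden sysctl.conf: refuse source-routed packets on v4 and v6, whether
# the stock line is commented out or set to 1, then apply without a reboot.
backup /etc/sysctl.conf
sed -i 's/^#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/' /etc/sysctl.conf
sed -i 's/^net.ipv4.conf.all.accept_source_route = 1/net.ipv4.conf.all.accept_source_route = 0/' /etc/sysctl.conf
sed -i 's/^#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/' /etc/sysctl.conf
sed -i 's/^net.ipv6.conf.all.accept_source_route = 1/net.ipv6.conf.all.accept_source_route = 0/' /etc/sysctl.conf
sysctl -p /etc/sysctl.conf || printf 'warning: sysctl -p failed; settings apply at next boot\n' >&2

## Secure Apache2.
# Install mod_security & mod_evasive.
aptitude -y install libapache2-mod-evasive libapache-mod-security
apt-get -y -f install
# Install PageSpeed Apache2 Module.
# NOTE: this fetches the amd64 build only; a 32-bit host needs the
# matching package even though the banner says 32/64.
wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-beta_current_amd64.deb
# dpkg -i exits non-zero when dependencies are missing; apt-get -f then
# pulls them in and finishes the configuration.
dpkg -i mod-pagespeed-*.deb || apt-get -y -f install
# Update public directory for Apache and security
chown -R www-data:www-data /srv/www/
find /srv/www/ -type d -exec chmod 755 {} +
find /srv/www/ -type f -exec chmod 644 {} +
# Engage Apache2.
a2dissite default
a2dissite default-ssl
a2ensite "$domain"
# Restart Apache2
/etc/init.d/apache2 restart

## Install Postfix for use with Gmail.
# Install Postfix; preseed debconf so the install does not prompt.
debconf-set-selections <<EOF
postfix postfix/main_mailer_type select Internet Site
postfix postfix/mailname string ${domain}
postfix postfix/destinations string localhost.localdomain, localhost
EOF
aptitude -y install postfix
# Create main.cf file. Postfix's own $variables are escaped so the shell
# leaves them for Postfix to expand; only ${domain} is filled in here.
backup /etc/postfix/main.cf
cat > /etc/postfix/main.cf <<EOF
# Main settings
smtpd_banner = \$myhostname ESMTP \$mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=no
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
# Host settings
myhostname = ${domain}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =
relayhost = [smtp.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
default_transport = smtp
relay_transport = smtp
inet_protocols = all
# SASL Settings
smtp_use_tls=yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
EOF
# Create sasl_passwd file.
# The Gmail credential sits on disk in clear text, so both the source
# file and the .db copy that postmap builds from it are created under a
# restrictive umask and then locked down to root.
(
  umask 077
  printf '[smtp.gmail.com]:587 %s:%s\n' "$gmail_address" "$gmail_password" > /etc/postfix/sasl_passwd
  postmap /etc/postfix/sasl_passwd
)
chmod 400 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
# CA file referenced by smtp_tls_CAfile. With smtp_use_tls=yes TLS to the
# relay is opportunistic; the peer certificate is not enforced unless
# smtp_tls_security_level is raised.
# NOTE(review): confirm this CA still issues smtp.gmail.com's certificate;
# otherwise point smtp_tls_CAfile at the system CA bundle instead.
cp /etc/ssl/certs/Thawte_Premium_Server_CA.pem /etc/postfix/cacert.pem
# Restart Postfix
/etc/init.d/postfix restart

## Install and configure varnish (left disabled, as in the original).
#aptitude -y install varnish libapache2-mod-rpaf
#Configure varnish
#grep -i "start=" /etc/default/varnish | wc -l
#sed -i 's/START=no/START=yes/' /etc/default/varnish
#sed -i 's/^\s*DAEMON_OPTS="-a :6081/DAEMON_OPTS="-a \*:80/' /etc/default/varnish
#sed -i 's/\(^\s*-s\) [^ ][^ ]*./\1 malloc,'${VARNISH_CACHE_SIZE}'"/' /etc/default/varnish
#Change apache and virtualhost ports to 8080
#sed -i 's/72.14.187.136:80$/72.14.187.136:8080/' /etc/apache2/ports.conf
#sed -i 's/Listen 80$/Listen 8080/' /etc/apache2/ports.conf
#sed -i 's/72.14.187.136:80>$/72.14.187.136:8080>/' /etc/apache2/sites-available/zachbrowne.com
apache2ctl restart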