Merge pull request #179 from joglomedia/2.x.x

2.8.x [Alpha]
joglomedia · Jan 28, 2025 · 6d1dcb0 · 6d1dcb0
2 parents 8c74e82 + 5e5b410
commit 6d1dcb0
Show file tree

Hide file tree

Showing 78 changed files with 4,117 additions and 1,392 deletions.
diff --git a/.env.dist b/.env.dist
@@ -90,9 +90,9 @@ NGINX_VERSION="stable"
 # Build with custom OpenSSL.
 NGINX_WITH_CUSTOMSSL=false
 
-# Available custom SSL version: e.g. openssl-1.1.1g, libressl-3.0.0
+# Available custom SSL version: e.g. openssl-3.1.5, openssl-3.1.5-quic1, libressl-3.9.2
 # leave empty to use stack default OpenSSL.
-NGINX_CUSTOMSSL_VERSION="openssl-1.1.1l"
+NGINX_CUSTOMSSL_VERSION="openssl-3.1.5-quic1"
 
 # Build with PCRE JIT.
 NGINX_WITH_PCRE=false
@@ -152,9 +152,9 @@ NGX_MAIL=true
 NGX_NCHAN=false
 
 # Note: Be aware that PAGESPEED is no longer being developed.
-NGX_PAGESPEED=false
+#NGX_PAGESPEED=false
 # For Nginx latest v1.23 or greater, try using NPS v1.14.33.1-RC1 or latest-stable
-NGX_PAGESPEED_VERSION="latest-stable"
+#NGX_PAGESPEED_VERSION="latest-stable"
 
 NGX_RTMP=false
 NGX_STREAM=true
@@ -173,7 +173,7 @@ PHP_VERSIONS="8.1 8.2 8.3"
 # Additional PHP modules (extensions) to install.
 # Installing multiple extension is supported, separate version by space.
 # Type only the extension name (without php*-).
-PHP_EXTENSIONS="geoip gnupg imagick igbinary json mcrypt memcache memcached msgpack sodium"
+PHP_EXTENSIONS="geoip gnupg imagick igbinary json mcrypt memcache memcached msgpack sodium xdebug"
 
 # DO NOT CHANGE
 DEFAULT_PHP_VERSION="8.2"
@@ -246,6 +246,7 @@ INSTALL_POSTGRES=false
 # Postgres version (only type the major version number).
 POSTGRES_VERSION="15"
 
+POSTGRES_PORT=5432
 POSTGRES_PGDATA="/var/lib/postgresql/data"
 
 # Default Postgres user.

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -48,9 +48,9 @@ jobs:
           sudo apt-get install -q -y bash curl
           sudo curl -sSL -o /usr/local/bin/shunit2 https://raw.githubusercontent.com/kward/shunit2/master/shunit2
           sudo chmod +x /usr/local/bin/shunit2
-          sudo curl -sSLO https://github.com/koalaman/shellcheck/releases/download/v0.8.0/shellcheck-v0.8.0.linux.x86_64.tar.xz
-          sudo tar -xf shellcheck-v0.8.0.linux.x86_64.tar.xz
-          sudo mv shellcheck-v0.8.0/shellcheck /usr/local/bin/
+          sudo curl -sSLO https://github.com/koalaman/shellcheck/releases/download/v0.10.0/shellcheck-v0.10.0.linux.x86_64.tar.xz
+          sudo tar -xf shellcheck-v0.10.0.linux.x86_64.tar.xz
+          sudo mv shellcheck-v0.10.0/shellcheck /usr/local/bin/
           sudo chmod +x /usr/local/bin/shellcheck
       # Shellcheck Tests
       - name: Run shellcheck testing
@@ -114,9 +114,9 @@ jobs:
           sudo apt-get install -q -y bash curl
           sudo curl -sSL -o /usr/local/bin/shunit2 https://raw.githubusercontent.com/kward/shunit2/master/shunit2
           sudo chmod +x /usr/local/bin/shunit2
-          sudo curl -sSLO https://github.com/koalaman/shellcheck/releases/download/v0.8.0/shellcheck-v0.8.0.linux.x86_64.tar.xz
-          sudo tar -xf shellcheck-v0.8.0.linux.x86_64.tar.xz
-          sudo mv shellcheck-v0.8.0/shellcheck /usr/local/bin/
+          sudo curl -sSLO https://github.com/koalaman/shellcheck/releases/download/v0.10.0/shellcheck-v0.10.0.linux.x86_64.tar.xz
+          sudo tar -xf shellcheck-v0.10.0.linux.x86_64.tar.xz
+          sudo mv shellcheck-v0.10.0/shellcheck /usr/local/bin/
           sudo chmod +x /usr/local/bin/shellcheck
       # Shellcheck Tests
       - name: Run shellcheck testing

diff --git a/.travis.yml b/.travis.yml
diff --git a/README.md b/README.md
@@ -20,11 +20,10 @@ LEMPer stands for Linux, Engine-X (Nginx), MariaDB and PHP installer written in
 ## Features
 
 * Nginx - A high performance web server and a reverse proxy server.
-  * Community package from [Ondrej repo](https://launchpad.net/~ondrej/+archive/ubuntu/nginx) or @eilandert's [MyGuard repo](https://deb.myguard.nl/nginx-modules/) with built-in PageSpeed module.
+  * Community package from [Ondrej repo](https://launchpad.net/~ondrej/+archive/ubuntu/nginx) or @eilandert's [MyGuard repo](https://deb.myguard.nl/nginx-modules/) with built-in modules.
   * Custom build from [source](https://github.com/nginx/nginx) featured with :
     * [Brotli module](https://github.com/google/ngx_brotli.git) an alternative compression to Gzip
     * [Lua Nginx module](https://github.com/openresty/lua-nginx-module) with LuaJIT 2 library
-    * [PageSpeed module](https://github.com/apache/incubator-pagespeed-ngx) an automatic PageSpeed optimization
     * FastCGI [cache purge module](https://github.com/nginx-modules/ngx_cache_purge.git) for atomic cache purging
     * Customizable SSL library: OpenSSL (default), LibreSSL, and BoringSSL
     * and much more useful 3rd-party modules.
@@ -35,13 +34,14 @@ LEMPer stands for Linux, Engine-X (Nginx), MariaDB and PHP installer written in
   * Get an A+ grade on several SSL Security Test ([Qualys SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=masedi.net), [ImmuniWeb](https://www.immuniweb.com/ssl/?id=bVrykFnK), and Wormly).
 * PHP - Most used language that [powers 78.9% of all websites](https://w3techs.com/technologies/details/pl-php) around the universe.
   * Community package from [Ondrej's PHP repository](https://launchpad.net/~ondrej/+archive/ubuntu/php).
-  * Multiple PHP versions ~7.1 [EOL]~, ~7.2 [EOL]~, ~7.3 [EOL]~, ~7.4 [EOL]~, ~8.0 [EOL]~, 8.1 [SFO], 8.2 [Stable], 8.3 [Latest].
+  * Multiple PHP versions ~7.1 [EOL]~, ~7.2 [EOL]~, ~7.3 [EOL]~, ~7.4 [EOL]~, ~8.0 [EOL]~, 8.1 [SFO], 8.2 [SFO], 8.3 [Stable], 8.4 [Latest].
   * Run PHP as user who own the file (Multi-user isolation via FPM pool).
   * Feel the faster Nginx with secure multi-user environment like a top-notch shared hosting.
   * Supported PHP Framework and CMS:
     * Vanilla PHP: default,
     * Framework: codeigniter, laravel, lumen, phalcon, symfony,
-    * CMS: drupal, mautic, roundcube, sendy, wordpress, wordpress-ms (multi-site), and
+    * Content Management: drupal, wordpress, wordpress-ms (multi-site),
+    * Web Application: mautic, owncloud, roundcube, sendy, and
     * more coming soon.
   * PHP Zend OPcache.
   * PHP Loader, ionCube & SourceGuardian.
@@ -115,19 +115,19 @@ lemper-cli site add --help
 Example, enable SSL
 
 ```bash
-sudo lemper-cli manage --enable-ssl example.test
+sudo lemper-cli site mod --enable-ssl example.test
 ```
 
 Example, enable FastCGI cache
 
 ```bash
-sudo lemper-cli manage --enable-fastcgi-cache example.test
+sudo lemper-cli site mod --enable-fastcgi-cache example.test
 ```
 
 For more info
 
 ```bash
-sudo lemper-cli manage --help
+sudo lemper-cli site mod --help
 ```
 
 ##### for more help
@@ -136,7 +136,7 @@ sudo lemper-cli manage --help
 sudo lemper-cli help
 ```
 
-Note: LEMPer CLI automagically add a new PHP-FPM user's pool configuration if it doesn't exists. You must add the user account first.
+Note: LEMPer CLI automagically create new PHP-FPM user's pool configuration if it doesn't exists. You must add the user account first.
 
 ### Web-based Administration
 

diff --git a/bin/lemper-cli.sh b/bin/lemper-cli.sh
@@ -20,16 +20,57 @@
 set -e -o pipefail
 
 # Version control.
-PROG_NAME=$(basename "$0")
-PROG_VER="2.x.x"
+export PROG_NAME && PROG_NAME=$(basename "$0")
+export PROG_VERSION && PROG_VERSION="2.x.x"
 
 # Test mode.
 DRYRUN=false
 
+# Make sure only root can run this script.
+function requires_root() {
+    if [[ "$(id -u)" -ne 0 ]]; then
+        if ! hash sudo 2>/dev/null; then
+            echo "${PROG_NAME} command must be run as 'root' or with sudo."
+            exit 1
+        else
+            #echo "Switching to root user to run this script."
+            sudo -E "$0" "$@"
+            exit 0
+        fi
+    fi
+}
+
+requires_root "$@"
+
+# Export LEMPer Stack configuration.
+if [[ -f "/etc/lemper/lemper.conf" ]]; then
+    # Clean environemnt first.
+    # shellcheck source=/etc/lemper/lemper.conf
+    # shellcheck disable=SC2046
+    unset $(grep -v '^#' /etc/lemper/lemper.conf | grep -v '^\[' | sed -E 's/(.*)=.*/\1/' | xargs)
+
+    # shellcheck source=/etc/lemper/lemper.conf
+    # shellcheck disable=SC1094
+    # shellcheck disable=SC1091
+    source <(grep -v '^#' /etc/lemper/lemper.conf | grep -v '^\[' | sed -E 's|^(.+)=(.*)$|: ${\1=\2}; export \1|g')
+else
+    echo "LEMPer Stack configuration required, but the file doesn't exist."
+    echo "It should be created during installation process and placed under '/etc/lemper/lemper.conf'."
+    exit 1
+fi
+
+# Set default variables.
+LEMPER_USERNAME=${LEMPER_USERNAME:-"lemper"}
+LEMPER_PASSWORD=${LEMPER_PASSWORD:-""}
+MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-""}
+
+# Set CLI plugins directory.
+CLI_PLUGINS_DIR="/etc/lemper/cli-plugins"
+
 # Color decorator.
-RED=91
-GREEN=92
-YELLOW=93
+RED=31
+GREEN=32
+YELLOW=33
 
 ##
 # Helper Functions.
@@ -108,54 +149,13 @@ function run() {
     fi
 }
 
-# Make sure only root can run this script.
-function requires_root() {
-    if [[ "$(id -u)" -ne 0 ]]; then
-        if ! hash sudo 2>/dev/null; then
-            echo "${PROG_NAME} command must be run as 'root' or with sudo."
-            exit 1
-        else
-            #echo "Switching to root user to run this script."
-            sudo -E "$0" "$@"
-            exit 0
-        fi
-    fi
-}
-
-requires_root "$@"
-
-# Export LEMPer Stack configuration.
-if [[ -f "/etc/lemper/lemper.conf" ]]; then
-    # Clean environemnt first.
-    # shellcheck source=/etc/lemper/lemper.conf
-    # shellcheck disable=SC2046
-    unset $(grep -v '^#' /etc/lemper/lemper.conf | grep -v '^\[' | sed -E 's/(.*)=.*/\1/' | xargs)
-
-    # shellcheck source=/etc/lemper/lemper.conf
-    # shellcheck disable=SC1094
-    # shellcheck disable=SC1091
-    source <(grep -v '^#' /etc/lemper/lemper.conf | grep -v '^\[' | sed -E 's|^(.+)=(.*)$|: ${\1=\2}; export \1|g')
-else
-    echo "LEMPer Stack configuration required, but the file doesn't exist."
-    echo "It should be created during installation process and placed under '/etc/lemper/lemper.conf'."
-    exit 1
-fi
-
-# Set default variables.
-LEMPER_USERNAME=${LEMPER_USERNAME:-"lemper"}
-LEMPER_PASSWORD=${LEMPER_PASSWORD:-""}
-MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-""}
-
-# Set CLI plugins directory.
-CLI_PLUGINS_DIR="/etc/lemper/cli-plugins"
-
 ## 
 # Show usage
 # output to STDERR.
 ##
 function cmd_help() {
     cat <<- EOL
-${PROG_NAME} ${PROG_VER}
+${PROG_NAME} ${PROG_VERSION}
 Command line management tool for LEMPer Stack.
 
 Usage: ${PROG_NAME} [--version] [--help]
@@ -172,13 +172,16 @@ These are common ${PROG_NAME} commands used in various situations:
 For help with each command run:
 ${PROG_NAME} <command> -h | --help
 EOL
+
+exit 0
 }
 
 ## 
 # Show version.
 ##
 function cmd_version() {
-    echo "${PROG_NAME} version ${PROG_VER}"
+    echo "${PROG_NAME} version ${PROG_VERSION}"
+    exit 0
 }
 
 ##
@@ -193,21 +196,18 @@ function init_lemper_cli() {
         case "${CMD}" in
             help | -h | --help)
                 cmd_help
-                exit 0
             ;;
             version | -v | --version)
                 cmd_version
-                exit 0
             ;;
             *)
                 if [[ -x "${CLI_PLUGINS_DIR}/lemper-${CMD}" ]]; then
                     # Source the plugin executable file.
                     # shellcheck disable=SC1090
                     . "${CLI_PLUGINS_DIR}/lemper-${CMD}" "$@"
-                    exit 0
                 else
-                    echo "${PROG_NAME}: '${CMD}' is not ${PROG_NAME} command"
-                    echo "See '${PROG_NAME} --help' for more information"
+                    echo "${PROG_NAME}: '${CMD}' is not valid command."
+                    echo "See '${PROG_NAME} --help' for more information."
                     exit 1
                 fi
             ;;

diff --git a/etc/fail2ban/filter.d/wordpress.conf b/etc/fail2ban/filter.d/wordpress.conf
@@ -1,7 +1,6 @@
 [Definition]
 
-failregex = ^<HOST> .* "POST .*wp-login.php
-            ^<HOST> .* "POST .*xmlrpc.php
+failregex = ^<HOST>.* "POST .*(wp-login.php|xmlrpc.php)([/\?#\\].*)? HTTP/.*" 200|401
             ^<HOST> .* "GET .*" 404 .*
 
 ignoreregex =
diff --git a/etc/logrotate.d/nginx b/etc/logrotate.d/nginx
@@ -1,6 +1,6 @@
 /var/log/nginx/*.log /home/*/logs/nginx/*_log {
     daily
-    rotate 3
+    rotate 14
     compress
     delaycompress
     missingok

diff --git a/etc/nginx/includes/naxsi.rules b/etc/nginx/includes/naxsi.rules
@@ -0,0 +1,20 @@
+# Sample rules file for default vhost.
+
+#LearningMode;
+SecRulesEnabled;
+#SecRulesDisabled;
+LibInjectionSql;
+LibInjectionXss;
+
+DeniedUrl "/RequestDenied";
+
+## Check rules
+CheckRule "$SQL >= 8" BLOCK; # SQL injection action (unrelated to libinjection)
+CheckRule "$XSS >= 8" BLOCK; # XSS action (unrelated to libinjection)
+CheckRule "$RFI >= 8" BLOCK; # Remote File Inclusion action
+CheckRule "$UWA >= 8" BLOCK; # Unwanted Access action
+CheckRule "$EVADE >= 8" BLOCK; # Evade action (some tools may try to avoid detection).
+CheckRule "$UPLOAD >= 5" BLOCK; # Malicious upload action
+CheckRule "$TRAVERSAL >= 5" BLOCK; # Traversal access action
+CheckRule "$LIBINJECTION_XSS >= 8" BLOCK; # libinjection XSS action
+CheckRule "$LIBINJECTION_SQL >= 8" BLOCK; # libinjection SQLi action