setup script for humhub
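#!/usr/bin/env bash
# Provision a HumHub host on Amazon Linux 2. Run as a sudo-capable account
# (the script assumes ec2-user's home directory in a few places).
# Inputs, all overridable from the environment: HOST_NAME, HUMHUB_VERSION,
# HUMHUB_DB_NAME, HUMHUB_DB_USER, HUMHUB_DB_PASSWORD, OS_USER.
# The original shebang "#!/usr/bin/sh bash" made the kernel exec /usr/bin/sh
# with the literal path "bash" as its script argument.
set -euo pipefail
export HOST_NAME="${HOST_NAME:-xxxxxxxx.staging.kiwamu.work}"
export HUMHUB_VERSION="${HUMHUB_VERSION:-1.4.3}"
export HUMHUB_DB_NAME="${HUMHUB_DB_NAME:-humhub}"
export HUMHUB_DB_USER="${HUMHUB_DB_USER:-humhub}"
# Placeholder default kept for compatibility; the value becomes the MariaDB
# grant password, so supply a real one via the environment, not by editing here.
export HUMHUB_DB_PASSWORD="${HUMHUB_DB_PASSWORD:-secret_password}"
# Account that is added to the shared "web" group later on.
export OS_USER="${OS_USER:-ec2-user}"
if [[ "${HUMHUB_DB_PASSWORD}" == "secret_password" ]]; then
  printf 'warning: HUMHUB_DB_PASSWORD is still the placeholder default\n' >&2
fi
printf '%s\n' "${HOST_NAME}" | sudo tee /etc/hostname > /dev/null
sudo localectl set-locale LANG=en_US.UTF-8
sudo timedatectl set-timezone Asia/Tokyo
echo "4. ネットワークチューニング(IPv6無効)"
# Disable IPv6 now (sysctl -w) and persistently (sysctl.d, modprobe, network).
printf '%s\n' "NETWORKING_IPV6=no" | sudo tee -a /etc/sysconfig/network > /dev/null
printf '%s\n' "options ipv6 disable=1" | sudo tee /etc/modprobe.d/disable-ipv6.conf > /dev/null
sudo tee /etc/sysctl.d/99-disable-ipv6.conf > /dev/null <<-'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1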
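# BBR congestion control (kernel 4.9+); the sysctl tuning profile below selects it.
# The original "sudo echo ... >> file" ran the redirection as the unprivileged
# user, so the modules-load entry was never written.
if sudo modprobe tcp_bbr; then
  printf '%s\n' 'tcp_bbr' | sudo tee /etc/modules-load.d/99-bbr.conf > /dev/null
fi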
# Kernel/network tuning profile (klaver.it sysctl v1.14) installed as a sysctl.d
# fragment. NOTE(review): the profile predates this distribution's kernel;
# several keys no longer exist (kernel.maps_protect, kernel.exec-shield,
# net.ipv4.tcp_tw_recycle) and "sysctl --system" reports them as errors but
# continues. The IPv6 entries are moot while IPv6 is disabled above, and the
# vm.overcommit_memory=0 here is overridden for redis later via /etc/sysctl.conf.
sudo tee /etc/sysctl.d/99-performance.conf > /dev/null <<-'EOF'
# Kernel sysctl configuration file for Linux
#
# Version 1.14 - 2019-04-05
# Michiel Klaver - IT Professional
# http://klaver.it/linux/ for the latest version - http://klaver.it/bsd/ for a BSD variant
#
# This file should be saved as /etc/sysctl.conf and can be activated using the command:
# sysctl -e -p /etc/sysctl.conf
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
#
# Tested with: Ubuntu 14.04 LTS kernel version 3.13
# Debian 7 kernel version 3.2
# CentOS 7 kernel version 3.10
#
# Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available
# Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates
# DO NOT USE at busy networks or xDSL/Cable connections where packetloss can be expected
# ----------
# Credits:
# http://www.enigma.id.au/linux_tuning.txt
# http://www.securityfocus.com/infocus/1729
# http://fasterdata.es.net/TCP-tuning/linux.html
# http://fedorahosted.org/ktune/browser/sysctl.ktune
# http://www.cymru.com/Documents/ip-stack-tuning.html
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
# http://knol.google.com/k/linux-performance-tuning-and-measurement
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
# http://www.speedguide.net/read_articles.php?id=121
# http://lartc.org/howto/lartc.kernel.obscure.html
# http://en.wikipedia.org/wiki/Sysctl
# https://blog.cloudflare.com/http-2-prioritization-with-nginx/
###
### GENERAL SYSTEM SECURITY OPTIONS ###
###
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
#Allow for more PIDs
kernel.pid_max = 65535
# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
kernel.maps_protect = 1
#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 2
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65535
# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65535
# Restrict core dumps
fs.suid_dumpable = 0
# Hide exposed kernel pointers
kernel.kptr_restrict = 1
###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###
# Increase size of file handles and inode cache
fs.file-max = 209708
# Do less swapping
vm.swappiness = 30
vm.dirty_ratio = 30
vm.dirty_background_ratio = 5
# specifies the minimum virtual address that a process is allowed to mmap
vm.mmap_min_addr = 4096
# 50% overcommitment of available memory
vm.overcommit_ratio = 50
vm.overcommit_memory = 0
# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456
kernel.shmall = 268435456
# Keep at least 64MB of free RAM space available
vm.min_free_kbytes = 65535
###
### GENERAL NETWORK SECURITY OPTIONS ###
###
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
# Disables packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
# Disables IP source routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 7
# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0
# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0
# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
net.ipv4.tcp_timestamps = 1
# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535
# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1
# Do not auto-configure IPv6
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.eth0.autoconf=0
net.ipv6.conf.eth0.accept_ra=0
###
### TUNING NETWORK PERFORMANCE ###
###
# Use BBR TCP congestion control and set tcp_notsent_lowat to 16384 to ensure HTTP/2 prioritization works optimally
# Do a 'modprobe tcp_bbr' first (kernel > 4.9)
# Fall-back to htcp if bbr is unavailable (older kernels)
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_notsent_lowat = 16384
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
net.core.default_qdisc = fq
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 8388608
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 262144
net.core.rmem_max = 8388608
# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 8388608
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 262144
net.core.wmem_max = 8388608
# Increase number of incoming connections
net.core.somaxconn = 32768
# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 16384
net.core.dev_weight = 64
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65535
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608
net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144
# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50
# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048
# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024
# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32
# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30
# Increase TCP queue length
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3
# How many times to retry killing an alive TCP connection
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
net.ipv4.tcp_slow_start_after_idle = 0
# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
net.ipv4.tcp_fastopen = 3
# This will enusre that immediatly subsequent connections use the new values
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
EOF
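# PMTU probing for hosts using jumbo frames.
sudo tee /etc/sysctl.d/99-jumbo.conf > /dev/null <<-'EOF'
# recommended for hosts with jumbo frames enabled
net.ipv4.tcp_mtu_probing = 1
EOF
# "--system" already applies /etc/sysctl.conf, so the separate "-p" was redundant;
# "-e" ignores the keys the tuning profile sets that this kernel does not have,
# so they do not turn into a non-zero exit.
sudo sysctl -e --system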
# Locale: en_US.UTF-8 for yum, the legacy i18n file, locale.conf and ec2-user's profile.
printf '%s\n' 'override_install_langs=en_US' | sudo tee -a /etc/yum.conf > /dev/null
sudo tee -a /etc/sysconfig/i18n > /dev/null <<-'EOF'
LANG="en_US.UTF-8"
LANGUAGE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
EOF
printf '%s\n' 'LANG="en_US.UTF-8"' | sudo tee /etc/locale.conf > /dev/null
sudo tee -a /home/ec2-user/.bash_profile > /dev/null <<-'EOF'
LANG="en_US.UTF-8"
LANGUAGE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
export LANG
export LANGUAGE
export LC_CTYPE
EOF
# Pick the new locale up in this shell before the locale data is rebuilt.
. /home/ec2-user/.bash_profile
# Delta RPMs first (smaller downloads), full update, then rebuild the glibc
# locale and reinstall everything — presumably so package locale files are
# re-laid-out under override_install_langs; verify before shortening this.
sudo yum -y install deltarpm
sudo yum -y update
sudo yum -y reinstall glibc-common
sudo localedef -v -c -i en_US -f UTF-8 en_US.UTF-8
sudo yum -y reinstall '*'
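# Third-party repositories. The yarn repo file ships its own gpgkey/gpgcheck
# settings (confirm after download); the lynis repo is written with gpgcheck
# on. Written with overwrite rather than append so re-runs do not duplicate it.
# NOTE(review): lynis itself is never installed in this script.
sudo wget https://dl.yarnpkg.com/rpm/yarn.repo -O /etc/yum.repos.d/yarn.repo
sudo tee /etc/yum.repos.d/cisofy-lynis.repo > /dev/null <<-'EOF'
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
EOF
sudo yum-config-manager --enable amzn2-core
sudo yum-config-manager --enable yarn
# NOTE(review): no nodesource repo is added anywhere in this script, so these
# two lines only do something if it was configured beforehand.
sudo yum-config-manager --enable nodesource
sudo yum-config-manager --disable nodesource-source
sudo amazon-linux-extras install epel nginx1.12 php7.3 memcached1.5 redis4.0 -y
sudo yum -y makecache fast
# php-mbstring was listed twice in the original package set.
sudo yum -y install git postfix nginx certbot python2-certbot-nginx yarn nodejs npm \
  php-fpm php-cli php-devel php-pear php-intl php-mbstring php-gd php-xml php-process \
  php-dom php-pecl-memcached php-pecl-redis php-pecl-apcu php-opcache php-mysqlnd \
  php-zip php-ldap mariadb-server mariadb-libs mariadb redis memcached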
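# PECL extensions built from source: ssh2 (needs gcc + libssh2 headers) and xdebug.
sudo pecl channel-update pecl.php.net
sudo pecl config-set php_ini /etc/php.ini
sudo yum -y install gcc binutils libssh2 libssh2-devel --enablerepo=epel
# Empty stdin answers pecl's interactive prompt with its default.
sudo pecl install -f ssh2-1.2 <<<''
sudo chmod 755 /usr/lib64/php/modules/ssh2.so
sudo tee /etc/php.d/60-ssh2.ini > /dev/null <<-'EOF'
extension=ssh2.so
EOF
# NOTE(review): unpinned; the settings below use Xdebug 2 names and will be
# ignored if pecl resolves to Xdebug 3 (xdebug.mode / xdebug.client_host).
sudo pecl install -f xdebug
sudo chmod 755 /usr/lib64/php/modules/xdebug.so
# Remote debugging is a staging-only feature: Xdebug dials out to the fixed
# debugger host (remote_connect_back=0, so the requester's IP is not trusted).
# Do not ship this ini to production. The host was hard-coded; it is now an
# environment override with the original value as default.
XDEBUG_REMOTE_HOST="${XDEBUG_REMOTE_HOST:-121.101.92.213}"
sudo tee /etc/php.d/15-debug.ini > /dev/null <<-EOF
; Enable xdebug extension module
zend_extension = /usr/lib64/php/modules/xdebug.so
xdebug.default_enable = 1
xdebug.autostart = 1
xdebug.remote_enable = 1
xdebug.remote_connect_back = 0
xdebug.remote_host = "${XDEBUG_REMOTE_HOST}"
xdebug.remote_port = 9000
; see http://xdebug.org/docs/all_settings
EOF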
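# composer: the original piped the installer straight from the network into
# php. Download it to a temp dir, compare its SHA-384 with the signature
# composer publishes, and only then run it.
composer_tmp="$(mktemp -d)"
curl -sS https://getcomposer.org/installer -o "${composer_tmp}/installer"
expected_sig="$(curl -sS https://composer.github.io/installer.sig)"
actual_sig="$(php -r "echo hash_file('sha384', '${composer_tmp}/installer');")"
if [[ "${expected_sig}" != "${actual_sig}" ]]; then
  printf 'composer installer checksum mismatch, aborting\n' >&2
  rm -rf -- "${composer_tmp}"
  exit 1
fi
sudo php "${composer_tmp}/installer" --install-dir=/usr/local/bin
rm -rf -- "${composer_tmp}"
sudo ln -sf /usr/local/bin/composer.phar /usr/local/bin/composer
# php unit
# NOTE(review): this phar is not verified either; phar.phpunit.de publishes
# GPG signatures for its releases — check one before placing the phar in PATH.
curl -sSL https://phar.phpunit.de/phpunit-8.phar -o phpunit.phar
chmod +x phpunit.phar
sudo mv phpunit.phar /usr/bin/phpunit
# postfix: local MTA
sudo systemctl enable postfix
sudo systemctl start postfix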
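echo "9. memcachedの設定"
# The socket directory is on /var/run (tmpfs); a tmpfiles.d entry recreates it
# at boot so the unit still starts after a reboot.
sudo mkdir -p /var/run/memcached
sudo chown -R memcached:memcached /var/run/memcached
printf '%s\n' 'd /var/run/memcached 0755 memcached memcached -' | sudo tee /etc/tmpfiles.d/memcached.conf > /dev/null
# nginx (and php-fpm, which runs as the nginx user) reach the socket through
# the memcached group, so it no longer has to be world-writable: the original
# "-a 0777" let any local account read or poison the cache. The shell
# redirection that was in OPTIONS ("-vv >> ... 2>&1") is gone — assuming the
# packaged unit starts memcached via ExecStart without a shell, those tokens
# would have been handed to memcached as literal arguments; its output goes to
# the journal instead.
sudo usermod -a -G memcached nginx
sudo tee /etc/sysconfig/memcached > /dev/null <<-'EOF'
USER="memcached"
MAXCONN="1024"
CACHESIZE="1024"
OPTIONS="-s /var/run/memcached/memcached.sock -a 0660"
EOF
# Log directory and rotation rule kept for anyone who points memcached at the
# file; with the OPTIONS above nothing is written here.
sudo mkdir -p /var/log/memcached
sudo touch /var/log/memcached/memcached.log
sudo chown -R memcached:memcached /var/log/memcached
sudo tee /etc/logrotate.d/memcached > /dev/null <<-'EOF'
/var/log/memcached/*.log {
notifempty
daily
rotate 10
missingok
dateext
dateformat -%Y%m%d
copytruncate
sharedscripts
}
EOF
sudo systemctl disable memcached.service
sudo systemctl enable memcached.service
# restart (not start) so a re-run picks up the new OPTIONS.
sudo systemctl restart memcached.service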
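echo "10. redisの設定"
# Redis wants overcommit enabled; /etc/sysctl.conf is applied after sysctl.d by
# "sysctl --system", so this overrides the tuning profile's 0.
sudo sysctl vm.overcommit_memory=1
sudo tee -a /etc/sysctl.conf > /dev/null <<-'EOF'
# for redis
vm.overcommit_memory = 1
EOF
# php-fpm runs as nginx and keeps sessions in this socket; group-only socket
# permissions plus group membership replace the original 775 (the "other"
# bits were useless for connecting anyway). The append is skipped on re-runs:
# a second "rename-command FLUSHDB" after the first already removed it would
# presumably keep redis from starting.
sudo usermod -a -G redis nginx
if ! sudo grep -q '^unixsocket ' /etc/redis.conf; then
sudo tee -a /etc/redis.conf > /dev/null <<-'EOF'
#
# https://guides.wp-bullet.com/how-to-configure-redis-to-use-unix-socket-speed-boost/
#
# create a unix domain socket to listen on
unixsocket /var/run/redis/redis.sock
# set permissions for the socket
unixsocketperm 770
#
# https://www.linode.com/docs/databases/redis/install-and-configure-redis-on-centos-7/
#
appendonly yes
appendfsync everysec
#
# https://www.digitalocean.com/community/tutorials/how-to-install-secure-redis-centos-7
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
#
#rename-command CONFIG ""
#rename-command SHUTDOWN SHUTDOWN_MENOT
#rename-command CONFIG ASC12_CONFIG
EOF
fi
sudo systemctl enable redis.service
sudo systemctl restart redis.service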
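echo "11. PHPの設定"
# Shared "web" group for nginx and the admin account. The original ran
# "sudo sudo groupadd" and referenced ${OS_USER} without ever defining it.
getent group web > /dev/null || sudo groupadd web
sudo usermod -a -G web nginx
sudo usermod -a -G web "${OS_USER:-ec2-user}"
# Park the stock pool files and install one "www" pool.
sudo mkdir -p /etc/php-fpm.d/attic
sudo mv /etc/php-fpm.d/*.conf /etc/php-fpm.d/attic/
# listen.mode was 0666: any local account could submit FastCGI requests that
# run as the nginx user. nginx owns the socket and is its only client, so 0660.
sudo tee /etc/php-fpm.d/www.conf > /dev/null <<-'EOF'
[www]
user = nginx
group = web
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
pm = dynamic
pm.status_path = /status
pm.max_children = 10
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 5
pm.process_idle_timeout = 10s
pm.max_requests = 500
security.limit_extensions = .php
ping.path = /ping
ping.response = pong
slowlog = /var/log/php-fpm/www-slow.log
catch_workers_output = yes
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 256M
php_admin_value[upload_max_filesize] = 32M
php_admin_value[post_max_size] = 32M
php_admin_value[output_buffering] = 0
php_admin_value[max_input_nesting_level] = 256
php_admin_value[max_input_vars] = 10000
php_admin_value[cgi.fix_pathinfo] = 0
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
;php_value[session.save_handler] = memcached
;php_value[session.save_path] = "tcp://localhost:11211"
;php_value[session.save_path] = "/var/run/memcached/memcached.sock"
php_value[session.save_handler] = redis
;php_value[session.save_path] = "tcp://localhost:6379"
php_value[session.save_path] = "/var/run/redis/redis.sock"
;php_value[soap.wsdl_cache_dir] = "/var/lib/php/wsdlcache"
;php_admin_value[sendmail_path] = "/usr/bin/env catchmail -f root@localhost.localdomain"
EOF
sudo systemctl enable php-fpm.service
sudo systemctl restart php-fpm.service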
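echo "14. mariadbの設定"
# First start initialises the data directory; stop again before swapping configs.
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service
sleep 15
sudo systemctl stop mariadb.service
# Keep the stock files as *.default; skip the move if a previous run did it.
if [[ -f /etc/my.cnf.d/server.cnf && ! -e /etc/my.cnf.d/server.cnf.default ]]; then
  sudo mv /etc/my.cnf.d/server.cnf /etc/my.cnf.d/server.cnf.default
fi
sudo tee /etc/my.cnf.d/server.cnf > /dev/null <<-'EOF'
[server]
socket=/var/lib/mysql/mysql.sock
character-set-server=utf8mb4
skip-character-set-client-handshake
collation-server=utf8mb4_general_ci
[mysqld]
[galera]
[embedded]
[mariadb]
EOF
if [[ -f /etc/my.cnf.d/client.cnf && ! -e /etc/my.cnf.d/client.cnf.default ]]; then
  sudo mv /etc/my.cnf.d/client.cnf /etc/my.cnf.d/client.cnf.default
fi
sudo tee /etc/my.cnf.d/client.cnf > /dev/null <<-'EOF'
[client]
default-character-set=utf8mb4
[client-mariadb]
EOF
# The original wrote a hard-coded "user=mysql" / "password=..." pair for
# [mysqldump] into this world-readable file. Credentials belong in a mode-0600
# ~/.my.cnf of the account that runs dumps (root can use the unix socket).
sudo tee /etc/my.cnf.d/mysql-clients.cnf > /dev/null <<-'EOF'
[mysql]
default-character-set=utf8mb4
[mysqldump]
force
default-character-set=utf8mb4
EOF
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service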
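# Minimal HTTP vhost so certbot's HTTP-01 challenge can be answered before the
# real configuration exists.
sudo tee /etc/nginx/conf.d/01-eccube.conf > /dev/null <<-'EOF'
server {
listen 80;
listen [::]:80;
server_name _;
# Useful for Let's Encrypt
location /.well-known/acme-challenge/ { allow all; }
}
EOF
# Validate before restarting so a broken config does not take the server down.
sudo nginx -t
sudo systemctl restart nginx
# NOTE(review): registering without an e-mail means no expiry notices from
# Let's Encrypt; for anything long-lived, supply one instead of this flag.
sudo certbot certonly --nginx --register-unsafely-without-email --agree-tos -n -d "${HOST_NAME}"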
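echo "10. nginxの設定"
sudo mkdir -p /etc/nginx/common/
sudo mkdir -p /etc/nginx/.attic
sudo mv /etc/nginx/nginx.conf /etc/nginx/.attic/
sudo mkdir -p /etc/nginx/conf.d/.attic
sudo mv /etc/nginx/conf.d/*.conf /etc/nginx/conf.d/.attic/
# Raise the fd/process limits for nginx to match worker_rlimit_nofile in the
# config below. The original wrote this drop-in without sudo and into
# httpd.service.d — the wrong unit — so it never applied to nginx.
sudo mkdir -p /etc/systemd/system/nginx.service.d
sudo tee /etc/systemd/system/nginx.service.d/ulimit.conf > /dev/null <<-'EOF'
[Service]
LimitNOFILE=100000
LimitNPROC=100000
EOF
sudo systemctl daemon-reload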
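# Main nginx config (derived from denji's tuned nginx.conf). Two departures
# from the source: the global "access_log off;" that cancelled the main_ltsv
# access_log a few lines above it is removed (no access log leaves nothing to
# investigate with after an incident), and error_log runs at "warn" rather
# than "crit" so limit_req/limit_conn rejections, logged at "error", show up.
# NOTE(review): the bare "server { limit_conn ...; limit_req ...; }" block has
# no listen/server_name, so it presumably becomes an extra default *:80
# server and the limits apply to it alone, not to the vhosts in conf.d.
sudo tee /etc/nginx/nginx.conf > /dev/null <<-'EOF'
# https://gist.github.com/denji/8359866
user nginx;
pid /var/run/nginx.pid;
# you must set worker processes based on your CPU cores, nginx does not benefit from setting more than that
worker_processes auto; #some last versions calculate it automatically
worker_cpu_affinity auto;
# number of file descriptors used for nginx
# the limit for the maximum FDs on the server is usually set by the OS.
# if you don't set FD's then OS settings will be used which is by default 2000
worker_rlimit_nofile 100000;
# warn keeps rate-limit rejections and upstream failures visible
error_log /var/log/nginx/error.log warn;
events {
# determines how much clients will be served per worker
# max clients = worker_connections * worker_processes
# max clients is also limited by the number of socket connections available on the system (~64k)
worker_connections 4000;
# optimized to serve many clients with each thread, essential for linux -- for testing environment
use epoll;
# accept as many connections as possible, may flood worker connections if set too low -- for testing environment
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main_ltsv 'time:$time_local\trequest_time:$request_time\turi:$uri\trequest_uri:$request_uri\t'
'remote_addr:$remote_addr\tremote_user:$remote_user\trequest_method:$request_method\t'
'server_protocol:$server_protocol\tstatus:$status\tbody_bytes_sent:$body_bytes_sent\t'
'http_referer:$http_referer\tscheme:$scheme\thttp_user_agent:$http_user_agent';
access_log /var/log/nginx/access.log main_ltsv;
# cache informations about FDs, frequently accessed files
# can boost performance, but you need to test those values
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# copies data between one FD and other from within the kernel
# faster than read() + write()
sendfile on;
# send headers in one piece, it is better than sending them one by one
tcp_nopush on;
# don't buffer data sent, good for small data bursts in real time
tcp_nodelay on;
# reduce the data that needs to be sent over network -- for testing environment
gzip on;
# gzip_static on;
gzip_min_length 10240;
gzip_comp_level 1;
gzip_vary on;
gzip_disable msie6;
gzip_proxied expired no-cache no-store private auth;
gzip_types
# text/html is always compressed by HttpGzipModule
text/css
text/ecmascript
text/javascript
text/markdown
text/xml
text/sgml
text/plain
text/x-component
application/ecmascript
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/atom+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
# allow the server to close connection on non responding client, this will free up memory
reset_timedout_connection on;
# request timed out -- default 60
# client_body_timeout 10;
# if client stop responding, free up memory -- default 60
send_timeout 2;
# server will close connection after this time -- default 75
keepalive_timeout 30;
# number of requests client can make over keep-alive -- for testing environment
keepalive_requests 100000;
# just for security reason
server_tokens off;
# limit the number of connections per single IP
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
# limit the number of requests for a given session
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
# zone which we want to limit by upper values, we want limit whole server
server {
limit_conn conn_limit_per_ip 10;
limit_req zone=req_limit_per_ip burst=10 nodelay;
}
# if the request body size is more than the buffer size, then the entire (or partial)
# request body is written into a temporary file
client_body_buffer_size 128k;
# buffer size for reading client request header -- for testing environment
client_header_buffer_size 3m;
# maximum number and size of buffers for large headers to read from client request
large_client_header_buffers 4 256k;
# read timeout for the request body from client -- for testing environment
client_body_timeout 3m;
# how long to wait for the client to send a request header -- for testing environment
client_header_timeout 3m;
server_names_hash_bucket_size 64;
include /etc/nginx/conf.d/*.conf;
}
EOF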
# FastCGI/memcached tuning and the two unix-socket upstreams used by the vhosts.
# NOTE(review): the NGINX cache zone is declared here but no "fastcgi_cache"
# directive enables it anywhere in this script, so responses are not cached and
# the X-Cache-Status header emitted by the vhosts stays empty.
sudo tee /etc/nginx/conf.d/00-upstreams.conf <<-'EOF'
#
# FastCGI Cache
#
fastcgi_buffering on;
fastcgi_buffer_size 8k;
fastcgi_buffers 100 8k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=NGINX:15m inactive=7d max_size=1000m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout updating http_500 http_503;
fastcgi_temp_path /var/cache/nginx/temp 1 2;
fastcgi_connect_timeout 60;
fastcgi_read_timeout 2400;
fastcgi_send_timeout 2400;
fastcgi_cache_valid 200 2h;
fastcgi_cache_valid 302 2h;
fastcgi_cache_valid 301 4h;
fastcgi_cache_valid any 1m;
fastcgi_cache_revalidate on;
memcached_buffer_size 32k;
memcached_gzip_flag 1;
upstream php {
#this should match value of "listen" directive in php-fpm pool
server unix:/var/run/php-fpm/php-fpm.sock;
keepalive 60;
}
upstream memcached {
server unix:/var/run/memcached/memcached.sock;
keepalive 60;
}
EOF
# Appends to the packaged fastcgi.conf on every run (one duplicate include per run).
echo "include fastcgi_params;" | sudo tee -a /etc/nginx/fastcgi.conf > /dev/null
# Shared location rules included by the HTTPS vhost (originally written for
# EC-CUBE, as the header comment and deny list show).
# NOTE(review): the deny list names EC-CUBE's private directories; confirm it
# also covers HumHub's private paths (its "protected" tree, for example) before
# exposing the server — try_files in "location /" serves any unlisted file
# under the document root verbatim. Only ".ht*" dotfiles are blocked.
sudo tee /etc/nginx/common/eccube.conf <<-'EOF'
#
# WordPress single site rules.
# Designed to be included in any server {} block.
#
index index.php;
#charset utf-8;
# クリックジャッキング対策
add_header X-Frame-Options SAMEORIGIN;
# XSS対策
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
# 403 Forbidden対応方法
# ページアクセスできない時シンボリックリンクが有効になっていない可能性あります、
# オプションを追加してください
disable_symlinks on from=$document_root;
# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
try_files $uri $uri/ /index.php?u=$uri&$args;
# Disable caching
add_header X-Cache-Status $upstream_cache_status;
add_header Cache-Control no-cache;
expires off;
sendfile off;
}
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ [^/]\.php(/|$) {
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
# This is a robust solution for path info security issue and works with cgi.fix_pathinfo = 1 in /etc/php.ini (default)
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass php;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_intercept_errors on;
client_max_body_size 5M;
}
location ~ /\.ht {
deny all;
}
# アクセス禁止ファイル
location ~* (?:/(?:src|app|tests|var|vendor|node_modules|codeception|bin)/.*|/(?:composer|COPYING|Procfile|app.json|gulpfile.js|package.json|package-lock.json|web.config))$ {
deny all;
}
# 画像などの静的ファイル
location ~* ^.+\.(?:mp4|ttf|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|ppt|tar|mid|midi|wav|bmp|rtf|wmv)$ {
# ログ出力の有無はお好みで
access_log off;
log_not_found off;
if (-f $request_filename) {
#ブラウザキャッシュの有効時間。ここもお好みに応じて。
expires 60m;
break;
}
}
EOF
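# HTTP (redirect + ACME) and HTTPS vhosts for HumHub. Two fixes against the
# original: the server-level "return 404;" in the :80 server is evaluated in
# the rewrite phase before any location is matched, so the HTTP->HTTPS
# redirect and the ACME path could never be reached; and the inline
# "location /" duplicated the one in common/eccube.conf, which nginx rejects
# as a duplicate location, so the include alone provides it now.
# NOTE(review): client_max_body_size 0 removes nginx's upload cap here while
# the PHP location in eccube.conf caps at 5M and php-fpm at 32M — settle on
# one deliberate limit. Also confirm certbot created options-ssl-nginx.conf
# and ssl-dhparams.pem; "certonly" may not deploy them.
sudo tee /etc/nginx/conf.d/01-humhub.conf > /dev/null << EOF
map \$http_upgrade \$connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name ${HOST_NAME};
# Useful for Let's Encrypt
location /.well-known/acme-challenge/ { allow all; }
location / { return 301 https://\$host\$request_uri; }
}
server {
listen 443 ssl http2; # managed by Certbot
listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
server_name ${HOST_NAME};
ssl_certificate /etc/letsencrypt/live/${HOST_NAME}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/${HOST_NAME}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
keepalive_timeout 70;
sendfile on;
client_max_body_size 0;
root /var/www/humhub;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
add_header Strict-Transport-Security "max-age=31536000";
# "location /" (try_files to index.php) comes from the shared include below.
include common/eccube.conf;
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 501 502 503 504 /50x.html;
location = /50x.html {
}
}
EOF
sudo nginx -t
sudo systemctl restart nginx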
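# Fetch the pinned release tarball and unpack it under the web root; the
# download and extraction directory are removed afterwards.
sudo mkdir -p /var/www/humhub
wget "https://github.com/humhub/humhub/archive/v${HUMHUB_VERSION}.tar.gz" -q -O "humhub-${HUMHUB_VERSION}.tar.gz"
tar xzf "humhub-${HUMHUB_VERSION}.tar.gz"
sudo mv "humhub-${HUMHUB_VERSION}"/* /var/www/humhub
rm -rf -- "humhub-${HUMHUB_VERSION:?}" "humhub-${HUMHUB_VERSION}.tar.gz"
cd /var/www/humhub || exit 1
# Dependencies are installed as root. composer skips package scripts
# (--no-scripts); yarn does not, so its lockfile runs arbitrary code here.
sudo COMPOSER_ALLOW_SUPERUSER=1 /usr/local/bin/composer install --no-ansi --no-dev --no-interaction --no-progress --no-scripts --optimize-autoloader
sudo yarn install
# NOTE(review): giving the nginx user the whole tree lets a compromised PHP
# worker rewrite application code; root ownership with nginx-writable runtime
# and upload directories only would be the tighter layout.
sudo chown -R nginx:nginx /var/www/humhub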
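# Create the application database and user. The original wrote this SQL,
# password included, to /var/www/humhub/create.sql inside the nginx document
# root, where the shared "location /" try_files rule would serve it over HTTP.
# Feed the statements to the client on stdin instead so they never touch disk.
# NOTE(review): the '%' user accepts connections from any host; unless
# MariaDB is bound to localhost, drop it when only the local HumHub needs the
# database. "CHARACTER SET utf8" also differs from the utf8mb4 server default
# configured above.
sudo mysql -u root <<EOF
CREATE DATABASE ${HUMHUB_DB_NAME} CHARACTER SET utf8;
CREATE USER '${HUMHUB_DB_USER}'@'%' IDENTIFIED BY '${HUMHUB_DB_PASSWORD}';
CREATE USER '${HUMHUB_DB_USER}'@'localhost' IDENTIFIED BY '${HUMHUB_DB_PASSWORD}';
GRANT ALL PRIVILEGES ON ${HUMHUB_DB_NAME}.* TO '${HUMHUB_DB_USER}'@'%';
GRANT ALL PRIVILEGES ON ${HUMHUB_DB_NAME}.* TO '${HUMHUB_DB_USER}'@'localhost';
FLUSH PRIVILEGES;
EOF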