hhf/nextcloud_hardening
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

update

Browse source
This commit is contained in:
hhftechnologies 2024-10-21 13:51:04 +05:30
parent 9039a37761
commit 307beae924
39 changed files with 12719 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
BETA/etc/nginx/conf.d/http.conf Normal file
View file

@ -0,0 +1,20 @@
upstream php-handler {
server unix:/run/php/php8.0-fpm.sock;
}
map $arg_v $asset_immutable {
"" "";
default "immutable";
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name ihre.hhf.technology;
root /var/www;
location ^~ /.well-known/acme-challenge {
default_type text/plain;
root /var/www/letsencrypt;
}
location / {
return 301 https://$host$request_uri;
}
}

105
BETA/etc/nginx/conf.d/nextcloud.conf Normal file
View file

@ -0,0 +1,105 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ihre.hhf.technology;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_trusted_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve X448:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 10G;
client_body_timeout 3600s;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
root /var/www/nextcloud;
index index.php index.html /index.php$request_uri;
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /apps/rainloop/app/data {
deny all;
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
return 301 /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~ \.php(?:$|/) {
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
fastcgi_max_temp_file_size 0;
}
location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463, $asset_immutable";
expires 6M;
access_log off;
location ~ \.wasm$ {
default_type application/wasm;
}
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d;
access_log off;
}
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}

11
etc/crontab Normal file
View file

@ -0,0 +1,11 @@
# Created by running "crontab -e" as sudo user!!!
[...]
5 3 * * * /root/backup.sh > /root/backup.txt
@daily /usr/bin/journalctl --vacuum-size=2G > /dev/null 2>&1
@reboot sleep 30 && /usr/bin/systemctl enable --now notify_push
@reboot sleep 45 && /usr/bin/systemctl restart notify_push
# Optional:
# 15 3 * * 0 /usr/bin/geoipupdate && /bin/systemctl reload nginx.service > /dev/null 2>&1
# @weekly /root/renewal.sh > /var/log/renewal.log 2>&1
[...]

5
etc/fail2ban/filter.d/nextcloud.conf Normal file
View file

@ -0,0 +1,5 @@
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

10
etc/fail2ban/jail.d/nextcloud.local Normal file
View file

@ -0,0 +1,10 @@
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
bantime = 3600
findtime = 36000
logpath = /var/log/nextcloud/nextcloud.log

10
etc/hosts Normal file
View file

@ -0,0 +1,10 @@
127.0.0.1 localhost
# <hostname> = echo $(hostname)
127.0.1.1 <hostname>
# The following lines are desirable for IPv6 capable hosts
# <hostname> = echo $(hostname)
::1 <hostname> ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

60
etc/mysql/my.cnf Normal file
View file

@ -0,0 +1,60 @@
[client]
default-character-set = utf8mb4
port = 3306
socket = /var/run/mysqld/mysqld.sock
[mysqld_safe]
log_error=/var/log/mysql/mysql_error.log
nice = 0
socket = /var/run/mysqld/mysqld.sock
[mysqld]
# performance_schema=ON
basedir = /usr
bind-address = 127.0.0.1
binlog_format = ROW
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
datadir = /var/lib/mysql
default_storage_engine = InnoDB
expire_logs_days = 2
general_log_file = /var/log/mysql/mysql.log
innodb_buffer_pool_size = 2G
innodb_log_buffer_size = 32M
innodb_log_file_size = 512M
innodb_read_only_compressed=OFF
join_buffer_size = 2M
key_buffer_size = 512M
lc_messages_dir = /usr/share/mysql
lc_messages = en_US
log_bin = /var/log/mysql/mariadb-bin
log_bin_index = /var/log/mysql/mariadb-bin.index
log_bin_trust_function_creators = true
log_error = /var/log/mysql/mysql_error.log
log_slow_verbosity = query_plan
log_warnings = 2
long_query_time = 1
max_connections = 100
max_heap_table_size = 64M
max_allowed_packet = 1G
myisam_sort_buffer_size = 512M
port = 3306
pid-file = /var/run/mysqld/mysqld.pid
query_cache_limit = 0
query_cache_size = 0
read_buffer_size = 2M
read_rnd_buffer_size = 2M
skip-name-resolve
socket = /var/run/mysqld/mysqld.sock
sort_buffer_size = 2M
table_open_cache = 400
table_definition_cache = 800
tmp_table_size = 32M
tmpdir = /tmp
transaction_isolation = READ-COMMITTED
user = mysql
wait_timeout = 600
[mysqldump]
max_allowed_packet = 1G
quick
quote-names
[isamchk]
key_buffer = 16M

20
etc/nginx/conf.d/http.conf Normal file
View file

@ -0,0 +1,20 @@
upstream php-handler {
server unix:/run/php/php8.2-fpm.sock;
}
map $arg_v $asset_immutable {
"" "";
default "immutable";
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name ihre.hhf.technology;
root /var/www;
location ^~ /.well-known/acme-challenge {
default_type text/plain;
root /var/www/letsencrypt;
}
location / {
return 301 https://$host$request_uri;
}
}

122
etc/nginx/conf.d/nextcloud-mit-push.conf Normal file
View file

@ -0,0 +1,122 @@
limit_req_zone $binary_remote_addr zone=NextcloudRateLimit:10m rate=2r/s;
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name ihre.hhf.technology;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_trusted_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve X448:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 10G;
client_body_timeout 3600s;
client_body_buffer_size 512k;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
include mime.types;
types {
text/javascript mjs;
}
root /var/www/nextcloud;
index index.php index.html /index.php$request_uri;
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
return 301 /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~ \.php(?:$|/) {
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
fastcgi_max_temp_file_size 0;
}
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463, $asset_immutable";
expires 6M;
access_log off;
location ~ \.wasm$ {
default_type application/wasm;
}
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d;
access_log off;
}
location /remote {
return 301 /remote.php$request_uri;
}
location /login {
limit_req zone=NextcloudRateLimit burst=5 nodelay;
limit_req_status 429;
try_files $uri $uri/ /index.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
location ^~ /push/ {
proxy_pass http://127.0.0.1:7867/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

114
etc/nginx/conf.d/nextcloud.conf Normal file
View file

@ -0,0 +1,114 @@
limit_req_zone $binary_remote_addr zone=NextcloudRateLimit:10m rate=2r/s;
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name ihre.hhf.technology;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_trusted_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve X448:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 10G;
client_body_timeout 3600s;
client_body_buffer_size 512k;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
include mime.types;
types {
text/javascript mjs;
}
root /var/www/nextcloud;
index index.php index.html /index.php$request_uri;
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
return 301 /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~ \.php(?:$|/) {
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
fastcgi_max_temp_file_size 0;
}
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463, $asset_immutable";
expires 6M;
access_log off;
location ~ \.wasm$ {
default_type application/wasm;
}
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d;
access_log off;
}
location /remote {
return 301 /remote.php$request_uri;
}
location /login {
limit_req zone=NextcloudRateLimit burst=5 nodelay;
limit_req_status 429;
try_files $uri $uri/ /index.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}

41
etc/nginx/nginx.conf Normal file
View file

@ -0,0 +1,41 @@
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 2048;
multi_accept on; use epoll;
}
http {
log_format criegerde escape=json
'{'
'"time_local":"$time_local",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status": "$status",'
'"body_bytes_sent":"$body_bytes_sent",'
'"request_time":"$request_time",'
'"http_referrer":"$http_referer",'
'"http_user_agent":"$http_user_agent"'
'}';
server_names_hash_bucket_size 64;
access_log /var/log/nginx/access.log criegerde;
error_log /var/log/nginx/error.log warn;
#set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver 127.0.0.53 valid=30s;
resolver_timeout 5s;
include /etc/nginx/conf.d/*.conf;
}

1947
etc/php/8.0/fpm/php.ini Normal file
View file

File diff suppressed because it is too large Load diff

457
etc/php/8.0/fpm/pool.d/www.conf Normal file
View file

@ -0,0 +1,457 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php8.0-fpm.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = static
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 600
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
pm.start_servers = 300
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 200
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 400
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
pm.max_requests = 2000
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following information:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/8.0/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{milliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
; application calls 'fastcgi_finish_request' or when application has finished and
; shutdown functions are being called (registered via register_shutdown_function).
; This option will enable timeout limit to be applied unconditionally
; even in such cases.
; Default Value: no
;request_terminate_timeout_track_finished = no
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

1950
etc/php/8.1/fpm/php.ini Normal file
View file

File diff suppressed because it is too large Load diff

463
etc/php/8.1/fpm/pool.d/www.conf Normal file
View file

@ -0,0 +1,463 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php8.1-fpm.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 600
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
pm.start_servers = 300
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 200
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 400
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
pm.max_requests = 2000
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following information:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/8.1/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{milliseconds}d
; - %{milli}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
; application calls 'fastcgi_finish_request' or when application has finished and
; shutdown functions are being called (registered via register_shutdown_function).
; This option will enable timeout limit to be applied unconditionally
; even in such cases.
; Default Value: no
;request_terminate_timeout_track_finished = no
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

1977
etc/php/8.2/fpm/php.ini Normal file
View file

File diff suppressed because it is too large Load diff

490
etc/php/8.2/fpm/pool.d/www.conf Normal file
View file

@ -0,0 +1,490 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of the child processes. This can be used only if the master
; process running user is root. It is set after the child process is created.
; The user and group can be specified either by their name or by their numeric
; IDs.
; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php8.2-fpm.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: Owner is set to the master process running user. If the group
; is not set, the owner's group is used. Mode is set to 0660.
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 200
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
pm.start_servers = 100
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 60
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 140
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
pm.max_requests = 2000
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following information:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/8.2/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
; pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{milliseconds}d
; - %{milli}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precuation, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
; application calls 'fastcgi_finish_request' or when application has finished and
; shutdown functions are being called (registered via register_shutdown_function).
; This option will enable timeout limit to be applied unconditionally
; even in such cases.
; Default Value: no
;request_terminate_timeout_track_finished = no
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

12
etc/php/8.3/fpm/conf.d/20-mysqli.ini Normal file
View file

@ -0,0 +1,12 @@
; configuration for php mysql module
; priority=20
extension=mysqli.so
[mysql]
mysql.allow_local_infile=On
mysql.allow_persistent=On
mysql.cache_size=2000
mysql.max_persistent=-1
mysql.max_links=-1
mysql.default_port=3306
mysql.connect_timeout=60
mysql.trace_mode=Off

1966
etc/php/8.3/fpm/php.ini Normal file
View file

File diff suppressed because it is too large Load diff

491
etc/php/8.3/fpm/pool.d/www.conf Normal file
View file

@ -0,0 +1,491 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of the child processes. This can be used only if the master
; process running user is root. It is set after the child process is created.
; The user and group can be specified either by their name or by their numeric
; IDs.
; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php8.3-fpm.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: Owner is set to the master process running user. If the group
; is not set, the owner's group is used. Mode is set to 0660.
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = ondemand
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 200
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
pm.start_servers = 100
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 60
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 140
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
pm.max_requests = 1000
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following information:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/8.3/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{milliseconds}d
; - %{milli}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precuation, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
; application calls 'fastcgi_finish_request' or when application has finished and
; shutdown functions are being called (registered via register_shutdown_function).
; This option will enable timeout limit to be applied unconditionally
; even in such cases.
; Default Value: no
;request_terminate_timeout_track_finished = no
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

1373
etc/redis/redis.conf Normal file
View file

File diff suppressed because it is too large Load diff

37
etc/ssh/sshd_config Normal file
View file

@ -0,0 +1,37 @@
Port 23456 # « BITTE ANPASSEN!
Protocol 2
AcceptEnv LANG LC_*
AllowTcpForwarding no
AllowUsers IhrBenutzer # « BITTE ANPASSEN!
AuthenticationMethods publickey
ChallengeResponseAuthentication yes
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
LogLevel INFO
LoginGraceTime 30s
MaxAuthTries 3
MaxSessions 3
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
PrintMotd no
PrintLastLog yes
Subsystem sftp /usr/lib/openssh/sftp-server
SyslogFacility AUTH
StrictModes yes
TCPKeepAlive yes
ClientAliveInterval 40
ClientAliveCountMax 360
UseDNS yes
UsePAM yes
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
# Match User administrator
# PasswordAuthentication yes
# AuthenticationMethods keyboard-interactive

25
etc/ssl/certs/dhparam.pem Normal file
View file

@ -0,0 +1,25 @@
-----BEGIN X9.42 DH PARAMETERS-----
MIIELAKCAgEAoc3ionWeJsG9cVU3+vHQ+pmMrlDxOFy4Ded4tWQQWyy3v8LhGDa5
SCAorJX2IZizDrKE3RKIADavqpy3aLiYRgTbz/8expOG7fVhpPuzZtj/4tuVmyKV
VBQyd8GrxCIREMW3Kh7B9PPQ1vfZx9O75SniNcvBZQWUn7pjzAx+U8pzuYojo3Fg
sLV88O0tYt0fIjPRm22868qH+Trgg0fYAAipdIvGDC+3fLRcPQCUa+xizgJYbe/a
Q3DtMe49bV/sFfkQ7hGCvdSlJ7ADrTLbdszDEt+ZrTVAWItfb+X6oYObVRwg9UVP
eEWtMptUAJxl7AG/T3pTWVizQPKdHPVnrkOB+bwp7+t+3V1OazALe7wtR87azoPt
kKMgnZy3ul6gw4fdDoFdgoE6hWbU7Iz6ilMaSSXgeHNs/1FaNU9rBcJu6h8EGeKx
bzPYhC1Y/XFfmIcdV/zLWY6/6e3XlairG7pJY6KVHaTCx26/+uvODsfTHiwqdITL
c1xu5Ookml27SsgLq0eUtesp2aE4S785hJPUa7/D5mYbUnyuwrWfgnTNxBATEfE5
FlI3EH5xmnu41f9GezmwEKXhgssbfP9sPa1gsZAVeRjxvvCELtn5GtpGlwx5M5rg
lN6Dz2+yTsiqZfcoxUgZXT/U50YAMtVB/1Tvthm+CZvQFYJ7JITZpZkCggIADwCr
vhTzuMJ7VMwrZRBjkutzBXpNO4r8NIWwFcd5X0exFMErzhm5HopgtcIv4EwgPu0u
QCVJ1KbYJ9LgUvJJZFmf9S9F1bBnBVH9lFLKhL5s1WnQ2ExGp9oV4/BGzcvXXmCK
l5RY6s4ZMU68qZ1bgQJx126BZ5uZIzPuxPpJnTy8F3S+xqqAPowkK8W7ZpKJmVL0
Uv6hcL2/9jgxVA24KTo/31voTCcINVWAqpPjiD25Sh6Q5PXLsaHlNvnpKJPOvb7b
ftGdepP3ux2retAG4yTGiNfWhjfta4tSLI4t3xBme0Xrb8vfhVVHtJGx6BDqxbCx
tnI9WirP7pmJn/lMLiw6sg94N3eFI7IN+16UkYO2J0VGWVFhraNsft9DcHweQkFe
teIrKJJxKsnNLyGalNbG6Crt6ugPhTA13ITMNJqGlUSlkAVsv55TW2KgOvHzvnLl
bfLFYiB7bG3Zrt2ZbvH11pRBySppQWQ4WvoOc5j0uiQf9TOdjH9Z97uJFwJLznDz
eN/aj5kTH0UrubIjhjCrKEPxP788Wp5ajoYEqsc/ki50esQ5NzqFRVV9wKojW92m
K/4WsuKc5wEVY2qD2MFzZaJT0Otzb/oEDkmeGwbAzJO2Ji4hWVCgdrBiK5Ra+dUP
kJ4CLLIoKK6E7uq+pPEm/gu0nKIOWeRDnpEc1uACIQDK1XsBcYmgEi2nqJKVhlmh
8gQXk7C7dQ3oiq5XBbd80Q==
-----END X9.42 DH PARAMETERS-----

69
etc/sysctl.conf Normal file
View file

@ -0,0 +1,69 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
#kernel.sysrq=438
vm.overcommit_memory = 1

11
etc/systemd/system/notify_push.service Normal file
View file

@ -0,0 +1,11 @@
[Unit]
Description = Push daemon for Nextcloud clients
After=mariadb.service
[Service]
Environment=PORT=7867
Environment=NEXTCLOUD_URL=https://ihre.hhf.technology
ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
User=www-data
[Install]
WantedBy = multi-user.target

68
skripte/borg-backup.sh Normal file
View file

@ -0,0 +1,68 @@
#!/bin/bash
export BORG_PASSPHRASE='IhrGeheimesBORG-SECRET'
export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes
export BORG_RELOCATED_REPO_ACCESS_IS_OK=yes
startTime=$(date +%s)
currentDate=$(date --date @"$startTime" +"%Y%m%d_%H%M%S")
currentDateReadable=$(date --date @"$startTime" +"%d.%m.%Y - %H:%M:%S")
logDirectory="/backup-logs/"
logFile="${logDirectory}/${currentDate}.log"
backupDiscMount="/borgbackup/cloud"
localBackupDir="/borgbackup/cloud/temp"
borgRepository="${backupDiscMount}/daten"
borgBackupDirs="/etc/ /root/ /var/www/nextcloud/ $localBackupDir/"
nextcloudFileDir='/var/www/nextcloud'
webserverServiceName='nginx'
webserverUser='www-data'
nextcloudDatabase='Datenbankname'
dbUser='Datenbankbenutzer'
dbPassword='DatenbankPasswort'
fileNameBackupDb='nextcloud.sql'
if [ ! -d "${logDirectory}" ]
then
mkdir -p "${logDirectory}"
fi
errorecho() { cat <<< "$@" 1>&2; }
exec > >(tee -i "${logFile}")
exec 2>&1
if [ "$(id -u)" != "0" ]
then
errorecho "ERROR: This script has to be run as root!"
exit 1
fi
if [ ! -d "${localBackupDir}" ]
then
errorecho "ERROR: The local backup directory ${localBackupDir} does not exist!"
exit 1
fi
echo -e "\n###### Start des Backups: ${currentDateReadable} ######\n"
echo -e "Daten werden zusammengestellt"
dpkg --get-selections > "${localBackupDir}/software.list"
sudo -u "${webserverUser}" php ${nextcloudFileDir}/occ maintenance:mode --on
echo "nginx wird gestoppt"
systemctl stop "${webserverServiceName}"
echo "Datenbanksicherung wird erstellt"
mysqldump --single-transaction --routines -h localhost -u "${dbUser}" -p"${dbPassword}" "${nextcloudDatabase}" > "${localBackupDir}/${fileNameBackupDb}"
echo -e "\nBackup mit borgbackup"
borg create --stats \
$borgRepository::"${currentDate}" \
$localBackupDir \
$borgBackupDirs
echo
echo "nginx wird gestartet"
systemctl start "${webserverServiceName}"
sudo -u "${webserverUser}" php ${nextcloudFileDir}/occ maintenance:mode --off
rm "${localBackupDir}"/software.list
rm -r "${localBackupDir}/${fileNameBackupDb}"
borg prune --progress --stats $borgRepository --keep-within=7d --keep-weekly=4 --keep-monthly=6
endTime=$(date +%s)
endDateReadable=$(date --date @"$endTime" +"%d.%m.%Y - %H:%M:%S")
duration=$((endTime-startTime))
durationSec=$((duration % 60))
durationMin=$(((duration / 60) % 60))
durationHour=$((duration / 3600))
durationReadable=$(printf "%02d Stunden %02d Minuten %02d Sekunden" $durationHour $durationMin $durationSec)
echo -e "\n###### Ende des Backups: ${endDateReadable} (${durationReadable}) ######\n"
echo -e "Plattenbelegung:\n"
df -h ${backupDiscMount}
mail -s "Nextcloud-Backup - $(date --date @"$startTime" +"%d.%m.%Y")" -a "FROM: Ihr Name <ihre@emailadresse.de>" ihre@emailadresse.de < /Pfad/zur/Logdatei

108
skripte/borg-remote-mariadb.sh Normal file
View file

@ -0,0 +1,108 @@
#!/usr/bin/env bash
#
# Nextcloud Sicherung: Hetzner-Storagebox
# Datenbanktyp: MariaDB
#
###################################################################################################
export BORG_RSH='ssh -i /home/<user>/.ssh/id_ed25519'
# /home/<user>/.ssh/id_ed25519: Pfad zum privaten Schlüssel
export BORG_PASSPHRASE="SECRET-PASSPHRASE"
# SECRET-PASSPHRASE: Passphrase, mit dem das Repo erstellt wurde
VORNAME="Vorname"
# Vorname: Ihr Vorname
NACHNAME="Nachname"
# Nachname: Ihr Nachname
EMAIL="mail@hhf.technology"
# mail@hhf.technology: Ihre Emailadresse
NPATH="/var/www/nextcloud"
# NPATH: Pfad zur Nextlcoud-Software
WEBSERVER="nginx"
# WEBSERVER: "nginx" oder "apache2"
PHPVERSION="8.2"
# PHPVERSION: "8.3" oder "8.2" oder "8.1"
BACKUP_USER="uxxxxxx"
# BACKUP_USER: Ihr Benutzer der Hetzner Storage Box
REPOSITORY_DIR="cloud"
# REPOSITORY_DIR: Der Name des BORG-Repositories
###################################################################################################
#
# ____ ___ ____ _ _ _____ ____ _ _ _ _ ____
# / ___|_ _/ ___| | | | ____| _ \| | | | \ | |/ ___|
# \___ \| | | | |_| | _| | |_) | | | | \| | | _
# ___) | | |___| _ | |___| _ <| |_| | |\ | |_| |
# |____/___\____|_| |_|_____|_| \_\\___/|_| \_|\____|
#
#
###################################################################################################
#
# »»» Ab hier bitte keine Änderungen mehr vornehmen »»»
NEXTCLOUDDATEN=$(sudo -u www-data php $NPATH/occ config:system:get datadirectory)
NEXTCLOUDDB=$(sudo -u www-data php $NPATH/occ config:system:get dbname)
NEXTCLOUDDBUSER=$(sudo -u www-data php $NPATH/occ config:system:get dbuser)
NEXTCLOUDDBPASSWORD=$(sudo -u www-data php $NPATH/occ config:system:get dbpassword)
sudo -u www-data php $NPATH/occ maintenance:mode --on
if [ ! -d "/var/log/borg" ]; then
mkdir -p /var/log/borg
fi
if [ ! -d "/sicherung/sql" ]; then
mkdir -p /sicherung/sql
fi
mkdir -p /var/log/borg /backup/sql
LOG="/var/log/borg/$(date +%y%m%d-%H%M)-backup.log"
REPOSITORY="ssh://${BACKUP_USER}@${BACKUP_USER}.your-storagebox.de:23/./backup/${REPOSITORY_DIR}"
errorecho() { cat <<< "$@" 1>&2; }
exec > >(tee -i "${LOG}")
exec 2>&1
echo "###### Backup gestartet: $(date) ######"
echo ""
echo "Dienste werden gestoppt ..."
systemctl stop $WEBSERVER.service php$PHPVERSION-fpm.service redis-server.service
echo ""
echo "Datenbanksicherung wird erstellt ..."
mysqldump --single-transaction --routines -h localhost -u$NEXTCLOUDDBUSER -p$NEXTCLOUDDBPASSWORD -e $NEXTCLOUDDB > /sicherung/sql/nextcloud.sql
echo ""
echo "Datenbankgröße ermitteln ..."
mysql -u$NEXTCLOUDDBUSER -p$NEXTCLOUDDBPASSWORD -e "SELECT table_schema 'DB',round(sum(data_length+index_length)/1024/1024,2) 'Size (MB)' from information_schema.tables WHERE table_schema='$NEXTCLOUDDB';"
systemctl stop mariadb.service
echo ""
echo "Übertrage Dateien ..."
borg create -v --stats \
$REPOSITORY::$(date +%y%m%d-%H%M) \
/root \
/etc \
/var/www \
/home \
$NEXTCLOUDDATEN \
/sicherung/sql \
--exclude /backup \
--exclude /dev \
--exclude /proc \
--exclude /sys \
--exclude /var/run \
--exclude /run \
--exclude /lost+found \
--exclude /mnt \
--exclude /var/lib/lxcfs
echo ""
borg prune --progress --stats $REPOSITORY --keep-within=7d --keep-weekly=4 --keep-monthly=6
echo ""
echo "Dienste werden gestartet ..."
systemctl restart mariadb.service redis-server.service php$PHPVERSION-fpm.service $WEBSERVER.service
echo ""
echo "Aufräumen ..."
rm -f /sicherung/sql/nextcloud.sql
sudo -u www-data php $NPATH/occ maintenance:mode --off
echo ""
echo "###### Backup beendet: $(date) ######"
mail -s "CLOUD-Backup" -a "FROM: $VORNAME $NACHNAME <$EMAIL>" $EMAIL < $LOG
exit 0

107
skripte/borg-remote-psql.sh Normal file
View file

@ -0,0 +1,107 @@
#!/usr/bin/env bash
#
# Nextcloud Sicherung: Hetzner-Storagebox
# Datenbanktyp: postgreSQL
#
###################################################################################################
export BORG_RSH='ssh -i /home/<user>/.ssh/id_ed25519'
# /home/<user>/.ssh/id_ed25519: Pfad zum privaten Schlüssel
export BORG_PASSPHRASE="SECRET-PASSPHRASE"
# SECRET-PASSPHRASE: Passphrase, mit dem das Repo erstellt wurde
VORNAME="Vorname"
# Vorname: Ihr Vorname
NACHNAME="Nachname"
# Nachname: Ihr Nachname
EMAIL="mail@hhf.technology"
# mail@hhf.technology: Ihre Emailadresse
NPATH="/var/www/nextcloud"
# NPATH: Pfad zur Nextlcoud-Software
WEBSERVER="nginx"
# WEBSERVER: "nginx" oder "apache2"
PHPVERSION="8.2"
# PHPVERSION: "8.3" oder "8.2" oder "8.1"
BACKUP_USER="uxxxxxx"
# BACKUP_USER: Ihr Benutzer der Hetzner Storage Box
REPOSITORY_DIR="cloud"
# REPOSITORY_DIR: Der Name des BORG-Repositories
###################################################################################################
#
# ____ ___ ____ _ _ _____ ____ _ _ _ _ ____
# / ___|_ _/ ___| | | | ____| _ \| | | | \ | |/ ___|
# \___ \| | | | |_| | _| | |_) | | | | \| | | _
# ___) | | |___| _ | |___| _ <| |_| | |\ | |_| |
# |____/___\____|_| |_|_____|_| \_\\___/|_| \_|\____|
#
#
###################################################################################################
#
# »»» Ab hier bitte keine Änderungen mehr vornehmen »»»
NEXTCLOUDDATEN=$(sudo -u www-data php $NPATH/occ config:system:get datadirectory)
NEXTCLOUDDB=$(sudo -u www-data php $NPATH/occ config:system:get dbname)
NEXTCLOUDDBUSER=$(sudo -u www-data php $NPATH/occ config:system:get dbuser)
NEXTCLOUDDBPASSWORD=$(sudo -u www-data php $NPATH/occ config:system:get dbpassword)
sudo -u www-data php $NPATH/occ maintenance:mode --on
if [ ! -d "/var/log/borg" ]; then
mkdir -p /var/log/borg
fi
if [ ! -d "/sicherung/sql" ]; then
mkdir -p /sicherung/sql
fi
LOG="/var/log/borg/$(date +%y%m%d-%H%M)-backup.log"
REPOSITORY="ssh://${BACKUP_USER}@${BACKUP_USER}.your-storagebox.de:23/./backup/${REPOSITORY_DIR}"
errorecho() { cat <<< "$@" 1>&2; }
exec > >(tee -i "${LOG}")
exec 2>&1
echo "###### Backup gestartet: $(date) ######"
echo ""
echo "Dienste werden gestoppt ..."
systemctl stop $WEBSERVER.service php$PHPVERSION-fpm.service redis-server.service
echo ""
echo "Datenbanksicherung wird erstellt ..."
PGPASSWORD="$NEXTCLOUDDBPASSWORD" pg_dump $NEXTCLOUDDB -h localhost -U $NEXTCLOUDDBUSER -f /sicherung/sql/nextcloud.sql
echo ""
echo "Datenbankgröße ermitteln ..."
PGPASSWORD="$NEXTCLOUDDBPASSWORD" psql -h localhost -U $NEXTCLOUDDBUSER -c "SELECT pg_size_pretty(pg_database_size('$NEXTCLOUDDB'));" -e $NEXTCLOUDDB
systemctl stop postgresql.service
echo ""
echo "Übertrage Dateien ..."
borg create -v --stats \
$REPOSITORY::$(date +%y%m%d-%H%M) \
/root \
/etc \
/var/www \
/home \
$NEXTCLOUDDATEN \
/sicherung/sql \
--exclude /backup \
--exclude /dev \
--exclude /proc \
--exclude /sys \
--exclude /var/run \
--exclude /run \
--exclude /lost+found \
--exclude /mnt \
--exclude /var/lib/lxcfs
echo ""
borg prune --progress --stats $REPOSITORY --keep-within=7d --keep-weekly=4 --keep-monthly=6
echo ""
echo "Dienste werden gestartet ..."
systemctl restart postgresql.service redis-server.service php$PHPVERSION-fpm.service $WEBSERVER.service
echo ""
echo "Aufräumen ..."
rm -f /sicherung/sql/nextcloud.sql
sudo -u www-data php $NPATH/occ maintenance:mode --off
echo ""
echo "###### Backup beendet: $(date) ######"
mail -s "CLOUD-Backup" -a "FROM: $VORNAME $NACHNAME <$EMAIL>" $EMAIL < $LOG
exit 0

38
skripte/dbsicherung.sh Normal file
View file

@ -0,0 +1,38 @@
#!/usr/bin/env bash
#
# Nextcloud Datenbanksicherung
# Datenbanktyp: postgreSQL oder MariaDB
#
#########################################
NPATH="/var/www/nextcloud"
SPATH="/home/<user>/sicherung/sql"
SNPATH="/home/<user>/sicherung/nextcloud"
SDATE="$(date +%d.%m-%H.%M)_nextcloud.sql"
########################################
if [ ! -d $SPATH ]; then
mkdir -p $SPATH
fi
if [ ! -d $SNPATH ]; then
mkdir -p $SNPATH
fi
NEXTCLOUDDBTYPE=$(sudo -u www-data php $NPATH/occ config:system:get dbtype)
NEXTCLOUDDATEN=$(sudo -u www-data php $NPATH/occ config:system:get datadirectory)
NEXTCLOUDDB=$(sudo -u www-data php $NPATH/occ config:system:get dbname)
NEXTCLOUDDBUSER=$(sudo -u www-data php $NPATH/occ config:system:get dbuser)
NEXTCLOUDDBPASSWORD=$(sudo -u www-data php $NPATH/occ config:system:get dbpassword)
clear
echo " » Die Datenbanksicherung wird gestartet..."
if [ $NEXTCLOUDDBTYPE = "pgsql" ]; then
PGPASSWORD="$NEXTCLOUDDBPASSWORD" pg_dump $NEXTCLOUDDB -h localhost -U $NEXTCLOUDDBUSER -f $SPATH/$SDATE
else
mysqldump --single-transaction --routines -h localhost -u$NEXTCLOUDDBUSER -p$NEXTCLOUDDBPASSWORD -e $NEXTCLOUDDB > $SPATH/$SDATE
fi
echo ""
echo " » Die Datenbankgröße wird ermittelt..."
echo -e "\033[32m » $(du -sh $SPATH/$SDATE | awk '{ print $1 }')\033[0m"
echo ""
echo " » Das Nextcloudverzeichnis wird gesichert..."
echo -e "\033[32m » $(du -sh $SNPATH| awk '{ print $1 }')\033[0m"
rsync -a $NPATH/ $SNPATH
echo ""
exit 0

10
skripte/hold.sh Normal file
View file

@ -0,0 +1,10 @@
#!/bin/bash
apt-mark hold mariadb*
apt-mark hold galera*
apt-mark hold *mariadb*
apt-mark hold mysql*
apt-mark hold nginx*
apt-mark hold php8.*
apt-mark hold php*
apt-mark hold redis*
exit 0

10
skripte/permissions.sh Normal file
View file

@ -0,0 +1,10 @@
#!/bin/bash
find /var/www/ -type f -print0 | xargs -0 chmod 0640
find /var/www/ -type d -print0 | xargs -0 chmod 0750
chmod -R 775 /var/www/letsencrypt
chmod -R 770 /etc/letsencrypt
chown -R www-data:www-data /var/www /etc/letsencrypt
chown -R www-data:www-data /Pfad/zum/Cloud-Datenverzeichnis
chmod 0644 /var/www/nextcloud/.htaccess
chmod 0644 /var/www/nextcloud/.user.ini
exit 0

25
skripte/phpcalc.sh Normal file
View file

@ -0,0 +1,25 @@
#!/bin/bash
################################
# Bitte die PHP-Version angeben!
################################
phpv="8.3"
################################
AvailableRAM=$(awk '/MemAvailable/ {printf "%d", $2/1024}' /proc/meminfo)
AverageFPM=$(ps --no-headers -o 'rss,cmd' -C php-fpm$phpv | awk '{ sum+=$1 } END { printf ("%d\n", sum/NR/1024,"M") }')
FPMS=$((AvailableRAM/AverageFPM))
PMaxSS=$((FPMS*2/3))
PMinSS=$((PMaxSS/2))
PStartS=$(((PMaxSS+PMinSS)/2))
clear
echo ""
echo "Verfügbarer Speicher (RAM) = "$AvailableRAM "MB"
echo "Speicherverbrauch FPM-Prozesse = "$AverageFPM "MB"
echo ""
echo "pm.max_children = "$FPMS
echo "pm.start_servers = "$PStartS
echo "pm.min_spare_servers = "$PMinSS
echo "pm.max_spare_servers = "$PMaxSS
echo ""
echo " » https://forum.hhf.technology «"
echo ""
exit 0

6
skripte/restart.sh Normal file
View file

@ -0,0 +1,6 @@
#!/bin/bash
echo "Neustart der Nextcloud-Services..."
systemctl stop nginx.service
systemctl restart mariadb.service redis-server.service php8.1-fpm.service
systemctl start nginx.service
exit 0

10
skripte/unhold.sh Normal file
View file

@ -0,0 +1,10 @@
#!/bin/bash
apt-mark unhold mariadb*
apt-mark unhold galera*
apt-mark unhold *mariadb*
apt-mark unhold mysql*
apt-mark unhold nginx*
apt-mark unhold php8.*
apt-mark unhold php*
apt-mark unhold redis*
exit 0

33
skripte/update-coturn.sh Normal file
View file

@ -0,0 +1,33 @@
#!/bin/bash
apt update
apt upgrade -V
apt autoremove
apt autoclean
clear
echo ""
echo -n " » coturn Neustart gewünscht [y|n]?"
read answer
clear
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
if [ "$answer" != "${answer#[YyjJ]}" ] ;then
/usr/bin/systemctl restart coturn.service
echo " » Dienste werden neu gestartet..."
else
echo " » Sie wünschen keinen Neustart des coturn-Services."
fi
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
if [ -e /var/run/reboot-required ]; then
echo -e " »\e[1;31m ACHTUNG: ES IST EIN SERVERNEUSTART ERFORDERLICH.\033[0m"
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
else
echo -e " »\033[32m KEIN Serverneustart notwendig.\033[0m"
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
fi
echo ""
exit 0

228
skripte/update-nc-office.sh Normal file
View file

@ -0,0 +1,228 @@
#!/bin/bash
# Nextcloud-Updateskript
# --------------------------------------------------------------
# Bitte setzen Sie diese Parameter entsprechend Ihrer Nextcloud
# --------------------------------------------------------------
WEBSERVER="nginx"
# alternativ "apache2"
PHPVERSION="8.3"
# alternativ "8.1" oder "8.2"
DPATH="/var/www/nextcloud"
# alternativ "/Pfad/zur/Nextcloud-Software"
NCALIASGROUP="https://ihre.hhf.technology:443,https://ihre\\.domain\\.de:443"
# ersetzen Sie "ihre", "domain" und "de"
NCOUSERNAME="NextcloudOfficeAdmin-Benutzername"
# ersetzen Sie "NextcloudOfficeAdmin-Benutzername"
NCOUSERPWD="NextcloudOfficeAdmin-Passwort"
# ersetzen Sie "NextcloudOfficeAdmin-Passwort"
SPATH="/sicherung/sql"
SNPATH="/sicherung/nextcloud"
# Sicherungverzeichnisse angeben
# --------------------------------------------------------------
# »»» Ab hier KEINE Änderungen mehr vornehmen! «««
# --------------------------------------------------------------
if [ -f /tmp/ncupdateskript ]; then
clear
clear
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
echo " » Das Updateskript ist bereits aktiv - *ABBRUCH*"
echo " » Oder wurde ein vorheriger Prozess abgebrochen?"
echo ""
echo " » "$(ls /tmp/ncupdateskript)
echo ""
echo " » Entfernen Sie ggf. die Datei mit diesem Befehl:"
echo " » sudo rm -f /tmp/ncupdateskript"
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
exit 1
fi
if [ "$USER" != "root" ]
then
clear
echo ""
echo " » KEINE ROOT-BERECHTIGUNGEN | NO ROOT PERMISSIONS"
echo ""
echo "----------------------------------------------------------"
echo " » Bitte starten Sie das Skript als root: 'sudo ./zero.sh'"
echo " » Please run this script as root using: 'sudo ./zero.sh'"
echo "----------------------------------------------------------"
echo ""
exit 1
fi
touch /tmp/ncupdateskript
clear
echo ""
echo " » Die Parameter der Nextcloud werden ermittelt..."
echo ""
NEXTCLOUDVERSION=$(sudo -u www-data php $DPATH/occ config:system:get version)
NEXTCLOUDDATEN=$(sudo -u www-data php $DPATH/occ config:system:get datadirectory)
NEXTCLOUDDBTYPE=$(sudo -u www-data php $DPATH/occ config:system:get dbtype)
NEXTCLOUDDBHOST=$(sudo -u www-data php $DPATH/occ config:system:get dbhost)
NEXTCLOUDDB=$(sudo -u www-data php $DPATH/occ config:system:get dbname)
NEXTCLOUDDBUSER=$(sudo -u www-data php $DPATH/occ config:system:get dbuser)
NEXTCLOUDDBPASSWORD=$(sudo -u www-data php $DPATH/occ config:system:get dbpassword)
NEXTCLOUDDBTYPE=$(sudo -u www-data php $DPATH/occ config:system:get dbtype)
SDATE="nextcloud.sql"
apt update
if [ $NEXTCLOUDDBTYPE = "pgsql" ]; then
apt-mark unhold pgsql*
apt-mark unhold postgresql*
else
apt-mark unhold mariadb-*
apt-mark unhold mysql-*
apt-mark unhold galera-*
fi
apt-mark unhold $WEBSERVER*
apt-mark unhold redis*
apt-mark unhold php-* php$PHPVERSION-*
apt-mark unhold elasticsearch*
apt upgrade -V
if [ $NEXTCLOUDDBTYPE = "pgsql" ]; then
apt-mark hold pgsql*
apt-mark hold postgresql*
else
apt-mark hold mariadb-*
apt-mark hold mysql-*
apt-mark hold galera-*
fi
apt-mark hold $WEBSERVER*
apt-mark hold redis*
apt-mark hold php-* php$PHPVERSION-*
apt-mark hold elasticsearch*
apt autoremove
apt autoclean
chown -R www-data:www-data $DPATH
find $DPATH/ -type d -exec chmod 750 {} \;
find $DPATH/ -type f -exec chmod 640 {} \;
if [ -d "$DPATH/apps/notify_push" ]; then
sudo chmod ug+x $DPATH/apps/notify_push/bin/x86_64/notify_push
fi
clear
echo ""
echo -n " » Soll eine DB- und Nextcloud-Dateisicherung erstellt werden [y|n]?"
read answer
if [ "$answer" != "${answer#[YyjJ]}" ];then
echo -n " » Sollen die vorherigen Sicherungen gelöscht werden [y|n]?"
read answer
if [ "$answer" != "${answer#[YyjJ]}" ];then
rm -Rf $SPATH-* $SNPATH-*
fi
if [ ! -d $SPATH-$NEXTCLOUDVERSION ]; then
mkdir -p $SPATH-$NEXTCLOUDVERSION
fi
if [ ! -d $SNPATH-$NEXTCLOUDVERSION ]; then
mkdir -p $SNPATH-$NEXTCLOUDVERSION
fi
echo ""
sudo -u www-data php $DPATH/occ maintenance:mode --on
echo ""
echo " » Die Datenbanksicherung wird gestartet..."
if [ $NEXTCLOUDDBTYPE = "pgsql" ]; then
PGPASSWORD="$NEXTCLOUDDBPASSWORD" pg_dump $NEXTCLOUDDB -h $NEXTCLOUDDBHOST -U $NEXTCLOUDDBUSER -f $SPATH-$NEXTCLOUDVERSION/$SDATE
else
mysqldump --single-transaction --routines -h $NEXTCLOUDDBHOST -u$NEXTCLOUDDBUSER -p$NEXTCLOUDDBPASSWORD -e $NEXTCLOUDDB > $SPATH-$NEXTCLOUDVERSION/$SDATE
fi
echo ""
echo " » Die Datenbankgröße wird ermittelt..."
echo -e "\033[32m » $(du -sh $SPATH-$NEXTCLOUDVERSION/$SDATE | awk '{ print $1 }')\033[0m"
echo ""
echo " » Das Nextcloudverzeichnis wird gesichert..."
rsync -a --exclude="data/" $DPATH/ $SNPATH-$NEXTCLOUDVERSION
echo -e "\033[32m » $(du -sh $SNPATH-$NEXTCLOUDVERSION | awk '{ print $1 }')\033[0m"
echo ""
sudo -u www-data php $DPATH/occ maintenance:mode --off
echo ""
fi
echo ""
echo -n " » Nextcloud Updates gewünscht [y|n]?"
read answer
if [ "$answer" != "${answer#[YyjJ]}" ] ;then
echo ""
sudo -u www-data php $DPATH/updater/updater.phar --no-backup
sudo -u www-data php $DPATH/occ status
sudo -u www-data php $DPATH/occ -V
sudo -u www-data php $DPATH/occ db:add-missing-primary-keys
sudo -u www-data php $DPATH/occ db:add-missing-indices
sudo -u www-data php $DPATH/occ db:add-missing-columns
sudo -u www-data php $DPATH/occ db:convert-filecache-bigint
sudo -u www-data php $DPATH/occ maintenance:repair --include-expensive
sudo -u www-data sed -i "s/output_buffering=.*/output_buffering=0/" $DPATH/.user.ini
clear
echo ""
echo " » Liste zu aktualisierender Apps:"
echo ""
sudo -u www-data php $DPATH/occ app:update --showonly -v
echo ""
echo -n " » Möchten Sie die Nextcloud Apps aktualisieren [y|n]?"
read answer
if [ "$answer" != "${answer#[YyjJ]}" ] ;then
sudo -u www-data php $DPATH/occ app:update --all -v
sudo -u www-data php $DPATH/occ app:list | grep -i richdocuments &> /dev/null
if [ $? -eq 0 ]; then
sudo -u www-data php $DPATH/occ richdocuments:update-empty-templates
fi
else
clear
echo " » Nextcloud Apps wurden nicht aktualisiert."
echo ""
fi
else
clear
echo " » Nextcloud wurde nicht aktualisiert/überprüft."
echo ""
fi
echo -n " » Möchten Sie den Nextcloud Office Docker Container aktualisieren [y|n]?"
read answer
if [ "$answer" != "${answer#[YyjJ]}" ]
then
docker stop NEXTCLOUDOFFICE
docker rm NEXTCLOUDOFFICE
docker image rm $(docker image ls | grep collabora/code | awk '{ print $3 }')
docker run -t -d -p 127.0.0.1:9980:9980 -e "aliasgroup1=$NCALIASGROUP" -e "username=$NCOUSERNAME" -e "password=$NCOUSERPWD" --name NEXTCLOUDOFFICE --memory="4G" --memory-swap="4G" -e "lang=de_DE" -e "dictionaries=de_DE en_GB en_US" -e "extra_params=--o:home_mode.enable=true" --restart always collabora/code
sudo -u www-data php $DPATH/occ richdocuments:update-empty-templates
else
clear
echo " » Nextcloud Office Docker Container wird nicht aktualisiert"
echo ""
fi
clear
sudo -u www-data php $DPATH/occ setupchecks
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
echo " » Dienste werden neu gestartet..."
echo ""
dpkg -s elasticsearch &> /dev/null
if [ $? -eq 0 ]; then
echo " » Elasticsearch wird zuerst neu gestartet"
systemctl restart elasticsearch.service
else
echo " » Elasticsearch ist nicht installiert!"
fi
echo ""
if [ $NEXTCLOUDDBTYPE = "pgsql" ]; then
sudo systemctl restart postgresql.service redis-server.service php$PHPVERSION-fpm.service $WEBSERVER.service
else
sudo systemctl restart mariadb.service redis-server.service php$PHPVERSION-fpm.service $WEBSERVER.service
fi
if [ -e /var/run/reboot-required ]; then
echo -e " »\e[1;31m ACHTUNG: ES IST EIN SERVERNEUSTART ERFORDERLICH.\033[0m"
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
else
echo -e " »\033[32m KEIN Serverneustart notwendig.\033[0m"
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
fi
echo ""
rm -f /tmp/ncupdateskript
exit 0

207
skripte/update.sh Normal file
View file

@ -0,0 +1,207 @@
#!/bin/bash
# Nextcloud-Updateskript
# --------------------------------------------------------------
# Bitte setzen Sie diese Parameter entsprechend Ihrer Nextcloud
# --------------------------------------------------------------
WEBSERVER="nginx"
# alternativ "apache2"
PHPVERSION="8.3"
# alternativ "8.1" oder "8.2"
DPATH="/var/www/nextcloud"
# alternativ "/Pfad/zur/Nextcloud-Software"
SPATH="/sicherung/sql"
SNPATH="/sicherung/nextcloud"
# Sicherungverzeichnisse angeben
# --------------------------------------------------------------
# »»» Ab hier KEINE Änderungen mehr vornehmen! «««
# --------------------------------------------------------------
if [ -f /tmp/ncupdateskript ]; then
clear
clear
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
echo " » Das Updateskript ist bereits aktiv - *ABBRUCH*"
echo " » Oder wurde ein vorheriger Prozess abgebrochen?"
echo ""
echo " » "$(ls /tmp/ncupdateskript)
echo ""
echo " » Entfernen Sie ggf. die Datei mit diesem Befehl:"
echo " » sudo rm -f /tmp/ncupdateskript"
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
exit 1
fi
if [ "$USER" != "root" ]
then
clear
echo ""
echo " » KEINE ROOT-BERECHTIGUNGEN | NO ROOT PERMISSIONS"
echo ""
echo "------------------------------------------------------------"
echo " » Bitte starten Sie das Skript als root: 'sudo ./update.sh'"
echo " » Please run this script as root using: 'sudo ./update.sh'"
echo "------------------------------------------------------------"
echo ""
exit 1
fi
touch /tmp/ncupdateskript
clear
echo ""
echo " » Die Parameter der Nextcloud werden ermittelt..."
echo ""
NEXTCLOUDVERSION=$(sudo -u www-data php $DPATH/occ config:system:get version)
NEXTCLOUDDATEN=$(sudo -u www-data php $DPATH/occ config:system:get datadirectory)
NEXTCLOUDDBTYPE=$(sudo -u www-data php $DPATH/occ config:system:get dbtype)
NEXTCLOUDDBHOST=$(sudo -u www-data php $DPATH/occ config:system:get dbhost)
NEXTCLOUDDB=$(sudo -u www-data php $DPATH/occ config:system:get dbname)
NEXTCLOUDDBUSER=$(sudo -u www-data php $DPATH/occ config:system:get dbuser)
NEXTCLOUDDBPASSWORD=$(sudo -u www-data php $DPATH/occ config:system:get dbpassword)
NEXTCLOUDDBTYPE=$(sudo -u www-data php $DPATH/occ config:system:get dbtype)
SDATE="nextcloud.sql"
apt update
if [ $NEXTCLOUDDBTYPE = "pgsql" ]; then
apt-mark unhold pgsql*
apt-mark unhold postgresql*
else
apt-mark unhold mariadb-*
apt-mark unhold mysql-*
apt-mark unhold galera-*
fi
apt-mark unhold $WEBSERVER*
apt-mark unhold redis*
apt-mark unhold php-* php$PHPVERSION-*
apt-mark unhold elasticsearch*
apt upgrade -V
if [ $NEXTCLOUDDBTYPE = "pgsql" ]; then
apt-mark hold pgsql*
apt-mark hold postgresql*
else
apt-mark hold mariadb-*
apt-mark hold mysql-*
apt-mark hold galera-*
fi
apt-mark hold $WEBSERVER*
apt-mark hold redis*
apt-mark hold php-* php$PHPVERSION-*
apt-mark hold elasticsearch*
apt autoremove
apt autoclean
chown -R www-data:www-data $DPATH
find $DPATH/ -type d -exec chmod 750 {} \;
find $DPATH/ -type f -exec chmod 640 {} \;
if [ -d "$DPATH/apps/notify_push" ]; then
sudo chmod ug+x $DPATH/apps/notify_push/bin/x86_64/notify_push
fi
clear
echo ""
echo -n " » Soll eine DB- und Nextcloud-Dateisicherung erstellt werden [y|n]?"
read answer
if [ "$answer" != "${answer#[YyjJ]}" ];then
echo -n " » Sollen die vorherigen Sicherungen gelöscht werden [y|n]?"
read answer
if [ "$answer" != "${answer#[YyjJ]}" ];then
rm -Rf $SPATH-* $SNPATH-*
fi
if [ ! -d $SPATH-$NEXTCLOUDVERSION ]; then
mkdir -p $SPATH-$NEXTCLOUDVERSION
fi
if [ ! -d $SPATH-$NEXTCLOUDVERSION ]; then
mkdir -p $SPATH-$NEXTCLOUDVERSION
fi
echo ""
sudo -u www-data php $DPATH/occ maintenance:mode --on
echo ""
echo " » Die Datenbanksicherung wird gestartet..."
if [ $NEXTCLOUDDBTYPE = "pgsql" ]; then
PGPASSWORD="$NEXTCLOUDDBPASSWORD" pg_dump $NEXTCLOUDDB -h $NEXTCLOUDDBHOST -U $NEXTCLOUDDBUSER -f $SPATH-$NEXTCLOUDVERSION/$SDATE
else
mysqldump --single-transaction --routines -h $NEXTCLOUDDBHOST -u$NEXTCLOUDDBUSER -p$NEXTCLOUDDBPASSWORD -e $NEXTCLOUDDB > $SPATH-$NEXTCLOUDVERSION/$SDATE
fi
echo ""
echo " » Die Datenbankgröße wird ermittelt..."
echo -e "\033[32m » $(du -sh $SPATH-$NEXTCLOUDVERSION | awk '{ print $1 }')\033[0m"
echo ""
echo " » Das Nextcloudverzeichnis wird gesichert..."
rsync -a --exclude="data/" $DPATH/ $SNPATH-$NEXTCLOUDVERSION
echo -e "\033[32m » $(du -sh $SNPATH-$NEXTCLOUDVERSION | awk '{ print $1 }')\033[0m"
echo ""
sudo -u www-data php $DPATH/occ maintenance:mode --off
echo ""
fi
echo ""
echo -n " » Nextcloud Updates gewünscht [y|n]?"
read answer
if [ "$answer" != "${answer#[YyjJ]}" ] ;then
echo ""
sudo -u www-data php $DPATH/updater/updater.phar --no-backup
sudo -u www-data php $DPATH/occ status
sudo -u www-data php $DPATH/occ -V
sudo -u www-data php $DPATH/occ db:add-missing-primary-keys
sudo -u www-data php $DPATH/occ db:add-missing-indices
sudo -u www-data php $DPATH/occ db:add-missing-columns
sudo -u www-data php $DPATH/occ db:convert-filecache-bigint
sudo -u www-data php $DPATH/occ maintenance:repair --include-expensive
sudo -u www-data sed -i "s/output_buffering=.*/output_buffering=0/" $DPATH/.user.ini
clear
echo ""
echo " » Liste zu aktualisierender Apps:"
echo ""
sudo -u www-data php $DPATH/occ app:update --showonly -v
echo ""
echo -n " » Möchten Sie die Nextcloud Apps aktualisieren [y|n]?"
read answer
if [ "$answer" != "${answer#[YyjJ]}" ] ;then
sudo -u www-data php $DPATH/occ app:update --all -v
sudo -u www-data php $DPATH/occ app:list | grep -i richdocuments &> /dev/null
if [ $? -eq 0 ]; then
sudo -u www-data php $DPATH/occ richdocuments:update-empty-templates
fi
else
clear
echo " » Nextcloud Apps wurden nicht aktualisiert."
echo ""
fi
else
clear
echo " » Nextcloud wurde nicht aktualisiert/überprüft."
echo ""
fi
clear
sudo -u www-data php $DPATH/occ setupchecks
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
echo " » Dienste werden neu gestartet..."
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
dpkg -s elasticsearch &> /dev/null
if [ $? -eq 0 ]; then
echo " » Elasticsearch wird zuerst neu gestartet"
systemctl restart elasticsearch.service
else
echo " » Elasticsearch ist nicht installiert!"
fi
echo ""
if [ $NEXTCLOUDDBTYPE = "pgsql" ]; then
sudo systemctl restart postgresql.service redis-server.service php$PHPVERSION-fpm.service $WEBSERVER.service
else
sudo systemctl restart mariadb.service redis-server.service php$PHPVERSION-fpm.service $WEBSERVER.service
fi
if [ -e /var/run/reboot-required ]; then
echo -e " »\e[1;31m ACHTUNG: ES IST EIN SERVERNEUSTART ERFORDERLICH.\033[0m"
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
else
echo -e " »\033[32m KEIN Serverneustart notwendig.\033[0m"
echo ""
echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
fi
echo ""
rm -f /tmp/ncupdateskript
exit 0

24
var/www/nextcloud/config/config.php Normal file
View file

@ -0,0 +1,24 @@
<?php
$CONFIG = array (
'passwordsalt' => 'Von+dtOJMBwPlZ9wBgMN8SFhMCmx6P',
'secret' => '8rEk97bvit2a7Wum1dADV7yfaDO1/2zSm/2VgmzSlU9GLPco',
'trusted_domains' =>
array (
0 => 'ubuntu22',
1 => 'ihre.hhf.technology',
2 => '192.168.2.178',
),
'datadirectory' => '/data',
'dbtype' => 'mysql',
'version' => '28.0.2.6',
'overwrite.cli.url' => 'https://ihre.hhf.technology',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'ncdbuser',
'dbpassword' => '6f35372230429caf36e783152417a2f2',
'installed' => true,
'instanceid' => 'ocmedc101c70',
);

59
var/www/nextcloud/config/tweaks.config.php Normal file
View file

@ -0,0 +1,59 @@
$CONFIG = array (
'activity_expire_days' => 14,
'allow_local_remote_servers' => true,
'auth.bruteforce.protection.enabled' => true,
'blacklisted_files' =>
array (
0 => '.htaccess',
1 => 'Thumbs.db',
2 => 'thumbs.db',
),
'cron_log' => true,
'default_phone_region' => 'DE',
'defaultapp' => 'files,dashboard',
'enable_previews' => true,
'enabledPreviewProviders' =>
array (
0 => 'OC\Preview\PNG',
1 => 'OC\Preview\JPEG',
2 => 'OC\Preview\GIF',
3 => 'OC\Preview\BMP',
4 => 'OC\Preview\XBitmap',
5 => 'OC\Preview\Movie',
6 => 'OC\Preview\PDF',
7 => 'OC\Preview\MP3',
8 => 'OC\Preview\TXT',
9 => 'OC\Preview\MarkDown',
),
'filesystem_check_changes' => 0,
'filelocking.enabled' => 'true',
'htaccess.RewriteBase' => '/',
'integrity.check.disabled' => false,
'knowledgebaseenabled' => false,
'logfile' => '/var/log/nextcloud/nextcloud.log',
'loglevel' => 2,
'logtimezone' => 'Europe/Berlin',
'log_rotate_size' => '104857600',
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'overwriteprotocol' => 'https',
'preview_max_x' => 1024,
'preview_max_y' => 768,
'preview_max_scale_factor' => 1,
'profile.enabled' => false,
'redis' =>
array (
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
'password' => 'BitteAendern',
'timeout' => 0.5,
'dbindex' => 1,
),
'quota_include_external_storage' => false,
'share_folder' => '/Freigaben',
'skeletondirectory' => '',
'theme' => '',
'trashbin_retention_obligation' => 'auto, 7',
'updater.release.channel' => 'stable',
'maintenance_window_start' => 1,
);