cwp-scripts/apache-updater.sh at master · emirefek/cwp-scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
#!/bin/bash

#if [[ `cat /etc/fstab | grep -E "tmp.*noexec"` != "" ]]; then mount -o remount,exec /tmp >/dev/null 2>&1 ; fi
cd /usr/local/src
rm -rf /usr/local/src/apache*

arch=$(uname -m)
pubip=`curl -s http://centos-webpanel.com/webpanel/main.php?app=showip`
# CONFIGURE MIRRORS HERE
version=2.4.46
opensslver=1.1.1g
apachesource="https://downloads.apache.org//httpd/httpd-$version.tar.gz"
hostname=`cat /etc/hostname`


# Dependency installer
yum -y install apr-util-devel apr-devel apr apr-util
if [ -f /usr/local/apache/conf/httpd.conf ]; then cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf-cwpsave ; fi
test -h /usr/local/src/apache-build || rm -rf /usr/local/src/apache-build
mkdir -p /usr/local/src/apache-build

# OpenSSL Upgrader
if echo -e "$(openssl version|awk '{print $2}')\n${openssl_minversion}" | sort -V | head -1 | grep -q ^${openssl_minversion}$;then
  echo "============================================="
  echo "Your OpenSSL is Up to date. Let's keep going!"
  echo "============================================="
else
  echo "============================================="
  echo "We need to update your OpenSSL for better TLS"
  echo "============================================="
  cd /usr/local/src
        rm -rf openssl-*
        wget https://www.openssl.org/source/openssl-$opensslver.tar.gz
        tar zxvf openssl-$opensslver.tar.gz
        cd openssl-*
        ./config --prefix=/usr --openssldir=/usr/lib64 shared
        make && make install
fi

cd /usr/local/src/apache-build
wget -q $apachesource
tar -xf httpd-$version.tar.gz
chown -R root:root httpd-$version/
cd httpd-$version/

# Install Patch - this are patches for version 2.4.26+
wget -q "http://dl1.centos-webpanel.com/files/apache/patch/suexec.patch"
/usr/bin/patch -p1 < suexec.patch

#rm -f /usr/local/apache/conf/httpd.conf
./configure --enable-so --prefix=/usr/local/apache --enable-unique-id --enable-ssl=shared --enable-rewrite --enable-deflate --enable-suexec --with-suexec-docroot=/home --with-suexec-caller=nobody --with-suexec-logfile=/usr/local/apache/logs/suexec_log --enable-asis --enable-filter --with-pcre --with-apr=/usr/bin/apr-1-config --with-apr-util=/usr/bin/apu-1-config --enable-headers --enable-expires --enable-proxy --enable-rewrite --enable-userdir --enable-brotli --with-brotli=/usr

configurecheck=$?
if [ $configurecheck -eq 0 ];then
        rm -f /usr/local/apache/conf/httpd.conf
fi

make clean

if [ -e "/usr/bin/nproc" ];then
        make -j `/usr/bin/nproc`
else
        make
fi
make install

mkdir /usr/local/apache/conf.d
touch /usr/local/apache/conf.d/empty.conf
# Check if lines below already added and add those if wasn't added before.
if [[ "`grep ExtendedStatus /usr/local/apache/conf/httpd.conf 2>/dev/null`" == "" ]]; then
echo "ExtendedStatus On" >> /usr/local/apache/conf/httpd.conf
echo "Include /usr/local/apache/conf/sharedip.conf" >> /usr/local/apache/conf/httpd.conf
echo "Include /usr/local/apache/conf.d/*.conf" >> /usr/local/apache/conf/httpd.conf
fi
# Check if installed nginx/varnish.
if [[ "`grep ':8181' /usr/local/apache/conf.d/vhosts.conf 2> /dev/null`" != "" ]]; then
        sed -i "s/^.*Listen 80$/Listen 8181/" /usr/local/apache/conf/httpd.conf
        sed -i "s/:80/:8181/" /usr/local/apache/conf/sharedip.conf
fi
sed -i "s|DirectoryIndex index.html|DirectoryIndex index.php index.html index.htm|g" /usr/local/apache/conf/httpd.conf
sed -i "0,/^\([[:blank:]]*\)DirectoryIndex.*$/ s//\1 DirectoryIndex index.html.var index.htm index.html index.shtml index.xhtml index.wml index.perl index.pl index.plx index.ppl index.cgi index.jsp index.js index.jp index.php4 index.php3 index.php index.phtml default.htm default.html home.htm index.php5 Default.html Default.htm home.html/" /usr/local/apache/conf/httpd.conf


cat > /usr/local/apache/conf/sharedip.conf <<EOF
<VirtualHost $pubip:80>
    ServerName $pubip
    DocumentRoot /usr/local/apache/htdocs
    ServerAdmin info@centos-webpanel.com
    <IfModule mod_suphp.c>
        suPHP_UserGroup nobody nobody
    </IfModule>
    <Proxy "*">
        <IfModule mod_security2.c>
            SecRuleEngine Off
        </IfModule>
    </Proxy>
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^$pubip\$
    RewriteCond %{HTTP_HOST} ^webmail.
    RewriteRule ^/(.*) http://%{HTTP_HOST}:2095/\$1 [P]
</VirtualHost>
<Directory "/">
        AllowOverride All
        Require all granted
</Directory>
EOF

sed -i "s|User daemon|User nobody|g" /usr/local/apache/conf/httpd.conf
sed -i "s|Group daemon|Group nobody|g" /usr/local/apache/conf/httpd.conf
sed -i "s|.*modules/libphp5.so.*||g" /usr/local/apache/conf/httpd.conf
sed -i "s|.*httpd-userdir.conf.*|Include conf/extra/httpd-userdir.conf|" /usr/local/apache/conf/httpd.conf
sed -i "s|#LoadModule userdir_module modules.*$|LoadModule userdir_module modules/mod_userdir.so|" /usr/local/apache/conf/httpd.conf
sed -i "s|#LoadModule unique_id_module modules.*$|LoadModule unique_id_module modules/mod_unique_id.so|" /usr/local/apache/conf/httpd.conf
sed -i "s|#LoadModule rewrite_module modules.*$|LoadModule rewrite_module modules/mod_rewrite.so|" /usr/local/apache/conf/httpd.conf
sed -i "s|#LoadModule proxy_module modules.*$|LoadModule proxy_module modules/mod_proxy.so|" /usr/local/apache/conf/httpd.conf
sed -i "s|#LoadModule proxy_connect_module modules.*$|LoadModule proxy_connect_module modules/mod_proxy_connect.so|" /usr/local/apache/conf/httpd.conf
sed -i "s|#LoadModule proxy_http_module modules.*$|LoadModule proxy_http_module modules/mod_proxy_http.so|" /usr/local/apache/conf/httpd.conf

mkdir -p /usr/local/apache/conf.d

cd /usr/local/apache/bin/
ldconfig

#ADDITIONAL_CONFIGURATION
if [ ! -e "/usr/local/apache/conf.d/domain-redirects.conf" ];then
cat > /usr/local/apache/conf.d/domain-redirects.conf <<EOF
RewriteEngine on
Alias /phpmyadmin /usr/local/apache/htdocs/phpMyAdmin
Alias /phpMyAdmin /usr/local/apache/htdocs/phpMyAdmin
Alias /webmail /usr/local/apache/htdocs/roundcube
Alias /WebMail /usr/local/apache/htdocs/roundcube
Alias /roundcube /usr/local/apache/htdocs/roundcube
EOF
fi

cat > /usr/local/apache/conf.d/system-redirects.conf <<EOF
Redirect permanent /phpmyadmin https://$hostname:2031/pma
Redirect permanent /phpMyAdmin https://$hostname:2031/pma
Redirect permanent /cwp https://$hostname:2083/
Redirect permanent /cwpadmin https://$hostname:2031/
Redirect permanent /webmail https://$hostname:2031/
EOF

if [[ ! -z "`grep ':8181' /usr/local/apache/conf.d/vhosts/*.conf 2> /dev/null`" ]]; then
        sed -i "s/^.*Listen 80$/Listen 8181/" /usr/local/apache/conf/httpd.conf
        sed -i "s/:80/:8181/" /usr/local/apache/conf/sharedip.conf
fi

if [[ ! -e "/usr/local/apache/conf.d/vhosts/" ]]; then
        mkdir /usr/local/apache/conf.d/vhosts/
fi

if [[ ! -e "/usr/local/apache/domlogs/" ]]; then
        mkdir /usr/local/apache/domlogs/
fi

if [ ! -e "/usr/local/apache/conf.d/vhosts.conf" ];then
       cat > /usr/local/apache/conf.d/vhosts.conf <<EOF
IncludeOptional /usr/local/apache/conf.d/vhosts/*.conf
EOF
fi

if [[ -z `grep "LogFormat.*\"%b\".*bytes" /usr/local/apache/conf/httpd.conf` ]];then
        sed -i '0,/    LogFormat/s//    LogFormat \"%b\" bytes\n&/' /usr/local/apache/conf/httpd.conf
        sed -i "s/LogFormat \"%h/LogFormat \"%a/g" /usr/local/apache/conf/httpd.conf
fi

if [[ ! -z `grep "you@example.com" /usr/local/apache/conf/httpd.conf` ]];then
        sed -i 's/you@example.com/root@localhost/g' /usr/local/apache/conf/httpd.conf
fi

# Brotli Compression Enabler #
touch /usr/local/apache/conf.d/brotli.conf
cat > /usr/local/apache/conf.d/brotli.conf <<EOF
LoadModule brotli_module modules/mod_brotli.so
<IfModule mod_brotli.c>
BrotliCompressionQuality 6
# To enable globally
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/json application/x-font-ttf application/vnd.ms-fontobject image/x-icon
BrotliFilterNote Input brotli_input_info
BrotliFilterNote Output brotli_output_info
BrotliFilterNote Ratio brotli_ratio_info
LogFormat '"%r" %{brotli_output_info}n/%{brotli_input_info}n (%{brotli_ratio_info}n%%)' brotli
CustomLog "logs/brotli_log" brotli
#Don't compress content which is already compressed
SetEnvIfNoCase Request_URI \
\.(gif|jpe?g|png|swf|woff|woff2) no-brotli dont-vary
#Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
EOF

# GZip Compression Enabler #
touch /usr/local/apache/conf.d/gzip.conf
cat > /usr/local/apache/conf.d/gzip.conf <<EOF
LoadModule deflate_module modules/mod_deflate.so
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
DeflateCompressionLevel 6
	<IfModule mod_setenvif.c>
		BrowserMatch ^Mozilla/4 gzip-only-text/html
		BrowserMatch ^Mozilla/4.0[678] no-gzip
		BrowserMatch bMSIE !no-gzip !gzip-only-text/html
	</IfModule>
Header append Vary User-Agent
</IfModule>
EOF

# SSL TLS1.2-1.3 Forcer #
touch /usr/local/apache/conf.d/ssl.conf
cat > /usr/local/apache/conf.d/ssl.conf <<EOF
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
#SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLSessionTickets Off
EOF

# SSL TLS1.2-1.3 Forcer #
touch /usr/local/apache/conf.d/apacheopt.conf
cat > /usr/local/apache/conf.d/apacheopt.conf <<EOF
ServerTokens Prod
ServerSignature Off
KeepAlive On
MaxKeepAliveRequests 500
KeepAliveTimeout 5
Header always append X-Frame-Options SAMEORIGIN
HostnameLookups Off
EOF


service httpd restart
echo "Apache Rebuild Completed"
echo
echo
#if [[ `cat /etc/fstab | grep -E "tmp.*noexec"` != "" ]]; then mount -o remount /tmp >/dev/null 2>&1 ; fi

# Add alert info into cwp
#sh /scripts/add_alert alert-info "Apache Re-Build task completed, please check the log for more details." /var/log/apache-rebuild.log
/usr/local/cwp/php71/bin/php /usr/local/cwpsrv/htdocs/resources/admin/include/libs/notifications/cli.php --level="info" --subject="Apache Re-Build INFO" --message="Apache Re-Build(upgrade) task completed, please check the log for more details. Click <a title='Apache Re-Build task LOG' href='index.php?module=file_editor&file=/var/log/apache-rebuild.log'>here</a> to check it."

test -h /usr/local/src/apache-build || rm -Rf /usr/local/src/apache-build
rm -rf /usr/local/src/apache-rebuild.sh