Merge pull request #143 from joglomedia/2.x.x

### Bug fixes
- Package 'python' Has No Installation Candidate #142
- Default install Ubuntu 20.04 vsftpd error #139
- Certbot Let's Encrypt is Outdated #90

### New Features
- Add Pure-FTPD FTP server install #120
- Add PHP 8.2 support
- Update default PHP to PHP 8.0
- Update Fail2ban version and improve installer
- Improve Certbot installer + self-signed SSL for local dev environment

.env.dist

@@ -71,10 +71,6 @@ SSH_PASSWORDLESS=false
 # Your RSA Public key.
 RSA_PUB_KEY="copy your ssh public rsa key here"
 
-# Hash length (bits), supported value 2048 | 4096 (take longer times)
-# length of bits used for generating RSA key / Diffie-Helman params.
-KEY_HASH_LENGTH=2048
-
 [nginx]
 INSTALL_NGINX=true
 
@@ -144,12 +140,16 @@ LUA_RESTY_LRUCACHE_VERSION="v0.11"
 NGX_HTTP_PASSENGER=false
 NGX_HTTP_REDIS2=false
 NGX_HTTP_SUBS_FILTER=true
-NGX_HTTP_UPSTREAM_FAIR=true
+NGX_HTTP_UPSTREAM_FAIR=false
 NGX_HTTP_VTS=true
 NGX_HTTP_XSLT_FILTER=true
 NGX_MAIL=true
 NGX_NCHAN=false
+
+# For Nginx latest v1.23 or greater, try using NPS v1.14.33.1-RC1 or master
+NGX_PAGESPEED_VERSION="v1.13.35.2-stable"
 NGX_PAGESPEED=false
+
 NGX_RTMP=false
 NGX_STREAM=true
 
@@ -279,9 +279,12 @@ FTP_SERVER_VERSION="latest"
 # Enable FTP over TLS.
 FTP_SSL_ENABLE=true
 
+# Enable passv mode.
+FTP_PASV_MODE=true
+
 # Range of passv ports.
 FTP_MIN_PORT=45000
-FTP_MAX_PORT=45999
+FTP_MAX_PORT=45099
 
 [dns]
 # TODO: Install DNS server.
@@ -296,9 +299,16 @@ INSTALL_SPFDKIM=true
 SENDER_DOMAIN=""
 
 [certbot]
+# Install Let's Encrypt SSL certificate is mandatory.
 INSTALL_CERTBOT=true
+
+# Path to live certificate for production server.
 HOSTNAME_CERT_PATH=""
 
+# Hash length (bits), supported value 2048 | 4096 (take longer times)
+# length of bits used for generating RSA key / Diffie-Helman params.
+KEY_HASH_LENGTH=2048
+
 [firewall]
 INSTALL_FW=true
 
@@ -312,4 +322,4 @@ INSTALL_FAIL2BAN=true
 
 # Available installer: repo | source.
 FAIL2BAN_INSTALLER="source"
-FAIL2BAN_VERSION="0.11.2"
+FAIL2BAN_VERSION="1.0.2"

.github/workflows/main.yml

@@ -61,9 +61,8 @@ jobs:
           shellcheck -s bash -x remove.sh
           shellcheck -s bash -x bin/lemper-*.sh
           shellcheck -s bash -x lib/lemper-*.sh
-          shellcheck -s bash -x scripts/helper.sh
-          shellcheck -s bash -x scripts/cleanup_server.sh
-          shellcheck -s bash -x scripts/secure_server.sh
+          shellcheck -s bash -x scripts/utils.sh
+          shellcheck -s bash -x scripts/server_*.sh
           shellcheck -s bash -x scripts/install_*.sh
           shellcheck -s bash -x scripts/remove_*.sh
       # Simple Unit Tests
@@ -72,6 +71,6 @@ jobs:
           TERM: xterm-256color
         run: |
           set -ex
-          sudo bash scripts/cleanup_server.sh
+          sudo bash scripts/server_cleanup.sh
           sudo bash scripts/install_dependencies.sh
           sudo bash shunit2/run_test.sh

.gitignore

@@ -3,6 +3,7 @@
 .env.bak
 .env.save
 .travis.yml
+dev-notes.md
 install.log
 lemper.log
 lemper_install.log

etc/nginx/fastcgi_cache

@@ -18,8 +18,8 @@ log_format cache '$remote_addr - $upstream_cache_status [$time_local] '
 
 # Purge cache for request method.
 map $request_method $purge_method {
-    PURGE 1;
     default 0;
+    PURGE 1;
 }
 
 # Skip caching for request method.

etc/nginx/fastcgi_https_map

@@ -5,3 +5,8 @@ map $scheme $server_https {
 	default off;
 	https on;
 }
+
+map $http_x_forwarded_proto $proto_https {
+	default $scheme;
+	https https;
+}

etc/nginx/fastcgi_params

@@ -3,7 +3,8 @@
 
 # Comment out HTTPS line for PHP behind SSL https.
 #fastcgi_param HTTPS on; # old pre .03 method
-#fastcgi_param HTTPS $server_https;	# new .04+ map method
+fastcgi_param HTTPS $server_https;	# new .04+ map method
+fastcgi_param HTTP_X_FORWARDED_PROTO $proto_https;
 
 # Comment out PATH_TRANSLATED line if /etc/php5/fpm/php.ini sets following:
 # cgi.fix_pathinfo=0

etc/nginx/http_proxy_ips

@@ -1,6 +1,6 @@
 ## Designed to be included to /etc/nginx/nginx.conf http{} or server{} block
 
-# Varnish HTTP Accelerator
+# HTTP Accelerator or Load Balancer.
 set_real_ip_from 127.0.0.1/32;
 
 # Header

etc/nginx/includes/compression_brotli.conf

@@ -66,9 +66,9 @@ brotli_buffers 16 8k;
 brotli_window 512k;
 
 # Up the minimum length a little to account for gzip overhead
-# this means anything smaller than 1024 bytes won't be compressed.
+# this means anything smaller than 256 bytes won't be compressed.
 # The default is 20 bytes, which is sooo tiny it's a waste to compress.
-brotli_min_length 1024;
+brotli_min_length 256;
 
 # Custom header.
 add_header X-Powered-By "LEMPer/Brotli";

etc/nginx/includes/compression_gzip.conf

@@ -79,9 +79,9 @@ gzip_vary on;
 gzip_buffers 16 8k;
 
 # Up the minimum length a little to account for gzip overhead
-# this means anything smaller than 1024 bytes won't be compressed.
+# this means anything smaller than 256 bytes won't be compressed.
 # The default is 20 bytes, which is sooo tiny it's a waste to compress.
-gzip_min_length 1024;
+gzip_min_length 256;
 
 # Custom header.
 add_header X-Powered-By "LEMPer/Gzip";

etc/nginx/includes/fastcgi_cache.conf

@@ -16,8 +16,8 @@ fastcgi_no_cache $http_pragma $http_authorization;
 
 fastcgi_cache_purge $purge_method;
 
-# Ignore header
-fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+# Ignore header (Added Pragma, crosscheck first)
+fastcgi_ignore_headers Cache-Control Expires Pragma Set-Cookie;
 
 # Header status
 add_header X-FastCGI-Cache $upstream_cache_status;

etc/nginx/includes/ssl.conf

@@ -1,8 +1,10 @@
 # Enables SSL (deprecated on http2).
 #ssl on;
 
+# --- Common definitions for HTTPS content --- #
+
 # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
-ssl_session_cache shared:LEMPer_SSL:10m; # a 1mb cache can hold about 4000 sessions
+ssl_session_cache shared:LEMPer_SSL:50m; # a 1mb cache can hold about 4000 sessions
 ssl_session_timeout 1d;
 
 # SSL buffer size was added in 1.5.9
@@ -14,25 +16,33 @@ ssl_session_tickets off;
 # Diffie-Hellman parameter for DHE ciphersuites, minimum recommendation 2048 bits.
 ssl_dhparam /etc/nginx/ssl/dhparam-2048.pem;
 
-# If you need to support older browsers (IE6) you may need to add
-# SSLv2 SSLv3 TLSv1 TLSv1.1 to the list of protocols below.
-ssl_protocols TLSv1.2 TLSv1.3;
+# --- Protocols & Ciphers [start] --- #
 
-# Enables server-side protection from BEAST attacks.
-# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
+# Maximum client support [enabled by default]
+# Supports Firefox 1, Android 2.3, Chrome 1, Edge 12, IE8 on Windows XP, Java 6, OpenSSL 0.9.8, Opera 5 & Safari 1
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
 ssl_prefer_server_ciphers on;
 
-# Ciphers set to best allow protection from Beast, while providing forwarding secrecy,
-# as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
-ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+# Intermediate client support [disabled by default]
+# Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20 & Safari 9
+#ssl_protocols TLSv1.2 TLSv1.3;
+#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+#ssl_prefer_server_ciphers off;
+
+# Modern client support [disabled by default]
+# Supports Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57 & Safari 12.1
+#ssl_protocols TLSv1.3;
+#ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+#ssl_prefer_server_ciphers off;
 
 # Specifies a curve for ECDHE ciphers, default is auto.
 ssl_ecdh_curve prime256v1:secp384r1;
 
 # Enable OCSP stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
 # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
-ssl_stapling on;
-ssl_stapling_verify on;
+#ssl_stapling on;
+#ssl_stapling_verify on;
 
 # Reduce SSL buffer size.
 ssl_buffer_size 4k; # Default = 16k
@@ -55,4 +65,4 @@ resolver_timeout 5s;
 # This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
 #add_header Strict-Transport-Security "max-age=31536000;" always;
 # This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";

etc/nginx/nginx.conf

@@ -60,6 +60,8 @@ http {
     # Optimization settings.
     aio threads;
     sendfile on;
+    # Limit the amount of data transferred in a single sendfile() call to 1MB.
+    sendfile_max_chunk 1m;
     tcp_nopush on;
     tcp_nodelay on;
     client_body_buffer_size 128k;
@@ -80,8 +82,8 @@ http {
 
     # Enable Compression.
     # gzip (default) or brotli (requires Nginx installed with brotli module).
-    # TODO: Move to per site config.
-    #include /etc/nginx/comp_gzip;
+    # Moved to per site config.
+    ##include /etc/nginx/compression_gzip;
 
     # Uncomment to enable FastCGI cache. If disabled, do not use the cached vhost setting.
     include /etc/nginx/fastcgi_cache;
@@ -91,7 +93,7 @@ http {
 
     # Upstream, ex: for Node.JS application server. 
     # TODO: Move to per site config.
-    #include /etc/nginx/upstream;
+    ##include /etc/nginx/upstream;
 
     # SSL map.
     include /etc/nginx/fastcgi_https_map;

etc/nginx/sites-available/default

@@ -11,8 +11,8 @@ server {
     #ssl_certificate_key /etc/letsencrypt/live/localhost.localdomain/privkey.pem;
     #ssl_trusted_certificate /etc/letsencrypt/live/localhost.localdomain/fullchain.pem;
 
-    access_log /var/log/nginx/localhost.access.log;
-    error_log /var/log/nginx/localhost.error.log;
+    access_log /var/log/nginx/localhost.access.log combined buffer=32k;
+    error_log /var/log/nginx/localhost.error.log error;
 
     root /usr/share/nginx/html;
     index index.php index.html index.htm;
@@ -24,15 +24,28 @@ server {
 
     include /etc/nginx/vhost/site_default.conf;
 
-    location ~ ^/(status|ping)$ {
+    # Nginx basic status monitoring.
+    location = /nginx_status {
+        stub_status;
+        allow all;
+        auth_basic "Denied";
+        auth_basic_user_file /srv/.htpasswd;
+        access_log off;
+        log_not_found off;
+    }
+
+    # PHP-FPM status monitoring.
+    location ~ ^/php-fpm_(status|ping)$ {
         include /etc/nginx/fastcgi_params;
 
-        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+        fastcgi_pass unix:/run/php/php8.0-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
 
         allow all;
         auth_basic "Denied";
         auth_basic_user_file /srv/.htpasswd;
+        access_log off;
+        log_not_found off;
     }
 
     location ~ \.php81$ {
@@ -46,7 +59,7 @@ server {
         fastcgi_pass unix:/run/php/php8.1-fpm.sock;
     }
 
-    location ~ \.php80$ {
+    location ~ \.(php|php80)$ {
         try_files $uri =404;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_index index.php;
@@ -56,7 +69,7 @@ server {
         fastcgi_pass unix:/run/php/php8.0-fpm.sock;
     }
 
-    location ~ \.(php|php74)$ {
+    location ~ \.php74$ {
         try_files $uri =404;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_index index.php;
@@ -132,8 +145,8 @@ server {
     index index.php index.html index.htm;
 
     # Log Settings.
-    access_log /var/log/nginx/localhost.access.log;
-    error_log /var/log/nginx/localhost.error.log;
+    access_log /var/log/nginx/localhost.access.log combined buffer=32k;
+    error_log /var/log/nginx/localhost.error.log error;
 
     location /lcp {
         try_files $uri $uri/ /index.php?$args;
@@ -161,7 +174,7 @@ server {
             # Uncomment to Enable PHP FastCGI cache.
             #include /etc/nginx/includes/fastcgi_cache.conf;
 
-            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+            fastcgi_pass unix:/run/php/php8.0-fpm.sock;
         }
     }
 
@@ -175,7 +188,7 @@ server {
         fastcgi_pass unix:/run/php/php8.1-fpm.sock;
     }
 
-    location ~ \.php80$ {
+    location ~ \.(php|php80)$ {
         try_files $uri =404;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_index index.php;
@@ -185,7 +198,7 @@ server {
         fastcgi_pass unix:/run/php/php8.0-fpm.sock;
     }
 
-    location ~ \.(php|php74)$ {
+    location ~ \.php74$ {
         try_files $uri =404;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_index index.php;

etc/openssl/ca.conf

@@ -0,0 +1,20 @@
+[ca]
+default_ca = CA_default      # The default ca section
+
+[CA_default]
+default_days = 36500        # How long to certify for
+
+[req]
+default_bits = 2048
+default_md = sha256
+distinguished_name = ca_dn
+prompt = no
+
+[ca_dn]
+C = ID
+ST = Jakarta
+L = Jakarta
+O = LEMPer
+OU = LEMPer Stack
+CN = demo.lemper.cloud
+emailAddress = [email protected]

etc/openssl/cert.conf

@@ -0,0 +1,7 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = demo.lemper.cloud