Merge branch '2-fix-security-issues-for-nextcry-ransomeware' into 'master'
Resolve "Fix security issues for NextCry ransomeware" Closes #2 See merge request ungleich-public/__ungleich_nextcloud!1
commit
f09092f466
3 changed files with 27 additions and 14 deletions
|
@ -1,5 +1,5 @@
|
||||||
upstream php-handler {
|
upstream php-handler {
|
||||||
server unix:/run/php/php7.0-fpm.sock;
|
server unix:/run/php/phpVERSION-fpm.sock;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
@ -16,7 +16,8 @@ server {
|
||||||
add_header Strict-Transport-Security "max-age=15768000;
|
add_header Strict-Transport-Security "max-age=15768000;
|
||||||
includeSubDomains; preload;";
|
includeSubDomains; preload;";
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
#add_header X-Frame-Options "SAMEORIGIN";
|
||||||
|
add_header Referrer-Policy no-referrer;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
add_header X-Robots-Tag none;
|
add_header X-Robots-Tag none;
|
||||||
add_header X-Download-Options noopen;
|
add_header X-Download-Options noopen;
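Review bot: The `@ -16,7 +16,8` hunk comments out the framing restriction as `#add_header X-Frame-Options "SAMEORIGIN";` without saying why, so judging by this hunk alone the vhost stops sending any clickjacking protection. If the intent is to avoid a duplicate header because the application already emits its own, record that next to the line, for example `# X-Frame-Options is sent by the application; a second copy here would duplicate it`. If that is not the case, keep the directive active. The server block continues outside the hunk, so whether the header is set elsewhere cannot be confirmed from here.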
|
||||||
|
|
|
@ -21,7 +21,6 @@ case "$os" in
|
||||||
restart="systemctl restart nginx"
|
restart="systemctl restart nginx"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
restart="systemctl restart nginx"
|
|
||||||
echo "Unsupported version $os_version of $os." >&2
|
echo "Unsupported version $os_version of $os." >&2
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
|
|
35
manifest
35
manifest
|
@ -29,9 +29,19 @@ os_version=$(cat "$__global/explorer/os_version")
|
||||||
case "$os_version" in
|
case "$os_version" in
|
||||||
8*|jessie)
|
8*|jessie)
|
||||||
distribution="jessie"
|
distribution="jessie"
|
||||||
|
packages="php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl php7.0-intl php7.0-mcrypt php7.0-imagick php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm"
|
||||||
|
phpv="7.0"
|
||||||
;;
|
;;
|
||||||
9*|ascii|ascii/ceres)
|
9*|ascii|ascii/ceres)
|
||||||
distribution="stretch"
|
distribution="stretch"
|
||||||
|
packages="php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl php7.0-intl php7.0-mcrypt php7.0-imagick php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm"
|
||||||
|
phpv="7.0"
|
||||||
|
;;
|
||||||
|
10*|beowulf|beowulf/ceres)
|
||||||
|
#packages="php7.3-common php7.3-gd php7.3-json php7.3-pgsql php7.3-curl php7.3-intl php7.3-mcrypt php-imagick php7.3-zip php-apcu php7.3-mbstring php7.3-xml php7.3-fpm"
|
||||||
|
distribution="buster"
|
||||||
|
packages="php7.3-fpm php7.3-intl php7.3-ldap php7.3-imap php7.3-gd php7.3-pgsql php7.3-curl php7.3-xml php7.3-zip php7.3-mbstring php7.3-soap php7.3-smbclient php7.3-json php7.3-gmp php7.3-bz2 php-pear"
|
||||||
|
phpv="7.3"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
echo "Unsupported version $os_version of $os." >&2
|
echo "Unsupported version $os_version of $os." >&2
|
||||||
|
@ -47,17 +57,19 @@ domain=$(cat "$__object/parameter/domain")
|
||||||
tmpdir="$__object/files"
|
tmpdir="$__object/files"
|
||||||
mkdir "$tmpdir"
|
mkdir "$tmpdir"
|
||||||
|
|
||||||
__apt_key_uri dotdeb --uri https://www.dotdeb.org/dotdeb.gpg
|
case "$os_version" in
|
||||||
require="__apt_key_uri/dotdeb" __apt_source dotdeb --uri http://packages.dotdeb.org \
|
8*|jessie|9*|ascii|ascii/ceres)
|
||||||
--distribution ${distribution} \
|
__apt_key_uri dotdeb --uri https://www.dotdeb.org/dotdeb.gpg
|
||||||
--component all
|
require="__apt_key_uri/dotdeb" __apt_source dotdeb --uri http://packages.dotdeb.org \
|
||||||
|
--distribution ${distribution} \
|
||||||
require="__apt_source/dotdeb" __apt_update_index
|
--component all
|
||||||
|
require="__apt_source/dotdeb" __apt_update_index
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
__apt_update_index
|
||||||
|
|
||||||
# Install packages
|
# Install packages
|
||||||
for package in php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl \
|
for package in ${packages}
|
||||||
php7.0-intl php7.0-mcrypt php7.0-imagick \
|
|
||||||
php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm;
|
|
||||||
do require="__apt_update_index" __package $package --state=present
|
do require="__apt_update_index" __package $package --state=present
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -66,7 +78,7 @@ __package curl --state=present
|
||||||
|
|
||||||
# Configure packages
|
# Configure packages
|
||||||
## PHP 7
|
## PHP 7
|
||||||
require="__package/php7.0-fpm" __file /etc/php/7.0/fpm/pool.d/www.conf \
|
require="__package/php${phpv}-fpm" __file /etc/php/${phpv}/fpm/pool.d/www.conf \
|
||||||
--owner root --group root --mode 644 --source "$__type/files/fpm.conf"
|
--owner root --group root --mode 644 --source "$__type/files/fpm.conf"
|
||||||
|
|
||||||
|
|
||||||
|
@ -85,6 +97,7 @@ require="__ungleich_http_server_ssl_redirect_letsencrypt/$domain" \
|
||||||
|
|
||||||
### The SSL configuration
|
### The SSL configuration
|
||||||
sed "s/DOMAIN/$domain/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"
|
sed "s/DOMAIN/$domain/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"
|
||||||
|
sed "s/VERSION/$phpv/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"
|
||||||
require="__letsencrypt_cert/$domain __package/nginx" __file /etc/nginx/sites-enabled/nextcloud \
|
require="__letsencrypt_cert/$domain __package/nginx" __file /etc/nginx/sites-enabled/nextcloud \
|
||||||
--owner www-data \
|
--owner www-data \
|
||||||
--group www-data \
|
--group www-data \
|
||||||
|
@ -103,4 +116,4 @@ require="__package/postgresql __postgres_role/${db_user}" __postgres_database "$
|
||||||
# Start on boot
|
# Start on boot
|
||||||
require="__package/postgresql" __start_on_boot postgresql
|
require="__package/postgresql" __start_on_boot postgresql
|
||||||
require="__package/nginx" __start_on_boot nginx
|
require="__package/nginx" __start_on_boot nginx
|
||||||
require="__package/php7.0-fpm" __start_on_boot php7.0-fpm
|
require="__package/php${phpv}-fpm" __start_on_boot php${phpv}-fpm
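Review bot: In the `@ -85,6 +97,7` hunk the added `sed "s/VERSION/$phpv/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"` reads the unmodified template again and overwrites the file that the DOMAIN substitution just wrote, so the generated vhost appears to keep the literal `DOMAIN` placeholder. Do both substitutions in one pass: `sed -e "s/DOMAIN/$domain/" -e "s/VERSION/$phpv/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"`. Which line is old and which is new is inferred from the side-by-side rendering, so confirm against the raw diff. If the overwrite is real, the deployed site file would carry an unsubstituted server name, and the hardened configuration might not load or match the intended host.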
|
||||||
|
|