Merge branch '2-fix-security-issues-for-nextcry-ransomeware' into 'master'

Resolve "Fix security issues for NextCry  ransomeware"

Closes #2

See merge request ungleich-public/__ungleich_nextcloud!1
rouxdo 2019-11-19 17:31:38 +01:00
commit f09092f466
3 changed files with 27 additions and 14 deletions


@ -1,5 +1,5 @@
upstream php-handler { upstream php-handler {
server unix:/run/php/php7.0-fpm.sock; server unix:/run/php/phpVERSION-fpm.sock;
} }
server { server {
@ -16,7 +16,8 @@ server {
add_header Strict-Transport-Security "max-age=15768000; add_header Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload;"; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN"; #add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy no-referrer;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; add_header X-Robots-Tag none;
add_header X-Download-Options noopen; add_header X-Download-Options noopen;
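Review bot: Commenting out `add_header X-Frame-Options "SAMEORIGIN";` drops the clickjacking protection this vhost sent before, and neither the hunk nor the commit message says why it is no longer wanted next to the new `add_header Referrer-Policy no-referrer;`. If the reason is that the application emits that header itself (so nginx would otherwise send it twice), say so in place of the dead line, e.g. `# X-Frame-Options is sent by the application; adding it here would duplicate the header`; otherwise restore it. Also worth checking in the part of the server block outside this hunk: nginx add_header directives are not inherited by a location that declares its own add_header, so any such location silently loses this whole header set unless it repeats them.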


@ -21,7 +21,6 @@ case "$os" in
restart="systemctl restart nginx" restart="systemctl restart nginx"
;; ;;
*) *)
restart="systemctl restart nginx"
echo "Unsupported version $os_version of $os." >&2 echo "Unsupported version $os_version of $os." >&2
exit 1 exit 1
;; ;;


@ -29,9 +29,19 @@ os_version=$(cat "$__global/explorer/os_version")
case "$os_version" in case "$os_version" in
8*|jessie) 8*|jessie)
distribution="jessie" distribution="jessie"
packages="php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl php7.0-intl php7.0-mcrypt php7.0-imagick php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm"
phpv="7.0"
;; ;;
9*|ascii|ascii/ceres) 9*|ascii|ascii/ceres)
distribution="stretch" distribution="stretch"
packages="php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl php7.0-intl php7.0-mcrypt php7.0-imagick php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm"
phpv="7.0"
;;
10*|beowulf|beowulf/ceres)
#packages="php7.3-common php7.3-gd php7.3-json php7.3-pgsql php7.3-curl php7.3-intl php7.3-mcrypt php-imagick php7.3-zip php-apcu php7.3-mbstring php7.3-xml php7.3-fpm"
distribution="buster"
packages="php7.3-fpm php7.3-intl php7.3-ldap php7.3-imap php7.3-gd php7.3-pgsql php7.3-curl php7.3-xml php7.3-zip php7.3-mbstring php7.3-soap php7.3-smbclient php7.3-json php7.3-gmp php7.3-bz2 php-pear"
phpv="7.3"
;; ;;
*) *)
echo "Unsupported version $os_version of $os." >&2 echo "Unsupported version $os_version of $os." >&2
@ -47,17 +57,19 @@ domain=$(cat "$__object/parameter/domain")
tmpdir="$__object/files" tmpdir="$__object/files"
mkdir "$tmpdir" mkdir "$tmpdir"
__apt_key_uri dotdeb --uri https://www.dotdeb.org/dotdeb.gpg case "$os_version" in
require="__apt_key_uri/dotdeb" __apt_source dotdeb --uri http://packages.dotdeb.org \ 8*|jessie|9*|ascii|ascii/ceres)
--distribution ${distribution} \ __apt_key_uri dotdeb --uri https://www.dotdeb.org/dotdeb.gpg
--component all require="__apt_key_uri/dotdeb" __apt_source dotdeb --uri http://packages.dotdeb.org \
--distribution ${distribution} \
require="__apt_source/dotdeb" __apt_update_index --component all
require="__apt_source/dotdeb" __apt_update_index
;;
esac
__apt_update_index
# Install packages # Install packages
for package in php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl \ for package in ${packages}
php7.0-intl php7.0-mcrypt php7.0-imagick \
php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm;
do require="__apt_update_index" __package $package --state=present do require="__apt_update_index" __package $package --state=present
done done
@ -66,7 +78,7 @@ __package curl --state=present
# Configure packages # Configure packages
## PHP 7 ## PHP 7
require="__package/php7.0-fpm" __file /etc/php/7.0/fpm/pool.d/www.conf \ require="__package/php${phpv}-fpm" __file /etc/php/${phpv}/fpm/pool.d/www.conf \
--owner root --group root --mode 644 --source "$__type/files/fpm.conf" --owner root --group root --mode 644 --source "$__type/files/fpm.conf"
@ -85,6 +97,7 @@ require="__ungleich_http_server_ssl_redirect_letsencrypt/$domain" \
### The SSL configuration ### The SSL configuration
sed "s/DOMAIN/$domain/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx" sed "s/DOMAIN/$domain/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"
sed "s/VERSION/$phpv/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"
require="__letsencrypt_cert/$domain __package/nginx" __file /etc/nginx/sites-enabled/nextcloud \ require="__letsencrypt_cert/$domain __package/nginx" __file /etc/nginx/sites-enabled/nextcloud \
--owner www-data \ --owner www-data \
--group www-data \ --group www-data \
@ -103,4 +116,4 @@ require="__package/postgresql __postgres_role/${db_user}" __postgres_database "$
# Start on boot # Start on boot
require="__package/postgresql" __start_on_boot postgresql require="__package/postgresql" __start_on_boot postgresql
require="__package/nginx" __start_on_boot nginx require="__package/nginx" __start_on_boot nginx
require="__package/php7.0-fpm" __start_on_boot php7.0-fpm require="__package/php${phpv}-fpm" __start_on_boot php${phpv}-fpm
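Review bot: In the hunk at `@ -85,6 +97,7`, the added `sed "s/VERSION/$phpv/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"` reads the untouched template again and overwrites the file the previous line just wrote, so the DOMAIN substitution is lost and the deployed vhost keeps the literal DOMAIN placeholder. Collapse both into one invocation: `sed -e "s/DOMAIN/$domain/" -e "s/VERSION/$phpv/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"`. In the hunk at `@ -47,17 +57,19`, the jessie/stretch branch runs `require="__apt_source/dotdeb" __apt_update_index` and the unconditional `__apt_update_index` after `esac` then runs it again; keeping a single call (the in-case one, or the post-esac one with the require set per branch) is cleaner. The buster branch adds no apt source, so its `packages` list relies entirely on the distribution's own php7.3 packages — a one-line comment stating that this is intentional would help the next reader.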