ungleich-public/__ungleich_nextcloud
6
0
Fork 0
Code Issues 1 Pull requests Projects Releases Wiki Activity

Merge branch '2-fix-security-issues-for-nextcry-ransomeware' into 'master'

Browse source 
Resolve "Fix security issues for NextCry  ransomeware"

Closes #2

See merge request ungleich-public/__ungleich_nextcloud!1
This commit is contained in:
rouxdo 2019-11-19 17:31:38 +01:00
commit f09092f466
3 changed files with 27 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
files/nextcloud.nginx
View file

@ -1,5 +1,5 @@
upstream php-handler {
server unix:/run/php/php7.0-fpm.sock;
server unix:/run/php/phpVERSION-fpm.sock;
}
server {
@ -16,7 +16,8 @@ server {
add_header Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
#add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy no-referrer;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;

1
gencode-remote
View file

@ -21,7 +21,6 @@ case "$os" in
restart="systemctl restart nginx"
;;
*)
restart="systemctl restart nginx"
echo "Unsupported version $os_version of $os." >&2
exit 1
;;

25
manifest
View file

@ -29,9 +29,19 @@ os_version=$(cat "$__global/explorer/os_version")
case "$os_version" in
8*|jessie)
distribution="jessie"
packages="php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl php7.0-intl php7.0-mcrypt php7.0-imagick php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm"
phpv="7.0"
;;
9*|ascii|ascii/ceres)
distribution="stretch"
packages="php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl php7.0-intl php7.0-mcrypt php7.0-imagick php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm"
phpv="7.0"
;;
10*|beowulf|beowulf/ceres)
#packages="php7.3-common php7.3-gd php7.3-json php7.3-pgsql php7.3-curl php7.3-intl php7.3-mcrypt php-imagick php7.3-zip php-apcu php7.3-mbstring php7.3-xml php7.3-fpm"
distribution="buster"
packages="php7.3-fpm php7.3-intl php7.3-ldap php7.3-imap php7.3-gd php7.3-pgsql php7.3-curl php7.3-xml php7.3-zip php7.3-mbstring php7.3-soap php7.3-smbclient php7.3-json php7.3-gmp php7.3-bz2 php-pear"
phpv="7.3"
;;
*)
echo "Unsupported version $os_version of $os." >&2
@ -47,17 +57,19 @@ domain=$(cat "$__object/parameter/domain")
tmpdir="$__object/files"
mkdir "$tmpdir"
case "$os_version" in
8*|jessie|9*|ascii|ascii/ceres)
__apt_key_uri dotdeb --uri https://www.dotdeb.org/dotdeb.gpg
require="__apt_key_uri/dotdeb" __apt_source dotdeb --uri http://packages.dotdeb.org \
--distribution ${distribution} \
--component all
require="__apt_source/dotdeb" __apt_update_index
;;
esac
__apt_update_index
# Install packages
for package in php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl \
php7.0-intl php7.0-mcrypt php7.0-imagick \
php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm;
for package in ${packages}
do require="__apt_update_index" __package $package --state=present
done
@ -66,7 +78,7 @@ __package curl --state=present
# Configure packages
## PHP 7
require="__package/php7.0-fpm" __file /etc/php/7.0/fpm/pool.d/www.conf \
require="__package/php${phpv}-fpm" __file /etc/php/${phpv}/fpm/pool.d/www.conf \
--owner root --group root --mode 644 --source "$__type/files/fpm.conf"
@ -85,6 +97,7 @@ require="__ungleich_http_server_ssl_redirect_letsencrypt/$domain" \
### The SSL configuration
sed "s/DOMAIN/$domain/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"
sed "s/VERSION/$phpv/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"
require="__letsencrypt_cert/$domain __package/nginx" __file /etc/nginx/sites-enabled/nextcloud \
--owner www-data \
--group www-data \
@ -103,4 +116,4 @@ require="__package/postgresql __postgres_role/${db_user}" __postgres_database "$
# Start on boot
require="__package/postgresql" __start_on_boot postgresql
require="__package/nginx" __start_on_boot nginx
require="__package/php7.0-fpm" __start_on_boot php7.0-fpm
require="__package/php${phpv}-fpm" __start_on_boot php${phpv}-fpm