install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

install_postfixadmin.sh: virtual host configuration changed.

Browse Source
This commit is contained in:
Christoph 2018-03-13 18:22:02 +01:00
parent c5859c68b4
commit 5393dab11c
1 changed files with 13 additions and 339 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

352
install_postfixadmin.sh
View File

@ -1159,7 +1159,7 @@ _failed=false
cat <<EOF > ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
# -- $WEBSITE_NAME -- #
<VirtualHost $IPV4:80>
<VirtualHost $IPV4:80 [$IPV6]:80>
ServerAdmin $WEBMASTER_EMAIL
@ -1169,87 +1169,13 @@ cat <<EOF > ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
# ==========
# - HTTP security Headers
# ==========
# - X-Frame-Options
# -
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
# - site and set your site as the source, it's quite easy:
# -
# - <iframe src="https://scotthelme.co.uk"></iframe>
# -
# - Using some crafty CSS they can hide your site in the background and create some
# - genuine looking overlays. When your visitors click on what they think is a harmless
# - link, they're actually clicking on links on your website in the background. That
# - might not seem so bad until we realise that the browser will execute those requests
# - in the context of the user, which could include them being logged in and authenticated
# - to your site!
# -
# - Troy Hunt has a great blog on 'Clickjack attack the hidden threat right in front :
# - of you':
# -
# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
# -
# - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows
# - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify
# -sites that are permitted to frame your own site.
# -
Header always set X-Frame-Options "SAMEORIGIN"
# - X-Xss-Protection
# -
# - This header is used to configure the built in reflective XSS protection found
# - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header
# - are 0, which disables the protection, 1 which enables the protection
# - and 1; mode=block which tells the browser to block the response if it
# - detects an attack rather than sanitising the script.
# -
Header always set X-Xss-Protection "1; mode=block"
# - X-Content-Type-Options
# -
# - Nice and easy to configure, this header only has one valid value, nosniff.
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
# - the content-type of a response away from the one being declared by the server.
# - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - that, with clever naming, could be treated as a different content-type, like
# - an executable.
# -
Header always set X-Content-Type-Options "nosniff"
# - Content Security Policy
# -
# - The CSP header allows you to define a whitelist of approved sources of content
# - for your site. By restricting the assets that a browser can load for your site,
# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
# - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# -
# - Here is a basic policy to enforce TLS on all assets and prevent
# - mixed content warnings.
# -
#
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
# - Referrer-Policy
# -
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - webpage can see where the request originated.
# -
Header set Referrer-Policy "strict-origin-when-cross-origin
CustomLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-access.log combined
ErrorLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-error.log
</VirtualHost>
<VirtualHost $IPV4:443>
<VirtualHost $IPV4:443 [$IPV6]:443>
ServerAdmin $WEBMASTER_EMAIL
@ -1382,8 +1308,17 @@ cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
# - Here is a basic policy to enforce TLS on all assets and prevent
# - mixed content warnings.
# -
#
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
# - Allow Google Analytics, Google AJAX CDN and Same Origin
# - script-src 'self' www.google-analytics.com ajax.googleapis.com;
# -
# - Emmbedding Google Fonts
# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
# -
# - Allow YouTube Videos (iframe embedded)
# - frame-src 'self' https://www.youtube.com
# -
#Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' ; object-src 'none'"
Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' ; img-src 'self'; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self' ; frame-src 'self'; worker-src ${WEBSITE_NAME}:443 ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
# - Referrer-Policy
# -
@ -1415,267 +1350,6 @@ cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
</VirtualHost>
# ---
# --- IPv6
# ---
<VirtualHost [$IPV6]:80>
ServerAdmin $WEBMASTER_EMAIL
ServerName $WEBSITE_NAME
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
# ==========
# - HTTP security Headers
# ==========
# - X-Frame-Options
# -
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
# - site and set your site as the source, it's quite easy:
# -
# - <iframe src="https://scotthelme.co.uk"></iframe>
# -
# - Using some crafty CSS they can hide your site in the background and create some
# - genuine looking overlays. When your visitors click on what they think is a harmless
# - link, they're actually clicking on links on your website in the background. That
# - might not seem so bad until we realise that the browser will execute those requests
# - in the context of the user, which could include them being logged in and authenticated
# - to your site!
# -
# - Troy Hunt has a great blog on 'Clickjack attack the hidden threat right in front :
# - of you':
# -
# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
# -
# - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows
# - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify
# -sites that are permitted to frame your own site.
# -
Header always set X-Frame-Options "SAMEORIGIN"
# - X-Xss-Protection
# -
# - This header is used to configure the built in reflective XSS protection found
# - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header
# - are 0, which disables the protection, 1 which enables the protection
# - and 1; mode=block which tells the browser to block the response if it
# - detects an attack rather than sanitising the script.
# -
Header always set X-Xss-Protection "1; mode=block"
# - X-Content-Type-Options
# -
# - Nice and easy to configure, this header only has one valid value, nosniff.
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
# - the content-type of a response away from the one being declared by the server.
# - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - that, with clever naming, could be treated as a different content-type, like
# - an executable.
# -
Header always set X-Content-Type-Options "nosniff"
# - Content Security Policy
# -
# - The CSP header allows you to define a whitelist of approved sources of content
# - for your site. By restricting the assets that a browser can load for your site,
# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
# - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# -
# - Here is a basic policy to enforce TLS on all assets and prevent
# - mixed content warnings.
# -
#
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
# - Referrer-Policy
# -
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - webpage can see where the request originated.
# -
Header set Referrer-Policy "strict-origin-when-cross-origin
CustomLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-access.log combined
ErrorLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-error.log
</VirtualHost>
<VirtualHost [$IPV6]:443>
ServerAdmin $WEBMASTER_EMAIL
ServerName $WEBSITE_NAME
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
if [[ "$PHP_TYPE" = "mod_php" ]]; then
cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
## - its allowed to overwrite by .htaccess
## -
php_value error_reporting "E_ALL & ~E_NOTICE"
## - Overwriting by .htaccess NOT allowd
## -
php_admin_value upload_tmp_dir "${WEBSITE_BASEDIR}/tmp/"
php_admin_flag log_errors on
php_admin_value error_log "${WEBSITE_BASEDIR}/logs/php_error.log"
DocumentRoot "${WEBSITE_BASEDIR}/htdocs/"
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
elif [[ "$PHP_TYPE" = "fcgid" ]]; then
cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
DocumentRoot "${WEBSITE_BASEDIR}/htdocs/"
<Directory "${WEBSITE_BASEDIR}/htdocs">
Require all granted
FCGIWrapper ${WEBSITE_BASEDIR}/conf/fcgid .php
<FilesMatch \.php$>
SetHandler fcgid-script
</FilesMatch>
Options +ExecCGI
</Directory>
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
elif [[ "$PHP_TYPE" = "php_fpm" ]]; then
cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
DocumentRoot "${WEBSITE_BASEDIR}/htdocs/"
<FilesMatch \.php$>
EOF
if $PHP_DEBIAN_INSTALLATION ; then
cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
SetHandler "proxy:unix:/var/run/php$(echo $php_major_version | cut -d'.' -f1)-fpm.sock|fcgi://127.0.0.1"
EOF
else
cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
SetHandler "proxy:unix:/tmp/php-${php_latest_ver}-fpm.www.sock|fcgi://127.0.0.1"
EOF
fi
cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
</FilesMatch>
<IfModule dir_module>
DirectoryIndex index.php index.html
</IfModule>
EOF
if [[ $? -ne 0 ]]; then
failed=true
fi
fi
cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
# ==========
# - HTTP security Headers
# ==========
# - X-Frame-Options
# -
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
# - site and set your site as the source, it's quite easy:
# -
# - <iframe src="https://scotthelme.co.uk"></iframe>
# -
# - Using some crafty CSS they can hide your site in the background and create some
# - genuine looking overlays. When your visitors click on what they think is a harmless
# - link, they're actually clicking on links on your website in the background. That
# - might not seem so bad until we realise that the browser will execute those requests
# - in the context of the user, which could include them being logged in and authenticated
# - to your site!
# -
# - Troy Hunt has a great blog on 'Clickjack attack the hidden threat right in front :
# - of you':
# -
# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
# -
# - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows
# - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify
# -sites that are permitted to frame your own site.
# -
Header always set X-Frame-Options "SAMEORIGIN"
# - X-Xss-Protection
# -
# - This header is used to configure the built in reflective XSS protection found
# - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header
# - are 0, which disables the protection, 1 which enables the protection
# - and 1; mode=block which tells the browser to block the response if it
# - detects an attack rather than sanitising the script.
# -
Header always set X-Xss-Protection "1; mode=block"
# - X-Content-Type-Options
# -
# - Nice and easy to configure, this header only has one valid value, nosniff.
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
# - the content-type of a response away from the one being declared by the server.
# - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - that, with clever naming, could be treated as a different content-type, like
# - an executable.
# -
Header always set X-Content-Type-Options "nosniff"
# - Content Security Policy
# -
# - The CSP header allows you to define a whitelist of approved sources of content
# - for your site. By restricting the assets that a browser can load for your site,
# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
# - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# -
# - Here is a basic policy to enforce TLS on all assets and prevent
# - mixed content warnings.
# -
#
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
# - Referrer-Policy
# -
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - webpage can see where the request originated.
# -
Header set Referrer-Policy "strict-origin-when-cross-origin
# - HTTP Strict Transport Security (HSTS)
# -
# - HSTS tells a browser that the website should only be accessed through
# - a secure connection. The HSTS header will be remembered by a standard
# compliant browser for max-age seconds.
# -
# - Remember this settings for 1 year
# -
Header always set Strict-Transport-Security "max-age=31536000"
SSLEngine on
SSLCertificateFile ${APACHE_CERT_DIR}/$APACHE_SERVER_CERT
SSLCertificateKeyFile ${APACHE_CERT_DIR}/$APACHE_SERVER_KEY
$SSLCertificateChainFile
CustomLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-access.log combined
ErrorLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-error.log
</VirtualHost>
EOF
if [[ $? -ne 0 ]]; then
_failed=true