From 6c5b3986209235420d3859aaac20228d24b3281a Mon Sep 17 00:00:00 2001 From: Tommy Date: Wed, 26 Jun 2024 15:27:01 -0700 Subject: [PATCH] Bug fixes & instructions for Drupal Signed-off-by: Tommy --- sample-scripts/Ubuntu-24.04-LEMP-Drupal.md | 114 +++++++++++++++++++++ sample-scripts/Ubuntu-24.04-LEMP.sh | 14 +-- 2 files changed, 122 insertions(+), 6 deletions(-) create mode 100644 sample-scripts/Ubuntu-24.04-LEMP-Drupal.md diff --git a/sample-scripts/Ubuntu-24.04-LEMP-Drupal.md b/sample-scripts/Ubuntu-24.04-LEMP-Drupal.md new file mode 100644 index 0000000..beb0589 --- /dev/null +++ b/sample-scripts/Ubuntu-24.04-LEMP-Drupal.md @@ -0,0 +1,114 @@ +# Ubuntu 24.04 LEMP Drupal + +First you need to run the following scripts: + +- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/Ubuntu-24.04-Server.sh +- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/sample-scripts-Ubuntu-24.04-LEMP.sh + +## Install composer + +``` +php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" +php composer-setup.php +php -r "unlink('composer-setup.php');" + +sudo chown root:root composer.phar +sudo mv composer.phar /usr/local/bin +``` + +## Setup Directory Structure + +``` +# Add unprivileged user for drupal +sudo useradd -U -m -s /bin/bash drupal + +# Make drupal directory + +sudo mkdir -p /srv/drupal +sudo chmod 755 /srv/drupal +sudo chown drupal:drupal /srv/drupal + +# Setup ACL +sudo apt install -y acl +sudo setfacl -Rdm u:nginx:rwx /srv/drupal +``` + +## Install Drupal + +Switch to the `drupal` user: + +``` +sudo su - drupal +``` + +As the drupal user, run: + +``` +cd /srv/drupal +composer create-project drupal/recommended-project drupal.yourdomain.tld +``` + +## Generate an SSL certificate + +``` +certbot certonly --nginx --no-eff-email \ + --key-type ecdsa --must-staple \ + --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ + --cert-name drupal.yourdomain.tld \ + -d drupal.yourdomain.tld +``` + +## NGINX configuration file + +Put the following file in `/etc/nginx/conf.d/sites_drupal.conf`: + +``` +server { + listen 443 quic reuseport; + listen 443 ssl; + listen [::]:443 quic reuseport; + listen [::]:443 ssl; + + server_name drupal.yourdomain.tld; + + ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem; + ssl_stapling_file /var/cache/certbot-ocsp-fetcher/drupal.yourdomain.tld.der; + + include snippets/hsts.conf; + include snippets/security.conf; + include snippets/cross-origin-security.conf; + include snippets/quic.conf; + + + index index.php; + client_max_body_size 100M; + root /srv/drupal/drupal.yourdomain.tld/web; + + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + + location @rewrite { + rewrite ^/(.*)$ /index.php?q=$1; + } + + location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ { + try_files $uri @rewrite; + expires max; + log_not_found off; + } + + location ~ \.php$ { + try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/var/run/php/php8.3-fpm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + client_max_body_size 100M; + } + +} +``` \ No newline at end of file diff --git a/sample-scripts/Ubuntu-24.04-LEMP.sh b/sample-scripts/Ubuntu-24.04-LEMP.sh index b3aeb31..5a7c73a 100644 --- a/sample-scripts/Ubuntu-24.04-LEMP.sh +++ b/sample-scripts/Ubuntu-24.04-LEMP.sh @@ -63,19 +63,17 @@ sudo mariadb-secure-installation sudo rm -rf /etc/nginx/conf.d/default.conf -## Setup webroot for NGINX -sudo mkdir -p /srv/nginx -sudo mkdir -p /srv/nginx/.well-known/acme-challenge - ## NGINX hardening sudo mkdir -p /etc/systemd/system/nginx.service.d unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx.service.d/local.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf +sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf sudo systemctl daemon-reload ## Setup certbot-ocsp-fetcher unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/certbot-ocsp-fetcher | sudo tee /usr/local/bin/certbot-ocsp-fetcher sudo chmod u+x /usr/local/bin/certbot-ocsp-fetcher sudo mkdir -p /var/cache/certbot-ocsp-fetcher/ +sudo chmod 755 /var/cache/certbot-ocsp-fetcher/ ## Setup nginx-create-session-ticket-keys unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-create-session-ticket-keys | sudo tee /usr/local/bin/nginx-create-session-ticket-keys @@ -95,6 +93,7 @@ unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/sys ## Systemd Hardening sudo mkdir -p /etc/systemd/system/nginx.service.d unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/systemd/system/nginx.service.d/override.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf +sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf sudo systemctl daemon-reload ## Enable the units @@ -106,15 +105,18 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/sites_default.conf | sudo tee /etc/nginx/conf.d/sites_default.conf +sudo sed -i 's/include snippets/universal_paths.conf;//g' /etc/nginx/conf.d/sites_default.conf sudo sed -i 's/ipv4_1://g' /etc/nginx/conf.d/sites_default.conf sudo sed -i 's/ipv6_1/::/g' /etc/nginx/conf.d/sites_default.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf sudo mkdir -p /etc/nginx/snippets -unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/tls.conf | sudo tee /etc/nginx/snippets/tls.conf +unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf -unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/universal_paths.conf | sudo tee /etc/nginx/snippets/universal_paths.conf +# Fix PHP permission +sudo sed -i 's/www-data/nginx/g' /etc/php/8.3/fpm/pool.d/www.sock +sudo systemctl restart php8.3-fpm \ No newline at end of file