Nginx+php-fpm vhost creator

This package makes it easy to create nginx vhosts that use php-fpm. Every vhost runs under its own system user, so a compromised site cannot read or modify the files of the others, which improves the security of the server.

The package contains two template files and the script.

nginx vhost template

vhost_template.conf


upstream phpPORT {
    server 127.0.0.1:PORT;
}

server {
    listen 80;
    server_name DOMAIN www.DOMAIN;
    access_log /var/log/nginx/DOMAIN-acc.log;
    error_log /var/log/nginx/DOMAIN-err.log;
    root /var/www/DOMAIN/web;
    index index.php index.html;
    try_files $uri $uri/ /index.php?q=$uri&$args;

    # never serve source, configuration, VCS and backup files
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
        deny all;
    }
    # report denied paths as missing so the layout is not disclosed
    error_page 403 = 404;

    # WordPress hardening
    location ~* wp-admin/includes { deny all; }
    location ~* wp-includes/theme-compat/ { deny all; }
    location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
    location /wp-content/ { internal; }
    location /wp-includes/ { internal; }
    location ~* wp-config\.php { deny all; }
    # anything script-like in the uploads directory is served as plain text, never executed
    location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf)$ {
        types { }
        default_type text/plain;
    }
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
    location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ {
        expires max;
        log_not_found off;
    }
    location ~ \.php$ {
        # only hand existing files to php-fpm; blocks the "/image.jpg/x.php" path-info trick
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;

        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_pass phpPORT;
    }
    location = /xmlrpc.php {
        deny all;
        access_log off;        # to prevent filling up the access log file
        error_log /dev/null;   # "error_log off" would log to a file named "off"; /dev/null discards
    }
}

php-fpm pool template

pool_template.conf

[USER]
user = USER
group = USER
listen = 127.0.0.1:PORT
pm = dynamic
pm.max_children = 10
pm.start_servers = 4
pm.min_spare_servers = 2
pm.max_spare_servers = 6
chdir = /

shell script
vhostcreate

#!/bin/bash
# vhostcreate: create an nginx vhost with its own php-fpm pool running as a dedicated system user

POOLDIR=/etc/php5/fpm/pool.d
TEMPLATES=/usr/local/vhost

if [ "$1" == "q" ]; then
    echo "Installed ports and users"
    # every pool file is named after its user; the listen line carries the port
    for f in "$POOLDIR"/*.conf; do
        port=$(awk -F'[:=] *' '/^listen *=/ {print $NF}' "$f")
        echo "Username: $(basename "$f" .conf) Port: $port"
    done
    exit
fi

if [ "$#" -ne 2 ]; then
    echo "Illegal number of parameters"
    echo "$0 <user> <domain>"
    echo "    <user>   system user for php-fpm"
    echo "    <domain> new domain"
    echo "$0 q (list installed ports with usernames)"
    exit 1
fi

if [ ${#1} -gt 13 ]; then
    echo "Username max length 13 characters"
    exit 1
fi

USER=$1
DOMAIN=$2

# next free port: the highest port used by an existing TCP pool plus one
# (the default www pool listens on a socket and is skipped; the first pool gets 9001)
PORT=$(grep '^listen' "$POOLDIR"/* | grep -v www | awk -F"=" '{print $2}' | awk -F":" '{print $2}' | sort -n | tail -1)
PORT=$((${PORT:-9000}+1))
echo "Php-fpm port: $PORT"
mkdir -p "/var/www/$DOMAIN/web"
cd /var/www || exit 1
# dedicated user with no login shell; -M: do not create a home directory, -U: create a group of the same name
useradd -d "/var/www/$DOMAIN/web" -M -U -s /bin/false "$USER"
chown -R "$USER:$USER" "$DOMAIN"
# php-fpm pool: fill in the PORT and USER placeholders of the template
cp "$TEMPLATES/pool_template.conf" "$TEMPLATES/$USER.conf"
rpl PORT "$PORT" "$TEMPLATES/$USER.conf" >/dev/null
rpl USER "$USER" "$TEMPLATES/$USER.conf" >/dev/null
# nginx vhost: fill in the PORT and DOMAIN placeholders
cp "$TEMPLATES/vhost_template.conf" "$TEMPLATES/$DOMAIN.conf"

rpl PORT "$PORT" "$TEMPLATES/$DOMAIN.conf" >/dev/null
rpl DOMAIN "$DOMAIN" "$TEMPLATES/$DOMAIN.conf" >/dev/null
cp "$TEMPLATES/$DOMAIN.conf" /etc/nginx/sites-available
cp "$TEMPLATES/$USER.conf" "$POOLDIR/"
ln -s "/etc/nginx/sites-available/$DOMAIN.conf" /etc/nginx/sites-enabled

The templates above must be copied to the /usr/local/vhost directory; the bash script is best placed in /usr/local/bin.

If the vhostcreate script is started without parameters, it prints its usage options.
Since php-fpm binds to a TCP port (it could also be done with a socket), the TCP port number is incremented by one for every vhost.

Tested on Ubuntu.
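The per-user isolation described above only holds while no two pools share a user or a port. The following audit helpers are an added example, not part of the vhostcreate package; they work on a constructed pool directory that stands in for /etc/php5/fpm/pool.d, and the next-free-port function generalises the port computation in the script (numeric sort, default when no TCP pool exists yet).

```shell
#!/bin/sh
# Added example, not part of the vhostcreate package: audit the php-fpm pool
# files that vhostcreate generates from pool_template.conf. Per-vhost
# isolation only holds while no two pools share a user or a listen port.

# Constructed sample pool directory standing in for /etc/php5/fpm/pool.d;
# carol.conf deliberately reuses alice's user and bob's port.
POOLDIR=$(mktemp -d)
printf '[www]\nuser = www-data\nlisten = /var/run/php5-fpm.sock\nlisten.owner = www-data\n' > "$POOLDIR/www.conf"
printf '[alice]\nuser = alice\ngroup = alice\nlisten = 127.0.0.1:9001\n' > "$POOLDIR/alice.conf"
printf '[bob]\nuser = bob\ngroup = bob\nlisten = 127.0.0.1:9002\n' > "$POOLDIR/bob.conf"
printf '[carol]\nuser = alice\ngroup = alice\nlisten = 127.0.0.1:9002\n' > "$POOLDIR/carol.conf"

# pool_values DIR KEY: the value of KEY from every pool file, one per line.
# "listen.owner" does not match "^listen *$", so only the real listen line counts.
pool_values() {
    awk -F= -v key="$2" '$1 ~ ("^" key " *$") { gsub(/ /, "", $2); print $2 }' "$1"/*.conf
}

# duplicate_count DIR KEY: how many KEY values are used by more than one pool
duplicate_count() {
    pool_values "$1" "$2" | sort | uniq -d | wc -l | tr -d ' '
}

# next_pool_port DIR: highest TCP port in use plus one, 9001 when no TCP pool
# exists yet (the socket-based www pool has no port). Numeric sort avoids the
# lexical trap of "sort -r | head -1" once ports pass 9999.
next_pool_port() {
    last=$(pool_values "$1" listen | awk -F: 'NF > 1 { print $NF }' | sort -n | tail -1)
    echo $(( ${last:-9000} + 1 ))
}

# audit_pools DIR: succeed only if every pool has its own user and its own port
audit_pools() {
    [ "$(duplicate_count "$1" user)" -eq 0 ] && [ "$(duplicate_count "$1" listen)" -eq 0 ]
}

if audit_pools "$POOLDIR"; then echo "pools OK"; else echo "pool isolation broken"; fi
echo "next free port: $(next_pool_port "$POOLDIR")"
```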

MySQL UTF-8

It is a frequent problem that a database was created with latin1 or some other exotic code page.
With this script we can easily change the character set of the database, of its tables and of their columns:

<?php
// Usage: php thisscript.php <USERNAME> <PASSWORD> <DATABASE>
if ($argc != 4) {
    echo $argv[0] . " <USERNAME> <PASSWORD> <DATABASE>\n";
    echo "change database, table and field collation to utf8_hungarian_ci\n";
    exit(1);
}

// Configuration section
$server        = 'localhost';          // probably localhost, change if required
$username      = trim($argv[1]);       // get username from the command line
$password      = trim($argv[2]);       // get password from the command line
$database      = trim($argv[3]);       // get database name from the command line
$new_charset   = 'utf8';               // change to the required character set ('utf8' is the 3-byte utf8mb3; utf8mb4 covers all of Unicode)
$new_collation = 'utf8_hungarian_ci';  // change to the required collation

// Connect to the database (mysqli replaces the mysql_* functions removed in PHP 7)
$db = mysqli_connect($server, $username, $password, $database);
if (!$db) {
    die("Cannot connect to database server - " . mysqli_connect_error() . "\n");
}

// Run a statement and stop at the first error instead of silently continuing
function run($db, $sql)
{
    if (!mysqli_query($db, $sql)) {
        die("Query failed: $sql\n" . mysqli_error($db) . "\n");
    }
}

// change the database default (applies to tables created later)
run($db, "ALTER DATABASE `$database` DEFAULT CHARACTER SET $new_charset COLLATE $new_collation");

// Loop through all tables changing collation
$result = mysqli_query($db, 'SHOW TABLES');
while ($tables = mysqli_fetch_array($result)) {
    $table = $tables[0];
    run($db, "ALTER TABLE `$table` DEFAULT CHARACTER SET $new_charset COLLATE $new_collation");

    // loop through each character column (non-character columns report a NULL collation)
    $columns = mysqli_query($db, "SHOW FULL COLUMNS FROM `$table` WHERE Collation IS NOT NULL");
    while ($cols = mysqli_fetch_assoc($columns)) {
        $column = $cols['Field'];
        $type   = $cols['Type'];
        // keep nullability and default value, which a bare MODIFY would otherwise reset
        $null    = $cols['Null'] === 'NO' ? 'NOT NULL' : 'NULL';
        $default = $cols['Default'] === null ? '' : " DEFAULT '" . mysqli_real_escape_string($db, $cols['Default']) . "'";
        run($db, "ALTER TABLE `$table` MODIFY `$column` $type CHARACTER SET $new_charset COLLATE $new_collation $null$default");
    }

    print "changed collation of $table to $new_collation\n";
}
print "\n";
print "The collation of your database has been successfully changed!\n";
?>

Nagios rbl checker

With this script we can check whether a given IP address is present in the best-known RBL (DNS blacklist) databases.


#!/bin/sh
# Nagios plugin: look up an IP address in a list of DNS blacklists (DNSBLs)
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

FOUND_ADDRESS=0

# lines starting with # are skipped, so a zone can be disabled without deleting it.
# Several of these zones have since been shut down; a retired DNSBL may answer every
# query positively, so prune the list before relying on it.
DNSBLlist=`grep -v '^#' <<!
bl.spamcop.net
cbl.abuseat.org
b.barracudacentral.org
dnsbl.sorbs.net
http.dnsbl.sorbs.net
dul.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
spam.dnsbl.sorbs.net
web.dnsbl.sorbs.net
zombie.dnsbl.sorbs.net
pbl.spamhaus.org
sbl.spamhaus.org
xbl.spamhaus.org
zen.spamhaus.org
images.rbl.msrbl.net
phishing.rbl.msrbl.net
combined.rbl.msrbl.net
spam.rbl.msrbl.net
virus.rbl.msrbl.net
bl.spamcannibal.org
psbl.surriel.com
ubl.unsubscore.com
dnsbl.njabl.org
combined.njabl.org
rbl.spamlab.com
bl.deadbeef.com
dnsbl.ahbl.org
tor.ahbl.org
dyna.spamrats.com
noptr.spamrats.com
spam.spamrats.com
blackholes.five-ten-sg.com
bl.emailbasura.org
cdl.anti-spam.org.cn
dnsbl.cyberlogic.net
dnsbl.inps.de
drone.abuse.ch
spam.abuse.ch
dul.ru
korea.services.net
short.rbl.jp
virus.rbl.jp
spamrbl.imp.ch
wormrbl.imp.ch
virbl.bit.nl
rbl.suresupport.com
!`

# reverse the octets of an IPv4 address (1.2.3.4 -> 4.3.2.1) for the DNSBL query
convertIP()
{
    set -- `IFS="."; echo $1`
    echo "$4.$3.$2.$1"
}

usage()
{
    echo "Usage: $0 [-H <host>] [-p]"
    echo "    -H  check Host"
    echo "    -p  print list of DNSBLs"
    exit $STATE_UNKNOWN
}

# Checks the IP against the list of DNSBL servers
check()
{
    count=0
    for i in $DNSBLlist
    do
        count=$(($count + 1))
        # a listing is an A record in 127.0.0.x; only answer lines are inspected, so the
        # resolver header ("Address: 127.0.0.53#53") is never mistaken for a hit
        if nslookup "$ip_arpa.$i" 2>/dev/null | awk '/^Address:/ && !/#/ {print $2}' | grep -q "^127\.0\.0\." ;
        then
            FOUND_ADDRESS=$(($FOUND_ADDRESS + 1))
            echo "DNSBL-Alarm: $ip is listed on $i"
        fi
    done
    if [ $FOUND_ADDRESS -ge 1 ]
    then
        exit $STATE_WARNING
    fi
    echo "OK - $ip not on $count DNSBLs"
    exit $STATE_OK
}

case "$1" in
  -H)
    if [ -z "$2" ]
    then
      echo "ip address missing"
      exit $STATE_UNKNOWN
    fi
    ip=$2
    ip_arpa=`convertIP $ip`
    check;;

  -p)
    for i in $DNSBLlist
    do
      echo $i
    done
    exit $STATE_WARNING;;

  --help)
    usage;;

  *)
    if [ -z "$1" ]
    then
      usage
    fi
    echo "unknown command: $1"
    exit $STATE_UNKNOWN;;
esac
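Two details decide whether a check like the one above is trustworthy: the IP must be reversed correctly and only real answer records may count as a listing. The following helpers are an added example, not part of the original plugin; the nslookup transcripts and the zone name dnsbl.example.invalid are constructed, and 127.0.0.2 is the conventional DNSBL test entry.

```shell
#!/bin/sh
# Added example, not part of the original check script: offline-testable
# helpers for the two places where a DNSBL check goes wrong, reversing the IP
# and reading the nslookup output. Transcripts below are constructed; the
# zone name is made up and 127.0.0.2 is the DNSBL test entry.

# reverse_ip A.B.C.D -> D.C.B.A; fails on anything that is not a dotted quad,
# so a hostname or stray shell text never reaches the DNS query
reverse_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(IFS=.; echo $1)
    echo "$4.$3.$2.$1"
}

# dnsbl_listed: read nslookup output on stdin and succeed only when an answer
# record is in 127.0.0.x; the resolver header ("Address: 127.0.0.53#53")
# carries a '#port' suffix and is skipped, which a plain grep "127.0.0." misses
dnsbl_listed() {
    awk '/^Address:/ && !/#/ { print $2 }' | grep -q '^127\.0\.0\.'
}

# Constructed nslookup transcripts from a host whose resolver is 127.0.0.53
NXDOMAIN_OUT='Server:         127.0.0.53
Address:        127.0.0.53#53

** server cannot find 1.0.0.127.dnsbl.example.invalid: NXDOMAIN'
LISTED_OUT='Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   2.0.0.127.dnsbl.example.invalid
Address: 127.0.0.2'

# wrappers returning the verdict for each transcript
verdict_nxdomain() { printf '%s\n' "$NXDOMAIN_OUT" | dnsbl_listed; }
verdict_listed()   { printf '%s\n' "$LISTED_OUT" | dnsbl_listed; }

reverse_ip 127.0.0.2
verdict_listed && echo "127.0.0.2 listed (expected)"
verdict_nxdomain || echo "127.0.0.1 not listed (expected)"
```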


Testing whether a partition is writable

It sometimes happens that the mounted backup partition ends up mounted read-only; we can test for this with this simple script:


#!/bin/sh
# Nagios plugin: try to create a file on the backup mount to detect a read-only remount.
# utils.sh (shipped with the Nagios plugins) defines the STATE_* exit codes.
PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
. $PROGPATH/utils.sh
# the mount point to test; defaults to the /BACKUP mount used by the backup script
MOUNTPOINT=${1:-/BACKUP}
# a temp file in /tmp would only prove that /tmp is writable, so create it on the mount itself
TMP=`mktemp "$MOUNTPOINT/.writetest.XXXXXX" 2>/dev/null`
if [ -n "$TMP" ] && [ -f "$TMP" ] ; then
    echo "OK - $MOUNTPOINT is writable"
    rm -f "$TMP"
    exit $STATE_OK
else
    echo "CRITICAL - cannot write to $MOUNTPOINT"
    exit $STATE_CRITICAL
fi


Backup script

Currently this script backs up all of our servers into a directory shared over iSCSI and mounted under /BACKUP.


#!/bin/bash
# Check that the config file exists (it holds the MySQL password, so keep it readable by root only)
if [ -f /etc/bkp.conf ]; then source /etc/bkp.conf ; else echo /etc/bkp.conf not found; exit 1 ;fi
# a failing mysqldump must not be masked by a successful bzip2 at the end of the pipe
set -o pipefail

DATE=`date +%Y-%m-%d`
#
# Set up the stat file; after the backup the errors end up in it as well.
#
mkdir -p /BACKUP/stat /BACKUP/backuplog
STATFILE=/BACKUP/stat/$HOST.stat
rm -f $STATFILE
touch $STATFILE
LOG=/BACKUP/backuplog/$HOST-backup.log
#
# Set the backup directory based on the config file
#
BACKUPDIR=/BACKUP/$HOST
#
# Select the backup to delete, based on the config (DAYS days of retention)
#
LASTDATE=`date +%Y-%m-%d --date="$DAYS days ago"`
if [ -d "$BACKUPDIR/$LASTDATE" ]; then rm -rf "$BACKUPDIR/$LASTDATE" ; fi
echo $HOST >>$LOG
date >>$LOG
mkdir -p "$BACKUPDIR/$DATE"
MDB=$BACKUPDIR/$DATE/mysql
# EXCLUDE may hold several paths; each one needs its own --exclude option
EXARGS=""
for e in $EXCLUDE; do EXARGS="$EXARGS --exclude=$e"; done
tar -cjf "$BACKUPDIR/$DATE/backup.tar.bz2" $EXARGS $DIRS
STAT=$?
echo $STAT>>$LOG
echo FS $STAT $DATE >>$STATFILE
if [ "$MYSQLBACKUP" = 0 ]; then
    date >>$LOG
    exit
fi
#
# backup directory for mysql
#
mkdir -p "$MDB"
# Dump each database separately and compress it.
# MYSQL_PWD keeps the password out of the process list, where -p<password> would expose it
export MYSQL_PWD="$MYSQLPASSWD"
STAT=0
DBS="$(mysql -u$MYSQLUSER -Bse 'show databases')"
for db in $DBS
do
    skipdb=-1
    if [ "$EXCLUDEDB" != "" ];
    then
        for i in $EXCLUDEDB
        do
            [ "$db" == "$i" ] && skipdb=1 || :
        done
    fi
    if [ "$skipdb" == "-1" ] ; then
        mysqldump -u$MYSQLUSER $db | bzip2 >$MDB/$db.sql.bz2
        STAT=$?
        echo $db $STAT>>$LOG
        echo DB $db $STAT>>$STATFILE
    fi
done
date >>$LOG

Here is the config file:

# If the SQL databases should be backed up too, the value is 1, otherwise 0
MYSQLBACKUP=1
# It is advisable to set the real host name when backing up centrally, so the backup is
# easier to identify; the backups go into this subdirectory
HOST=host.name.tld
# how many days the backups are kept
DAYS=7
# list of the directories to back up
DIRS="/etc /var/www /home"
# SQL user with read permission (may be left empty if no database is backed up)
MYSQLUSER=backupuser
MYSQLPASSWD=backuppass
# directories that should not be backed up can be listed here
EXCLUDE="/home/luzer /home/senki"
# the same can be done with databases
EXCLUDEDB="tmpdb"
# the last 2 parameters can be left out entirely


Nagios script for checking the backups.

#!/bin/sh
# Nagios plugin: check the stat file that the backup script writes for one host.
# Usage: <script> <hostname>   (reads /BACKUP/stat/<hostname>.stat)
PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
. $PROGPATH/utils.sh
if [ -z "$1" ]; then
    echo "UNKNOWN: host name missing"
    exit $STATE_UNKNOWN
fi
# Set up the dates
DATE=`date +%Y-%m-%d`
DATE1=`date +%Y-%m-%d --date="1 days ago"`
DATE2=`date +%Y-%m-%d --date="2 days ago"`
# stat file of the host; the backup script writes it as /BACKUP/stat/$HOST.stat
BACKUPPATH=/BACKUP/stat/$1.stat
if [ ! -f "$BACKUPPATH" ]; then
    echo "ERROR: Statfile not found!"
    exit $STATE_CRITICAL
fi
# the FS line has the form "FS <tar exit status> <date>"
LASTBK=`grep '^FS ' "$BACKUPPATH" | awk '{print $3}'`
STAT=`grep '^FS ' "$BACKUPPATH" | awk '{print $2}'`
#
# Here we set after how many days a missing backup counts as WARNING or ERROR status.
# Exit only on ERROR and WARNING, so that the next check can run.
#
case "$LASTBK" in
    $DATE)
    # the backup ran today
    ;;

    $DATE1)
    # the backup ran yesterday
    ;;

    $DATE2)
    # the backup ran the day before yesterday
    ;;
    *)
    echo "WARNING: Utolso mentes: $LASTBK"
    exit $STATE_WARNING
    ;;
esac

case "$STAT" in
    0)
    echo "OK: Utolso mentes: $LASTBK"
    exit $STATE_OK
    ;;
    1)
    # tar exit status 1: some files changed while they were being read
    echo "WARNING: Nyitott file-ok nem menthetoek"
    exit $STATE_WARNING
    ;;
    *)
    echo "ERROR: Nem tortent mentes!"
    exit $STATE_CRITICAL
    ;;
esac
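The check above reads only the FS line of the stat file, so a failed database dump (a non-zero DB line written by the backup script) goes unnoticed. The following helpers are an added example, not part of the original scripts; they evaluate a constructed stat file in the format the backup script produces and rate every component.

```shell
#!/bin/sh
# Added example, not from the original page: read the stat file the backup
# script writes ("FS <tar status> <date>" then one "DB <name> <status>" line
# per dump) and report every failed component, not only the FS line that the
# Nagios check looks at. The stat file content is constructed.

STATFILE=$(mktemp)
cat > "$STATFILE" <<'EOF'
FS 1 2024-05-01
DB shop 0
DB tmpdb 2
DB wiki 0
EOF

# failed_components FILE: one "KIND NAME" line per component whose status is not 0
failed_components() {
    awk '$1 == "FS" && $2 != 0 { print "FS " $3 }
         $1 == "DB" && $3 != 0 { print "DB " $2 }' "$1"
}

# backup_state FILE: 0 = OK, 1 = WARNING (tar exit 1: files changed while being
# read, the archive is still usable), 2 = CRITICAL (tar failed, no FS line, or
# any database dump failed, which a date-only check would report as OK)
backup_state() {
    fs=$(awk '$1 == "FS" { print $2 }' "$1")
    dbfail=$(awk '$1 == "DB" && $3 != 0' "$1" | wc -l | tr -d ' ')
    if [ -z "$fs" ] || [ "$fs" -gt 1 ] || [ "$dbfail" -gt 0 ]; then
        return 2
    elif [ "$fs" -eq 1 ]; then
        return 1
    fi
    return 0
}

failed_components "$STATFILE"
backup_state "$STATFILE"
echo "state: $?"
```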