#!/bin/sh -eux
db="$1"
-user="$2"
-sudo -u mysql mysql --batch <<-EOF
- DROP DATABASE IF EXISTS $db;
- CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci;
- GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;
- FLUSH PRIVILEGES;
+user="${2:-$1}"
+sudo -u mysql mysql --batch --verbose <<-EOF
+ CALL mysql.create_database('$db', '$user', 'localhost');
EOF
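Review bot: `$db` and `$user` are spliced into the SQL string of the `CALL` unvalidated, so an argument containing `'` ends the literal and the rest runs as SQL under the `mysql` account, which the setup script gives SUPER and GRANT; `set -e` offers no protection here. The callers visible in this change pass fixed `php5_$pool` names, but the script is a general tool, so reject anything outside an identifier alphabet before the heredoc: `case "$db$user" in ''|*[!A-Za-z0-9_]*) echo "invalid name" >&2; exit 1;; esac`. The sibling createuser script interpolates `$user` the same way and wants the same guard.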
#!/bin/sh -eux
user="$1"
-sudo -u mysql mysql -u mysql --verbose --batch <<-EOF
+sudo -u mysql mysql -u mysql --batch --verbose <<-EOF
CALL mysql.create_user('$user', 'localhost');
EOF
sudo adduser "$user" mysql-data
[client]
-local-infile = 0
+#local-infile = 0
port = 3306
socket = /run/mysqld/sock/mysql
[mysqld_safe]
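Review bot: Commenting out `local-infile = 0` hands the choice back to the client build's default, and on older MySQL/MariaDB clients that default is on, so every tool reading this `[client]` section will honour a server-side `LOAD DATA LOCAL` request and upload any file the invoking user can read. Nothing in this change shows a script that needs LOCAL INFILE, so either keep the `0` or record the reason it was dropped, e.g. `# local-infile: left at client default because <script> needs LOAD DATA LOCAL`. If a single script needs it, prefer enabling it per invocation with `mysql --local-infile=1` and leaving the file at `0`.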
## DOC: http://wiki.nginx.org/HttpFastcgiModule
fastcgi_buffer_size 128k;
-fastcgi_buffers 4 256k;
+fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_connect_timeout 60;
fastcgi_ignore_client_abort off;
fastcgi_intercept_errors on;
+fastcgi_max_temp_file_size 2M;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_read_timeout 180;
fastcgi_send_timeout 180;
fastcgi_temp_file_write_size 256k;
+
+# vim: ft=sh
default_type application/octet-stream;
error_log /var/log/nginx/error.log warn;
error_page 403 = 404;
- fastcgi_cache_key "$request_method $scheme://$host$request_uri";
+ fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
fastcgi_cache_path /run/shm/cache/nginx/fastcgi
+ inactive=10m
+ keys_zone=microcache:2M
levels=1:2
- keys_zone=microcache:10m
- inactive=5m
- max_size=64m;
- fastcgi_cache microcache;
+ loader_files=100000
+ loader_sleep=1
+ loader_threshold=2592000000
+ max_size=64M;
+ fastcgi_temp_path /run/shm/tmp/nginx/ 1 2;
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 6;
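Review bot: Keying the cache on `$http_host` uses the raw `Host` header, so `example.org`, `example.org:80` and `EXAMPLE.ORG` each get a separate entry for the same resource; a client can multiply entries in a 2M/64M zone at will, and if the upstream echoes the host into links or redirects, a poisoned variant is served to everyone sending that exact header. `$host` is the normalised form (lowercased, port stripped, falling back to `server_name` when the header is missing) and still separates virtual hosts, so unless the port must be part of the key the previous `fastcgi_cache_key "$request_method $scheme://$host$request_uri";` is the safer choice. Separately, `fastcgi_temp_path` and the cache now sit on `/run/shm`: `max_size=64M` bounds the cache, but the temp directory is limited only per request by `fastcgi_max_temp_file_size`, so whether that tmpfs is mounted with a `size=` limit is worth confirming.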
# This is useful for prepending headers before calling sendfile,
# or for throughput optimization.
types_hash_max_size 2048;
+ ## Add here all user agents that are to be blocked.
+ map $http_user_agent $bad_bot {
+ default 0;
+ libwww-perl 1;
+ ~(?i)(httrack|htmlparser|libwww) 1;
+ }
+ ## Add here all referrers that are to blocked.
+ #map $http_referer $bad_referer {
+ # default 0;
+ # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
+ # }
+ geo $not_local {
+ default 1;
+ 127.0.0.1 0;
+ }
+ include /etc/nginx/site.d/*/http.conf;
include /etc/nginx/site.d/*/server.conf;
}
pid /run/nginx.pid;
fastcgi_cache_valid 200 10s;
fastcgi_cache_valid 404 30m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_max_temp_file_size 2M;
fastcgi_no_cache $no_cache;
fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
fastcgi_param PATH_INFO $uri;
-sudo adduser lhc_quest__php5 www-"$site"
+pool=lhc_quest
+sudo adduser php5_"$pool" www-"$site"
sudo adduser www-"$site"-tls www-"$site"
-~mysql/bin/createuser lhc_quest__php5
-
+~mysql/bin/createuser php5_"$pool"
+~mysql/bin/createdb php5_"$pool"
fastcgi_cache_valid 404 10m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_index index.php;
- fastcgi_max_temp_file_size 2M;
fastcgi_no_cache $no_cache;
fastcgi_param REDIRECT_STATUS 200;
# NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
include /etc/nginx/conf.d/ssl.conf;
ssl_certificate /etc/nginx/x509.d/lhc-stats-tls/crt.pem;
ssl_certificate_key /etc/nginx/x509.d/lhc-stats-tls/key.pem;
+
+location = /index.php {
+ ## Relay all index.php requests to fastcgi.
+ include /etc/nginx/conf.d/fastcgi.conf;
+ add_header X-Piwik-Cache $upstream_cache_status;
+ expires epoch;
+ fastcgi_cache microcache;
+ fastcgi_cache_bypass $no_cache;
+ fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+ fastcgi_cache_valid 200 301 5m;
+ fastcgi_cache_valid 302 3m;
+ fastcgi_cache_valid 404 1m;
+ fastcgi_ignore_headers Cache-Control Expires;
+ fastcgi_index index.php;
+ fastcgi_no_cache $no_cache;
+ fastcgi_param REDIRECT_STATUS 200;
+
+ fastcgi_pass php5_fpm_lhc_stats;
+ }
+
+# vim: ft=sh
-sudo adduser lhc_stats__php5 www-"$site"
+pool=lhc_stats
+sudo adduser php5_"$pool" www-"$site"
sudo adduser www-"$site"-tls www-"$site"
-~mysql/bin/createuser lhc_stats__php5
-
+~mysql/bin/createuser php5_"$pool"
+~mysql/bin/createdb php5_"$pool"
--- /dev/null
+upstream php5_fpm_lhc_stats {
+ server unix:/run/php5/fpm/lhc_stats;
+ }
+
+map $request_method $no_cache {
+ # NOTE: if non GET/HEAD, don't cache.
+ default 1;
+ HEAD 0;
+ GET 0;
+ }
+map $arg_module $no_cache {
+ ## When we go through installation
+ ## or when we're on the dashboard for specific tasks.
+ Installation 1; # when invoking the installation module.
+ ~[^\&]*(?:Dashboard|Live|Goals|Admin|Manager) 1; # some tasks
+ }
+map $arg_action $no_cache {
+ ## The first installation steps don't invoke the installation module.
+ systemCheck 1;
+ databaseSetup 1;
+ }
+map $http_cookie $no_cache {
+ ## Testing for the session cookie being present.
+ ## If there is then no caching is to be done.
+ ~PIWIK_SESSID 1; # Piwik session cookie
+ }
+
+# vim: ft=sh
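Review bot: Only the last of the four `map … $no_cache` blocks takes effect: nginx lets `map` redefine an existing variable and each redefinition replaces the previous handler, so once this file is loaded `$no_cache` is driven solely by the `$http_cookie` test and the request-method, `$arg_module` and `$arg_action` rules are silently dropped (a Dashboard, Admin or Installation page fetched without the session cookie is then cacheable for up to 5 m under `location = /index.php`). Give each condition its own variable and fold them in a final map, as below; the per-map `default` values are needed so the combined key is always four characters.
```nginx
map $request_method $no_cache_method {
    default 1;
    HEAD 0;
    GET 0;
    }
map $arg_module $no_cache_module {
    default 0;
    Installation 1;
    ~[^\&]*(?:Dashboard|Live|Goals|Admin|Manager) 1;
    }
map $arg_action $no_cache_action {
    default 0;
    systemCheck 1;
    databaseSetup 1;
    }
map $http_cookie $no_cache_cookie {
    default 0;
    ~PIWIK_SESSID 1;
    }
## Cache only when every individual test says so.
map "$no_cache_method$no_cache_module$no_cache_action$no_cache_cookie" $no_cache {
    default 1;
    "0000" 0;
    }
```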
listen 80;
+
+location = /index.php {
+ return 302 "https://$http_host/index.php";
+ }
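Review bot: `return 302 "https://$http_host/index.php"` builds the target from the client's `Host` header and discards the query string: if this port-80 server is the default or a catch-all, any `Host:` value turns it into an open redirect to an arbitrary site, and Piwik's `?module=…&action=…` parameters are lost across the hop. Redirect with the configured name and the original request: `return 302 https://$server_name$request_uri;` (use `$host` instead when several `server_name` entries must be preserved; it is still header-derived but normalised and limited to the names this server matches). Whether this block is the default server is not visible here.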
client_body_buffer_size 8k;
client_max_body_size 10m;
-location / {
- index index.html index.htm index.php;
+
+if ($bad_bot) {
+ return 444;
}
-location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
- access_log off;
- expires 30d;
- log_not_found off;
+#if ($bad_referer) {
+# return 444;
+# }
+
+#location ~ /\. {
+# access_log off;
+# deny all;
+# log_not_found off;
+# }
+location ~* ^.+\.(?:css|gif|jpe?g|js|png|swf)$ {
+ ## Defining the valid referers.
+ ## Disallow any usage of piwik assets if referer is non valid.
+ valid_referers none blocked
+ *.cyclocoop.org
+ *.heureux-cyclage.org
+ *.ptitvelo.net
+ *.velosenville.org;
+ if ($invalid_referer) {
+ return 444;
+ }
+
+ expires max;
+ # NOTE: Static files use the OS buffer cache.
+ open_file_cache max=500 inactive=120s;
+ open_file_cache_errors off;
+ open_file_cache_min_uses 2;
+ open_file_cache_valid 45s;
+ tcp_nodelay off;
+ }
+location = /favicon.ico {
+ ## Support for favicon. Return a 204 (No Content) if the favicon doesn't exist.
+ try_files /favicon.ico =204;
}
-location ~ /\. {
- access_log off;
- deny all;
- log_not_found off;
+location / {
+ ## Try all locations and relay to index.php as a fallback.
+ try_files $uri /index.php?$query_string;
}
-location ~ \.php$ {
+location = /piwik.php {
+ ## Relay all piwik.php requests to fastcgi.
include /etc/nginx/conf.d/fastcgi.conf;
- set $no_cache "0";
- if ($request_method !~ ^(GET|HEAD)$) {
- # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
- set $no_cache "1";
- }
- if ($no_cache = "1") {
- # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
- add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
- add_header X-Microcachable "0";
- }
- if ($http_cookie ~* "_mcnc") {
- # NOTE: bypass cache if no-cache cookie is set
- set $no_cache "1";
- }
+ add_header X-Piwik-Long-Cache $upstream_cache_status;
+ expires epoch;
+ fastcgi_cache microcache;
fastcgi_cache_bypass $no_cache;
- fastcgi_cache_use_stale updating;
- fastcgi_cache_valid 200 10s;
+ fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+ fastcgi_cache_valid 200 301 2h;
+ fastcgi_cache_valid 302 30m;
fastcgi_cache_valid 404 10m;
- fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_index index.php;
- fastcgi_max_temp_file_size 2M;
+ fastcgi_ignore_headers Cache-Control Expires;
fastcgi_no_cache $no_cache;
fastcgi_param REDIRECT_STATUS 200;
- # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
- fastcgi_pass_header Cookie;
- fastcgi_pass_header Set-Cookie;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:/run/php5/fpm/lhc_stats;
+ fastcgi_pass php5_fpm_lhc_stats;
+ }
+location ~* ^.+\.php$ {
+ ## Any other attempt to access PHP files redirects to the root.
+ return 302 /;
+ }
+location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
+ ## Redirect to the root if attempting to access a txt file.
+ return 302 /;
+ }
+location ~* \.(?:bat|html?|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
+ ## Disallow access to several helper files.
+ return 404;
+ }
+location = /robots.txt {
+ ## No crawling of this site for bots that obey robots.txt.
+ return 200 "User-agent: *\nDisallow: /\n";
}
# vim: ft=sh
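Review bot: With the `location ~ /\.` block commented out, hidden paths fall through to `location /` and `try_files $uri …` serves them from the docroot when they exist: the helper-file rule `\.(…|git|…|svn[^.]*|…)$` only catches names that end in `.git` or `.svn…` with no further dot, so `/.git/HEAD`, `/.git/config`, `/.svn/wc.db` and `/.htaccess` are served verbatim if the docroot is a VCS checkout or carries Apache leftovers. Re-enable the deny ahead of the other regex locations, since the first matching regex wins: `location ~ /\. { return 404; }`. The narrowed static-asset regex (no more `ico|html|txt|xml`) looks deliberate given the 404 rule for `html?|txt|xml`, but a one-line comment saying so would save the next reader the diff archaeology.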
-sudo adduser lhc_www__php5 www-"$site"
+sudo adduser php5_lhc_www www-"$site"
sudo adduser www-"$site"-tls www-"$site"
fastcgi_cache_valid 404 10m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_index index.php;
- fastcgi_max_temp_file_size 2M;
fastcgi_no_cache $no_cache;
fastcgi_param REDIRECT_STATUS 200;
# NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_cache_valid 200 10s;
fastcgi_cache_valid 404 30m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_max_temp_file_size 2M;
fastcgi_no_cache $no_cache;
fastcgi_param SCRIPT_NAME '';
fastcgi_param SERVER_NAME $host;
# DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
sudo mysql -u root --batch --verbose <<-EOF
DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
+
DROP PROCEDURE IF EXISTS mysql.create_user_mysql;
DELIMITER //
CREATE PROCEDURE mysql.create_user_mysql ()
UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
DELETE FROM mysql.db WHERE user = '';
DELETE FROM mysql.user WHERE user = '';
+
DROP PROCEDURE IF EXISTS mysql.create_user;
CREATE PROCEDURE mysql.create_user (username VARCHAR(16), hostname VARCHAR(60))
- BEGIN
- IF NOT (EXISTS (SELECT User
- FROM mysql.user
- WHERE User = username
- AND Host = hostname
- LIMIT 1))
- THEN
- SET @QUERY = CONCAT("CREATE USER ", username, "@", hostname, " IDENTIFIED WITH auth_socket");
- PREPARE stmt FROM @QUERY;
- EXECUTE stmt;
- END IF;
- END;
+ BEGIN
+ IF NOT (EXISTS (SELECT User
+ FROM mysql.user
+ WHERE User = username
+ AND Host = hostname
+ LIMIT 1))
+ THEN
+ SET @QUERY = CONCAT("CREATE USER ", username, "@", hostname, " IDENTIFIED WITH auth_socket");
+ PREPARE stmt FROM @QUERY;
+ EXECUTE stmt;
+ END IF;
+ END;
+ //
+
+ DROP PROCEDURE IF EXISTS mysql.create_database;
+ CREATE PROCEDURE mysql.create_database (dbname VARCHAR(16), username VARCHAR(16), hostname VARCHAR(60))
+ BEGIN
+ IF NOT (EXISTS (SELECT SCHEMA_NAME
+ FROM INFORMATION_SCHEMA.SCHEMATA
+ WHERE SCHEMA_NAME = dbname
+ LIMIT 1))
+ THEN
+ SET @QUERY = CONCAT("CREATE DATABASE ", dbname, " CHARACTER SET utf8 COLLATE utf8_general_ci");
+ PREPARE stmt FROM @QUERY;
+ EXECUTE stmt;
+ END IF;
+ SET @QUERY = CONCAT("GRANT ALL PRIVILEGES ON ", dbname, ".* TO ", username, "@", hostname);
+ PREPARE stmt FROM @QUERY;
+ EXECUTE stmt;
+ END;
//
+
FLUSH PRIVILEGES;
EOF
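Review bot: `mysql.create_database` and `mysql.create_user` build their statements with `CONCAT` and unquoted arguments, so a `dbname`, `username` or `hostname` containing a backtick, quote, space or `;` changes the statement that `PREPARE`/`EXECUTE` runs with root's privileges; the existence check does not help because the `GRANT` is unconditional, and `dbname VARCHAR(16)` silently truncates longer names (database names may be 64 characters) so a grant can land on a different schema than the one requested. Backtick-quote the identifier and `QUOTE()` the account parts, as below, and apply the same change in `create_user`: `SET @QUERY = CONCAT("CREATE USER ", QUOTE(username), "@", QUOTE(hostname), " IDENTIFIED WITH auth_socket");`. Note also that a call with an existing name such as `mysql` hands that schema to the user; refusing when `SCHEMA_NAME` already exists, or restricting names to a fixed prefix, may be the intended policy.
```sql
DROP PROCEDURE IF EXISTS mysql.create_database;
CREATE PROCEDURE mysql.create_database (dbname VARCHAR(64), username VARCHAR(16), hostname VARCHAR(60))
	BEGIN
	-- Backtick-quote the identifier and QUOTE() the account parts so an
	-- argument containing ` ' ; or whitespace cannot alter the statement.
	SET @DBNAME = CONCAT("`", REPLACE(dbname, "`", "``"), "`");
	SET @ACCOUNT = CONCAT(QUOTE(username), "@", QUOTE(hostname));
	-- … unchanged: IF NOT (EXISTS (SELECT SCHEMA_NAME … WHERE SCHEMA_NAME = dbname …)) THEN
		SET @QUERY = CONCAT("CREATE DATABASE ", @DBNAME, " CHARACTER SET utf8 COLLATE utf8_general_ci");
		PREPARE stmt FROM @QUERY;
		EXECUTE stmt;
		DEALLOCATE PREPARE stmt;
	END IF;
	SET @QUERY = CONCAT("GRANT ALL PRIVILEGES ON ", @DBNAME, ".* TO ", @ACCOUNT);
	PREPARE stmt FROM @QUERY;
	EXECUTE stmt;
	DEALLOCATE PREPARE stmt;
	END;
//
```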
/etc/nginx/site.d/"$site"
sudo install -d -m 770 -o www -g www \
/etc/nginx/x509.d/"$site"
- test -L /home/www/pub/"$site" ||
+ sudo test -L /home/www/pub/"$site" ||
sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
/home/www/pub/"$site"
sudo adduser www-data www-"$site"
sudo adduser www-data log-www-"$site"
sudo install -m 660 -o www -g www \
"$tool"/etc/nginx/site.d/"$site"/local.conf \
- /etc/nginx/site.d/"$site"/local.inc
+ /etc/nginx/site.d/"$site"/local.conf
+ test ! -e "$tool"/etc/nginx/site.d/"$site"/http.conf ||
sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/site.d/"$site"/site.conf \
- /etc/nginx/site.d/"$site"/site.inc
+ "$tool"/etc/nginx/site.d/"$site"/http.conf \
+ /etc/nginx/site.d/"$site"/http.conf
+ if test -L "$tool"/etc/nginx/site.d/"$site"/site.conf
+ then
+ sudo cp --force --preserve=links --no-dereference \
+ "$tool"/etc/nginx/site.d/"$site"/site.conf \
+ /etc/nginx/site.d/"$site"/site.conf
+ else
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/site.conf \
+ /etc/nginx/site.d/"$site"/site.conf
+ fi
sudo install -m 660 -o www -g www /dev/stdin \
/etc/nginx/site.d/"$site"/server.conf <<-EOF
server {
- access_log /home/www/log/$site/nginx/access.log main;
- error_log /home/www/log/$site/nginx/error.log warn;
- root /home/www/pub/$site;
- include /etc/nginx/site.d/$site/local.inc;
- include /etc/nginx/site.d/$site/site.inc;
+ access_log /home/www/log/$site/nginx/access.log main;
+ error_log /home/www/log/$site/nginx/error.log warn;
+ root /home/www/pub/$site;
+ include /etc/nginx/site.d/$site/local.conf;
+ include /etc/nginx/site.d/$site/site.conf;
}
EOF
(
/run/nginx/fastcgi \
/run/shm/cache/nginx \
/run/shm/cache/nginx/fastcgi \
- /run/shm/cache/nginx/client_body
+ /run/shm/cache/nginx/client_body \
+ /run/shm/tmp/nginx
exec /usr/sbin/nginx \
-c /etc/nginx/nginx.conf \
-false ${@:+$(printf -- '-or -name %s.conf\n' "$@")} \
-printf '%f\n')
do pool=${pool%\.conf}
- rule adduser "$pool"__php5 \
+ rule adduser php5_"$pool" \
--disabled-login \
--disabled-password \
--group \
env[TEMP] = /tmp
env[TMPDIR] = /tmp
env[TMP] = /tmp
- group = ${pool}__php5
+ group = php5_$pool
#listen = 127.0.0.1:9000
listen = /run/php5/fpm/$pool
#listen.allowed_clients = 127.0.0.1
rlimit_core = unlimited
rlimit_files = 131072
slowlog = /home/www/log/php5/fpm/$pool/slow.log
- user = ${pool}__php5
+ user = php5_$pool
$(cat "$tool"/etc/php5/fpm/pool.d/"$pool".conf)
EOF
done