

Merge pull request joglomedia#174 from joglomedia/2.x.x
- Update required dependencies
- Improve Nginx installation from source, update module version, improve config, etc
- Improve Nginx fastcgi cache purging rules
- Improve PHP multiple version installation
- Add `mariadb` init script
- CLI update: improve `lemper-cli` plugins
- CLI update: improve `mysql` command
- Update Fail2ban default version to 1.1.0
- Fix `certbot` renewal cronjob
joglomedia authored Aug 4, 2024
2 parents 0f28e99 + 43e3712 commit 8c74e82
Showing 35 changed files with 1,043 additions and 425 deletions.
11 changes: 6 additions & 5 deletions .env.dist
Expand Up @@ -136,10 +136,11 @@ NGX_HTTP_LUA=false
# LuaJIT2 version from here https://github.com/openresty/luajit2/tags
# Lua Resty Core version from here https://github.com/openresty/lua-resty-core
# Lua Resty LRU Cache version from here https://github.com/openresty/lua-resty-lrucache
LUA_JIT_VERSION="v2.1-20220111"
LUA_NGINX_MODULE_VERSION="v0.10.20"
LUA_RESTY_CORE_VERSION="v0.1.22"
LUA_RESTY_LRUCACHE_VERSION="v0.11"
LUA_JIT_VERSION="v2.1-20240626"
LUA_RESTY_CORE_VERSION="v0.1.28"
LUA_RESTY_LRUCACHE_VERSION="v0.13"
LUA_NGINX_MODULE_VERSION="v0.10.26"
LUA_NGINX_STREAM_MODULE_VERSION="master"

NGX_HTTP_PASSENGER=false
NGX_HTTP_REDIS2=false
Expand Down Expand Up @@ -351,4 +352,4 @@ INSTALL_FAIL2BAN=false

# Available installer: repo | source.
FAIL2BAN_INSTALLER="repo"
FAIL2BAN_VERSION="1.0.2"
FAIL2BAN_VERSION="1.1.0"
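Review bot: `LUA_NGINX_STREAM_MODULE_VERSION="master"` pins the newly added stream module to a moving branch while the four neighbouring Lua variables are pinned to release tags, so a source build of nginx is no longer reproducible and whatever sits on that branch at install time — including an upstream compromise or a breaking commit — gets compiled in. Pin it to a released tag like its siblings, and give it the same "version from here" pointer comment the other four variables carry so the next bump knows where to look. The stream module also has no matching entry in the `NGX_HTTP_LUA` comment block above it, so it is not obvious from the file which flag enables it.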
4 changes: 2 additions & 2 deletions .github/workflows/main.yml
Expand Up @@ -28,7 +28,7 @@ jobs:
sed -i "s/FORCE_REMOVE=false/FORCE_REMOVE=true/g" .env
sed -i "s/LEMPER_ADMIN_EMAIL=\"[email protected]\"/LEMPER_ADMIN_EMAIL=\"[email protected]\"/g" .env
sed -i "s/NGINX_INSTALLER=\"source\"/NGINX_INSTALLER=\"repo\"/g" .env
sed -i "s/NGX_PAGESPEED=false/NGINX_INSTALLER=true/g" .env
sed -i "s/NGX_PAGESPEED=true/NGX_PAGESPEED=false/g" .env
sed -i "s/INSTALL_PHP_LOADER=false/INSTALL_PHP_LOADER=true/g" .env
sed -i "s/PHP_LOADER=\"none\"/PHP_LOADER=\"ioncube\"/g" .env
sed -i "s/IMAGEMAGICK_INSTALLER=\"source\"/IMAGEMAGICK_INSTALLER=\"repo\"/g" .env
Expand Down Expand Up @@ -94,7 +94,7 @@ jobs:
sed -i "s/FORCE_REMOVE=false/FORCE_REMOVE=true/g" .env
sed -i "s/LEMPER_ADMIN_EMAIL=\"[email protected]\"/LEMPER_ADMIN_EMAIL=\"[email protected]\"/g" .env
sed -i "s/NGINX_INSTALLER=\"source\"/NGINX_INSTALLER=\"repo\"/g" .env
sed -i "s/NGX_PAGESPEED=false/NGINX_INSTALLER=true/g" .env
sed -i "s/NGX_PAGESPEED=true/NGX_PAGESPEED=false/g" .env
sed -i "s/INSTALL_PHP_LOADER=false/INSTALL_PHP_LOADER=true/g" .env
sed -i "s/PHP_LOADER=\"none\"/PHP_LOADER=\"ioncube\"/g" .env
sed -i "s/IMAGEMAGICK_INSTALLER=\"source\"/IMAGEMAGICK_INSTALLER=\"repo\"/g" .env
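Review bot: The corrected line `sed -i "s/NGX_PAGESPEED=true/NGX_PAGESPEED=false/g" .env` had to be fixed identically in two jobs, and the old line was silently rewriting `NGINX_INSTALLER` in both — the duplication is what let the bug live twice. Moving this run of `sed` calls into a single shell script or a shared step would keep the two jobs from drifting again. The substitutions are also unanchored, so each pattern matches anywhere on a line; anchoring them, e.g. `sed -i "s/^NGX_PAGESPEED=true/NGX_PAGESPEED=false/" .env`, limits each to its own key and drops the unneeded `/g`.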
9 changes: 6 additions & 3 deletions bin/lemper-cli.sh
Expand Up @@ -162,9 +162,12 @@ Usage: ${PROG_NAME} [--version] [--help]
<command> [<options>]
These are common ${PROG_NAME} commands used in various situations:
create Create new virtual host (add new domain to LEMPer stack).
db Wrapper for managing SQL database (MySQL and MariaDB).
manage Manage existing virtual host (enable, disable, delete, etc).
create Create new virtual host (add new domain to LEMPer stack).
add An aliases of 'create' sub command.
database Wrapper for managing SQL database (MySQL and MariaDB).
db An aliases of 'databases' sub command.
manage Manage existing virtual host (enable, disable, delete, etc).
mod An aliases of 'manage' sub command.
For help with each command run:
${PROG_NAME} <command> -h | --help
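Review bot: The new help text names a sub command that does not exist: `db` is described as "An aliases of 'databases' sub command", but the command listed directly above it (and the old `db` entry it replaces) is `database`, and "An aliases" should read "An alias". Suggested lines: `add  An alias of the 'create' sub command.`, `db  An alias of the 'database' sub command.`, `mod  An alias of the 'manage' sub command.` (keep the existing column alignment). The heredoc holding this usage text starts and ends outside the hunk, so the surrounding formatting cannot be checked here.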
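--- /dev/null
+++ b/etc/init.d/mariadb
@@ -0,0 +1,243 @@
+#!/bin/bash
+#
+### BEGIN INIT INFO
+# Provides: mariadb
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Should-Start: $network $named $time
+# Should-Stop: $network $named $time
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start and stop the mysql database server daemon
+# Description: Controls the main MariaDB database server daemon "mariadbd"
+# and its wrapper script "mysqld_safe".
+### END INIT INFO
+#
+set -e
+set -u
+${DEBIAN_SCRIPT_DEBUG:+ set -v -x}
+
+test -x /usr/sbin/mariadbd || exit 0
+
+. /lib/lsb/init-functions
+
+SELF=$(cd "$(dirname $0)"; pwd -P)/$(basename $0)
+
+if [ -f /usr/bin/mariadb-admin ]
+then
+MYADMIN="/usr/bin/mariadb-admin --defaults-file=/etc/mysql/debian.cnf"
+elif [ -f /usr/bin/mysqladmin ]
+then
+MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
+else
+log_failure_msg "Command mariadb-admin/mysqladmin not found! This SysV init script depends on it."
+exit -1
+fi
+
+if [ ! -x /usr/bin/mariadbd-safe ]
+then
+log_failure_msg "/usr/bin/mariadbd-safe not found or executable! This SysV init script depends on it."
+exit -1
+fi
+
+# priority can be overridden and "-s" adds output to stderr
+ERR_LOGGER="logger -p daemon.err -t /etc/init.d/mariadb -i"
+
+if [ -f /etc/default/mysql ]; then
+. /etc/default/mysql
+fi
+
+# Also source default/mariadb in case the installation was upgraded from
+# packages originally installed from MariaDB.org repositories, which have
+# had support for reading /etc/default/mariadb since March 2016.
+if [ -f /etc/default/mariadb ]; then
+. /etc/default/mariadb
+fi
+
+# Safeguard (relative paths, core dumps..)
+cd /
+umask 077
+
+# mysqladmin likes to read /root/.my.cnf. This is usually not what I want
+# as many admins e.g. only store a password without a username there and
+# so break my scripts.
+export HOME=/etc/mysql/
+
+## Fetch a particular option from mysql's invocation.
+#
+# Usage: void mariadbd_get_param option
+mariadbd_get_param() {
+/usr/sbin/mariadbd --print-defaults \
+| tr " " "\n" \
+| grep -- "--$1" \
+| tail -n 1 \
+| cut -d= -f2
+}
+
+## Do some sanity checks before even trying to start mariadbd.
+sanity_checks() {
+# check for config file
+if [ ! -r /etc/mysql/my.cnf ]; then
+log_warning_msg "$0: WARNING: /etc/mysql/my.cnf cannot be read. See README.Debian.gz"
+echo "WARNING: /etc/mysql/my.cnf cannot be read. See README.Debian.gz" | $ERR_LOGGER
+fi
+
+# check for diskspace shortage
+datadir=`mariadbd_get_param datadir`
+
+# If datadir location is not changed int configuration
+# then it's not printed with /usr/sbin/mariadbd --print-defaults
+# then we use 'sane' default.
+if [ -z "$datadir" ]
+then
+datadir="/var/lib/mysql"
+fi
+
+# Check if there datadir location is available and
+# fail if it's not
+if [ ! -d "$datadir" ]
+then
+log_failure_msg "$0: ERROR: Can't locate MariaDB installation location $datadir"
+echo "ERROR: Can't locate MariaDB installation location $datadir" | $ERR_LOGGER
+exit 1
+fi
+
+# As preset blocksize of GNU df is 1024 then available bytes is $df_available_blocks * 1024
+# 4096 blocks is then lower than 4 MB
+df_available_blocks="$(LC_ALL=C BLOCKSIZE='' df --output=avail "$datadir" | tail -n 1)"
+if [ "$df_available_blocks" -lt "4096" ]; then
+log_failure_msg "$0: ERROR: The partition with $datadir is too full!"
+echo "ERROR: The partition with $datadir is too full!" | $ERR_LOGGER
+exit 1
+fi
+}
+
+## Checks if there is a server running and if so if it is accessible.
+#
+# check_alive insists on a pingable server
+# check_dead also fails if there is a lost mariadbd in the process list
+#
+# Usage: boolean mariadbd_status [check_alive|check_dead] [warn|nowarn]
+mariadbd_status () {
+ping_output=`$MYADMIN ping 2>&1`; ping_alive=$(( ! $? ))
+
+ps_alive=0
+pidfile=`mariadbd_get_param pid-file`
+if [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1; then ps_alive=1; fi
+
+if [ "$1" = "check_alive" -a $ping_alive = 1 ] ||
+[ "$1" = "check_dead" -a $ping_alive = 0 -a $ps_alive = 0 ]; then
+return 0 # EXIT_SUCCESS
+else
+if [ "$2" = "warn" ]; then
+echo -e "$ps_alive processes alive and '$MYADMIN ping' resulted in\n$ping_output\n" | $ERR_LOGGER -p daemon.debug
+fi
+return 1 # EXIT_FAILURE
+fi
+}
+
+#
+# main()
+#
+
+case "${1:-''}" in
+
+'start')
+sanity_checks;
+# Start daemon
+log_daemon_msg "Starting MariaDB database server" "mariadbd"
+if mariadbd_status check_alive nowarn; then
+log_progress_msg "already running"
+log_end_msg 0
+else
+# Could be removed during boot
+test -e /run/mysqld || install -m 755 -o mysql -g root -d /run/mysqld
+
+# Start MariaDB!
+/usr/bin/mariadbd-safe "${@:2}" 2>&1 >/dev/null | $ERR_LOGGER &
+
+for i in $(seq 1 "${MYSQLD_STARTUP_TIMEOUT:-30}"); do
+sleep 1
+if mariadbd_status check_alive nowarn ; then break; fi
+log_progress_msg "."
+done
+if mariadbd_status check_alive warn; then
+log_end_msg 0
+# Now start mysqlcheck or whatever the admin wants.
+output=$(/etc/mysql/debian-start)
+if [ -n "$output" ]; then
+log_action_msg "$output"
+fi
+else
+log_end_msg 1
+log_failure_msg "Please take a look at the syslog"
+fi
+fi
+;;
+
+'stop')
+# * As a passwordless mysqladmin (e.g. via ~/.my.cnf) must be possible
+# at least for cron, we can rely on it here, too. (although we have
+# to specify it explicit as e.g. sudo environments points to the normal
+# users home and not /root)
+log_daemon_msg "Stopping MariaDB database server" "mariadbd"
+if ! mariadbd_status check_dead nowarn; then
+set +e
+shutdown_out=`$MYADMIN shutdown 2>&1`; r=$?
+set -e
+if [ "$r" -ne 0 ]; then
+log_end_msg 1
+[ "$VERBOSE" != "no" ] && log_failure_msg "Error: $shutdown_out"
+log_daemon_msg "Killing MariaDB database server by signal" "mariadbd"
+killall -15 mariadbd
+server_down=
+for i in `seq 1 600`; do
+sleep 1
+if mariadbd_status check_dead nowarn; then server_down=1; break; fi
+done
+if test -z "$server_down"; then killall -9 mariadbd; fi
+fi
+fi
+
+if ! mariadbd_status check_dead warn; then
+log_end_msg 1
+log_failure_msg "Please stop MariaDB manually and read /usr/share/doc/mariadb-server-10.6/README.Debian.gz!"
+exit -1
+else
+log_end_msg 0
+fi
+;;
+
+'restart')
+set +e; $SELF stop; set -e
+shift
+$SELF start "${@}"
+;;
+
+'reload'|'force-reload')
+log_daemon_msg "Reloading MariaDB database server" "mariadbd"
+$MYADMIN reload
+log_end_msg 0
+;;
+
+'status')
+if mariadbd_status check_alive nowarn; then
+log_action_msg "$($MYADMIN version)"
+else
+log_action_msg "MariaDB is stopped."
+exit 3
+fi
+;;
+
+'bootstrap')
+# Bootstrap the cluster, start the first node
+# that initiates the cluster
+log_daemon_msg "Bootstrapping the cluster" "mariadbd"
+$SELF start "${@:2}" --wsrep-new-cluster
+;;
+
+*)
+echo "Usage: $SELF start|stop|restart|reload|force-reload|status"
+exit 1
+;;
+esac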
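Review bot: The liveness check in mariadbd_status, `ps \`cat $pidfile\``, hands whatever the pid-file contains to ps unquoted and unvalidated; the file is written by the daemon rather than by root, so a stale, empty or multi-token pid-file becomes extra ps arguments and can yield a wrong "alive"/"dead" verdict that the stop path then acts on with `killall`. Read it into a variable and accept only digits before probing: `pid=$(cat "$pidfile" 2>/dev/null || true)` followed by `if [[ "$pid" =~ ^[0-9]+$ ]] && kill -0 "$pid" 2>/dev/null; then ps_alive=1; fi`. The three `exit -1` calls are not a valid exit status (the shell reports 255); `exit 1` matches the other failure paths in the file. The usage message in the `*)` arm also omits the `bootstrap` action the case statement handles, and the "read /usr/share/doc/mariadb-server-10.6/README.Debian.gz" hint hard-codes a package version that a source or repo install on this stack may not have.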
18 changes: 12 additions & 6 deletions etc/nginx/fastcgi_cache
@@ -1,29 +1,34 @@
## Include this file if you want to use fastcgi_cache across many sites.
# Designed to be included in /etc/nginx/nginx.conf http {} block.

fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=LEMPERCACHE:200m max_size=10g inactive=2h;
# TODO: move fastcgi_cache_path to fastcgi_cache_path.config (for multi vhost cache path key).
#fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=LEMPERCACHE:100m max_size=1g inactive=60m use_temp_path=off;
include /etc/nginx/includes/fastcgi_cache_path.conf;

fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_revalidate on;
fastcgi_cache_background_update on;
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;

# FastCGI Log Format
log_format cache '$remote_addr - $upstream_cache_status [$time_local] '
# FastCGI Log Format.
log_format lp_cache '$remote_addr - X-FastCGI-Cache $upstream_cache_status [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';


## Initialize default caching conditions. ##

# Purge cache for request method.
# Ref: https://github.com/nginx-modules/ngx_cache_purge?tab=readme-ov-file#uwsgi_cache_purge
map $request_method $purge_method {
default 0;
PURGE 1;
default off;
PURGE on;
}

# Skip caching for request method.
map $request_method $skip_cache {
default 0;
POST 1;
PURGE 1;
}

# Skip caching for mobile device.
Expand All @@ -39,4 +44,5 @@ map $http_user_agent $is_mobile {
map $request_method $cache_uri {
default $request_uri;
POST "null cache";
PURGE "null cache";
}
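Review bot: The new `$purge_method` map turns PURGE on for every client, and the `fastcgi_cache_purge $purge_method;` that consumes it (added to includes/fastcgi_cache.conf in this same commit) has no source restriction, so unless a vhost wraps that location in `allow`/`deny` — not visible in this diff — any remote host can evict cache entries at will and force origin hits. The module README's pattern gates the method on the client address: `map $remote_addr $purge_allowed { default 0; 127.0.0.1 1; }` and then `map $request_method $purge_method { default 0; PURGE $purge_allowed; }`. The upstream example also uses `0`/`1` for the variable form; confirm the module treats `on`/`off` inside a variable the same way before keeping that change. Separately, the unchanged key `$scheme$request_method$host$request_uri` folds the method into the key, so a PURGE request is keyed as "PURGE…" and cannot match the "GET…" entry it is meant to evict; unless vhosts override `fastcgi_cache_key`, drop `$request_method` from it.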
6 changes: 3 additions & 3 deletions etc/nginx/includes/fastcgi.conf
Expand Up @@ -3,9 +3,9 @@

fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 120s;
fastcgi_send_timeout 120s;
fastcgi_read_timeout 120s;
fastcgi_connect_timeout 300s;
fastcgi_send_timeout 300s;
fastcgi_read_timeout 300s;
fastcgi_buffer_size 128k;
fastcgi_buffers 128 128k;
fastcgi_busy_buffers_size 128k;
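Review bot: Raising `fastcgi_read_timeout` and `fastcgi_send_timeout` to 300s means a stalled PHP request now pins an nginx connection and a PHP-FPM child for five minutes instead of two, which widens the window in which a slow client or a hung upstream can exhaust the FPM pool for every site using this include. If the bump is for a few long-running endpoints, keep the shared include at `120s` and set `fastcgi_read_timeout 300s;` only in those locations. `fastcgi_connect_timeout 300s` is largely a no-op: nginx documents that this timeout usually cannot exceed 75 seconds, so the change suggests more than it delivers.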
22 changes: 13 additions & 9 deletions etc/nginx/includes/fastcgi_cache.conf
@@ -1,11 +1,14 @@
## FastCGI cache.
# Designed to be included in any http, server, location block.
# Designed to be included in any server, location block.

# TODO: move fastcgi_cache to vhost config directly (for multi vhost cache path key).
fastcgi_cache LEMPERCACHE;
fastcgi_cache_valid 200 301 302 2h;
fastcgi_cache_valid 404 1m;
fastcgi_cache_valid any 2h;
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;

fastcgi_cache_background_update on;
fastcgi_cache_valid 200 60m;
fastcgi_cache_valid 301 302 10m;
#fastcgi_cache_valid 404 10m;
fastcgi_cache_valid any 60m;
fastcgi_cache_min_uses 1;
fastcgi_cache_lock on;

Expand All @@ -14,14 +17,15 @@ fastcgi_cache_bypass $http_pragma $http_authorization;
fastcgi_no_cache $skip_cache $is_mobile;
fastcgi_no_cache $http_pragma $http_authorization;

# Ref: https://github.com/nginx-modules/ngx_cache_purge?tab=readme-ov-file#uwsgi_cache_purge
fastcgi_cache_purge $purge_method;

# Ignore header (Added Pragma, crosscheck first)
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

# Header status
add_header X-FastCGI-Cache $upstream_cache_status;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie X-Accel-Expires Vary;

# Designed to be used with Nginx Cache Controller WP plugin
#fastcgi_pass_header "X-Accel-Redirect";
#fastcgi_pass_header "X-Accel-Expires";

# Header status
add_header X-FastCGI-Cache $upstream_cache_status;
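Review bot: `fastcgi_ignore_headers Cache-Control Expires Set-Cookie X-Accel-Expires Vary;` now also discards `Vary` while still ignoring `Set-Cookie`, so a response that sets a session cookie or varies on Cookie/Accept-Encoding is stored once and replayed to every later visitor of that URL; the visible `$skip_cache` map keys only on request method and `fastcgi_no_cache` checks only Pragma and Authorization, so nothing shown here excludes logged-in or cookie-bearing traffic. Unless a vhost extends `$skip_cache` on `$http_cookie` (not visible in this diff), the safer include is `fastcgi_ignore_headers Cache-Control Expires X-Accel-Expires;`. Ignoring `X-Accel-Expires` also removes the one mechanism the commented-out `fastcgi_pass_header` lines suggest the application uses to control TTLs, so that entry should be justified in a comment or dropped. `fastcgi_cache_valid any 60m` additionally caches every other status, including 5xx, for an hour; restricting it to `fastcgi_cache_valid 200 60m;` plus the 301/302 line avoids pinning transient errors.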
