
github.com/nextcloud/vm.git - Unnamed repository; edit this file 'description' to name the repository.
path: root/old
authorDaniel Hansson <github@hanssonit.se>2020-04-21 23:31:21 +0300
committerGitHub <noreply@github.com>2020-04-21 23:31:21 +0300
commit20812cdb6f514e6651ad02c3c8a474d7ad112cdd (patch)
tree368ad61236e601d9eb925520fae1eb6c3eaf33cb /old
parentc095e5733f1bfe680d39bebc25232a81b7497518 (diff)
20.04 (#1176)
Diffstat (limited to 'old')
-rw-r--r--old/modsecurity.sh98
-rw-r--r--old/ntpdate.sh23
-rw-r--r--old/spreedme.sh128
3 files changed, 249 insertions, 0 deletions
diff --git a/old/modsecurity.sh b/old/modsecurity.sh
new file mode 100644
index 00000000..31ec00a0
--- /dev/null
+++ b/old/modsecurity.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Installing ModSecurity..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Add modsecurity
+apt update -q4 & spinner_loading
+install_if_not libapache2-mod-security2
+install_if_not modsecurity-crs
+mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
+
+msg_box "WARNING WARNING WARNING WARNING WARNING WARNING:
+
+Do not enable active defence if you don't know what you're doing!
+It will break OnlyOffice, and it may break other stuff as well in Nextcloud as it's
+blocking access to files automatically.
+
+You can monitor the audit log by typing this command in your shell:
+tail -f /var/log/apache2/modsec_audit.log
+
+You can disable it by typing this command in your shell:
+sed -i 's/SecRuleEngine .*/SecRuleEngine DetectionOnly/g' /etc/modsecurity/modsecurity.conf
+
+YOU HAVE BEEN WARNED."
+if [[ "yes" == $(ask_yes_or_no "Do you want to enable active defence?") ]]
+then
+ sed -i 's|SecRuleEngine .*|SecRuleEngine on|g' /etc/modsecurity/modsecurity.conf
+fi
+
+cat << MODSECWHITE > "/etc/modsecurity/whitelist.conf"
+<Directory $NCPATH>
+# VIDEOS
+ SecRuleRemoveById 958291 # Range Header Checks
+ SecRuleRemoveById 981203 # Correlated Attack Attempt
+
+ # PDF
+ SecRuleRemoveById 950109 # Check URL encodings
+
+ # ADMIN (webdav)
+ SecRuleRemoveById 960024 # Repeatative Non-Word Chars (heuristic)
+ SecRuleRemoveById 981173 # SQL Injection Character Anomaly Usage
+ SecRuleRemoveById 981204 # Correlated Attack Attempt
+ SecRuleRemoveById 981243 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981245 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981246 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981318 # String Termination/Statement Ending Injection Testing
+ SecRuleRemoveById 973332 # XSS Filters from IE
+ SecRuleRemoveById 973338 # XSS Filters - Category 3
+ SecRuleRemoveById 981143 # CSRF Protections ( TODO edit LocationMatch filter )
+
+ # COMING BACK FROM OLD SESSION
+ SecRuleRemoveById 970903 # Microsoft Office document properties leakage
+
+ # NOTES APP
+ SecRuleRemoveById 981401 # Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff'
+ SecRuleRemoveById 200002 # Failed to parse request body
+
+ # UPLOADS ( 20 MB max excluding file size )
+ SecRequestBodyNoFilesLimit 20971520
+
+ # GENERAL
+ SecRuleRemoveById 960017 # Host header is a numeric IP address
+
+ # SAMEORIGN
+ SecRuleRemoveById 911100 # fpm socket
+
+ # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
+ #SecRuleRemoveById 981220 900046 981407
+ #SecRuleRemoveById 981222 981405 981185 981184
+</Directory>
+MODSECWHITE
+
+# Don't log in Apache2 error.log, only in a seperate log (/var/log/apache2/modsec_audit.log)
+check_command sed -i 's|SecDefaultAction "phase:1,log,auditlog,pass"|# SecDefaultAction "phase:1,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|SecDefaultAction "phase:2,log,auditlog,pass"|# SecDefaultAction "phase:2,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:1,nolog,auditlog,pass"|SecDefaultAction "phase:1,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:2,nolog,auditlog,pass"|SecDefaultAction "phase:2,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+
+if [ -f /etc/modsecurity/whitelist.conf ]
+then
+ print_text_in_color "$IGreen" "ModSecurity activated!"
+ restart_webserver
+fi
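Review bot: The helper library is downloaded and sourced in one step at `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)`, so whatever the mutable `master` branch serves at run time executes with this script's privileges. A failed download also goes unnoticed, because `-s` silences curl and nothing checks the result. Part of this file would still run in that case: the heredoc would write `<Directory >` with an empty `$NCPATH`, and the final `[ -f /etc/modsecurity/whitelist.conf ]` test would still pass. I would download to a temporary file with `curl -fsSL`, abort if that fails, and source a copy pinned to a tag or commit, ideally checked against a known checksum. The same sourcing line appears in old/ntpdate.sh and old/spreedme.sh in this commit.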
diff --git a/old/ntpdate.sh b/old/ntpdate.sh
new file mode 100644
index 00000000..43645ef3
--- /dev/null
+++ b/old/ntpdate.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+if network_ok
+then
+ if is_this_installed ntpdate
+ then
+ ntpdate -s 1.se.pool.ntp.org
+ fi
+fi
+exit
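Review bot: There is no privilege check before `ntpdate -s 1.se.pool.ntp.org`, although setting the system clock needs root and the other two scripts added in this commit call `root_check` or `is_root` near the top. Run unprivileged, the sync fails and `-s` diverts the error to syslog instead of the terminal, so an interactive caller sees nothing. I would add `root_check` right after `debug_mode`, as old/modsecurity.sh does.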
diff --git a/old/spreedme.sh b/old/spreedme.sh
new file mode 100644
index 00000000..2d4ffde2
--- /dev/null
+++ b/old/spreedme.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+print_text_in_color "$ICyan" "Installing Spreed.ME..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+if ! is_root
+then
+ printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${ICyan}sudo ${Color_Off}bash %s/nextcloud_install_production.sh\n" "$SCRIPTS"
+ exit 1
+fi
+
+# Check if Nextcloud exists
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Install if missing
+install_if_not apache2
+install_if_not snapd
+
+# Install Nextcloud Spreed.ME Snap
+if [ -d "$SNAPDIR" ]
+then
+ print_text_in_color "$ICyan" "Spreed.ME Snap already seems to be installed and will now be re-installed..."
+ snap remove spreedme
+ rm -rf "$SNAPDIR"
+ snap install --edge spreedme
+else
+ snap install --edge spreedme
+fi
+
+# Install and activate the Spreed.ME app
+if [ -d "$NC_APPS_PATH/spreedme" ]
+then
+ # Remove
+ occ_command app:disable spreedme
+ print_text_in_color "$ICyan" "Spreed.ME app already seems to be installed and will now be re-installed..."
+ rm -R "$NC_APPS_PATH/spreedme"
+ # Reinstall
+ occ_command app:install spreedme
+else
+ occ_command app:install spreedme
+fi
+occ_command app:enable spreedme
+chown -R www-data:www-data "$NC_APPS_PATH"
+
+# Generate secret keys
+SHAREDSECRET=$(openssl rand -hex 32)
+TEMPLINK=$(openssl rand -hex 32)
+sed -i "s|sharedsecret_secret = .*|sharedsecret_secret = $SHAREDSECRET|g" "$SNAPDIR/current/server.conf"
+
+# Populate the else empty config file (uses database for content by default)
+cp "$NCPATH/apps/spreedme/config/config.php.in" "$NCPATH/apps/spreedme/config/config.php"
+
+# Place the key in the NC app config
+sed -i "s|.*SPREED_WEBRTC_SHAREDSECRET.*| const SPREED_WEBRTC_SHAREDSECRET = '$SHAREDSECRET';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Allow to create temporary links
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED.*|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED = true;|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Set temporary links hash
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY.*|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY = '$TEMPLINK';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+
+# Enable Apache mods
+a2enmod proxy \
+ proxy_wstunnel \
+ proxy_http \
+ headers
+
+# Add config to vhost
+VHOST=/etc/apache2/spreedme.conf
+if [ ! -f $VHOST ]
+then
+cat << VHOST > "$VHOST"
+<Location /webrtc>
+ ProxyPass http://127.0.0.1:8080/webrtc
+ ProxyPassReverse /webrtc
+</Location>
+
+<Location /webrtc/ws>
+ ProxyPass ws://127.0.0.1:8080/webrtc/ws
+</Location>
+
+ ProxyVia On
+ ProxyPreserveHost On
+ RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+ # RequestHeader set X-Forwarded-Proto 'https' # Use this if you are behind a (Nginx) reverse proxy with http backends
+VHOST
+fi
+
+if ! grep -Fxq "Include $VHOST" /etc/apache2/apache2.conf
+then
+ sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"
+fi
+
+# Restart services
+restart_webserver
+if ! systemctl restart snap.spreedme.spreed-webrtc.service
+then
+msg_box "Something is wrong, the installation did not finish correctly.
+
+Please report this to $ISSUES"
+ exit 1
+else
+msg_box "Success! Spreed.ME is now installed and configured.
+
+You may have to change SPREED_WEBRTC_ORIGIN in:
+(sudo nano) $NCPATH/apps/spreedme/config/config.php"
+ exit 0
+fi
+
+exit
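Review bot: The `config.php` created by `cp "$NCPATH/apps/spreedme/config/config.php.in" "$NCPATH/apps/spreedme/config/config.php"` never gets its ownership or mode set, even though the next `sed` calls write the WebRTC shared secret and the temporary-password signing key into it. The only ownership fix, `chown -R www-data:www-data "$NC_APPS_PATH"`, runs before the copy, so the new file stays owned by the invoking user. Its mode comes from the template and the umask, which is likely world-readable. After the last `sed` on that file I would add `chown www-data:www-data "$NCPATH/apps/spreedme/config/config.php"` and `chmod 640 "$NCPATH/apps/spreedme/config/config.php"`.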