author | Daniel Hansson <github@hanssonit.se> | 2020-07-06 22:36:59 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-06 22:36:59 +0300 |
commit | 7a69f992d38799c906725d602207b691a2a8f4ad (patch) | |
tree | c61804a707d89271569e4f9d5a0ced5bc841c587 /old | |
parent | 4fb19efd3d62c5091d842079f0177afc44948f8e (diff) |
Revert "[very much WIP] Official VM (#1302)" (#1311)
This reverts commit 4fb19efd3d62c5091d842079f0177afc44948f8e.
Diffstat (limited to 'old')
-rw-r--r-- | old/modsecurity.sh | 98 | ||||
-rw-r--r-- | old/ntpdate.sh | 23 | ||||
-rw-r--r-- | old/onlyoffice.sh | 221 | ||||
-rw-r--r-- | old/spreedme.sh | 128 |
4 files changed, 470 insertions, 0 deletions
diff --git a/old/modsecurity.sh b/old/modsecurity.sh
new file mode 100644
index 00000000..31ec00a0
--- /dev/null
+++ b/old/modsecurity.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Installing ModSecurity..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Add modsecurity
+apt update -q4 & spinner_loading
+install_if_not libapache2-mod-security2
+install_if_not modsecurity-crs
+mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
+
+msg_box "WARNING WARNING WARNING WARNING WARNING WARNING:
+
+Do not enable active defence if you don't know what you're doing!
+It will break OnlyOffice, and it may break other stuff as well in Nextcloud as it's
+blocking access to files automatically.
+
+You can monitor the audit log by typing this command in your shell:
+tail -f /var/log/apache2/modsec_audit.log
+
+You can disable it by typing this command in your shell:
+sed -i 's/SecRuleEngine .*/SecRuleEngine DetectionOnly/g' /etc/modsecurity/modsecurity.conf
+
+YOU HAVE BEEN WARNED."
+if [[ "yes" == $(ask_yes_or_no "Do you want to enable active defence?") ]]
+then
+ sed -i 's|SecRuleEngine .*|SecRuleEngine on|g' /etc/modsecurity/modsecurity.conf
+fi
+
+cat << MODSECWHITE > "/etc/modsecurity/whitelist.conf"
+<Directory $NCPATH>
+# VIDEOS
+ SecRuleRemoveById 958291 # Range Header Checks
+ SecRuleRemoveById 981203 # Correlated Attack Attempt
+
+ # PDF
+ SecRuleRemoveById 950109 # Check URL encodings
+
+ # ADMIN (webdav)
+ SecRuleRemoveById 960024 # Repeatative Non-Word Chars (heuristic)
+ SecRuleRemoveById 981173 # SQL Injection Character Anomaly Usage
+ SecRuleRemoveById 981204 # Correlated Attack Attempt
+ SecRuleRemoveById 981243 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981245 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981246 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981318 # String Termination/Statement Ending Injection Testing
+ SecRuleRemoveById 973332 # XSS Filters from IE
+ SecRuleRemoveById 973338 # XSS Filters - Category 3
+ SecRuleRemoveById 981143 # CSRF Protections ( TODO edit LocationMatch filter )
+
+ # COMING BACK FROM OLD SESSION
+ SecRuleRemoveById 970903 # Microsoft Office document properties leakage
+
+ # NOTES APP
+ SecRuleRemoveById 981401 # Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff'
+ SecRuleRemoveById 200002 # Failed to parse request body
+
+ # UPLOADS ( 20 MB max excluding file size )
+ SecRequestBodyNoFilesLimit 20971520
+
+ # GENERAL
+ SecRuleRemoveById 960017 # Host header is a numeric IP address
+
+ # SAMEORIGN
+ SecRuleRemoveById 911100 # fpm socket
+
+ # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
+ #SecRuleRemoveById 981220 900046 981407
+ #SecRuleRemoveById 981222 981405 981185 981184
+</Directory>
+MODSECWHITE
+
+# Don't log in Apache2 error.log, only in a seperate log (/var/log/apache2/modsec_audit.log)
+check_command sed -i 's|SecDefaultAction "phase:1,log,auditlog,pass"|# SecDefaultAction "phase:1,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|SecDefaultAction "phase:2,log,auditlog,pass"|# SecDefaultAction "phase:2,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:1,nolog,auditlog,pass"|SecDefaultAction "phase:1,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:2,nolog,auditlog,pass"|SecDefaultAction "phase:2,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+
+if [ -f /etc/modsecurity/whitelist.conf ]
+then
+ print_text_in_color "$IGreen" "ModSecurity activated!"
+ restart_webserver
+fi
diff --git a/old/ntpdate.sh b/old/ntpdate.sh
new file mode 100644
index 00000000..43645ef3
--- /dev/null
+++ b/old/ntpdate.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+if network_ok
+then
+ if is_this_installed ntpdate
+ then
+ ntpdate -s 1.se.pool.ntp.org
+ fi
+fi
+exit
diff --git a/old/onlyoffice.sh b/old/onlyoffice.sh
new file mode 100644
index 00000000..fcdddd11
--- /dev/null
+++ b/old/onlyoffice.sh
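Review bot: The `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` line near the top of this hunk executes whatever the unpinned master branch serves at run time, and because `-f` is absent a 404 or HTML error page would be sourced as shell too; if these scripts are meant to stay runnable, pin the reference and fail on HTTP errors, e.g. `. <(curl -fsSL https://raw.githubusercontent.com/nextcloud/vm/<pinned-ref>/lib.sh)`. The same line is restored in old/ntpdate.sh, old/onlyoffice.sh and old/spreedme.sh in this commit. Separately, `mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf` is unconditional and the script does not `set -e`, so on a second run the `mv` fails and the following `sed` edits whatever config is already in place; guarding it with `[ -f /etc/modsecurity/modsecurity.conf ] ||` would make the re-run explicit.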
@@ -0,0 +1,221 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+# OnlyOffice URL (onlyoffice.sh)
+SUBDOMAIN=$(whiptail --title "T&M Hansson IT - OnlyOffice" --inputbox "OnlyOffice subdomain eg: office.yourdomain.com\n\nNOTE: This domain must be different than your Nextcloud domain. They can however be hosted on the same server, but would require seperate DNS entries." "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+# Nextcloud Main Domain (onlyoffice.sh)
+NCDOMAIN=$(whiptail --title "T&M Hansson IT - OnlyOffice" --inputbox "Nextcloud domain, make sure it looks like this: cloud\\.yourdomain\\.com" "$WT_HEIGHT" "$WT_WIDTH" cloud\\.yourdomain\\.com 3>&1 1>&2 2>&3)
+
+print_text_in_color "$ICyan" "Installing OnlyOffice..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 OnlyOffice
+cpu_check 2 OnlyOffice
+
+# Notification
+msg_box "Before you start, please make sure that port 80+443 is directly forwarded to this machine!"
+
+# Get the latest packages
+apt update -q4 & spinner_loading
+
+# Check if Nextcloud is installed
+print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
+if ! curl -s https://"${NCDOMAIN//\\/}"/status.php | grep -q 'installed":true'
+then
+msg_box "It seems like Nextcloud is not installed or that you don't use https on:
+${NCDOMAIN//\\/}.
+Please install Nextcloud and make sure your domain is reachable, or activate SSL
+on your domain to be able to run this script.
+If you use the Nextcloud VM you can use the Let's Encrypt script to get SSL and activate your Nextcloud domain.
+When SSL is activated, run these commands from your terminal:
+sudo curl -sLO $APP/onlyoffice.sh
+sudo bash onlyoffice.sh"
+ exit 1
+fi
+
+# Check if apache2 evasive-mod is enabled and disable it because of compatibility issues
+if [ "$(apache2ctl -M | grep evasive)" != "" ]
+then
+ msg_box "We noticed that 'mod_evasive' is installed which is the DDOS protection for webservices. It has comptibility issues with OnlyOffice and you can now choose to disable it."
+ if [[ "no" == $(ask_yes_or_no "Do you want to disable DDOS protection?") ]]
+ then
+ print_text_in_color "$ICyan" "Keeping mod_evasive active."
+ else
+ a2dismod evasive
+ # a2dismod mod-evasive # not needed, but existing in the Extra Security script.
+ apt-get purge libapache2-mod-evasive -y
+ systemctl restart apache2
+ fi
+fi
+
+# Check if $SUBDOMAIN exists and is reachable
+print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
+domain_check_200 "$SUBDOMAIN"
+
+# Check open ports with NMAP
+check_open_port 80 "$SUBDOMAIN"
+check_open_port 443 "$SUBDOMAIN"
+
+# Install Docker
+install_docker
+
+# Check if OnlyOffice or Collabora is previously installed
+# If yes, then stop and prune the docker container
+docker_prune_this 'onlyoffice/documentserver'
+docker_prune_this 'collabora/code'
+
+# Disable RichDocuments (Collabora App) if activated
+if [ -d "$NC_APPS_PATH"/richdocuments ]
+then
+ occ_command app:remove richdocuments
+fi
+
+# Disable OnlyOffice (Collabora App) if activated
+if [ -d "$NC_APPS_PATH"/onlyoffice ]
+then
+ occ_command app:remove onlyoffice
+fi
+
+# Install Onlyoffice docker
+docker pull onlyoffice/documentserver:latest
+docker run -i -t -d -p 127.0.0.3:9090:80 --restart always --name onlyoffice onlyoffice/documentserver
+
+# Licensed version
+# https://helpcenter.onlyoffice.com/server/integration-edition/docker/docker-installation.aspx
+# docker run -i -t -d -p 127.0.0.3:9090:80 --restart=always --name onlyoffice \
+# -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data onlyoffice/documentserver-ie
+
+# Install apache2
+install_if_not apache2
+
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+
+if [ -f "$HTTPS_CONF" ]
+then
+ a2dissite "$SUBDOMAIN.conf"
+ rm -f "$HTTPS_CONF"
+fi
+
+# Create Vhost for OnlyOffice online in Apache2
+if [ ! -f "$HTTPS_CONF" ];
+then
+ cat << HTTPS_CREATE > "$HTTPS_CONF"
+<VirtualHost *:443>
+ ServerName $SUBDOMAIN:443
+
+ SSLEngine on
+ ServerSignature On
+ SSLHonorCipherOrder on
+
+ SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+ SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+ SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+ SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
+
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ # Just in case - see below
+ SSLProxyEngine On
+ SSLProxyVerify None
+ SSLProxyCheckPeerCN Off
+ SSLProxyCheckPeerName Off
+
+ # contra mixed content warnings
+ RequestHeader set X-Forwarded-Proto "https"
+
+ # basic proxy settings
+ ProxyRequests off
+
+ ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.3:9090/$1$2"
+ ProxyPass / "http://127.0.0.3:9090/"
+ ProxyPassReverse / "http://127.0.0.3:9090/"
+
+ <Location />
+ ProxyPassReverse /
+ </Location>
+</VirtualHost>
+HTTPS_CREATE
+
+ if [ -f "$HTTPS_CONF" ];
+ then
+ print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+ sleep 1
+ else
+ print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+ fi
+fi
+
+# Install certbot (Let's Encrypt)
+install_certbot
+
+# Generate certs
+if generate_cert "$SUBDOMAIN"
+then
+ # Generate DHparams chifer
+ if [ ! -f "$DHPARAMS_SUB" ]
+ then
+ openssl dhparam -dsaparam -out "$DHPARAMS_SUB" 4096
+ fi
+ printf "%b" "${IGreen}Certs are generated!\n${Color_Off}"
+ a2ensite "$SUBDOMAIN.conf"
+ restart_webserver
+ # Install OnlyOffice
+ occ_command app:install onlyoffice
+else
+ print_text_in_color "$IRed" "It seems like no certs were generated, please report this issue here: $ISSUES"
+ any_key "Press any key to continue... "
+ restart_webserver
+fi
+
+# Set config for OnlyOffice
+if [ -d "$NC_APPS_PATH"/onlyoffice ]
+then
+ occ_command config:app:set onlyoffice DocumentServerUrl --value=https://"$SUBDOMAIN/"
+ chown -R www-data:www-data "$NC_APPS_PATH"
+ occ_command config:system:set trusted_domains 3 --value="$SUBDOMAIN"
+# Add prune command
+ {
+ echo "#!/bin/bash"
+ echo "docker system prune -a --force"
+ echo "exit"
+ } > "$SCRIPTS/dockerprune.sh"
+ chmod a+x "$SCRIPTS/dockerprune.sh"
+ crontab -u root -l | { cat; echo "@weekly $SCRIPTS/dockerprune.sh"; } | crontab -u root -
+ print_text_in_color "$ICyan" "Docker automatic prune job added."
+ service docker restart
+ docker restart onlyoffice
+ print_text_in_color "$IGreen" "OnlyOffice is now successfully installed."
+ any_key "Press any key to continue... "
+fi
+
+exit
diff --git a/old/spreedme.sh b/old/spreedme.sh
new file mode 100644
index 00000000..2d4ffde2
--- /dev/null
+++ b/old/spreedme.sh
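Review bot: The vhost written by the HTTPS_CREATE here-doc still negotiates TLS 1.0 and 1.1 (`SSLProtocol all -SSLv2 -SSLv3`) and its SSLCipherSuite list ends with the 3DES suites ECDHE-ECDSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA and DES-CBC3-SHA; if this restored script is meant to be runnable rather than archived, the protocol line should read `SSLProtocol -all +TLSv1.2` and the CBC3 entries should be dropped from the suite list. Further down, `occ_command config:system:set trusted_domains 3 --value="$SUBDOMAIN"` writes to a hard-coded index and silently overwrites whatever domain already sits at position 3; computing the next free index from `occ config:system:get trusted_domains` before setting it would avoid clobbering an existing entry. The `SSLProxyVerify None` / `SSLProxyCheckPeerCN Off` block is inert for the plain-http loopback backend used here, but a comment saying so would stop a future reader from copying it to an https backend.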
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+print_text_in_color "$ICyan" "Installing Spreed.ME..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+if ! is_root
+then
+ printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${ICyan}sudo ${Color_Off}bash %s/nextcloud_install_production.sh\n" "$SCRIPTS"
+ exit 1
+fi
+
+# Check if Nextcloud exists
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Install if missing
+install_if_not apache2
+install_if_not snapd
+
+# Install Nextcloud Spreed.ME Snap
+if [ -d "$SNAPDIR" ]
+then
+ print_text_in_color "$ICyan" "Spreed.ME Snap already seems to be installed and will now be re-installed..."
+ snap remove spreedme
+ rm -rf "$SNAPDIR"
+ snap install --edge spreedme
+else
+ snap install --edge spreedme
+fi
+
+# Install and activate the Spreed.ME app
+if [ -d "$NC_APPS_PATH/spreedme" ]
+then
+ # Remove
+ occ_command app:disable spreedme
+ print_text_in_color "$ICyan" "Spreed.ME app already seems to be installed and will now be re-installed..."
+ rm -R "$NC_APPS_PATH/spreedme"
+ # Reinstall
+ occ_command app:install spreedme
+else
+ occ_command app:install spreedme
+fi
+occ_command app:enable spreedme
+chown -R www-data:www-data "$NC_APPS_PATH"
+
+# Generate secret keys
+SHAREDSECRET=$(openssl rand -hex 32)
+TEMPLINK=$(openssl rand -hex 32)
+sed -i "s|sharedsecret_secret = .*|sharedsecret_secret = $SHAREDSECRET|g" "$SNAPDIR/current/server.conf"
+
+# Populate the else empty config file (uses database for content by default)
+cp "$NCPATH/apps/spreedme/config/config.php.in" "$NCPATH/apps/spreedme/config/config.php"
+
+# Place the key in the NC app config
+sed -i "s|.*SPREED_WEBRTC_SHAREDSECRET.*| const SPREED_WEBRTC_SHAREDSECRET = '$SHAREDSECRET';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Allow to create temporary links
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED.*|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED = true;|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Set temporary links hash
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY.*|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY = '$TEMPLINK';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+
+# Enable Apache mods
+a2enmod proxy \
+ proxy_wstunnel \
+ proxy_http \
+ headers
+
+# Add config to vhost
+VHOST=/etc/apache2/spreedme.conf
+if [ ! -f $VHOST ]
+then
+cat << VHOST > "$VHOST"
+<Location /webrtc>
+ ProxyPass http://127.0.0.1:8080/webrtc
+ ProxyPassReverse /webrtc
+</Location>
+
+<Location /webrtc/ws>
+ ProxyPass ws://127.0.0.1:8080/webrtc/ws
+</Location>
+
+ ProxyVia On
+ ProxyPreserveHost On
+ RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+ # RequestHeader set X-Forwarded-Proto 'https' # Use this if you are behind a (Nginx) reverse proxy with http backends
+VHOST
+fi
+
+if ! grep -Fxq "Include $VHOST" /etc/apache2/apache2.conf
+then
+ sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"
+fi
+
+# Restart services
+restart_webserver
+if ! systemctl restart snap.spreedme.spreed-webrtc.service
+then
+msg_box "Something is wrong, the installation did not finish correctly.
+
+Please report this to $ISSUES"
+ exit 1
+else
+msg_box "Success! Spreed.ME is now installed and configured.
+
+You may have to change SPREED_WEBRTC_ORIGIN in:
+(sudo nano) $NCPATH/apps/spreedme/config/config.php"
+ exit 0
+fi
+
+exit |
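Review bot: `sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"` splices the Include at a fixed line number, so on any apache2.conf whose layout differs from the one the author had, the directive lands at an arbitrary point, possibly inside a `<Directory>` block or after a line that has since moved, and the preceding `grep -Fxq` only prevents duplicates, not misplacement. Dropping the file into `/etc/apache2/conf-available/spreedme.conf` and running `a2enconf spreedme` would place it deterministically; failing that, `printf 'Include %s\n' "$VHOST" >> /etc/apache2/apache2.conf` is at least position-independent. Earlier in the hunk the `is_root` failure message tells the user to run `nextcloud_install_production.sh` although this script is spreedme.sh, and `root_check` is then called again immediately afterwards under the comment "Check if Nextcloud exists", so one of the two checks and the comment look like copy-paste leftovers. `if [ ! -f $VHOST ]` should also quote the variable for consistency with the `"$VHOST"` usages around it.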