====== Software-Konfiguration ======
Übersicht über Shortcuts des Editors “nano”: https://www.nano-editor.org/dist/latest/cheatsheet.html
===== nginx =====
Sicherung der Standard-Konfiguration:
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
Allgemeine Einstellungen nginx:
nano /etc/nginx/nginx.conf
Folgende Einstellungen sollten hier gesetzt bzw. kontrolliert werden:
• user www-data;
• worker_processes auto;
• server_tokens off;
Komplette //nginx.conf//:
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
server_tokens off;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
Deaktivierung der “Dummy-Webseite”:
mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled
“Selbsttest” der Konfiguration:
nginx -t
nginx neu starten:
service nginx restart
===== MariaDB =====
mysql_secure_installation für MariaDB nachinstallieren, weil in der aktuellen Version nicht mehr enthalten:
apt install mariadb-client-compat
Absicherung des Datenbanksystems:
mysql_secure_installation
Kopieren der Original-Einstellungen:
cp /etc/mysql/mariadb.conf.d/50-server.cnf /etc/mysql/mariadb.conf.d/50-server.cnf.bak
Öffnen der allgemeinen Konfiguration von MariaDB:
nano /etc/mysql/mariadb.conf.d/50-server.cnf
Fügen Sie folgende Zeilen direkt nach der Definition der Sektion [mysqld] ein:
innodb_read_only_compressed=OFF
slave_connections_needed_for_purge=0
Die komplette Datei 50-server.cnf:
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
# this is read by the standalone daemon and embedded servers
[server]
# this is only for the mysqld standalone daemon
[mysqld]
# Allow write access to tables with format 'compressed'
innodb_read_only_compressed=OFF
slave_connections_needed_for_purge=0
#
# * Basic Settings
#
#user = mysql
pid-file = /run/mysqld/mysqld.pid
basedir = /usr
#datadir = /var/lib/mysql
#tmpdir = /tmp
# Broken reverse DNS slows down connections considerably and name resolve is
# safe to skip if there are no "host by domain name" access grants
#skip-name-resolve
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
#
# * Fine Tuning
#
#key_buffer_size = 128M
#max_allowed_packet = 1G
#thread_stack = 192K
#thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
#myisam_recover_options = BACKUP
#max_connections = 100
#table_cache = 64
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# Recommend only changing this at runtime for short testing periods if needed!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
# When running under systemd, error logging goes via stdout/stderr to journald
# and when running legacy init error logging goes to syslog due to
# /etc/mysql/conf.d/mariadb.conf.d/50-mysqld_safe.cnf
# Enable this if you want to have error logging into a separate file
#log_error = /var/log/mysql/error.log
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file = /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_verbosity = query_plan,explain
#log-queries-not-using-indexes
#min_examined_row_limit = 1000
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
#max_binlog_size = 100M
#
# * SSL/TLS
#
# For documentation, please read
# https://mariadb.com/kb/en/securing-connections-for-client-and-server/
#ssl-ca = /etc/mysql/cacert.pem
#ssl-cert = /etc/mysql/server-cert.pem
#ssl-key = /etc/mysql/server-key.pem
#require-secure-transport = on
#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
# Most important is to give InnoDB 80 % of the system RAM for buffer use:
# https://mariadb.com/kb/en/innodb-system-variables/#innodb_buffer_pool_size
#innodb_buffer_pool_size = 8G
# this is only for embedded server
[embedded]
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# This group is only read by MariaDB-10.6 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-11.8]
Neustarten des Datenbank-Dienstes:
service mariadb restart
===== PHP =====
Sichern der originalen Konfigurationsdateien:
cp /etc/php/8.5/fpm/pool.d/www.conf /etc/php/8.5/fpm/pool.d/www.conf.bak
cp /etc/php/8.5/cli/php.ini /etc/php/8.5/cli/php.ini.bak
cp /etc/php/8.5/fpm/php.ini /etc/php/8.5/fpm/php.ini.bak
cp /etc/php/8.5/fpm/php-fpm.conf /etc/php/8.5/fpm/php-fpm.conf.bak
Anpassen der Konfiguration des PHP-Thread-Pools mittels sed:
sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/8.5/fpm/pool.d/www.conf
Anpassen der FPM-Konfiguration:
sed -i "s/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/" /etc/php/8.5/fpm/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 512M/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=32/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=60/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/8.5/fpm/php.ini
Anpassen der CLI-Konfiguration:
sed -i "s/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/" /etc/php/8.5/cli/php.ini
sed -i '$aapc.enable_cli=1' /etc/php/8.5/cli/php.ini
Neustarten des PHP-Dienstes:
service php8.5-fpm restart
===== acme.sh =====
Wechseln in den Kontext des Users “letsencrypt”:
su - letsencrypt
Let’s Encrypt als Default-Provider für TLS-Zertifikate definieren:
acme.sh --set-default-ca --server letsencrypt
Wechsel auf den normalen User:
exit
===== Redis =====
Sichern der originalen Konfiguration:
cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
Öffnen der Redis-Konfiguration:
nano /etc/redis/redis.conf
Konfigurations-Einträge, damit Redis über einen Socket anstatt eines Ports erreichbar ist:
port 0
unixsocket /var/run/redis/redis-server.sock
unixsocketperm 770
Hinzufügen des Users “www-data” zur Gruppe “redis”:
usermod -a -G redis www-data
Neustart des Redis-Dienstes:
service redis-server restart
===== ufw =====
Firewall-Regeln festlegen:
ufw default deny
ufw allow 22 comment "SSH"
ufw allow 80 comment "HTTP"
ufw allow 443 comment "HTTPS"
Firewall aktivieren:
ufw enable
Regeln der Firewall anzeigen:
ufw status numbered