====== Software-Konfiguration ====== Übersicht über Shortcuts des Editors “nano”: https://www.nano-editor.org/dist/latest/cheatsheet.html ===== nginx ===== Sicherung der Standard-Konfiguration: cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak Allgemeine Einstellungen nginx: nano /etc/nginx/nginx.conf Folgende Einstellungen sollten hier gesetzt bzw. kontrolliert werden: • user www-data; • worker_processes auto; • server_tokens off; Komplette //nginx.conf//: user www-data; worker_processes auto; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; server_tokens off; #gzip on; include /etc/nginx/conf.d/*.conf; } Deaktivierung der “Dummy-Webseite”: mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled “Selbsttest” der Konfiguration: nginx -t nginx neu starten: service nginx restart ===== MariaDB ===== mysql_secure_installation für MariaDB nachinstallieren, weil in der aktuellen Version nicht mehr enthalten: apt install mariadb-client-compat Absicherung des Datenbanksystems: mysql_secure_installation Kopieren der Original-Einstellungen: cp /etc/mysql/mariadb.conf.d/50-server.cnf /etc/mysql/mariadb.conf.d/50-server.cnf.bak Öffnen der allgemeinen Konfiguration von MariaDB: nano /etc/mysql/mariadb.conf.d/50-server.cnf Fügen Sie folgende Zeilen direkt nach der Definition der Sektion [mysqld] ein: innodb_read_only_compressed=OFF slave_connections_needed_for_purge=0 Die komplette Datei 50-server.cnf: # # These groups are read by MariaDB server. # Use it for options that only the server (but not clients) should see # this is read by the standalone daemon and embedded servers [server] # this is only for the mysqld standalone daemon [mysqld] # Allow write access to tables with format 'compressed' innodb_read_only_compressed=OFF slave_connections_needed_for_purge=0 # # * Basic Settings # #user = mysql pid-file = /run/mysqld/mysqld.pid basedir = /usr #datadir = /var/lib/mysql #tmpdir = /tmp # Broken reverse DNS slows down connections considerably and name resolve is # safe to skip if there are no "host by domain name" access grants #skip-name-resolve # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. bind-address = 127.0.0.1 # # * Fine Tuning # #key_buffer_size = 128M #max_allowed_packet = 1G #thread_stack = 192K #thread_cache_size = 8 # This replaces the startup script and checks MyISAM tables if needed # the first time they are touched #myisam_recover_options = BACKUP #max_connections = 100 #table_cache = 64 # # * Logging and Replication # # Both location gets rotated by the cronjob. # Be aware that this log type is a performance killer. # Recommend only changing this at runtime for short testing periods if needed! #general_log_file = /var/log/mysql/mysql.log #general_log = 1 # When running under systemd, error logging goes via stdout/stderr to journald # and when running legacy init error logging goes to syslog due to # /etc/mysql/conf.d/mariadb.conf.d/50-mysqld_safe.cnf # Enable this if you want to have error logging into a separate file #log_error = /var/log/mysql/error.log # Enable the slow query log to see queries with especially long duration #slow_query_log_file = /var/log/mysql/mariadb-slow.log #long_query_time = 10 #log_slow_verbosity = query_plan,explain #log-queries-not-using-indexes #min_examined_row_limit = 1000 # The following can be used as easy to replay backup logs or for replication. # note: if you are setting up a replication slave, see README.Debian about # other settings you may need to change. #server-id = 1 #log_bin = /var/log/mysql/mysql-bin.log expire_logs_days = 10 #max_binlog_size = 100M # # * SSL/TLS # # For documentation, please read # https://mariadb.com/kb/en/securing-connections-for-client-and-server/ #ssl-ca = /etc/mysql/cacert.pem #ssl-cert = /etc/mysql/server-cert.pem #ssl-key = /etc/mysql/server-key.pem #require-secure-transport = on # # * Character sets # # MySQL/MariaDB default is Latin1, but in Debian we rather default to the full # utf8 4-byte character set. See also client.cnf character-set-server = utf8mb4 collation-server = utf8mb4_general_ci # # * InnoDB # # InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. # Read the manual for more InnoDB related options. There are many! # Most important is to give InnoDB 80 % of the system RAM for buffer use: # https://mariadb.com/kb/en/innodb-system-variables/#innodb_buffer_pool_size #innodb_buffer_pool_size = 8G # this is only for embedded server [embedded] # This group is only read by MariaDB servers, not by MySQL. # If you use the same .cnf file for MySQL and MariaDB, # you can put MariaDB-only options here [mariadb] # This group is only read by MariaDB-10.6 servers. # If you use the same .cnf file for MariaDB of different versions, # use this group for options that older servers don't understand [mariadb-11.8] Neustarten des Datenbank-Dienstes: service mariadb restart ===== PHP ===== Sichern der originalen Konfigurationsdateien: cp /etc/php/8.5/fpm/pool.d/www.conf /etc/php/8.5/fpm/pool.d/www.conf.bak cp /etc/php/8.5/cli/php.ini /etc/php/8.5/cli/php.ini.bak cp /etc/php/8.5/fpm/php.ini /etc/php/8.5/fpm/php.ini.bak cp /etc/php/8.5/fpm/php-fpm.conf /etc/php/8.5/fpm/php-fpm.conf.bak Anpassen der Konfiguration des PHP-Thread-Pools mittels sed: sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/8.5/fpm/pool.d/www.conf sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/8.5/fpm/pool.d/www.conf sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/8.5/fpm/pool.d/www.conf sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/8.5/fpm/pool.d/www.conf sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/8.5/fpm/pool.d/www.conf Anpassen der FPM-Konfiguration: sed -i "s/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/" /etc/php/8.5/fpm/php.ini sed -i "s/memory_limit = 128M/memory_limit = 512M/" /etc/php/8.5/fpm/php.ini sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/8.5/fpm/php.ini sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/8.5/fpm/php.ini sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/8.5/fpm/php.ini sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=32/" /etc/php/8.5/fpm/php.ini sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/8.5/fpm/php.ini sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=60/" /etc/php/8.5/fpm/php.ini sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/8.5/fpm/php.ini Anpassen der CLI-Konfiguration: sed -i "s/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/" /etc/php/8.5/cli/php.ini sed -i '$aapc.enable_cli=1' /etc/php/8.5/cli/php.ini Neustarten des PHP-Dienstes: service php8.5-fpm restart ===== acme.sh ===== Wechseln in den Kontext des Users “letsencrypt”: su - letsencrypt Let’s Encrypt als Default-Provider für TLS-Zertifikate definieren: acme.sh --set-default-ca --server letsencrypt Wechsel auf den normalen User: exit ===== Redis ===== Sichern der originalen Konfiguration: cp /etc/redis/redis.conf /etc/redis/redis.conf.bak Öffnen der Redis-Konfiguration: nano /etc/redis/redis.conf Konfigurations-Einträge, damit Redis über einen Socket anstatt eines Ports erreichbar ist: port 0 unixsocket /var/run/redis/redis-server.sock unixsocketperm 770 Hinzufügen des Users “www-data” zur Gruppe “redis”: usermod -a -G redis www-data Neustart des Redis-Dienstes: service redis-server restart ===== ufw ===== Firewall-Regeln festlegen: ufw default deny ufw allow 22 comment "SSH" ufw allow 80 comment "HTTP" ufw allow 443 comment "HTTPS" Firewall aktivieren: ufw enable Regeln der Firewall anzeigen: ufw status numbered