Inhaltsverzeichnis

Software-Konfiguration

Übersicht über Shortcuts des Editors “nano”: https://www.nano-editor.org/dist/latest/cheatsheet.html

nginx

Sicherung der Standard-Konfiguration:

cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

Allgemeine Einstellungen nginx:

nano /etc/nginx/nginx.conf

Folgende Einstellungen sollten hier gesetzt bzw. kontrolliert werden:

• user www-data;
• worker_processes auto;
• server_tokens off;

Komplette nginx.conf:

user  www-data;
worker_processes  auto;
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
 
events {
    worker_connections  1024;
}
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    server_tokens off;
    #gzip  on;
    include /etc/nginx/conf.d/*.conf;
}

Deaktivierung der “Dummy-Webseite”:

mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled

“Selbsttest” der Konfiguration:

nginx -t

nginx neu starten:

service nginx restart

MariaDB

mysql_secure_installation für MariaDB nachinstallieren, weil in der aktuellen Version nicht mehr enthalten:

apt install mariadb-client-compat

Absicherung des Datenbanksystems:

mysql_secure_installation

Kopieren der Original-Einstellungen:

cp /etc/mysql/mariadb.conf.d/50-server.cnf /etc/mysql/mariadb.conf.d/50-server.cnf.bak

Öffnen der allgemeinen Konfiguration von MariaDB:

nano /etc/mysql/mariadb.conf.d/50-server.cnf

Fügen Sie folgende Zeilen direkt nach der Definition der Sektion [mysqld] ein:

innodb_read_only_compressed=OFF
slave_connections_needed_for_purge=0
Die komplette Datei 50-server.cnf:
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
# this is read by the standalone daemon and embedded servers
[server]
# this is only for the mysqld standalone daemon
[mysqld]
# Allow write access to tables with format 'compressed'
innodb_read_only_compressed=OFF
slave_connections_needed_for_purge=0
#
# * Basic Settings
#
#user                    = mysql
pid-file                = /run/mysqld/mysqld.pid
basedir                 = /usr
#datadir                 = /var/lib/mysql
#tmpdir                  = /tmp
# Broken reverse DNS slows down connections considerably and name resolve is
# safe to skip if there are no "host by domain name" access grants
#skip-name-resolve
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address            = 127.0.0.1
#
# * Fine Tuning
#
#key_buffer_size        = 128M
#max_allowed_packet     = 1G
#thread_stack           = 192K
#thread_cache_size      = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
#myisam_recover_options = BACKUP
#max_connections        = 100
#table_cache            = 64
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# Recommend only changing this at runtime for short testing periods if needed!
#general_log_file       = /var/log/mysql/mysql.log
#general_log            = 1
# When running under systemd, error logging goes via stdout/stderr to journald
# and when running legacy init error logging goes to syslog due to
# /etc/mysql/conf.d/mariadb.conf.d/50-mysqld_safe.cnf
# Enable this if you want to have error logging into a separate file
#log_error = /var/log/mysql/error.log
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file    = /var/log/mysql/mariadb-slow.log
#long_query_time        = 10
#log_slow_verbosity     = query_plan,explain
#log-queries-not-using-indexes
#min_examined_row_limit = 1000
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id              = 1
#log_bin                = /var/log/mysql/mysql-bin.log
expire_logs_days        = 10
#max_binlog_size        = 100M
#
# * SSL/TLS
#
# For documentation, please read
# https://mariadb.com/kb/en/securing-connections-for-client-and-server/
#ssl-ca = /etc/mysql/cacert.pem
#ssl-cert = /etc/mysql/server-cert.pem
#ssl-key = /etc/mysql/server-key.pem
#require-secure-transport = on
#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
# Most important is to give InnoDB 80 % of the system RAM for buffer use:
# https://mariadb.com/kb/en/innodb-system-variables/#innodb_buffer_pool_size
#innodb_buffer_pool_size = 8G
# this is only for embedded server
[embedded]
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# This group is only read by MariaDB-10.6 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-11.8]

Neustarten des Datenbank-Dienstes:

service mariadb restart

PHP

Sichern der originalen Konfigurationsdateien:

cp /etc/php/8.5/fpm/pool.d/www.conf /etc/php/8.5/fpm/pool.d/www.conf.bak
cp /etc/php/8.5/cli/php.ini /etc/php/8.5/cli/php.ini.bak
cp /etc/php/8.5/fpm/php.ini /etc/php/8.5/fpm/php.ini.bak
cp /etc/php/8.5/fpm/php-fpm.conf /etc/php/8.5/fpm/php-fpm.conf.bak

Anpassen der Konfiguration des PHP-Thread-Pools mittels sed:

sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/8.5/fpm/pool.d/www.conf

Anpassen der FPM-Konfiguration:

sed -i "s/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/" /etc/php/8.5/fpm/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 512M/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=32/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=60/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/8.5/fpm/php.ini

Anpassen der CLI-Konfiguration:

sed -i "s/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/" /etc/php/8.5/cli/php.ini
sed -i '$aapc.enable_cli=1' /etc/php/8.5/cli/php.ini

Neustarten des PHP-Dienstes:

service php8.5-fpm restart

acme.sh

Wechseln in den Kontext des Users “letsencrypt”:

su - letsencrypt

Let’s Encrypt als Default-Provider für TLS-Zertifikate definieren:

acme.sh --set-default-ca --server letsencrypt

Wechsel auf den normalen User:

exit

Redis

Sichern der originalen Konfiguration:

cp /etc/redis/redis.conf /etc/redis/redis.conf.bak

Öffnen der Redis-Konfiguration:

nano /etc/redis/redis.conf

Konfigurations-Einträge, damit Redis über einen Socket anstatt eines Ports erreichbar ist:

port 0 
unixsocket /var/run/redis/redis-server.sock 
unixsocketperm 770

Hinzufügen des Users “www-data” zur Gruppe “redis”:

usermod -a -G redis www-data

Neustart des Redis-Dienstes:

service redis-server restart

ufw

Firewall-Regeln festlegen:

ufw default deny
ufw allow 22 comment "SSH"
ufw allow 80 comment "HTTP"
ufw allow 443 comment "HTTPS"

Firewall aktivieren:

ufw enable

Regeln der Firewall anzeigen:

ufw status numbered