  1. #!/bin/bash
  2.  
  3. ##
  4. # KamiNuvini - kami@nuvini.com
  5. # This script does the following:
  6. # 1. Create directory for new user. This directory will have a public_html, logs and tmp folder by default.
  7. # 2. Add user, SFTP Chroot them, disallow normal SSH access. Allow PasswordAuthentication for user.
  8. # 3. Add separate PHP-FPM Pool for user.
  9. # 4. Add nginx-vhost and enable it.
  10. # 5. Setting up directory permissions.
  11. # 6. Restarting Services
  12. # Note that SFTP chrooting must be set up prior to running this script. The SFTP Chroot condition is the group
  13. # filetransfer.
  14. ##
  15.  
  16. ## Fetching Variables
  17. echo -n "Give domain name:  "
  18. read DOMAIN
  19. echo -n "Give username:  "
  20. read USER
  21.  
  22. # Homedir location, please set at least 2 levels deep for proper chrooting.
  23. HOMEDIR=/srv/www/$DOMAIN
  24.  
  25. ## 1. Creating directories
  26. mkdir -p $HOMEDIR/public_html
  27. mkdir -p $HOMEDIR/tmp
  28. mkdir -p $HOMEDIR/logs
  29.  
  30. ## 2. Creating User
  31. groupadd $USER
  32. useradd -g $USER -G filetransfer -d $HOMEDIR/ -s /usr/sbin/nologin $USER
  33. passwd $USER
  34.  
  35. ### 2.1 Allow PasswordAuthentication through SSH
  36. cat >> /etc/ssh/sshd_config  << EOL
  37. Match User $USER
  38. PasswordAuthentication yes
  39. EOL
  40.  
  41. ## 3. Adding PHP-FPM Pool
  42. cat > /etc/php5/fpm/pool.d/$DOMAIN.conf << EOL
  43. [$USER]
  44. user = $USER
  45. group = $USER
  46. listen = $HOMEDIR/tmp/php-fpm-$USER.sock
  47. listen.owner = $USER
  48. listen.group = $USER
  49. listen.mode = 0666
  50. pm = dynamic
  51. pm.max_children = 9
  52. pm.start_servers = 3
  53. pm.min_spare_servers = 2
  54. pm.max_spare_servers = 3
  55. pm.max_requests = 500
  56. chdir = /
  57. php_admin_value[open_basedir] = $HOMEDIR/public_html:$HOMEDIR/tmp:/usr/share/php5:/usr/share/php
  58. php_admin_value[disable_functions] = apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode, symlink
  59. php_flag[expose_php] = off
  60. php_value[memory_limit] = 128M
  61. php_admin_value[upload_tmp_dir] = "$HOMEDIR/tmp/"
  62. EOL
  63.  
  64. ## 4. Setting up nginx vhost
  65. cat > /etc/nginx/sites-available/$DOMAIN << EOL
  66. server
  67. {
  68.         listen 80;
  69.         listen [::]:80;
  70.         server_name $DOMAIN www.$DOMAIN;
  71.         client_max_body_size 20m;
  72.         client_body_buffer_size 128k;
  73.         access_log $HOMEDIR/logs/access.log;
  74.         error_log $HOMEDIR/logs/error.log;
  75.         root $HOMEDIR/public_html;
  76.         add_header X-Frame-Options SAMEORIGIN;
  77.  
  78.         location /
  79.         {
  80.                 index index.html index.htm index.php;
  81.                 # Enable gzip compression
  82.                 gzip_static on;
  83.         }
  84.  
  85.         location ~ /\.
  86.         {
  87.                 access_log off;
  88.                 log_not_found off;
  89.                 deny all;
  90.         }
  91.  
  92.         ## Only allow these request methods ##
  93.         if (\$request_method !~ ^(GET|HEAD|POST)$ )
  94.         {
  95.                 return 444;
  96.         }
  97.         ## Do not accept DELETE, SEARCH and other methods ##
  98.  
  99.         # Pass all .php files onto a php-fpm/php-fcgi server.
  100.         location ~ \.php$
  101.         {
  102.                 # Important, don't remove for security reasons
  103.                 try_files \$uri =404;
  104.                 fastcgi_split_path_info ^(.+\.php)(/.+)$;
  105.                 include fastcgi_params;
  106.                 fastcgi_index index.php;
  107.                 fastcgi_param SCRIPT_FILENAME $HOMEDIR/public_html\$fastcgi_script_name;
  108.                 fastcgi_pass unix:$HOMEDIR/tmp/php-fpm-$USER.sock;
  109.         }
  110. }
  111. EOL
  112.  
  113. ### 4.1 Enable the vhost
  114. ln -s /etc/nginx/sites-available/$DOMAIN /etc/nginx/sites-enabled/$DOMAIN
  115.  
  116. ## 5. Setting permissions
  117. chown -R $USER:www-data $HOMEDIR/logs/
  118. chown -R $USER:www-data $HOMEDIR/public_html/
  119. chown -R $USER:www-data $HOMEDIR/tmp
  120. chmod 0710 $HOMEDIR/logs
  121. chmod 0710 $HOMEDIR/public_html/
  122. chmod 0710 $HOMEDIR/tmp/
  123.  
  124. ## Restarting Services
  125. /etc/init.d/php5-fpm restart
  126. /etc/init.d/nginx restart
  127. /etc/init.d/ssh try-restart