
Commit b5aace5

authored
Misc Updates
1 parent ff13460 commit b5aace5

9 files changed

Lines changed: 58 additions & 17 deletions


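--- a/.github/workflows/software-version-check.yml
+++ b/.github/workflows/software-version-check.yml
@@ -69,11 +69,12 @@ jobs:
 check_version "PCRE2_VER" "$LATEST_PCRE2"
 
 # OpenSSL (3.4.x series)
-LATEST_OPENSSL=$(curl -s https://openssl-library.org/source/ |
-grep -o 'openssl-3\.4\.[0-9]*\.tar\.gz' |
+LATEST_OPENSSL=$(curl -s https://api.github.com/repos/openssl/openssl/releases |
+jq -r '.[].tag_name' |
+grep '^openssl-3\.4\.[0-9]*$' |
 sort -V |
 tail -n 1 |
-sed 's/openssl-\(.*\)\.tar\.gz/\1/')
+sed 's/openssl-//')
 check_version "OPENSSL_VER" "$LATEST_OPENSSL"
 
 # NGINX
@@ -173,4 +174,3 @@ jobs:
 labels: |
 automated
 dependencies
-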
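Review bot: The new `curl -s https://api.github.com/repos/openssl/openssl/releases` call at new line 72 reads only the first page of an unauthenticated API response and has no failure handling, so `LATEST_OPENSSL` can end up empty. The releases endpoint is paginated (30 entries by default) and OpenSSL maintains several branches in parallel, so 3.4.x tags may drop off the first page; without `-f`, a rate-limit or error body is also piped into `jq` as if it were data. I would request `curl -fsSL "https://api.github.com/repos/openssl/openssl/releases?per_page=100"` and add `[ -n "$LATEST_OPENSSL" ] || exit 1` before the `check_version` call, so a failed lookup fails the job instead of being compared as a version. What `check_version` does with an empty argument is not visible in this hunk.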

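--- a/README.md
+++ b/README.md
@@ -17,11 +17,11 @@ EngineScript is meant to be run as the root user on a fresh VPS. Setup will remo
 ## Default Configuration ##
 The default EngineScript configuration utilizes the simplified stack below. Additional information on specific software versions and sources can be found further down.
 
-||||
-|-|-|-|
-|**CDN \ SSL:** Cloudflare||**Web Server:** Nginx Mainline|
-|**Script Processing:** PHP 8.x||**MySQL Database:** MariaDB 11.4.x|
-|**Object Cache:** Redis||**CMS:** WordPress|
+|||||
+|-|-|-|-|
+|**CDN \ SSL:** Cloudflare|-|-|**Web Server:** Nginx|
+|**Script Processing:** PHP|-|-|**MySQL Database:** MariaDB|
+|**Object Cache:** Redis|-|-|**CMS:** WordPress|
 
 ----------
 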

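--- a/scripts/install/enginescript-install.sh
+++ b/scripts/install/enginescript-install.sh
@@ -67,8 +67,10 @@ echo "Linux Version = $UBUNTU_TYPE $UBUNTU_VERSION $UBUNTU_CODENAME"
 echo -e "${BOLD}\nEngineScript Install Options:${NORMAL}"
 echo "AUTOMATIC_LOSSLESS_IMAGE_OPTIMIZATION = $AUTOMATIC_LOSSLESS_IMAGE_OPTIMIZATION"
 echo "ENGINESCRIPT_AUTO_UPDATE = $ENGINESCRIPT_AUTO_UPDATE"
+echo "ADMIN_SUBDOMAIN = $ADMIN_SUBDOMAIN"
 echo "INSTALL_ADMINER = $INSTALL_ADMINER"
 echo "INSTALL_PHPMYADMIN = $INSTALL_PHPMYADMIN"
+echo "NGINX_SECURE_ADMIN = $NGINX_SECURE_ADMIN"
 echo "SHOW_ENGINESCRIPT_HEADER = $SHOW_ENGINESCRIPT_HEADER"
 echo "DAILY_LOCAL_DATABASE_BACKUP = $DAILY_LOCAL_DATABASE_BACKUP"
 echo "HOURLY_LOCAL_DATABASE_BACKUP = $HOURLY_LOCAL_DATABASE_BACKUP"
@@ -164,6 +166,36 @@ if [ "$WP_ADMIN_PASSWORD" = PLACEHOLDER ];
 exit
 fi
 
+# Check Admin Subdomain Security Configuration
+if [ "$ADMIN_SUBDOMAIN" = 1 ] && [ "$NGINX_SECURE_ADMIN" = 0 ]; then
+echo -e "\n${BOLD}WARNING: Security Configuration Issue${NORMAL}"
+echo "You have enabled the Admin Subdomain (ADMIN_SUBDOMAIN=1) but disabled Nginx password protection for it (NGINX_SECURE_ADMIN=0)."
+echo "This is insecure as it would expose tools like phpMyAdmin or Adminer publicly."
+echo ""
+while true; do
+read -p "Do you want to enable Nginx password protection for the admin subdomain? (y/n): " yn_secure_admin
+case $yn_secure_admin in
+[Yy]* )
+echo "Enabling Nginx password protection for the admin subdomain..."
+sed -i 's/^NGINX_SECURE_ADMIN=0/NGINX_SECURE_ADMIN=1/' /home/EngineScript/enginescript-install-options.txt
+NGINX_SECURE_ADMIN=1 # Update variable in current script scope
+echo "NGINX_SECURE_ADMIN has been set to 1 in enginescript-install-options.txt."
+sleep 2
+break
+;;
+[Nn]* )
+echo "Disabling the admin subdomain due to security concerns..."
+sed -i 's/^ADMIN_SUBDOMAIN=1/ADMIN_SUBDOMAIN=0/' /home/EngineScript/enginescript-install-options.txt
+ADMIN_SUBDOMAIN=0 # Update variable in current script scope
+echo "ADMIN_SUBDOMAIN has been set to 0 in enginescript-install-options.txt."
+sleep 2
+break
+;;
+* ) echo "Please answer yes or no.";;
+esac
+done
+fi
+
 # Install Check
 source /var/log/EngineScript/install-log.txt
 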
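Review bot: The `sed -i` edits at new lines 180 and 188 are never verified, yet the `echo` that follows each one reports the options file as changed. The patterns are anchored to the exact text `NGINX_SECURE_ADMIN=0` and `ADMIN_SUBDOMAIN=1`, so a value written with quotes (for example `NGINX_SECURE_ADMIN="0"`) still triggers the check but is left untouched on disk, and any later script that re-reads the file would presumably still see the admin subdomain enabled without password protection. A check such as `grep -q '^NGINX_SECURE_ADMIN=1' /home/EngineScript/enginescript-install-options.txt || exit 1` after each `sed` closes that gap. Separately, `read` at new line 176 returns non-zero on end of input, which falls through to the `* )` branch and loops forever in an unattended install; `read -r -p "..." yn_secure_admin || exit 1` avoids that.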

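--- a/scripts/install/nginx/nginx-patch.sh
+++ b/scripts/install/nginx/nginx-patch.sh
@@ -26,7 +26,7 @@ fi
 
 # Patch Nginx
 cd /usr/src/nginx-${NGINX_VER}
-patch -p1 < /usr/local/bin/enginescript/scripts/patches/nginx.patch
+patch -p1 < /usr/local/bin/enginescript/patches/nginx/nginx.patch
 
 # Patch OpenSSL
 #cd /usr/src/openssl-${OPENSSL_VER}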

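--- a/scripts/install/openssl/openssl-install.sh
+++ b/scripts/install/openssl/openssl-install.sh
@@ -24,9 +24,10 @@ fi
 
 # Download OpenSSL
 cd /usr/src
-wget https://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz --no-check-certificate
+# Updated URL structure for GitHub releases
+wget "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VER}/openssl-${OPENSSL_VER}.tar.gz" --no-check-certificate
 #apt remove openssl -y
-tar -xvzf openssl-${OPENSSL_VER}.tar.gz
+tar -xvzf "openssl-${OPENSSL_VER}.tar.gz"
 
 # Compile OpenSSL
 #cd openssl-${OPENSSL_VER}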
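Review bot: The rewritten `wget` at new line 28 keeps `--no-check-certificate`, so the OpenSSL source tarball is fetched with TLS verification switched off and is unpacked at new line 30 without any integrity check. The README says the installer is meant to run as root, and this archive is the TLS library source for the host, so an altered download would go unnoticed. I would drop the flag, leaving `wget "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VER}/openssl-${OPENSSL_VER}.tar.gz"`, and verify the archive before `tar` against the checksum or detached signature that upstream publishes with each release (confirm the exact asset names on the release page). The same line is added at new line 28 of scripts/update/openssl-update.sh.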

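--- a/scripts/install/ufw/ufw-cloudflare.sh
+++ b/scripts/install/ufw/ufw-cloudflare.sh
@@ -25,7 +25,14 @@ fi
 # Add UFW Rules for Cloudflare
 # Credit: https://github.com/Paul-Reed/cloudflare-ufw
 
-# Allow all traffic from Cloudflare IPs (no ports restriction)
-for cfip in `curl -sw '\n' https://www.cloudflare.com/ips-v{4,6}`; do ufw allow proto tcp from $cfip comment 'Cloudflare IP'; done
+echo "Adding UFW rules for Cloudflare IPs (TCP & UDP)..."
+# Allow all TCP and UDP traffic from Cloudflare IPs (no ports restriction)
+# Using brace expansion for conciseness
+for cfip in $(curl -s https://www.cloudflare.com/ips-v{4,6}); do
+ufw allow proto tcp from $cfip comment 'Cloudflare IP (TCP)' > /dev/null
+ufw allow proto udp from $cfip comment 'Cloudflare IP (UDP)' > /dev/null
+done
 
+echo "Reloading UFW rules..."
 ufw reload > /dev/null
+echo "UFW rules updated for Cloudflare."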
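Review bot: The rules added at new lines 32–33 allow every TCP and UDP port from the Cloudflare ranges, so anything listening on the host is reachable from those ranges, not only the web server. Unless a service is known to need it, I would drop the UDP rule and scope the TCP rule to the web ports: `ufw allow proto tcp from "$cfip" to any port 80,443 comment 'Cloudflare IP (TCP)' > /dev/null`. The new `curl -s` at line 31 also loses the `-w '\n'` that the removed line had; if the first list does not end in a newline, the last IPv4 range and the first IPv6 range fuse into one word, so `curl -fsS -w '\n' https://www.cloudflare.com/ips-v{4,6}` is safer. With stdout discarded and no status check, a failed fetch still ends with the "UFW rules updated for Cloudflare." message.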

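--- a/scripts/update/openssl-update.sh
+++ b/scripts/update/openssl-update.sh
@@ -24,9 +24,10 @@ fi
 
 # Download OpenSSL
 cd /usr/src
-wget https://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz --no-check-certificate
-tar -xvzf openssl-${OPENSSL_VER}.tar.gz
-cd openssl-${OPENSSL_VER}
+# Updated URL structure for GitHub releases
+wget "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VER}/openssl-${OPENSSL_VER}.tar.gz" --no-check-certificate
+tar -xvzf "openssl-${OPENSSL_VER}.tar.gz"
+cd "openssl-${OPENSSL_VER}"
 
 # Compile OpenSSL
 chmod +x ./config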
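Review bot: None of `wget`, `tar` or `cd` at new lines 28–30 is checked, so after a failed download the script stays in /usr/src and goes on to `chmod +x ./config` and whatever follows, unless `set -e` is enabled above the hunk. `cd "openssl-${OPENSSL_VER}" || exit 1` is the minimum change; ideally the `wget` and `tar` lines get the same `|| exit 1` guard so the update stops before the compile steps. The compile section continues past the end of the hunk, so what else would run from the wrong directory is not visible here.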
