Skip to content

Latest commit

 

History

History
151 lines (134 loc) · 6.05 KB

README.md

File metadata and controls

151 lines (134 loc) · 6.05 KB

docker-openlitespeed-php

eXtremeSHOK.com Docker OpenLiteSpeed with modsecurity and pagespeed and PHP 7.4 on Ubuntu LTS

Uses the base image extremeshok/openlitespeed : https://hub.docker.com/repository/docker/extremeshok/openlitespeed

Checkout our optimized production web-server setup based on docker https://github.com/extremeshok/docker-webserver

Note all configs are optimized and designed for production usage

  • Ubuntu LTS with S6
  • Will detect and apply new ssl certs automatically (WATCHMEDO_CERTS_ENABLE)
  • cron (/etc/cron.d) enabled for scheduling tasks, run as user nobody
  • cron runs every 1 minute, and will generate a new vhost cron every 15mins if vhost_cron is enabled
  • Preinstalled IP2Location DB , updated monthly on start (IP2LOCATION-LITE-DB1.IPV6.BIN from https://lite.ip2location.com)
  • IP2Location running in Shared Memory DB Cache
  • Optimized OpenLiteSpeed configs
  • Optimised HTTP Headers for Security (Content Security Policy (CSP), Access-Control-Allow-Methods, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-DNS-Prefetch-Control, X-Frame-Options, X-XSS-Protection)
  • Optimized PHP configs
  • session, memcached, apc serializer set to igbinary
  • OpenLiteSpeed installed via github releases (always newer than the repo)
  • OpenLiteSpeed Repository used for lsphp (litespeed-php)
  • IONICE set to -10
  • Low memory usage
  • HEALTHCHECK activated
  • Graceful shutdown
  • tail modsec.log, error.log and php_error.log to stdout
  • configs located in /etc/openlitespeed/
  • php configs located in /etc/php/
  • logs located in /usr/local/lsws/logs/
  • default configs will be added if the config dir is empty
  • OWASP modsecurity rules enabled
  • Restart openlitespeed when changes to the vhost/domain.com/cert dirs are detected, ie ssl certificate is updated
  • PHP 7.4 (lsphp74)
  • Composer
  • PHPUnit
  • WP-CLI , (use comamnd wp , this will run wp-cli as the nobody user)
  • Expose php disabled
  • msmtp enabled: send email via external smtp server, requires SMTP_HOST, SMTP_USER, SMTP_PASS
  • Increased php pcre limits
  • xshok-vhost-fix-permissions, xshok-vhost-generate-cron and xshok-vhost-monitor-certs are all non-blocking (runs parallel)
  • Outputs platform information on start
  • mariadb-client (mysql command) added as this is required for wp-cli
  • vim-tiny to provide ex which allows for advanced modification of files
  • opcode caching in shared memory enabled
  • opcode file_cache saved to /var/www/vhosts/.opcache

VHOST_FIX_PERMISSIONS (enabled by default)

Fix the vhosts folder and file perssions of the vhosts html directory

  • set VHOST_FIX_PERMISSIONS to false to disable, enabled by default
  • set XS_VHOST_FIX_PERMISSIONS_FOLDERS to false to disable fixing folder permissions, enabled by default
  • set XS_VHOST_FIX_PERMISSIONS_FILES to false to disable fixing file permissions, enabled by default
  • set XS_VHOST_FIX_PERMISSIONS_FOLDERS to false to disable, enabled by default

VHOST_CRON (disabled by default)

generate cron from cron files located in vhost/cron (hourly)

  • set VHOST_CRON to true to enable, disabled by default
  • finds all vhost/cron files and places them in the /etc/cron.d/ , runs hourly
  • ignores *.readme *.disabled *.disable *.txt *.sample files
  • cron runs every 1 minute, and will generate a new vhost cron every 15mins
  • Place cron files in /var/www/vhosts/fqdn.com/cron , see example /var/www/vhosts/localhost/cron/example

VHOST_MONITOR_CERTS (enabled by default)

Gracefully restarts openlitespeed to apply certificate updates, will only restart once every 300s

  • set VHOST_MONITOR_CERTS to false to disable, enabled by default
  • monitors /var/www/vhosts/*/certs, looking for changes (only detects *.pem)

VHOST_AUTOUPDATE (enabled by default)

VHOST_AUTOUPDATE_WP (enabled by default)

Automatically update all wordpress installs (hourly)

  • searches for wordpress installs located under /var/www/vhost/fqdn.com/html
  • updates a wordpress wordpress (plugins, themes, core, core-db, woocommerce)
  • if there was an update, caches are flushed (rewrites, transient, cache, lscache)
  • Set VHOST_AUTOUPDATE to false to disable, enabled by default
  • Set VHOST_AUTOUPDATE_WP to false to disable, enabled by default
  • Set VHOST_AUTOUPDATE_DEBUG to true to enable debug output, disabled by default
  • To disable a specific wordpress install from Automatic updates, create a blank "autoupdate.disable" file in the wordpress directory (ie. directory which contains wp-config.php)

PHP options (with defaults)

  • PHP_TIMEZONE=UTC
  • PHP_MAX_TIME=300 (in seconds)
  • PHP_MAX_UPLOAD_SIZE=32 (in mbyte)
  • PHP_MEMORY_LIMIT=256 (in mbyte)
  • PHP_DISABLE_FUNCTIONS=shell_exec (set to false to disable, can use a comma separated list)

Enable PHP Error messages only (error_reporting = E_ERROR & E_RECOVERABLE_ERROR & E_CORE_ERROR & E_USER_ERROR)

  • PHP_ERRORS_ONLY=yes

Enable PHP-Redis-sessions (disabled by default)

  • PHP_REDIS_SESSIONS=yes
  • PHP_REDIS_HOST=redis
  • PHP_REDIS_PORT=6379

EXTERNAL SMTP (disabled by default), set hostname, user and pass to enable

  • PHP_SMTP_HOST=mail.yoursmtp.com
  • PHP_SMTP_PORT=587
  • PHP_SMTP_USER=[email protected]
  • PHP_SMTP_PASS=securpassword

Notes:

  • PHP74 linked to /usr/bin/php and /usr/local/lsws/fcgi-bin/lsphp

Included Modules:

  • cache
  • mod_js
  • mod_security
  • modgzip
  • modinspector
  • modpagespeed
  • modreqparser
  • uploadprogress

Included PHP Modules

  • apcu
  • curl
  • dev
  • igbinary
  • imagick
  • imap
  • intl
  • json
  • memcached
  • msgpack
  • mysql
  • opcache
  • pear
  • redis
  • sqlite3

Note: ioncube ** not supported in php7.4 **

Usage

Place files in /var/www/vhosts/fqdn.com/ , see example /var/www/vhosts/localhost/

Ports

  • 80 : http
  • 443 : httpS
  • 443/udp : quic aka http/2
  • 7080 : webadmin
  • 8088 : example

Default WebAdmin Login

To set your own password

replace container name with the container name, eg xs_openlitespeed-_1

docker exec -ti containername /bin/bash '/usr/local/lsws/admin/misc/admpass.sh'

Check the headers

curl -XGET --resolve domain.com:443:ip.ad.re.ss https://domain.com -k -I