- Ubuntu 16.04/18.04 LTS
- Nginx 1.17.x / 1.16.x
- PHP-FPM 7.2/7.3
- MariaDB 10.3
- REDIS 5.0
- Memcached
- Fail2ban
- Netdata
- UFW
As EasyEngine v3 will no longer receive any updates, configurations available in this repository are being updated for WordOps (EEv3 fork).
We are currently contributing to WordOps project and several parts of this repository are already included in WordOps.
All previous configurations are still available in the branch easyengine-v3.
Configuration files with comments available by following the link source
apt-get update && apt-get dist-upgrade -y && apt-get autoremove --purge -y && apt-get cleansudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze mycli -ygit clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git $HOME/ubuntu-nginx-web-servergit -C $HOME/ubuntu-nginx-web-server pull origin masterIncluded by default in WordOps - this may not be needed anymore
source sysctl.conf - limits.conf source
cp $HOME/ubuntu-nginx-web-server/etc/sysctl.d/60-ubuntu-nginx-web-server.conf /etc/sysctl.d/60-ubuntu-nginx-web-server.confUbuntu 16.04 LTS do not support the new tcp congestion control algorithm bbr, we will use htcp instead.
# On ubuntu 18.04 LTS
modprobe tcp_bbr && echo 'tcp_bbr' >> /etc/modules-load.d/bbr.conf
echo -e '\nnet.ipv4.tcp_congestion_control = bbr\nnet.ipv4.tcp_notsent_lowat = 16384' >> /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
# On ubuntu 16.04 LTS
modprobe tcp_htcp && echo 'tcp_htcp' >> /etc/modules-load.d/htcp.conf
echo 'net.ipv4.tcp_congestion_control = htcp' >> /etc/sysctl.d/60-ubuntu-nginx-web-server.confThen to apply the configuration :
sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.confIncrease openfiles limits
sudo bash -c 'echo -e "* hard nofile 500000\n* soft nofile 500000\nroot hard nofile 500000\nroot soft nofile 500000\n" >> /etc/security/limits.conf'echo never > /sys/kernel/mm/transparent_hugepage/enabledIncluded by default in WordOps - this may not be needed anymore
Instructions available in VirtuBox Knowledgebase
bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --mariadb-server-version=10.3 --skip-maxscale -y
sudo apt update && sudo apt install mariadb-server -ySecure MariaDB after install by running the command :
mysql_secure_installationYou can download my example of my.cnf, optimized for VPS with 4GB RAM. my.cnf source
cp -f $HOME/ubuntu-nginx-web-server/etc/mysql/my.cnf /etc/mysql/my.cnfIt include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :
sudo service mysql stop
sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak
sudo service mysql startecho -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/mariadb.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart mariadbOpen the crontab editor
sudo crontab -eThen add the following cronjob
@weekly /usr/bin/mysqlcheck -Aos --auto-repair > /dev/null 2>&1
# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'
wget -qO wo wops.cc && sudo bash wosource /etc/bash_completion.d/wo_auto.rcwo stack install
wo stack install --php73echo 'root: [email protected]' >> /etc/aliases
newaliasesIncluded by default in WordOps - this may not be needed anymore
cd ~/ ||exit
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/usermod -s /bin/bash www-dataThis section has been removed because WordOps already install PHP 7.2 & PHP 7.3 by default
If you want to choose which version of php to use with the command php, you can use the command update-alternatives
# php5.6
sudo update-alternatives --install /usr/bin/php php /usr/bin/php5.6 80
# php7.0
sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.0 80
# php7.1
sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.1 80
# php7.2
sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.2 80
# php7.3
sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.3 80Then you can check php version with command php -v
Included by default in WordOps - this may not be needed anymore
- stub_status configuration on 127.0.0.1:80 : stub_status.conf
- restore visitor real IP under Cloudflare : cloudflare.conf
# copy all common nginx configurations
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
# commit change with git
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
Compile the latest Nginx release with nginx-ee
bash <(wget -O - virtubox.net/nginx-ee || curl -sL virtubox.net/nginx-ee)Choose one of them
# TLSv1.2 TLSv1.3 only (recommended)
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
# TLSv1.2 only
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf# commit change with git
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf"Included by default in WordOps - this may not be needed anymore
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
# commit change with git
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"sudo mkdir -p /etc/systemd/system/nginx.service.d
echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/nginx.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart nginx.serviceWARNING : SSH Configuration with root login allowed using SSH keys only source
cp -f $HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config /etc/ssh/sshd_configInstructions available in VirtuBox Knowledgebase
# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming
# allow incoming traffic on SSH port
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
ufw allow $CURRENT_SSH_PORT
# DNS - HTTP/S - FTP - NTP - RSYNC - DHCP - EE Backend
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 68
ufw allow 546
ufw allow 873
ufw allow 22222
# enable UFW
echo "y" | ufw enable- wordpress bruteforce
- ssh
- recidive (after 3 bans)
- backend http auth
- nginx bad bots
cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/
fail2ban-client reloadecho '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcachedIf you do not use memcached, you can safely stop it and disable it :
sudo systemctl stop memcached
sudo systemctl disable memcached.serviceapt-get install proftpd -ysecure proftpd and enable passive ports
sed -i 's/# DefaultRoot/DefaultRoot/' /etc/proftpd/proftpd.conf
sed -i 's/# RequireValidShell/RequireValidShell/' /etc/proftpd/proftpd.conf
sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' /etc/proftpd/proftpd.confrestart proftpd
sudo service proftpd restartAllow FTP ports with UFW
# ftp active port
sudo ufw allow 21
# ftp passive ports
sudo ufw allow 49000:50000/tcpEnable fail2ban proftpd jail
echo -e '\n[proftpd]\nenabled = true\n' >> /etc/fail2ban/jail.d/custom.conf
fail2ban-client reload# create user without shell access in group www-data
adduser --home /var/www/yourdomain.tld/ --shell /bin/false --ingroup www-data youruser
# allow group read/write on website folder
chmod -R g+rw /var/www/yourdomain.tldIncluded by default in WordOps - this may not be needed anymore
Github repository - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
- subdomain support
- ivp6 support
- wildcards certificates support
wget-qO install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
chmod +x install-ee-acme.sh
./install-ee-acme.sh
# enable acme.sh & ee-acme-sh
source .bashrcIncluded by default in WordOps - this may not be needed anymore
# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
# install netdata
bash <(curl -Ss https://my-netdata.io/kickstart.sh) all --dont-wait
# increase open files limits for netdata
sudo mkdir -p /etc/systemd/system/netdata.service.d
echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/netdata.service.d/limits.conf
sudo systemctl daemon-reload
sudo systemctl restart netdata.service
# disable email notifications
sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health_alarm_notify.conf
service netdata restartcurl https://cht.sh/:cht.sh > /usr/bin/cht.sh
chmod +x /usr/bin/cht.sh
echo "alias cheat='cht.sh'" >> $HOME/.bashrc
source $HOME/.bashrcusage : cheat <command>
root@vps:~ cheat cat
# cat
# Print and concatenate files.
# Print the contents of a file to the standard output:
cat file
# Concatenate several files into the target file:
cat file1 file2 > target_file
# Append several files into the target file:
cat file1 file2 >> target_file
# Number all output lines:
cat -n filewget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | shIncluded by default in WordOps - this may not be needed anymore
# download wp-cli bash_completion
wget -qO /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
# change /var/www owner
chown www-data:www-data /var/www
# download .profile & .bashrc for www-data
cp -f $HOME/ubuntu-nginx-web-server/var/www/.* /var/www/
# set owner
chown www-data:www-data /var/www/{.profile,.bashrc}
Included by default in WordOps - this may not be needed anymore
EasyEngine migration to WordOps is now handled by the install script. The only step to finish the migration is to remove previous php versions if you don't need them anymore.
# php5.6
apt-get -y autoremove php5.6-fpm php5.6-common --purge
# php7.0
apt-get -y autoremove php7.0-fpm php7.0-common --purgePublished & maintained by VirtuBox