#!/bin/bash #################################################################################################### #### author: SlickStack ############################################################################ #### link: https://slickstack.io ################################################################### #### mirror: https://mirrors.slickstack.io/bash/ss-worker.txt ###################################### #### path: /var/www/ss-worker ###################################################################### #### destination: n/a (not a boilerplate) ########################################################## #### purpose: Performs SlickStack maintenance tasks and retrieves the latest ss-check file ######### #### module version: Ubuntu 22.04 LTS ############################################################## #### sourced by: ss-install, ss-update-modules ##################################################### #### bash aliases: ss worker ####################################################################### #################################################################################################### ## SS-WORKER TAKES CARE OF MANY IMPORTANT TASKS AND CRITICAL PATCHES FOR SLICKSTACK ## ## DISABLE SLICKSTACK CRON JOBS AND SS-CONFIG INTERVALS AT YOUR OWN RISK ## #################################################################################################### #### TABLE OF CONTENTS (SS-Worker) ################################################################# #################################################################################################### ## this is a brief summary of the different code snippets you will find in this script ## ## each section should be commented so you understand what is being accomplished ## ## A. Source SS-Config + SS-Functions ## B. Touch Timestamp File ## C. Message (Begin Script) ## D. Backup Active SS-Config File ## D. Retrieve Current SS-Check (Bash Script) ## E. Transfer Pilot File Settings (If Exists) ## F. Install Current SS-Constants.php Boilerplate ## G. Reset Permissions (SlickStack) ## H. Download Current Blacklist.txt File ## I. Install Default Robots.txt File (If Not Exists) ## I. Delete Object Cache Files (Conditional) ## J. Temporary Tasks (Urgent Patches) #################################################################################################### #### A. SS-Worker: Source SS-Config + SS-Functions ################################################# #################################################################################################### ## before anything else we must source the critical variables that power this script ## ## ss-config is setup during ss-install wizard but ss-functions is hardcoded ## ## source ss-config ## source /var/www/ss-config ## source ss-functions ## source /var/www/ss-functions ## BELOW THIS RELIES ON SS-CONFIG AND SS-FUNCTIONS #################################################################################################### #### B. SS-Worker: Touch Timestamp File ############################################################ #################################################################################################### ## this is a dummy timestamp file that will remember the last time this script was run ## ## it can be useful for developer reference and is sometimes used by SlickStack ## ss_touch "${TIMESTAMP_SS_WORKER}" #################################################################################################### #### C. SS-Worker: Message (Begin Script) ########################################################## #################################################################################################### ## this is a simple message that announces to the shell the purpose of this bash script ## ## it will only be seen by sudo users who manually run this script in the shell ## ss_echo "${COLOR_INFO}Running ss-worker... ${COLOR_RESET}" #################################################################################################### #### D. SS-Worker: Backup Active SS-Config File #################################################### #################################################################################################### ## this will replicate your current ss-config file (and settings) to the backups dir ## ## the oldest .bak files will be cleaned up periodically by ss-clean-files ## ## SNIPPET: ss-update-config, ss-worker ## UPDATED: 31MAY2022 ## backup ss-config ## ss_cp "${PATH_SS_CONFIG}" /var/www/backups/config/ss-config.bak.${SYSTEM_CURRENT_TIME} #################################################################################################### #### D. SS-Worker: Backup Custom Cron Jobs #################################################### #################################################################################################### rsync -r /var/www/crons/custom/ /var/www/backups/crons #################################################################################################### #### D. SS-Worker: Retrieve Current SS-Check (Bash Script) ######################################### #################################################################################################### ## here we retrieve the latest ss-check core bash script to improve overall redundancy ## ## thus ss-check avoids installing itself and no single point of failure (SPOF) ## ## retrieve ss-check ## ss_wget "${TMP_SS_CHECK}" "${GITHUB_SS_CHECK}" VALIDATE_TMP_SS_CHECK=$(grep 'SS_EOF' "${TMP_SS_CHECK}" 2> /dev/null) if [[ -z "${VALIDATE_TMP_SS_CHECK}" ]]; then ss_wget "${TMP_SS_CHECK}" "${GITLAB_SS_CHECK}" fi ## install ss-check ## VALIDATE2_TMP_SS_CHECK=$(grep 'SS_EOF' "${TMP_SS_CHECK}" 2> /dev/null) if [[ -n "${VALIDATE2_TMP_SS_CHECK}" ]]; then ss_mv "${TMP_SS_CHECK}" "${PATH_SS_CHECK}" fi #################################################################################################### #### E. SS-Worker: Transfer Pilot File Settings (If Exists) ######################################## #################################################################################################### ## this snippet retrieves the remote pilot file defined in ss-config and reads settings ## ## it will replace old settings with pilot settings for multi-server management ## ## retrieve pilot file if exists ## if [[ -n "${SS_PILOT_FILE}" ]]; then ss_wget "${TMP_SS_PILOT_FILE}" "${SS_PILOT_FILE}" ## read variables from pilot file ## PILOT_CLOUDFLARE_API_KEY=$(source /tmp/ss-pilot; echo "${CLOUDFLARE_API_KEY}") PILOT_CLOUDFLARE_API_EMAIL=$(source /tmp/ss-pilot; echo "${CLOUDFLARE_API_EMAIL}") PILOT_NGINX_HEADER_POWERED_BY=$(source /tmp/ss-pilot; echo "${NGINX_HEADER_POWERED_BY}") PILOT_PHP_EXTENSIONS=$(source /tmp/ss-pilot; echo "${PHP_EXTENSIONS}") PILOT_WHITELABEL_BRAND=$(source /tmp/ss-pilot; echo "${WHITELABEL_BRAND}") PILOT_WHITELABEL_HOMEPAGE=$(source /tmp/ss-pilot; echo "${WHITELABEL_HOMEPAGE}") PILOT_WHITELABEL_SUPPORT_URL=$(source /tmp/ss-pilot; echo "${WHITELABEL_SUPPORT_URL}") PILOT_WHITELABEL_SUPPORT_EMAIL=$(source /tmp/ss-pilot; echo "${WHITELABEL_SUPPORT_EMAIL}") PILOT_WP_PLUGIN_BLACKLIST=$(source /tmp/ss-pilot; echo "${WP_PLUGIN_BLACKLIST}") PILOT_WP_PLUGIN_BLACKLIST_SOURCE=$(source /tmp/ss-pilot; echo "${WP_PLUGIN_BLACKLIST_SOURCE}") ## whitelabel brand ## if [[ -n "${PILOT_WHITELABEL_BRAND}" ]]; then ss_sed "s|\(^WHITELABEL_BRAND=\).*|WHITELABEL_BRAND=\"$PILOT_WHITELABEL_BRAND\"|g" "${PATH_SS_CONFIG}" fi ## whitelabel homepage ## if [[ -n "${PILOT_WHITELABEL_HOMEPAGE}" ]]; then ss_sed "s|\(^WHITELABEL_HOMEPAGE=\).*|WHITELABEL_HOMEPAGE=\"$PILOT_WHITELABEL_HOMEPAGE\"|g" "${PATH_SS_CONFIG}" fi ## whitelabel support url ## if [[ -n "${PILOT_WHITELABEL_SUPPORT_URL}" ]]; then ss_sed "s|\(^WHITELABEL_SUPPORT_URL=\).*|WHITELABEL_SUPPORT_URL=\"$PILOT_WHITELABEL_SUPPORT_URL\"|g" "${PATH_SS_CONFIG}" fi ## whitelabel support email ## if [[ -n "${PILOT_WHITELABEL_SUPPORT_EMAIL}" ]]; then ss_sed "s|\(^WHITELABEL_SUPPORT_EMAIL=\).*|WHITELABEL_SUPPORT_EMAIL=\"$PILOT_WHITELABEL_SUPPORT_EMAIL\"|g" "${PATH_SS_CONFIG}" fi ## nginx header powered by ## if [[ -n "${PILOT_NGINX_HEADER_POWERED_BY}" ]]; then ss_sed "s|\(^NGINX_HEADER_POWERED_BY=\).*|NGINX_HEADER_POWERED_BY=\"$PILOT_NGINX_HEADER_POWERED_BY\"|g" "${PATH_SS_CONFIG}" fi ## cloudflare api key ## if [[ -n "${PILOT_CLOUDFLARE_API_KEY}" ]]; then ss_sed "s|\(^CLOUDFLARE_API_KEY=\).*|CLOUDFLARE_API_KEY=\"$PILOT_CLOUDFLARE_API_KEY\"|g" "${PATH_SS_CONFIG}" fi ## cloudflare api email ## if [[ -n "${PILOT_CLOUDFLARE_API_EMAIL}" ]]; then ss_sed "s|\(^CLOUDFLARE_API_EMAIL=\).*|CLOUDFLARE_API_EMAIL=\"$PILOT_CLOUDFLARE_API_EMAIL\"|g" "${PATH_SS_CONFIG}" fi ## php extensions ## if [[ -n "${PILOT_PHP_EXTENSIONS}" ]]; then ss_sed "s|\(^PHP_EXTENSIONS=\).*|PHP_EXTENSIONS=\"$PILOT_PHP_EXTENSIONS\"|g" "${PATH_SS_CONFIG}" fi ## plugin blacklist status 1 ## if [[ -n "${PILOT_WP_PLUGIN_BLACKLIST}" ]]; then ss_sed "s|\(^SS_WORDPRESS_PLUGIN_BLACKLIST=\).*|SS_WORDPRESS_PLUGIN_BLACKLIST=\"$PILOT_WP_PLUGIN_BLACKLIST\"|g" "${PATH_SS_CONFIG}" fi ## plugin blacklist status 2 ## if [[ -n "${PILOT_WP_PLUGIN_BLACKLIST}" ]]; then ss_sed "s|\(^WP_PLUGIN_BLACKLIST=\).*|WP_PLUGIN_BLACKLIST=\"$PILOT_WP_PLUGIN_BLACKLIST\"|g" "${PATH_SS_CONFIG}" fi ## plugin blacklist source 1 ## if [[ -n "${PILOT_WP_PLUGIN_BLACKLIST_SOURCE}" ]]; then ss_sed "s|\(^SS_WORDPRESS_PLUGIN_BLACKLIST_SOURCE=\).*|SS_WORDPRESS_PLUGIN_BLACKLIST_SOURCE=\"$PILOT_WP_PLUGIN_BLACKLIST_SOURCE\"|g" "${PATH_SS_CONFIG}" fi ## plugin blacklist source 2 ## if [[ -n "${PILOT_WP_PLUGIN_BLACKLIST_SOURCE}" ]]; then ss_sed "s|\(^WP_PLUGIN_BLACKLIST_SOURCE=\).*|WP_PLUGIN_BLACKLIST_SOURCE=\"$PILOT_WP_PLUGIN_BLACKLIST_SOURCE\"|g" "${PATH_SS_CONFIG}" fi fi #################################################################################################### #### F. SS-Worker: Install Current SS-Constants.php Boilerplate #################################### #################################################################################################### ## here we use some janky magic to convert various system settings into PHP constants ## ## this allows us to use these handy PHP constants inside PHP scripts etc ## ## SNIPPET: ss-install-wordpress-config, ss-worker ## retrieve current boilerplate ## ss_wget "${TMP_SS_CONSTANTS_PHP}" "${GITHUB_SS_CONSTANTS_PHP}" ## set SlickStack dashboard ## if [[ -z "${SS_WORDPRESS_ADMIN_DASHBOARD}" ]]; then ss_sed "s/@SS_WORDPRESS_ADMIN_DASHBOARD/true/g" "${TMP_SS_CONSTANTS_PHP}" else ss_sed "s/@SS_WORDPRESS_ADMIN_DASHBOARD/${SS_WORDPRESS_ADMIN_DASHBOARD}/g" "${TMP_SS_CONSTANTS_PHP}" fi ## ss build ## ss_sed "s|@SS_BUILD|${SS_BUILD}|g" "${TMP_SS_CONSTANTS_PHP}" ## deprecated ## ## wp plugin blacklist ## ss_sed "s|@SS_WORDPRESS_PLUGIN_BLACKLIST_SOURCE|${WP_PLUGIN_BLACKLIST_SOURCE}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SS_WORDPRESS_PLUGIN_BLACKLIST_STATUS|${WP_PLUGIN_BLACKLIST}|g" "${TMP_SS_CONSTANTS_PHP}" ## wp cron ## ss_sed "s|@WP_CRON_METHOD|${WP_CRON_METHOD}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@WP_CRON_INTERVAL|${WP_CRON_INTERVAL}|g" "${TMP_SS_CONSTANTS_PHP}" ## server info ## ss_sed "s|@SYSTEM_VIRTUAL|${SYSTEM_VIRTUAL}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SYSTEM_LINUX_KERNEL|${SYSTEM_LINUX_KERNEL}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SYSTEM_CPU_CORES|${SYSTEM_CPU_CORES}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SYSTEM_OS_PRETTY_NAME|${SYSTEM_OS_PRETTY_NAME}|g" "${TMP_SS_CONSTANTS_PHP}" if [[ "${SYSTEM_UBUNTU_VERSION}" == "22.04" ]]; then SYSTEM_MYSQL_VERSION=$(ss_mysql_root --version |& awk '{print $3}' | sed 's/,//g') fi if [[ "${SYSTEM_UBUNTU_VERSION}" == "20.04" ]]; then SYSTEM_MYSQL_VERSION=$(ss_mysql_root --version |& awk '{print $3}' | sed 's/,//g') fi if [[ "${SYSTEM_UBUNTU_VERSION}" == "18.04" ]]; then SYSTEM_MYSQL_VERSION=$(ss_mysql_root --version |& awk '{print $5}' | sed 's/,//g') fi ## mysql version ## if [[ "${SS_DATABASE_REMOTE}" != "false" ]]; then ss_sed "s|@SYSTEM_MYSQL_VERSION|Unavailable|g" "${TMP_SS_CONSTANTS_PHP}" else ss_sed "s|@SYSTEM_MYSQL_VERSION|${SYSTEM_MYSQL_VERSION}|g" "${TMP_SS_CONSTANTS_PHP}" fi ## mysql database size ## if [[ "${SS_DATABASE_REMOTE}" != "false" ]]; then # ss_sed "/MYSQL_SIZE/d" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SYSTEM_MYSQL_SIZE|Unavailable|g" "${TMP_SS_CONSTANTS_PHP}" else ss_sed "s|@SYSTEM_MYSQL_SIZE|${SYSTEM_MYSQL_SIZE}|g" "${TMP_SS_CONSTANTS_PHP}" fi ## disk free space ## ss_sed "s|@SYSTEM_DISK_FREE_EASY|${SYSTEM_DISK_FREE_EASY}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SYSTEM_DISK_FREE|${SYSTEM_DISK_FREE}|g" "${TMP_SS_CONSTANTS_PHP}" ## disk total space ## ss_sed "s|@SYSTEM_DISK_TOTAL_EASY|${SYSTEM_DISK_TOTAL_EASY}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SYSTEM_DISK_TOTAL|${SYSTEM_DISK_TOTAL}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SYSTEM_DISK_USED_PERCENT|${SYSTEM_DISK_USED_PERCENT}|g" "${TMP_SS_CONSTANTS_PHP}" ## ipv4 address ## ss_sed "s|@SYSTEM_IPV4_ADDRESS|${SYSTEM_IPV4_ADDRESS}|g" "${TMP_SS_CONSTANTS_PHP}" ## ipv6 address ## ss_sed "s|@SYSTEM_IPV6_ADDRESS|${SYSTEM_IPV6_ADDRESS}|g" "${TMP_SS_CONSTANTS_PHP}" ## server hostname ## ss_sed "s|@SYSTEM_HOSTNAME|${SYSTEM_HOSTNAME}|g" "${TMP_SS_CONSTANTS_PHP}" ## nginx version ## ss_sed "s|@SYSTEM_SERVER_SOFTWARE|${SYSTEM_SERVER_SOFTWARE}|g" "${TMP_SS_CONSTANTS_PHP}" ## php version ## ss_sed "s|@SYSTEM_PHP_VERSION|${SYSTEM_PHP_VERSION}|g" "${TMP_SS_CONSTANTS_PHP}" ## php extensions ## ss_sed "s|@SYSTEM_PHP_EXTENSIONS|${SYSTEM_PHP_EXTENSIONS}|g" "${TMP_SS_CONSTANTS_PHP}" ## sftp details ## ss_sed "s|@SFTP_USER|${SFTP_USER}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SFTP_PASSWORD|${SFTP_PASSWORD}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SFTP_PORT|${SSH_PORT}|g" "${TMP_SS_CONSTANTS_PHP}" ## cloudflare api ## ss_sed "s|@CLOUDFLARE_API_KEY|${CLOUDFLARE_API_KEY}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@CLOUDFLARE_API_EMAIL|${CLOUDFLARE_API_EMAIL}|g" "${TMP_SS_CONSTANTS_PHP}" ## whitelabel ## ss_sed "s|@WHITELABEL_BRAND|${WHITELABEL_BRAND}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@WHITELABEL_HOMEPAGE|${WHITELABEL_HOMEPAGE}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@WHITELABEL_SUPPORT_URL|${WHITELABEL_SUPPORT_URL}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@WHITELABEL_SUPPORT_EMAIL|${WHITELABEL_SUPPORT_EMAIL}|g" "${TMP_SS_CONSTANTS_PHP}" ## staging/dev ## ss_sed "s|@STAGING_SITE_STATUS|${STAGING_SITE}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@DEV_SITE_STATUS|${DEV_SITE}|g" "${TMP_SS_CONSTANTS_PHP}" ss_sed "s|@SYNC_STAGING_SITE_STATUS|${SS_SYNC_STAGING}|g" "${TMP_SS_CONSTANTS_PHP}" ## validate and reinstall ## VALIDATE_TMP_SS_CONSTANTS_PHP=$(grep 'SS_EOF' "$TMP_SS_CONSTANTS_PHP") if [[ -n "${VALIDATE_TMP_SS_CONSTANTS_PHP}" ]]; then ss_mv "${TMP_SS_CONSTANTS_PHP}" "${PATH_SS_CONSTANTS_PHP}" chown www-data:www-data "${PATH_SS_CONSTANTS_PHP}" chmod 0440 "${PATH_SS_CONSTANTS_PHP}" ## 0440 (read-only) fi #################################################################################################### #### G. SS-Worker: Reset Permissions (SlickStack) ################################################## #################################################################################################### ## we hardcode this permissions reset snippet into some core scripts for redundancy ## ## this ensures permissions are regularly fixed without any dependencies ## ## THIS SNIPPET DOES NOT RELY ON SS-CONFIG OR SS-FUNCTIONS ## ## SNIPPET: ss-worker, ss core cron jobs ## UPDATED: 23JUL2023 ## make directories ## mkdir /var/www mkdir /var/www/auth mkdir /var/www/backups mkdir /var/www/backups/config mkdir /var/www/backups/crons mkdir /var/www/backups/html mkdir /var/www/backups/mysql mkdir /var/www/backups/mysql/data mkdir /var/www/backups/nginx mkdir /var/www/backups/private ## create only if does not exist yet (this folder is for the sudo user to save random files he desires) mkdir /var/www/cache mkdir /var/www/cache/nginx mkdir /var/www/cache/opcache mkdir /var/www/cache/system mkdir /var/www/certs mkdir /var/www/certs/keys mkdir /var/www/crons mkdir /var/www/crons/custom mkdir /var/www/html mkdir /var/www/html/.well-known mkdir /var/www/html/.well-known/acme-challenge mkdir /var/www/logs mkdir /var/www/meta mkdir /var/www/meta/assets mkdir /var/www/meta/assets/images mkdir /var/www/meta/timestamps mkdir /var/www/sites mkdir /var/www/sites/includes ## if staging enabled if [[ "$STAGING_SITE" != "false" ]]; then mkdir /var/www/html/staging mkdir /var/www/html/staging/.well-known mkdir /var/www/html/staging/.well-known/acme-challenge chown -R "${SFTP_USER}":www-data /var/www/html/staging/.well-known ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ## chown -R "${SFTP_USER}":www-data /var/www/html/staging/.well-known/acme-challenge ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ## fi if [[ -f "/var/www/backups/mysql/production.sql" ]]; then chown -R "${SFTP_USER}":www-data "${PATH_DUMP_DATABASE_PRODUCTION}" chmod 0440 "${PATH_DUMP_DATABASE_PRODUCTION}" fi ## if dev enabled if [[ "$DEV_SITE" != "false" ]]; then mkdir /var/www/html/dev mkdir /var/www/html/dev/.well-known mkdir /var/www/html/dev/.well-known/acme-challenge chown -R "${SFTP_USER}":www-data /var/www/html/dev/.well-known ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ## chown -R "${SFTP_USER}":www-data /var/www/html/dev/.well-known/acme-challenge ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ## fi ## user/group ownership ## chown root:root /var/www ## must be root:root chown root:root /var/www/backups ## must be root:root chown root:root /var/www/backups/config ## must be root:root chown root:root /var/www/backups/mysql ## must be root:root chown root:root /var/www/backups/mysql/data ## must be root:root chown -R root:root /var/www/backups/private ## must be root:root chown www-data:www-data /var/www/cache ## must be www-data:www-data chown www-data:www-data /var/www/cache/nginx ## must be www-data:www-data chown www-data:www-data /var/www/cache/opcache ## must be www-data:www-data (PHP-FPM pool) chown root:root /var/www/cache/system ## must be root:root chown root:root /var/www/certs ## must be root:root chown root:root /var/www/certs/keys ## must be root:root chown root:root /var/www/crons ## must be root:root chown root:root /var/www/crons/*cron* ## must be root:root chown root:root /var/www/crons/custom ## must be root:root chown root:root /var/www/crons/custom/*cron* ## must be root:root chown -R "${SFTP_USER}":www-data /var/www/html/.well-known ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ## chown -R "${SFTP_USER}":www-data /var/www/html/.well-known/acme-challenge ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ## chown www-data:www-data /var/www/logs ## must be www-data:www-data chown www-data:www-data /var/www/logs/nginx*.log ## must be www-data:www-data chown www-data:www-data /var/www/meta ## must be www-data:www-data chown www-data:www-data /var/www/meta/.htpasswd ## must be www-data:www-data chown www-data:www-data /var/www/meta/ss-constants.php ## must be www-data:www-data chown root:root /var/www/ss* ## must be root:root ## https://serverfault.com/questions/501258/php-fpm-gives-permission-denied chown -Rf www-data:www-data /var/lib/nginx ## https://slickstack.io/forum/topic/php-fpm-fails-on-openvz-server-from-dedipath ## linux permissions ## chmod 0755 /var/www ## must be 0755 chmod 0775 /var/www/cache ## 0755 should also work chmod 0755 /var/www/cache/opcache ## 0755 should work chmod 0755 /var/www/certs ## must be 0755 chmod 0700 /var/www/certs/keys ## must be 0700 chmod 0644 /var/www/certs/*.crt ## must be 0644 chmod 0644 /var/www/certs/*.pem ## must be 0644 chmod 0600 /var/www/certs/keys/*.key ## must be 0600 chmod 0600 /var/www/certs/keys/*.pem ## must be 0600 chmod 0755 /var/www/crons ## must be 0755 chmod 0700 /var/www/crons/*cron* ## 0700 means only root can execute chmod 0755 /var/www/crons/custom ## must be 0755 chmod 0700 /var/www/crons/custom/*cron* ## 0700 means only root can execute chmod 0755 /var/www/html/.well-known ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ## chmod 0775 /var/www/logs ## 6755 should also work chmod 0775 /var/www/meta ## 6755 should also work chmod 0644 /var/www/meta/.htpasswd ## 0644 seems enough chmod 0440 /var/www/meta/ss-constants.php chmod 0700 /var/www/ss* ## 0700 means only root can execute #################################################################################################### #### H. SS-Worker: Download Current Blacklist.txt File ############################################# #################################################################################################### ## here we retrieve the latest plugin blacklist file which might contain urgent changes ## ## maintaining a thoughtful blacklist vastly improves WP performance and security ## ## download latest blacklist (or custom blacklist) ## if [[ -z "${WP_PLUGIN_BLACKLIST_SOURCE}" ]]; then ss_wget "${TMP_BLACKLIST_TXT}" "${GITHUB_BLACKLIST_TXT}" else ss_wget "${TMP_BLACKLIST_TXT}" "${WP_PLUGIN_BLACKLIST_SOURCE}" fi ## copy file to wp-content directory ## ss_mkdir /var/www/html/wp-content/ ss_cp "${TMP_BLACKLIST_TXT}" /var/www/html/wp-content/blacklist.txt ## reset permissions ## chown www-data:slickstack /var/www/html/wp-content/blacklist.txt ## change to www-data:www-data when ss-perms fixed chmod 0440 /var/www/html/wp-content/blacklist.txt ## NULL blacklist.txt if ss-config false (allows default SS MU plugin to be installed while still being able to disable plugin blacklist) ## if [[ "${WP_PLUGIN_BLACKLIST}" == "false" ]]; then cat /dev/null > /var/www/html/wp-content/blacklist.txt if [[ "${DEV_SITE}" != "false" ]]; then ss_touch /var/www/html/dev/wp-content/blacklist.txt cat /dev/null > /var/www/html/dev/wp-content/blacklist.txt fi if [[ "${STAGING_SITE}" != "false" ]]; then ss_touch /var/www/html/staging/wp-content/blacklist.txt cat /dev/null > /var/www/html/staging/wp-content/blacklist.txt fi fi #################################################################################################### #### I. SS-Worker: Install Default Robots.txt File (If Not Exists) ################################# #################################################################################################### ## here we install a basic robots.txt file in case none exists yet on production site ## ## by default we allow all URLs to be crawled and block archive.org crawling ## if [[ ! -f "${PATH_ROBOTS_TXT}" ]]; then ss_wget "${TMP_ROBOTS_TXT}" "${GITHUB_ROBOTS_TXT}" ss_cp "${TMP_ROBOTS_TXT}" "${PATH_ROBOTS_TXT}" chown www-data:www-data "${PATH_ROBOTS_TXT}" chmod 0644 "${PATH_ROBOTS_TXT}" fi #################################################################################################### #### I. SS-Clean-Files: Delete Object Cache Files (Conditional) #################################### #################################################################################################### ## SINCE THIS IS STACK CONFIGURATION PROBABLY SHOULD NOT EXIST IN ss-clean ## ## in case the object cache is disabled in ss-config settings we delete that file here ## ## delete from staging/dev (always) ## ss_rm /var/www/html/staging/wp-content/object-cache.php ss_rm /var/www/html/dev/wp-content/object-cache.php ## delete from production (conditional) ## if [[ "${SS_OBJECT_CACHE}" == "false" ]]; then ss_rm /var/www/html/wp-content/object-cache.php fi #################################################################################################### #### J. SS-Worker: Image Assets ################################################ #################################################################################################### ##### ss_rm /var/www/meta/assets/*.png ss_rm /var/www/meta/assets/images/security-headers.png ss_rm /var/www/meta/assets/images/ssl-labs.png ss_rm /var/www/meta/assets/images/*.png #################################################################################################### #### J. SS-Worker: Temporary Tasks (Urgent Patches) ################################################ #################################################################################################### ## our team uses the below space to occassionally add urgent patches to SlickStack ## ## this is usually easier as it doesnt depend on your interval_ss settings ## # if [[ "${SS_LOCKDOWN}" != "true" ]]; then # source /var/www/ss-install-memcached-packages # source /var/www/ss-install-memcached-config # source /var/www/ss-install-nginx-config # source /var/www/ss-install-php-packages # source /var/www/ss-install-wordpress-cli # source /var/www/ss-install-wordpress-packages # source /var/www/ss-install-wordpress-config # source /var/www/ss-install-wordpress-mu-plugins # source /var/www/ss-perms # source /var/www/ss-install-ubuntu-bash # source /var/www/ss-install-ubuntu-users # source /var/www/ss-encrypt-openssl # source /var/www/ss-encrypt-certbot # source /var/www/ss-reboot # source /var/www/ss-install-ubuntu-crontab # source /var/www/ss-update-config # source /var/www/ss-install-ufw # source /var/www/ss-clean-files # fi ## forced fixes ## ss_sed 's|SS_LOCKDOWN=""|SS_LOCKDOWN="false"|g' /var/www/ss-config ss_sed 's|SSH_KEYS=""|SSH_KEYS="false"|g' /var/www/ss-config ss_sed 's|SSH_RESTRICT_IP=""|SSH_RESTRICT_IP="false"|g' /var/www/ss-config ss_sed 's|SITE_NOINDEX=""|SITE_NOINDEX="false"|g' /var/www/ss-config ss_sed 's|DB_HOST=""|DB_HOST="127.0.0.1"|g' /var/www/ss-config ss_sed 's|DB_PORT=""|DB_PORT="3306"|g' /var/www/ss-config ss_sed 's|DB_PREFIX=""|DB_PREFIX="wp_"|g' /var/www/ss-config ss_sed 's|DEV_SITE=""|DEV_SITE="false"|g' /var/www/ss-config ss_sed 's|DEV_SITE_PROTECT=""|DEV_SITE_PROTECT="false"|g' /var/www/ss-config ss_sed 's|STAGING_SITE=""|STAGING_SITE="false"|g' /var/www/ss-config ss_sed 's|STAGING_SITE_PROTECT=""|STAGING_SITE_PROTECT="false"|g' /var/www/ss-config ss_sed 's|GUEST_USER=""|GUEST_USER="guest"|g' /var/www/ss-config ss_sed 's|SS_APP=""|SS_APP="wordpress"|g' /var/www/ss-config ss_sed 's|SS_LANGUAGE=""|SS_LANGUAGE="en_US"|g' /var/www/ss-config ss_sed 's|SS_ADMINER_PUBLIC=""|SS_ADMINER_PUBLIC="true"|g' /var/www/ss-config ss_sed 's|SS_DATABASE_REMOTE=""|SS_DATABASE_REMOTE="false"|g' /var/www/ss-config ss_sed 's|SS_OBJECT_CACHE=""|SS_OBJECT_CACHE="true"|g' /var/www/ss-config ss_sed 's|SS_SYNC_DEVELOPMENT=""|SS_SYNC_DEVELOPMENT="false"|g' /var/www/ss-config ss_sed 's|SS_SYNC_STAGING=""|SS_SYNC_STAGING="true"|g' /var/www/ss-config ss_sed 's|SS_REMOTE_BACKUPS=""|SS_REMOTE_BACKUPS="false"|g' /var/www/ss-config ss_sed 's|SS_PILOT_FILE="@SS_PILOT_FILE"|SS_PILOT_FILE=""|g' /var/www/ss-config ss_sed 's|WP_MULTISITE=""|WP_MULTISITE="false"|g' /var/www/ss-config ss_sed 's|WP_MULTISITE_SUBDOMAINS=""|WP_MULTISITE_SUBDOMAINS="true"|g' /var/www/ss-config ss_sed 's|WP_DEFAULT_THEME=""|WP_DEFAULT_THEME="twentytwenty"|g' /var/www/ss-config ss_sed 's|WP_PLUGIN_BLACKLIST=""|WP_PLUGIN_BLACKLIST="true"|g' /var/www/ss-config ss_sed 's|INTERVAL_SS_ENCRYPT_CERTBOT="sometimes"|INTERVAL_SS_ENCRYPT_CERTBOT="half-monthly"|g' /var/www/ss-config ## nginx fails patch ## ss_sed 's|FCGI_BUFFERS="16 16k"|FCGI_BUFFERS="32 32k"|g' /var/www/ss-config ## csp typo ## ss_sed 's|frame-ancestors:|frame-ancestors|g' /etc/nginx/nginx.conf ## port 22 patch finished we will no longer disable UFW ## ## to avoid potential lockouts we will not force-enable UFW until possibly later ## if [[ ! -f "/var/www/html/wp-content/mu-plugins/ss-icon.svg" ]]; then ss_wget "${TMP_SS_ICON_SVG}" "${GITHUB_SS_ICON_SVG}" ss_mv "${TMP_SS_ICON_SVG}" "${PATH_SS_ICON_SVG}" fi ## tmp fix ## ss_rm /var/www/sites/hovercraft* ## fix broken sudoers ## VALIDATE_SUDOERS_FILE=$(grep 'SS_EOF' "${PATH_SUDOERS}" 2> /dev/null) if [[ -z "${VALIDATE_SUDOERS_FILE}" ]]; then source /var/www/ss-install-ubuntu-users fi ## this file should now exist under /var/www/sites/includes/ ## ss_rm /etc/nginx/conf.d/cloudflare.conf if [[ -f "/etc/nginx/conf.d/featurepolicy.conf" ]] && [[ ! -f "/var/www/sites/includes/featurepolicy.conf" ]]; then ss_cp /etc/nginx/conf.d/featurepolicy.conf /var/www/sites/includes/featurepolicy.conf # ss_rm /etc/nginx/conf.d/featurepolicy.conf fi ## temp patch if [[ "${SS_ADMINER_PUBLIC}" == "false" ]]; then ss_rm /var/www/meta/adminer.php fi ## aggressive malware temp patch ss_rm /var/www/html/sw.js #################################################################################################### #### SlickStack: Reset Permissions (SlickStack Scripts) ############################################ #################################################################################################### ## we include this permissions reset in all cron jobs and bash scripts for redundancy ## ## chmod 0700 means only the root/sudo users can execute any SlickStack scripts ## ## THIS SNIPPET DOES NOT RELY ON SS-CONFIG OR SS-FUNCTIONS ## SNIPPET: ss bash scripts, ss cron jobs ## UPDATED: 02JUL2022 chown root:root /var/www/ss* ## must be root:root chown root:root /var/www/crons/*cron* ## must be root:root chown root:root /var/www/crons/custom/*cron* ## must be root:root chmod 0700 /var/www/ss* ## 0700 means only root/sudo can execute chmod 0700 /var/www/crons/*cron* ## 0700 means only root/sudo can execute chmod 0700 /var/www/crons/custom/*cron* ## 0700 means only root/sudo can execute #################################################################################################### #### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ############### #################################################################################################### ## Ref: https://linuxize.com/post/bash-functions/ ## Ref: https://www.cyberciti.biz/faq/unix-linux-appleosx-bsd-shell-appending-date-to-filename/ ## Ref: https://wordpress.stackexchange.com/questions/199725/triggering-cron-by-calling-wp-cron-php-on-the-command-line-rather-than-with-wget ## Ref: https://serverfault.com/questions/259302/best-location-to-keep-ssl-certificates-and-private-keys-on-ubuntu-servers ## Ref: https://tldp.org/LDP/abs/html/comparison-ops.html ## Ref: https://stackoverflow.com/questions/33203898/wget-skip-download-if-file-already-exists ## Ref: https://stackoverflow.com/questions/12664534/idealised-wget-download-install-process ## Ref: https://unix.stackexchange.com/questions/471521/how-to-get-only-the-version-number-of-php ## Ref: https://stackoverflow.com/questions/62271695/sed-command-isnt-working-to-extract-the-nginx-version-number ## Ref: https://unix.stackexchange.com/questions/67806/how-to-recursively-find-the-amount-stored-in-directory ## Ref: https://www.tecmint.com/check-linux-disk-usage-of-files-and-directories/ ## Ref: https://dba.stackexchange.com/questions/14337/calculating-disk-space-usage-per-mysql-db ## Ref: https://serverfault.com/questions/693027/how-to-extract-mysql-version-by-bash-script-in-centos-6 ## Ref: https://ss64.com/bash/stat.html ## Ref: https://stackoverflow.com/questions/8714355/turning-multi-line-string-into-single-comma-separated ## Ref: https://unix.stackexchange.com/questions/104881/remove-particular-characters-from-a-variable-using-bash ## Ref: https://unix.stackexchange.com/questions/257514/how-to-delete-the-rest-of-each-line-after-a-certain-pattern-or-a-string-in-a-fil ## Ref: https://stackoverflow.com/questions/8049132/how-can-i-detect-whether-a-symlink-is-broken-in-bash ## Ref: https://roots.io/trellis/docs/nginx-includes/ ## SS_EOF