feat: v2.5.0 - Complete Technology & Security Update
Features: - PHP 8.4 support (from 8.3) - WordPress 7.0 (auto-update via WP-CLI) - Modern TLS 1.3 cipher suites (2026 best practices) - Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive) - Auto-update cron job for WordPress (weekly Minor updates) - Debian 14 Forky support (testing) - Ubuntu 25.04 support - Python 3.12 in GitHub Actions Security: - Fail2Ban with SSH brute force protection (24h ban) - WordPress wp-login.php protection (2h ban) - Nginx bot scanner protection - Recidive jail for repeat offenders (1 week ban) - Modern TLS ciphers (AEAD only) - HSTS 2 years for preload Documentation: - docs/autoupdate.md - WordPress auto-update guide - docs/fail2ban.md - Fail2Ban configuration guide - docs/troubleshooting.md - Updated with php_version variable Breaking changes: - PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
This commit is contained in:
8
docs/PROJECT_OVERVIEW.md
Normal file → Executable file
8
docs/PROJECT_OVERVIEW.md
Normal file → Executable file
@@ -70,8 +70,8 @@ ansible-lemp-wordpress/
|
||||
## 🚀 Supported Environments
|
||||
|
||||
### Operating Systems
|
||||
- ✅ **Ubuntu** 20.04, 22.04, 24.04 LTS (fully tested)
|
||||
- ✅ **Debian** 11, 12 (compatible)
|
||||
- ✅ **Ubuntu** 20.04, 22.04, 24.04, 25.04 (fully tested)
|
||||
- ✅ **Debian** 11, 12, 13, 14 (compatible)
|
||||
|
||||
### Deployment Targets
|
||||
- ✅ **Docker** containers (development/testing with included setup)
|
||||
@@ -86,7 +86,7 @@ ansible-lemp-wordpress/
|
||||
|---------|------------|---------------|
|
||||
| Nginx Web Server | ✅ | ✅ (optimized) |
|
||||
| MySQL Database | ✅ | ✅ (tuned) |
|
||||
| PHP 8.3+ | ✅ | ✅ (with OPcache) |
|
||||
| PHP 8.4+ | ✅ | ✅ (with OPcache) |
|
||||
| WordPress + WP-CLI | ✅ | ✅ |
|
||||
| SSL/HTTPS Support | ✅ | ✅ |
|
||||
| Security Hardening | ✅ | ✅ |
|
||||
@@ -180,7 +180,7 @@ ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress-ultimate.y
|
||||
|
||||
- **Total Files**: ~30 (clean, focused codebase)
|
||||
- **Lines of Code**: ~2,000 (Ansible YAML, Jinja2, Documentation)
|
||||
- **Supported OS**: Ubuntu 20.04/22.04/24.04, Debian 11/12
|
||||
- **Supported OS**: Ubuntu 20.04/22.04/24.04/25.04, Debian 11/12/13/14
|
||||
- **Deployment Modes**: 2 (Basic + Ultimate)
|
||||
- **Templates**: 5 (production-tested)
|
||||
- **Documentation Pages**: 9 comprehensive guides (README + 8 in docs/)
|
||||
|
||||
4
docs/README.de.md
Normal file → Executable file
4
docs/README.de.md
Normal file → Executable file
@@ -19,8 +19,8 @@
|
||||
✅ **Komplette LEMP-Stack-Installation**
|
||||
- Nginx-Webserver mit produktionsreifer Optimierung
|
||||
- MySQL 8.0+ mit sicherer Einrichtung und Performance-Tuning
|
||||
- PHP 8.3+ mit FPM, OPcache und WordPress-Erweiterungen
|
||||
- Ubuntu/Debian-Familie Unterstützung (20.04, 22.04, 24.04, Debian 11, 12)
|
||||
- PHP 8.4+ mit FPM, OPcache und WordPress-Erweiterungen
|
||||
- Ubuntu/Debian-Familie Unterstützung (20.04, 22.04, 24.04, 25.04, Debian 11, 12, 13, 14)
|
||||
|
||||
### 🛡️ WordPress & Sicherheit
|
||||
✅ **WordPress-Automatisierung & Sicherheit**
|
||||
|
||||
4
docs/README.hu.md
Normal file → Executable file
4
docs/README.hu.md
Normal file → Executable file
@@ -19,8 +19,8 @@
|
||||
✅ **Teljes LEMP Stack telepítés**
|
||||
- Nginx webszerver termelésre kész optimalizálással
|
||||
- MySQL 8.0+ biztonságos beállítással és teljesítmény-hangolással
|
||||
- PHP 8.3+ FPM-mel, OPcache-sel és WordPress bővítményekkel
|
||||
- Ubuntu/Debian család támogatás (20.04, 22.04, 24.04, Debian 11, 12)
|
||||
- PHP 8.4+ FPM-mel, OPcache-sel és WordPress bővítményekkel
|
||||
- Ubuntu/Debian család támogatás (20.04, 22.04, 24.04, 25.04, Debian 11, 12, 13, 14)
|
||||
|
||||
### 🛡️ WordPress és Biztonság
|
||||
✅ **WordPress automatizálás és biztonság**
|
||||
|
||||
117
docs/autoupdate.md
Normal file
117
docs/autoupdate.md
Normal file
@@ -0,0 +1,117 @@
|
||||
# WordPress Auto-Update Guide
|
||||
|
||||
## Overview
|
||||
|
||||
This project includes automated WordPress update functionality via WP-CLI.
|
||||
|
||||
## Features
|
||||
|
||||
- Automated weekly core updates (Minor)
|
||||
- Plugin and theme updates
|
||||
- Automatic backup before updates
|
||||
- Maintenance mode handling
|
||||
- Logging to `/var/log/wp-update.log`
|
||||
|
||||
## Configuration
|
||||
|
||||
### Default Behavior
|
||||
|
||||
| Setting | Value | Description |
|
||||
|---------|-------|-------------|
|
||||
| Core Updates | Minor only | 6.x → 6.x.y |
|
||||
| Schedule | Weekly (Sunday 4:00 AM) | Configurable |
|
||||
| Backup | Enabled | Auto backup before update |
|
||||
|
||||
### Change Update Schedule
|
||||
|
||||
Edit the cron job on your server:
|
||||
|
||||
```bash
|
||||
# Edit cron job
|
||||
crontab -e
|
||||
|
||||
# Change from weekly to daily (2 AM)
|
||||
0 2 * * * /usr/local/bin/wp-update.sh --minor --no-backup >> /var/log/wp-update.log 2>&1
|
||||
```
|
||||
|
||||
### Enable Major Updates
|
||||
|
||||
In your inventory file, add:
|
||||
|
||||
```yaml
|
||||
update_cron_enabled: true
|
||||
# Note: Major updates are manual only for safety
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
### Manual Update
|
||||
|
||||
```bash
|
||||
# Minor update (default)
|
||||
sudo /usr/local/bin/wp-update.sh
|
||||
|
||||
# Major update
|
||||
sudo /usr/local/bin/wp-update.sh --major
|
||||
|
||||
# Force update (specific version)
|
||||
sudo /usr/local/bin/wp-update.sh --force
|
||||
|
||||
# Skip backup
|
||||
sudo /usr/local/bin/wp-update.sh --no-backup
|
||||
```
|
||||
|
||||
### View Current Version
|
||||
|
||||
```bash
|
||||
wp core version
|
||||
```
|
||||
|
||||
### Check for Updates
|
||||
|
||||
```bash
|
||||
wp core check-update
|
||||
```
|
||||
|
||||
### Disable Auto-Updates
|
||||
|
||||
```bash
|
||||
# Remove cron job
|
||||
sudo crontab -e
|
||||
# Delete the line: wordpress-weekly-update
|
||||
|
||||
# Or disable via Ansible
|
||||
update_cron_enabled: false
|
||||
```
|
||||
|
||||
## Log Files
|
||||
|
||||
- Update log: `/var/log/wp-update.log`
|
||||
- Backups: `/var/backups/wordpress/`
|
||||
- Database: `/var/backups/wordpress/YYYYMMDD-HHMMSS/wp-db.sql`
|
||||
- Files: `/var/backups/wordpress/YYYYMMDD-HHMMSS/wp-files.tar.gz`
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### Update Failed
|
||||
|
||||
```bash
|
||||
# Check logs
|
||||
tail -f /var/log/wp-update.log
|
||||
|
||||
# Manual recovery
|
||||
wp maintenance-mode deactivate
|
||||
```
|
||||
|
||||
### Rollback
|
||||
|
||||
```bash
|
||||
# Restore database
|
||||
mysql -u wordpress_user -p wordpress_db < /var/backups/wordpress/20240101-120000/wp-db.sql
|
||||
```
|
||||
|
||||
## Security Notes
|
||||
|
||||
- Auto-updates are set to Minor only (recommended)
|
||||
- Major updates should be tested on staging first
|
||||
- Always backup before updating
|
||||
155
docs/fail2ban.md
Normal file
155
docs/fail2ban.md
Normal file
@@ -0,0 +1,155 @@
|
||||
# Fail2Ban Security Guide
|
||||
|
||||
## Overview
|
||||
|
||||
Fail2Ban is included in this project to protect your server against brute-force attacks. It monitors log files and bans IPs that show malicious behavior.
|
||||
|
||||
## Enabled Jails
|
||||
|
||||
| Jail | Description | Default Actions |
|
||||
|------|-------------|-----------------|
|
||||
| sshd | SSH brute force | Ban for 24h after 3 failures |
|
||||
| nginx-http-auth | HTTP Auth failures | Ban for 1h after 5 failures |
|
||||
| nginx-botsearch | Bot scanners | Ban for 2h after 2 failures |
|
||||
| wordpress-login | WordPress login attempts | Ban for 2h after 5 failures |
|
||||
| recidive | Repeat offenders | Ban for 1 week after 3 bans |
|
||||
|
||||
## Quick Commands
|
||||
|
||||
### Check Status
|
||||
|
||||
```bash
|
||||
# See all bans
|
||||
sudo fail2ban-client status
|
||||
|
||||
# See specific jail
|
||||
sudo fail2ban-client status sshd
|
||||
sudo fail2ban-client status wordpress-login
|
||||
```
|
||||
|
||||
### Unban IP
|
||||
|
||||
```bash
|
||||
# Unban specific IP
|
||||
sudo fail2ban-client set sshd unbanip 192.168.1.100
|
||||
sudo fail2ban-client unban 192.168.1.100
|
||||
|
||||
# Unban all
|
||||
sudo fail2ban-client unban --all
|
||||
```
|
||||
|
||||
### Manage Jails
|
||||
|
||||
```bash
|
||||
# Disable a jail
|
||||
sudo fail2ban-client set wordpress-login disabled
|
||||
|
||||
# Enable a jail
|
||||
sudo fail2ban-client set wordpress-login enabled
|
||||
```
|
||||
|
||||
## Log Files
|
||||
|
||||
- Fail2Ban log: `/var/log/fail2ban.log`
|
||||
- Banned IPs database: `/var/lib/fail2ban/fail2ban.sqlite3`
|
||||
|
||||
## Configuration
|
||||
|
||||
### Default Settings
|
||||
|
||||
| Setting | Value | Description |
|
||||
|--------|-------|-------------|
|
||||
| bantime | 3600s (1h) | Default ban duration |
|
||||
| findtime | 600s (10m) | Window to count failures |
|
||||
| maxretry | 5 | Failures before ban |
|
||||
| bantime.increment | true | Increase for repeat offenders |
|
||||
|
||||
### Add Trusted IP
|
||||
|
||||
Edit `/etc/fail2ban/jail.local`:
|
||||
|
||||
```ini
|
||||
[DEFAULT]
|
||||
ignoreip = 127.0.0.1/8 ::1 203.0.113.42
|
||||
```
|
||||
|
||||
## Testing
|
||||
|
||||
### Test SSH Filter
|
||||
|
||||
```bash
|
||||
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
|
||||
```
|
||||
|
||||
### Test WordPress Filter
|
||||
|
||||
```bash
|
||||
sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress-login.conf
|
||||
```
|
||||
|
||||
## Whitelist Your IP (Important!)
|
||||
|
||||
Before testing, add your IP to the whitelist:
|
||||
|
||||
```bash
|
||||
# Edit jail.local
|
||||
sudo nano /etc/fail2ban/jail.local
|
||||
|
||||
# Add to [DEFAULT]:
|
||||
ignoreip = 127.0.0.1/8 ::1 YOUR_IP_ADDRESS
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### No Bans Happen
|
||||
|
||||
1. Check log path: `sudo fail2ban-client get wordpress-login logpath`
|
||||
2. Test filter: `sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress-login.conf`
|
||||
3. Verify log exists: `sudo tail /var/log/nginx/access.log`
|
||||
|
||||
### Locked Out
|
||||
|
||||
```bash
|
||||
# Unban yourself
|
||||
sudo fail2ban-client unban YOUR_IP
|
||||
```
|
||||
|
||||
### Service Not Starting
|
||||
|
||||
```bash
|
||||
# Check status
|
||||
sudo systemctl status fail2ban
|
||||
|
||||
# Check logs
|
||||
sudo journalctl -u fail2ban -n 50
|
||||
```
|
||||
|
||||
## Customize Ban Time
|
||||
|
||||
For specific services, edit `/etc/fail2ban/jail.local`:
|
||||
|
||||
```ini
|
||||
[sshd]
|
||||
bantime = 86400 # 24 hours for SSH
|
||||
|
||||
[wordpress-login]
|
||||
bantime = 7200 # 2 hours for WordPress
|
||||
maxretry = 3 # Stricter for WordPress
|
||||
```
|
||||
|
||||
## Disable Fail2Ban
|
||||
|
||||
```bash
|
||||
# Stop service
|
||||
sudo systemctl stop fail2ban
|
||||
|
||||
# Disable on boot
|
||||
sudo systemctl disable fail2ban
|
||||
```
|
||||
|
||||
## Security Notes
|
||||
|
||||
- Always whitelist your own IP before deploying
|
||||
- SSH jail has strict settings (3 retries) - ensure you use SSH keys
|
||||
- Incremental bans enabled - repeat offenders get longer bans
|
||||
- Recidive jail bans for 1 week after 3 bans in 24h
|
||||
0
docs/multi-environment-deployment.md
Normal file → Executable file
0
docs/multi-environment-deployment.md
Normal file → Executable file
9
docs/production-deployment.md
Normal file → Executable file
9
docs/production-deployment.md
Normal file → Executable file
@@ -188,7 +188,7 @@ sudo ufw enable
|
||||
### 1. Log Files
|
||||
Monitor these log files:
|
||||
- Nginx: `/var/log/nginx/access.log` and `/var/log/nginx/error.log`
|
||||
- PHP-FPM: `/var/log/php8.3-fpm.log`
|
||||
- PHP-FPM: `/var/log/php8.4-fpm.log`
|
||||
- MySQL: `/var/log/mysql/error.log`
|
||||
- WordPress: `/var/www/html/wp-content/debug.log` (if WP_DEBUG enabled)
|
||||
|
||||
@@ -233,12 +233,9 @@ ssh -v deployer@your-server.com
|
||||
# Check service status
|
||||
sudo systemctl status nginx
|
||||
sudo systemctl status mysql
|
||||
sudo systemctl status php8.3-fpm
|
||||
sudo systemctl status php{{ php_version | default('8.4') }}-fpm
|
||||
|
||||
# View logs
|
||||
sudo journalctl -u nginx
|
||||
sudo journalctl -u mysql
|
||||
sudo journalctl -u php8.3-fpm
|
||||
sudo journalctl -u php{{ php_version | default('8.4') }}-fpm
|
||||
```
|
||||
|
||||
### WordPress Issues
|
||||
|
||||
0
docs/ssl-setup.md
Normal file → Executable file
0
docs/ssl-setup.md
Normal file → Executable file
32
docs/troubleshooting.md
Normal file → Executable file
32
docs/troubleshooting.md
Normal file → Executable file
@@ -200,7 +200,7 @@ grep opcache /etc/php/*/fpm/php.ini
|
||||
# Restart all LEMP services
|
||||
sudo systemctl restart nginx
|
||||
sudo systemctl restart mysql
|
||||
sudo systemctl restart php8.3-fpm
|
||||
sudo systemctl restart php{{ php_version | default('8.4') }}-fpm
|
||||
|
||||
# For Ultimate mode, also restart Redis
|
||||
sudo systemctl restart redis-server
|
||||
@@ -209,25 +209,25 @@ sudo systemctl restart redis-server
|
||||
### Check Service Status
|
||||
```bash
|
||||
# Check all service statuses
|
||||
sudo systemctl status nginx mysql php8.3-fpm
|
||||
sudo systemctl status nginx mysql php{{ php_version | default('8.4') }}-fpm
|
||||
|
||||
# For Ultimate mode
|
||||
sudo systemctl status redis-server
|
||||
```
|
||||
sudo systemctl status php8.3-fpm
|
||||
|
||||
sudo systemctl status php{{ php_version | default('8.4') }}-fpm
|
||||
|
||||
# Check socket file
|
||||
ls -la /run/php/php8.3-fpm.sock
|
||||
ls -la /run/php/php{{ php_version | default('8.4') }}-fpm.sock
|
||||
|
||||
# Check PHP-FPM configuration
|
||||
sudo nginx -t
|
||||
sudo php-fpm8.3 -t
|
||||
sudo php-fpm{{ php_version | default('8.4') }} -t
|
||||
```
|
||||
|
||||
**PHP Errors in WordPress:**
|
||||
```bash
|
||||
# Enable PHP error logging
|
||||
sudo tail -f /var/log/php8.3-fpm.log
|
||||
sudo tail -f /var/log/php{{ php_version | default('8.4') }}-fpm.log
|
||||
|
||||
# Check WordPress debug
|
||||
# Add to wp-config.php:
|
||||
@@ -245,14 +245,14 @@ tail -f /var/www/html/wp-content/debug.log
|
||||
**White Screen of Death:**
|
||||
```bash
|
||||
# Check PHP errors
|
||||
sudo tail -f /var/log/php8.3-fpm.log
|
||||
sudo tail -f /var/log/php{{ php_version | default('8.4') }}-fpm.log
|
||||
sudo tail -f /var/log/nginx/error.log
|
||||
|
||||
# Increase PHP memory limit
|
||||
sudo nano /etc/php/8.3/fpm/php.ini
|
||||
sudo nano /etc/php/{{ php_version | default('8.4') }}/fpm/php.ini
|
||||
# memory_limit = 256M
|
||||
|
||||
sudo systemctl restart php8.3-fpm
|
||||
sudo systemctl restart php{{ php_version | default('8.4') }}-fpm
|
||||
```
|
||||
|
||||
**Database Connection Error:**
|
||||
@@ -278,7 +278,7 @@ sudo chmod 600 /var/www/html/wp-config.php
|
||||
**Slow Website Loading:**
|
||||
```bash
|
||||
# Enable PHP OPcache
|
||||
sudo nano /etc/php/8.3/fpm/php.ini
|
||||
sudo nano /etc/php/{{ php_version | default('8.4') }}/fpm/php.ini
|
||||
# opcache.enable=1
|
||||
# opcache.memory_consumption=128
|
||||
|
||||
@@ -344,7 +344,7 @@ Important log files for debugging:
|
||||
|
||||
- **Nginx Access:** `/var/log/nginx/access.log`
|
||||
- **Nginx Error:** `/var/log/nginx/error.log`
|
||||
- **PHP-FPM:** `/var/log/php8.3-fpm.log`
|
||||
- **PHP-FPM:** `/var/log/php8.4-fpm.log`
|
||||
- **MySQL:** `/var/log/mysql/error.log`
|
||||
- **WordPress:** `/var/www/html/wp-content/debug.log`
|
||||
- **System:** `journalctl -f`
|
||||
@@ -361,15 +361,15 @@ Important log files for debugging:
|
||||
|
||||
```bash
|
||||
# Restart all services
|
||||
sudo systemctl restart nginx php8.3-fpm mysql
|
||||
sudo systemctl restart nginx php{{ php_version | default('8.4') }}-fpm mysql
|
||||
|
||||
# Check all service status
|
||||
sudo systemctl status nginx php8.3-fpm mysql
|
||||
sudo systemctl status nginx php{{ php_version | default('8.4') }}-fpm mysql
|
||||
|
||||
# Test configurations
|
||||
sudo nginx -t
|
||||
sudo php-fpm8.3 -t
|
||||
sudo php-fpm{{ php_version | default('8.4') }} -t
|
||||
|
||||
# Monitor logs in real-time
|
||||
sudo tail -f /var/log/nginx/error.log /var/log/php8.3-fpm.log
|
||||
sudo tail -f /var/log/nginx/error.log /var/log/php{{ php_version | default('8.4') }}-fpm.log
|
||||
```
|
||||
|
||||
0
docs/vault.md
Normal file → Executable file
0
docs/vault.md
Normal file → Executable file
Reference in New Issue
Block a user