From 597c96f2dd887535888616fbe6d1d95476616fb3 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Wed, 20 May 2026 10:35:09 +1000 Subject: [PATCH 01/13] Configure adminer specific logging for all supported webservers - consistant log location regardless --- conf/adminer | 9 ++++++++- conf/adminer-lighttpd | 1 + overlays/adminer/etc/adminer/apache.conf | 3 +++ overlays/adminer/etc/adminer/lighttpd.conf | 6 ++++++ overlays/adminer/etc/adminer/nginx.conf | 4 +++- 5 files changed, 21 insertions(+), 2 deletions(-) diff --git a/conf/adminer b/conf/adminer index 3df8d007..347bf947 100755 --- a/conf/adminer +++ b/conf/adminer @@ -10,7 +10,14 @@ ln -sf $ADMINER_DIR/designs/nette/adminer.css $STATIC_DIR/default.css ln -sf /etc/adminer/adminer.css /usr/share/adminer/adminer/adminer.css -# ensure www-data has read access to php files in /etc/adminer +# Ensure www-data has read access to php files in /etc/adminer chown root:www-data /etc/adminer /etc/adminer/tkl-*.php /etc/adminer/adminer.css chmod 755 /etc/adminer chmod 644 /etc/adminer/tkl-*.php /etc/adminer/adminer.css + +# Set up custom Adminer specific logging (config in relevant webserver vhosts) +mkdir -p /var/log/adminer +touch /var/log/adminer/{access.log,error.log} +chown -R root:adm /var/log/adminer +chmod 755 /var/log/adminer +chmod 644 /var/log/adminer/*.log diff --git a/conf/adminer-lighttpd b/conf/adminer-lighttpd index 588cd4a2..bb3f47dc 100755 --- a/conf/adminer-lighttpd +++ b/conf/adminer-lighttpd @@ -6,3 +6,4 @@ sed -i 's|^[[:space:]]*#([[:space:]]*"mod_redirect".*)|\1|' /etc/lighttpd/lightt # Link conf file to available-sites, and enable it ln -s /etc/adminer/lighttpd.conf /etc/lighttpd/conf-available/50-adminer.conf lighty-enable-mod adminer || true +lighty-enable-mod accesslog diff --git a/overlays/adminer/etc/adminer/apache.conf b/overlays/adminer/etc/adminer/apache.conf index 3e170e6f..2500e7ba 100644 --- a/overlays/adminer/etc/adminer/apache.conf +++ b/overlays/adminer/etc/adminer/apache.conf 
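Review bot: The new log files end up world-readable — `chmod 644 /var/log/adminer/*.log` under a `chmod 755 /var/log/adminer` directory — so any local account can read the request lines and errors of a database administration tool, whereas the Debian apache2/nginx packages keep their logs at roughly 640 with the adm group. The same two chmod lines are still in place after the ownership change in PATCH 10/13, so this applies there too. Suggest `chmod 750 /var/log/adminer` and `chmod 640 /var/log/adminer/*.log`; root-run readers (fail2ban, logrotate) and the adm group are unaffected.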
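Review bot: `lighty-enable-mod accesslog` is added without the `|| true` that the preceding `lighty-enable-mod adminer || true` line carries, and this script runs under `bash -ex` (its shebang is visible in the PATCH 04 hunk), so a non-zero exit here aborts the build; I believe lighty-enable-mod exits non-zero when a module is already enabled, which would make a re-run fail. If the asymmetry is deliberate (accesslog must succeed, adminer may already be enabled), a one-line comment such as `# accesslog is required for /var/log/adminer/access.log; fail the build if it cannot be enabled` would make that clear; otherwise make the two lines consistent.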
@@ -6,6 +6,9 @@ Alias /adminer/static /usr/share/adminer/adminer/static Alias /externals /usr/share/adminer/externals Alias /editor /usr/share/adminer/editor + + CustomLog /var/log/adminer/access.log combined + ErrorLog /var/log/adminer/error.log diff --git a/overlays/adminer/etc/adminer/lighttpd.conf b/overlays/adminer/etc/adminer/lighttpd.conf index 8d483033..4b41e7eb 100644 --- a/overlays/adminer/etc/adminer/lighttpd.conf +++ b/overlays/adminer/etc/adminer/lighttpd.conf @@ -29,6 +29,9 @@ $SERVER["socket"] == "0.0.0.0:12322" { server.document-root = "/usr/share/adminer/adminer/" alias.url = alias_redirects follow-symlink = "enable" + + accesslog.filename = "/var/log/adminer/access.log" + server.errorlog = "/var/log/adminer/error.log" } # IPv6 @@ -37,4 +40,7 @@ $SERVER["socket"] == "[::]:12322" { server.document-root = "/usr/share/adminer/adminer/" alias.url = alias_redirects follow-symlink = "enable" + + accesslog.filename = "/var/log/adminer/access.log" + server.errorlog = "/var/log/adminer/error.log" } diff --git a/overlays/adminer/etc/adminer/nginx.conf b/overlays/adminer/etc/adminer/nginx.conf index 53915003..f3ae57be 100644 --- a/overlays/adminer/etc/adminer/nginx.conf +++ b/overlays/adminer/etc/adminer/nginx.conf @@ -5,7 +5,9 @@ server { listen [::]:12322 ssl; include /etc/nginx/snippets/ssl.conf; root /usr/share/adminer/adminer/; - error_log /var/log/nginx/adminer-error.log; + + access_log /var/log/adminer/access.log; + error_log /var/log/adminer/error.log; location / { index tkl-index.php index.php; From 1b17ee56ebf193c73c55eee54a86d1f5ac0aa5d9 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Wed, 20 May 2026 10:36:15 +1000 Subject: [PATCH 02/13] Rotate Adminer log files (webserver agnostic) --- overlays/adminer/etc/logrotate.d/adminer | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 overlays/adminer/etc/logrotate.d/adminer 
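Review bot: `server.errorlog = "/var/log/adminer/error.log"` is placed inside the `$SERVER["socket"]` conditionals in both hunks of overlays/adminer/etc/adminer/lighttpd.conf; as far as I know server.errorlog is a global-only directive in lighttpd and is ignored or rejected inside a conditional, so Adminer errors would keep going to the server-wide error log. If that holds for the lighttpd version on the image (1.4.79 per PATCH 07), either move the line to the top level of the file or drop it and keep only `accesslog.filename`, which mod_accesslog does honour per condition. Worth a short comment either way, since the per-socket placement reads as intentional.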
diff --git a/overlays/adminer/etc/logrotate.d/adminer b/overlays/adminer/etc/logrotate.d/adminer new file mode 100644 index 00000000..479404e0 --- /dev/null +++ b/overlays/adminer/etc/logrotate.d/adminer @@ -0,0 +1,23 @@ +/var/log/adminer/access.log +/var/log/adminer/error.log { + weekly + rotate 4 + compress + missingok + notifempty + sharedscripts + postrotate + # Apache + if systemctl is-active --quiet apache2; then + systemctl reload apache2 + fi + # Nginx + if systemctl is-active --quiet nginx; then + systemctl reload nginx + fi + # Lighttpd + if systemctl is-active --quiet lighttpd; then + systemctl reload lighttpd + fi + endscript +} From 3cdceb43413b4553dec0e6969d351f39a7ef69f8 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Wed, 20 May 2026 10:37:57 +1000 Subject: [PATCH 03/13] Add Adminer fail2ban conf --- conf/adminer | 11 +++++++++++ .../adminer/etc/fail2ban/filter.d/adminer-auth.conf | 12 ++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 overlays/adminer/etc/fail2ban/filter.d/adminer-auth.conf diff --git a/conf/adminer b/conf/adminer index 347bf947..c30f6d9e 100755 --- a/conf/adminer +++ b/conf/adminer @@ -21,3 +21,14 @@ touch /var/log/adminer/{access.log,error.log} chown -R root:adm /var/log/adminer chmod 755 /var/log/adminer chmod 644 /var/log/adminer/*.log + +# Configure fail2ban protection for Adminer +cat >> /etc/fail2ban/jail.local < .* "POST /adminer\.php.*" (200|302) .*$ + +ignoreregex = From f93c0b809eed274e9b2a37509ba29205e87f320b Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Wed, 20 May 2026 16:54:22 +1000 Subject: [PATCH 04/13] Bugfix sed command (extended regex without '-E') --- conf/adminer-lighttpd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/adminer-lighttpd b/conf/adminer-lighttpd index bb3f47dc..2fbaefb7 100755 --- a/conf/adminer-lighttpd +++ b/conf/adminer-lighttpd 
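Review bot: The stanza in overlays/adminer/etc/logrotate.d/adminer has no `create` line, so the ownership and mode of access.log and error.log after a rotation depend on the global /etc/logrotate.conf and on whichever webserver re-opens them in postrotate, not on what conf/adminer set up (root:adm in PATCH 01, later www-data:www-data in PATCH 10). An explicit `create 0640 www-data adm` (matched to the final provisioning choice) keeps the permissions stable across rotations. `delaycompress` is the usual companion to `compress` when the writer is only asked to reopen its log in postrotate, since the old file may still be written to briefly after the rename.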
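Review bot: The visible fragment of the failregex in overlays/adminer/etc/fail2ban/filter.d/adminer-auth.conf matches `POST /adminer\.php` responses with status `(200|302)`, which are the successful outcomes rather than failed logins — a 302 is what a successful login redirects with and 200 is returned by ordinary authenticated POSTs — so legitimate administrators would accumulate failures. From memory Adminer answers a rejected login with HTTP 403 precisely to support fail2ban; confirm against a real access.log line and match on that status instead. The request path also looks off for these vhosts, which serve Adminer through `tkl-index.php` / `index.php` rather than `/adminer.php`. Note that the heredocs in this hunk (`cat >> /etc/fail2ban/jail.local ...`) are mangled in the copy under review, so the jail stanza itself could not be checked.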
@@ -1,7 +1,7 @@ #!/bin/bash -ex # Ensure redirection is enabled -sed -i 's|^[[:space:]]*#([[:space:]]*"mod_redirect".*)|\1|' /etc/lighttpd/lighttpd.conf +sed -Ei 's|^[[:space:]]*#([[:space:]]*"mod_redirect".*)|\1|' /etc/lighttpd/lighttpd.conf # Link conf file to available-sites, and enable it ln -s /etc/adminer/lighttpd.conf /etc/lighttpd/conf-available/50-adminer.conf From 7ef3a85dd5397d28ae84b1ac2c74eb71d231d2c5 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 22 May 2026 12:48:29 +1000 Subject: [PATCH 05/13] Remove redundant bugfix --- conf/turnkey.d/fail2ban-fixes | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/conf/turnkey.d/fail2ban-fixes b/conf/turnkey.d/fail2ban-fixes index 83612bc0..c961bc37 100755 --- a/conf/turnkey.d/fail2ban-fixes +++ b/conf/turnkey.d/fail2ban-fixes 
@@ -8,28 +8,6 @@ if ! grep -q '^allowipv6' $CONF; then sed -i '\|^\[Definition\]|a \\nallowipv6 = auto' $CONF fi -# ensure that fail2ban blocks known users with incorrect key - see Debian -# Bug #1038779 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038779 - -cat > fail2ban.patch <(?P\S+)|(?:(?! from ).)*? from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) - # consider failed publickey for valid users too (don't need RE, see cmnfailed): --cmnfailre-failed-pub-any = -+cmnfailre-failed-pub-any = ^Failed publickey for (?P\S+)|(?:(?! from ).)*? from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) - # same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed): --cmnfailre-failed-pub-nofail = -+cmnfailre-failed-pub-nofail = - # don't consider failed publickey as failures (don't need RE, see cmnfailed): - cmnfailre-failed-pub-ignore = - -EOF -git apply fail2ban.patch -rm fail2ban.patch - cat > /etc/cron.weekly/fail2ban < Date: Fri, 22 May 2026 12:51:27 +1000 Subject: [PATCH 06/13] Remove another redundant bugfix --- conf/turnkey.d/fail2ban-fixes | 8 -------- 1 file changed, 8 deletions(-) diff --git a/conf/turnkey.d/fail2ban-fixes b/conf/turnkey.d/fail2ban-fixes index c961bc37..7398cea4 100755 --- a/conf/turnkey.d/fail2ban-fixes +++ b/conf/turnkey.d/fail2ban-fixes @@ -1,13 +1,5 @@ #!/bin/bash -e -# explictly allow ipv6 - see Debian bug #1024305: -# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305 - -CONF=/etc/fail2ban/fail2ban.conf -if ! grep -q '^allowipv6' $CONF; then - sed -i '\|^\[Definition\]|a \\nallowipv6 = auto' $CONF -fi - cat > /etc/cron.weekly/fail2ban < Date: Fri, 22 May 2026 13:10:20 +1000 Subject: [PATCH 07/13] Remove invalid lighty conf (removed in v1.4.56 - Trixie has v1.4.79) --- overlays/lighttpd/etc/lighttpd/ssl-params.conf | 1 - 1 file changed, 1 deletion(-) 
diff --git a/overlays/lighttpd/etc/lighttpd/ssl-params.conf b/overlays/lighttpd/etc/lighttpd/ssl-params.conf index 3349834c..a7426044 100644 --- a/overlays/lighttpd/etc/lighttpd/ssl-params.conf +++ b/overlays/lighttpd/etc/lighttpd/ssl-params.conf @@ -5,7 +5,6 @@ ssl.pemfile = "/etc/ssl/private/cert.pem" ssl.privkey = "/etc/ssl/private/cert.key" -ssl.dh-file = "/etc/ssl/private/dhparams.pem" ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # lighttpd 1.4.79 TLS default appends X448 From 2c8007aa0e2760702d822f7e08b779b3a2b69e54 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 22 May 2026 13:12:12 +1000 Subject: [PATCH 08/13] Enable TKL default ciphers --- overlays/lighttpd/etc/lighttpd/ssl-params.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/overlays/lighttpd/etc/lighttpd/ssl-params.conf b/overlays/lighttpd/etc/lighttpd/ssl-params.conf index a7426044..33b88cc7 100644 --- a/overlays/lighttpd/etc/lighttpd/ssl-params.conf +++ b/overlays/lighttpd/etc/lighttpd/ssl-params.conf @@ -14,7 +14,7 @@ ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # See https://wiki.lighttpd.net/Docs_SSL # Uncomment to better match the less restricted Mozilla intermediate spec. # (TKL Ciphers set by common/conf/turnkey.d/zz-ssl-ciphers) -#ssl.openssl.ssl-conf-cmd += ("CipherString" => "ZZ_SSL_CIPHERS") +ssl.openssl.ssl-conf-cmd += ("CipherString" => "ZZ_SSL_CIPHERS") # HSTS config + additional hardening server.modules += ("mod_redirect") From 4c789b68456dee3919fe1887cb7259cafce13485 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 22 May 2026 14:07:27 +1000 Subject: [PATCH 09/13] Lighty doesn't appear to support aliases, so replace config with symlink; also ensure tkl-index matches first --- conf/adminer-lighttpd | 3 +++ overlays/adminer/etc/adminer/lighttpd.conf | 17 ++--------------- 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/conf/adminer-lighttpd b/conf/adminer-lighttpd index 2fbaefb7..b89579b2 100755 
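Review bot: The comment immediately above the now-enabled `ssl.openssl.ssl-conf-cmd += ("CipherString" => "ZZ_SSL_CIPHERS")` line still says `# Uncomment to better match the less restricted Mozilla intermediate spec.`, which no longer describes the file. Suggest replacing it with `# CipherString placeholder is substituted at build time by common/conf/turnkey.d/zz-ssl-ciphers (TKL default ciphers)`. It would also help to state the ordering dependency: if this overlay is applied after zz-ssl-ciphers has run, the literal placeholder reaches lighttpd, which I would expect to reject it at startup rather than fall back to defaults — worth confirming on the lighttpd build.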
--- a/conf/adminer-lighttpd +++ b/conf/adminer-lighttpd @@ -7,3 +7,6 @@ sed -Ei 's|^[[:space:]]*#([[:space:]]*"mod_redirect".*)|\1|' /etc/lighttpd/light ln -s /etc/adminer/lighttpd.conf /etc/lighttpd/conf-available/50-adminer.conf lighty-enable-mod adminer || true lighty-enable-mod accesslog + +# Lighty doesn't support aliases, so we need to symlink tkl-index +ln -sf /etc/adminer/tkl-index.php /usr/share/adminer/adminer/tkl-index.php diff --git a/overlays/adminer/etc/adminer/lighttpd.conf b/overlays/adminer/etc/adminer/lighttpd.conf index 4b41e7eb..f3a92906 100644 --- a/overlays/adminer/etc/adminer/lighttpd.conf +++ b/overlays/adminer/etc/adminer/lighttpd.conf @@ -8,25 +8,11 @@ var.alias_redirects = ( "/externals/" => "/usr/share/adminer/externals/" ) -# Map tkl-index.php URL to the actual file in /etc/adminer/ -$HTTP["url"] == "/tkl-index.php" { - fastcgi.server = ( - ".php" => (( - "socket" => "/run/php/php-fpm.sock", # may need adjustment? - "check-local" => "disable", - "bin-environment" => ( - "SCRIPT_FILENAME" => "/etc/adminer/tkl-index.php" - ) - )) - ) -} - -index-file.names += ( "tkl-index.php" ) - # IPv4 $SERVER["socket"] == "0.0.0.0:12322" { ssl.engine = "enable" server.document-root = "/usr/share/adminer/adminer/" + index-file.names = ( "tkl-index.php", "index.php" ) alias.url = alias_redirects follow-symlink = "enable" @@ -38,6 +24,7 @@ $SERVER["socket"] == "0.0.0.0:12322" { $SERVER["socket"] == "[::]:12322" { ssl.engine = "enable" server.document-root = "/usr/share/adminer/adminer/" + index-file.names = ( "tkl-index.php", "index.php" ) alias.url = alias_redirects follow-symlink = "enable" From f8f7af911a80b8f76f22d1c022e35a0ef8c303be Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 22 May 2026 14:11:23 +1000 Subject: [PATCH 10/13] Lighty fails if www-data can't write to logs --- conf/adminer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/adminer b/conf/adminer index c30f6d9e..99dc7d85 100755 --- a/conf/adminer 
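Review bot: The comment `# Lighty doesn't support aliases, so we need to symlink tkl-index` in conf/adminer-lighttpd contradicts the lighttpd.conf hunks of the same commit, which still rely on `alias.url = alias_redirects` (mod_alias) for /adminer/static and /externals; what is being worked around appears to be getting a single PHP file outside server.document-root to the fastcgi handler, not aliases in general. Suggest `# lighty's fastcgi handler needs the script under server.document-root, so symlink tkl-index.php into it instead of aliasing it`, adjusted to what was actually observed. Since `follow-symlink = "enable"` is what makes the symlink work, a pointer to that setting in the comment would save the next reader a search. The `index-file.names = ( "tkl-index.php", "index.php" )` line is now duplicated across the IPv4 and IPv6 socket blocks together with the other shared settings; not a defect, but the two blocks will keep drifting unless that is noted.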
+++ b/conf/adminer @@ -18,7 +18,7 @@ chmod 644 /etc/adminer/tkl-*.php /etc/adminer/adminer.css # Set up custom Adminer specific logging (config in relevant webserver vhosts) mkdir -p /var/log/adminer touch /var/log/adminer/{access.log,error.log} -chown -R root:adm /var/log/adminer +chown -R www-data:www-data /var/log/adminer chmod 755 /var/log/adminer chmod 644 /var/log/adminer/*.log From 5eff74220f2bc10fcccae90e915535c2b3e0a5ec Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 22 May 2026 14:16:35 +1000 Subject: [PATCH 11/13] Default root ownership of /etc/adminer - www-data only needs access to php/css files --- conf/adminer | 1 + 1 file changed, 1 insertion(+) diff --git a/conf/adminer b/conf/adminer index 99dc7d85..76f8ca3b 100755 --- a/conf/adminer +++ b/conf/adminer @@ -11,6 +11,7 @@ ln -sf $ADMINER_DIR/designs/nette/adminer.css $STATIC_DIR/default.css ln -sf /etc/adminer/adminer.css /usr/share/adminer/adminer/adminer.css # Ensure www-data has read access to php files in /etc/adminer +chown -R root:adm /etc/adminer chown root:www-data /etc/adminer /etc/adminer/tkl-*.php /etc/adminer/adminer.css chmod 755 /etc/adminer chmod 644 /etc/adminer/tkl-*.php /etc/adminer/adminer.css From 05a93bd0109f6d03ce28f19da03adcf2c740ce33 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 22 May 2026 17:02:08 +1000 Subject: [PATCH 12/13] Fix nginx adminer config --- overlays/adminer/etc/adminer/nginx.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/overlays/adminer/etc/adminer/nginx.conf b/overlays/adminer/etc/adminer/nginx.conf index f3ae57be..5d08e819 100644 --- a/overlays/adminer/etc/adminer/nginx.conf +++ b/overlays/adminer/etc/adminer/nginx.conf 
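Review bot: `chown -R www-data:www-data /var/log/adminer` hands the log directory itself to the webserver account, so with the directory at 755 the www-data process — and the PHP workers running Adminer, if they use the same account — can delete, truncate or replace access.log and error.log, the very files the fail2ban filter from PATCH 03 and the logrotate config from PATCH 02 rely on. If lighttpd only needs to append to existing files, a narrower form is `chown root:adm /var/log/adminer`, `chown www-data:adm /var/log/adminer/*.log` and `chmod 640 /var/log/adminer/*.log`, with re-creation after rotation left to an explicit `create` line in logrotate. Whether lighttpd must also be able to create the files itself should be confirmed on the lighttpd build before narrowing.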
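Review bot: After `chown -R root:adm /etc/adminer`, the www-data group put on the three paths by the next line only matters if the modes are tightened, but the following `chmod 755 /etc/adminer` and `chmod 644 /etc/adminer/tkl-*.php /etc/adminer/adminer.css` leave everything world-readable, so the `# Ensure www-data has read access` comment is satisfied trivially and the group assignment is cosmetic. If the intent of the commit (root ownership, www-data needing only the php/css files) is to keep other accounts out, use `chmod 750 /etc/adminer` and `chmod 640 /etc/adminer/tkl-*.php /etc/adminer/adminer.css`; the webserver and PHP workers would still read them through the www-data group. Any other file under /etc/adminer that the web tier reads (for example anything tkl-index.php includes) would need the same group, so check that before tightening.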
@@ -16,9 +16,10 @@ server { # Route tkl-index.php to /etc/adminer/ location = /tkl-index.php { + include /etc/nginx/snippets/fastcgi-php.conf; fastcgi_param HTTPS on; fastcgi_param SCRIPT_FILENAME /etc/adminer/tkl-index.php; - include /etc/nginx/snippets/php-fpm.conf; + fastcgi_pass unix:/run/php/php-fpm.sock; } location ~ \.php$ { From 76d50265badc28d3152547089c71876ae6f7b580 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 22 May 2026 17:11:52 +1000 Subject: [PATCH 13/13] Enable php-fpm by default and split http & https blocks --- .../nginx/etc/nginx/sites-available/tkl-default | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/overlays/nginx/etc/nginx/sites-available/tkl-default b/overlays/nginx/etc/nginx/sites-available/tkl-default index 9938d683..8a02b446 100644 --- a/overlays/nginx/etc/nginx/sites-available/tkl-default +++ b/overlays/nginx/etc/nginx/sites-available/tkl-default @@ -18,14 +18,18 @@ ## # Default server configuration -# + +# HTTP server { listen 80 default_server; listen [::]:80 default_server; - + server_name _; # temporary redirect to https - update to permanent (308) for production return 307 https://$host$request_uri; +} +# HTTPS +server { # SSL configuration listen 443 ssl default_server; listen [::]:443 ssl default_server; @@ -33,8 +37,8 @@ server { root /var/www; - # Ensure index.php is at the end of this list if using php-fpm - index index.html index.htm; + # index.php can be removed from the end of this list when not using php-fpm + index index.html index.htm index.php; server_name _; @@ -44,8 +48,8 @@ server { try_files $uri $uri/ =404; } - # Uncomment to enable PHP-FPM - #include snippets/php-fpm.conf; + # Comment to disable PHP-FPM + include snippets/php-fpm.conf; # Deny access to all dot files location ~ /\. {
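Review bot: In `location = /tkl-index.php`, `include /etc/nginx/snippets/fastcgi-php.conf;` now precedes the explicit `fastcgi_param SCRIPT_FILENAME /etc/adminer/tkl-index.php;`. If that snippet is Debian's stock one, it contains `try_files $fastcgi_script_name =404;`, which requires /tkl-index.php to exist under the vhost `root` (/usr/share/adminer/adminer/ per PATCH 01) where this build places no symlink, and it includes fastcgi.conf with its own `SCRIPT_FILENAME $document_root$fastcgi_script_name`, so the request is either answered 404 or reaches php-fpm with two SCRIPT_FILENAME values. Because this location deliberately routes to a file outside the root, `include fastcgi_params;` (which sets no SCRIPT_FILENAME) in place of the snippet, keeping the explicit SCRIPT_FILENAME and `fastcgi_pass` lines, is the safer shape; alternatively symlink the file into the root as the lighttpd build does in PATCH 09. Please verify with a request against the nginx build.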
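Review bot: Enabling `include snippets/php-fpm.conf;` and `index index.html index.htm index.php;` unconditionally in the default vhost means every `.php` file that lands under /var/www is executed on every appliance shipping this overlay, including builds with no PHP application there; the replaced `# Uncomment to enable PHP-FPM` default was the narrower attack surface. If the goal is a working default for PHP-based appliances, consider leaving the include commented in the overlay and having each appliance's conf script enable it, or at least add a comment in the file naming which builds depend on it being on. The HTTP/HTTPS split in the first hunk looks fine; the `# temporary redirect to https - update to permanent (308) for production` note is still there and probably deserves a decision now that the file is being reworked.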