Complete Overhaul of install script - improvements and added functionality: user input flow, clarified prompt messages. Cloudflare Zero-Trust Tunnel support, Cloudflare DNS-01 SSL cert option, adaptive performance tuning, general reliability and hardening #8
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ude: user input flow, clarified prompt messages. Cloudflare Zero-Trust Tunnel support, Cloudflare DNS-01 SSL cert option, adaptive performance tuning, general reliability and hardening Quick Overview: • Added guided interactive UX + unattended flags capabilities • Added new SSL cert method: Cloudflare DNS-01 • Added support and optimization for hosting behind a Cloudflare Zero-Trust Tunnel, rather than directly via public IP • Added safe reruns with cleanup/backup behavior • Added optional php-fpm+mpm_event “high performance” profile • Added boot-time autotune for (MariaDB/PHP-FPM/OPcache/Apache/system limits) for vertical scaling/future-proofing and maximal performance optimization • Improved logging, validation, and post-install diagnostics + reboot prompt Detailed Breakdown: 1) Safety & reliability (fail-fast + predictable) Auto-elevation to root (sudo self-elevate, hard stop if unavailable) Why: Prevents partial installs and permission-based weirdness; avoids “script ran but nothing happened.” set -euo pipefail and consistent error handling/logging (die, warn, say) Why: Fewer silent failures, faster debugging, safer automation. Non-interactive apt-get update && apt-get upgrade at the beginning Why: Reduces dependency conflicts and runtime surprises; aligns with “clean base image” installs. 2) Dependencies installed up front (clean installs actually work) Explicit prerequisites installed at start, assuming a fresh OS: Apache, MariaDB, PHP + extensions, certbot, cron, dnsutils, ufw, openssl, git, python3 bits, python3-certbot-dns-cloudflare Why: Prevents mid-script failures and reduces “works on my server” scenarios. 3) Cleaner, lower-error UX (interactive + unattended) Number-based menus for option-style prompts: Access mode, performance profile, timezone handling, branch selection, TLS method, cleanup options Why: Less user input error than free-form strings; faster and more approachable for non-experts. Timezone prompt improved: Offers detected TZ, UTC, or manual entry with examples (e.g., America/Denver) Why: Users often don’t know tz database formats; detection can be wrong. FQDN prompt clarified: Explicit example (itflow.example.com) Why: Reduces invalid domain input and confusion. 4) SSL/TLS improvements (adds options, doesn’t break the old path) Preserves original classic Let’s Encrypt behavior as default (letsencrypt via HTTP-01 / apache plugin) Why: Keeps the “common case” intact and avoids breaking expectations. Adds Cloudflare DNS-01 option (letsencrypt-dns-cloudflare) using API token credentials Why: Enables installs behind Cloudflare Tunnel / no inbound ports. DNS-01 works in locked-down network environments. Certificate reuse support (--reuse-cert-name or auto-detect existing cert under /etc/letsencrypt/live/<name>) Why: Avoids needless re-issuance; supports re-runs and pre-provisioned cert flows. UFW checks for classic HTTP-01 (ports 80/443): If UFW active and ports blocked, prompt to open them, or fail clearly in unattended mode Why: Classic LE fails silently otherwise; this makes the failure mode explicit and fixable. Certbot renewal dry-run included (non-fatal) Why: Verifies automation health up front so renewal failures don’t show up 60 days later. 5) Apache hardening & correctness improvements Global Apache ServerName set (/etc/apache2/conf-available/servername.conf) Why: Removes the common FQDN warning and prevents edge-case vhost behavior. Vhost generation improved: Proper HTTP vhost + optional HTTPS redirect (when TLS enabled) Explicit Directory block with AllowOverride All to support .htaccess Why: More consistent behavior across environments; avoids incomplete defaults. 6) Performance profile option (opt-in, controlled) Balanced (default): classic mod_php with prefork (matches original behavior) Why: Lowest-risk default. Minimizes potential compatibility surprises. High performance (opt-in): php-fpm + mpm_event + proxy_fcgi Why: Better concurrency and memory efficiency at scale (lots of simultaneous users / background jobs). Introducing this as a manual opt-in feature to avoid surprises. 7) Idempotent reruns + cleanup (ops-friendly) Cleanup options added: Web only: vhosts/webroot/cron for the domain DB only: drop itflow DB + itflow@localhost user (destructive) All: both web + DB Why: Fixes the “previous failed attempts” problem and supports clean re-install loops. Safe webroot behavior: If non-empty webroot exists, move to timestamped .bak-YYYYMMDD-HHMMSS instead of clobbering Why: Prevents accidental data loss while still allowing reruns. 8) Database improvements (stability + repeatability) MariaDB startup + readiness checks (mysqladmin ping) before DB actions Why: Avoids race conditions that cause intermittent failures. User creation logic made re-run safe: Creates user if missing, then ALTER USER sets password to a fresh random value Why: Prevents “Access denied” and broken state after partial installs. Credential generation improved: Uses openssl rand (replaces tr | head patterns) Why: More robust and consistent across distros; avoids subtle shell/pipeline edge cases. 9) Adaptive “autotune at boot” for dynamic scalability Adds a dedicated tool + systemd unit: /usr/local/sbin/itflow-autotune.sh itflow-autotune.service enabled at boot It automatically tunes based on detected RAM/CPU, and safely re-applies on boot. Tuning includes: MariaDB: InnoDB buffer pool sizing, connections, tmp table sizes, slow query logging Why: Out-of-box MariaDB defaults are not MSP-scale friendly; this reduces latency and improves throughput. OPcache: memory sizing and file cache sizing based on resources Why: Huge win for PHP app responsiveness under load. PHP-FPM pool tuning (high profile): pm.max_children, spares, pm.max_requests, timeouts Why: Avoids worker starvation, prevents memory creep, adapts when resources change. Apache MPM tuning: Event/prefork worker limits based on resources/profile Why: Prevents thrash and handles concurrency. System limits: LimitNOFILE=65535 for Apache + MariaDB Why: Helps at higher concurrency, avoids file descriptor exhaustion. Sysctl baseline: somaxconn, swappiness, etc. Why: Reasonable baseline for server workloads. First-run force apply marker Creates /var/lib/itflow-autotune/first_run_done after first successful apply. Why: Ensures the first run actually writes configs and restarts services, even if identical files existed; prevents the “it did nothing” confusion. Autotune status output Prints active MPM, php-fpm state, and file mtimes for the tuned configs Why: Reviewers/operators can verify changes quickly without digging. 10) Cloudflare Tunnel guidance only when relevant If access mode = cloudflare-tunnel, prints recommended tunnel origin settings: Match SNI to Host Origin Server Name HTTP Host Header Optional notes on Cloudflare SSL modes (Full strict recommended, but not mandatory) Why: Prevents misconfiguration and avoids adding tunnel-specific noise for non-tunnel users. 11) Post-install reboot prompt (clean UX) Recommends reboot and prompts interactively: Enter defaults to YES Only n/N rejects; other input re-prompts Exit immediately after calling reboot Why: Applies service changes cleanly and avoids SSH disconnect artifacts / weird repeated prompts.
This change fixes a real-world compatibility issue introduced by the optional High performance deployment mode (php-fpm + mpm_event) added in the revamped installer.
In php-fpm mode, Apache no longer supports certain mod_php-only directives inside .htaccess (e.g. php_flag, php_value, php_admin_*, and some handler/type directives). On ITFlow installs, the uploads/.htaccess file may include some of these directives, which can cause Apache to return HTTP 500 when serving files from /uploads — resulting in uploaded assets (company logos, user avatars, etc.) failing to display.
This commit addresses that cleanly and defensively:
Hardens uploads at the vhost level by explicitly denying execution of *.php inside ${WEBROOT}/uploads for both HTTP and HTTPS vhosts. This prevents any possibility of PHP execution from user-writable content regardless of per-directory .htaccess behavior.
Auto-patches uploads/.htaccess in High performance mode only, removing mod_php-only directives that can trigger HTTP 500 under php-fpm, while leaving behavior unchanged for the default Balanced (mod_php) profile.
Adds a repository-wide scan + warning (High performance mode only) to detect remaining mod_php directives anywhere else in the webroot. The script does not modify those files automatically—this is intentionally a warning-only safeguard to avoid surprising behavior changes.
Adds a localhost post-install smoke test (curl against http://localhost/ or https://localhost/) to catch HTTP 500 / bad status codes immediately after install. This reduces “install succeeded but site is broken” reports and speeds up troubleshooting.
Net result: High performance mode remains a drop-in option, but no longer breaks uploads, and is safer by default.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
### Quick Overview:
### Detailed Breakdown:
1) Safety & reliability (fail-fast + predictable)
Auto-elevation to root (sudo self-elevate, hard stop if unavailable)
Why: Prevents partial installs and permission-based weirdness; avoids “script ran but nothing happened.”
set -euo pipefail and consistent error handling/logging (die, warn, say)
Why: Fewer silent failures, faster debugging, safer automation.
Non-interactive apt-get update && apt-get upgrade at the beginning
Why: Reduces dependency conflicts and runtime surprises; aligns with “clean base image” installs.
2) Dependencies installed up front (ensures that clean installs reliably work)
Explicit prerequisites installed at start, assuming a fresh OS:
Apache, MariaDB, PHP + extensions, certbot, cron, dnsutils, ufw, openssl, git, python3 bits, python3-certbot-dns-cloudflare
Why: Prevents mid-script failures and reduces “works on my server” scenarios.
3) Cleaner, lower-error UX (interactive + unattended)
Number-based menus for option-style prompts:
Access mode, performance profile, timezone handling, branch selection, TLS method, cleanup options
Why: Less user input error than free-form strings; faster and more approachable for non-experts.
Timezone prompt improved:
Offers detected TZ, UTC, or manual entry with examples (e.g., America/Denver)
Why: Users often don’t know tz database formats; detection can be wrong.
FQDN prompt clarified:
Explicit example (itflow.example.com)
Why: Reduces invalid domain input and confusion.
4) SSL/TLS improvements (adds options, doesn’t break the old path)
Preserves original classic Let’s Encrypt behavior as default (letsencrypt via HTTP-01 / apache plugin)
Why: Keeps the “common case” intact and avoids breaking expectations.
Adds Cloudflare DNS-01 option (letsencrypt-dns-cloudflare) using API token credentials
Why: Enables installs behind Cloudflare Tunnel / no inbound ports. DNS-01 works in locked-down network environments.
Certificate reuse support (--reuse-cert-name or auto-detect existing cert under /etc/letsencrypt/live/)
Why: Avoids needless re-issuance; supports re-runs and pre-provisioned cert flows.
UFW checks for classic HTTP-01 (ports 80/443):
If UFW active and ports blocked, prompt to open them, or fail clearly in unattended mode
Why: Classic LE fails silently otherwise; this makes the failure mode explicit and fixable.
Certbot renewal dry-run included (non-fatal)
Why: Verifies automation health up front so renewal failures don’t show up 60 days later.
5) Apache hardening & correctness improvements
Global Apache ServerName set (/etc/apache2/conf-available/servername.conf)
Why: Removes the common FQDN warning and prevents edge-case vhost behavior.
Vhost generation improved:
Proper HTTP vhost + optional HTTPS redirect (when TLS enabled)
Explicit Directory block with AllowOverride All to support .htaccess
Why: More consistent behavior across environments; avoids incomplete defaults.
6) Performance profile option (opt-in, controlled)
Balanced (default): classic mod_php with prefork (matches original behavior)
Why: Lowest-risk default. Minimizes potential compatibility surprises.
High performance (opt-in): php-fpm + mpm_event + proxy_fcgi
Why: Better concurrency and memory efficiency at scale (lots of simultaneous users / background jobs) - especially with heavy customer portal and API traffic. Introducing this as a manual opt-in feature to avoid surprises.
7) Idempotent reruns + cleanup (ops-friendly)
Cleanup options added:
Web only: vhosts/webroot/cron for the domain
DB only: drop itflow DB + itflow@localhost user (destructive)
All: both web + DB
Why: Fixes the “previous failed attempts” problem caused by remnants from abandoned or failed previous installs, and supports clean re-install loops.
Safe webroot behavior:
If non-empty webroot exists, move to timestamped .bak-YYYYMMDD-HHMMSS instead of clobbering
Why: Prevents accidental data loss while still allowing reruns.
8) Database improvements (stability + repeatability)
MariaDB startup + readiness checks (mysqladmin ping) before DB actions
Why: Avoids race conditions that cause intermittent failures.
User creation logic made re-run safe:
Creates user if missing, then ALTER USER sets password to a fresh random value
Why: Prevents “Access denied” and broken state after partial installs.
Credential generation improved:
Uses openssl rand (replaces tr | head patterns)
Why: More robust and consistent across distros; avoids subtle shell/pipeline edge cases.
9) Adaptive “autotune at boot” for dynamic scalability
Adds a dedicated tool + systemd unit:
/usr/local/sbin/itflow-autotune.sh
itflow-autotune.service enabled at boot
It automatically tunes based on detected RAM/CPU, and safely re-applies on boot.
Tuning includes:
MariaDB: InnoDB buffer pool sizing, connections, tmp table sizes, slow query logging
Why: Out-of-box MariaDB defaults are not MSP-scale friendly; this reduces latency and improves throughput.
OPcache: memory sizing and file cache sizing based on resources
Why: Huge win for PHP app responsiveness under load.
PHP-FPM pool tuning (high profile): pm.max_children, spares, pm.max_requests, timeouts
Why: Avoids worker starvation, prevents memory creep, adapts when resources change.
Apache MPM tuning: Event/prefork worker limits based on resources/profile
Why: Prevents thrash and handles concurrency.
System limits: LimitNOFILE=65535 for Apache + MariaDB
Why: Helps at higher concurrency, avoids file descriptor exhaustion.
Sysctl baseline: somaxconn, swappiness, etc.
Why: Reasonable baseline for server workloads.
First-run force apply marker
Creates /var/lib/itflow-autotune/first_run_done after first successful apply.
Why: Ensures the first run actually writes configs and restarts services, even if identical files existed; prevents the “it did nothing” confusion.
Autotune status output
Prints active MPM, php-fpm state, and file mtimes for the tuned configs
Why: Reviewers/operators can verify changes quickly without digging.
10) Cloudflare Tunnel guidance only when relevant
If access mode = cloudflare-tunnel, prints recommended tunnel origin settings:
Why: Prevents misconfiguration and avoids adding tunnel-specific noise for non-tunnel users.
11) Post-install reboot prompt (clean UX)
Recommends reboot and prompts interactively:
Enter defaults to YES
Only n/N rejects; other input re-prompts
Exit immediately after calling reboot
Why: Applies service changes cleanly and avoids SSH disconnect artifacts / weird repeated prompts.