Nginx scripts and configs

Script: Nginx installer for Debian
Script: Nginx default config "generator" with dummy SSL
Configs: Various additional configs for Nginx

nginx/nginx-config.sh

@@ -0,0 +1,140 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash <filename> <args>".
+
+# Exit on error.
+#set -e
+# Debug
+set -eux
+
+# Don't use ending slashes in paths!
+
+# The user nginx runs as.
+NGINX_USER='nginx'
+
+# The group nginx runs with.
+NGINX_GROUP='nginx'
+
+# Nginx configuration directory.
+NGINX_CONF='/etc/nginx'
+
+# Nginx configuration drop-in path.
+NGINX_CONFD='/etc/nginx/conf.d'
+
+# Where dummy SSL pems are stored.
+NGINX_PEM_DIR='/etc/nginx/pem'
+
+# The default site filename, don't use a full path or filename here.
+# Just a name please.
+NGINX_DEFAULT_SITE_CONF_NAME="default"
+
+nginx-config() {
+
+cd ${NGINX_CONF:-/no_path/9} || (
+    echo "\"${NGINX_CONF}\" doesn't exist?"
+    return 1;
+)
+
+systemctl stop nginx
+
+# Make pems.
+cd ${NGINX_PEM_DIR:-/no_path/3} && (
+    echo "\"${NGINX_PEM_DIR}\" exists? Continue (hit enter)?"
+    read
+) || (
+    mkdir ${NGINX_PEM_DIR:-/no_path/3}
+    cd ${NGINX_PEM_DIR:-/no_path/3}
+)
+
+chown ${NGINX_USER:-nginx}:${NGINX_GROUP:-nginx} ${NGINX_PEM_DIR:-/no_path/3}
+
+chmod 740 ${NGINX_PEM_DIR:-/no_path/3}
+
+chmod g+s ${NGINX_PEM_DIR:-/no_path/3}
+
+touch ${NGINX_PEM_DIR:-/no_path/3}/default-{key,cert,dhparam}.pem
+
+openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout ${NGINX_PEM_DIR:-/no_path/3}/default-key.pem -out ${NGINX_PEM_DIR:-/no_path/3}/default-cert.pem
+
+openssl dhparam -out ${NGINX_PEM_DIR:-/no_path/3}/default-dhparam.pem 4096
+
+cd ${NGINX_CONFD:-/no_path/4}
+
+# This doesn't always exist.
+[[ -f "default.conf" ]] && mv default.conf default.conf.backup
+
+NGINX_DEFAULT_SITE_CONF_NAME=${NGINX_DEFAULT_SITE_CONF_NAME:-fail}
+
+NGINX_DEFAULT_SITE_CONF_NAME_FULL="${NGINX_CONFD:-/no_path/4}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}.conf"
+
+[[ -f "${NGINX_DEFAULT_SITE_CONF_NAME_FULL}" ]] && (
+    echo "\"${NGINX_DEFAULT_SITE_CONF_NAME_FULL}\" exists? Continue (hit enter)?"
+    read
+)
+
+cat <<NGX > ${NGINX_DEFAULT_SITE_CONF_NAME_FULL}
+# Warn on any null variables
+uninitialized_variable_warn on;
+
+# Don't print software version
+server_tokens off;
+
+# If you don't use acme you can remove this block.
+upstream acme {
+    server 127.0.0.1:18080;
+}
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://\$host\$request_uri;
+    }
+
+    # Proxy Let's Encrypt to acme upstream - remove if you don't use
+    # acme.sh
+    location ^~ /.well-known/acme-challenge/ {
+        proxy_pass http://acme;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    ssl_certificate ${NGINX_PEM_DIR:-/no_path/6}/default-cert.pem;
+    ssl_certificate_key ${NGINX_PEM_DIR:-/no_path/6}/default-key.pem;
+    ssl_dhparam ${NGINX_PEM_DIR:-/no_path/6}/default-dhparam.pem;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;
+
+    # Proxy Let's Encrypt to acme upstream - remove if you don't use
+    # acme.sh
+    location ^~ /.well-known/acme-challenge/ {
+        proxy_pass http://acme;
+    }
+
+    # For everything else return 404
+    location / {
+        log_not_found off;
+        access_log off;
+        return 404;
+    }
+
+}
+NGX
+
+nginx -t
+
+systemctl restart nginx
+
+}
+
+${1:-nginx-config} "$@"

nginx/nginx-deb-install.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash <filename> <args>".
+
+# Exit on error.
+#set -e
+# Debug
+set -eux
+
+nginx() {
+# Mostly taken from http://nginx.org/en/linux_packages.html
+
+# Continue if already installed?
+dpkg -l nginx && (
+    echo "Already installed? Continue (hit enter)?"
+    read
+)
+
+apt install -y curl gnupg2 ca-certificates lsb-release \
+    debian-archive-keyring openssl
+
+curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
+    | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+
+echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+http://nginx.org/packages/debian `lsb_release -cs` nginx" \
+    | tee /etc/apt/sources.list.d/nginx.list
+
+echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
+    | tee /etc/apt/preferences.d/99nginx
+
+apt update
+apt install nginx
+}
+
+${1:-nginx} "$@"

nginx/upstream.conf

@@ -0,0 +1,4 @@
+upstream custom_upstream {
+    #server unix:/run/custom_upstream;
+    server 127.0.0.1:8080;
+}

nginx/yeastar-ta100-location.inc

@@ -0,0 +1,18 @@
+    location ^~ /_ {
+        proxy_http_version 1.1;
+        proxy_pass http://yeastar/;
+        proxy_cookie_path / /_/;
+        proxy_buffering off;
+        sub_filter 'src="../' 'src="/_/';
+        sub_filter "src='../" "src='/_/";
+        sub_filter 'href="../' 'href="/_/';
+        sub_filter "href='../" "href='/_/";
+        sub_filter '/cgi/' '/_/cgi/';
+        sub_filter '../html/' '/_/html/';
+        sub_filter '/html/' '/_/html/';
+        sub_filter './js/' '/_/js/';
+        sub_filter 'html/guialert.html' '/_/html/guialert.html';
+        sub_filter 'path = /' 'path = /_/';
+        sub_filter_types text/html text/css text/javascript application/javascript;
+        sub_filter_once off;
+    }