diff --git a/nginx/nginx-config.sh b/nginx/nginx-config.sh
new file mode 100644
index 0000000..c4f223d
--- /dev/null
+++ b/nginx/nginx-config.sh
@@ -0,0 +1,140 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash ".
+
+# Exit on error.
+#set -e
+# Debug
+set -eux
+
+# Don't use ending slashes in paths!
+
+# The user nginx runs as.
+NGINX_USER='nginx'
+
+# The group nginx runs with.
+NGINX_GROUP='nginx'
+
+# Nginx configuration directory.
+NGINX_CONF='/etc/nginx'
+
+# Nginx configuration drop-in path.
+NGINX_CONFD='/etc/nginx/conf.d'
+
+# Where dummy SSL pems are stored.
+NGINX_PEM_DIR='/etc/nginx/pem'
+
+# The default site filename, don't use a full path or filename here.
+# Just a name please.
+NGINX_DEFAULT_SITE_CONF_NAME="default"
+
+nginx-config() {
+
+cd ${NGINX_CONF:-/no_path/9} || (
+ echo "\"${NGINX_CONF}\" doesn't exist?"
+ return 1;
+)
+
+systemctl stop nginx
+
+# Make pems.
+cd ${NGINX_PEM_DIR:-/no_path/3} && (
+ echo "\"${NGINX_PEM_DIR}\" exists? Continue (hit enter)?"
+ read
+) || (
+ mkdir ${NGINX_PEM_DIR:-/no_path/3}
+ cd ${NGINX_PEM_DIR:-/no_path/3}
+)
+
+chown ${NGINX_USER:-nginx}:${NGINX_GROUP:-nginx} ${NGINX_PEM_DIR:-/no_path/3}
+
+chmod 740 ${NGINX_PEM_DIR:-/no_path/3}
+
+chmod g+s ${NGINX_PEM_DIR:-/no_path/3}
+
+touch ${NGINX_PEM_DIR:-/no_path/3}/default-{key,cert,dhparam}.pem
+
+openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout ${NGINX_PEM_DIR:-/no_path/3}/default-key.pem -out ${NGINX_PEM_DIR:-/no_path/3}/default-cert.pem
+
+openssl dhparam -out ${NGINX_PEM_DIR:-/no_path/3}/default-dhparam.pem 4096
+
+cd ${NGINX_CONFD:-/no_path/4}
+
+# This doesn't always exist.
+[[ -f "default.conf" ]] && mv default.conf default.conf.backup
+
+NGINX_DEFAULT_SITE_CONF_NAME=${NGINX_DEFAULT_SITE_CONF_NAME:-fail}
+
+NGINX_DEFAULT_SITE_CONF_NAME_FULL="${NGINX_CONFD:-/no_path/4}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}.conf"
+
+[[ -f "${NGINX_DEFAULT_SITE_CONF_NAME_FULL}" ]] && (
+ echo "\"${NGINX_DEFAULT_SITE_CONF_NAME_FULL}\" exists? Continue (hit enter)?"
+ read
+)
+
+cat < ${NGINX_DEFAULT_SITE_CONF_NAME_FULL}
+# Warn on any null variables
+uninitialized_variable_warn on;
+
+# Don't print software version
+server_tokens off;
+
+# If you don't use acme you can remove this block.
+upstream acme {
+ server 127.0.0.1:18080;
+}
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ location / {
+ return 301 https://\$host\$request_uri;
+ }
+
+ # Proxy Let's Encrypt to acme upstream - remove if you don't use
+ # acme.sh
+ location ^~ /.well-known/acme-challenge/ {
+ proxy_pass http://acme;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ ssl_certificate ${NGINX_PEM_DIR:-/no_path/6}/default-cert.pem;
+ ssl_certificate_key ${NGINX_PEM_DIR:-/no_path/6}/default-key.pem;
+ ssl_dhparam ${NGINX_PEM_DIR:-/no_path/6}/default-dhparam.pem;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;
+
+ # Proxy Let's Encrypt to acme upstream - remove if you don't use
+ # acme.sh
+ location ^~ /.well-known/acme-challenge/ {
+ proxy_pass http://acme;
+ }
+
+ # For everything else return 404
+ location / {
+ log_not_found off;
+ access_log off;
+ return 404;
+ }
+
+}
+NGX
+
+nginx -t
+
+systemctl restart nginx
+
+}
+
+${1:-nginx-config} "$@"
diff --git a/nginx/nginx-deb-install.sh b/nginx/nginx-deb-install.sh
new file mode 100755
index 0000000..8b87732
--- /dev/null
+++ b/nginx/nginx-deb-install.sh
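Review bot: `default-key.pem` is pre-created by the `touch` line with the shell's default umask before `openssl req -keyout` writes the private key into it, and writing into an existing file does not change its mode, so the key keeps whatever the umask gave it (0644 under the usual 022) and is shielded only by the `chmod 740` on the directory; add `chmod 600 ${NGINX_PEM_DIR:-/no_path/3}/default-key.pem` after the two openssl calls (or `umask 077` before the `touch`) so the key itself is not world-readable. As rendered, `cat < ${NGINX_DEFAULT_SITE_CONF_NAME_FULL}` redirects the target file into cat rather than writing the here-doc to it; the `NGX` terminator further down suggests `cat <<NGX > "${NGINX_DEFAULT_SITE_CONF_NAME_FULL}"` was intended and the opener may have been lost in this rendering — worth confirming in the committed file, since otherwise the nginx directives that follow would be executed as shell commands. The closing `${1:-nginx-config} "$@"` runs whatever the first argument is as a command while still passing it through in `"$@"`; the same dispatcher closes nginx-deb-install.sh, and both would be clearer as a `case "${1:-}"` over the known function names. The `return 1` inside `( … )` after the failed `cd` only exits that subshell; the script aborts there only because `set -e` trips on the failing list, so `|| { echo "…" >&2; return 1; }` says what is meant.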
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash ".
+
+# Exit on error.
+#set -e
+# Debug
+set -eux
+
+nginx() {
+# Mostly taken from http://nginx.org/en/linux_packages.html
+
+# Continue if already installed?
+dpkg -l nginx && (
+ echo "Already installed? Continue (hit enter)?"
+ read
+)
+
+apt install -y curl gnupg2 ca-certificates lsb-release \
+ debian-archive-keyring openssl
+
+curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
+ | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+
+echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+http://nginx.org/packages/debian `lsb_release -cs` nginx" \
+ | tee /etc/apt/sources.list.d/nginx.list
+
+echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
+ | tee /etc/apt/preferences.d/99nginx
+
+apt update
+apt install nginx
+}
+
+${1:-nginx} "$@"
diff --git a/nginx/upstream.conf b/nginx/upstream.conf
new file mode 100644
index 0000000..c6fcb3d
--- /dev/null
+++ b/nginx/upstream.conf
@@ -0,0 +1,4 @@
+upstream custom_upstream {
+ #server unix:/run/custom_upstream;
+ server 127.0.0.1:8080;
+}
diff --git a/nginx/yeastar-ta100-location.inc b/nginx/yeastar-ta100-location.inc
new file mode 100644
index 0000000..85dd3e2
--- /dev/null
+++ b/nginx/yeastar-ta100-location.inc
@@ -0,0 +1,18 @@
+ location ^~ /_ {
+ proxy_http_version 1.1;
+ proxy_pass http://yeastar/;
+ proxy_cookie_path / /_/;
+ proxy_buffering off;
+ sub_filter 'src="../' 'src="/_/';
+ sub_filter "src='../" "src='/_/";
+ sub_filter 'href="../' 'href="/_/';
+ sub_filter "href='../" "href='/_/";
+ sub_filter '/cgi/' '/_/cgi/';
+ sub_filter '../html/' '/_/html/';
+ sub_filter '/html/' '/_/html/';
+ sub_filter './js/' '/_/js/';
+ sub_filter 'html/guialert.html' '/_/html/guialert.html';
+ sub_filter 'path = /' 'path = /_/';
+ sub_filter_types text/html text/css text/javascript application/javascript;
+ sub_filter_once off;
+ }
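Review bot: The `curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee …` pipeline runs under `set -eux` with no `pipefail` and curl has no `-f`, so a failed or partial download (an HTTP error page, a dropped connection) is not fatal: the keyring is written from whatever arrived and the next lines still add the repository that trusts it. Use `set -euxo pipefail` at the top and `curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null` so a bad fetch aborts before nginx.list is written. The page the comment links to also asks that the imported key's fingerprint be compared against the one it publishes; a `gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg` step, checked against that published value before the repository is added, closes the gap between "fetched over TLS" and "the key we expected". Naming the function `nginx` shadows the binary of the same name for the rest of the shell, and the final `apt install nginx` lacks the `-y` used a few lines earlier, so it will prompt.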
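Review bot: This location exposes an embedded device's web UI under `/_` and carries no access control of its own — no `allow`/`deny`, no `auth_basic`, no client-certificate requirement — so whether the TA100 admin pages are reachable by anyone who can reach the vhost depends entirely on the server block that includes this file. If that is not deliberate, put `allow <ADMIN_NETWORK_PLACEHOLDER>;` / `deny all;` (or an `auth_basic` pair) at the top of the block so the include is safe wherever it is dropped in, and say so in a leading comment. `proxy_http_version 1.1` is set without the `proxy_set_header Host`/`X-Forwarded-For` lines usually paired with it; that is fine if the device ignores the Host it sees, but a comment noting the choice would save the next reader from adding them blindly.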