kit/nginx/nginx-config.sh

#!/bin/bash

# Run this script with "(sudo) bash <filename> <args>".

# Exit on error.
#set -e
# Debug
set -eux

# Don't use ending slashes in paths!

# The user nginx runs as.
NGINX_USER='nginx'

# The group nginx runs with.
NGINX_GROUP='nginx'

# Nginx configuration directory.
NGINX_CONF='/etc/nginx'

# Nginx configuration drop-in path.
NGINX_CONFD='/etc/nginx/conf.d'

# Where dummy SSL pems are stored.
NGINX_CERT_DIR='/etc/nginx/certs'

# The default site filename, don't use a full path or filename here.
# Just a name please.
NGINX_DEFAULT_SITE_CONF_NAME="default"

nginx-config() {

cd ${NGINX_CONF:-/no_path/9} || (
    echo "\"${NGINX_CONF}\" doesn't exist?"
    return 1;
)

systemctl stop nginx

# Make pems.
cd ${NGINX_CERT_DIR:-/no_path/3} && (
    echo "\"${NGINX_CERT_DIR}\" exists? Continue (hit enter)?"
    read
) || (
    mkdir ${NGINX_CERT_DIR:-/no_path/3}
    cd ${NGINX_CERT_DIR:-/no_path/3}
)

chown ${NGINX_USER:-nginx}:${NGINX_GROUP:-nginx} ${NGINX_CERT_DIR:-/no_path/3}

chmod 740 ${NGINX_CERT_DIR:-/no_path/3}

chmod g+s ${NGINX_CERT_DIR:-/no_path/3}

touch ${NGINX_CERT_DIR:-/no_path/3}/default.{key,cer,dhp}

openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout ${NGINX_CERT_DIR:-/no_path/3}/default.key -out ${NGINX_CERT_DIR:-/no_path/3}/default.cer

openssl dhparam -out ${NGINX_CERT_DIR:-/no_path/3}/default.dhp 4096

cd ${NGINX_CONFD:-/no_path/4}

# This doesn't always exist.
[[ -f "default.conf" ]] && mv default.conf default.conf.backup

NGINX_DEFAULT_SITE_CONF_NAME=${NGINX_DEFAULT_SITE_CONF_NAME:-fail}

NGINX_DEFAULT_SITE_CONF_NAME_FULL="${NGINX_CONFD:-/no_path/4}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}.conf"

[[ -f "${NGINX_DEFAULT_SITE_CONF_NAME_FULL}" ]] && (
    echo "\"${NGINX_DEFAULT_SITE_CONF_NAME_FULL}\" exists? Continue (hit enter)?"
    read
)

cat <<NGX > ${NGINX_DEFAULT_SITE_CONF_NAME_FULL}
# Warn on any null variables
uninitialized_variable_warn on;

# Don't print software version
server_tokens off;

# If you don't use acme you can remove this block.
upstream acme {
    server 127.0.0.1:18080;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        return 301 https://\$host\$request_uri;
    }

    # Proxy Let's Encrypt to acme upstream - remove if you don't use
    # acme.sh
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://acme;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_certificate ${NGINX_CERT_DIR:-/no_path/6}/default.cer;
    ssl_certificate_key ${NGINX_CERT_DIR:-/no_path/6}/default.key;
    ssl_dhparam ${NGINX_CERT_DIR:-/no_path/6}/default.dhp;

    add_header Strict-Transport-Security "max-age=63072000" always;

    resolver 9.9.9.9 149.112.112.112;

    # Proxy Let's Encrypt to acme upstream - remove if you don't use
    # acme.sh
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://acme;
    }

    # For everything else return 404
    location / {
        log_not_found off;
        access_log off;
        return 404;
    }

}
NGX

nginx -t

systemctl restart nginx

}

${1:-nginx-config} "$@"