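#!/bin/bash
#
# Bootstrap nginx on Debian: add the nginx.org stable apt repo and install the
# package ("nginx"), or drop in a catch-all default site that serves a
# self-signed certificate ("nginx-config").
#
# Run this script with "(sudo) bash <script> <command>".
#
# Every NGINX_* setting below may be overridden from the environment; the
# defaults are the values this script has always used.
# Don't use ending slashes in paths!

# Exit on error, fail on unset variables, fail a pipeline when any stage fails
# (without pipefail a failed curl would silently leave an empty or corrupt apt
# keyring behind), and trace every command (debug).
set -euo pipefail
set -x

# The user nginx runs as.
NGINX_USER="${NGINX_USER:-nginx}"
# The group nginx runs with.
NGINX_GROUP="${NGINX_GROUP:-nginx}"
# Nginx configuration directory.
NGINX_CONF="${NGINX_CONF:-/etc/nginx}"
# Nginx configuration drop-in path.
NGINX_CONFD="${NGINX_CONFD:-/etc/nginx/conf.d}"
# Where dummy SSL pems are stored.
NGINX_PEM_DIR="${NGINX_PEM_DIR:-/etc/nginx/pem}"
# The default site filename, don't use a full path or filename here.
# Just a name please.
NGINX_DEFAULT_SITE_CONF_NAME="${NGINX_DEFAULT_SITE_CONF_NAME:-default}"

# Print usage. $0 is the script path as it was invoked.
main() {
  cat <<INFO
Usage: "(sudo) bash $0 <command>", for example ... "sudo bash $0 nginx"

nginx         - Add nginx stable repo & install nginx.
nginx-config  - Add a basic nginx config with dumb SSL.
-----
You'll be asked to continue if a file exists, if you're happy to continue hit
enter or ctrl+c to cancel.
INFO
}

# Add the nginx.org stable apt repository and install nginx.
# Mostly taken from http://nginx.org/en/linux_packages.html
# Prompts: when nginx is already installed, and after showing the fingerprint
#          of the downloaded signing key (compare it with the published one).
# Returns: non-zero if any step fails (set -e / pipefail).
nginx() {
  local keyring='/usr/share/keyrings/nginx-archive-keyring.gpg'
  local tmp_keyring

  # dpkg -s (unlike dpkg -l) fails for a package that is merely known to dpkg
  # but not installed, so this prompt only fires for a real installation.
  if dpkg -s nginx >/dev/null 2>&1; then
    printf 'Already installed? Continue (hit enter)?'
    read -r
  fi

  apt-get install -y curl gnupg2 ca-certificates lsb-release \
    debian-archive-keyring openssl

  # -f makes curl fail on an HTTP error instead of piping an error page into
  # gpg. The key is dearmored into a temp file first and only installed once
  # that succeeded, so a failed download never leaves a half-written keyring.
  tmp_keyring="$(mktemp)"
  curl -fsSL https://nginx.org/keys/nginx_signing.key \
    | gpg --dearmor > "$tmp_keyring"
  install -m 0644 -- "$tmp_keyring" "$keyring"
  rm -f -- "$tmp_keyring"

  # A signed-by keyring is only as trustworthy as the key in it: show the
  # fingerprint and make the operator compare it with the one published on
  # https://nginx.org/en/linux_packages.html before apt starts trusting it.
  gpg --dry-run --quiet --no-keyring --import --import-options import-show \
    "$keyring"
  printf 'Does the fingerprint above match the one on nginx.org/en/linux_packages.html?\n'
  printf 'Continue (hit enter) or ctrl+c to cancel.'
  read -r

  # apt verifies package signatures against the keyring above; https on top
  # keeps the metadata and the list of installed packages off the wire.
  printf 'deb [signed-by=%s] https://nginx.org/packages/debian %s nginx\n' \
    "$keyring" "$(lsb_release -cs)" \
    | tee /etc/apt/sources.list.d/nginx.list
  # Prefer nginx.org packages over Debian's own nginx build.
  printf 'Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n\n' \
    | tee /etc/apt/preferences.d/99nginx
  apt-get update
  apt-get install nginx
}

# Write a catch-all default site: every plain-HTTP request is redirected to
# HTTPS, every HTTPS request for an unknown host gets a 404 over a
# self-signed certificate, and /.well-known/acme-challenge/ is proxied to a
# local acme.sh standalone listener on 127.0.0.1:18080.
# Globals: NGINX_CONF, NGINX_CONFD, NGINX_PEM_DIR, NGINX_USER, NGINX_GROUP,
#          NGINX_DEFAULT_SITE_CONF_NAME (all read).
# Prompts: when the pem directory or the site config already exists.
# Returns: 1 when NGINX_CONF or NGINX_CONFD is missing, otherwise the status
#          of nginx -t / systemctl.
nginx-config() {
  local key="${NGINX_PEM_DIR}/default-key.pem"
  local cert="${NGINX_PEM_DIR}/default-cert.pem"
  local dhparam="${NGINX_PEM_DIR}/default-dhparam.pem"
  local site_conf="${NGINX_CONFD}/${NGINX_DEFAULT_SITE_CONF_NAME}.conf"

  # The old "cd || ( ...; return 1 )" returned from a subshell, not from the
  # function; a real guard instead.
  if [[ ! -d "$NGINX_CONF" ]]; then
    printf '"%s" does not exist?\n' "$NGINX_CONF" >&2
    return 1
  fi

  systemctl stop nginx

  # Make pems.
  if [[ -d "$NGINX_PEM_DIR" ]]; then
    printf '"%s" exists? Continue (hit enter)?' "$NGINX_PEM_DIR"
    read -r
  else
    mkdir -p -- "$NGINX_PEM_DIR"
  fi
  # NOTE(review): nginx loads certificates in the master process (root), so
  # the worker user does not need to own this directory; ownership and the
  # 0740 + setgid mode are kept as before for whatever deploys real certs here.
  chown -- "${NGINX_USER}:${NGINX_GROUP}" "$NGINX_PEM_DIR"
  chmod 740 -- "$NGINX_PEM_DIR"
  chmod g+s -- "$NGINX_PEM_DIR"

  # Generate under umask 077 so the private key is never, even briefly,
  # readable by anyone but root (the old touch under the default umask
  # created it 0644 before openssl wrote into it).
  (
    umask 077
    openssl req -x509 -nodes -days 3650 \
      -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" \
      -newkey rsa:2048 -keyout "$key" -out "$cert"
    # 4096-bit dhparam generation can take several minutes; it only matters
    # for the DHE-* ciphers in the list below.
    openssl dhparam -out "$dhparam" 4096
  )
  # Re-runs reuse existing files, which keep their old mode: pin it.
  chmod 0600 -- "$key"
  chmod 0644 -- "$cert" "$dhparam"

  cd -- "$NGINX_CONFD" || return 1
  # The stock default.conf doesn't always exist.
  if [[ -f default.conf ]]; then
    mv -- default.conf default.conf.backup
  fi
  if [[ -f "$site_conf" ]]; then
    printf '"%s" exists? Continue (hit enter)?' "$site_conf"
    read -r
  fi

  # Unquoted delimiter: ${NGINX_PEM_DIR} is expanded now; nginx's own
  # variables are escaped (\$host) so they reach the file literally.
  cat <<NGX > "$site_conf"
# Catch-all default site. Unknown hosts get a 404 over a self-signed
# certificate; real sites belong in their own conf.d files.

# Warn on any null variables
uninitialized_variable_warn on;
# Don't print software version
server_tokens off;

# If you don't use acme.sh you can remove this block.
upstream acme {
    server 127.0.0.1:18080;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        return 301 https://\$host\$request_uri;
    }

    # Proxy Let's Encrypt to acme upstream - remove if you don't use
    # acme.sh
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://acme;
    }
}

server {
    # default_server: be the server that answers unknown SNI / Host values
    # regardless of how conf.d files sort. On nginx >= 1.25.1 the http2
    # listen parameter is deprecated in favour of "http2 on;" (warning only).
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_certificate ${NGINX_PEM_DIR}/default-cert.pem;
    ssl_certificate_key ${NGINX_PEM_DIR}/default-key.pem;
    ssl_dhparam ${NGINX_PEM_DIR}/default-dhparam.pem;

    add_header Strict-Transport-Security "max-age=63072000" always;

    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;

    # Proxy Let's Encrypt to acme upstream - remove if you don't use
    # acme.sh
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://acme;
    }

    # For everything else return 404
    location / {
        log_not_found off;
        access_log off;
        return 404;
    }
}
NGX

  # 'command' bypasses the nginx() shell function defined above, which a bare
  # "nginx -t" would call instead of the binary (re-running the installer).
  command nginx -t
  systemctl restart nginx
}

# Dispatch the first argument to one of the known commands (default: main).
# Only the listed names are callable; the old "${1:-main} "$@"" form ran
# whatever command name was passed, with its own name as first argument.
# Arguments: $1 - command name; remaining arguments are passed through.
# Returns: 2 for an unknown command, otherwise the command's exit status.
dispatch() {
  local cmd="${1:-main}"
  if (( $# > 0 )); then
    shift
  fi
  case "$cmd" in
    main|nginx|nginx-config)
      "$cmd" "$@"
      ;;
    *)
      printf 'Unknown command: %s\n' "$cmd" >&2
      main
      return 2
      ;;
  esac
}

dispatch "$@"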