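#!/bin/bash
# Run this script with "(sudo) bash <filename> <args>".
#
# Usage: sudo bash <filename> [function]
#   With no argument the help text is printed (see main).
#
# Required environment: none. The NGINX_* settings below are the only
# configuration; edit them here.

# Exit on error, treat unset variables as an error, and trace every command
# (debug). pipefail makes a pipeline report the first failing stage instead
# of only the last one, so e.g. a failed download piped into gpg/tee is not
# silently treated as success.
set -eux
set -o pipefail

# Don't use ending slashes in paths!

# The user nginx runs as.
NGINX_USER='nginx'

# The group nginx runs with.
NGINX_GROUP='nginx'

# Nginx configuration directory.
NGINX_CONF='/etc/nginx'

# Nginx configuration drop-in path.
NGINX_CONFD='/etc/nginx/conf.d'

# Where dummy SSL pems are stored.
NGINX_PEM_DIR='/etc/nginx/pem'

# The default site filename, don't use a full path or filename here.
# Just a name please. (nginx-config reassigns this with a fallback, so it is
# deliberately not readonly.)
NGINX_DEFAULT_SITE_CONF_NAME="default"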
#######################################
# Print the help text: how to invoke the script and which functions exist.
# Globals:   none
# Arguments: none
# Outputs:   help text on stdout
# Returns:   0
#######################################
main() {
  local script=$0
  printf '%s\n' \
    'Run with one of the following options:-' \
    "\"sudo bash ${script} <function> <args>\" for example ..." \
    "\"sudo bash ${script} nginx\"" \
    '' \
    'nginx - Add nginx stable repo & install nginx.' \
    'nginx-config - Add a basic nginx config with dumb SSL.' \
    '-----' \
    '' \
    "You'll be asked to continue if a file exists, if you're happy to" \
    'continue hit enter or ctrl+c to cancel.'
}
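#######################################
# Add the nginx.org stable APT repository (Debian) and install nginx from it.
# Mostly taken from http://nginx.org/en/linux_packages.html
# Globals:   none
# Arguments: none used ($1 is the dispatched function name, ignored)
# Outputs:   prompt on stdout if nginx already appears installed; the
#            downloaded signing key's fingerprint, for the operator to
#            compare with the one published on nginx.org
# Returns:   0, or the status of the failing command (set -e aborts)
#######################################
nginx() {
  local keyring=/usr/share/keyrings/nginx-archive-keyring.gpg
  local tmpkey codename

  # Continue if already installed? (dpkg -l also succeeds for removed or
  # purged packages, so check the actual install status.)
  if dpkg-query -W -f='${Status}' nginx 2>/dev/null \
    | grep -q '^install ok installed$'; then
    echo "Already installed? Continue (hit enter)?"
    read -r _
  fi

  apt install -y curl gnupg2 ca-certificates lsb-release \
    debian-archive-keyring openssl

  # -f makes an HTTP error fail the download instead of handing an error
  # page to gpg. Downloading to a file first keeps curl's own exit status
  # visible to set -e even when pipefail is not enabled.
  tmpkey=$(mktemp) || return
  curl -fsSL https://nginx.org/keys/nginx_signing.key -o "${tmpkey}"
  gpg --dearmor < "${tmpkey}" > "${keyring}"
  rm -f -- "${tmpkey}"
  # apt reads the keyring as an unprivileged user.
  chmod 0644 "${keyring}"

  # Print the fingerprint so it can be compared against the one published
  # at http://nginx.org/en/linux_packages.html before "apt update" trusts it.
  echo "Compare this fingerprint with the one published on nginx.org:"
  gpg --show-keys --with-fingerprint "${keyring}"

  codename=$(lsb_release -cs) || return
  printf 'deb [signed-by=%s] http://nginx.org/packages/debian %s nginx\n' \
    "${keyring}" "${codename}" \
    | tee /etc/apt/sources.list.d/nginx.list

  # Prefer nginx.org packages over the distribution's own.
  printf 'Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n\n' \
    | tee /etc/apt/preferences.d/99nginx

  apt update
  # Deliberately without -y: the operator sees what will be installed and
  # confirms, as with the rest of this interactive script.
  apt install nginx
}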
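#######################################
# Create NGINX_PEM_DIR (owned by the nginx account, group-setgid) and
# generate a self-signed key/cert pair plus DH parameters inside it.
# Globals:   NGINX_PEM_DIR, NGINX_USER, NGINX_GROUP (read);
#            NGINX_DHPARAM_BITS (read, optional, default 4096)
# Arguments: none
# Outputs:   prompt on stdout if the directory already exists
# Returns:   0, or the status of the failing command (set -e aborts)
#######################################
_nginx_make_pems() {
  local pem_dir=${NGINX_PEM_DIR:-/no_path/3}
  local dh_bits=${NGINX_DHPARAM_BITS:-4096}

  if [[ -d "${pem_dir}" ]]; then
    echo "\"${pem_dir}\" exists? Continue (hit enter)?"
    read -r _
  else
    mkdir -- "${pem_dir}"
  fi

  # Owned by the nginx account with setgid so new files inherit the group;
  # 0740 keeps the directory unreadable to other users. NOTE(review): the
  # nginx user can therefore also replace files in it — acceptable for dummy
  # certs, reconsider before storing real keys here.
  chown -- "${NGINX_USER:-nginx}:${NGINX_GROUP:-nginx}" "${pem_dir}"
  chmod 0740 "${pem_dir}"
  chmod g+s "${pem_dir}"

  # Create the files up front so an unwritable directory fails fast, before
  # the slow dhparam generation below.
  touch -- "${pem_dir}"/default-{key,cert,dhparam}.pem

  openssl req -x509 -nodes -days 3650 \
    -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" \
    -newkey rsa:2048 \
    -keyout "${pem_dir}/default-key.pem" \
    -out "${pem_dir}/default-cert.pem"

  # touch/openssl leave the key at the umask default (usually 0644); the
  # private key must not be world-readable.
  chmod 0640 "${pem_dir}/default-key.pem"

  # 4096-bit parameters can take many minutes to generate.
  openssl dhparam -out "${pem_dir}/default-dhparam.pem" "${dh_bits}"
}

#######################################
# Write the default site (<NGINX_DEFAULT_SITE_CONF_NAME>.conf) into
# NGINX_CONFD, backing up a packaged default.conf first. The site redirects
# HTTP to HTTPS, proxies ACME challenges to a local "acme" upstream and
# answers 404 to everything else.
# Globals:   NGINX_CONFD, NGINX_PEM_DIR (read);
#            NGINX_DEFAULT_SITE_CONF_NAME (read, reassigned with a fallback);
#            NGINX_DEFAULT_SITE_CONF_NAME_FULL (written)
# Arguments: none
# Outputs:   prompt on stdout if the target file already exists
# Returns:   0, or the status of the failing command (set -e aborts)
#######################################
_nginx_write_default_site() {
  local confd=${NGINX_CONFD:-/no_path/4}
  local pem_dir=${NGINX_PEM_DIR:-/no_path/6}

  cd -- "${confd}" || return

  # The packaged default.conf doesn't always exist.
  if [[ -f default.conf ]]; then
    mv -- default.conf default.conf.backup
  fi

  NGINX_DEFAULT_SITE_CONF_NAME=${NGINX_DEFAULT_SITE_CONF_NAME:-fail}
  NGINX_DEFAULT_SITE_CONF_NAME_FULL="${confd}/${NGINX_DEFAULT_SITE_CONF_NAME}.conf"

  if [[ -f "${NGINX_DEFAULT_SITE_CONF_NAME_FULL}" ]]; then
    echo "\"${NGINX_DEFAULT_SITE_CONF_NAME_FULL}\" exists? Continue (hit enter)?"
    read -r _
  fi

  # Unquoted delimiter: ${pem_dir} is expanded by the shell; nginx's own
  # $host/$request_uri are escaped so they reach the file literally.
  cat <<NGX > "${NGINX_DEFAULT_SITE_CONF_NAME_FULL}"
# Warn on any null variables
uninitialized_variable_warn on;

# Don't print software version
server_tokens off;

# If you don't use acme.sh you can remove this block.
upstream acme {
    server 127.0.0.1:18080;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        return 301 https://\$host\$request_uri;
    }

    # Proxy Let's Encrypt to acme upstream - remove if you don't use
    # acme.sh
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://acme;
    }
}

server {
    # Recent nginx releases deprecate the "http2" listen parameter in favour
    # of a separate "http2 on;" directive; both forms currently work.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_certificate ${pem_dir}/default-cert.pem;
    ssl_certificate_key ${pem_dir}/default-key.pem;
    ssl_dhparam ${pem_dir}/default-dhparam.pem;

    add_header Strict-Transport-Security "max-age=63072000" always;

    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;

    # Proxy Let's Encrypt to acme upstream - remove if you don't use
    # acme.sh
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://acme;
    }

    # For everything else return 404
    location / {
        log_not_found off;
        access_log off;
        return 404;
    }

}
NGX
}

#######################################
# Build a minimal nginx layout: dummy self-signed certificates under
# NGINX_PEM_DIR and a default site in NGINX_CONFD. Intended for a fresh host
# before real certificates exist.
# Globals:   NGINX_CONF, NGINX_CONFD, NGINX_PEM_DIR, NGINX_USER, NGINX_GROUP,
#            NGINX_DEFAULT_SITE_CONF_NAME, NGINX_DHPARAM_BITS (see helpers)
# Arguments: none used ($1 is the dispatched function name, ignored)
# Outputs:   prompts on stdout when a file or directory already exists
# Returns:   0 on success; 1 when NGINX_CONF is missing; otherwise the
#            failing command's status (set -e aborts the script)
#######################################
nginx-config() {
  # NGINX_CONF is only checked for existence here; later steps use absolute
  # paths. A brace group (not a subshell) so that "return" leaves the
  # function instead of only the subshell.
  cd -- "${NGINX_CONF:-/no_path/9}" || {
    echo "\"${NGINX_CONF}\" doesn't exist?" >&2
    return 1
  }

  # nginx stays stopped until the new config passes "nginx -t" below; if an
  # intermediate step fails, set -e exits the script with nginx still down.
  systemctl stop nginx

  _nginx_make_pems
  _nginx_write_default_site

  nginx -t
  systemctl restart nginx
}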
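# Dispatch: $1 names one of this script's functions (default "main"); the
# whole argument list, including the function name, is passed on. Only a
# function defined in this file is run — a bare command name supplied by
# the caller is rejected instead of being executed.
dispatch_name=${1:-main}
if [[ "$(type -t -- "${dispatch_name}")" != function ]]; then
  printf 'Unknown function: %s\n' "${dispatch_name}" >&2
  main
  exit 2
fi
"${dispatch_name}" "$@"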