Update Nginx default config
@@ -37,10 +37,8 @@ server {
|
||||
# PHP-FPM status monitoring.
|
||||
location ~ ^/php-fpm_(status|ping)$ {
|
||||
include /etc/nginx/fastcgi_params;
|
||||
|
||||
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
|
||||
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
|
||||
|
||||
allow all;
|
||||
auth_basic "Denied";
|
||||
auth_basic_user_file /srv/.htpasswd;
|
||||
@@ -48,7 +46,18 @@ server {
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
location ~ \.php81$ {
|
||||
location ~ \.php82$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_index index.php;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
include /etc/nginx/includes/fastcgi.conf;
|
||||
# Uncomment to Enable PHP FastCGI cache.
|
||||
#include /etc/nginx/includes/fastcgi_cache.conf;
|
||||
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
|
||||
}
|
||||
|
||||
location ~ \.(php|php81)$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_index index.php;
|
||||
@@ -59,7 +68,7 @@ server {
|
||||
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||
}
|
||||
|
||||
location ~ \.(php|php80)$ {
|
||||
location ~ \.php80$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_index index.php;
|
||||
@@ -174,11 +183,21 @@ server {
|
||||
# Uncomment to Enable PHP FastCGI cache.
|
||||
#include /etc/nginx/includes/fastcgi_cache.conf;
|
||||
|
||||
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
|
||||
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||
}
|
||||
}
|
||||
|
||||
location ~ \.php81$ {
|
||||
location ~ \.php82$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_index index.php;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
include /etc/nginx/includes/fastcgi.conf;
|
||||
#include /etc/nginx/includes/fastcgi_cache.conf;
|
||||
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
|
||||
}
|
||||
|
||||
location ~ \.(php|php81)$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_index index.php;
|
||||
@@ -188,7 +207,7 @@ server {
|
||||
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||
}
|
||||
|
||||
location ~ \.(php|php80)$ {
|
||||
location ~ \.php80$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_index index.php;
|
||||
@@ -261,5 +280,3 @@ server {
|
||||
#include /etc/nginx/includes/error_pages.conf;
|
||||
#include /etc/nginx/includes/fcgiwrap.conf;
|
||||
}
|
||||
|
||||
## SSL redirection here.
|
||||
|
||||
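--- /dev/null
+++ b/etc/nginx/sites-available/default-ssl
@@ -0,0 +1,317 @@
+# Generated by LEMPer.sh
+
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    server_name localhost.localdomain;
+
+    ## SSL configuration.
+    ssl_certificate HOSTNAME_CERT_PATH/fullchain.pem;
+    ssl_certificate_key HOSTNAME_CERT_PATH/privkey.pem;
+    ssl_trusted_certificate HOSTNAME_CERT_PATH/fullchain.pem;
+    include /etc/nginx/includes/ssl.conf;
+
+    access_log /var/log/nginx/localhost.access.log combined buffer=32k;
+    error_log /var/log/nginx/localhost.error.log error;
+
+    root /usr/share/nginx/html;
+    index index.php index.html index.htm;
+
+    include /etc/nginx/includes/rules_security.conf;
+    include /etc/nginx/includes/rules_staticfiles.conf;
+    include /etc/nginx/includes/rules_restriction.conf;
+    #include /etc/nginx/includes/rules_fastcgi_cache.conf;
+
+    include /etc/nginx/vhost/site_default.conf;
+
+    # Nginx basic status monitoring.
+    location = /nginx_status {
+        stub_status;
+        allow all;
+        auth_basic "Denied";
+        auth_basic_user_file /srv/.htpasswd;
+        access_log off;
+        log_not_found off;
+    }
+
+    # PHP-FPM status monitoring.
+    location ~ ^/php-fpm_(status|ping)$ {
+        include /etc/nginx/fastcgi_params;
+        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
+        allow all;
+        auth_basic "Denied";
+        auth_basic_user_file /srv/.htpasswd;
+        access_log off;
+        log_not_found off;
+    }
+
+    location ~ \.php82$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        # Uncomment to Enable PHP FastCGI cache.
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+    }
+
+    location ~ \.(php|php81)$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        # Uncomment to Enable PHP FastCGI cache.
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+    }
+
+    location ~ \.php80$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php8.0-fpm.sock;
+    }
+
+    location ~ \.php74$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        # Uncomment to Enable PHP FastCGI cache.
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+    }
+
+    location ~ \.php73$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    }
+
+    location ~ \.php72$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
+    }
+
+    location ~ \.php71$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
+    }
+
+    location ~ \.php70$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+    }
+
+    location ~ \.php56$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php5.6-fpm.sock;
+    }
+
+    #include /etc/nginx/includes/error_pages.conf;
+    #include /etc/nginx/includes/fcgiwrap.conf;
+}
+
+## LEMPer Web-based Administration
+server {
+    listen 8083 ssl http2;
+    listen [::]:8083 ssl http2;
+
+    server_name localhost.localdomain;
+
+    ## SSL configuration.
+    ssl_certificate HOSTNAME_CERT_PATH/fullchain.pem;
+    ssl_certificate_key HOSTNAME_CERT_PATH/privkey.pem;
+    ssl_trusted_certificate HOSTNAME_CERT_PATH/fullchain.pem;
+    include /etc/nginx/includes/ssl.conf;
+
+    root /usr/share/nginx/html;
+    index index.php index.html index.htm;
+
+    # Log Settings.
+    access_log /var/log/nginx/localhost.access.log combined buffer=32k;
+    error_log /var/log/nginx/localhost.error.log error;
+
+    location /lcp {
+        try_files $uri $uri/ /index.php?$args;
+
+        # Uncomment to enable naxsi on this location
+        #include /etc/nginx/naxsi.rules;
+
+        # Uncomment to enable auto index
+        #autoindex on;
+
+        # Set basic auth.
+        allow all;
+        auth_basic "Denied";
+        auth_basic_user_file /srv/.htpasswd;
+
+        location ~ \.php$ {
+            try_files $uri =404;
+
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_index index.php;
+
+            include /etc/nginx/fastcgi_params;
+            include /etc/nginx/includes/fastcgi.conf;
+
+            # Uncomment to Enable PHP FastCGI cache.
+            #include /etc/nginx/includes/fastcgi_cache.conf;
+
+            fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+        }
+    }
+
+    location ~ \.php82$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+    }
+
+    location ~ \.(php|php81)$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+    }
+
+    location ~ \.php80$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php8.0-fpm.sock;
+    }
+
+    location ~ \.php74$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+    }
+
+    location ~ \.php73$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    }
+
+    location ~ \.php72$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
+    }
+
+    location ~ \.php71$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
+    }
+
+    location ~ \.php70$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+    }
+
+    location ~ \.php56$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        include /etc/nginx/includes/fastcgi.conf;
+        #include /etc/nginx/includes/fastcgi_cache.conf;
+        fastcgi_pass unix:/run/php/php5.6-fpm.sock;
+    }
+
+    #include /etc/nginx/includes/error_pages.conf;
+    #include /etc/nginx/includes/fcgiwrap.conf;
+}
+
+
+## HTTP to HTTPS redirection.
+server {
+    listen 80;
+    listen [::]:80;
+
+    ## Make site accessible from world wide.
+    server_name localhost.localdomain;
+
+    ## Automatically redirect site to HTTPS protocol.
+    location / {
+        return 301 https://$server_name:443$request_uri;
+    }
+}
+
+server {
+    listen 8082;
+    listen [::]:8082;
+
+    ## Make site accessible from world wide.
+    server_name localhost.localdomain;
+
+    ## Automatically redirect site to HTTPS protocol.
+    location / {
+        return 301 https://$server_name:8083$request_uri;
+    }
+}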
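Review bot: This file is a template rather than a deployable vhost, and nothing in it says so: `HOSTNAME_CERT_PATH` in the three `ssl_*` directives of the 443 server and again in the 8083 admin server is a literal placeholder that the installer rewrites with `sed` after copying the file over `sites-available/default`, so anyone enabling it by hand gets an nginx that cannot load its certificate. A second header line after `# Generated by LEMPer.sh` would make the contract explicit, e.g. `# Template: HOSTNAME_CERT_PATH is substituted by the installer before this file is installed as "default".` The same placeholder also feeds `ssl_trusted_certificate`, so whatever is substituted must point at a directory holding `fullchain.pem` and `privkey.pem`.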
@@ -268,8 +268,8 @@ enabled = true
|
||||
port = http,https
|
||||
filter = ${FRAMEWORK}
|
||||
action = iptables-multiport[name=webapps, port="http,https", protocol=tcp]
|
||||
logpath = ${WEBROOT}/access_log
|
||||
bantime = 30d
|
||||
logpath = ${WEBROOT}/logs/nginx/access_log
|
||||
bantime = 7d
|
||||
findtime = 5m
|
||||
maxretry = 3
|
||||
EOL
|
||||
@@ -492,11 +492,11 @@ function enable_ssl() {
|
||||
|
||||
# Change listening port to 443.
|
||||
if grep -qwE "^\ listen\ (\b[0-9]{1,3}\.){3}[0-9]{1,3}\b:80" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
|
||||
run sed -i "s/\:80/\:443 ssl http2/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
|
||||
run sed -i "s/\:80/\:443\ ssl\ http2/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
|
||||
else
|
||||
run sed -i "s/listen\ 80/listen\ 443\ ssl\ http2/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
|
||||
fi
|
||||
|
||||
|
||||
run sed -i "s/listen\ \[::\]:80/listen\ \[::\]:443\ ssl\ http2/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
|
||||
|
||||
# Enable SSL configs.
|
||||
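Review bot: The `sed` patterns in this hunk are unanchored, so `s/\:80/\:443\ ssl\ http2/g` also rewrites the `:80` prefix of any `:8080`, `:8082` or `:8083` occurrence in `${DOMAIN}.conf`, and `s/listen\ 80/…/g` likewise matches `listen 8083`; the two variants of the `:80` substitution differ only in how the spaces are escaped, so the match is unchanged. Requiring the port to be followed by a space or semicolon keeps the substitution to real `listen` directives, e.g. `s/:80\([[:space:];]\)/:443 ssl http2\1/g` and `s/listen 80\([[:space:];]\)/listen 443 ssl http2\1/g` (the backslash-escaped spaces are unnecessary inside double quotes). The same applies to the `[::]:80` substitution further down. enable_ssl starts and ends outside the hunk.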
@@ -519,12 +519,12 @@ function enable_ssl() {
|
||||
# Append redirection block.
|
||||
cat >> "/etc/nginx/sites-available/${DOMAIN}.conf" <<EOL
|
||||
|
||||
# HTTP to HTTPS redirection.
|
||||
## HTTP to HTTPS redirection.
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
## Make site accessible from world web.
|
||||
## Make site accessible from world wide.
|
||||
server_name ${1};
|
||||
|
||||
## Automatically redirect site to HTTPS protocol.
|
||||
@@ -897,7 +897,7 @@ function generate_selfsigned_ssl() {
|
||||
|
||||
# Create chain file.
|
||||
run cat "/etc/lemper/ssl/${DOMAIN}/cert.pem" "${CA_CRT_FILE}" >> \
|
||||
"/etc/lemper/ssl/${DOMAIN}/chain.pem"
|
||||
"/etc/lemper/ssl/${DOMAIN}/fullchain.pem"
|
||||
|
||||
if [ -f "/etc/lemper/ssl/${DOMAIN}/cert.pem" ]; then
|
||||
success "Self-signed SSL certificate has been successfully generated."
|
||||
|
||||
@@ -1559,29 +1559,6 @@ function init_nginx_install() {
|
||||
MOD_STREAM_ENABLED=true
|
||||
fi
|
||||
fi
|
||||
|
||||
# Nginx init script.
|
||||
if [ ! -f /etc/init.d/nginx ]; then
|
||||
run cp etc/init.d/nginx /etc/init.d/
|
||||
run chmod ugo+x /etc/init.d/nginx
|
||||
fi
|
||||
|
||||
# Nginx systemd script.
|
||||
[ ! -f /lib/systemd/system/nginx.service ] && \
|
||||
run cp etc/systemd/nginx.service /lib/systemd/system/
|
||||
|
||||
[ ! -f /etc/systemd/system/multi-user.target.wants/nginx.service ] && \
|
||||
run ln -s /lib/systemd/system/nginx.service \
|
||||
/etc/systemd/system/multi-user.target.wants/nginx.service
|
||||
|
||||
# Try reloading daemon.
|
||||
run systemctl daemon-reload
|
||||
|
||||
# Enable in start up.
|
||||
run systemctl enable nginx.service
|
||||
|
||||
# Masked (?).
|
||||
run systemctl unmask nginx.service
|
||||
;;
|
||||
*)
|
||||
# Skip installation.
|
||||
@@ -1616,16 +1593,6 @@ function init_nginx_install() {
|
||||
[ ! -d /etc/nginx/sites-available ] && run mkdir -p /etc/nginx/sites-available
|
||||
[ ! -d /etc/nginx/sites-enabled ] && run mkdir -p /etc/nginx/sites-enabled
|
||||
|
||||
# Copy custom default vhost.
|
||||
[ -f /etc/nginx/sites-available/default ] && \
|
||||
run mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default~
|
||||
run cp -f etc/nginx/sites-available/default /etc/nginx/sites-available/
|
||||
|
||||
# Enable default vhost (mandatory).
|
||||
[ -f /etc/nginx/sites-enabled/default ] && run unlink /etc/nginx/sites-enabled/default
|
||||
[ -f /etc/nginx/sites-enabled/00-default ] && run unlink /etc/nginx/sites-enabled/00-default
|
||||
run ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/00-default
|
||||
|
||||
# TODO: Add stream support.
|
||||
|
||||
if [[ "${MOD_STREAM_ENABLED}" == true ]]; then
|
||||
@@ -1660,8 +1627,9 @@ EOL
|
||||
[ -d /var/cache/nginx ] && run chown -hR www-data:www-data /var/cache/nginx
|
||||
|
||||
# Nginx Logrotate.
|
||||
run cp -f etc/logrotate.d/nginx /etc/logrotate.d/ && \
|
||||
run chmod 0644 /etc/logrotate.d/nginx
|
||||
#run cp -f etc/logrotate.d/nginx /etc/logrotate.d/ && \
|
||||
#run chmod 0644 /etc/logrotate.d/nginx
|
||||
add_nginx_logrotate
|
||||
|
||||
# Adjust nginx to meet hardware resources.
|
||||
echo "Customize Nginx configuration..."
|
||||
@@ -1726,8 +1694,47 @@ EOL
|
||||
# Generate default hostname SSL cert.
|
||||
generate_hostname_cert
|
||||
|
||||
# Nginx init script.
|
||||
if [ ! -f /etc/init.d/nginx ]; then
|
||||
run cp etc/init.d/nginx /etc/init.d/
|
||||
run chmod ugo+x /etc/init.d/nginx
|
||||
fi
|
||||
|
||||
# Nginx systemd script.
|
||||
[ ! -f /lib/systemd/system/nginx.service ] && \
|
||||
run cp etc/systemd/nginx.service /lib/systemd/system/
|
||||
|
||||
[ ! -f /etc/systemd/system/multi-user.target.wants/nginx.service ] && \
|
||||
run ln -s /lib/systemd/system/nginx.service \
|
||||
/etc/systemd/system/multi-user.target.wants/nginx.service
|
||||
|
||||
# Try reloading daemon.
|
||||
run systemctl daemon-reload
|
||||
|
||||
# Masked (?).
|
||||
run systemctl unmask nginx.service
|
||||
|
||||
# Enable in start up.
|
||||
run systemctl enable nginx.service
|
||||
|
||||
# Final test.
|
||||
if [[ "${DRYRUN}" != true ]]; then
|
||||
# Copy custom default vhost.
|
||||
[ -f /etc/nginx/sites-available/default ] && \
|
||||
run mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default~
|
||||
|
||||
if [[ -n "${HOSTNAME_CERT_PATH}" && -f "${HOSTNAME_CERT_PATH}/fullchain.pem" ]]; then
|
||||
run cp -f etc/nginx/sites-available/default-ssl /etc/nginx/sites-available/default
|
||||
run sed -i "s|HOSTNAME_CERT_PATH|${HOSTNAME_CERT_PATH}|g" "/etc/nginx/sites-available/default"
|
||||
else
|
||||
run cp -f etc/nginx/sites-available/default /etc/nginx/sites-available/default
|
||||
fi
|
||||
|
||||
# Enable default vhost (mandatory).
|
||||
[ -f /etc/nginx/sites-enabled/default ] && run unlink /etc/nginx/sites-enabled/default
|
||||
[ -f /etc/nginx/sites-enabled/00-default ] && run unlink /etc/nginx/sites-enabled/00-default
|
||||
run ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/00-default
|
||||
|
||||
# Make default server accessible from hostname or IP address.
|
||||
if [[ $(dig "${HOSTNAME}" +short) == "${SERVER_IP}" ]]; then
|
||||
run sed -i "s/localhost.localdomain/${HOSTNAME}/g" /etc/nginx/sites-available/default
|
||||
@@ -1773,17 +1780,17 @@ EOL
|
||||
|
||||
function generate_hostname_cert() {
|
||||
# Generate a new certificate for the hostname domain.
|
||||
if [[ "${ENVIRONMENT}" == prod* ]]; then
|
||||
if [[ "${ENVIRONMENT}" == prod* && $(dig "${HOSTNAME}" +short) == "${SERVER_IP}" ]]; then
|
||||
# Stop webserver first.
|
||||
run systemctl stop nginx.service
|
||||
|
||||
if [[ $(dig "${HOSTNAME}" +short) == "${SERVER_IP}" ]]; then
|
||||
run certbot certonly --standalone --agree-tos --preferred-challenges http \
|
||||
--webroot-path=/usr/share/nginx/html -d "${HOSTNAME}"
|
||||
export HOSTNAME_CERT_PATH && \
|
||||
HOSTNAME_CERT_PATH="/etc/letsencrypt/live/${HOSTNAME}"
|
||||
if [[ ! -e "/etc/letsencrypt/live/${HOSTNAME}/fullchain.pem" ]]; then
|
||||
run certbot certonly --standalone --agree-tos --preferred-challenges http \
|
||||
--webroot-path=/usr/share/nginx/html -d "${HOSTNAME}"
|
||||
fi
|
||||
|
||||
HOSTNAME_CERT_PATH="/etc/letsencrypt/live/${HOSTNAME}"
|
||||
|
||||
# Re-start webserver.
|
||||
run systemctl start nginx.service
|
||||
else
|
||||
@@ -1798,34 +1805,61 @@ function generate_hostname_cert() {
|
||||
|
||||
# Create Certificate Authority (CA).
|
||||
run openssl req -x509 -sha256 -days 365000 -nodes -newkey "rsa:${KEY_HASH_LENGTH}" \
|
||||
-keyout /etc/lemper/ssl/lemperCA.key -out /etc/lemper/ssl/lemperCA.crt \
|
||||
-config /etc/lemper/ssl/ca.conf && \
|
||||
-keyout /etc/lemper/ssl/lemperCA.key -out /etc/lemper/ssl/lemperCA.crt \
|
||||
-config /etc/lemper/ssl/ca.conf && \
|
||||
|
||||
# Create Server Private Key.
|
||||
run openssl genrsa -out "/etc/lemper/ssl/${HOSTNAME}/privkey.pem" "${KEY_HASH_LENGTH}" && \
|
||||
|
||||
# Generate Certificate Signing Request (CSR) using Server Private Key.
|
||||
run openssl req -new -key "/etc/lemper/ssl/${HOSTNAME}/privkey.pem" \
|
||||
-out "/etc/lemper/ssl/${HOSTNAME}/csr.pem" -config /etc/lemper/ssl/csr.conf
|
||||
-out "/etc/lemper/ssl/${HOSTNAME}/csr.pem" -config /etc/lemper/ssl/csr.conf
|
||||
|
||||
# Generate SSL certificate With self signed CA.
|
||||
run openssl x509 -req -sha256 -days 365000 -CAcreateserial \
|
||||
-CA /etc/lemper/ssl/lemperCA.crt -CAkey /etc/lemper/ssl/lemperCA.key \
|
||||
-in "/etc/lemper/ssl/${HOSTNAME}/csr.pem" -out "/etc/lemper/ssl/${HOSTNAME}/cert.pem" \
|
||||
-extfile /etc/lemper/ssl/cert.conf
|
||||
-CA /etc/lemper/ssl/lemperCA.crt -CAkey /etc/lemper/ssl/lemperCA.key \
|
||||
-in "/etc/lemper/ssl/${HOSTNAME}/csr.pem" -out "/etc/lemper/ssl/${HOSTNAME}/cert.pem" \
|
||||
-extfile /etc/lemper/ssl/cert.conf
|
||||
|
||||
# Create chain file.
|
||||
run cat /etc/lemper/ssl/lemperCA.crt "/etc/lemper/ssl/${HOSTNAME}/cert.pem" > \
|
||||
"/etc/lemper/ssl/${HOSTNAME}/chain.pem"
|
||||
"/etc/lemper/ssl/${HOSTNAME}/fullchain.pem"
|
||||
|
||||
if [ -f "/etc/lemper/ssl/${HOSTNAME}/cert.pem" ]; then
|
||||
success "Self-signed SSL certificate has been successfully generated."
|
||||
HOSTNAME_CERT_PATH="/etc/lemper/ssl/${HOSTNAME}"
|
||||
success "Self-signed SSL certificate has been successfully generated."
|
||||
else
|
||||
fail "An error occurred when generating self-signed SSL certificate."
|
||||
fail "An error occurred when generating self-signed SSL certificate."
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function add_nginx_logrotate() {
|
||||
run touch "/etc/logrotate.d/nginx"
|
||||
cat >> "/etc/logrotate.d/nginx" <<EOL
|
||||
/var/log/nginx/*.log /home/*/logs/nginx/*_log {
|
||||
daily
|
||||
rotate 3
|
||||
compress
|
||||
delaycompress
|
||||
missingok
|
||||
notifempty
|
||||
create 0640 www-data adm
|
||||
sharedscripts
|
||||
prerotate
|
||||
if [ -d /etc/logrotate.d/httpd-prerotate ]; then
|
||||
run-parts /etc/logrotate.d/httpd-prerotate;
|
||||
fi
|
||||
endscript
|
||||
postrotate
|
||||
invoke-rc.d nginx rotate >/dev/null 2>&1
|
||||
endscript
|
||||
}
|
||||
EOL
|
||||
|
||||
run chmod 0644 "/etc/logrotate.d/nginx"
|
||||
}
|
||||
|
||||
echo "[Nginx HTTP (Web) Server Installation]"
|
||||
|
||||
# Start running things from a call at the end so if this script is executed
|
||||
|
||||
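Review bot: The self-signed branch of generate_hostname_cert writes `fullchain.pem` with the CA certificate ahead of the server certificate (`run cat /etc/lemper/ssl/lemperCA.crt "/etc/lemper/ssl/${HOSTNAME}/cert.pem" > \`), but with this commit that file becomes the `ssl_certificate` of the default vhost through `HOSTNAME_CERT_PATH`, and nginx expects the leaf certificate first followed by the chain; as written the first certificate in the file does not correspond to `privkey.pem`, so nginx rejects the pair at startup. Swapping the operands fixes it: `run cat "/etc/lemper/ssl/${HOSTNAME}/cert.pem" /etc/lemper/ssl/lemperCA.crt > \` — the same order the `generate_selfsigned_ssl` hunk earlier in this commit uses. Separately, `add_nginx_logrotate` appends its stanza with `cat >>`, so any pre-existing `/etc/logrotate.d/nginx` (for instance from an earlier run of this installer) ends up with a duplicate `/var/log/nginx/*.log` entry, whereas the `cp -f` it replaces overwrote the file; `cat > "/etc/logrotate.d/nginx" <<EOL` preserves the old behaviour, and the heredoc is the one write in this function not routed through `run`. generate_hostname_cert begins outside the hunk.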