diff --git a/README.nginx.exec-shell-script b/README.nginx.exec-shell-script
new file mode 100644
index 0000000..d9ef095
--- /dev/null
+++ b/README.nginx.exec-shell-script
@@ -0,0 +1,149 @@
+#!/usr/bin/bash
+
+#
+# Run script to enabel/disable recording using a webinterface
+#
+# see:
+# https://stackoverflow.com/questions/22891148/nginx-how-to-run-a-shell-script-on-every-request
+
+WEBSITE_NAME="o30.oopen.de"
+DOCUMENT_ROOT="/var/www/$WEBSITE_NAME"
+
+# Install 'fcgiwrap'
+#
+apt-get install fcgiwrap
+
+# Create document root directory
+#
+if [[ ! -d "$DOCUMENT_ROOT" ]] ; then
+ mkdir "$DOCUMENT_ROOT"
+fi
+
+# Ceate script enable-recording.sh
+#
+cat < ${DOCUMENT_ROOT}/enable-recording.sh
+#!/bin/sh
+# -*- coding: utf-8 -*-
+NAME=\`"Enable Recording"\`
+echo "Content-type:text/html\r\n"
+echo ""
+echo "\$NAME"
+echo ''
+echo ''
+echo ''
+echo ''
+echo "
"
+sudo /usr/local/src/jitsi/jitsi_enable_recording.sh
+echo ' 
 
+
+ +
'
+echo "
"
+EOF
+
+
+
+# Ceate script disable-recording.sh
+#
+cat < ${DOCUMENT_ROOT}/disable-recording.sh
+#!/bin/sh
+# -*- coding: utf-8 -*-
+NAME=\`"Disable Recording"\`
+echo "Content-type:text/html\r\n"
+echo ""
+echo "\$NAME"
+echo ''
+echo ''
+echo ''
+echo ''
+echo "
"
+sudo /usr/local/src/jitsi/jitsi_disable_recording.sh
+echo ' 
 
+
+ +
'
+echo "
"
+EOF
+
+
+# Create NGINX configuration for site
+#
+cat <> "/etc/nginx/sites-available/${WEBSITE_NAME}.conf"
+cat <> "/root/${WEBSITE_NAME}.conf"
+# - ${WEBSITE_NAME}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ${WEBSITE_NAME};
+
+ return 301 https://\$host\$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ${WEBSITE_NAME};
+
+ # Include location directive for Let's Encrypt ACME Challenge
+ #
+ # Needed for (automated) updating certificate
+ #
+ include snippets/letsencrypt-acme-challenge.conf;
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ #
+ # To generate a dhparam.pem file, run in a terminal
+ # openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
+ #
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Eable session resumption to improve https performance
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+
+ #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
+ # omit SSLv3 because of POODLE
+ # omit TLSv1 TLSv1.1
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
+ # Everything better than SHA1 (deprecated)
+ #
+ ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
+ ssl_prefer_server_ciphers on;
+
+ #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ #ssl_prefer_server_ciphers on;
+ #ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
+
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ ssl_certificate /var/lib/dehydrated/certs/${WEBSITE_NAME}/fullchain.pem; 
+ ssl_certificate_key /var/lib/dehydrated/certs/${WEBSITE_NAME}/privkey.pem;
+ ssl_trusted_certificate /var/lib/dehydrated/certs/${WEBSITE_NAME}/chain.pem;
+
+ root /var/www/o30.oopen.de;
+
+ # ssi on with javascript for multidomain variables in config.js
+ ssi on;
+ ssi_types application/x-javascript application/javascript;
+
+ index index.html index.htm;
+ error_page 404 /static/404.html;
+
+ autoindex on;
+
+ location ~ (\.sh)$ {
+ add_header Content-Type text/html;
+ gzip off;
+ root /var/www/\$server_name;
+ autoindex on;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param DOCUMENT_ROOT /var/www/\$server_name;
+ fastcgi_param SCRIPT_FILENAME /var/www/\$server_name\$fastcgi_script_name;
+ }
+}
+EOF
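Review bot: The `location ~ (\.sh)$` block in the generated nginx config passes every `.sh` file under the document root to fcgiwrap with no access control visible in this hunk, while both generated CGI scripts call `sudo /usr/local/src/jitsi/jitsi_enable_recording.sh` and `jitsi_disable_recording.sh`; as written, any client that can reach the vhost can toggle recording. I would match only the two script names, e.g. `location ~ ^/(enable|disable)-recording\.sh$ {`, and gate the block with `auth_basic "recording control";` plus `auth_basic_user_file <HTPASSWD_PATH>;` (or an `allow <ADMIN_NET>; deny all;` pair), and drop `autoindex on;`, which lists the document root. The sudoers rule this depends on is not part of the hunk; presumably it exists elsewhere, and it should name exactly those two commands for the fcgiwrap user rather than a broader grant. Separately, the `NAME=` assignment in both generated scripts wraps the title in escaped backticks, which reach the generated file as a command substitution, so NAME is likely empty at run time; `NAME="Enable Recording"` (and the Disable equivalent) looks intended.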