jitsi/README.nginx.exec-shell-script

#!/usr/bin/bash

#
# Run script to enabel/disable recording using a webinterface
# 
# see: 
#    https://stackoverflow.com/questions/22891148/nginx-how-to-run-a-shell-script-on-every-request

WEBSITE_NAME="rec.video.faire-mobilitaet.de"
DOCUMENT_ROOT="/var/www/$WEBSITE_NAME"

# Install 'fcgiwrap'
#
apt-get install fcgiwrap

# Create document root directory
#
if [[ ! -d "$DOCUMENT_ROOT" ]] ; then
   mkdir "$DOCUMENT_ROOT"
fi

# Ceate script enable-recording.sh
#
cat <<EOF > ${DOCUMENT_ROOT}/enable-recording.sh
#!/bin/sh
# -*- coding: utf-8 -*-
NAME=\`"Enable Recording"\`
echo "Content-type:text/html\r\n"
echo "<html><head>"
echo "<title>\$NAME</title>"
echo '<meta name="description" content="'\$NAME'">'
echo '<meta name="keywords" content="'\$NAME'">'
echo '<meta http-equiv="Content-type" content="text/html;charset=UTF-8">'
echo '<meta name="ROBOTS" content="noindex">'
echo "</head><body><pre>"
sudo /usr/local/src/jitsi/jitsi_enable_recording.sh
echo '&nbsp;<br />&nbsp;<br />
   <form>
      <input type="button" value="Go back!" onclick="history.back()">
   </form>'
echo "</pre></body></html>"
EOF

chmod 755 ${DOCUMENT_ROOT}/enable-recording.sh



# Ceate script disable-recording.sh
#
cat <<EOF > ${DOCUMENT_ROOT}/disable-recording.sh
#!/bin/sh
# -*- coding: utf-8 -*-
NAME=\`"Disable Recording"\`
echo "Content-type:text/html\r\n"
echo "<html><head>"
echo "<title>\$NAME</title>"
echo '<meta name="description" content="'\$NAME'">'
echo '<meta name="keywords" content="'\$NAME'">'
echo '<meta http-equiv="Content-type" content="text/html;charset=UTF-8">'
echo '<meta name="ROBOTS" content="noindex">'
echo "</head><body><pre>"
sudo /usr/local/src/jitsi/jitsi_disable_recording.sh
echo '&nbsp;<br />&nbsp;<br />
   <form>
      <input type="button" value="Go back!" onclick="history.back()">
   </form>'
echo "</pre></body></html>"
EOF

chmod 755 ${DOCUMENT_ROOT}/disable-recording.sh


# Create NGINX configuration for site
#
cat <<EOF > "/etc/nginx/sites-available/${WEBSITE_NAME}.conf"
# - ${WEBSITE_NAME}

server {
    listen 80;
    listen [::]:80;
    server_name ${WEBSITE_NAME};

    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${WEBSITE_NAME};

    root /var/www/${WEBSITE_NAME};

    auth_basic "Video Admin Area";
    auth_basic_user_file conf.d/.htpasswd-rec-video;

    # Include location directive for Let's Encrypt ACME Challenge
    #
    # Needed for (automated) updating certificate
    #
    include snippets/letsencrypt-acme-challenge.conf;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #
    # To generate a dhparam.pem file, run in a terminal
    #    openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
    #
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Eable session resumption to improve https performance
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
    # omit SSLv3 because of POODLE
    # omit  TLSv1 TLSv1.1
    ssl_protocols TLSv1.2 TLSv1.3;

    # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
    # Everything better than SHA1 (deprecated)
    #
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CC:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;


    add_header Strict-Transport-Security "max-age=31536000";

    ssl_certificate /var/lib/dehydrated/certs/${WEBSITE_NAME}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${WEBSITE_NAME}/privkey.pem;
    ssl_trusted_certificate /var/lib/dehydrated/certs/${WEBSITE_NAME}/chain.pem;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    autoindex on;

   location ~ (\.sh)$ {
      add_header Content-Type text/html;
      gzip off;
      root /var/www/\$server_name;
      autoindex on;
      fastcgi_pass unix:/var/run/fcgiwrap.socket;
      include /etc/nginx/fastcgi_params;
      fastcgi_param DOCUMENT_ROOT /var/www/\$server_name;
      fastcgi_param SCRIPT_FILENAME /var/www/\$server_name\$fastcgi_script_name;
   }
}
EOF

ln -s ../sites-available/${WEBSITE_NAME}.conf /etc/nginx/sites-enabled/${WEBSITE_NAME}