commit aac19f54bab636627366eb185b888d5e878132ff Author: Christoph Date: Sun Jul 21 03:33:27 2019 +0200 Initial commit diff --git a/install_nginx.sh b/install_nginx.sh new file mode 100755 index 0000000..af8668f --- /dev/null +++ b/install_nginx.sh @@ -0,0 +1,490 @@ +#!/usr/bin/env bash + +script_name="$(basename $(realpath $0))" +working_dir="$(dirname $(realpath $0))" + +log_file="${LOCK_DIR}/${script_name%%.*}.log" + + +# ---------- +# Base Function(s) +# ---------- + +clean_up() { + + # Perform program exit housekeeping + rm -rf "$LOCK_DIR" + blank_line + exit $1 +} + + +echononl(){ + if $terminal ; then + echo X\\c > /tmp/shprompt$$ + if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then + echo -e -n " $*\\c" 1>&2 + else + echo -e -n " $*" 1>&2 + fi + rm /tmp/shprompt$$ + fi +} + + +fatal(){ + echo "" + if $terminal ; then + echo -e " [ \033[31m\033[1mFatal\033[m ] $*" + else + echo -e " [ Fatal ] $*" + fi + echo "" + if $terminal ; then + echo -e " \033[1mScript terminated\033[m.." + else + echo -e " Script terminated.." + fi + echo "" + rm -rf $LOCK_DIR + exit 1 +} + +error (){ + echo "" + if $terminal ; then + echo -e " [ \033[31m\033[1mError\033[m ] $*" + else + echo " [ Error ] $*" + fi + echo "" +} + +warn (){ + if $LOGGING || $terminal ; then + echo "" + if $terminal ; then + echo -e " [ \033[33m\033[1mWarn\033[m ] $*" + else + echo " [ Warn ] $*" + fi + echo "" + fi +} + +info (){ + if $LOGGING || $terminal ; then + echo "" + if $terminal ; then + echo -e " [ \033[32m\033[1mInfo\033[m ] $*" + else + echo " [ Info ] $*" + fi + echo "" + fi +} + +ok (){ + if $LOGGING || $terminal ; then + echo "" + if $terminal ; then + echo -e " [ \033[32m\033[1mOk\033[m ] $*" + else + echo " [ Ok ] $*" + fi + echo "" + fi +} + +echo_done() { + if $terminal ; then + echo -e "\033[75G[ \033[32mdone\033[m ]" + fi +} +echo_ok() { + if $terminal ; then + echo -e "\033[75G[ \033[32mok\033[m ]" + fi +} +echo_failed(){ + if $terminal ; then + echo -e "\033[75G[ \033[1;31mfailed\033[m ]" + fi +} +echo_skipped() { + if $terminal ; then + echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]" + fi +} +echo_wait(){ + if $terminal ; then + echo -en "\033[75G[ \033[5m\033[1m...\033[m ]" + fi +} + +trim() { + local var="$*" + var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters + var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters + echo -n "$var" +} + +blank_line() { + if $terminal ; then + echo "" + fi +} + + + +# ---------- +# - Jobhandling +# ---------- + +# - Run 'clean_up' for signals SIGHUP SIGINT SIGTERM +# - +trap clean_up SIGHUP SIGINT SIGTERM + +# - Create lock directory '$LOCK_DIR" +# +mkdir "$LOCK_DIR" + + +# ---------- +# - Some checks .. +# ---------- + +# - Running in a terminal? +# - +if [[ -t 1 ]] ; then + terminal=true +else + terminal=false +fi + +# -Is systemd supported on this system? +# - +systemd_supported=false +systemd=$(which systemd) +systemctl=$(which systemctl) + +if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then + systemd_supported=true +fi + + +# ========== +# - Begin Main Script +# ========== + +# ---------- +# - Headline +# ---------- + +if $terminal ; then + echo "" + echo -e "\033[1m----------\033[m" + echo -e "\033[32m\033[1mRunning script \033[m\033[1m$script_name\033[32m .. \033[m" + echo -e "\033[1m----------\033[m" +fi + +_debian_packages=" + ssl-cert + ca-certificates + openssl + nginx +" +declare -a deb_package_arr +for _pkg in $_debian_packages ; do + deb_package_arr+=("$_pkg") +done + +blank_line +for _debian_pkg in ${deb_package_arr[@]} ; do + echononl "Installing $_debian_pkg .." + if ! dpkg -l $_debian_pkg 2> /dev/null | grep -e "^ii" > /dev/null 2>&1 ; then + + DEBIAN_FRONTEND=noninteractive apt-get install -q -y $_debian_pkg > ${log_file} 2>&1 + + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + else + echo_skipped + fi +done + +blank_line + +_failed=false +echononl "Generate a dhparam.pem file.." +if [[ -f "/etc/nginx/ssl/dhparam.pem" ]]; then + echo_skipped +else + if [[ ! -d "/etc/nginx/ssl" ]] ; then + mkdir /etc/nginx/ssl > ${log_file} 2>&1 + if [[ $? -ne 0 ]] ; then + _failed=true + fi + fi + openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 >> ${log_file} 2>&1 + if [[ $? -ne 0 ]] ; then + _failed=true + fi + if $_failed ; then + echo_failed + error "$(cat $log_file)" + else + echo_o + fi +fi + +blank_line + +echononl "Backup file '/etc/nginx/sites-available/default'" +cp -a /etc/nginx/sites-available/default /etc/nginx/sites-available/default.ORIG > ${log_file} 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +echononl "Create new file '/etc/nginx/sites-available/default'" +cat << EOF > /etc/nginx/sites-available/default 2> ${log_file} +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# https://www.nginx.com/resources/wiki/start/ +# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ +# https://wiki.debian.org/Nginx/DirectoryStructure +# +# In most cases, administrators will remove this file from sites-enabled/ and +# leave it as reference inside of sites-available where it will continue to be +# updated by the nginx packaging team. +# +# This file will automatically load configuration files provided by other +# applications, such as Drupal or Wordpress. These applications will be made +# available underneath a path with that package name, such as /drupal8. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + + # Listen on primary IP address + listen 80 default_server; + listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + server_name _ ; + + if (\$scheme = http) { + return 301 https://\$host\$request_uri; + } + + # Include location directive for Let's Encrypt ACME Challenge + # + # Needed for (automated) updating certificate + # + include snippets/letsencrypt-acme-challenge.conf; + + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + # + # To generate a dhparam.pem file, run in a terminal + # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 + # + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + # Eable session resumption to improve https performance + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 10m; + ssl_session_tickets off; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE + + # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES) + # Everything better than SHA1 (deprecated) + # + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'; + ssl_prefer_server_ciphers on; +EOF + +if [[ -f "/var/lib/dehydrated/certs/$(hostname -f)/fullchain.pem" ]] \ + && [[ -f "/var/lib/dehydrated/certs/$(hostname -f)/privkey.pem" ]]; then + cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file} + + ssl_certificate /var/lib/dehydrated/certs/$(hostname -f)/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/$(hostname -f)/privkey.pem; +EOF +else + cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file} + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; +EOF +fi +cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file} + + add_header Strict-Transport-Security "max-age=31536000" always; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + #add_header X-Frame-Options "SAMEORIGIN"; + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + #location = /favicon.ico { + # return 204; + # log_not_found off; + # access_log off; + #} + + location = /robots.txt { + log_not_found off; + access_log off; + } + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. + try_files \$uri \$uri/ =404; + } + +} +EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +echononl "Create default index.html .." +cat < /var/www/html/index.html 2> ${log_file} +cat < /var/www/html/index.html + + + +HTTP Error 404 / Http Fehler 404 + + + + + + +
+ + + +
+ +

HTTP Error 404

+

The site you have requestet was not found on this Server

+

Please check your spelling and ry again.

+

Thank You very much!

+ +

HTTP Fehler 404

+

Die von Ihnen aufgerufene Seite gibt es leider nicht - Sorry

+

Bitte prüfen Sie die Adresse und versuchen es nochmals.

+

Vielen Dank für Ihr Verständnis!

+ +
+
+ + + +EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +# - Stop OpenVPN Service +# - +echononl "Stop Nginx WebsService" +if $systemd_supported ; then + $systemctl stop nginx > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi +else + /etc/init.d/nginx stop > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi +fi + +if [[ ! -f "/etc/nginx/snippets/letsencrypt-acme-challenge.conf" ]]; then + + warn "Befor startin nginx service again, take care 'dehydrated' is installed." +else + # - Start OpenVPN Service + # - + echononl "Start Nginx WebsService" + if $systemd_supported ; then + $systemctl start nginx > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi + else + /etc/init.d/nginx start > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi + fi +fi + +clean_up 0