diff --git a/install_nginx.sh b/install_nginx.sh
index 2ebb680..4a35549 100755
--- a/install_nginx.sh
+++ b/install_nginx.sh
@@ -172,6 +172,16 @@ if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
 systemd_supported=true
 fi
 
+# - Is PHP-FPM socket in use
+# -
+
+declare -a _php_socket_arr=()
+while IFS='' read -r -d '' _socket ; do
+ echo "socket: $_socket"
+ _php_major_version="$(echo "$_socket" | cut -d '-' -f2)"
+ _php_socket_arr+=("${_php_major_version}:$_socket")
+done < <(find "/tmp" -type s -name "php*" -print0 | sort -z)
+
 
 # ==========
 # - Begin Main Script
@@ -253,6 +263,7 @@ else
 error "$(cat $log_file)"
 fi
 
+_failed=false
 echononl "Create new file '/etc/nginx/sites-available/default'"
 cat << EOF > /etc/nginx/sites-available/default 2> ${log_file}
 ##
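Review bot: `_php_major_version` is cut from a socket filename found in world-writable /tmp and is later interpolated, unvalidated, into the generated nginx config (the `location` regex and `fastcgi_pass` path added in the @@ -275 hunk); any socket whose name is not of the form `php-<version>-…` yields a nonsense version, and any local user can create a socket with such a name there. Validate before storing, e.g. `[[ "$_php_major_version" =~ ^[0-9]+(\.[0-9]+)*$ ]] || continue`. The `echo "socket: $_socket"` line reads as leftover debug output in a top-level loop; either drop it or send it to stderr so it does not mix with the script's normal output. The discovered `$_socket` path is stored in the array but the later hunk rebuilds the path from the version instead of using it.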
@@ -275,6 +286,61 @@ cat << EOF > /etc/nginx/sites-available/default 2> ${log_file}
 # Default server configuration
 #
 
+EOF
+
+if [[ $? -ne 0 ]] ; then
+ _failed=true
+fi
+
+if [[ ${#_php_socket_arr[@]} -gt 0 ]] ; then
+ cat << EOF >> /etc/nginx/sites-available/default 2> ${log_file}
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _ ;
+
+EOF
+ if [[ $? -ne 0 ]] ; then
+ _failed=true
+ fi
+
+ for _val in ${_php_socket_arr[@]} ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ cat << EOF >> /etc/nginx/sites-available/default 2> ${log_file}
+ location ~ ^/(status-${_val_arr[0]}|ping-${_val_arr[0]})$ {
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+ fastcgi_pass unix:/tmp/php-${_val_arr[0]}-fpm.www.sock;
+ }
+
+EOF
+ if [[ $? -ne 0 ]] ; then
+ _failed=true
+ fi
+ done
+
+ cat << EOF >> /etc/nginx/sites-available/default 2> ${log_file}
+}
+server {
+
+ # Listen on primary IP address
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name _ ;
+
+ #if (\$scheme = http) {
+ # return 301 https://\$host\$request_uri;
+ #}
+
+EOF
+
+else
+ cat << EOF >> /etc/nginx/sites-available/default 2> ${log_file}
 server {
 
 # Listen on primary IP address
@@ -289,6 +355,14 @@ server {
 return 301 https://\$host\$request_uri;
 }
+EOF
+ if [[ $? -ne 0 ]] ; then
+ _failed=true
+ fi
+
+fi
+
+cat << EOF >> /etc/nginx/sites-available/default 2> ${log_file}
 
 # Include location directive for Let's Encrypt ACME Challenge
 #
 # Needed for (automated) updating certificate
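Review bot: The `fastcgi_pass` line in the per-socket loop rebuilds the socket path as `/tmp/php-${_val_arr[0]}-fpm.www.sock` instead of using the path that `find` actually discovered, which the loop already carries in `${_val_arr[1]}`; for any socket whose name does not follow exactly that pattern the status/ping locations point at a file that does not exist. Use `fastcgi_pass unix:${_val_arr[1]};`, quote the array expansion (`for _val in "${_php_socket_arr[@]}" ; do`) and read with `-r` (`IFS=':' read -r -a _val_arr <<< "${_val}"`). The last heredoc of the if-branch (the one ending with the commented `#if (\$scheme = http)` block) has no `$?` check, unlike every other heredoc in this hunk, so a failure there is never recorded in `_failed`. Every new `cat` line here and in the @@ -289 hunk redirects stderr with `2> ${log_file}`, which truncates the log on each write, whereas the existing heredocs use `2>>`; by the time `error "$(cat $log_file)"` runs only the last command's output is left. Note also that `allow 127.0.0.1` does not cover `::1` although the server listens on `[::]:80`, so local IPv6 probes of the status endpoints are denied.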
@@ -315,11 +389,14 @@ server {
 # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
 # Everything better than SHA1 (deprecated)
 #
 
- #ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
- #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CC:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ #ssl_ciphers HIGH:MEDIUM:!MD5:!RC4:!3DES;
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256;
+ ssl_prefer_server_ciphers on;
 EOF
+if [[ $? -ne 0 ]] ; then
+ _failed=true
+fi
 
 if [[ -f "/var/lib/dehydrated/certs/$(hostname -f)/fullchain.pem" ]] \
 && [[ -f "/var/lib/dehydrated/certs/$(hostname -f)/privkey.pem" ]]; then
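Review bot: The new `ssl_ciphers` value contains only `ECDHE-ECDSA-*` suites; every `ECDHE-RSA-*` and `DHE-RSA-*` suite from the replaced line is gone. The certificate chosen in the following hunk is either the dehydrated certificate or the `ssl-cert-snakeoil` pair, and the script never checks the key type, so if that key is RSA a TLS 1.2 client finds no usable suite and the handshake fails; with OpenSSL, TLS 1.3 suites are not governed by this directive and would still work, which makes the breakage easy to miss in a quick test. Either keep the RSA AEAD suites, e.g. append `:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256`, or pick the list according to the key type of the certificate being installed. The comment lines above still describe the earlier rationale; a one-line note on why an ECDSA-only list was chosen would help the next reader. The heredoc this hunk edits starts outside the hunk.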
@@ -328,11 +405,17 @@ if [[ -f "/var/lib/dehydrated/certs/$(hostname -f)/fullchain.pem" ]] \
 ssl_certificate /var/lib/dehydrated/certs/$(hostname -f)/fullchain.pem;
 ssl_certificate_key /var/lib/dehydrated/certs/$(hostname -f)/privkey.pem;
 EOF
+ if [[ $? -ne 0 ]] ; then
+ _failed=true
+ fi
 else
 cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file}
 ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
 ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 EOF
+ if [[ $? -ne 0 ]] ; then
+ _failed=true
+ fi
 fi
 
 cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file}
@@ -370,11 +453,23 @@ cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file}
 }
 EOF
-if [[ $? -eq 0 ]] ; then
- echo_ok
-else
+if [[ $? -ne 0 ]] ; then
+ _failed=true
+fi
+if $_failed ; then
 echo_failed
 error "$(cat $log_file)"
+
+ echononl "continue anyway [yes/no]: "
+ read OK
+ OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+ while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
+ echononl "Wrong entry! - repeat [yes/no]: "
+ read OK
+ done
+ [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+else
+ echo_ok
 fi
 
 
 echononl "Create default index.html .."
@@ -449,7 +544,7 @@ else
 error "$(cat $log_file)"
 fi
 
-# - Stop OpenVPN Service
+# - Stop Nginx Service
 # -
 echononl "Stop Nginx WebsService"
 if $systemd_supported ; then
@@ -474,7 +569,7 @@ if [[ ! -f "/etc/nginx/snippets/letsencrypt-acme-challenge.conf" ]]; then
 warn "Befor startin nginx service again, take care 'dehydrated' is installed."
 else
 
- # - Start OpenVPN Service
+ # - Start Nginx Service
 # -
 echononl "Start Nginx WebsService"
 if $systemd_supported ; then
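Review bot: Each heredoc in this hunk, and the ones added in the @@ -275, @@ -289 and @@ -315 hunks, is followed by the same four-line `if [[ $? -ne 0 ]] ; then _failed=true ; fi` block. Bash lets the status be captured on the `cat` line itself, e.g. `cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file} || _failed=true`, with the heredoc body following unchanged; that removes the repeated block and keeps the check attached to the command it tests rather than to whatever ran last before `$?` is read. The checks in this hunk are otherwise correct; the enclosing if/else starts outside the hunk.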
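Review bot: `read OK` in the new confirmation prompt has no EOF handling: when stdin is not a terminal or is closed, `read` returns non-zero with `OK` empty, and the `while` loop then re-prompts forever. Both reads also lack `-r`, and the lowercasing is applied only to the first answer, so `YES` typed at the repeat prompt is rejected again. Treat a failed read as an abort and normalise inside the loop as well; the rewritten prompt follows. `fatal`, `echononl` and `error` are helpers defined outside the hunk.
```shell
  # … unchanged: echo_failed / error "$(cat $log_file)" …
  echononl "continue anyway [yes/no]: "
  read -r OK || fatal "Abbruch durch User"
  OK="$(printf '%s' "$OK" | tr '[:upper:]' '[:lower:]')"
  while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
    echononl "Wrong entry! - repeat [yes/no]: "
    read -r OK || fatal "Abbruch durch User"
    OK="$(printf '%s' "$OK" | tr '[:upper:]' '[:lower:]')"
  done
  [[ $OK = "yes" ]] || fatal "Abbruch durch User"
```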