support ping/status sites for php fpm in order to use check_webservice script.

This commit is contained in:
Christoph 2021-10-09 13:23:13 +02:00
parent 1a6a61c6c3
commit e92b105a59


@ -172,6 +172,16 @@ if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
systemd_supported=true
fi
# - Is PHP-FPM socket in use
# -
declare -a _php_socket_arr=()
while IFS='' read -r -d '' _socket ; do
echo "socket: $_socket"
_php_major_version="$(echo "$_socket" | cut -d '-' -f2)"
_php_socket_arr+=("${_php_major_version}:$_socket")
done < <(find "/tmp" -type s -name "php*" -print0 | sort -z)
# ==========
# - Begin Main Script
@ -253,6 +263,7 @@ else
error "$(cat $log_file)"
fi
_failed=false
echononl "Create new file '/etc/nginx/sites-available/default'"
cat << EOF > /etc/nginx/sites-available/default 2> ${log_file}
##
@ -275,6 +286,61 @@ cat << EOF > /etc/nginx/sites-available/default 2> ${log_file}
# Default server configuration
#
EOF
if [[ $? -ne 0 ]] ; then
_failed=true
fi
if [[ ${#_php_socket_arr[@]} -gt 0 ]] ; then
cat << EOF >> /etc/nginx/sites-available/default 2> ${log_file}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _ ;
EOF
if [[ $? -ne 0 ]] ; then
_failed=true
fi
for _val in ${_php_socket_arr[@]} ; do
IFS=':' read -a _val_arr <<< "${_val}"
cat << EOF >> /etc/nginx/sites-available/default 2> ${log_file}
location ~ ^/(status-${_val_arr[0]}|ping-${_val_arr[0]})$ {
access_log off;
allow 127.0.0.1;
deny all;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_pass unix:/tmp/php-${_val_arr[0]}-fpm.www.sock;
}
EOF
if [[ $? -ne 0 ]] ; then
_failed=true
fi
done
cat << EOF >> /etc/nginx/sites-available/default 2> ${log_file}
}
server {
# Listen on primary IP address
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _ ;
#if (\$scheme = http) {
# return 301 https://\$host\$request_uri;
#}
EOF
else
cat << EOF >> /etc/nginx/sites-available/default 2> ${log_file}
server {
# Listen on primary IP address
@ -289,6 +355,14 @@ server {
return 301 https://\$host\$request_uri;
}
EOF
if [[ $? -ne 0 ]] ; then
_failed=true
fi
fi
cat << EOF >> /etc/nginx/sites-available/default 2> ${log_file}
# Include location directive for Let's Encrypt ACME Challenge
#
# Needed for (automated) updating certificate
@ -315,11 +389,14 @@ server {
# ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
# Everything better than SHA1 (deprecated)
#
#ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CC:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
#ssl_ciphers HIGH:MEDIUM:!MD5:!RC4:!3DES;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256;
ssl_prefer_server_ciphers on;
EOF
if [[ $? -ne 0 ]] ; then
_failed=true
fi
if [[ -f "/var/lib/dehydrated/certs/$(hostname -f)/fullchain.pem" ]] \
&& [[ -f "/var/lib/dehydrated/certs/$(hostname -f)/privkey.pem" ]]; then
@ -328,11 +405,17 @@ if [[ -f "/var/lib/dehydrated/certs/$(hostname -f)/fullchain.pem" ]] \
ssl_certificate /var/lib/dehydrated/certs/$(hostname -f)/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/$(hostname -f)/privkey.pem;
EOF
if [[ $? -ne 0 ]] ; then
_failed=true
fi
else
cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file}
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
EOF
if [[ $? -ne 0 ]] ; then
_failed=true
fi
fi
cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file}
@ -370,11 +453,23 @@ cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file}
}
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
if [[ $? -ne 0 ]] ; then
_failed=true
fi
if $_failed ; then
echo_failed
error "$(cat $log_file)"
echononl "continue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/no]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
else
echo_ok
fi
echononl "Create default index.html .."
@ -449,7 +544,7 @@ else
error "$(cat $log_file)"
fi
# - Stop OpenVPN Service
# - Stop Nginx Service
# -
echononl "Stop Nginx WebsService"
if $systemd_supported ; then
@ -474,7 +569,7 @@ if [[ ! -f "/etc/nginx/snippets/letsencrypt-acme-challenge.conf" ]]; then
warn "Befor startin nginx service again, take care 'dehydrated' is installed."
else
# - Start OpenVPN Service
# - Start Nginx Service
# -
echononl "Start Nginx WebsService"
if $systemd_supported ; then
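Review bot: The socket name discovered under /tmp at lines 18-19 is written unvalidated into the nginx config at lines 50 and 56, and /tmp is normally world-writable, so any local user who creates a socket named `php*` there can place arbitrary text into the `location` regex and `fastcgi_pass` of the default site the next time this script runs. A whitelist check right after the `cut` would close this, e.g. `[[ "$_php_major_version" =~ ^[0-9]+(\.[0-9]+)*$ ]] || continue`. The loop at line 47 should also iterate `"${_php_socket_arr[@]}"` quoted, and the `echo "socket: $_socket"` at line 17 looks like leftover debug output. Separately, the server block listens on `[::]:80` (line 41) but the status/ping location allows only `127.0.0.1`, so a checker that reaches it over IPv6 loopback is denied; adding `allow ::1;` beside it is presumably intended.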