Skip to content

Instantly share code, notes, and snippets.

@oanhnn
Last active November 21, 2020 23:11
Show Gist options
  • Save oanhnn/3f5bf2e0bda1e4d797b56eb0c150531a to your computer and use it in GitHub Desktop.
Save oanhnn/3f5bf2e0bda1e4d797b56eb0c150531a to your computer and use it in GitHub Desktop.
[Ubuntu 16.04] Setup server using NGINX proxy multi site with SSL (Certbot)
#!/usr/bin/env bash
DOMAIN=${1:-example.local}
APP_SLUG=${2:-example}
service nginx stop
rm -rf /etc/nginx/sites-available/10-${APP_SLUG}.conf /etc/nginx/sites-enabled/10-${APP_SLUG}
echo "[✔] Remove Virtual Host for ${DOMAIN}"
certbot delete --cert-name ${DOMAIN}
echo "[✔] Remove SSL certificate for ${DOMAIN}"
service nginx start
echo "[✔] Reload NGINX service"
#!/usr/bin/env bash
apt-get update -y
apt-get upgrade -y
apt-get install -y software-properties-common
apt-add-repository -y ppa:certbot/certbot
apt-get update -y
# Install Certbot
apt-get install -y certbot
echo "[✔] Install Certbot"
apt-get install -y nginx
systemctl enable nginx
service nginx restart
echo "[✔] Install NGINX"
# Setup auto renew
rm -rf /tmp/cron-root && touch /tmp/cron-root
crontab -u root -l > /tmp/cron-root
echo '02 20 * * 03 sleep $[($RANDOM % 60) + 1]m; /usr/bin/certbot renew --pre-hook "/usr/sbin/service nginx stop" --post-hook "/usr/sbin/service nginx start" --quiet --no-self-upgrade' >> /tmp/cron-root
cat /tmp/cron-root | crontab -u root -
echo "[✔] Setup auto renew SSL"
# Change NGINX user
sed -i "s|^user .*|user www-data;|i" /etc/nginx/nginx.conf
echo "[✔] Change NGINX user"
# Generate dhparam File
openssl dhparam -out /etc/nginx/dhparams.pem 2048
echo "[✔] Generate dhparam file"
# Disable the default NGINX site
rm /etc/nginx/sites-enabled/default
mv /etc/nginx/sites-available/default /etc/nginx/sites-available/99-default-bakup
echo "[✔] Disable the default NGINX site"
# Configure upsteams and http upgrade
cat > /etc/nginx/conf.d/http_upgrade.conf << EOF
map \$http_upgrade \$connection_upgrade {
default upgrade;
'' close;
}
EOF
echo "[✔] Configure upsteams and http upgrade"
# Install A Catch All Server
cat > /etc/nginx/sites-available/99-catch-all << EOF
server {
return 404;
}
EOF
ln -s /etc/nginx/sites-available/99-catch-all /etc/nginx/sites-enabled/99-catch-all
echo "[✔] Config a catch all server"
# Restart Nginx
nginx -t
service nginx reload
echo "[✔] Reload NGINX service"
# Setup firewall
ufw allow 22
ufw allow 80
ufw allow 443
ufw enable -y
systemctl enable ufw
systemctl restart ufw
echo "[✔] Setting up firewall"
#!/usr/bin/env bash
DOMAIN=${1:-example.local}
APP_SLUG=${2:-example}
APP_PORT=${3:-3000}
DBA_PORT=${4:-3001}
# Stop NGINX
service nginx stop
echo "[✔] Stoped NGINX service"
# Make SSL certificate
certbot certonly --standalone --preferred-challenges http -d $DOMAIN -d admin.$DOMAIN
echo "[✔] Make SSL certificate for ${DOMAIN}"
# Install A PHP WebApp Server
cat > /etc/nginx/sites-available/10-${APP_SLUG}.conf << EOF
upstream ${APP_SLUG}_site {
server 127.0.0.1:${APP_PORT};
}
upstream ${APP_SLUG}_data {
server 127.0.0.1:${DBA_PORT};
}
server {
listen 80;
listen [::]:80;
server_name ${DOMAIN} admin.${DOMAIN} manage.${DOMAIN} db.${DOMAIN};
server_tokens off;
access_log off;
location / {
return 301 https://\$server_name\$request_uri;
}
}
server {
listen 443;
listen [::]:443;
server_name ${DOMAIN} admin.${DOMAIN} manage.${DOMAIN};
server_tokens off;
access_log off;
ssl on;
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 30m;
location / {
proxy_set_header Host \$host;
proxy_set_header X-Real-Ip \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_pass http://${APP_SLUG}_site/;
}
}
server {
listen 443;
listen [::]:443;
server_name db.${DOMAIN};
server_tokens off;
access_log off;
ssl on;
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 30m;
location / {
proxy_set_header Host \$host;
proxy_set_header X-Real-Ip \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_pass http://${APP_SLUG}_data/;
}
}
EOF
ln -s /etc/nginx/sites-available/10-${APP_SLUG}.conf /etc/nginx/sites-enabled/10-${APP_SLUG}
echo "[✔] Config Virtual Host for ${DOMAIN}"
# Restart Nginx
nginx -t
service nginx reload
echo "[✔] Reload NGINX service"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment