Wiki page that describes the scripts/configs in a bit more detail: https://wiki.alex.lol/books/justsysadminthings/page/script-for-installingprepping-nginx
. "$HOME/.acme.sh/acme.sh.env" | |
export CF_Account_ID="422c4fb547f02ab95c920ac70a78c4bf" | |
export CF_Token="" |
# 000-default.conf — catch-all vhost (server_name _), installed into
# /etc/nginx/conf.d by `install-nginx.sh -d`. Plain HTTP redirects to HTTPS;
# HTTPS serves /var/www/html with the shared TLS and header settings.
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  # NOTE(review): a server-level `return` is executed in the server rewrite
  # phase, before any location is matched, so this include is never reached
  # on :80 — challenge requests get the 301 below and are answered by the
  # :443 server, which includes the same file (Let's Encrypt follows
  # redirects). Move the redirect into `location / { ... }` if HTTP-01
  # must be served on plain HTTP.
  include letsencrypt.conf;
  server_name _;
  # Redirect everything to HTTPS on the same host and path.
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  # No default_server flag here; presumably the "000-" prefix sorts this
  # file first in conf.d so it becomes nginx's implicit default for :443.
  server_name _;
  root /var/www/html;
  # Certificate for the catch-all server; lives under the root-only
  # /srv/ssl tree that install-nginx.sh creates.
  ssl_certificate /srv/ssl/default/fullchain.pem;
  ssl_certificate_key /srv/ssl/default/key.pem;
  # Do not reveal the nginx version in the Server header / error pages.
  server_tokens off;
  include ssl_params.conf;
  include letsencrypt.conf;
  # Security headers. add_header is inherited by a location only if that
  # location defines no add_header of its own — keep that in mind when
  # adding headers to the locations below.
  add_header X-Frame-Options "SAMEORIGIN";
  # NOTE(review): the browser XSS auditor this header controlled has been
  # removed from current browsers; OWASP now advises "0" or omitting it.
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options "nosniff";
  # Two-year HSTS with includeSubDomains + preload. NOTE(review): this is
  # emitted for every host name that lands on the default server; preload
  # is hard to undo, so confirm the domain set before submitting it.
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  index index.nginx-debian.html index.html index.htm;
  charset utf-8;
  location / {
    try_files $uri $uri/ =404;
  }
  # No auth_basic is set in this server, so this is a no-op here;
  # presumably kept so that sites copying this block and enabling
  # auth_basic still leave ACME challenges reachable.
  location /.well-known {
    auth_basic "off";
  }
  # Keep the common browser probes out of the logs.
  location = /favicon.ico { access_log off; log_not_found off; }
  location = /robots.txt { access_log off; log_not_found off; }
  # Uncomment for PHP support (check /etc/nginx/phpfpm.conf), assumes PHP 8.1 FPM is installed.
  # include phpfpm.conf;
  access_log /var/log/nginx/default-access.log combined;
  error_log /var/log/nginx/default-error.log error;
  # Never serve Apache-style .htaccess / .htpasswd files from the webroot.
  location ~ /\.ht {
    deny all;
  }
}
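#!/bin/bash
#
# generate-dhparams.sh — generate /etc/nginx/dhparams.pem with openssl.
# The file is referenced by ssl_params.conf (ssl_dhparam) and is needed by
# the DHE-* suites listed there. install-nginx.sh runs this as root.
#
# Usage: generate-dhparams.sh [BITS]   (default: 2048)
set -euo pipefail

readonly OUT=/etc/nginx/dhparams.pem
BITS=${1:-2048}

# Accept only a positive integer >= 2048: the argument lands on openssl's
# command line unquoted in the original, so anything else must be rejected
# up front, and smaller groups are below current TLS guidance.
if [[ ! "$BITS" =~ ^[0-9]+$ ]] || (( BITS < 2048 )); then
  printf 'usage: %s [BITS]   (BITS must be an integer >= 2048)\n' "${0##*/}" >&2
  exit 2
fi

# Create the file root-owned with a restrictive mode before openssl writes
# into it (openssl truncates an existing -out file, keeping its mode).
# 700 is the original choice; DH parameters are not secret, so 0644 would
# also be acceptable.
sudo touch -- "$OUT"
sudo chmod 700 -- "$OUT"
sudo openssl dhparam -out "$OUT" "$BITS"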
# letsencrypt.conf — serve ACME HTTP-01 challenge files for every server
# block that includes this file, from one shared webroot (the directory the
# ACME client has to write its challenge tokens to).
location /.well-known/acme-challenge {
  # alias (not root) replaces the matched prefix, so
  # /.well-known/acme-challenge/TOKEN maps to
  # /var/www/html/.well-known/acme-challenge/TOKEN regardless of the
  # including server's own root.
  alias /var/www/html/.well-known/acme-challenge;
}
# phpfpm.conf — hand requests for *.php to PHP-FPM 8.1 over its unix socket.
# Included per server block on demand (commented out in 000-default.conf);
# the php8.1-fpm package has to be installed first.
location ~ \.php$ {
  # $uri must map to an existing file, otherwise answer 404 here instead of
  # forwarding to FPM — the standard guard against PHP's cgi.fix_pathinfo
  # path-info ambiguity.
  try_files $uri =404;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
  fastcgi_index index.php;
  include fastcgi_params;
  # NOTE(review): $fastcgi_script_name already begins with "/", so this
  # produces a "//" in SCRIPT_FILENAME; harmless, but the usual form is
  # $document_root$fastcgi_script_name.
  fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}
# proxy_params — request headers to forward to an upstream application.
# Use with `include proxy_params;` next to a proxy_pass directive.
# Pass the client's original Host header (including any port) unchanged.
proxy_set_header Host $http_host;
# Address of the connection peer as seen by nginx. The upstream should
# trust X-Real-IP / X-Forwarded-For only for requests that provably came
# through this proxy.
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any X-Forwarded-For the client already sent, so
# the upstream must read the list from the right (last hop = this proxy)
# rather than taking the first entry, which is client-controlled.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# "http" or "https" as terminated by nginx, for the upstream's redirect and
# secure-cookie decisions.
proxy_set_header X-Forwarded-Proto $scheme;
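#!/bin/bash
#
# install-nginx.sh — install nginx from apt and drop the shared config
# snippets from this gist into /etc/nginx (letsencrypt.conf, ssl_params.conf,
# proxy_params, phpfpm.conf), generate dhparams.pem, and optionally bootstrap
# acme.sh (-a) and install the 000-default.conf site (-d).
#
# Usage: install-nginx.sh [-h] [-a] [-d] [-b]
# Requires: sudo, curl and network access to $GIST. Assumes the nginx.org
# APT repository has already been set up (see the apt step below).
set -euo pipefail

INSTALL_ACMESH=0
DOWNLOAD_DEFAULT=0
GIST="https://gist.github.com/Decicus/2f09db5d30f4f24e39de3792bba75b72/raw"
NGINX="/etc/nginx"
SSL_BASE="/srv/ssl"
DEFAULT_DIR="$NGINX/conf.d"
DEFAULT_NAME="000-default.conf"
DH_PARAMS_BITS=2048
# Scratch directory for downloads; created in main(), removed on exit.
WORK_DIR=""

#######################################
# Print the usage text to stdout.
# Globals: DEFAULT_NAME, DEFAULT_DIR, DH_PARAMS_BITS (read)
#######################################
help() {
  cat <<EOF
usage: $0 [-h] [-a] [-d] [-b]
Install the \`nginx\` package via apt and add extra configuration files.
OPTIONS:
  -h  Shows helptext
  -a  Installs acme.sh and downloads "bootstrapping" files.
  -d  Downloads the $DEFAULT_NAME file into $DEFAULT_DIR
  -b  Use 4096 bits for dhparams (default: $DH_PARAMS_BITS)
EOF
}

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Download a URL to a local file. `-f` makes curl fail on HTTP errors, so an
# HTML error page is never written where a config file is expected.
# Arguments: $1 - URL, $2 - destination path (writable by the caller)
#######################################
fetch_to() {
  local url=$1 dest=$2
  curl -fsSL "$url" -o "$dest" || die "download failed: $url"
}

#######################################
# Fetch one file from the gist and install it as root:root 0644 at $2.
# Downloading into $WORK_DIR first means only the final copy needs sudo —
# a plain `curl ... > "$NGINX/x"` redirect runs as the invoking user and
# fails whenever that user is not root.
# Globals: GIST, WORK_DIR (read)
# Arguments: $1 - file name within the gist, $2 - absolute destination path
#######################################
install_gist_file() {
  local name=$1 dest=$2
  fetch_to "$GIST/$name" "$WORK_DIR/$name"
  sudo install -o root -g root -m 0644 -- "$WORK_DIR/$name" "$dest"
}

#######################################
# Append a line to a shell rc file unless it is already there, so re-running
# the script does not stack duplicate `source` lines.
# Arguments: $1 - rc file path, $2 - exact line to ensure
#######################################
ensure_line() {
  local rc=$1 line=$2
  grep -qsF -- "$line" "$rc" || printf '%s\n' "$line" >> "$rc"
}

main() {
  local opt
  # Leading ":" = silent mode: getopts sets OPTARG on a bad option instead
  # of printing its own message, so the custom errors below are the ones
  # the user sees.
  while getopts ':hadb' opt; do
    case "$opt" in
      h) help; exit 0 ;;
      a) INSTALL_ACMESH=1; printf 'Installing and bootstrapping `acme.sh`\n' ;;
      d) DOWNLOAD_DEFAULT=1; printf 'Downloading %s to %s\n' "$DEFAULT_NAME" "$DEFAULT_DIR" ;;
      b) DH_PARAMS_BITS=4096; printf 'Using 4096 bits for dhparams\n' ;;
      :) die "Option -$OPTARG requires an argument." ;;
      \?) die "Invalid option: -$OPTARG" ;;
    esac
  done
  shift $((OPTIND - 1))

  WORK_DIR=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$WORK_DIR"' EXIT

  # Make sure the 'essentials' are installed.
  # `nginx` (not `nginx-full`) because the script assumes the nginx.org APT
  # repo has been added (https://git.io/nginx-debian); the Debian/Ubuntu
  # package is a few versions behind. apt-get has a stable CLI for scripts.
  sudo apt-get install -y nginx openssl curl

  if (( INSTALL_ACMESH )); then
    # Get acme.sh for issuing certificates. The installer is saved first and
    # then run, instead of being piped straight into `sudo bash`, so a failed
    # or truncated download can never execute a partial script as root.
    # It runs as root, so presumably acme.sh lands in root's home directory.
    fetch_to "https://get.acme.sh/" "$WORK_DIR/acme-install.sh"
    sudo bash "$WORK_DIR/acme-install.sh"
  fi

  # Preferred base directory for storing SSL certificates: root-only.
  # u=rwX gives directories 0700 and files 0600; a recursive 600 would also
  # strip the x bit from the directory itself, which is needed to traverse it.
  sudo mkdir -p -- "$SSL_BASE"
  sudo chown -R root:root -- "$SSL_BASE"
  sudo chmod -R u=rwX,go= -- "$SSL_BASE"

  # Bash scripts interact with acme.sh but zsh is the main shell, so both
  # rc files source one shared environment file (.acmeenv in this gist)
  # that loads acme.sh and the related environment variables.
  if (( INSTALL_ACMESH )); then
    fetch_to "$GIST/.acmeenv" "$HOME/.acmeenv"
    ensure_line "$HOME/.zshrc" '. "$HOME/.acmeenv"'
    ensure_line "$HOME/.bashrc" '. "$HOME/.acmeenv"'
  fi

  # Alias config for Let's Encrypt challenges
  install_gist_file letsencrypt.conf "$NGINX/letsencrypt.conf"
  # Base SSL configuration
  install_gist_file ssl_params.conf "$NGINX/ssl_params.conf"
  # Base reverse proxy configuration
  install_gist_file proxy_params "$NGINX/proxy_params"
  # PHP 8.1 FPM configuration (not enabled by default; install PHP before
  # enabling it)
  install_gist_file phpfpm.conf "$NGINX/phpfpm.conf"

  # Fetch the dhparams generation script and run it as root with the
  # chosen bit size.
  fetch_to "$GIST/generate-dhparams.sh" "$WORK_DIR/generate-dhparams.sh"
  sudo bash "$WORK_DIR/generate-dhparams.sh" "$DH_PARAMS_BITS"

  # Enable the service when systemd is present. `whereis` exits 0 even when
  # it finds nothing, so the original `$?` test never skipped this step;
  # `command -v` is the reliable check.
  if command -v systemctl >/dev/null 2>&1; then
    sudo systemctl enable --now nginx
  fi

  if (( DOWNLOAD_DEFAULT )); then
    install_gist_file "$DEFAULT_NAME" "$DEFAULT_DIR/$DEFAULT_NAME"
    # Remove the default configuration shipped with the nginx package
    # (-f: not an error if the package did not install one).
    sudo rm -f -- "$NGINX/conf.d/default.conf"
  fi

  printf 'Base setup done. Open this link for a base nginx site configuration: %s\n' "$GIST/$DEFAULT_NAME"
}

main "$@"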
# ssl_params.conf — shared TLS settings, included by every HTTPS server
# block (see 000-default.conf).
# TLS 1.0 and 1.1 are not offered.
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 cipher list: AEAD suites only, ECDHE first with DHE as fallback;
# this appears to mirror the Mozilla "intermediate" profile. TLS 1.3 suites
# are not configured here, so the nginx/OpenSSL defaults apply to 1.3.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Let the client choose among the suites above (all are AEAD, so its
# preference — e.g. CHACHA20 on hardware without AES acceleration — is safe).
ssl_prefer_server_ciphers off;
# Parameters for the DHE-* suites; the file is produced by
# generate-dhparams.sh (2048 bits by default, 4096 with install-nginx.sh -b).
ssl_dhparam /etc/nginx/dhparams.pem;
# Server-side session cache shared across workers, 10 MB, entries kept 1 day.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# NOTE(review): tickets are disabled because nginx does not rotate its
# ticket key on its own, which would weaken forward secrecy for resumed
# sessions; resumption relies on the server cache above instead.
ssl_session_tickets off;