This will set up nginx on CentOS 8 to run within a chroot jail and includes the geoip2 module. Have your GeoIP database .mmdb file and the nginx geoip2 module zip file in the same directory as this script.
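#!/bin/bash
# Build nginx 1.16.0 from source with the ngx_http_geoip2 module and stage it,
# together with the few system files it needs, into a chroot jail under $D
# on CentOS 8.
#
# Expects in the current working directory:
#   geoip2_module.zip      - ngx_http_geoip2 module source; must unzip to
#                            ngx_http_geoip2_module-master/
#   GeoLite2-Country.mmdb  - MaxMind country database, copied into the jail
#
# Optional environment:
#   NGINX_SHA256 - if set, the downloaded nginx tarball must match this
#                  SHA-256 or the script aborts. The tarball is fetched over
#                  HTTPS but is otherwise not integrity-checked.
#
# Must run as root (package installs, mknod, useradd, chroot). The script is
# safe to re-run: existing directories, device nodes and the nginx user are
# left in place rather than failing.
set -euo pipefail

if [[ "$(id -u)" -ne 0 ]]; then
  printf 'this script must run as root\n' >&2
  exit 1
fi

# Directory the module zip and .mmdb live in (the cwd, as documented above);
# remembered as an absolute path because the build happens elsewhere.
src_dir=$PWD
readonly src_dir

# Jail root.
D=/nginx
readonly D

# Scratch directory for the nginx source tree; removed on any exit path.
build_dir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -rf -- "${build_dir:?}"; }
trap cleanup EXIT

# Update
yum update -y
yum install epel-release -y
yum update -y

# Create jail directories
mkdir -p -- "$D"/{etc,dev,var/run,var/tmp,var/lib,usr/local/nginx,tmp,lib64,bin,sbin}
# World-writable sticky temp dirs, as on the host.
chmod 1777 -- "$D/tmp" "$D/var/tmp"

# Create required device files (skip nodes that already exist so a re-run
# does not abort on mknod's EEXIST).
[[ -c "$D/dev/null" ]]    || /bin/mknod -m 0666 "$D/dev/null" c 1 3
[[ -c "$D/dev/random" ]]  || /bin/mknod -m 0666 "$D/dev/random" c 1 8
[[ -c "$D/dev/urandom" ]] || /bin/mknod -m 0666 "$D/dev/urandom" c 1 9
chmod 0666 -- "$D"/dev/*

# Compile NGINX from source
# unzip is needed below for geoip2_module.zip and is not part of a minimal install.
yum install -y screen tar gzip wget unzip gcc zlib-devel openssl-devel make pcre-devel libmaxminddb libxml2-devel libxslt-devel libgcrypt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel
dnf --enablerepo=PowerTools install libmaxminddb-devel -y
# -o: overwrite silently on re-run instead of prompting.
unzip -o -- "$src_dir/geoip2_module.zip" -d "$src_dir"

# Unprivileged account nginx worker processes switch to (fixed uid/gid so the
# ids match inside and outside the jail). Idempotent on re-run.
getent group nginx >/dev/null || groupadd -g 951 nginx
getent passwd nginx >/dev/null \
  || useradd -g 951 -u 952 -c "Nginx web server" -d /var/lib/nginx -s /sbin/nologin nginx

# -f: an HTTP error must fail the download rather than land an HTML error page
# in nginx.tar.gz; -L: follow GitHub's redirect to the archive.
curl -fL -o "$build_dir/nginx.tar.gz" https://github.com/nginx/nginx/archive/release-1.16.0.tar.gz
if [[ -n "${NGINX_SHA256:-}" ]]; then
  printf '%s  %s\n' "$NGINX_SHA256" "$build_dir/nginx.tar.gz" | sha256sum -c -
fi
tar xf "$build_dir/nginx.tar.gz" -C "$build_dir"

# Configure/build in a subshell so the cwd of the rest of the script is untouched.
# The module path is absolute so the build does not depend on the cwd layout.
(
  cd -- "$build_dir"/nginx-*/
  auto/configure --with-pcre --with-threads --user=nginx --group=nginx --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_auth_request_module --modules-path=/usr/local/nginx/modules --add-module="$src_dir/ngx_http_geoip2_module-master" --without-http_geo_module
  make
  make install
)

#######################################
# Copy a host file or directory into the jail, skipping (with a notice) if it
# is absent on this host — several of the /etc files below are optional on
# CentOS 8 and a missing one must not abort the whole setup under set -e.
# Arguments: $1 - source path on the host
#            $2 - destination directory inside the jail
#######################################
copy_if_present() {
  local src=$1 dst=$2
  if [[ -d "$src" ]]; then
    cp -avr -- "$src" "$dst"
  elif [[ -e "$src" ]]; then
    cp -fv -- "$src" "$dst"
  else
    printf 'skipping %s: not present on this host\n' "$src" >&2
  fi
}

#######################################
# Copy every shared object a dynamically linked binary resolves into the
# jail's lib64. ldd prints "name => /path (addr)"; only lines whose third
# field is an absolute path are taken, so "not found" entries are ignored
# instead of being passed to cp.
# Arguments: $1 - path to the binary on the host
#######################################
copy_libs() {
  local bin=$1
  ldd "$bin" | awk '/=> \//{print $3}' | xargs -r -I '{}' cp -v -- '{}' "$D/lib64/"
}

# Move only required files
copy_if_present /bin/bash "$D/bin/"
copy_if_present /sbin/nologin "$D/sbin/"
# Name-service, network and loader configuration the jailed process needs to
# look up its user and resolve hosts. shadow and gshadow are deliberately NOT
# copied: nginx never reads password hashes, and a compromised worker must
# not find them inside the jail.
for f in group prelink.cache services adjtime shells hosts.deny localtime \
         nsswitch.conf nscd.conf prelink.conf protocols hosts passwd \
         ld.so.cache ld.so.conf resolv.conf host.conf; do
  copy_if_present "/etc/$f" "$D/etc/"
done
copy_if_present /etc/ld.so.conf.d "$D/etc/"
copy_if_present /etc/prelink.conf.d "$D/etc/"
# Dynamic loader plus the NSS backends named in nsswitch.conf (sss is optional).
copy_if_present /lib64/ld-linux-x86-64.so.2 "$D/lib64/"
copy_if_present /lib64/libnss_files.so.2 "$D/lib64/"
copy_if_present /lib64/libnss_sss.so.2 "$D/lib64/"
cp -avr -- /usr/local/nginx/* "$D/usr/local/nginx/"
copy_libs "$D/usr/local/nginx/sbin/nginx"
copy_libs /bin/bash
copy_libs /sbin/nologin
cp -- "$src_dir/GeoLite2-Country.mmdb" "$D/etc/GeoLite2-Country.mmdb"

# Create self signed files
mkdir -p -- "$D/usr/local/nginx/ssl/private" "$D/usr/local/nginx/ssl/certs" "$D/etc/ssl/certs"
# Only the root-run master process needs the key; keep it out of reach of the
# unprivileged workers.
chmod 0700 -- "$D/usr/local/nginx/ssl/private"
# Interactive: openssl prompts for the certificate subject, as in the original.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout "$D/usr/local/nginx/ssl/private/nginx-selfsigned.key" \
  -out "$D/usr/local/nginx/ssl/certs/nginx-selfsigned.crt"
chmod 0600 -- "$D/usr/local/nginx/ssl/private/nginx-selfsigned.key"
openssl dhparam -out "$D/etc/ssl/certs/dhparam.pem" 2048

# Test Nginx
chroot "$D/" /usr/local/nginx/sbin/nginx -t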
Launch nginx
# Start nginx inside the jail created by the setup script (run as root;
# only meaningful after `nginx -t` in the jail has passed).
chroot /nginx/ /usr/local/nginx/sbin/nginx