@erikdemarco
Last active April 16, 2021 05:41
#!/bin/sh
#----------------------------------------------------------#
# settings #
#----------------------------------------------------------#
#text colors
# Print all arguments as one line in colour 1 (red), then select colour 9.
redtext() {
  local paint_on paint_off
  paint_on=$(tput setaf 1)
  paint_off=$(tput setaf 9)
  echo "${paint_on}$*${paint_off}"
}
# Print all arguments as one line in colour 2 (green), then select colour 9.
greentext() {
  local paint_on paint_off
  paint_on=$(tput setaf 2)
  paint_off=$(tput setaf 9)
  echo "${paint_on}$*${paint_off}"
}
# Print all arguments as one line in colour 3 (yellow), then select colour 9.
yellowtext() {
  local paint_on paint_off
  paint_on=$(tput setaf 3)
  paint_off=$(tput setaf 9)
  echo "${paint_on}$*${paint_off}"
}
#get info
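# Gather host facts and the operator's answers. Every later section reads the
# variables set here (vIPAddress, vHostname, vEmail, vPassword, vAddString,
# vRealServer, vAddSsh, vSshKey, vProtectAdminPanel).

# Numeric MemTotal field from /proc/meminfo. The pattern is quoted so the shell
# cannot glob-expand [0-9] against a file name in the current directory.
memory=$(grep 'MemTotal' /proc/meminfo | tr ' ' '\n' | grep '[0-9]')
# Address field (prefix length stripped) parsed from the `ip addr` output for
# an interface reported as "state UP".
vIPAddress=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
vHostname=$(hostname -f)
read -r -p "What e-mail address would you like to receive VestaCP alerts to? " vEmail
# NOTE(review): the password is echoed while it is typed, and it is later placed
# on the installer's command line and printed in the final summary.
read -r -p "Please type a password to use with VestaCP: " vPassword
# Flat option string for the installer. It only works when expanded unquoted,
# so a value containing whitespace or glob characters is split or expanded.
vAddString="--hostname $vHostname --email $vEmail --password $vPassword"
read -r -p "Please enter your real server IP: " vRealServer
# Defaults keep the later tests well-defined when the operator just presses Enter.
vAddSsh=""
vSshKey=""
read -r -p "Do you want to add SSH Key? [y/N]
(if you don't have ssh key, you can generate it yourself using using tool like PuTTYgen) " vAddSsh
# Quoted operands and POSIX '=': an empty answer no longer makes `[` fail with
# "unary operator expected".
if [ "$vAddSsh" = "y" ] || [ "$vAddSsh" = "Y" ]; then
  read -r -p "Please input your public SSH Key: " vSshKey
fi
read -r -p "Do you want to make admin panel accesible to localhost only (you can still access admin panel using SSH tunnel)? [y/N] " vProtectAdminPanel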
#----------------------------------------------------------#
# install vestacp #
#----------------------------------------------------------#
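#install vestacp: nginx + php-fpm + exim only, every installer question pre-answered
# NOTE(review): the installer is fetched over plain HTTP and run as-is, so
# nothing authenticates the code that is about to execute with this script's
# privileges. Prefer an HTTPS download and compare the file against a checksum
# obtained out of band before running it.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# "installer" that bash would then execute.
if ! curl -f -O http://vestacp.com/pub/vst-install.sh; then
  redtext "Could not download vst-install.sh, aborting" >&2
  exit 1
fi
# hostname/email/password are passed as separate quoted arguments rather than
# through the unquoted vAddString, so a value with spaces or glob characters
# reaches the installer intact.
# NOTE(review): --password puts the panel password on the command line, where
# other local users can read it from the process list while the installer runs.
echo "y" | bash vst-install.sh --nginx yes --phpfpm yes --apache no --named no --remi no --vsftpd no --proftpd no --iptables no --fail2ban no --quota no --exim yes --dovecot no --spamassassin no --clamav no --softaculous no --mysql no --postgresql no --hostname "$vHostname" --email "$vEmail" --password "$vPassword" --force
# The later sections call tools under /usr/local/vesta/bin; stop here if the
# installer did not create it instead of reporting success.
if [ ! -d /usr/local/vesta/bin ]; then
  redtext "VestaCP installation failed: /usr/local/vesta/bin is missing" >&2
  exit 1
fi
greentext "Vestacp installed"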
#----------------------------------------------------------#
# setting nginx reverse proxy #
#----------------------------------------------------------#
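greentext "Configuring nginx as reverse proxy..."
vNginxConfigLoc="/home/admin/conf/web/$(hostname -f).nginx.conf"
if [ ! -f "$vNginxConfigLoc" ]; then
  redtext "nginx config not found: $vNginxConfigLoc" >&2
  exit 1
fi
# vRealServer is pasted verbatim into the nginx config below. Accept only
# host/IP characters (letters, digits, . : _ - and [] for IPv6 literals) so a
# stray ';', '{' or space cannot add or break directives.
case "$vRealServer" in
  '' | *[!][A-Za-z0-9.:_-]*)
    redtext "Real server address is empty or contains unexpected characters: $vRealServer" >&2
    exit 1
    ;;
esac
#find 'listen' change all line to '80;' (for all occurence)
#sed -i -e '/listen/s/.*/listen 80;/' "$vNginxConfigLoc"
#find 'listen' changeline to '80;' (only on first occurence)
sed -i -e '0,/listen/s/listen.*/listen 80;/' "$vNginxConfigLoc"
#find 'server_name' change line to 'server_name $vIPAddress' (only on first occurence)
sed -i -e "0,/server_name/s/server_name.*/server_name $vIPAddress;/" "$vNginxConfigLoc"
#add nginx reverse proxy setting
# A here-document replaces the unquoted `echo -e $var`, which depended on word
# splitting and left the text open to glob expansion (e.g. the [::] token).
# \$host and \$request_uri are escaped so nginx, not the shell, expands them.
# NOTE(review): with access_log off the proxy keeps no request record to
# consult during an investigation, and `error_log off` does not disable error
# logging; nginx treats "off" as a file name there.
# NOTE(review): proxy_pass to an https:// upstream does not verify the upstream
# certificate unless proxy_ssl_verify and a trusted CA are configured.
# `listen ... ssl` is used instead of the deprecated `ssl on;` directive, which
# newer nginx releases reject.
cat >> "$vNginxConfigLoc" <<EOF

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    access_log off;
    error_log off;

    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    access_log off;
    error_log off;

    ssl_certificate /usr/local/vesta/ssl/certificate.crt;
    ssl_certificate_key /usr/local/vesta/ssl/certificate.key;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass https://$vRealServer;
        proxy_set_header Host \$host;
    }
}
EOF
#restart nginx, but only when the edited configuration parses; restarting with
#a broken config would take the web server down
if nginx -t; then
  service nginx restart
else
  redtext "nginx configuration test failed, nginx was not restarted" >&2
  exit 1
fi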
#----------------------------------------------------------#
# install Monit #
#----------------------------------------------------------#
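greentext "installing monit"
#chkconfig monit on
if ! yum -y install monit; then
  redtext "monit could not be installed, skipping monit setup" >&2
else
  # NOTE(review): these monit rule files are fetched over plain HTTP and loaded
  # by a root service; monit rules can run commands, so their integrity matters.
  # Prefer HTTPS or review/pin the files before enabling them.
  # Enabled checks: Vesta control panel (vesta-nginx, vesta-php), nginx, exim,
  # OpenSSH. Available in the same directory but not enabled here:
  # httpd, mysql, dovecot, clamd, spamassassin.
  for vMonitConf in vesta-nginx vesta-php nginx exim sshd; do
    if ! wget "http://c.vestacp.com/rhel/7/monit/$vMonitConf.conf" -O "/etc/monit.d/$vMonitConf.conf"; then
      # wget -O creates the target even when the download fails; do not leave
      # an empty or partial rule file for monit to load.
      redtext "Could not download monit rule $vMonitConf.conf" >&2
      rm -f -- "/etc/monit.d/$vMonitConf.conf"
    fi
  done
  # check_result is not defined in this script, so the status is tested inline.
  # A monit failure is reported but does not stop the hardening steps below.
  if ! service monit start; then
    redtext "Error: starting monit" >&2
  fi
fi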
#----------------------------------------------------------#
# add SSH KEY #
#----------------------------------------------------------#
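if [ "$vAddSsh" = "y" ] || [ "$vAddSsh" = "Y" ]; then
  greentext "adding ssh key"
  # Validate the pasted key before touching anything: installing an unusable
  # key and then restricting root password login would lock the operator out.
  vSshKeyTmp=$(mktemp) || { redtext "mktemp failed" >&2; exit 1; }
  printf '%s\n' "$vSshKey" > "$vSshKeyTmp"
  if ssh-keygen -l -f "$vSshKeyTmp" >/dev/null 2>&1; then
    #create the ~/.ssh directory if it does not already exist (safe because of -p)
    mkdir -p ~/.ssh
    #add your public key (vps_4096 file)
    cat -- "$vSshKeyTmp" >> ~/.ssh/authorized_keys
    #make sure permission and ownership correct
    chmod -R go= ~/.ssh
    # id is used instead of $USER, which may be unset and need not be a group name
    chown -R "$(id -un):$(id -gn)" ~/.ssh
    #restrict root to key-based login. This matches the commented default as
    #well as an active "PermitRootLogin yes" line.
    # NOTE(review): this only affects root; PasswordAuthentication for other
    # accounts is left as it is.
    sed -i -e 's/^[#[:space:]]*PermitRootLogin[[:space:]]\{1,\}yes[[:space:]]*$/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
    if ! grep -q '^PermitRootLogin prohibit-password' /etc/ssh/sshd_config; then
      yellowtext "PermitRootLogin was not set to prohibit-password; check /etc/ssh/sshd_config by hand" >&2
    fi
    #reload ssh only if the edited config is valid
    # check_result is not defined in this script, so the status is tested inline.
    if sshd -t; then
      if ! systemctl reload sshd.service; then
        redtext "Error: reloading sshd" >&2
      fi
    else
      redtext "sshd_config failed validation, sshd was not reloaded" >&2
    fi
  else
    redtext "The supplied text is not a valid public key; authorized_keys and sshd_config were left unchanged" >&2
  fi
  rm -f -- "$vSshKeyTmp"
fi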
#----------------------------------------------------------#
# Disable shell login for admin #
#----------------------------------------------------------#
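greentext "disabling shell login for admin..."
# Set the panel's admin account shell to nologin through the VestaCP CLI and
# report a failure instead of silently leaving shell login enabled.
if ! /usr/local/vesta/bin/v-change-user-shell admin nologin; then
  redtext "Could not change the shell of user admin; shell login may still be enabled" >&2
fi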
#----------------------------------------------------------#
# Protect Admin panel #
#----------------------------------------------------------#
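#make vesta admin panel accessible only for localhost (use ssh tunnel to access it from anywhere something like "ssh user@server -L8083:localhost:8083")
# Quoted operands and POSIX '=': an empty answer (the default N) no longer makes
# `[` fail with "unary operator expected".
if [ "$vProtectAdminPanel" = "y" ] || [ "$vProtectAdminPanel" = "Y" ]; then
  greentext "making admin panel only accessible from localhost..."
  vFirewallRules=/usr/local/vesta/data/firewall/rules.conf
  # NOTE(review): the installer above is run with "--iptables no"; confirm the
  # Vesta firewall is actually active, otherwise this rule change has no effect.
  if [ -f "$vFirewallRules" ]; then
    #admin panel
    sed -i -e '/8083/ s|0.0.0.0/0|127.0.0.1|' "$vFirewallRules"
    ## OR USE THIS, but if the id is changing it wont work ## /usr/local/vesta/bin/v-change-firewall-rule 2 ACCEPT 127.0.0.1 8083 TCP VestaAdmin && service vesta restart
    # Confirm the edit took: a port 8083 rule still open to 0.0.0.0/0 means the
    # panel remains reachable from anywhere.
    if grep '8083' "$vFirewallRules" | grep -q '0\.0\.0\.0/0'; then
      redtext "Port 8083 is still open to 0.0.0.0/0 in $vFirewallRules" >&2
    fi
    #update firewall then restart vesta
    /usr/local/vesta/bin/v-update-firewall
    service vesta restart
  else
    redtext "Firewall rules file not found: $vFirewallRules (admin panel was NOT restricted)" >&2
  fi
fi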
#----------------------------------------------------------#
# Done #
#----------------------------------------------------------#
#done
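# Final summary for the operator.
# NOTE(review): the panel password is printed in clear text and will remain in
# the terminal scrollback and in any session recording.
echo "Done!"
echo " "
echo "You can access VestaCP here: https://$vIPAddress:8083/"
echo "Username: admin"
echo "Password: $vPassword"
echo " "
echo " "
echo "PLEASE REBOOT THE SERVER ONCE YOU HAVE COPIED THE DETAILS ABOVE."
#reboot
vReboot=""
read -r -p "Do you want to reboot now? [y/N] " vReboot
# Quoted operands and POSIX '=': pressing Enter (the default N) no longer makes
# `[` fail with "unary operator expected".
if [ "$vReboot" = "y" ] || [ "$vReboot" = "Y" ]; then
  reboot
fi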