kkarimi/nginx security hardening.sh

## nginx security hardening.sh
#!/usr/bin/env bash
# Install Nginx with fast-cgi support.
# Author: @claxch
# Warning: PROJECT_NAME, DOMAIN, SSL must be set as env variables.
# OS: deb

[ ! $EUID -eq 0 ] && echo 'Not root.' && exit

[[ \
   -z `env | grep -oE PROJECT_NAME=` || -z $PROJECT_NAME || \
   -z `env | grep -oE DOMAIN=` || -z $DOMAIN || \
   -z `env | grep -oE SSL=` || -z $SSL
]] && exit


nginx_path='/etc/nginx'
nginx_conf=$nginx_path'/nginx.conf'
nginx_conf_app=$nginx_path'/sites-available/default'

site=$PROJECT_NAME'.'$DOMAIN
cert_path=$nginx_path'/ssl'
cert_name=$site'.pem'
ssl_key=$cert_path'/'$cert_name

### installer ####
[ -d $nginx_path ] && apt-get purge -yqq nginx nginx-* && apt-get autoremove -yqq && rm -r $nginx_path 2>/dev/null
apt-get install --no-install-recommends --no-install-suggests -yqq nginx nginx-extras
default=`curl -sSL https://raw.githubusercontent.com/claxch/bashix/master/tools/nginx_appcfg_gen.sh | bash`


#### server config ####
conf="
user                                    www-data;
worker_processes                        auto;
events {
    worker_connections                  1024;
}
http {
    server_tokens                        off;
    include                              mime.types;
    default_type                         application/octet-stream;
    log_format  main                     '\$remote_addr - \$remote_user [\$time_local] "\$request"'
                                         '\$status \$body_bytes_sent "\$http_referer" '
                                         '"\$http_user_agent" "\$http_x_forwarded_for"';
    access_log                           /var/log/nginx/access.log;
    error_log                            /var/log/nginx/error.log;
    sendfile                             on;
    keepalive_timeout                    65;
    client_max_body_size                 24000M;
    index                                index.html index.php;
    include                              /etc/nginx/sites-enabled/*;
    ssl_prefer_server_ciphers            on;
    ssl_session_timeout                  10m;
    ssl_session_cache                    shared:SSL:10m;
    ssl_protocols                        TLSv1 TLSv1.1 TLSv1.2;
    # clear repose headers
    more_clear_headers                   'Server:';
    more_clear_headers                   'X-Powered-By:';
    more_clear_headers                   'Accept-Ranges:';
    more_clear_headers                   'Content-Length:';
    more_clear_headers                   'Date:';
    more_clear_headers                   'ETag:';
    more_clear_headers                   'Last-Modified:';
    more_clear_headers                   'Transfer-Encoding:';
}
"

### config update ###
cp $nginx_conf $nginx_conf.default
cp $nginx_conf_app $nginx_conf_app.default
echo "$conf" > $nginx_conf
echo "$default" > $nginx_conf_app

### SSL cert ###
mkdir $cert_path && cd $cert_path
openssl req \
   -x509 -nodes -days 365 -sha512 \
   -subj "/C=CH/ST=ZH/L=Zurich/CN=$site" \
   -newkey rsa:4096 -keyout $cert_name -out $cert_name
/etc/init.d/nginx restart

### project dir ###
project_path="/var/www/$site"
public=$project_path'/public'
[ -d '/var/www' ] && rm -r '/var/www' && mkdir -p $public
echo; echo "Public files available at: $public"
echo '<?php echo rand(100, 999);' > $public/index.php
	#!/usr/bin/env bash
	# Install Nginx with fast-cgi support.
	# Author: @claxch
	# Warning: PROJECT_NAME, DOMAIN, SSL must be set as env variables.
	# OS: deb

	[ ! $EUID -eq 0 ] && echo 'Not root.' && exit

	[[ \
	-z `env \| grep -oE PROJECT_NAME=` \|\| -z $PROJECT_NAME \|\| \
	-z `env \| grep -oE DOMAIN=` \|\| -z $DOMAIN \|\| \
	-z `env \| grep -oE SSL=` \|\| -z $SSL
	]] && exit


	nginx_path='/etc/nginx'
	nginx_conf=$nginx_path'/nginx.conf'
	nginx_conf_app=$nginx_path'/sites-available/default'

	site=$PROJECT_NAME'.'$DOMAIN
	cert_path=$nginx_path'/ssl'
	cert_name=$site'.pem'
	ssl_key=$cert_path'/'$cert_name

	### installer ####
	[ -d $nginx_path ] && apt-get purge -yqq nginx nginx-* && apt-get autoremove -yqq && rm -r $nginx_path 2>/dev/null
	apt-get install --no-install-recommends --no-install-suggests -yqq nginx nginx-extras
	default=`curl -sSL https://raw.githubusercontent.com/claxch/bashix/master/tools/nginx_appcfg_gen.sh \| bash`


	#### server config ####
	conf="
	user www-data;
	worker_processes auto;
	events {
	worker_connections 1024;
	}
	http {
	server_tokens off;
	include mime.types;
	default_type application/octet-stream;
	log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request"'
	'\$status \$body_bytes_sent "\$http_referer" '
	'"\$http_user_agent" "\$http_x_forwarded_for"';
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;
	sendfile on;
	keepalive_timeout 65;
	client_max_body_size 24000M;
	index index.html index.php;
	include /etc/nginx/sites-enabled/*;
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 10m;
	ssl_session_cache shared:SSL:10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# clear repose headers
	more_clear_headers 'Server:';
	more_clear_headers 'X-Powered-By:';
	more_clear_headers 'Accept-Ranges:';
	more_clear_headers 'Content-Length:';
	more_clear_headers 'Date:';
	more_clear_headers 'ETag:';
	more_clear_headers 'Last-Modified:';
	more_clear_headers 'Transfer-Encoding:';
	}
	"

	### config update ###
	cp $nginx_conf $nginx_conf.default
	cp $nginx_conf_app $nginx_conf_app.default
	echo "$conf" > $nginx_conf
	echo "$default" > $nginx_conf_app

	### SSL cert ###
	mkdir $cert_path && cd $cert_path
	openssl req \
	-x509 -nodes -days 365 -sha512 \
	-subj "/C=CH/ST=ZH/L=Zurich/CN=$site" \
	-newkey rsa:4096 -keyout $cert_name -out $cert_name
	/etc/init.d/nginx restart

	### project dir ###
	project_path="/var/www/$site"
	public=$project_path'/public'
	[ -d '/var/www' ] && rm -r '/var/www' && mkdir -p $public
	echo; echo "Public files available at: $public"
	echo '<?php echo rand(100, 999);' > $public/index.php