Last active
November 30, 2018 02:46
-
-
Save lesstif/4d162c4c8df756a65286 to your computer and use it in GitHub Desktop.
nginx virtualhost serve script for tomcat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
## Installation | |
# curl -o serve-tomcat.sh https://gist.githubusercontent.com/lesstif/4d162c4c8df756a65286/raw | |
# sudo mv serve-tomcat.sh /usr/local/bin/ | |
# sudo chmod +x /usr/local/bin/serve-tomcat.sh | |
if [ "$#" -lt 2 ]; then | |
echo "Error: missing required minimal 2 parameters."; | |
echo "Usage: "; | |
echo " serve domain port [ssl]"; | |
exit 1; | |
fi | |
HOST=$1 | |
PORT=$2 | |
SSL=$3 | |
## for RHEL derived distro | |
if [ ! -d "/etc/nginx/sites-available" ];then | |
mkdir /etc/nginx/sites-available | |
fi | |
if [ ! -d "/etc/nginx/sites-enabled" ];then | |
mkdir /etc/nginx/sites-enabled | |
fi | |
if [ ! -d "/etc/nginx/ssl" ];then | |
mkdir /etc/nginx/ssl | |
fi | |
if [ "$SSL" != "" ];then | |
mkdir /etc/nginx/ssl 2>/dev/null | |
PATH_SSL="/etc/nginx/ssl" | |
PATH_KEY="${PATH_SSL}/${1}.key" | |
PATH_CSR="${PATH_SSL}/${1}.csr" | |
PATH_CRT="${PATH_SSL}/${1}.crt" | |
if [ ! -f "$PATH_KEY" ] || [ ! -f "$PATH_CSR" ] || [ ! -f "$PATH_CRT" ];then | |
openssl genrsa -out "$PATH_KEY" 2048 2>/dev/null | |
openssl req -new -key "$PATH_KEY" -out "$PATH_CSR" -subj "/CN=$1/O=Vagrant/C=UK" 2>/dev/null | |
openssl x509 -req -days 365 -in "$PATH_CSR" -signkey "$PATH_KEY" -out "$PATH_CRT" 2>/dev/null | |
fi | |
fi | |
block="##server { | |
##listen 80; | |
##server_name ${HOST}; | |
### root html; | |
### proxy the PHP scripts to Apache listening on 127.0.0.1:80 | |
### | |
##location / { | |
## return 301 https://\$server_name\$request_uri; | |
##} | |
##} | |
# HTTPS server | |
# | |
server { | |
listen 80; | |
listen 443; | |
server_name ${HOST}; | |
root html; | |
server_tokens off; | |
fastcgi_hide_header X-Powered-By; | |
index index.html index.htm; | |
charset utf-8; | |
location = /favicon.ico { access_log off; log_not_found off; } | |
location = /robots.txt { access_log off; log_not_found off; } | |
access_log /var/log/nginx/${HOST}-access.log combined; | |
error_log /var/log/nginx/${HOST}-error.log error; | |
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1 | |
proxy_http_version 1.1; | |
# Remove the Connection header if the client sends it, | |
# it could be "close" to close a keepalive connection | |
proxy_set_header Connection \"\"; | |
## Create a backup of <TOMCAT_INSTALL>/conf/server.xml before editing it. | |
## Edit the HTTPS connector so that it has the parameters that point to the key store: | |
## scheme="https" proxyName="your.host.com" proxyPort="443" secure="true" | |
location / { | |
proxy_pass http://127.0.0.1:${PORT}; | |
proxy_set_header Host \$host; | |
## if your web server using other port(for example, 6080 with port forwarding), you need append exposed port number; | |
## See https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy | |
# proxy_set_header Host \$host:6080; | |
# proxy_redirect http://127.0.0.1:\${PORT} https://jenkins.domain.tld:6080; | |
proxy_set_header X-Real-IP \$remote_addr; | |
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Proto \$scheme; | |
## prevent 504 timeout. default 60s; | |
proxy_connect_timeout 90; | |
proxy_send_timeout 90; | |
proxy_read_timeout 90; | |
send_timeout 90; | |
} | |
sendfile off; | |
client_max_body_size 100m; | |
location ~ /\.ht { | |
deny all; | |
} | |
#ssl on; | |
#ssl_certificate /etc/nginx/ssl/${HOST}.crt; | |
#ssl_certificate_key /etc/nginx/ssl/${HOST}.key; | |
### RHEL/CentOS derived distro. | |
# ssl_certificate /etc/pki/tls/certs/${HOST}.crt; | |
# ssl_certificate_key /etc/pki/tls/private/${HOST}.key; | |
ssl_session_timeout 5m; | |
### Dropping SSLv3, ref: POODLE | |
### TLS 1.3 works only when nginx(1.13.0) and OpenSSL 1.1.1 with TLSv1.3 support option. | |
# ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1; | |
# ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; | |
### HSTS(HTTP Strict Transport Security) | |
# add_header Strict-Transport-Security \"max-age=86400; includeSubdomains; preload\"; | |
} | |
" | |
echo "$block" > "/etc/nginx/sites-available/${HOST}" | |
ln -fs "/etc/nginx/sites-available/${HOST}" "/etc/nginx/sites-enabled/${HOST}" | |
service nginx restart | |
## check include sites-enabled directive | |
RED='\033[0;31m' | |
NC='\033[0m' # No Color | |
## detect distro | |
LSB_EXISTS=`command -v lsb_release` | |
if [[ ! -z "$LSB_EXISTS" ]];then | |
DISTRO=$(lsb_release -i | cut -d: -f2 | sed s/'^\t'//|tr '[:lower:]' '[:upper:]') | |
else | |
# echo "lsb_release not found" | |
DISTRO=$(cat /etc/os-release | grep ^NAME | cut -d'=' -f2 | \ | |
cut -d'"' -f2|cut -d' ' -f1 | \ | |
tr '[:lower:]' '[:upper:]') | |
fi | |
if [ "$DISTRO" == "CENTOS" -o "$DISTRO" == "REDHAT" -o "$DISTRO" == "AMAZON LINUX AMI" ];then | |
printf "\nyou must add '${RED}include /etc/nginx/sites-enabled/*;' into /etc/nginx/nginx.conf${NC}" | |
fi | |
if [ "$DISTRO" == "CENTOS" -o "$DISTRO" == "REDHAT" ];then | |
printf "\n\nSELinux user must adding port context. \n\n"; | |
printf "${RED}semanage port -a -p tcp -t http_port_t ${PORT}${NC}\n\n"; | |
fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment