Sample cloud-init user-data script for setting up NGINX with an SSL certificate
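#!/bin/bash
# Cloud-init user-data script: install NGINX on Oracle Linux 7 from the
# regional OCI yum mirror, fetch a pre-built TLS certificate bundle and serve
# a hello-world page on ports 80 and 443.
#
# Runs as root at first boot. Edit DOMAIN, CERTS_ZIP_URL and YUM_REPO below
# before use. Diagnostics go to stderr; any failed step aborts the script.
set -euo pipefail

###############################
# Input variables             #
###############################
readonly DOMAIN=mysite.com
readonly CERTS_ROOT_DIR=/etc/ssl
# Zip file containing the SSL certificate bundle.
# NOTE(review): user-data is readable through the instance metadata service by
# any local process, so this URL effectively grants access to the private key.
# Use a short-lived pre-authenticated URL and revoke it once the instance is up.
#
# Content of the zip file:
#   unzip -l mysite.com.zip
#   Archive: mysite.com.zip
#     Length  Date      Time   Name
#   --------  ----      ----   ----
#          0  05-14-18  14:46  mysite.com/
#        682  05-14-18  14:35  mysite.com/README
#       2147  05-14-18  14:46  mysite.com/cert.pem
#       1704  05-14-18  14:46  mysite.com/privkey.pem
#       1647  05-14-18  14:46  mysite.com/chain.pem
#       3794  05-14-18  14:46  mysite.com/fullchain.pem
#   --------                   -------
#       9974                   6 files
readonly CERTS_ZIP_URL=https://objectstorage.us-ashburn-1.oraclecloud.com/p/mysite.com.zip
readonly SSL_CERTIFICATE="${CERTS_ROOT_DIR}/${DOMAIN}/fullchain.pem"
readonly SSL_CERTIFICATE_KEY="${CERTS_ROOT_DIR}/${DOMAIN}/privkey.pem"
readonly NGINX_SERVER_ROOT_DIR=/usr/share/nginx/html
# Regional OCI yum repo - pick the one closest to the instance:
#   http://yum-fra.oracle.com/yum-fra-ol7.repo
#   http://yum-ash.oracle.com/yum-ash-ol7.repo
#   http://yum-phx.oracle.com/yum-phx-ol7.repo
readonly YUM_REPO=http://yum-ash.oracle.com/yum-ash-ol7.repo

#######################################
# Print a message to stderr and abort.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Replace the public OL7 repo definition with the regional OCI one.
# Globals:  YUM_REPO (read)
#######################################
configure_yum_repo() {
  local -r repo_dir=/etc/yum.repos.d
  # The stock repo file is not present on every image; only back it up if it is.
  if [[ -f "${repo_dir}/public-yum-ol7.repo" ]]; then
    mv -- "${repo_dir}/public-yum-ol7.repo" "${repo_dir}/public-yum-ol7.repo.bak"
  fi
  # NOTE(review): the repo definition is fetched over plain HTTP. Packages are
  # still GPG-checked by yum, but the repo file itself is not authenticated.
  wget -O "${repo_dir}/yum-oci-ol7.repo" "$YUM_REPO" \
    || die "failed to download yum repo definition from ${YUM_REPO}"
}

#######################################
# Update the system and install nginx (and unzip, needed for the cert bundle).
#######################################
install_packages() {
  echo '=> install packages'
  yum -y update
  yum -y install nginx unzip
  echo '=> done installing packages.'
}

#######################################
# Open http/https in the public zone of firewalld.
#######################################
configure_firewall() {
  echo '=> update firewall rules'
  firewall-offline-cmd --zone=public --add-service=http
  firewall-offline-cmd --zone=public --add-service=https
  systemctl restart firewalld
  echo '=> done updating firewall rules'
}

#######################################
# Download the certificate bundle and unpack it under CERTS_ROOT_DIR.
# Globals:  CERTS_ROOT_DIR, CERTS_ZIP_URL, SSL_CERTIFICATE,
#           SSL_CERTIFICATE_KEY (read)
#######################################
install_certificates() {
  echo '=> install certificates'
  local -r zip="${CERTS_ROOT_DIR}/certs.zip"
  # /etc/ssl usually exists already; -p keeps this idempotent.
  mkdir -p -- "$CERTS_ROOT_DIR"
  wget -O "$zip" "$CERTS_ZIP_URL" || die "failed to download ${CERTS_ZIP_URL}"
  # The archive carries its own ${DOMAIN}/ prefix (see listing above), so the
  # files land in ${CERTS_ROOT_DIR}/${DOMAIN}/ where the nginx config expects them.
  unzip -d "${CERTS_ROOT_DIR}/" "$zip" || die "failed to extract ${zip}"
  # The zip also contains the private key; do not leave a second copy around.
  rm -f -- "$zip"
  [[ -f "$SSL_CERTIFICATE" && -f "$SSL_CERTIFICATE_KEY" ]] \
    || die "bundle did not provide ${SSL_CERTIFICATE} and ${SSL_CERTIFICATE_KEY}"
  # unzip restores whatever mode the archive recorded; force root-only on the key.
  # nginx's master process runs as root and reads the key at startup.
  chown root:root -- "$SSL_CERTIFICATE_KEY"
  chmod 0600 -- "$SSL_CERTIFICATE_KEY"
}

#######################################
# Write one hello-world page.
# Globals:   HOSTNAME (read)
# Arguments: $1 - port number shown on the page
#            $2 - destination file
# NOTE(review): the page publishes the hostname and /etc/os-release to anyone
# who can reach the server; fine for a demo, remove for anything else.
#######################################
write_index_page() {
  local -r port=$1
  local -r page=$2
  {
    printf '<html><head></head><body><pre><code>\n'
    printf '%s\n' "$HOSTNAME"
    printf 'PORT %s\n' "$port"
    printf '\n'
    cat /etc/os-release
    printf '</code></pre></body></html>\n'
  } > "$page"
}

#######################################
# Create the document root and both index pages.
# Globals:  NGINX_SERVER_ROOT_DIR, DOMAIN (read)
#######################################
write_index_pages() {
  echo '=> write hello world page'
  local -r doc_root="${NGINX_SERVER_ROOT_DIR}/${DOMAIN}"
  mkdir -p -- "$doc_root"
  write_index_page 80 "${doc_root}/index_80.html"
  write_index_page 443 "${doc_root}/index_443.html"
}

#######################################
# Write the per-site server blocks and the main nginx.conf.
# Globals:  DOMAIN, HOSTNAME, NGINX_SERVER_ROOT_DIR, SSL_CERTIFICATE,
#           SSL_CERTIFICATE_KEY (read)
# nginx variables ($request_uri, $remote_addr, ...) are escaped with a
# backslash so the shell does not expand them to empty strings inside the
# unquoted heredocs.
#######################################
write_nginx_config() {
  echo '=> write nginx.conf'
  cat > "/etc/nginx/conf.d/${DOMAIN}.nginx.conf" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${DOMAIN} www.${DOMAIN} ${HOSTNAME};
    #redirect to ssl
    # return 301 https://${DOMAIN}\$request_uri;
    # return 301 https://www.${DOMAIN}\$request_uri;
    location / {
        root ${NGINX_SERVER_ROOT_DIR}/${DOMAIN};
        index index_80.html;
    }
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name ${DOMAIN} www.${DOMAIN} ${HOSTNAME};
    location / {
        root ${NGINX_SERVER_ROOT_DIR}/${DOMAIN};
        index index_443.html;
    }
}
EOF
  echo '=> write nginx.conf'
  cat > /etc/nginx/nginx.conf <<EOF
#user nginx;
worker_processes auto;
#error_log /var/log/nginx/error.log warn;
#pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                    '\$status \$body_bytes_sent "\$http_referer" '
                    '"\$http_user_agent" "\$http_x_forwarded_for"';
    #access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
    server_tokens off;
    keepalive_timeout 75;
    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    #add_header X-Content-Type-Options nosniff;
    #add_header X-Frame-Options SAMEORIGIN;
    #add_header X-XSS-Protection "1; mode=block";
    ssl_certificate ${SSL_CERTIFICATE};
    ssl_certificate_key ${SSL_CERTIFICATE_KEY};
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;
    # TLS 1.0/1.1 are deprecated; add TLSv1.3 here once nginx is built against
    # an OpenSSL that supports it.
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}
EOF
}

#######################################
# Entry point: provision the host end to end.
#######################################
main() {
  HOSTNAME=$(uname -n)
  configure_yum_repo
  install_packages
  configure_firewall
  install_certificates
  echo '=> configure nginx'
  cp -- /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
  write_index_pages
  write_nginx_config
  # Validate the generated configuration before touching the service.
  nginx -t || die 'generated nginx configuration is invalid'
  echo '=> Reloading nginx'
  # User-data only runs at first boot; enable the unit so nginx survives reboots.
  systemctl enable nginx
  systemctl restart nginx
  echo '=> Done '
}

main "$@"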