lucassrg/ngnix_cloud-init-userdata.sh

## ngnix_cloud-init-userdata.sh
#!/bin/bash

###############################
# Input variables            #
##############################
DOMAIN=mysite.com
CERTS_ROOT_DIR=/etc/ssl

#Zip file containing the SSL certificate bundle
# Content of the zip file:
#unzip -l mysite.com.zip
#Archive:  mysite.com.zip
#  Length     Date   Time    Name
# --------    ----   ----    ----
#        0  05-14-18 14:46   mysite.com/
#      682  05-14-18 14:35   mysite.com/README
#     2147  05-14-18 14:46   mysite.com/cert.pem
#     1704  05-14-18 14:46   mysite.com/privkey.pem
#     1647  05-14-18 14:46   mysite.com/chain.pem
#     3794  05-14-18 14:46   mysite.com/fullchain.pem
# --------                   -------
#     9974                   6 files

CERTS_ZIP_URL=https://objectstorage.us-ashburn-1.oraclecloud.com/p/mysite.com.zip
SSL_CERTIFICATE=${CERTS_ROOT_DIR}/${DOMAIN}/fullchain.pem
SSL_CERTIFICATE_KEY=${CERTS_ROOT_DIR}/${DOMAIN}/privkey.pem
NGINX_SERVER_ROOT_DIR=/usr/share/nginx/html


# Update Yum Repo - Regional OCI yum repo
# 		http://yum-fra.oracle.com/yum-fra-ol7.repo
# 		http://yum-ash.oracle.com/yum-ash-ol7.repo
# 		http://yum-phx.oracle.com/yum-phx-ol7.repo

YUM_REPO=http://yum-ash.oracle.com/yum-ash-ol7.repo

mv /etc/yum.repos.d/public-yum-ol7.repo /etc/yum.repos.d/public-yum-ol7.repo.bak
wget -O /etc/yum.repos.d/yum-oci-ol7.repo ${YUM_REPO}


echo '=> install packages'
yum -y update
yum -y install nginx
echo '=> done installing packages.'


echo '=> update firewall rules'
firewall-offline-cmd --zone=public --add-service=http
firewall-offline-cmd --zone=public --add-service=https
systemctl restart firewalld
echo '=> done updating firewall rules'


echo '=> install certificates'
mkdir ${CERTS_ROOT_DIR}
wget ${CERTS_ZIP_URL} -O ${CERTS_ROOT_DIR}/certs.zip && unzip -d ${CERTS_ROOT_DIR}/ ${CERTS_ROOT_DIR}/certs.zip

echo '=> configure nginx'
nginx -t
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
systemctl start nginx

echo '=> write hello world page'

mkdir ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}
touch ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
touch ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
HOSTNAME=`uname -n`

echo '<html><head></head><body><pre><code>' > ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
echo ${HOSTNAME} >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
echo 'PORT 80' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
echo '' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
cat /etc/os-release >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
echo '</code></pre></body></html>' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html


echo '<html><head></head><body><pre><code>' > ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
echo ${HOSTNAME} >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
echo 'PORT 443' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
echo '' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
cat /etc/os-release >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
echo '</code></pre></body></html>' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html

echo '=> write nginx.conf'

cat > /etc/nginx/conf.d/${DOMAIN}.nginx.conf <<EOF
server {
    listen              80;
    listen              [::]:80;
    server_name         ${DOMAIN} www.${DOMAIN} ${HOSTNAME};
#redirect to ssl
#    return 301          https://${DOMAIN}$request_uri;
#    return 301          https://www.${DOMAIN}$request_uri;


    location / {
        root   ${NGINX_SERVER_ROOT_DIR}/${DOMAIN};
        index  index_80.html;
    }
}

server {
    listen              443 ssl http2 default_server;
    listen              [::]:443 ssl http2 default_server;
    server_name         ${DOMAIN} www.${DOMAIN} ${HOSTNAME};

    location / {
        root   ${NGINX_SERVER_ROOT_DIR}/${DOMAIN};
        index  index_443.html;
    }
}
EOF


echo '=> write nginx.conf'
cat > /etc/nginx/nginx.conf <<EOF
#user  nginx;
worker_processes  auto;

#error_log  /var/log/nginx/error.log warn;
#pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;

    server_tokens       off;
    keepalive_timeout   75;

    #add_header          Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    #add_header          X-Content-Type-Options nosniff;
    #add_header          X-Frame-Options SAMEORIGIN;
    #add_header          X-XSS-Protection "1; mode=block";

    ssl_certificate     ${SSL_CERTIFICATE};
    ssl_certificate_key ${SSL_CERTIFICATE_KEY};
    ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
}
EOF


echo '=> Reloading nginx'
nginx -s reload

echo '=> Done '
	#!/bin/bash

	###############################
	# Input variables #
	##############################
	DOMAIN=mysite.com
	CERTS_ROOT_DIR=/etc/ssl

	#Zip file containing the SSL certificate bundle
	# Content of the zip file:
	#unzip -l mysite.com.zip
	#Archive: mysite.com.zip
	# Length Date Time Name
	# -------- ---- ---- ----
	# 0 05-14-18 14:46 mysite.com/
	# 682 05-14-18 14:35 mysite.com/README
	# 2147 05-14-18 14:46 mysite.com/cert.pem
	# 1704 05-14-18 14:46 mysite.com/privkey.pem
	# 1647 05-14-18 14:46 mysite.com/chain.pem
	# 3794 05-14-18 14:46 mysite.com/fullchain.pem
	# -------- -------
	# 9974 6 files

	CERTS_ZIP_URL=https://objectstorage.us-ashburn-1.oraclecloud.com/p/mysite.com.zip
	SSL_CERTIFICATE=${CERTS_ROOT_DIR}/${DOMAIN}/fullchain.pem
	SSL_CERTIFICATE_KEY=${CERTS_ROOT_DIR}/${DOMAIN}/privkey.pem
	NGINX_SERVER_ROOT_DIR=/usr/share/nginx/html



	# Update Yum Repo - Regional OCI yum repo
	# http://yum-fra.oracle.com/yum-fra-ol7.repo
	# http://yum-ash.oracle.com/yum-ash-ol7.repo
	# http://yum-phx.oracle.com/yum-phx-ol7.repo

	YUM_REPO=http://yum-ash.oracle.com/yum-ash-ol7.repo

	mv /etc/yum.repos.d/public-yum-ol7.repo /etc/yum.repos.d/public-yum-ol7.repo.bak
	wget -O /etc/yum.repos.d/yum-oci-ol7.repo ${YUM_REPO}




	echo '=> install packages'
	yum -y update
	yum -y install nginx
	echo '=> done installing packages.'


	echo '=> update firewall rules'
	firewall-offline-cmd --zone=public --add-service=http
	firewall-offline-cmd --zone=public --add-service=https
	systemctl restart firewalld
	echo '=> done updating firewall rules'


	echo '=> install certificates'
	mkdir ${CERTS_ROOT_DIR}
	wget ${CERTS_ZIP_URL} -O ${CERTS_ROOT_DIR}/certs.zip && unzip -d ${CERTS_ROOT_DIR}/ ${CERTS_ROOT_DIR}/certs.zip

	echo '=> configure nginx'
	nginx -t
	cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
	systemctl start nginx

	echo '=> write hello world page'

	mkdir ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}
	touch ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
	touch ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
	HOSTNAME=`uname -n`

	echo '<html><head></head><body><pre><code>' > ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
	echo ${HOSTNAME} >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
	echo 'PORT 80' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
	echo '' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
	cat /etc/os-release >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html
	echo '</code></pre></body></html>' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_80.html



	echo '<html><head></head><body><pre><code>' > ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
	echo ${HOSTNAME} >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
	echo 'PORT 443' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
	echo '' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
	cat /etc/os-release >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html
	echo '</code></pre></body></html>' >> ${NGINX_SERVER_ROOT_DIR}/${DOMAIN}/index_443.html

	echo '=> write nginx.conf'

	cat > /etc/nginx/conf.d/${DOMAIN}.nginx.conf <<EOF
	server {
	listen 80;
	listen [::]:80;
	server_name ${DOMAIN} www.${DOMAIN} ${HOSTNAME};
	#redirect to ssl
	# return 301 https://${DOMAIN}$request_uri;
	# return 301 https://www.${DOMAIN}$request_uri;


	location / {
	root ${NGINX_SERVER_ROOT_DIR}/${DOMAIN};
	index index_80.html;
	}
	}

	server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;
	server_name ${DOMAIN} www.${DOMAIN} ${HOSTNAME};

	location / {
	root ${NGINX_SERVER_ROOT_DIR}/${DOMAIN};
	index index_443.html;
	}
	}
	EOF


	echo '=> write nginx.conf'
	cat > /etc/nginx/nginx.conf <<EOF
	#user nginx;
	worker_processes auto;

	#error_log /var/log/nginx/error.log warn;
	#pid /var/run/nginx.pid;

	events {
	worker_connections 1024;
	}


	http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';

	#access_log /var/log/nginx/access.log main;

	sendfile on;
	#tcp_nopush on;

	#gzip on;

	include /etc/nginx/conf.d/*.conf;

	server_tokens off;
	keepalive_timeout 75;

	#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	#add_header X-Content-Type-Options nosniff;
	#add_header X-Frame-Options SAMEORIGIN;
	#add_header X-XSS-Protection "1; mode=block";

	ssl_certificate ${SSL_CERTIFICATE};
	ssl_certificate_key ${SSL_CERTIFICATE_KEY};
	ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	}
	EOF


	echo '=> Reloading nginx'
	nginx -s reload

	echo '=> Done '