Startup script - Ubuntu 16.04 - nvm, node, dotnet core 2.0, nginx w/ self-signed cert
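#!/usr/bin/env bash
# Startup script - Ubuntu 16.04: nvm, node, dotnet core 2.0, nginx w/ self-signed cert.
#
# USE LIKE THIS
#   curl -fsSL GIST_URL | bash
# or
#   curl -fsSL -o /tmp/ubuntu1604-startup.sh GIST_URL
#   chmod +x /tmp/ubuntu1604-startup.sh
#   cd /tmp/ && ./ubuntu1604-startup.sh
#
# Requirements: a sudo-capable user and outbound network access.
# The sample app is only built when /var/www/webapp does not exist yet;
# every other step is (re)applied on each run.
#
# bash rather than sh: nvm is a bash shell function and must be sourced.

set -eo pipefail

readonly NVM_VERSION=v0.33.6
readonly NODE_VERSION=v8.9.1
readonly APP_BUILD_DIR=/home/apps
readonly APP_DEPLOY_DIR=/var/www/webapp

# Public IP, used as the certificate CN and the nginx server_name.
# `dig` may be missing on a minimal image; fall back to "localhost" instead of
# writing an empty CN / server_name into the cert and the nginx config.
publicip="$(dig +short myip.opendns.com @resolver1.opendns.com 2>/dev/null || true)"
readonly publicip="${publicip:-localhost}"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# apt-get install with a few retries. On a freshly booted VM the apt lock is
# frequently still held by unattended-upgrades, which is the most plausible
# cause of the intermittent dotnet-sdk install failures the original noted.
# Arguments: package names
# Returns:   0 when the install succeeded, 1 after three failed attempts
#######################################
apt_install() {
  local attempt
  for attempt in 1 2 3; do
    if sudo apt-get install -y "$@"; then
      return 0
    fi
    printf 'apt-get install %s failed (attempt %s/3), retrying...\n' "$*" "$attempt" >&2
    sleep 10
  done
  return 1
}

#######################################
# Write stdin to a root-owned file (the config files below live under /etc,
# which the invoking user normally cannot write to directly).
# Arguments: $1 - destination path
#######################################
write_root_file() {
  sudo tee -- "$1" >/dev/null
}

#######################################
# Install nvm (pinned tag), node, and the global npm tools.
# Globals:   NVM_VERSION, NODE_VERSION (read); NVM_DIR (exported)
#######################################
install_node() {
  # -f makes curl fail on an HTTP error instead of piping an error page into
  # bash. The tag is pinned, but the script is still executed unverified;
  # review it before running this on anything that matters.
  curl -fsSL "https://raw.githubusercontent.com/creationix/nvm/${NVM_VERSION}/install.sh" | bash
  # The installer only edits the shell profile; nvm is a shell function and
  # has to be sourced into this process before it can be called.
  export NVM_DIR="${NVM_DIR:-$HOME/.nvm}"
  # nvm is a large shell library not written for `set -e`, so run it with -e
  # relaxed in a subshell and check the overall result instead.
  (
    set +e
    # shellcheck disable=SC1090
    . "$NVM_DIR/nvm.sh" || exit 1
    nvm install "$NODE_VERSION" \
      && nvm alias default "$NODE_VERSION" \
      && nvm use default \
      && npm i -g rimraf dotenv pm2 forever nodemon
  ) || die "node ${NODE_VERSION} install via nvm failed"
}

#######################################
# Install the .NET Core 2.0 SDK from the Microsoft package feed.
# see: https://docs.microsoft.com/en-us/dotnet/core/linux-prerequisites?tabs=netcore2x
#######################################
install_dotnet() {
  local pkg keyring_tmp
  # Prerequisites are best-effort, as in the original (each one was a separate
  # apt-get call): the dotnet-sdk package pulls its own dependencies anyway.
  # NOTE(review): "libkrb5" is not an exact package name on xenial (the runtime
  # library is libkrb5-3) — confirm which one was intended.
  for pkg in libunwind8 liblttng-ust0 libcurl3 libssl1.0.0 libuuid1 libkrb5 zlib1g libicu55; do
    apt_install "$pkg" || printf 'warn: prerequisite %s not installed\n' "$pkg" >&2
  done

  # Register the Microsoft product key as trusted. Dearmor into a temp file so
  # nothing is left behind in the current directory on failure.
  keyring_tmp="$(mktemp)" || die "mktemp failed"
  curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > "$keyring_tmp"
  sudo install -o root -g root -m 644 -- "$keyring_tmp" /etc/apt/trusted.gpg.d/microsoft.gpg
  rm -f -- "$keyring_tmp"

  # Set up the desired version host package feed.
  printf '%s\n' "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-xenial-prod xenial main" \
    | write_root_file /etc/apt/sources.list.d/dotnetdev.list
  sudo apt-get update
  apt_install dotnet-sdk-2.0.0 || die "dotnet-sdk-2.0.0 did not install"
}

#######################################
# Create, build and publish the sample web app into APP_DEPLOY_DIR, unless it
# is already deployed.
# Globals:   APP_BUILD_DIR, APP_DEPLOY_DIR (read)
#######################################
build_sample_app() {
  if [ -d "$APP_DEPLOY_DIR" ]; then
    printf '%s already exists, skipping sample app\n' "$APP_DEPLOY_DIR"
    return 0
  fi
  # /home is root-owned; create the build dir with sudo and hand it to the
  # invoking user so dotnet does not need to run as root.
  sudo mkdir -p -- "$APP_BUILD_DIR"
  sudo chown "$(id -u):$(id -g)" -- "$APP_BUILD_DIR"
  # Subshell: the cd must not leak into the rest of the script.
  (
    cd -- "$APP_BUILD_DIR" || die "cannot cd to ${APP_BUILD_DIR}"
    dotnet new web --name WebApp --output webapp
    cd webapp || die "cannot cd to ${APP_BUILD_DIR}/webapp"
    dotnet restore
    dotnet build
    dotnet publish -c Release -o dist
    # /var/www does not exist until nginx is installed, which happens later,
    # so create the parent explicitly before deploying.
    sudo mkdir -p -- "$(dirname -- "$APP_DEPLOY_DIR")"
    sudo mv -- dist/ "$APP_DEPLOY_DIR"
  )
}

#######################################
# Install nginx and keep a backup of the packaged default server block.
# see: https://docs.microsoft.com/en-us/aspnet/core/publishing/linuxproduction?tabs=aspnetcore2x
#######################################
install_nginx() {
  apt_install nginx || die "nginx did not install"
  sudo service nginx start
  # Back up the current server block file before it is overwritten.
  sudo cp -- /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
}

#######################################
# Create a self-signed certificate plus DH params and the nginx TLS snippets.
# see: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04
# Globals:   publicip (read)
#######################################
create_selfsigned_cert() {
  sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/nginx-selfsigned.key \
    -out /etc/ssl/certs/nginx-selfsigned.crt \
    -subj "/C=US/ST=Illinois/L=Chicago/O=Startup/CN=${publicip}"
  # The key is only ever read by nginx (as root at startup); keep it private.
  sudo chmod 600 /etc/ssl/private/nginx-selfsigned.key
  # dhparam generation takes a while and prints progress to stderr; the exit
  # status is still checked by set -e.
  sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 >/dev/null 2>&1

  write_root_file /etc/nginx/snippets/self-signed.conf <<'EOL'
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
EOL

  write_root_file /etc/nginx/snippets/ssl-params.conf <<'EOL'
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# TLS 1.0/1.1 are deprecated and were only kept for legacy clients; the stock
# nginx on 16.04 supports TLS 1.2, so nothing newer than 2008 needs them.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling has no effect with a self-signed certificate (nginx logs that
# it ignores it); kept so the snippet works unchanged with a CA-issued cert.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOL
}

#######################################
# Write the nginx server block that fronts Kestrel on localhost:5000 over
# HTTP and HTTPS. Must run after create_selfsigned_cert (it includes the
# snippets written there).
# Globals:   publicip (read)
#######################################
write_nginx_site() {
  # Unquoted delimiter on purpose: $publicip is expanded, the nginx variables
  # are escaped so they reach the config file literally.
  write_root_file /etc/nginx/sites-available/default <<EOL
server {
    # SSL configuration
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name ${publicip};
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host \$host;
        proxy_cache_bypass \$http_upgrade;
    }
}
EOL
  # Fail here, with nginx's own diagnostics, rather than on the restart.
  sudo nginx -t
  sudo systemctl restart nginx
}

#######################################
# Create and start the systemd unit that runs the published app as www-data.
# Globals:   APP_DEPLOY_DIR (read)
#######################################
create_kestrel_service() {
  write_root_file /etc/systemd/system/kestrel-webapp.service <<EOL
[Unit]
Description=WebApp Kestrel Service

[Service]
WorkingDirectory=${APP_DEPLOY_DIR}
ExecStart=/usr/bin/dotnet ${APP_DEPLOY_DIR}/WebApp.dll
Restart=always
# Restart the service 5 seconds after a crash. systemd has no inline comments,
# so this note must stay on its own line; "RestartSec=5 # ..." does not parse.
RestartSec=5
SyslogIdentifier=dotnet-webapp
User=www-data
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false

[Install]
WantedBy=multi-user.target
EOL
  sudo systemctl daemon-reload
  # enable the service to start after system restarts
  sudo systemctl enable kestrel-webapp.service
  # start the service and check status; status exits non-zero when the unit
  # is not active and is diagnostic only, so it must not abort the script
  sudo systemctl start kestrel-webapp.service
  sudo systemctl status --no-pager kestrel-webapp.service || true
}

#######################################
# Deny inbound traffic except ssh/80/443. Kestrel's port 5000 stays reachable
# only through nginx on localhost.
# see: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-16-04
#######################################
configure_firewall() {
  apt_install ufw || die "ufw did not install"
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow ssh
  sudo ufw allow 80
  sudo ufw allow 443
  # `ufw enable` asks for confirmation on a tty; --force answers it (ufw has no -y).
  sudo ufw --force enable
}

main() {
  install_node
  install_dotnet
  build_sample_app
  install_nginx
  create_selfsigned_cert
  write_nginx_site
  create_kestrel_service
  configure_firewall
  # improve nginx further
  # see: https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-with-http-2-support-on-ubuntu-16-04
  echo Done
}

main "$@"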