nakaz/letsencrypt.sh

## letsencrypt.sh
# as super user after pointing domain to server. ref: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
cd /usr/local/sbin
wget https://dl.eff.org/certbot-auto
chmod a+x /usr/local/sbin/certbot-auto
certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d [[site.com]] -d www.[[site.com]]
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# as root, edit the nginx config for the site you just set up
vim /etc/nginx/conf.d/[[site.com]].conf
# when editing the file, just follow all the directions to comment and uncomment TLS-related config

service nginx restart

# set up auto-cert-renewal
crontab -e

## within the crontab
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload

## misc.sh
# Install nginx mainline for http2 features. ref: http://nginx.org/en/linux_packages.html
wget http://nginx.org/keys/nginx_signing.key
apt-key add nginx_signing.key
touch /etc/apt/sources.list.d/nginx.list
echo deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx >> /etc/apt/sources.list.d/nginx.list
echo deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx >> /etc/apt/sources.list.d/nginx.list
apt-get install software-properties-common -y
apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
apt-get update

apt-get install nginx

# set box time
timedatectl set-timezone [[timezone]]

# Update worker process if needed
vim /etc/nginx/nginx.conf
# user  deploy www-data;
# worker_processes  2;
sudo service nginx restart

## nginx.conf
# DO NOT COPY/PASTE
# This gist is for reference

# Redirect all http requests from 80 into https in 443. ref: http://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom/401632#401632

server {
   listen         80;
   server_name    my.domain.com;
   return         301 https://$server_name$request_uri;
}

server {
   listen         443 ssl;
   server_name    my.domain.com;
   # add Strict-Transport-Security to prevent man in the middle attacks
   add_header Strict-Transport-Security "max-age=31536000";

   # rest of the goods
}

server {
  listen       80 default_server; # comment out after TLS setup
  listen   [::]:80 default_server; # comment out after TLS setup
  # listen 443 ssl; # uncomment after TLS setup

  server_name  [[site.com]] www.[[site.com]];

  # uncomment the lines below after TLS setup
  # ssl_certificate /etc/letsencrypt/live/[[site.com]]/fullchain.pem;
  # ssl_certificate_key /etc/letsencrypt/live/[[site.com]]/privkey.pem;
  # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # ssl_prefer_server_ciphers on;
  # ssl_dhparam /etc/ssl/certs/dhparam.pem;
  # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  # ssl_session_timeout 1d;
  # ssl_session_cache shared:SSL:50m;
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # add_header Strict-Transport-Security max-age=15768000;

  # root   /var/www/path/to/site.com;
  root   /usr/share/nginx/html;
  index index.html index.htm;
  location / {
      # whatever you need to do here
      # proxy_pass
  }

  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xm    l+rss text/javascript;
  #error_page  404              /404.html;
  # redirect server error pages to the static page /50x.html
  #
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
      root   /usr/share/nginx/html;
  }
  location ~ /.well-known {
      allow all;
  }
  location ~ /\.ht {
      deny  all;
  }
  location = /favicon.ico { log_not_found off; access_log off; }
  location = /robots.txt { log_not_found off; access_log off; allow all; }
  location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
      expires max;
      log_not_found off;
  }
}
	# as super user after pointing domain to server. ref: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
	cd /usr/local/sbin
	wget https://dl.eff.org/certbot-auto
	chmod a+x /usr/local/sbin/certbot-auto
	certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d [[site.com]] -d www.[[site.com]]
	openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

	# as root, edit the nginx config for the site you just set up
	vim /etc/nginx/conf.d/[[site.com]].conf
	# when editing the file, just follow all the directions to comment and uncomment TLS-related config

	service nginx restart

	# set up auto-cert-renewal
	crontab -e

	## within the crontab
	30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
	35 2 * * 1 /etc/init.d/nginx reload
	# Install nginx mainline for http2 features. ref: http://nginx.org/en/linux_packages.html
	wget http://nginx.org/keys/nginx_signing.key
	apt-key add nginx_signing.key
	touch /etc/apt/sources.list.d/nginx.list
	echo deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx >> /etc/apt/sources.list.d/nginx.list
	echo deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx >> /etc/apt/sources.list.d/nginx.list
	apt-get install software-properties-common -y
	apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
	apt-get update

	apt-get install nginx

	# set box time
	timedatectl set-timezone [[timezone]]

	# Update worker process if needed
	vim /etc/nginx/nginx.conf
	# user deploy www-data;
	# worker_processes 2;
	sudo service nginx restart
	# DO NOT COPY/PASTE
	# This gist is for reference

	# Redirect all http requests from 80 into https in 443. ref: http://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom/401632#401632

	server {
	listen 80;
	server_name my.domain.com;
	return 301 https://$server_name$request_uri;
	}

	server {
	listen 443 ssl;
	server_name my.domain.com;
	# add Strict-Transport-Security to prevent man in the middle attacks
	add_header Strict-Transport-Security "max-age=31536000";

	# rest of the goods
	}

	server {
	listen 80 default_server; # comment out after TLS setup
	listen [::]:80 default_server; # comment out after TLS setup
	# listen 443 ssl; # uncomment after TLS setup

	server_name [[site.com]] www.[[site.com]];

	# uncomment the lines below after TLS setup
	# ssl_certificate /etc/letsencrypt/live/[[site.com]]/fullchain.pem;
	# ssl_certificate_key /etc/letsencrypt/live/[[site.com]]/privkey.pem;
	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ssl_prefer_server_ciphers on;
	# ssl_dhparam /etc/ssl/certs/dhparam.pem;
	# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	# ssl_session_timeout 1d;
	# ssl_session_cache shared:SSL:50m;
	# ssl_stapling on;
	# ssl_stapling_verify on;
	# add_header Strict-Transport-Security max-age=15768000;

	# root /var/www/path/to/site.com;
	root /usr/share/nginx/html;
	index index.html index.htm;
	location / {
	# whatever you need to do here
	# proxy_pass
	}

	gzip on;
	gzip_disable "msie6";
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xm l+rss text/javascript;
	#error_page 404 /404.html;
	# redirect server error pages to the static page /50x.html
	#
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
	root /usr/share/nginx/html;
	}
	location ~ /.well-known {
	allow all;
	}
	location ~ /\.ht {
	deny all;
	}
	location = /favicon.ico { log_not_found off; access_log off; }
	location = /robots.txt { log_not_found off; access_log off; allow all; }
	location ~* \.(css\|gif\|ico\|jpeg\|jpg\|js\|png)$ {
	expires max;
	log_not_found off;
	}
	}