|  | @@ -1437,7 +1437,7 @@ function set_default_onion_domains {
 | 
	
		
			
			| 1437 | 1437 |      fi
 | 
	
		
			
			| 1438 | 1438 |  }
 | 
	
		
			
			| 1439 | 1439 |  
 | 
	
		
			
			| 1440 |  | -function website_http_redirect {
 | 
	
		
			
			|  | 1440 | +function nginx_http_redirect {
 | 
	
		
			
			| 1441 | 1441 |      # redirect port 80 to https
 | 
	
		
			
			| 1442 | 1442 |      domain_name=$1
 | 
	
		
			
			| 1443 | 1443 |      filename=/etc/nginx/sites-available/$domain_name
 | 
	
	
		
			
			|  | @@ -1456,6 +1456,21 @@ function website_http_redirect {
 | 
	
		
			
			| 1456 | 1456 |      echo '' >> $filename
 | 
	
		
			
			| 1457 | 1457 |  }
 | 
	
		
			
			| 1458 | 1458 |  
 | 
	
		
			
			|  | 1459 | +function nginx_ssl {
 | 
	
		
			
			|  | 1460 | +    # creates the SSL/TLS section for a website
 | 
	
		
			
			|  | 1461 | +    domain_name=$1
 | 
	
		
			
			|  | 1462 | +    filename=/etc/nginx/sites-available/$domain_name
 | 
	
		
			
			|  | 1463 | +    echo '    ssl on;' >> $filename
 | 
	
		
			
			|  | 1464 | +    echo "    ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename
 | 
	
		
			
			|  | 1465 | +    echo "    ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename
 | 
	
		
			
			|  | 1466 | +    echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename
 | 
	
		
			
			|  | 1467 | +    echo '' >> $filename
 | 
	
		
			
			|  | 1468 | +    echo '    ssl_session_timeout 60m;' >> $filename
 | 
	
		
			
			|  | 1469 | +    echo '    ssl_prefer_server_ciphers on;' >> $filename
 | 
	
		
			
			|  | 1470 | +    echo "    ssl_protocols $SSL_PROTOCOLS;" >> $filename
 | 
	
		
			
			|  | 1471 | +    echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename
 | 
	
		
			
			|  | 1472 | +}
 | 
	
		
			
			|  | 1473 | +
 | 
	
		
			
			| 1459 | 1474 |  function set_repo_commit {
 | 
	
		
			
			| 1460 | 1475 |      repo_dir=$1
 | 
	
		
			
			| 1461 | 1476 |      repo_commit_name=$2
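Review bot: `nginx_ssl` assigns `domain_name` and `filename` without `local` and appends through an unquoted `$filename`, so each call overwrites any variable of the same name in the calling install function, and an empty `$1` points every `>>` at the sites-available directory itself. Declaring `local domain_name=$1` and `local filename=/etc/nginx/sites-available/$domain_name`, writing `>> "$filename"`, and returning non-zero when `$1` is empty would contain that. `nginx_http_redirect` just above uses the same pattern, but most of its body lies outside this hunk. The header comment should also name the `SSL_PROTOCOLS` and `SSL_CIPHERS` globals the function reads, since an unset value produces an `ssl_protocols ;` line that nginx will refuse to load.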
 | 
	
	
		
			
			|  | @@ -6475,7 +6490,7 @@ function install_owncloud {
 | 
	
		
			
			| 6475 | 6490 |      ln -s /usr/share/owncloud /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs
 | 
	
		
			
			| 6476 | 6491 |  
 | 
	
		
			
			| 6477 | 6492 |      if [[ $ONION_ONLY == "no" ]]; then
 | 
	
		
			
			| 6478 |  | -        website_http_redirect $OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			|  | 6493 | +        nginx_http_redirect $OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6479 | 6494 |          echo 'server {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6480 | 6495 |          echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6481 | 6496 |          echo "    root /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
	
		
			
			|  | @@ -6486,15 +6501,7 @@ function install_owncloud {
 | 
	
		
			
			| 6486 | 6501 |          echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6487 | 6502 |          echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6488 | 6503 |          echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6489 |  | -        echo '    ssl on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6490 |  | -        echo "    ssl_certificate /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6491 |  | -        echo "    ssl_certificate_key /etc/ssl/private/$OWNCLOUD_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6492 |  | -        echo "    ssl_dhparam /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6493 |  | -        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6494 |  | -        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6495 |  | -        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6496 |  | -        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6497 |  | -        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			|  | 6504 | +        nginx_ssl $OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6498 | 6505 |          echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6499 | 6506 |          echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
		
			
			| 6500 | 6507 |          echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 | 
	
	
		
			
			|  | @@ -6917,15 +6924,7 @@ function install_gogs {
 | 
	
		
			
			| 6917 | 6924 |          echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6918 | 6925 |          echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6919 | 6926 |          echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6920 |  | -        echo '    ssl on;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6921 |  | -        echo "    ssl_certificate /etc/ssl/certs/$GIT_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6922 |  | -        echo "    ssl_certificate_key /etc/ssl/private/$GIT_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6923 |  | -        echo "    ssl_dhparam /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6924 |  | -        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6925 |  | -        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6926 |  | -        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6927 |  | -        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6928 |  | -        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			|  | 6927 | +        nginx_ssl $GIT_DOMAIN_NAME
 | 
	
		
			
			| 6929 | 6928 |          echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6930 | 6929 |          echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
		
			
			| 6931 | 6930 |          echo '    add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
 | 
	
	
		
			
			|  | @@ -7745,16 +7744,7 @@ function install_wiki {
 | 
	
		
			
			| 7745 | 7744 |          echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7746 | 7745 |          echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7747 | 7746 |          echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7748 |  | -        echo '    ssl on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7749 |  | -        echo "    ssl_certificate /etc/ssl/certs/$WIKI_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7750 |  | -        echo "    ssl_certificate_key /etc/ssl/private/$WIKI_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7751 |  | -        echo "    ssl_dhparam /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7752 |  | -        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7753 |  | -        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7754 |  | -        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7755 |  | -        echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7756 |  | -        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7757 |  | -        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			|  | 7747 | +        nginx_ssl $WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7758 | 7748 |          echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7759 | 7749 |          echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
		
			
			| 7760 | 7750 |          echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 | 
	
	
		
			
			|  | @@ -8095,16 +8085,7 @@ function install_blog {
 | 
	
		
			
			| 8095 | 8085 |          echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8096 | 8086 |          echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8097 | 8087 |          echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8098 |  | -        echo '    ssl on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8099 |  | -        echo "    ssl_certificate /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8100 |  | -        echo "    ssl_certificate_key /etc/ssl/private/$FULLBLOG_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8101 |  | -        echo "    ssl_dhparam /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8102 |  | -        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8103 |  | -        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8104 |  | -        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8105 |  | -        echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8106 |  | -        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8107 |  | -        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			|  | 8088 | +        nginx_ssl $FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8108 | 8089 |          echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8109 | 8090 |          echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8110 | 8091 |          echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 | 
	
	
		
			
			|  | @@ -8672,22 +8653,13 @@ function install_gnu_social {
 | 
	
		
			
			| 8672 | 8653 |  
 | 
	
		
			
			| 8673 | 8654 |      microblog_nginx_site=/etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8674 | 8655 |      if [[ $ONION_ONLY == "no" ]]; then
 | 
	
		
			
			| 8675 |  | -        website_http_redirect $MICROBLOG_DOMAIN_NAME
 | 
	
		
			
			|  | 8656 | +        nginx_http_redirect $MICROBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8676 | 8657 |          echo 'server {' >> $microblog_nginx_site
 | 
	
		
			
			| 8677 | 8658 |          echo '  listen 443 ssl;' >> $microblog_nginx_site
 | 
	
		
			
			| 8678 | 8659 |          echo "  server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site
 | 
	
		
			
			| 8679 | 8660 |          echo '' >> $microblog_nginx_site
 | 
	
		
			
			| 8680 | 8661 |          echo '  # Security' >> $microblog_nginx_site
 | 
	
		
			
			| 8681 |  | -        echo '  ssl on;' >> $microblog_nginx_site
 | 
	
		
			
			| 8682 |  | -        echo "  ssl_certificate /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.pem;" >> $microblog_nginx_site
 | 
	
		
			
			| 8683 |  | -        echo "  ssl_certificate_key /etc/ssl/private/$MICROBLOG_DOMAIN_NAME.key;" >> $microblog_nginx_site
 | 
	
		
			
			| 8684 |  | -        echo "  ssl_dhparam /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam;" >> $microblog_nginx_site
 | 
	
		
			
			| 8685 |  | -        echo '' >> $microblog_nginx_site
 | 
	
		
			
			| 8686 |  | -        echo '  ssl_session_timeout 60m;' >> $microblog_nginx_site
 | 
	
		
			
			| 8687 |  | -        echo '  ssl_prefer_server_ciphers on;' >> $microblog_nginx_site
 | 
	
		
			
			| 8688 |  | -        echo '  ssl_session_cache  builtin:1000  shared:SSL:10m;' >> $microblog_nginx_site
 | 
	
		
			
			| 8689 |  | -        echo "  ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> $microblog_nginx_site
 | 
	
		
			
			| 8690 |  | -        echo "  ssl_ciphers '$SSL_CIPHERS';" >> $microblog_nginx_site
 | 
	
		
			
			|  | 8662 | +        nginx_ssl $MICROBLOG_DOMAIN_NAME
 | 
	
		
			
			| 8691 | 8663 |          echo '  add_header X-Frame-Options DENY;' >> $microblog_nginx_site
 | 
	
		
			
			| 8692 | 8664 |          echo '  add_header X-Content-Type-Options nosniff;' >> $microblog_nginx_site
 | 
	
		
			
			| 8693 | 8665 |          echo '  add_header Strict-Transport-Security max-age=15768000;' >> $microblog_nginx_site
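Review bot: The call `nginx_ssl $MICROBLOG_DOMAIN_NAME` changes which certificate file nginx is told to load: the removed line referenced `/etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.pem`, while the helper always writes `${domain_name}.crt`. The install_hubzilla hunk has the same problem with `$HUBZILLA_DOMAIN_NAME.bundle.crt`. Unless certificate generation elsewhere in the commit now produces `.crt` files for both sites, nginx will either fail to load these server blocks or, for Hubzilla, present a certificate without its intermediate chain. An optional second argument would preserve the old paths, for example `echo "    ssl_certificate ${2:-/etc/ssl/certs/${domain_name}.crt};" >> $filename` in the helper. The helper also drops the `ssl_session_cache  builtin:1000  shared:SSL:10m;` line that the wiki, blog, GNU Social and Hubzilla blocks used to emit, so it is worth confirming that is intended; both install functions continue outside their hunks.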
 | 
	
	
		
			
			|  | @@ -9136,7 +9108,7 @@ function install_hubzilla {
 | 
	
		
			
			| 9136 | 9108 |      add_ddns_domain
 | 
	
		
			
			| 9137 | 9109 |  
 | 
	
		
			
			| 9138 | 9110 |      if [[ $ONION_ONLY == "no" ]]; then
 | 
	
		
			
			| 9139 |  | -        website_http_redirect $HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			|  | 9111 | +        nginx_http_redirect $HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9140 | 9112 |          echo 'server {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9141 | 9113 |          echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9142 | 9114 |          echo "    root /var/www/$HUBZILLA_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
	
		
			
			|  | @@ -9151,16 +9123,7 @@ function install_hubzilla {
 | 
	
		
			
			| 9151 | 9123 |          echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9152 | 9124 |          echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9153 | 9125 |          echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9154 |  | -        echo '    ssl on;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9155 |  | -        echo "    ssl_certificate /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.bundle.crt;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9156 |  | -        echo "    ssl_certificate_key /etc/ssl/private/$HUBZILLA_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9157 |  | -        echo "    ssl_dhparam /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9158 |  | -        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9159 |  | -        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9160 |  | -        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9161 |  | -        echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9162 |  | -        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9163 |  | -        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			|  | 9126 | +        nginx_ssl $HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9164 | 9127 |          echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9165 | 9128 |          echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
		
			
			| 9166 | 9129 |          echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
 | 
	
	
		
			
			|  | @@ -9548,15 +9511,7 @@ function install_mediagoblin {
 | 
	
		
			
			| 9548 | 9511 |      echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9549 | 9512 |      echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9550 | 9513 |      echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9551 |  | -    echo '    ssl on;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9552 |  | -    echo "    ssl_certificate /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9553 |  | -    echo "    ssl_certificate_key /etc/ssl/private/$MEDIAGOBLIN_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9554 |  | -    echo "    ssl_dhparam /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9555 |  | -    echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9556 |  | -    echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9557 |  | -    echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9558 |  | -    echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9559 |  | -    echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			|  | 9514 | +    nginx_ssl $MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9560 | 9515 |      echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9561 | 9516 |      echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 | 
	
		
			
			| 9562 | 9517 |      echo '    add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 |