|
|
@@ -1471,6 +1471,14 @@ function nginx_ssl {
|
|
1471
|
1471
|
echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename
|
|
1472
|
1472
|
}
|
|
1473
|
1473
|
|
|
|
1474
|
+function nginx_disable_sniffing {
|
|
|
1475
|
+ domain_name=$1
|
|
|
1476
|
+ filename=/etc/nginx/sites-available/$domain_name
|
|
|
1477
|
+ echo ' add_header X-Frame-Options DENY;' >> $filename
|
|
|
1478
|
+ echo ' add_header X-Content-Type-Options nosniff;' >> $filename
|
|
|
1479
|
+ echo '' >> $filename
|
|
|
1480
|
+}
|
|
|
1481
|
+
|
|
1474
|
1482
|
function set_repo_commit {
|
|
1475
|
1483
|
repo_dir=$1
|
|
1476
|
1484
|
repo_commit_name=$2
|
|
|
@@ -6502,8 +6510,7 @@ function install_owncloud {
|
|
6502
|
6510
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6503
|
6511
|
echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6504
|
6512
|
nginx_ssl $OWNCLOUD_DOMAIN_NAME
|
|
6505
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6506
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
|
6513
|
+ nginx_disable_sniffing $OWNCLOUD_DOMAIN_NAME
|
|
6507
|
6514
|
echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6508
|
6515
|
echo ' # if you want to be able to access the site via HTTP' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6509
|
6516
|
echo ' # then replace the above with the following:' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
|
@@ -6578,8 +6585,7 @@ function install_owncloud {
|
|
6578
|
6585
|
echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6579
|
6586
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6580
|
6587
|
echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6581
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6582
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
|
6588
|
+ nginx_disable_sniffing $OWNCLOUD_DOMAIN_NAME
|
|
6583
|
6589
|
echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6584
|
6590
|
echo ' # if you want to be able to access the site via HTTP' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
6585
|
6591
|
echo ' # then replace the above with the following:' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
|
|
|
@@ -6899,8 +6905,7 @@ function install_gogs {
|
|
6899
|
6905
|
echo " server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6900
|
6906
|
echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6901
|
6907
|
echo " error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6902
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6903
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
|
6908
|
+ nginx_disable_sniffing $GIT_DOMAIN_NAME
|
|
6904
|
6909
|
echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6905
|
6910
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6906
|
6911
|
echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
|
@@ -6925,8 +6930,7 @@ function install_gogs {
|
|
6925
|
6930
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6926
|
6931
|
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6927
|
6932
|
nginx_ssl $GIT_DOMAIN_NAME
|
|
6928
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6929
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
|
6933
|
+ nginx_disable_sniffing $GIT_DOMAIN_NAME
|
|
6930
|
6934
|
echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6931
|
6935
|
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6932
|
6936
|
echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
|
@@ -6960,8 +6964,7 @@ function install_gogs {
|
|
6960
|
6964
|
echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6961
|
6965
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6962
|
6966
|
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6963
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6964
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
|
6967
|
+ nginx_disable_sniffing $GIT_DOMAIN_NAME
|
|
6965
|
6968
|
echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6966
|
6969
|
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6967
|
6970
|
echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
|
@@ -7661,8 +7664,7 @@ function install_wiki {
|
|
7661
|
7664
|
echo ' client_max_body_size 20m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7662
|
7665
|
echo ' client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7663
|
7666
|
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7664
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7665
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
|
7667
|
+ nginx_disable_sniffing $WIKI_DOMAIN_NAME
|
|
7666
|
7668
|
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7667
|
7669
|
echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7668
|
7670
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
|
@@ -7745,8 +7747,7 @@ function install_wiki {
|
|
7745
|
7747
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7746
|
7748
|
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7747
|
7749
|
nginx_ssl $WIKI_DOMAIN_NAME
|
|
7748
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7749
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
|
7750
|
+ nginx_disable_sniffing $WIKI_DOMAIN_NAME
|
|
7750
|
7751
|
echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7751
|
7752
|
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7752
|
7753
|
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
|
@@ -7829,8 +7830,7 @@ function install_wiki {
|
|
7829
|
7830
|
echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7830
|
7831
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7831
|
7832
|
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7832
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7833
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
|
7833
|
+ nginx_disable_sniffing $WIKI_DOMAIN_NAME
|
|
7834
|
7834
|
echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7835
|
7835
|
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
7836
|
7836
|
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
|
|
@@ -8000,8 +8000,7 @@ function install_blog {
|
|
8000
|
8000
|
echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8001
|
8001
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8002
|
8002
|
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8003
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8004
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
|
8003
|
+ nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME
|
|
8005
|
8004
|
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8006
|
8005
|
echo ' # Always redirect the login page to https' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8007
|
8006
|
echo ' location /login {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
|
@@ -8086,8 +8085,7 @@ function install_blog {
|
|
8086
|
8085
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8087
|
8086
|
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8088
|
8087
|
nginx_ssl $FULLBLOG_DOMAIN_NAME
|
|
8089
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8090
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
|
8088
|
+ nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME
|
|
8091
|
8089
|
echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8092
|
8090
|
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8093
|
8091
|
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
|
@@ -8170,8 +8168,7 @@ function install_blog {
|
|
8170
|
8168
|
echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8171
|
8169
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8172
|
8170
|
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8173
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8174
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
|
8171
|
+ nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME
|
|
8175
|
8172
|
echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8176
|
8173
|
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
8177
|
8174
|
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
|
|
@@ -8394,8 +8391,7 @@ function install_rss_reader {
|
|
8394
|
8391
|
echo ' deny all;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
|
|
8395
|
8392
|
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
|
|
8396
|
8393
|
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
|
|
8397
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
|
|
8398
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
|
|
|
8394
|
+ nginx_disable_sniffing $RSS_READER_DOMAIN_NAME
|
|
8399
|
8395
|
echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
|
|
8400
|
8396
|
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
|
|
8401
|
8397
|
echo ' set $mobile_rewrite do_not_perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
|
|
|
@@ -8660,8 +8656,7 @@ function install_gnu_social {
|
|
8660
|
8656
|
echo '' >> $microblog_nginx_site
|
|
8661
|
8657
|
echo ' # Security' >> $microblog_nginx_site
|
|
8662
|
8658
|
nginx_ssl $MICROBLOG_DOMAIN_NAME
|
|
8663
|
|
- echo ' add_header X-Frame-Options DENY;' >> $microblog_nginx_site
|
|
8664
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> $microblog_nginx_site
|
|
|
8659
|
+ nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME
|
|
8665
|
8660
|
echo ' add_header Strict-Transport-Security max-age=15768000;' >> $microblog_nginx_site
|
|
8666
|
8661
|
echo '' >> $microblog_nginx_site
|
|
8667
|
8662
|
echo ' # Logs' >> $microblog_nginx_site
|
|
|
@@ -8735,8 +8730,7 @@ function install_gnu_social {
|
|
8735
|
8730
|
echo ' deny all;' >> $microblog_nginx_site
|
|
8736
|
8731
|
echo ' }' >> $microblog_nginx_site
|
|
8737
|
8732
|
echo '' >> $microblog_nginx_site
|
|
8738
|
|
- echo ' add_header X-Frame-Options DENY;' >> $microblog_nginx_site
|
|
8739
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> $microblog_nginx_site
|
|
|
8733
|
+ nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME
|
|
8740
|
8734
|
echo ' client_max_body_size 15m;' >> $microblog_nginx_site
|
|
8741
|
8735
|
echo '}' >> $microblog_nginx_site
|
|
8742
|
8736
|
|
|
|
@@ -9124,8 +9118,7 @@ function install_hubzilla {
|
|
9124
|
9118
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9125
|
9119
|
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9126
|
9120
|
nginx_ssl $HUBZILLA_DOMAIN_NAME
|
|
9127
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9128
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
|
9121
|
+ nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME
|
|
9129
|
9122
|
echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9130
|
9123
|
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9131
|
9124
|
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
|
@@ -9201,8 +9194,7 @@ function install_hubzilla {
|
|
9201
|
9194
|
echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9202
|
9195
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9203
|
9196
|
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9204
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9205
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
|
9197
|
+ nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME
|
|
9206
|
9198
|
echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9207
|
9199
|
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
9208
|
9200
|
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
|
|
|
@@ -9512,8 +9504,7 @@ function install_mediagoblin {
|
|
9512
|
9504
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
|
|
9513
|
9505
|
echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
|
|
9514
|
9506
|
nginx_ssl $MEDIAGOBLIN_DOMAIN_NAME
|
|
9515
|
|
- echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
|
|
9516
|
|
- echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
|
|
|
9507
|
+ nginx_disable_sniffing $MEDIAGOBLIN_DOMAIN_NAME
|
|
9517
|
9508
|
echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
|
|
9518
|
9509
|
echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
|
|
9519
|
9510
|
echo ' location / {' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
|
Bob Mottram
9 年之前