free
/
freedombone
Suivre 1
Favoriser 0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
4895 Révisions
5 Branches
Aborescence: 6d4819ff47
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '6d4819ff47'
${ noResults }
freedombone/src/freedombone-utils-web

freedombone-utils-web 27KB
Historique Brut

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Web related functions

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. # default search engine for command line browser

  32. DEFAULT_SEARCH='https://searx.laquadrature.net'

  33. 

  34. # Whether Let's Encrypt is enabled for all sites

  35. LETSENCRYPT_ENABLED="no"

  36. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  37. 

  38. # list of encryption protocols

  39. SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

  40. 

  41. # list of ciphers to use.  See bettercrypto.org recommendations

  42. SSL_CIPHERS="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"

  43. 

  44. NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"

  45. NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'

  46. 

  47. # memory limit for php in MB

  48. MAX_PHP_MEMORY=64

  49. 

  50. # logging level for Nginx

  51. WEBSERVER_LOG_LEVEL='warn'

  52. 

  53. # test a domain name to see if it's valid

  54. function validate_domain_name {

  55.     # count the number of dots in the domain name

  56.     dots=${TEST_DOMAIN_NAME//[^.]}

  57.     no_of_dots=${#dots}

  58.     if (( $no_of_dots > 3 )); then

  59.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"

  60.     fi

  61.     if (( $no_of_dots == 0 )); then

  62.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"

  63.     fi

  64. }

  65. 

  66. function nginx_disable_sniffing {

  67.     domain_name=$1

  68.     filename=/etc/nginx/sites-available/$domain_name

  69.     echo '    add_header X-Frame-Options DENY;' >> $filename

  70.     echo '    add_header X-Content-Type-Options nosniff;' >> $filename

  71.     echo '' >> $filename

  72. }

  73. 

  74. function nginx_limits {

  75.     domain_name=$1

  76.     max_body='20m'

  77.     if [ $2 ]; then

  78.         max_body=$2

  79.     fi

  80.     filename=/etc/nginx/sites-available/$domain_name

  81.     echo "    client_max_body_size ${max_body};" >> $filename

  82.     echo '    client_body_buffer_size 128k;' >> $filename

  83.     echo '' >> $filename

  84.     echo '    limit_conn conn_limit_per_ip 10;' >> $filename

  85.     echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename

  86.     echo '' >> $filename

  87. }

  88. 

  89. function nginx_stapling {

  90.     domain_name=$1

  91.     filename=/etc/nginx/sites-available/$domain_name

  92.     echo "    ssl_stapling on;" >> $filename

  93.     echo '    ssl_stapling_verify on;' >> $filename

  94.     echo '    ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;' >> $filename

  95.     echo '' >> $filename

  96. }

  97. 

  98. function nginx_http_redirect {

  99.     # redirect port 80 to https

  100.     domain_name=$1

  101.     filename=/etc/nginx/sites-available/$domain_name

  102.     echo 'server {' > $filename

  103.     echo '    listen 80;' >> $filename

  104.     echo '    listen [::]:80;' >> $filename

  105.     echo "    server_name ${domain_name};" >> $filename

  106.     echo "    root /var/www/${domain_name}/htdocs;" >> $filename

  107.     echo '    access_log off;' >> $filename

  108.     echo "    error_log /var/log/nginx/${domain_name}_error.log $WEBSERVER_LOG_LEVEL;" >> $filename

  109.     function_check nginx_limits

  110.     nginx_limits $domain_name

  111.     echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> $filename

  112.     echo '}' >> $filename

  113.     echo '' >> $filename

  114. }

  115. 

  116. function nginx_ssl {

  117.     # creates the SSL/TLS section for a website

  118.     domain_name=$1

  119.     filename=/etc/nginx/sites-available/$domain_name

  120. 

  121.     echo '    ssl_stapling off;' >> $filename

  122.     echo '    ssl_stapling_verify off;' >> $filename

  123.     echo '    ssl on;' >> $filename

  124.     echo "    ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename

  125.     echo "    ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename

  126.     echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename

  127.     echo '' >> $filename

  128.     echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> $filename

  129.     echo '    ssl_session_timeout 60m;' >> $filename

  130.     echo '    ssl_prefer_server_ciphers on;' >> $filename

  131.     echo "    ssl_protocols $SSL_PROTOCOLS;" >> $filename

  132.     echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename

  133.     #nginx_stapling $1

  134. }

  135. 

  136. # check an individual domain name

  137. function test_domain_name {

  138.     if [ $1 ]; then

  139.         TEST_DOMAIN_NAME=$1

  140.         function_check validate_domain_name

  141.         validate_domain_name

  142.         if [[ $TEST_DOMAIN_NAME != $1 ]]; then

  143.             echo $TEST_DOMAIN_NAME

  144.             exit 8528

  145.         fi

  146.     fi

  147. }

  148. 

  149. # Checks whether certificates were generated for the given hostname

  150. function check_certificates {

  151.     if [ ! $1 ]; then

  152.         return

  153.     fi

  154.     USE_LETSENCRYPT='no'

  155.     if [ $2 ]; then

  156.         USE_LETSENCRYPT=$2

  157.     fi

  158.     if [[ $USE_LETSENCRYPT == 'no' ]]; then

  159.         if [ ! -f /etc/ssl/private/${1}.key ]; then

  160.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  161.             exit 63959

  162.         fi

  163.         if [ ! -f /etc/ssl/certs/${1}.crt ]; then

  164.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  165.             exit 7679

  166.         fi

  167. 

  168.         if grep -q "${1}.pem" /etc/nginx/sites-available/${1}; then

  169.             sed -i "s|${1}.pem|${1}.crt|g" /etc/nginx/sites-available/${1}

  170.         fi

  171.     else

  172.         if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then

  173.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  174.             exit 6282

  175.         fi

  176.         if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then

  177.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  178.             exit 5328

  179.         fi

  180.         if grep -q "${1}.crt" /etc/nginx/sites-available/${1}; then

  181.             sed -i "s|${1}.crt|${1}.pem|g" /etc/nginx/sites-available/${1}

  182.         fi

  183.     fi

  184.     if [ ! -f /etc/ssl/certs/${1}.dhparam ]; then

  185.         echo $"Diffie–Hellman parameters for ${CHECK_HOSTNAME} were not created"

  186.         exit 5989

  187.     fi

  188. }

  189. 

  190. function cert_exists {

  191.     cert_type='dhparam'

  192.     if [ $2 ]; then

  193.         cert_type="$2"

  194.     fi

  195.     if [ -f /etc/ssl/certs/${1}.${cert_type} ]; then

  196.         echo "1"

  197.     else

  198.         echo "0"

  199.     fi

  200. }

  201. 

  202. function create_self_signed_cert {

  203.     ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}

  204.     function_check check_certificates

  205.     check_certificates ${SITE_DOMAIN_NAME}

  206. }

  207. 

  208. function create_letsencrypt_cert {

  209.     ${PROJECT_NAME}-addcert -e ${SITE_DOMAIN_NAME} -s ${LETSENCRYPT_SERVER} --dhkey ${DH_KEYLENGTH} --email ${MY_EMAIL_ADDRESS}

  210.     if [ ! "$?" = "0" ]; then

  211.         if [[ ${NO_SELF_SIGNED} == 'no' ]]; then

  212.             echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"

  213.             ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}

  214.             function_check check_certificates

  215.             check_certificates ${SITE_DOMAIN_NAME}

  216.         else

  217.             echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"

  218.             exit 682529

  219.         fi

  220.         return

  221.     fi

  222. 

  223.     function_check check_certificates

  224.     check_certificates ${SITE_DOMAIN_NAME} 'yes'

  225. }

  226. 

  227. function create_site_certificate {

  228.     SITE_DOMAIN_NAME="$1"

  229. 

  230.     # if yes then only "valid" certs are allowed, not self-signed

  231.     NO_SELF_SIGNED='no'

  232.     if [ $2 ]; then

  233.         NO_SELF_SIGNED="$2"

  234.     fi

  235. 

  236.     if [[ $ONION_ONLY == "no" ]]; then

  237.         if [[ $(cert_exists $SITE_DOMAIN_NAME) == "0" ]]; then

  238.             if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then

  239.                 create_self_signed_cert

  240.             else

  241.                 create_letsencrypt_cert

  242.             fi

  243.         else

  244.             if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then

  245.                 if [[ $(cert_exists $SITE_DOMAIN_NAME pem) == "0" ]]; then

  246.                     create_letsencrypt_cert

  247.                 fi

  248.             fi

  249.         fi

  250.     fi

  251. }

  252. 

  253. # script to automatically renew any Let's Encrypt certificates

  254. function letsencrypt_renewals {

  255.     if [[ $ONION_ONLY != "no" ]]; then

  256.         return

  257.     fi

  258. 

  259.     renewals_script=/etc/cron.monthly/letsencrypt

  260.     renewals_retry_script=/etc/cron.daily/letsencrypt

  261.     renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'

  262.     renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'

  263. 

  264.     # the main script tries to renew once per month

  265.     echo '#!/bin/bash' > $renewals_script

  266.     echo '' >> $renewals_script

  267.     echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script

  268.     echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script

  269.     echo '' >> $renewals_script

  270.     echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script

  271.     echo '    if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script

  272.     echo '        rm ~/letsencrypt_failed' >> $renewals_script

  273.     echo '    fi' >> $renewals_script

  274.     echo -n '    ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script

  275.     echo -n "awk -F ':' '{print " >> $renewals_script

  276.     echo -n '$2' >> $renewals_script

  277.     echo "}')" >> $renewals_script

  278.     echo '    ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script

  279.     echo '    for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script

  280.     echo -n '        LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script

  281.     echo -n "awk -F '/' '{print " >> $renewals_script

  282.     echo -n '$5' >> $renewals_script

  283.     echo "}')" >> $renewals_script

  284.     echo '        if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script

  285.     echo '            ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script

  286.     echo '            if [ ! "$?" = "0" ]; then' >> $renewals_script

  287.     echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script

  288.     echo '                echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script

  289.     echo '                ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script

  290.     echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script

  291.     echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script

  292.     echo '                rm ~/temp_renewletsencrypt.txt' >> $renewals_script

  293.     echo '                if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script

  294.     echo '                    touch ~/letsencrypt_failed' >> $renewals_script

  295.     echo '                fi' >> $renewals_script

  296.     echo '            fi' >> $renewals_script

  297.     echo '        fi' >> $renewals_script

  298.     echo '    done' >> $renewals_script

  299.     echo 'fi' >> $renewals_script

  300.     chmod +x $renewals_script

  301. 

  302.     # a secondary script keeps trying to renew after a failure

  303.     echo '#!/bin/bash' > $renewals_retry_script

  304.     echo '' >> $renewals_retry_script

  305.     echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script

  306.     echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script

  307.     echo '' >> $renewals_retry_script

  308.     echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script

  309.     echo '    if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script

  310.     echo '        rm ~/letsencrypt_failed' >> $renewals_retry_script

  311.     echo -n '        ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script

  312.     echo -n "awk -F ':' '{print " >> $renewals_retry_script

  313.     echo -n '$2' >> $renewals_retry_script

  314.     echo "}')" >> $renewals_retry_script

  315.     echo '        ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script

  316.     echo '        for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script

  317.     echo -n '            LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script

  318.     echo -n "awk -F '/' '{print " >> $renewals_retry_script

  319.     echo -n '$5' >> $renewals_retry_script

  320.     echo "}')" >> $renewals_retry_script

  321.     echo '            if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script

  322.     echo '                ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script

  323.     echo '                if [ ! "$?" = "0" ]; then' >> $renewals_retry_script

  324.     echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script

  325.     echo '                    echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script

  326.     echo '                    ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script

  327.     echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script

  328.     echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script

  329.     echo '                    rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script

  330.     echo '                    if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script

  331.     echo '                        touch ~/letsencrypt_failed' >> $renewals_retry_script

  332.     echo '                    fi' >> $renewals_retry_script

  333.     echo '                fi' >> $renewals_retry_script

  334.     echo '            fi' >> $renewals_retry_script

  335.     echo '        done' >> $renewals_retry_script

  336.     echo '    fi' >> $renewals_retry_script

  337.     echo 'fi' >> $renewals_retry_script

  338.     chmod +x $renewals_retry_script

  339. }

  340. 

  341. function configure_php {

  342.     sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini

  343.     sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini

  344.     sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/cli/php.ini

  345.     sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php5/fpm/php.ini

  346.     sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php5/fpm/php.ini

  347. }

  348. 

  349. function install_web_server_access_control {

  350.     if [ ! -f /etc/pam.d/nginx ]; then

  351.         echo '#%PAM-1.0' > /etc/pam.d/nginx

  352.         echo '@include common-auth' >> /etc/pam.d/nginx

  353.         echo '@include common-account' >> /etc/pam.d/nginx

  354.         echo '@include common-session' >> /etc/pam.d/nginx

  355.     fi

  356. }

  357. 

  358. function install_dynamicdns {

  359.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  360.         return

  361.     fi

  362.     if [[ $ONION_ONLY != "no" ]]; then

  363.         return

  364.     fi

  365. 

  366.     # update to the next commit

  367.     function_check set_repo_commit

  368.     set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO

  369. 

  370.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  371.         return

  372.     fi

  373. 

  374.     # Here we compile from source because the current package

  375.     # doesn't support https, which could result in passwords

  376.     # being leaked

  377.     # Debian version 1.99.4-1

  378.     # https version 1.99.8

  379. 

  380.     apt-get -yq install build-essential curl libgnutls28-dev automake1.11

  381.     if [ ! -d $INSTALL_DIR/inadyn ]; then

  382.         git_clone $INADYN_REPO $INSTALL_DIR/inadyn

  383.     fi

  384.     if [ ! -d $INSTALL_DIR/inadyn ]; then

  385.         echo 'inadyn repo not cloned'

  386.         echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs

  387.         exit 6785

  388.     fi

  389.     cd $INSTALL_DIR/inadyn

  390.     git checkout $INADYN_COMMIT -b $INADYN_COMMIT

  391.     set_completion_param "inadyn commit" "$INADYN_COMMIT"

  392. 

  393.     ./configure

  394.     if [ ! "$?" = "0" ]; then

  395.         exit 74890

  396.     fi

  397.     USE_OPENSSL=1 make

  398.     if [ ! "$?" = "0" ]; then

  399.         exit 74858

  400.     fi

  401.     make install

  402.     if [ ! "$?" = "0" ]; then

  403.         exit 3785

  404.     fi

  405. 

  406.     # create an unprivileged user

  407.     #useradd -r -s /bin/false debian-inadyn

  408. 

  409.     # create a configuration file

  410.     echo 'background' > /etc/inadyn.conf

  411.     echo 'verbose        1' >> /etc/inadyn.conf

  412.     echo 'period         300' >> /etc/inadyn.conf

  413.     echo 'startup-delay  60' >> /etc/inadyn.conf

  414.     echo 'cache-dir      /run/inadyn' >> /etc/inadyn.conf

  415.     echo 'logfile        /dev/null' >> /etc/inadyn.conf

  416.     chmod 600 /etc/inadyn.conf

  417. 

  418.     echo '[Unit]' > /etc/systemd/system/inadyn.service

  419.     echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service

  420.     echo 'After=network.target' >> /etc/systemd/system/inadyn.service

  421.     echo '' >> /etc/systemd/system/inadyn.service

  422.     echo '[Service]' >> /etc/systemd/system/inadyn.service

  423.     echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service

  424.     echo 'Restart=always' >> /etc/systemd/system/inadyn.service

  425.     echo 'Type=forking' >> /etc/systemd/system/inadyn.service

  426.     echo '' >> /etc/systemd/system/inadyn.service

  427.     echo '[Install]' >> /etc/systemd/system/inadyn.service

  428.     echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service

  429.     systemctl enable inadyn

  430.     systemctl start inadyn

  431.     systemctl daemon-reload

  432. 

  433.     mark_completed $FUNCNAME

  434. }

  435. 

  436. function install_command_line_browser {

  437.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  438.         return

  439.     fi

  440.     apt-get -yq install elinks

  441. 

  442.     # set the home page

  443.     if ! grep -q "WWW_HOME" /home/$MY_USERNAME/.bashrc; then

  444.         if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then

  445.             echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$MY_USERNAME/.bashrc

  446.         else

  447.             sed -i "/control/i export WWW_HOME=$DEFAULT_SEARCH" /home/$MY_USERNAME/.bashrc

  448.         fi

  449.     fi

  450. 

  451.     mark_completed $FUNCNAME

  452. }

  453. 

  454. function mesh_web_server {

  455.     if [ -d /etc/apache2 ]; then

  456.         chroot "$rootdir" apt-get -yq remove --purge apache2

  457.         chroot "$rootdir" rm -rf /etc/apache2

  458.     fi

  459. 

  460.     chroot "$rootdir" apt-get -yq install nginx

  461. 

  462.     if [ ! -d $rootdir/etc/nginx ]; then

  463.         echo $'Unable to install web server'

  464.         exit 346825

  465.     fi

  466. }

  467. 

  468. function install_web_server {

  469.     if [ $INSTALLING_MESH ]; then

  470.         mesh_web_server

  471.         return

  472.     fi

  473. 

  474.     # update to the next commit

  475.     function_check set_repo_commit

  476.     set_repo_commit $INSTALL_DIR/nginx_ensite "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO

  477. 

  478.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  479.         return

  480.     fi

  481.     # remove apache

  482.     apt-get -yq remove --purge apache2

  483.     if [ -d /etc/apache2 ]; then

  484.         rm -rf /etc/apache2

  485.     fi

  486.     # install nginx

  487.     apt-get -yq install nginx php5-fpm git

  488. 

  489.     # limit the number of php processes

  490.     sed -i 's/; process.max =.*/process.max = 32/g' /etc/php5/fpm/php-fpm.conf

  491.     #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php5/fpm/php-fpm.conf

  492. 

  493.     if ! grep -q "pm.max_children" /etc/php5/fpm/php-fpm.conf; then

  494.         echo 'pm.max_children = 10' >> /etc/php5/fpm/php-fpm.conf

  495.         echo 'pm.start_servers = 2' >> /etc/php5/fpm/php-fpm.conf

  496.         echo 'pm.min_spare_servers = 2' >> /etc/php5/fpm/php-fpm.conf

  497.         echo 'pm.max_spare_servers = 5' >> /etc/php5/fpm/php-fpm.conf

  498.         echo 'pm.max_requests = 50' >> /etc/php5/fpm/php-fpm.conf

  499.     fi

  500. 

  501.     if [ ! -d /etc/nginx ]; then

  502.         echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"

  503.         exit 51

  504.     fi

  505. 

  506.     # Nginx settings

  507.     echo 'user www-data;' > /etc/nginx/nginx.conf

  508.     #echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf

  509.     echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf

  510.     echo '' >> /etc/nginx/nginx.conf

  511.     echo 'events {' >> /etc/nginx/nginx.conf

  512.     echo '        worker_connections 50;' >> /etc/nginx/nginx.conf

  513.     echo '        # multi_accept on;' >> /etc/nginx/nginx.conf

  514.     echo '}' >> /etc/nginx/nginx.conf

  515.     echo '' >> /etc/nginx/nginx.conf

  516.     echo 'http {' >> /etc/nginx/nginx.conf

  517.     echo '        # limit the number of connections per single IP' >> /etc/nginx/nginx.conf

  518.     echo '        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf

  519.     echo '' >> /etc/nginx/nginx.conf

  520.     echo '        # limit the number of requests for a given session' >> /etc/nginx/nginx.conf

  521.     echo '        limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf

  522.     echo '' >> /etc/nginx/nginx.conf

  523.     echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf

  524.     echo '        client_body_buffer_size  128k;' >> /etc/nginx/nginx.conf

  525.     echo '' >> /etc/nginx/nginx.conf

  526.     echo '        # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf

  527.     echo '        client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf

  528.     echo '' >> /etc/nginx/nginx.conf

  529.     echo '        # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf

  530.     echo '        large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf

  531.     echo '' >> /etc/nginx/nginx.conf

  532.     echo '        # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf

  533.     echo '        client_body_timeout   3m;' >> /etc/nginx/nginx.conf

  534.     echo '' >> /etc/nginx/nginx.conf

  535.     echo '        # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf

  536.     echo '        client_header_timeout 3m;' >> /etc/nginx/nginx.conf

  537.     echo '' >> /etc/nginx/nginx.conf

  538.     echo '        ##' >> /etc/nginx/nginx.conf

  539.     echo '        # Basic Settings' >> /etc/nginx/nginx.conf

  540.     echo '        ##' >> /etc/nginx/nginx.conf

  541.     echo '' >> /etc/nginx/nginx.conf

  542.     echo '        sendfile on;' >> /etc/nginx/nginx.conf

  543.     echo '        tcp_nopush on;' >> /etc/nginx/nginx.conf

  544.     echo '        tcp_nodelay on;' >> /etc/nginx/nginx.conf

  545.     echo '        keepalive_timeout 65;' >> /etc/nginx/nginx.conf

  546.     echo '        types_hash_max_size 2048;' >> /etc/nginx/nginx.conf

  547.     echo '        server_tokens off;' >> /etc/nginx/nginx.conf

  548.     echo '' >> /etc/nginx/nginx.conf

  549.     echo '        # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf

  550.     echo '        # server_name_in_redirect off;' >> /etc/nginx/nginx.conf

  551.     echo '' >> /etc/nginx/nginx.conf

  552.     echo '        include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf

  553.     echo '        default_type application/octet-stream;' >> /etc/nginx/nginx.conf

  554.     echo '' >> /etc/nginx/nginx.conf

  555.     echo '        ##' >> /etc/nginx/nginx.conf

  556.     echo '        # Logging Settings' >> /etc/nginx/nginx.conf

  557.     echo '        ##' >> /etc/nginx/nginx.conf

  558.     echo '' >> /etc/nginx/nginx.conf

  559.     echo '        access_log /var/log/nginx/access.log;' >> /etc/nginx/nginx.conf

  560.     echo '        error_log /var/log/nginx/error.log;' >> /etc/nginx/nginx.conf

  561.     echo '' >> /etc/nginx/nginx.conf

  562.     echo '        ###' >> /etc/nginx/nginx.conf

  563.     echo '        # Gzip Settings' >> /etc/nginx/nginx.conf

  564.     echo '        ##' >> /etc/nginx/nginx.conf

  565.     echo '        gzip on;' >> /etc/nginx/nginx.conf

  566.     echo '        gzip_disable "msie6";' >> /etc/nginx/nginx.conf

  567.     echo '' >> /etc/nginx/nginx.conf

  568.     echo '        # gzip_vary on;' >> /etc/nginx/nginx.conf

  569.     echo '        # gzip_proxied any;' >> /etc/nginx/nginx.conf

  570.     echo '        # gzip_comp_level 6;' >> /etc/nginx/nginx.conf

  571.     echo '        # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf

  572.     echo '        # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf

  573.     echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf

  574.     echo '' >> /etc/nginx/nginx.conf

  575.     echo '        ##' >> /etc/nginx/nginx.conf

  576.     echo '        # Virtual Host Configs' >> /etc/nginx/nginx.conf

  577.     echo '        ##' >> /etc/nginx/nginx.conf

  578.     echo '' >> /etc/nginx/nginx.conf

  579.     echo '        include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf

  580.     echo '        include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf

  581.     echo '}' >> /etc/nginx/nginx.conf

  582. 

  583.     # install a script to easily enable and disable nginx virtual hosts

  584.     if [ ! -d $INSTALL_DIR ]; then

  585.         mkdir $INSTALL_DIR

  586.     fi

  587.     cd $INSTALL_DIR

  588.     function_check git_clone

  589.     git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite

  590.     cd $INSTALL_DIR/nginx_ensite

  591.     git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT

  592. 

  593.     set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"

  594. 

  595.     make install

  596.     nginx_dissite default

  597. 

  598.     function_check configure_firewall_for_web_access

  599.     configure_firewall_for_web_access

  600. 

  601.     mark_completed $FUNCNAME

  602. }

  603. 

  604. function remove_certs {

  605.     domain_name=$1

  606. 

  607.     if [ ! $domain_name ]; then

  608.         return

  609.     fi

  610. 

  611.     if [ -f /etc/ssl/certs/${domain_name}.dhparam ]; then

  612.         rm /etc/ssl/certs/${domain_name}.dhparam

  613.     fi

  614. 

  615.     if [ -f /etc/ssl/certs/${domain_name}.pem ]; then

  616.         rm /etc/ssl/certs/${domain_name}.pem

  617.     fi

  618. 

  619.     if [ -f /etc/ssl/certs/${domain_name}.crt ]; then

  620.         rm /etc/ssl/certs/${domain_name}.crt

  621.     fi

  622. 

  623.     if [ -f /etc/ssl/private/${domain_name}.key ]; then

  624.         rm /etc/ssl/private/${domain_name}.key

  625.     fi

  626. }

  627. 

  628. function configure_firewall_for_web_access {

  629.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  630.         return

  631.     fi

  632.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  633.         # docker does its own firewalling

  634.         return

  635.     fi

  636.     if [[ $ONION_ONLY != "no" ]]; then

  637.         return

  638.     fi

  639.     firewall_add HTTP 80 tcp

  640.     firewall_add HTTPS 443 tcp

  641.     mark_completed $FUNCNAME

  642. }

  643. 

  644. function update_default_domain {

  645.     if [ -d /etc/prosody ]; then

  646.         if [ ! -d /etc/prosody/certs ]; then

  647.             mkdir /etc/prosody/certs

  648.         fi

  649. 

  650.         if [[ $(cert_exists chat.${DEFAULT_DOMAIN_NAME} pem) == "1" ]]; then

  651.             sed -i 's|--Component "conference.|Component "chat.|g' /etc/prosody/prosody.cfg.lua

  652.         fi

  653.         if [[ $(cert_exists xmpp.${DEFAULT_DOMAIN_NAME} pem) == "1" ]]; then

  654.             sed -i 's|--Component "conference.|Component "xmpp.|g' /etc/prosody/prosody.cfg.lua

  655.         fi

  656.         if [[ $(cert_exists conference.${DEFAULT_DOMAIN_NAME} pem) == "1" ]]; then

  657.             sed -i 's|--Component "conference.|Component "conference.|g' /etc/prosody/prosody.cfg.lua

  658.         fi

  659. 

  660.         cp /etc/ssl/private/xmpp* /etc/prosody/certs

  661.         cp /etc/ssl/private/${DEFAULT_DOMAIN_NAME}* /etc/prosody/certs

  662.         cp /etc/ssl/certs/xmpp* /etc/prosody/certs

  663.         cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}* /etc/prosody/certs

  664.         if [ ! /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then

  665.             if [ ! /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.crt ]; then

  666.                 mv /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.crt /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem

  667.             fi

  668.         else

  669.             sed -i "s|/etc/prosody/certs/xmpp.key|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  670.             sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  671. 

  672.             sed -i "s|/etc/prosody/certs/xmpp.key|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua

  673.             sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua

  674.         fi

  675.         chown -R prosody:prosody /etc/prosody

  676.         systemctl restart prosody

  677.     fi

  678. }

  679. 

  680. # NOTE: deliberately no exit 0