free
/
freedombone
Suivre 1
Favoriser 0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
6948 Révisions
5 Branches
Aborescence: 86d1c1a7d3
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '86d1c1a7d3'
${ noResults }
freedombone/src/freedombone-utils-web

freedombone-utils-web 38KB
Historique Brut

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Web related functions

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. # default search engine for command line browser

  32. DEFAULT_SEARCH='https://searx.laquadrature.net'

  33. 

  34. # onion port for the default domain

  35. DEFAULT_DOMAIN_ONION_PORT=8099

  36. 

  37. # Whether Let's Encrypt is enabled for all sites

  38. LETSENCRYPT_ENABLED="yes"

  39. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  40. 

  41. # list of encryption protocols

  42. SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

  43. 

  44. # Mozilla recommended default ciphers. These work better on Android

  45. # See https://wiki.mozilla.org/Security/Server_Side_TLS

  46. SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

  47. 

  48. # some mobile apps (eg. NextCloud) have not very good cipher compatibility.

  49. # These ciphers can be used for those cases

  50. SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"

  51. 

  52. NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"

  53. NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'

  54. 

  55. # memory limit for php in MB

  56. MAX_PHP_MEMORY=64

  57. 

  58. # logging level for Nginx

  59. WEBSERVER_LOG_LEVEL='warn'

  60. 

  61. # test a domain name to see if it's valid

  62. function validate_domain_name {

  63.     # count the number of dots in the domain name

  64.     dots=${TEST_DOMAIN_NAME//[^.]}

  65.     no_of_dots=${#dots}

  66.     if (( $no_of_dots > 3 )); then

  67.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"

  68.     fi

  69.     if (( $no_of_dots == 0 )); then

  70.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"

  71.     fi

  72. }

  73. 

  74. function nginx_disable_sniffing {

  75.     domain_name=$1

  76.     filename=/etc/nginx/sites-available/$domain_name

  77.     echo '    add_header X-Frame-Options DENY;' >> $filename

  78.     echo '    add_header X-Content-Type-Options nosniff;' >> $filename

  79.     echo '' >> $filename

  80. }

  81. 

  82. function nginx_limits {

  83.     domain_name=$1

  84.     max_body='20m'

  85.     if [ $2 ]; then

  86.         max_body=$2

  87.     fi

  88.     filename=/etc/nginx/sites-available/$domain_name

  89.     echo "    client_max_body_size ${max_body};" >> $filename

  90.     echo '    client_body_buffer_size 128k;' >> $filename

  91.     echo '' >> $filename

  92.     echo '    limit_conn conn_limit_per_ip 10;' >> $filename

  93.     echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename

  94.     echo '' >> $filename

  95. }

  96. 

  97. function nginx_stapling {

  98.     domain_name=$1

  99.     filename=/etc/nginx/sites-available/$domain_name

  100.     echo "    ssl_stapling on;" >> $filename

  101.     echo '    ssl_stapling_verify on;' >> $filename

  102.     echo '    ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;' >> $filename

  103.     echo '' >> $filename

  104. }

  105. 

  106. function nginx_http_redirect {

  107.     # redirect port 80 to https

  108.     domain_name=$1

  109.     filename=/etc/nginx/sites-available/$domain_name

  110.     echo 'server {' > $filename

  111.     echo '    listen 80;' >> $filename

  112.     echo '    listen [::]:80;' >> $filename

  113.     echo "    server_name ${domain_name};" >> $filename

  114.     echo "    root /var/www/${domain_name}/htdocs;" >> $filename

  115.     echo '    access_log /dev/null;' >> $filename

  116.     echo "    error_log /dev/null;" >> $filename

  117.     function_check nginx_limits

  118.     nginx_limits $domain_name

  119.     if [ ${#2} -gt 0 ]; then

  120.         echo "    $2;" >> $filename

  121.     fi

  122.     echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> $filename

  123.     echo '}' >> $filename

  124.     echo '' >> $filename

  125. }

  126. 

  127. function nginx_compress {

  128.     domain_name=$1

  129.     filename=/etc/nginx/sites-available/$domain_name

  130. 

  131.     echo '    gzip            on;' >> $filename

  132.     echo '    gzip_min_length 1000;' >> $filename

  133.     echo '    gzip_proxied    expired no-cache no-store private auth;' >> $filename

  134.     echo '    gzip_types      text/plain application/xml;' >> $filename

  135. }

  136. 

  137. function nginx_ssl {

  138.     # creates the SSL/TLS section for a website

  139.     domain_name=$1

  140.     mobile_ciphers=$2

  141.     filename=/etc/nginx/sites-available/$domain_name

  142. 

  143.     echo '    ssl_stapling off;' >> $filename

  144.     echo '    ssl_stapling_verify off;' >> $filename

  145.     echo '    ssl on;' >> $filename

  146.     echo "    ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;" >> $filename

  147.     echo "    ssl_certificate_key /etc/letsencrypt/live/${domain_name}/privkey.pem;" >> $filename

  148.     echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename

  149.     echo '' >> $filename

  150.     echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> $filename

  151.     echo '    ssl_session_timeout 60m;' >> $filename

  152.     echo '    ssl_prefer_server_ciphers on;' >> $filename

  153.     echo "    ssl_protocols $SSL_PROTOCOLS;" >> $filename

  154.     if [ $mobile_ciphers ]; then

  155.         echo "    # Mobile compatible ciphers" >> $filename

  156.         echo "    ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> $filename

  157.     else

  158.         echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename

  159.     fi

  160.     echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> $filename

  161.     echo '    add_header X-XSS-Protection "1; mode=block";' >> $filename

  162.     echo '    add_header X-Robots-Tag none;' >> $filename

  163.     echo '    add_header X-Download-Options noopen;' >> $filename

  164.     echo '    add_header X-Permitted-Cross-Domain-Policies none;' >> $filename

  165. 

  166.     #nginx_stapling $1

  167. }

  168. 

  169. function nginx_keybase {

  170.     # creates files suitable for keybase.io verification

  171.     domain_name=$1

  172.     filename=/etc/nginx/sites-available/$domain_name

  173. 

  174.     echo '' >> $filename

  175.     echo "  # make sure webfinger and other well known services aren't blocked" >> $filename

  176.     echo '  # by denying dot files and rewrite request to the front controller' >> $filename

  177.     echo '  location ^~ /.well-known/ {' >> $filename

  178.     echo '      allow all;' >> $filename

  179.     echo '  }' >> $filename

  180. 

  181.     if [ ! -d /var/www/${domain_name}/htdocs/.well-known ]; then

  182.         mkdir -p /var/www/${domain_name}/htdocs/.well-known

  183.     fi

  184.     if [ ! -f /var/www/${domain_name}/htdocs/keybase.txt ]; then

  185.         touch /var/www/${domain_name}/htdocs/keybase.txt

  186.     fi

  187.     if [ ! -f /var/www/${domain_name}/htdocs/.well-known/keybase.txt ]; then

  188.         touch /var/www/${domain_name}/htdocs/.well-known/keybase.txt

  189.     fi

  190. }

  191. 

  192. # check an individual domain name

  193. function test_domain_name {

  194.     if [ $1 ]; then

  195.         TEST_DOMAIN_NAME=$1

  196.         if [[ $TEST_DOMAIN_NAME != 'ttrss' ]]; then

  197.             function_check validate_domain_name

  198.             validate_domain_name

  199.             if [[ $TEST_DOMAIN_NAME != $1 ]]; then

  200.                 echo $"Invalid domain name $TEST_DOMAIN_NAME"

  201.                 exit 8528

  202.             fi

  203.         fi

  204.     fi

  205. }

  206. 

  207. # Checks whether certificates were generated for the given hostname

  208. function check_certificates {

  209.     if [ ! $1 ]; then

  210.         return

  211.     fi

  212.     USE_LETSENCRYPT='no'

  213.     if [ $2 ]; then

  214.         USE_LETSENCRYPT=$2

  215.     fi

  216.     if [[ $USE_LETSENCRYPT == 'no' ]]; then

  217.         if [ ! -f /etc/ssl/private/${1}.key ]; then

  218.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  219.             exit 63959

  220.         fi

  221.         if [ ! -f /etc/ssl/certs/${1}.crt ]; then

  222.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  223.             exit 7679

  224.         fi

  225. 

  226.         if grep -q "${1}.pem" /etc/nginx/sites-available/${1}; then

  227.             sed -i "s|${1}.pem|${1}.crt|g" /etc/nginx/sites-available/${1}

  228.         fi

  229.     else

  230.         if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then

  231.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  232.             exit 6282

  233.         fi

  234.         if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then

  235.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  236.             exit 5328

  237.         fi

  238.         if grep -q "${1}.crt" /etc/nginx/sites-available/${1}; then

  239.             sed -i "s|${1}.crt|${1}.pem|g" /etc/nginx/sites-available/${1}

  240.         fi

  241.     fi

  242.     if [ ! -f /etc/ssl/certs/${1}.dhparam ]; then

  243.         echo $"Diffie–Hellman parameters for ${CHECK_HOSTNAME} were not created"

  244.         exit 5989

  245.     fi

  246. }

  247. 

  248. function cert_exists {

  249.     cert_type='dhparam'

  250.     if [ $2 ]; then

  251.         cert_type="$2"

  252.     fi

  253.     if [ -f /etc/ssl/certs/${1}.${cert_type} ]; then

  254.         echo "1"

  255.     else

  256.         if [ -f /etc/letsencrypt/live/${1}/fullchain.${cert_type} ]; then

  257.             echo "1"

  258.         else

  259.             echo "0"

  260.         fi

  261.     fi

  262. }

  263. 

  264. function create_self_signed_cert {

  265.     ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}

  266.     function_check check_certificates

  267.     check_certificates ${SITE_DOMAIN_NAME}

  268. }

  269. 

  270. function create_letsencrypt_cert {

  271.     ${PROJECT_NAME}-addcert -e ${SITE_DOMAIN_NAME} -s ${LETSENCRYPT_SERVER} --dhkey ${DH_KEYLENGTH} --email ${MY_EMAIL_ADDRESS}

  272.     if [ ! "$?" = "0" ]; then

  273.         if [[ ${NO_SELF_SIGNED} == 'no' ]]; then

  274.             echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"

  275.             ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}

  276.             function_check check_certificates

  277.             check_certificates ${SITE_DOMAIN_NAME}

  278.         else

  279.             echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"

  280.             exit 682529

  281.         fi

  282.         return

  283.     fi

  284. 

  285.     function_check check_certificates

  286.     check_certificates ${SITE_DOMAIN_NAME} 'yes'

  287. }

  288. 

  289. function create_site_certificate {

  290.     SITE_DOMAIN_NAME="$1"

  291. 

  292.     # if yes then only "valid" certs are allowed, not self-signed

  293.     NO_SELF_SIGNED='no'

  294.     if [ $2 ]; then

  295.         NO_SELF_SIGNED="$2"

  296.     fi

  297. 

  298.     if [[ $ONION_ONLY == "no" ]]; then

  299.         if [[ "$(cert_exists ${SITE_DOMAIN_NAME})" == "0" ]]; then

  300.             if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then

  301.                 create_self_signed_cert

  302.             else

  303.                 create_letsencrypt_cert

  304.             fi

  305.         else

  306.             if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then

  307.                 if [[ "$(cert_exists ${SITE_DOMAIN_NAME} pem)" == "0" ]]; then

  308.                     create_letsencrypt_cert

  309.                 fi

  310.             fi

  311.         fi

  312.     fi

  313. }

  314. 

  315. # script to automatically renew any Let's Encrypt certificates

  316. function letsencrypt_renewals {

  317.     if [[ $ONION_ONLY != "no" ]]; then

  318.         return

  319.     fi

  320. 

  321.     renewals_script=/etc/cron.monthly/letsencrypt

  322.     renewals_retry_script=/etc/cron.daily/letsencrypt

  323.     renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'

  324.     renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'

  325. 

  326.     # the main script tries to renew once per month

  327.     echo '#!/bin/bash' > $renewals_script

  328.     echo '' >> $renewals_script

  329.     echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script

  330.     echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script

  331.     echo '' >> $renewals_script

  332.     echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script

  333.     echo '    if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script

  334.     echo '        rm ~/letsencrypt_failed' >> $renewals_script

  335.     echo '    fi' >> $renewals_script

  336.     echo -n '    ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script

  337.     echo -n "awk -F ':' '{print " >> $renewals_script

  338.     echo -n '$2' >> $renewals_script

  339.     echo "}')" >> $renewals_script

  340.     echo '    ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script

  341.     echo '    for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script

  342.     echo -n '        LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script

  343.     echo -n "awk -F '/' '{print " >> $renewals_script

  344.     echo -n '$5' >> $renewals_script

  345.     echo "}')" >> $renewals_script

  346.     echo '        if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script

  347.     echo '            ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script

  348.     echo '            if [ ! "$?" = "0" ]; then' >> $renewals_script

  349.     echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script

  350.     echo '                echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script

  351.     echo '                ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script

  352.     echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script

  353.     echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script

  354.     echo '                rm ~/temp_renewletsencrypt.txt' >> $renewals_script

  355.     echo '                if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script

  356.     echo '                    touch ~/letsencrypt_failed' >> $renewals_script

  357.     echo '                fi' >> $renewals_script

  358.     echo '            fi' >> $renewals_script

  359.     echo '        fi' >> $renewals_script

  360.     echo '    done' >> $renewals_script

  361.     echo 'fi' >> $renewals_script

  362.     chmod +x $renewals_script

  363. 

  364.     # a secondary script keeps trying to renew after a failure

  365.     echo '#!/bin/bash' > $renewals_retry_script

  366.     echo '' >> $renewals_retry_script

  367.     echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script

  368.     echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script

  369.     echo '' >> $renewals_retry_script

  370.     echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script

  371.     echo '    if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script

  372.     echo '        rm ~/letsencrypt_failed' >> $renewals_retry_script

  373.     echo -n '        ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script

  374.     echo -n "awk -F ':' '{print " >> $renewals_retry_script

  375.     echo -n '$2' >> $renewals_retry_script

  376.     echo "}')" >> $renewals_retry_script

  377.     echo '        ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script

  378.     echo '        for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script

  379.     echo -n '            LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script

  380.     echo -n "awk -F '/' '{print " >> $renewals_retry_script

  381.     echo -n '$5' >> $renewals_retry_script

  382.     echo "}')" >> $renewals_retry_script

  383.     echo '            if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script

  384.     echo '                ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script

  385.     echo '                if [ ! "$?" = "0" ]; then' >> $renewals_retry_script

  386.     echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script

  387.     echo '                    echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script

  388.     echo '                    ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script

  389.     echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script

  390.     echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script

  391.     echo '                    rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script

  392.     echo '                    if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script

  393.     echo '                        touch ~/letsencrypt_failed' >> $renewals_retry_script

  394.     echo '                    fi' >> $renewals_retry_script

  395.     echo '                fi' >> $renewals_retry_script

  396.     echo '            fi' >> $renewals_retry_script

  397.     echo '        done' >> $renewals_retry_script

  398.     echo '    fi' >> $renewals_retry_script

  399.     echo 'fi' >> $renewals_retry_script

  400.     chmod +x $renewals_retry_script

  401. }

  402. 

  403. function configure_php {

  404.     sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/fpm/php.ini

  405.     sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.0/fpm/php.ini

  406.     sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/cli/php.ini

  407.     sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php/7.0/fpm/php.ini

  408.     sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php/7.0/fpm/php.ini

  409. }

  410. 

  411. function install_web_server_access_control {

  412.     if [ ! -f /etc/pam.d/nginx ]; then

  413.         echo '#%PAM-1.0' > /etc/pam.d/nginx

  414.         echo '@include common-auth' >> /etc/pam.d/nginx

  415.         echo '@include common-account' >> /etc/pam.d/nginx

  416.         echo '@include common-session' >> /etc/pam.d/nginx

  417.     fi

  418. }

  419. 

  420. function install_dynamicdns {

  421.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  422.         return

  423.     fi

  424.     if [[ $ONION_ONLY != "no" ]]; then

  425.         return

  426.     fi

  427. 

  428.     # update to the next commit

  429.     function_check set_repo_commit

  430.     set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO

  431. 

  432.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  433.         return

  434.     fi

  435. 

  436.     # Here we compile from source because the current package

  437.     # doesn't support https, which could result in passwords

  438.     # being leaked

  439.     # Debian version 1.99.4-1

  440.     # https version 1.99.8

  441. 

  442.     apt-get -yq install build-essential curl libgnutls28-dev automake1.11

  443.     if [ ! -d $INSTALL_DIR/inadyn ]; then

  444.         if [ -d /repos/inadyn ]; then

  445.             mkdir $INSTALL_DIR/inadyn

  446.             cp -r -p /repos/inadyn/. $INSTALL_DIR/inadyn

  447.             cd $INSTALL_DIR/inadyn

  448.             git pull

  449.         else

  450.             git_clone $INADYN_REPO $INSTALL_DIR/inadyn

  451.         fi

  452.     fi

  453.     if [ ! -d $INSTALL_DIR/inadyn ]; then

  454.         echo 'inadyn repo not cloned'

  455.         echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs

  456.         exit 6785

  457.     fi

  458.     cd $INSTALL_DIR/inadyn

  459.     git checkout $INADYN_COMMIT -b $INADYN_COMMIT

  460.     set_completion_param "inadyn commit" "$INADYN_COMMIT"

  461. 

  462.     #./autogen.sh

  463.     ./configure

  464.     if [ ! "$?" = "0" ]; then

  465.         exit 74890

  466.     fi

  467.     USE_OPENSSL=1 make

  468.     if [ ! "$?" = "0" ]; then

  469.         exit 74858

  470.     fi

  471.     make install

  472.     if [ ! "$?" = "0" ]; then

  473.         exit 3785

  474.     fi

  475. 

  476.     # create an unprivileged user

  477.     #chmod 600 /etc/shadow

  478.     #chmod 600 /etc/gshadow

  479.     #useradd -r -s /bin/false debian-inadyn

  480.     #chmod 0000 /etc/shadow

  481.     #chmod 0000 /etc/gshadow

  482. 

  483.     # create a configuration file

  484.     echo 'background' > /etc/inadyn.conf

  485.     echo 'verbose        1' >> /etc/inadyn.conf

  486.     echo 'period         300' >> /etc/inadyn.conf

  487.     echo 'startup-delay  60' >> /etc/inadyn.conf

  488.     echo 'cache-dir      /run/inadyn' >> /etc/inadyn.conf

  489.     echo 'logfile        /dev/null' >> /etc/inadyn.conf

  490.     chmod 600 /etc/inadyn.conf

  491. 

  492.     echo '[Unit]' > /etc/systemd/system/inadyn.service

  493.     echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service

  494.     echo 'After=network.target' >> /etc/systemd/system/inadyn.service

  495.     echo '' >> /etc/systemd/system/inadyn.service

  496.     echo '[Service]' >> /etc/systemd/system/inadyn.service

  497.     echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service

  498.     echo 'Restart=always' >> /etc/systemd/system/inadyn.service

  499.     echo 'Type=forking' >> /etc/systemd/system/inadyn.service

  500.     echo '' >> /etc/systemd/system/inadyn.service

  501.     echo '[Install]' >> /etc/systemd/system/inadyn.service

  502.     echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service

  503.     systemctl enable inadyn

  504.     systemctl start inadyn

  505.     systemctl daemon-reload

  506. 

  507.     mark_completed $FUNCNAME

  508. }

  509. 

  510. function install_command_line_browser {

  511.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  512.         return

  513.     fi

  514.     apt-get -yq install elinks

  515. 

  516.     # set the home page

  517.     if ! grep -q "WWW_HOME" /home/$MY_USERNAME/.bashrc; then

  518.         if ! grep -q 'controluser' /home/$MY_USERNAME/.bashrc; then

  519.             echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$MY_USERNAME/.bashrc

  520.         else

  521.             sed -i "/controluser/i export WWW_HOME=$DEFAULT_SEARCH" /home/$MY_USERNAME/.bashrc

  522.         fi

  523.     fi

  524. 

  525.     mark_completed $FUNCNAME

  526. }

  527. 

  528. function mesh_web_server {

  529.     if [ -d /etc/apache2 ]; then

  530.         chroot "$rootdir" apt-get -yq remove --purge apache2

  531.         chroot "$rootdir" rm -rf /etc/apache2

  532.     fi

  533. 

  534.     chroot "$rootdir" apt-get -yq install nginx

  535. 

  536.     if [ ! -d $rootdir/etc/nginx ]; then

  537.         echo $'Unable to install web server'

  538.         exit 346825

  539.     fi

  540. }

  541. 

  542. function install_web_server {

  543.     if [ $INSTALLING_MESH ]; then

  544.         mesh_web_server

  545.         return

  546.     fi

  547. 

  548.     # update to the next commit

  549.     function_check set_repo_commit

  550.     set_repo_commit $INSTALL_DIR/nginx_ensite "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO

  551. 

  552.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  553.         return

  554.     fi

  555.     # remove apache

  556.     apt-get -yq remove --purge apache2

  557.     if [ -d /etc/apache2 ]; then

  558.         rm -rf /etc/apache2

  559.     fi

  560.     # install nginx

  561.     apt-get -yq install nginx

  562.     apt-get -yq install php-fpm git

  563. 

  564.     # Turn off logs by default

  565.     sed -i 's|access_log.*|access_log = /dev/null;|g' /etc/nginx/nginx.conf

  566.     sed -i 's|error_log.*|error_log = /dev/null;|g' /etc/nginx/nginx.conf

  567. 

  568.     # limit the number of php processes

  569.     sed -i 's/; process.max =.*/process.max = 32/g' /etc/php/7.0/fpm/php-fpm.conf

  570.     #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php/7.0/fpm/php-fpm.conf

  571. 

  572.     if ! grep -q "pm.max_children" /etc/php/7.0/fpm/php-fpm.conf; then

  573.         echo 'pm.max_children = 10' >> /etc/php/7.0/fpm/php-fpm.conf

  574.         echo 'pm.start_servers = 2' >> /etc/php/7.0/fpm/php-fpm.conf

  575.         echo 'pm.min_spare_servers = 2' >> /etc/php/7.0/fpm/php-fpm.conf

  576.         echo 'pm.max_spare_servers = 5' >> /etc/php/7.0/fpm/php-fpm.conf

  577.         echo 'pm.max_requests = 50' >> /etc/php/7.0/fpm/php-fpm.conf

  578.     fi

  579. 

  580.     if [ ! -d /etc/nginx ]; then

  581.         echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"

  582.         exit 51

  583.     fi

  584. 

  585.     # Nginx settings

  586.     echo 'user www-data;' > /etc/nginx/nginx.conf

  587.     #echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf

  588.     echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf

  589.     echo '' >> /etc/nginx/nginx.conf

  590.     echo 'events {' >> /etc/nginx/nginx.conf

  591.     echo '        worker_connections 50;' >> /etc/nginx/nginx.conf

  592.     echo '        # multi_accept on;' >> /etc/nginx/nginx.conf

  593.     echo '}' >> /etc/nginx/nginx.conf

  594.     echo '' >> /etc/nginx/nginx.conf

  595.     echo 'http {' >> /etc/nginx/nginx.conf

  596.     echo '        # limit the number of connections per single IP' >> /etc/nginx/nginx.conf

  597.     echo '        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf

  598.     echo '' >> /etc/nginx/nginx.conf

  599.     echo '        # limit the number of requests for a given session' >> /etc/nginx/nginx.conf

  600.     echo '        limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf

  601.     echo '' >> /etc/nginx/nginx.conf

  602.     echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf

  603.     echo '        client_body_buffer_size  128k;' >> /etc/nginx/nginx.conf

  604.     echo '' >> /etc/nginx/nginx.conf

  605.     echo '        # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf

  606.     echo '        client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf

  607.     echo '' >> /etc/nginx/nginx.conf

  608.     echo '        # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf

  609.     echo '        large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf

  610.     echo '' >> /etc/nginx/nginx.conf

  611.     echo '        # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf

  612.     echo '        client_body_timeout   3m;' >> /etc/nginx/nginx.conf

  613.     echo '' >> /etc/nginx/nginx.conf

  614.     echo '        # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf

  615.     echo '        client_header_timeout 3m;' >> /etc/nginx/nginx.conf

  616.     echo '' >> /etc/nginx/nginx.conf

  617.     echo '        ##' >> /etc/nginx/nginx.conf

  618.     echo '        # Basic Settings' >> /etc/nginx/nginx.conf

  619.     echo '        ##' >> /etc/nginx/nginx.conf

  620.     echo '' >> /etc/nginx/nginx.conf

  621.     echo '        sendfile on;' >> /etc/nginx/nginx.conf

  622.     echo '        tcp_nopush on;' >> /etc/nginx/nginx.conf

  623.     echo '        tcp_nodelay on;' >> /etc/nginx/nginx.conf

  624.     echo '        keepalive_timeout 65;' >> /etc/nginx/nginx.conf

  625.     echo '        types_hash_max_size 2048;' >> /etc/nginx/nginx.conf

  626.     echo '        server_tokens off;' >> /etc/nginx/nginx.conf

  627.     echo '' >> /etc/nginx/nginx.conf

  628.     echo '        # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf

  629.     echo '        # server_name_in_redirect off;' >> /etc/nginx/nginx.conf

  630.     echo '' >> /etc/nginx/nginx.conf

  631.     echo '        include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf

  632.     echo '        default_type application/octet-stream;' >> /etc/nginx/nginx.conf

  633.     echo '' >> /etc/nginx/nginx.conf

  634.     echo '        ##' >> /etc/nginx/nginx.conf

  635.     echo '        # Logging Settings' >> /etc/nginx/nginx.conf

  636.     echo '        ##' >> /etc/nginx/nginx.conf

  637.     echo '' >> /etc/nginx/nginx.conf

  638.     echo '        access_log /dev/null;' >> /etc/nginx/nginx.conf

  639.     echo '        error_log /dev/null;' >> /etc/nginx/nginx.conf

  640.     echo '' >> /etc/nginx/nginx.conf

  641.     echo '        ###' >> /etc/nginx/nginx.conf

  642.     echo '        # Gzip Settings' >> /etc/nginx/nginx.conf

  643.     echo '        ##' >> /etc/nginx/nginx.conf

  644.     echo '        gzip on;' >> /etc/nginx/nginx.conf

  645.     echo '        gzip_disable "msie6";' >> /etc/nginx/nginx.conf

  646.     echo '' >> /etc/nginx/nginx.conf

  647.     echo '        # gzip_vary on;' >> /etc/nginx/nginx.conf

  648.     echo '        # gzip_proxied any;' >> /etc/nginx/nginx.conf

  649.     echo '        # gzip_comp_level 6;' >> /etc/nginx/nginx.conf

  650.     echo '        # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf

  651.     echo '        # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf

  652.     echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf

  653.     echo '' >> /etc/nginx/nginx.conf

  654.     echo '        ##' >> /etc/nginx/nginx.conf

  655.     echo '        # Virtual Host Configs' >> /etc/nginx/nginx.conf

  656.     echo '        ##' >> /etc/nginx/nginx.conf

  657.     echo '' >> /etc/nginx/nginx.conf

  658.     echo '        include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf

  659.     echo '        include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf

  660.     echo '}' >> /etc/nginx/nginx.conf

  661. 

  662.     # install a script to easily enable and disable nginx virtual hosts

  663.     if [ ! -d $INSTALL_DIR ]; then

  664.         mkdir $INSTALL_DIR

  665.     fi

  666.     cd $INSTALL_DIR

  667.     function_check git_clone

  668.     git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite

  669.     cd $INSTALL_DIR/nginx_ensite

  670.     git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT

  671. 

  672.     set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"

  673. 

  674.     make install

  675.     nginx_dissite default

  676. 

  677.     function_check configure_firewall_for_web_access

  678.     configure_firewall_for_web_access

  679. 

  680.     mark_completed $FUNCNAME

  681. }

  682. 

  683. function remove_certs {

  684.     domain_name=$1

  685. 

  686.     if [ ! $domain_name ]; then

  687.         return

  688.     fi

  689. 

  690.     if [ -f /etc/ssl/certs/${domain_name}.dhparam ]; then

  691.         rm /etc/ssl/certs/${domain_name}.dhparam

  692.     fi

  693. 

  694.     if [ -f /etc/ssl/certs/${domain_name}.pem ]; then

  695.         rm /etc/ssl/certs/${domain_name}.pem

  696.     fi

  697. 

  698.     if [ -f /etc/ssl/certs/${domain_name}.crt ]; then

  699.         rm /etc/ssl/certs/${domain_name}.crt

  700.     fi

  701. 

  702.     if [ -f /etc/ssl/private/${domain_name}.key ]; then

  703.         rm /etc/ssl/private/${domain_name}.key

  704.     fi

  705. }

  706. 

  707. function configure_firewall_for_web_access {

  708.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  709.         return

  710.     fi

  711.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  712.         # docker does its own firewalling

  713.         return

  714.     fi

  715.     if [[ $ONION_ONLY != "no" ]]; then

  716.         return

  717.     fi

  718.     firewall_add HTTP 80 tcp

  719.     firewall_add HTTPS 443 tcp

  720.     mark_completed $FUNCNAME

  721. }

  722. 

  723. function update_default_domain {

  724.     echo $'Updating default domain'

  725.     if [[ $ONION_ONLY == 'no' ]]; then

  726.         if [ -d /etc/prosody ]; then

  727.             if [ -f /etc/mumble-server.ini ]; then

  728.                 if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then

  729.                     if ! grep -q "mumble.pem" /etc/mumble-server.ini; then

  730.                         sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini

  731.                         sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini

  732.                         systemctl restart mumble

  733.                     fi

  734.                 else

  735.                     if ! grep -q "${DEFAULT_DOMAIN_NAME}.pem" /etc/mumble-server.ini; then

  736.                         usermod -a -G ssl-cert mumble-server

  737.                         sed -i "s|sslCert=.*|sslCert=/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/mumble-server.ini

  738.                         sed -i "s|sslKey=.*|sslKey=/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/mumble-server.ini

  739.                         systemctl restart mumble

  740.                     fi

  741.                 fi

  742.             fi

  743. 

  744.             if [ ! -d /etc/prosody/certs ]; then

  745.                 mkdir /etc/prosody/certs

  746.             fi

  747.             cp /etc/ssl/private/xmpp* /etc/prosody/certs

  748.             cp /etc/ssl/certs/xmpp* /etc/prosody/certs

  749.             if [ /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then

  750.                 usermod -a -G ssl-cert prosody

  751.                 sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  752.                 sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  753. 

  754.                 sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua

  755.                 sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua

  756.             fi

  757. 

  758.             if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  759.                 sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  760.             fi

  761. 

  762.             if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  763.                 sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  764.             fi

  765. 

  766.             if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/prosody.cfg.lua; then

  767.                 sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua

  768.             fi

  769. 

  770.             if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/prosody.cfg.lua; then

  771.                 sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua

  772.             fi

  773. 

  774.             chown -R prosody:default /etc/prosody

  775.             chmod -R 700 /etc/prosody/certs/*

  776.             chmod 600 /etc/prosody/prosody.cfg.lua

  777.             systemctl reload prosody

  778.         fi

  779. 

  780.         if [ -d /home/znc/.znc ]; then

  781.             echo $'znc found'

  782.             if [[ "$(cert_exists ${DEFAULT_DOMAIN_NAME} pem)" == "1" ]]; then

  783.                 pkill znc

  784.                 cat /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key > /home/znc/.znc/znc.pem

  785.                 chown znc:znc /home/znc/.znc/znc.pem

  786.                 chmod 700 /home/znc/.znc/znc.pem

  787. 

  788.                 sed -i "s|CertFile =.*|CertFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/ngircd/ngircd.conf

  789.                 sed -i "s|DHFile =.*|DHFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam" /etc/ngircd/ngircd.conf

  790.                 sed -i "s|KeyFile =.*|KeyFile = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" /etc/ngircd/ngircd.conf

  791.                 echo $'irc certificates updated'

  792. 

  793.                 systemctl restart ngircd

  794.                 su -c 'znc' - znc

  795.             fi

  796.         fi

  797. 

  798.         if [ -d /etc/dovecot ]; then

  799.             if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then

  800.                 if ! grep -q "ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/dovecot/conf.d/10-ssl.conf; then

  801.                     sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  802.                     sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  803.                     systemctl restart dovecot

  804.                 fi

  805.             fi

  806.         fi

  807.     fi

  808. }

  809. 

  810. function create_default_web_site {

  811.     if [ ! -f /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} ]; then

  812.         # create a web site for the default domain

  813.         if [ ! -d /var/www/${DEFAULT_DOMAIN_NAME}/htdocs ]; then

  814.             mkdir -p /var/www/${DEFAULT_DOMAIN_NAME}/htdocs

  815.             if [ -d /root/${PROJECT_NAME} ]; then

  816.                 cd /root/${PROJECT_NAME}/website

  817.                 ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs

  818.             else

  819.                 if [ -d /home/${MY_USERNAME}/${PROJECT_NAME} ]; then

  820.                     cd /home/${MY_USERNAME}/${PROJECT_NAME}

  821.                     ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs

  822.                 fi

  823.             fi

  824.         fi

  825. 

  826.         # add a config for the default domain

  827.         nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME

  828.         if [[ $ONION_ONLY == "no" ]]; then

  829.             function_check nginx_http_redirect

  830.             nginx_http_redirect $DEFAULT_DOMAIN_NAME

  831.             echo 'server {' >> $nginx_site

  832.             echo '  listen 443 ssl;' >> $nginx_site

  833.             echo '  listen [::]:443 ssl;' >> $nginx_site

  834.             echo "  server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site

  835.             echo '' >> $nginx_site

  836.             echo '  # Security' >> $nginx_site

  837.             function_check nginx_ssl

  838.             nginx_ssl $DEFAULT_DOMAIN_NAME mobile

  839. 

  840.             function_check nginx_disable_sniffing

  841.             nginx_disable_sniffing $DEFAULT_DOMAIN_NAME

  842. 

  843.             echo '  add_header Strict-Transport-Security max-age=15768000;' >> $nginx_site

  844.             echo '' >> $nginx_site

  845.             echo '  # Logs' >> $nginx_site

  846.             echo '  access_log /dev/null;' >> $nginx_site

  847.             echo '  error_log /dev/null;' >> $nginx_site

  848.             echo '' >> $nginx_site

  849.             echo '  # Root' >> $nginx_site

  850.             echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site

  851.             echo '' >> $nginx_site

  852.             echo '  # Index' >> $nginx_site

  853.             echo '  index index.html;' >> $nginx_site

  854.             echo '' >> $nginx_site

  855.             echo '  # Location' >> $nginx_site

  856.             echo '  location / {' >> $nginx_site

  857.             function_check nginx_limits

  858.             nginx_limits $DEFAULT_DOMAIN_NAME '15m'

  859.             echo '  }' >> $nginx_site

  860.             echo '' >> $nginx_site

  861.             echo '  # Restrict access that is unnecessary anyway' >> $nginx_site

  862.             echo '  location ~ /\.(ht|git) {' >> $nginx_site

  863.             echo '    deny all;' >> $nginx_site

  864.             echo '  }' >> $nginx_site

  865.             echo '}' >> $nginx_site

  866.         else

  867.             echo -n '' > $nginx_site

  868.         fi

  869.         echo 'server {' >> $nginx_site

  870.         echo "    listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;" >> $nginx_site

  871.         echo "    server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site

  872.         echo '' >> $nginx_site

  873.         function_check nginx_disable_sniffing

  874.         nginx_disable_sniffing $DEFAULT_DOMAIN_NAME

  875.         echo '' >> $nginx_site

  876.         echo '  # Logs' >> $nginx_site

  877.         echo '  access_log /dev/null;' >> $nginx_site

  878.         echo '  error_log /dev/null;' >> $nginx_site

  879.         echo '' >> $nginx_site

  880.         echo '  # Root' >> $nginx_site

  881.         echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site

  882.         echo '' >> $nginx_site

  883.         echo '  # Location' >> $nginx_site

  884.         echo '  location / {' >> $nginx_site

  885.         function_check nginx_limits

  886.         nginx_limits $DEFAULT_DOMAIN_NAME '15m'

  887.         echo '  }' >> $nginx_site

  888.         echo '' >> $nginx_site

  889.         echo '  # Restrict access that is unnecessary anyway' >> $nginx_site

  890.         echo '  location ~ /\.(ht|git) {' >> $nginx_site

  891.         echo '    deny all;' >> $nginx_site

  892.         echo '  }' >> $nginx_site

  893.         echo '}' >> $nginx_site

  894. 

  895.         if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then

  896.             function_check create_site_certificate

  897.             create_site_certificate $DEFAULT_DOMAIN_NAME 'yes'

  898.         fi

  899. 

  900.         nginx_ensite $DEFAULT_DOMAIN_NAME

  901.     fi

  902. }

  903. 

  904. # NOTE: deliberately no exit 0