freedombone-utils-web 24KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Web related functions
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  30. # default search engine for command line browser
  31. DEFAULT_SEARCH='https://searx.laquadrature.net'
  32. # This isn't used here, but is included for mirrors creation purposes
  33. LETSENCRYPT_REPO="https://github.com/letsencrypt/letsencrypt"
  34. # Whether Let's Encrypt is enabled for all sites
  35. LETSENCRYPT_ENABLED="no"
  36. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
  37. # list of encryption protocols
  38. SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"
  39. # list of ciphers to use. See bettercrypto.org recommendations
  40. SSL_CIPHERS="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
  41. NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"
  42. NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'
  43. # memory limit for php in MB
  44. MAX_PHP_MEMORY=64
  45. # logging level for Nginx
  46. WEBSERVER_LOG_LEVEL='warn'
  47. # test a domain name to see if it's valid
  48. function validate_domain_name {
  49. # count the number of dots in the domain name
  50. dots=${TEST_DOMAIN_NAME//[^.]}
  51. no_of_dots=${#dots}
  52. if (( $no_of_dots > 3 )); then
  53. TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"
  54. fi
  55. if (( $no_of_dots == 0 )); then
  56. TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"
  57. fi
  58. }
  59. function nginx_disable_sniffing {
  60. domain_name=$1
  61. filename=/etc/nginx/sites-available/$domain_name
  62. echo ' add_header X-Frame-Options DENY;' >> $filename
  63. echo ' add_header X-Content-Type-Options nosniff;' >> $filename
  64. echo '' >> $filename
  65. }
  66. function nginx_limits {
  67. domain_name=$1
  68. max_body='20m'
  69. if [ $2 ]; then
  70. max_body=$2
  71. fi
  72. filename=/etc/nginx/sites-available/$domain_name
  73. echo " client_max_body_size ${max_body};" >> $filename
  74. echo ' client_body_buffer_size 128k;' >> $filename
  75. echo '' >> $filename
  76. echo ' limit_conn conn_limit_per_ip 10;' >> $filename
  77. echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename
  78. echo '' >> $filename
  79. }
  80. function nginx_stapling {
  81. domain_name=$1
  82. filename=/etc/nginx/sites-available/$domain_name
  83. echo " ssl_stapling on;" >> $filename
  84. echo ' ssl_stapling_verify on;' >> $filename
  85. echo ' ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;' >> $filename
  86. echo '' >> $filename
  87. }
  88. function nginx_http_redirect {
  89. # redirect port 80 to https
  90. domain_name=$1
  91. filename=/etc/nginx/sites-available/$domain_name
  92. echo 'server {' > $filename
  93. echo ' listen 80;' >> $filename
  94. echo ' listen [::]:80;' >> $filename
  95. echo " server_name ${domain_name};" >> $filename
  96. echo " root /var/www/${domain_name}/htdocs;" >> $filename
  97. echo ' access_log off;' >> $filename
  98. echo " error_log /var/log/nginx/${domain_name}_error.log $WEBSERVER_LOG_LEVEL;" >> $filename
  99. function_check nginx_limits
  100. nginx_limits $domain_name
  101. echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> $filename
  102. echo '}' >> $filename
  103. echo '' >> $filename
  104. }
  105. function nginx_ssl {
  106. # creates the SSL/TLS section for a website
  107. domain_name=$1
  108. filename=/etc/nginx/sites-available/$domain_name
  109. echo ' ssl on;' >> $filename
  110. echo " ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename
  111. echo " ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename
  112. echo " ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename
  113. echo '' >> $filename
  114. echo ' ssl_session_timeout 60m;' >> $filename
  115. echo ' ssl_prefer_server_ciphers on;' >> $filename
  116. echo " ssl_protocols $SSL_PROTOCOLS;" >> $filename
  117. echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename
  118. nginx_stapling $1
  119. }
  120. # check an individual domain name
  121. function test_domain_name {
  122. if [ $1 ]; then
  123. TEST_DOMAIN_NAME=$1
  124. function_check validate_domain_name
  125. validate_domain_name
  126. if [[ $TEST_DOMAIN_NAME != $1 ]]; then
  127. echo $TEST_DOMAIN_NAME
  128. exit 8528
  129. fi
  130. fi
  131. }
  132. # Checks whether certificates were generated for the given hostname
  133. function check_certificates {
  134. if [ ! $1 ]; then
  135. return
  136. fi
  137. USE_LETSENCRYPT='no'
  138. if [ $2 ]; then
  139. USE_LETSENCRYPT=$2
  140. fi
  141. if [[ $USE_LETSENCRYPT == 'no' ]]; then
  142. if [ ! -f /etc/ssl/private/$1.key ]; then
  143. echo $"Private certificate for $CHECK_HOSTNAME was not created"
  144. exit 63959
  145. fi
  146. if [ ! -f /etc/ssl/certs/$1.crt ]; then
  147. echo $"Public certificate for $CHECK_HOSTNAME was not created"
  148. exit 7679
  149. fi
  150. else
  151. if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then
  152. echo $"Private certificate for $CHECK_HOSTNAME was not created"
  153. exit 6282
  154. fi
  155. if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then
  156. echo $"Public certificate for $CHECK_HOSTNAME was not created"
  157. exit 5328
  158. fi
  159. fi
  160. if [ ! -f /etc/ssl/certs/$1.dhparam ]; then
  161. echo $"Diffie–Hellman parameters for $CHECK_HOSTNAME were not created"
  162. exit 5989
  163. fi
  164. }
  165. function create_site_certificate {
  166. SITE_DOMAIN_NAME="$1"
  167. # if yes then only "valid" certs are allowed, not self-signed
  168. NO_SELF_SIGNED='no'
  169. if [ $2 ]; then
  170. NO_SELF_SIGNED="$2"
  171. fi
  172. if [[ $ONION_ONLY == "no" ]]; then
  173. if [ ! -f /etc/ssl/certs/$SITE_DOMAIN_NAME.dhparam ]; then
  174. if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
  175. ${PROJECT_NAME}-addcert -h $SITE_DOMAIN_NAME --dhkey $DH_KEYLENGTH
  176. function_check check_certificates
  177. check_certificates $SITE_DOMAIN_NAME
  178. else
  179. ${PROJECT_NAME}-addcert -e $SITE_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH --email $MY_EMAIL_ADDRESS
  180. if [ ! "$?" = "0" ]; then
  181. if [[ $NO_SELF_SIGNED == 'no' ]]; then
  182. echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME, so try making a self-signed cert"
  183. ${PROJECT_NAME}-addcert -h $SITE_DOMAIN_NAME --dhkey $DH_KEYLENGTH
  184. function_check check_certificates
  185. check_certificates $SITE_DOMAIN_NAME
  186. else
  187. echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"
  188. exit 682529
  189. fi
  190. else
  191. function_check check_certificates
  192. check_certificates $SITE_DOMAIN_NAME 'yes'
  193. fi
  194. fi
  195. fi
  196. fi
  197. }
  198. # script to automatically renew any Let's Encrypt certificates
  199. function letsencrypt_renewals {
  200. if [[ $ONION_ONLY != "no" ]]; then
  201. return
  202. fi
  203. renewals_script=/etc/cron.monthly/letsencrypt
  204. renewals_retry_script=/etc/cron.daily/letsencrypt
  205. renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'
  206. renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'
  207. # the main script tries to renew once per month
  208. echo '#!/bin/bash' > $renewals_script
  209. echo '' >> $renewals_script
  210. echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script
  211. echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script
  212. echo '' >> $renewals_script
  213. echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script
  214. echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script
  215. echo ' rm ~/letsencrypt_failed' >> $renewals_script
  216. echo ' fi' >> $renewals_script
  217. echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script
  218. echo -n "awk -F ':' '{print " >> $renewals_script
  219. echo -n '$2' >> $renewals_script
  220. echo "}')" >> $renewals_script
  221. echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script
  222. echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script
  223. echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script
  224. echo -n "awk -F '/' '{print " >> $renewals_script
  225. echo -n '$5' >> $renewals_script
  226. echo "}')" >> $renewals_script
  227. echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script
  228. echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script
  229. echo ' if [ ! "$?" = "0" ]; then' >> $renewals_script
  230. echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script
  231. echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script
  232. echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script
  233. echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script
  234. echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script
  235. echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_script
  236. echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script
  237. echo ' touch ~/letsencrypt_failed' >> $renewals_script
  238. echo ' fi' >> $renewals_script
  239. echo ' fi' >> $renewals_script
  240. echo ' fi' >> $renewals_script
  241. echo ' done' >> $renewals_script
  242. echo 'fi' >> $renewals_script
  243. chmod +x $renewals_script
  244. # a secondary script keeps trying to renew after a failure
  245. echo '#!/bin/bash' > $renewals_retry_script
  246. echo '' >> $renewals_retry_script
  247. echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script
  248. echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script
  249. echo '' >> $renewals_retry_script
  250. echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script
  251. echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
  252. echo ' rm ~/letsencrypt_failed' >> $renewals_retry_script
  253. echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script
  254. echo -n "awk -F ':' '{print " >> $renewals_retry_script
  255. echo -n '$2' >> $renewals_retry_script
  256. echo "}')" >> $renewals_retry_script
  257. echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script
  258. echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script
  259. echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script
  260. echo -n "awk -F '/' '{print " >> $renewals_retry_script
  261. echo -n '$5' >> $renewals_retry_script
  262. echo "}')" >> $renewals_retry_script
  263. echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script
  264. echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script
  265. echo ' if [ ! "$?" = "0" ]; then' >> $renewals_retry_script
  266. echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script
  267. echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
  268. echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
  269. echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script
  270. echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script
  271. echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
  272. echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
  273. echo ' touch ~/letsencrypt_failed' >> $renewals_retry_script
  274. echo ' fi' >> $renewals_retry_script
  275. echo ' fi' >> $renewals_retry_script
  276. echo ' fi' >> $renewals_retry_script
  277. echo ' done' >> $renewals_retry_script
  278. echo ' fi' >> $renewals_retry_script
  279. echo 'fi' >> $renewals_retry_script
  280. chmod +x $renewals_retry_script
  281. }
  282. function configure_php {
  283. sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini
  284. sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini
  285. sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/cli/php.ini
  286. sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php5/fpm/php.ini
  287. sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php5/fpm/php.ini
  288. }
  289. function install_web_server_access_control {
  290. if [ ! -f /etc/pam.d/nginx ]; then
  291. echo '#%PAM-1.0' > /etc/pam.d/nginx
  292. echo '@include common-auth' >> /etc/pam.d/nginx
  293. echo '@include common-account' >> /etc/pam.d/nginx
  294. echo '@include common-session' >> /etc/pam.d/nginx
  295. fi
  296. }
  297. function install_dynamicdns {
  298. if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
  299. return
  300. fi
  301. if [[ $ONION_ONLY != "no" ]]; then
  302. return
  303. fi
  304. # update to the next commit
  305. function_check set_repo_commit
  306. set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO
  307. if grep -Fxq "install_dynamicdns" $COMPLETION_FILE; then
  308. return
  309. fi
  310. # Here we compile from source because the current package
  311. # doesn't support https, which could result in passwords
  312. # being leaked
  313. # Debian version 1.99.4-1
  314. # https version 1.99.8
  315. apt-get -y install build-essential curl libgnutls28-dev automake1.11
  316. if [ ! -d $INSTALL_DIR/inadyn ]; then
  317. git_clone $INADYN_REPO $INSTALL_DIR/inadyn
  318. fi
  319. if [ ! -d $INSTALL_DIR/inadyn ]; then
  320. echo 'inadyn repo not cloned'
  321. echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs
  322. exit 6785
  323. fi
  324. cd $INSTALL_DIR/inadyn
  325. git checkout $INADYN_COMMIT -b $INADYN_COMMIT
  326. if ! grep -q "inadyn commit" $COMPLETION_FILE; then
  327. echo "inadyn commit:$INADYN_COMMIT" >> $COMPLETION_FILE
  328. else
  329. sed -i "s/inadyn commit.*/inadyn commit:$INADYN_COMMIT/g" $COMPLETION_FILE
  330. fi
  331. ./configure
  332. if [ ! "$?" = "0" ]; then
  333. exit 74890
  334. fi
  335. USE_OPENSSL=1 make
  336. if [ ! "$?" = "0" ]; then
  337. exit 74858
  338. fi
  339. make install
  340. if [ ! "$?" = "0" ]; then
  341. exit 3785
  342. fi
  343. # create an unprivileged user
  344. #useradd -r -s /bin/false debian-inadyn
  345. # create a configuration file
  346. echo 'background' > /etc/inadyn.conf
  347. echo 'verbose 1' >> /etc/inadyn.conf
  348. echo 'period 300' >> /etc/inadyn.conf
  349. echo 'startup-delay 60' >> /etc/inadyn.conf
  350. echo 'cache-dir /run/inadyn' >> /etc/inadyn.conf
  351. echo 'logfile /dev/null' >> /etc/inadyn.conf
  352. chmod 600 /etc/inadyn.conf
  353. echo '[Unit]' > /etc/systemd/system/inadyn.service
  354. echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service
  355. echo 'After=network.target' >> /etc/systemd/system/inadyn.service
  356. echo '' >> /etc/systemd/system/inadyn.service
  357. echo '[Service]' >> /etc/systemd/system/inadyn.service
  358. echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service
  359. echo 'Restart=always' >> /etc/systemd/system/inadyn.service
  360. echo 'Type=forking' >> /etc/systemd/system/inadyn.service
  361. echo '' >> /etc/systemd/system/inadyn.service
  362. echo '[Install]' >> /etc/systemd/system/inadyn.service
  363. echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service
  364. systemctl enable inadyn
  365. systemctl start inadyn
  366. systemctl daemon-reload
  367. echo 'install_dynamicdns' >> $COMPLETION_FILE
  368. }
  369. function install_command_line_browser {
  370. if grep -Fxq "install_command_line_browser" $COMPLETION_FILE; then
  371. return
  372. fi
  373. apt-get -y install elinks
  374. # set the home page
  375. if ! grep -q "WWW_HOME" /home/$MY_USERNAME/.bashrc; then
  376. if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then
  377. echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$MY_USERNAME/.bashrc
  378. else
  379. sed -i "/control/i export WWW_HOME=$DEFAULT_SEARCH" /home/$MY_USERNAME/.bashrc
  380. fi
  381. fi
  382. echo 'install_command_line_browser' >> $COMPLETION_FILE
  383. }
  384. function mesh_web_server {
  385. if [ -d /etc/apache2 ]; then
  386. chroot "$rootdir" apt-get -y remove --purge apache2
  387. chroot "$rootdir" rm -rf /etc/apache2
  388. fi
  389. chroot "$rootdir" apt-get -y install nginx
  390. if [ ! -d $rootdir/etc/nginx ]; then
  391. echo $'Unable to install web server'
  392. exit 346825
  393. fi
  394. }
  395. function install_web_server {
  396. if [ $INSTALLING_MESH ]; then
  397. mesh_web_server
  398. return
  399. fi
  400. if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
  401. return
  402. fi
  403. # update to the next commit
  404. function_check set_repo_commit
  405. set_repo_commit $INSTALL_DIR/nginx_ensite "Nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO
  406. if grep -Fxq "install_web_server" $COMPLETION_FILE; then
  407. return
  408. fi
  409. # remove apache
  410. apt-get -y remove --purge apache2
  411. if [ -d /etc/apache2 ]; then
  412. rm -rf /etc/apache2
  413. fi
  414. # install nginx
  415. apt-get -y install nginx php5-fpm git
  416. # limit the number of php processes
  417. sed -i 's/; process.max =.*/process.max = 32/g' /etc/php5/fpm/php-fpm.conf
  418. #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php5/fpm/php-fpm.conf
  419. if ! grep -q "pm.max_children" /etc/php5/fpm/php-fpm.conf; then
  420. echo 'pm.max_children = 10' >> /etc/php5/fpm/php-fpm.conf
  421. echo 'pm.start_servers = 2' >> /etc/php5/fpm/php-fpm.conf
  422. echo 'pm.min_spare_servers = 2' >> /etc/php5/fpm/php-fpm.conf
  423. echo 'pm.max_spare_servers = 5' >> /etc/php5/fpm/php-fpm.conf
  424. echo 'pm.max_requests = 50' >> /etc/php5/fpm/php-fpm.conf
  425. fi
  426. if [ ! -d /etc/nginx ]; then
  427. echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"
  428. exit 51
  429. fi
  430. # Nginx settings
  431. echo 'user www-data;' > /etc/nginx/nginx.conf
  432. #echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf
  433. echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf
  434. echo '' >> /etc/nginx/nginx.conf
  435. echo 'events {' >> /etc/nginx/nginx.conf
  436. echo ' worker_connections 50;' >> /etc/nginx/nginx.conf
  437. echo ' # multi_accept on;' >> /etc/nginx/nginx.conf
  438. echo '}' >> /etc/nginx/nginx.conf
  439. echo '' >> /etc/nginx/nginx.conf
  440. echo 'http {' >> /etc/nginx/nginx.conf
  441. echo ' # limit the number of connections per single IP' >> /etc/nginx/nginx.conf
  442. echo ' limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf
  443. echo '' >> /etc/nginx/nginx.conf
  444. echo ' # limit the number of requests for a given session' >> /etc/nginx/nginx.conf
  445. echo ' limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf
  446. echo '' >> /etc/nginx/nginx.conf
  447. echo ' # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf
  448. echo ' client_body_buffer_size 128k;' >> /etc/nginx/nginx.conf
  449. echo '' >> /etc/nginx/nginx.conf
  450. echo ' # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf
  451. echo ' client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf
  452. echo '' >> /etc/nginx/nginx.conf
  453. echo ' # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf
  454. echo ' large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf
  455. echo '' >> /etc/nginx/nginx.conf
  456. echo ' # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf
  457. echo ' client_body_timeout 3m;' >> /etc/nginx/nginx.conf
  458. echo '' >> /etc/nginx/nginx.conf
  459. echo ' # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf
  460. echo ' client_header_timeout 3m;' >> /etc/nginx/nginx.conf
  461. echo '' >> /etc/nginx/nginx.conf
  462. echo ' ##' >> /etc/nginx/nginx.conf
  463. echo ' # Basic Settings' >> /etc/nginx/nginx.conf
  464. echo ' ##' >> /etc/nginx/nginx.conf
  465. echo '' >> /etc/nginx/nginx.conf
  466. echo ' sendfile on;' >> /etc/nginx/nginx.conf
  467. echo ' tcp_nopush on;' >> /etc/nginx/nginx.conf
  468. echo ' tcp_nodelay on;' >> /etc/nginx/nginx.conf
  469. echo ' keepalive_timeout 65;' >> /etc/nginx/nginx.conf
  470. echo ' types_hash_max_size 2048;' >> /etc/nginx/nginx.conf
  471. echo ' server_tokens off;' >> /etc/nginx/nginx.conf
  472. echo '' >> /etc/nginx/nginx.conf
  473. echo ' # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf
  474. echo ' # server_name_in_redirect off;' >> /etc/nginx/nginx.conf
  475. echo '' >> /etc/nginx/nginx.conf
  476. echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf
  477. echo ' default_type application/octet-stream;' >> /etc/nginx/nginx.conf
  478. echo '' >> /etc/nginx/nginx.conf
  479. echo ' ##' >> /etc/nginx/nginx.conf
  480. echo ' # Logging Settings' >> /etc/nginx/nginx.conf
  481. echo ' ##' >> /etc/nginx/nginx.conf
  482. echo '' >> /etc/nginx/nginx.conf
  483. echo ' access_log /var/log/nginx/access.log;' >> /etc/nginx/nginx.conf
  484. echo ' error_log /var/log/nginx/error.log;' >> /etc/nginx/nginx.conf
  485. echo '' >> /etc/nginx/nginx.conf
  486. echo ' ###' >> /etc/nginx/nginx.conf
  487. echo ' # Gzip Settings' >> /etc/nginx/nginx.conf
  488. echo ' ##' >> /etc/nginx/nginx.conf
  489. echo ' gzip on;' >> /etc/nginx/nginx.conf
  490. echo ' gzip_disable "msie6";' >> /etc/nginx/nginx.conf
  491. echo '' >> /etc/nginx/nginx.conf
  492. echo ' # gzip_vary on;' >> /etc/nginx/nginx.conf
  493. echo ' # gzip_proxied any;' >> /etc/nginx/nginx.conf
  494. echo ' # gzip_comp_level 6;' >> /etc/nginx/nginx.conf
  495. echo ' # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf
  496. echo ' # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf
  497. echo ' # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf
  498. echo '' >> /etc/nginx/nginx.conf
  499. echo ' ##' >> /etc/nginx/nginx.conf
  500. echo ' # Virtual Host Configs' >> /etc/nginx/nginx.conf
  501. echo ' ##' >> /etc/nginx/nginx.conf
  502. echo '' >> /etc/nginx/nginx.conf
  503. echo ' include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf
  504. echo ' include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf
  505. echo '}' >> /etc/nginx/nginx.conf
  506. # install a script to easily enable and disable nginx virtual hosts
  507. if [ ! -d $INSTALL_DIR ]; then
  508. mkdir $INSTALL_DIR
  509. fi
  510. cd $INSTALL_DIR
  511. function_check git_clone
  512. git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite
  513. cd $INSTALL_DIR/nginx_ensite
  514. git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT
  515. if ! grep -q "Nginx-ensite commit" $COMPLETION_FILE; then
  516. echo "Nginx-ensite commit:$NGINX_ENSITE_COMMIT" >> $COMPLETION_FILE
  517. else
  518. sed -i "s/Nginx-ensite commit.*/Nginx-ensite commit:$NGINX_ENSITE_COMMIT/g" $COMPLETION_FILE
  519. fi
  520. make install
  521. nginx_dissite default
  522. function_check configure_firewall_for_web_access
  523. configure_firewall_for_web_access
  524. echo 'install_web_server' >> $COMPLETION_FILE
  525. }
  526. # NOTE: deliberately no exit 0