free
/
freedombone
關註 1
收藏 0
複製 0
程式碼 問題管理 0 合併請求 0 版本發佈 0 Wiki Activity
6110 Commit
5 分支
目錄樹: f0fb62eaeb
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from 'f0fb62eaeb'
${ noResults }
freedombone/src/freedombone-utils-web

freedombone-utils-web 38KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Web related functions

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. # default search engine for command line browser

  32. DEFAULT_SEARCH='https://searx.laquadrature.net'

  33. 

  34. # onion port for the default domain

  35. DEFAULT_DOMAIN_ONION_PORT=8099

  36. 

  37. # Whether Let's Encrypt is enabled for all sites

  38. LETSENCRYPT_ENABLED="no"

  39. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  40. 

  41. # list of encryption protocols

  42. SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

  43. 

  44. # list of ciphers to use.  See bettercrypto.org recommendations

  45. SSL_CIPHERS="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"

  46. 

  47. NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"

  48. NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'

  49. 

  50. # memory limit for php in MB

  51. MAX_PHP_MEMORY=64

  52. 

  53. # logging level for Nginx

  54. WEBSERVER_LOG_LEVEL='warn'

  55. 

  56. # test a domain name to see if it's valid

  57. function validate_domain_name {

  58.     # count the number of dots in the domain name

  59.     dots=${TEST_DOMAIN_NAME//[^.]}

  60.     no_of_dots=${#dots}

  61.     if (( $no_of_dots > 3 )); then

  62.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"

  63.     fi

  64.     if (( $no_of_dots == 0 )); then

  65.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"

  66.     fi

  67. }

  68. 

  69. function nginx_disable_sniffing {

  70.     domain_name=$1

  71.     filename=/etc/nginx/sites-available/$domain_name

  72.     echo '    add_header X-Frame-Options DENY;' >> $filename

  73.     echo '    add_header X-Content-Type-Options nosniff;' >> $filename

  74.     echo '' >> $filename

  75. }

  76. 

  77. function nginx_limits {

  78.     domain_name=$1

  79.     max_body='20m'

  80.     if [ $2 ]; then

  81.         max_body=$2

  82.     fi

  83.     filename=/etc/nginx/sites-available/$domain_name

  84.     echo "    client_max_body_size ${max_body};" >> $filename

  85.     echo '    client_body_buffer_size 128k;' >> $filename

  86.     echo '' >> $filename

  87.     echo '    limit_conn conn_limit_per_ip 10;' >> $filename

  88.     echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename

  89.     echo '' >> $filename

  90. }

  91. 

  92. function nginx_stapling {

  93.     domain_name=$1

  94.     filename=/etc/nginx/sites-available/$domain_name

  95.     echo "    ssl_stapling on;" >> $filename

  96.     echo '    ssl_stapling_verify on;' >> $filename

  97.     echo '    ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;' >> $filename

  98.     echo '' >> $filename

  99. }

  100. 

  101. function nginx_http_redirect {

  102.     # redirect port 80 to https

  103.     domain_name=$1

  104.     filename=/etc/nginx/sites-available/$domain_name

  105.     echo 'server {' > $filename

  106.     echo '    listen 80;' >> $filename

  107.     echo '    listen [::]:80;' >> $filename

  108.     echo "    server_name ${domain_name};" >> $filename

  109.     echo "    root /var/www/${domain_name}/htdocs;" >> $filename

  110.     echo '    access_log /dev/null;' >> $filename

  111.     echo "    error_log /dev/null;" >> $filename

  112.     function_check nginx_limits

  113.     nginx_limits $domain_name

  114.     echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> $filename

  115.     echo '}' >> $filename

  116.     echo '' >> $filename

  117. }

  118. 

  119. function nginx_ssl {

  120.     # creates the SSL/TLS section for a website

  121.     domain_name=$1

  122.     filename=/etc/nginx/sites-available/$domain_name

  123. 

  124.     echo '    ssl_stapling off;' >> $filename

  125.     echo '    ssl_stapling_verify off;' >> $filename

  126.     echo '    ssl on;' >> $filename

  127.     if [ -f /etc/ssl/certs/${domain_name}.pem ]; then

  128.         echo "    ssl_certificate /etc/ssl/certs/${domain_name}.pem;" >> $filename

  129.     else

  130.         echo "    ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename

  131.     fi

  132.     echo "    ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename

  133.     echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename

  134.     echo '' >> $filename

  135.     echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> $filename

  136.     echo '    ssl_session_timeout 60m;' >> $filename

  137.     echo '    ssl_prefer_server_ciphers on;' >> $filename

  138.     echo "    ssl_protocols $SSL_PROTOCOLS;" >> $filename

  139.     echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename

  140.     echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> $filename

  141.     #nginx_stapling $1

  142. }

  143. 

  144. function nginx_keybase {

  145.     # creates files suitable for keybase.io verification

  146.     domain_name=$1

  147.     filename=/etc/nginx/sites-available/$domain_name

  148. 

  149.     echo '' >> $filename

  150.     echo "  # make sure webfinger and other well known services aren't blocked" >> $filename

  151.     echo '  # by denying dot files and rewrite request to the front controller' >> $filename

  152.     echo '  location ^~ /.well-known/ {' >> $filename

  153.     echo '      allow all;' >> $filename

  154.     echo '  }' >> $filename

  155. 

  156.     if [ ! -d /var/www/${domain_name}/htdocs/.well-known ]; then

  157.         mkdir -p /var/www/${domain_name}/htdocs/.well-known

  158.     fi

  159.     if [ ! -f /var/www/${domain_name}/htdocs/keybase.txt ]; then

  160.         touch /var/www/${domain_name}/htdocs/keybase.txt

  161.     fi

  162.     if [ ! -f /var/www/${domain_name}/htdocs/.well-known/keybase.txt ]; then

  163.         touch /var/www/${domain_name}/htdocs/.well-known/keybase.txt

  164.     fi

  165. }

  166. 

  167. # check an individual domain name

  168. function test_domain_name {

  169.     if [ $1 ]; then

  170.         TEST_DOMAIN_NAME=$1

  171.         if [[ $TEST_DOMAIN_NAME != 'ttrss' ]]; then

  172.             function_check validate_domain_name

  173.             validate_domain_name

  174.             if [[ $TEST_DOMAIN_NAME != $1 ]]; then

  175.                 echo $"Invalid domain name $TEST_DOMAIN_NAME"

  176.                 exit 8528

  177.             fi

  178.         fi

  179.     fi

  180. }

  181. 

  182. # Checks whether certificates were generated for the given hostname

  183. function check_certificates {

  184.     if [ ! $1 ]; then

  185.         return

  186.     fi

  187.     USE_LETSENCRYPT='no'

  188.     if [ $2 ]; then

  189.         USE_LETSENCRYPT=$2

  190.     fi

  191.     if [[ $USE_LETSENCRYPT == 'no' ]]; then

  192.         if [ ! -f /etc/ssl/private/${1}.key ]; then

  193.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  194.             exit 63959

  195.         fi

  196.         if [ ! -f /etc/ssl/certs/${1}.crt ]; then

  197.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  198.             exit 7679

  199.         fi

  200. 

  201.         if grep -q "${1}.pem" /etc/nginx/sites-available/${1}; then

  202.             sed -i "s|${1}.pem|${1}.crt|g" /etc/nginx/sites-available/${1}

  203.         fi

  204.     else

  205.         if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then

  206.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  207.             exit 6282

  208.         fi

  209.         if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then

  210.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  211.             exit 5328

  212.         fi

  213.         if grep -q "${1}.crt" /etc/nginx/sites-available/${1}; then

  214.             sed -i "s|${1}.crt|${1}.pem|g" /etc/nginx/sites-available/${1}

  215.         fi

  216.     fi

  217.     if [ ! -f /etc/ssl/certs/${1}.dhparam ]; then

  218.         echo $"Diffie–Hellman parameters for ${CHECK_HOSTNAME} were not created"

  219.         exit 5989

  220.     fi

  221. }

  222. 

  223. function cert_exists {

  224.     cert_type='dhparam'

  225.     if [ $2 ]; then

  226.         cert_type="$2"

  227.     fi

  228.     if [ -f /etc/ssl/certs/${1}.${cert_type} ]; then

  229.         echo "1"

  230.     else

  231.         if [ -f /etc/letsencrypt/live/${1}/fullchain.${cert_type} ]; then

  232.             echo "1"

  233.         else

  234.             echo "0"

  235.         fi

  236.     fi

  237. }

  238. 

  239. function create_self_signed_cert {

  240.     ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}

  241.     function_check check_certificates

  242.     check_certificates ${SITE_DOMAIN_NAME}

  243. }

  244. 

  245. function create_letsencrypt_cert {

  246.     ${PROJECT_NAME}-addcert -e ${SITE_DOMAIN_NAME} -s ${LETSENCRYPT_SERVER} --dhkey ${DH_KEYLENGTH} --email ${MY_EMAIL_ADDRESS}

  247.     if [ ! "$?" = "0" ]; then

  248.         if [[ ${NO_SELF_SIGNED} == 'no' ]]; then

  249.             echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"

  250.             ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}

  251.             function_check check_certificates

  252.             check_certificates ${SITE_DOMAIN_NAME}

  253.         else

  254.             echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"

  255.             exit 682529

  256.         fi

  257.         return

  258.     fi

  259. 

  260.     function_check check_certificates

  261.     check_certificates ${SITE_DOMAIN_NAME} 'yes'

  262. }

  263. 

  264. function create_site_certificate {

  265.     SITE_DOMAIN_NAME="$1"

  266. 

  267.     # if yes then only "valid" certs are allowed, not self-signed

  268.     NO_SELF_SIGNED='no'

  269.     if [ $2 ]; then

  270.         NO_SELF_SIGNED="$2"

  271.     fi

  272. 

  273.     if [[ $ONION_ONLY == "no" ]]; then

  274.         if [[ "$(cert_exists ${SITE_DOMAIN_NAME})" == "0" ]]; then

  275.             if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then

  276.                 create_self_signed_cert

  277.             else

  278.                 create_letsencrypt_cert

  279.             fi

  280.         else

  281.             if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then

  282.                 if [[ "$(cert_exists ${SITE_DOMAIN_NAME} pem)" == "0" ]]; then

  283.                     create_letsencrypt_cert

  284.                 fi

  285.             fi

  286.         fi

  287.     fi

  288. }

  289. 

  290. # script to automatically renew any Let's Encrypt certificates

  291. function letsencrypt_renewals {

  292.     if [[ $ONION_ONLY != "no" ]]; then

  293.         return

  294.     fi

  295. 

  296.     renewals_script=/etc/cron.monthly/letsencrypt

  297.     renewals_retry_script=/etc/cron.daily/letsencrypt

  298.     renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'

  299.     renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'

  300. 

  301.     # the main script tries to renew once per month

  302.     echo '#!/bin/bash' > $renewals_script

  303.     echo '' >> $renewals_script

  304.     echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script

  305.     echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script

  306.     echo '' >> $renewals_script

  307.     echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script

  308.     echo '    if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script

  309.     echo '        rm ~/letsencrypt_failed' >> $renewals_script

  310.     echo '    fi' >> $renewals_script

  311.     echo -n '    ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script

  312.     echo -n "awk -F ':' '{print " >> $renewals_script

  313.     echo -n '$2' >> $renewals_script

  314.     echo "}')" >> $renewals_script

  315.     echo '    ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script

  316.     echo '    for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script

  317.     echo -n '        LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script

  318.     echo -n "awk -F '/' '{print " >> $renewals_script

  319.     echo -n '$5' >> $renewals_script

  320.     echo "}')" >> $renewals_script

  321.     echo '        if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script

  322.     echo '            ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script

  323.     echo '            if [ ! "$?" = "0" ]; then' >> $renewals_script

  324.     echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script

  325.     echo '                echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script

  326.     echo '                ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script

  327.     echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script

  328.     echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script

  329.     echo '                rm ~/temp_renewletsencrypt.txt' >> $renewals_script

  330.     echo '                if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script

  331.     echo '                    touch ~/letsencrypt_failed' >> $renewals_script

  332.     echo '                fi' >> $renewals_script

  333.     echo '            fi' >> $renewals_script

  334.     echo '        fi' >> $renewals_script

  335.     echo '    done' >> $renewals_script

  336.     echo 'fi' >> $renewals_script

  337.     chmod +x $renewals_script

  338. 

  339.     # a secondary script keeps trying to renew after a failure

  340.     echo '#!/bin/bash' > $renewals_retry_script

  341.     echo '' >> $renewals_retry_script

  342.     echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script

  343.     echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script

  344.     echo '' >> $renewals_retry_script

  345.     echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script

  346.     echo '    if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script

  347.     echo '        rm ~/letsencrypt_failed' >> $renewals_retry_script

  348.     echo -n '        ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script

  349.     echo -n "awk -F ':' '{print " >> $renewals_retry_script

  350.     echo -n '$2' >> $renewals_retry_script

  351.     echo "}')" >> $renewals_retry_script

  352.     echo '        ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script

  353.     echo '        for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script

  354.     echo -n '            LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script

  355.     echo -n "awk -F '/' '{print " >> $renewals_retry_script

  356.     echo -n '$5' >> $renewals_retry_script

  357.     echo "}')" >> $renewals_retry_script

  358.     echo '            if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script

  359.     echo '                ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script

  360.     echo '                if [ ! "$?" = "0" ]; then' >> $renewals_retry_script

  361.     echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script

  362.     echo '                    echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script

  363.     echo '                    ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script

  364.     echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script

  365.     echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script

  366.     echo '                    rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script

  367.     echo '                    if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script

  368.     echo '                        touch ~/letsencrypt_failed' >> $renewals_retry_script

  369.     echo '                    fi' >> $renewals_retry_script

  370.     echo '                fi' >> $renewals_retry_script

  371.     echo '            fi' >> $renewals_retry_script

  372.     echo '        done' >> $renewals_retry_script

  373.     echo '    fi' >> $renewals_retry_script

  374.     echo 'fi' >> $renewals_retry_script

  375.     chmod +x $renewals_retry_script

  376. }

  377. 

  378. function configure_php {

  379.     sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini

  380.     sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini

  381.     sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/cli/php.ini

  382.     sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php5/fpm/php.ini

  383.     sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php5/fpm/php.ini

  384. }

  385. 

  386. function install_web_server_access_control {

  387.     if [ ! -f /etc/pam.d/nginx ]; then

  388.         echo '#%PAM-1.0' > /etc/pam.d/nginx

  389.         echo '@include common-auth' >> /etc/pam.d/nginx

  390.         echo '@include common-account' >> /etc/pam.d/nginx

  391.         echo '@include common-session' >> /etc/pam.d/nginx

  392.     fi

  393. }

  394. 

  395. function install_dynamicdns {

  396.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  397.         return

  398.     fi

  399.     if [[ $ONION_ONLY != "no" ]]; then

  400.         return

  401.     fi

  402. 

  403.     # update to the next commit

  404.     function_check set_repo_commit

  405.     set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO

  406. 

  407.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  408.         return

  409.     fi

  410. 

  411.     # Here we compile from source because the current package

  412.     # doesn't support https, which could result in passwords

  413.     # being leaked

  414.     # Debian version 1.99.4-1

  415.     # https version 1.99.8

  416. 

  417.     apt-get -yq install build-essential curl libgnutls28-dev automake1.11

  418.     if [ ! -d $INSTALL_DIR/inadyn ]; then

  419.         git_clone $INADYN_REPO $INSTALL_DIR/inadyn

  420.     fi

  421.     if [ ! -d $INSTALL_DIR/inadyn ]; then

  422.         echo 'inadyn repo not cloned'

  423.         echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs

  424.         exit 6785

  425.     fi

  426.     cd $INSTALL_DIR/inadyn

  427.     git checkout $INADYN_COMMIT -b $INADYN_COMMIT

  428.     set_completion_param "inadyn commit" "$INADYN_COMMIT"

  429. 

  430.     ./configure

  431.     if [ ! "$?" = "0" ]; then

  432.         exit 74890

  433.     fi

  434.     USE_OPENSSL=1 make

  435.     if [ ! "$?" = "0" ]; then

  436.         exit 74858

  437.     fi

  438.     make install

  439.     if [ ! "$?" = "0" ]; then

  440.         exit 3785

  441.     fi

  442. 

  443.     # create an unprivileged user

  444.     #chmod 600 /etc/shadow

  445.     #chmod 600 /etc/gshadow

  446.     #useradd -r -s /bin/false debian-inadyn

  447.     #chmod 0000 /etc/shadow

  448.     #chmod 0000 /etc/gshadow

  449. 

  450.     # create a configuration file

  451.     echo 'background' > /etc/inadyn.conf

  452.     echo 'verbose        1' >> /etc/inadyn.conf

  453.     echo 'period         300' >> /etc/inadyn.conf

  454.     echo 'startup-delay  60' >> /etc/inadyn.conf

  455.     echo 'cache-dir      /run/inadyn' >> /etc/inadyn.conf

  456.     echo 'logfile        /dev/null' >> /etc/inadyn.conf

  457.     chmod 600 /etc/inadyn.conf

  458. 

  459.     echo '[Unit]' > /etc/systemd/system/inadyn.service

  460.     echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service

  461.     echo 'After=network.target' >> /etc/systemd/system/inadyn.service

  462.     echo '' >> /etc/systemd/system/inadyn.service

  463.     echo '[Service]' >> /etc/systemd/system/inadyn.service

  464.     echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service

  465.     echo 'Restart=always' >> /etc/systemd/system/inadyn.service

  466.     echo 'Type=forking' >> /etc/systemd/system/inadyn.service

  467.     echo '' >> /etc/systemd/system/inadyn.service

  468.     echo '[Install]' >> /etc/systemd/system/inadyn.service

  469.     echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service

  470.     systemctl enable inadyn

  471.     systemctl start inadyn

  472.     systemctl daemon-reload

  473. 

  474.     mark_completed $FUNCNAME

  475. }

  476. 

  477. function install_command_line_browser {

  478.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  479.         return

  480.     fi

  481.     apt-get -yq install elinks

  482. 

  483.     # set the home page

  484.     if ! grep -q "WWW_HOME" /home/$MY_USERNAME/.bashrc; then

  485.         if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then

  486.             echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$MY_USERNAME/.bashrc

  487.         else

  488.             sed -i "/control/i export WWW_HOME=$DEFAULT_SEARCH" /home/$MY_USERNAME/.bashrc

  489.         fi

  490.     fi

  491. 

  492.     mark_completed $FUNCNAME

  493. }

  494. 

  495. function mesh_web_server {

  496.     if [ -d /etc/apache2 ]; then

  497.         chroot "$rootdir" apt-get -yq remove --purge apache2

  498.         chroot "$rootdir" rm -rf /etc/apache2

  499.     fi

  500. 

  501.     chroot "$rootdir" apt-get -yq install nginx

  502. 

  503.     if [ ! -d $rootdir/etc/nginx ]; then

  504.         echo $'Unable to install web server'

  505.         exit 346825

  506.     fi

  507. }

  508. 

  509. function install_web_server {

  510.     if [ $INSTALLING_MESH ]; then

  511.         mesh_web_server

  512.         return

  513.     fi

  514. 

  515.     # update to the next commit

  516.     function_check set_repo_commit

  517.     set_repo_commit $INSTALL_DIR/nginx_ensite "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO

  518. 

  519.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  520.         return

  521.     fi

  522.     # remove apache

  523.     apt-get -yq remove --purge apache2

  524.     if [ -d /etc/apache2 ]; then

  525.         rm -rf /etc/apache2

  526.     fi

  527.     # install nginx

  528.     apt-get -yq install nginx php5-fpm git

  529. 

  530.     # Turn off logs by default

  531.     sed -i 's|access_log.*|access_log = /dev/null;|g' /etc/nginx/nginx.conf

  532.     sed -i 's|error_log.*|error_log = /dev/null;|g' /etc/nginx/nginx.conf

  533. 

  534.     # limit the number of php processes

  535.     sed -i 's/; process.max =.*/process.max = 32/g' /etc/php5/fpm/php-fpm.conf

  536.     #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php5/fpm/php-fpm.conf

  537. 

  538.     if ! grep -q "pm.max_children" /etc/php5/fpm/php-fpm.conf; then

  539.         echo 'pm.max_children = 10' >> /etc/php5/fpm/php-fpm.conf

  540.         echo 'pm.start_servers = 2' >> /etc/php5/fpm/php-fpm.conf

  541.         echo 'pm.min_spare_servers = 2' >> /etc/php5/fpm/php-fpm.conf

  542.         echo 'pm.max_spare_servers = 5' >> /etc/php5/fpm/php-fpm.conf

  543.         echo 'pm.max_requests = 50' >> /etc/php5/fpm/php-fpm.conf

  544.     fi

  545. 

  546.     if [ ! -d /etc/nginx ]; then

  547.         echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"

  548.         exit 51

  549.     fi

  550. 

  551.     # Nginx settings

  552.     echo 'user www-data;' > /etc/nginx/nginx.conf

  553.     #echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf

  554.     echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf

  555.     echo '' >> /etc/nginx/nginx.conf

  556.     echo 'events {' >> /etc/nginx/nginx.conf

  557.     echo '        worker_connections 50;' >> /etc/nginx/nginx.conf

  558.     echo '        # multi_accept on;' >> /etc/nginx/nginx.conf

  559.     echo '}' >> /etc/nginx/nginx.conf

  560.     echo '' >> /etc/nginx/nginx.conf

  561.     echo 'http {' >> /etc/nginx/nginx.conf

  562.     echo '        # limit the number of connections per single IP' >> /etc/nginx/nginx.conf

  563.     echo '        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf

  564.     echo '' >> /etc/nginx/nginx.conf

  565.     echo '        # limit the number of requests for a given session' >> /etc/nginx/nginx.conf

  566.     echo '        limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf

  567.     echo '' >> /etc/nginx/nginx.conf

  568.     echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf

  569.     echo '        client_body_buffer_size  128k;' >> /etc/nginx/nginx.conf

  570.     echo '' >> /etc/nginx/nginx.conf

  571.     echo '        # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf

  572.     echo '        client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf

  573.     echo '' >> /etc/nginx/nginx.conf

  574.     echo '        # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf

  575.     echo '        large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf

  576.     echo '' >> /etc/nginx/nginx.conf

  577.     echo '        # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf

  578.     echo '        client_body_timeout   3m;' >> /etc/nginx/nginx.conf

  579.     echo '' >> /etc/nginx/nginx.conf

  580.     echo '        # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf

  581.     echo '        client_header_timeout 3m;' >> /etc/nginx/nginx.conf

  582.     echo '' >> /etc/nginx/nginx.conf

  583.     echo '        ##' >> /etc/nginx/nginx.conf

  584.     echo '        # Basic Settings' >> /etc/nginx/nginx.conf

  585.     echo '        ##' >> /etc/nginx/nginx.conf

  586.     echo '' >> /etc/nginx/nginx.conf

  587.     echo '        sendfile on;' >> /etc/nginx/nginx.conf

  588.     echo '        tcp_nopush on;' >> /etc/nginx/nginx.conf

  589.     echo '        tcp_nodelay on;' >> /etc/nginx/nginx.conf

  590.     echo '        keepalive_timeout 65;' >> /etc/nginx/nginx.conf

  591.     echo '        types_hash_max_size 2048;' >> /etc/nginx/nginx.conf

  592.     echo '        server_tokens off;' >> /etc/nginx/nginx.conf

  593.     echo '' >> /etc/nginx/nginx.conf

  594.     echo '        # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf

  595.     echo '        # server_name_in_redirect off;' >> /etc/nginx/nginx.conf

  596.     echo '' >> /etc/nginx/nginx.conf

  597.     echo '        include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf

  598.     echo '        default_type application/octet-stream;' >> /etc/nginx/nginx.conf

  599.     echo '' >> /etc/nginx/nginx.conf

  600.     echo '        ##' >> /etc/nginx/nginx.conf

  601.     echo '        # Logging Settings' >> /etc/nginx/nginx.conf

  602.     echo '        ##' >> /etc/nginx/nginx.conf

  603.     echo '' >> /etc/nginx/nginx.conf

  604.     echo '        access_log /dev/null;' >> /etc/nginx/nginx.conf

  605.     echo '        error_log /dev/null;' >> /etc/nginx/nginx.conf

  606.     echo '' >> /etc/nginx/nginx.conf

  607.     echo '        ###' >> /etc/nginx/nginx.conf

  608.     echo '        # Gzip Settings' >> /etc/nginx/nginx.conf

  609.     echo '        ##' >> /etc/nginx/nginx.conf

  610.     echo '        gzip on;' >> /etc/nginx/nginx.conf

  611.     echo '        gzip_disable "msie6";' >> /etc/nginx/nginx.conf

  612.     echo '' >> /etc/nginx/nginx.conf

  613.     echo '        # gzip_vary on;' >> /etc/nginx/nginx.conf

  614.     echo '        # gzip_proxied any;' >> /etc/nginx/nginx.conf

  615.     echo '        # gzip_comp_level 6;' >> /etc/nginx/nginx.conf

  616.     echo '        # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf

  617.     echo '        # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf

  618.     echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf

  619.     echo '' >> /etc/nginx/nginx.conf

  620.     echo '        ##' >> /etc/nginx/nginx.conf

  621.     echo '        # Virtual Host Configs' >> /etc/nginx/nginx.conf

  622.     echo '        ##' >> /etc/nginx/nginx.conf

  623.     echo '' >> /etc/nginx/nginx.conf

  624.     echo '        include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf

  625.     echo '        include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf

  626.     echo '}' >> /etc/nginx/nginx.conf

  627. 

  628.     # install a script to easily enable and disable nginx virtual hosts

  629.     if [ ! -d $INSTALL_DIR ]; then

  630.         mkdir $INSTALL_DIR

  631.     fi

  632.     cd $INSTALL_DIR

  633.     function_check git_clone

  634.     git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite

  635.     cd $INSTALL_DIR/nginx_ensite

  636.     git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT

  637. 

  638.     set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"

  639. 

  640.     make install

  641.     nginx_dissite default

  642. 

  643.     function_check configure_firewall_for_web_access

  644.     configure_firewall_for_web_access

  645. 

  646.     mark_completed $FUNCNAME

  647. }

  648. 

  649. function remove_certs {

  650.     domain_name=$1

  651. 

  652.     if [ ! $domain_name ]; then

  653.         return

  654.     fi

  655. 

  656.     if [ -f /etc/ssl/certs/${domain_name}.dhparam ]; then

  657.         rm /etc/ssl/certs/${domain_name}.dhparam

  658.     fi

  659. 

  660.     if [ -f /etc/ssl/certs/${domain_name}.pem ]; then

  661.         rm /etc/ssl/certs/${domain_name}.pem

  662.     fi

  663. 

  664.     if [ -f /etc/ssl/certs/${domain_name}.crt ]; then

  665.         rm /etc/ssl/certs/${domain_name}.crt

  666.     fi

  667. 

  668.     if [ -f /etc/ssl/private/${domain_name}.key ]; then

  669.         rm /etc/ssl/private/${domain_name}.key

  670.     fi

  671. }

  672. 

  673. function configure_firewall_for_web_access {

  674.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  675.         return

  676.     fi

  677.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  678.         # docker does its own firewalling

  679.         return

  680.     fi

  681.     if [[ $ONION_ONLY != "no" ]]; then

  682.         return

  683.     fi

  684.     firewall_add HTTP 80 tcp

  685.     firewall_add HTTPS 443 tcp

  686.     mark_completed $FUNCNAME

  687. }

  688. 

  689. function update_default_domain {

  690.     echo $'Updating default domain'

  691.     if [[ $ONION_ONLY == 'no' ]]; then

  692.         if [ -d /etc/prosody ]; then

  693.             if [ -d /etc/jitsi ]; then

  694.                 read_config_param "JITSI_DOMAIN_NAME"

  695.                 if [ ${#JITSI_DOMAIN_NAME} -gt 0 ]; then

  696.                     if [ -f /etc/ssl/private/${JITSI_DOMAIN_NAME}.key ]; then

  697.                         cp /etc/ssl/private/${JITSI_DOMAIN_NAME}.key /etc/prosody/certs/${JITSI_DOMAIN_NAME}.key

  698.                     fi

  699.                     if [ -f /etc/ssl/certs/${JITSI_DOMAIN_NAME}.crt ]; then

  700.                         cp /etc/ssl/certs/${JITSI_DOMAIN_NAME}.crt /etc/prosody/certs/${JITSI_DOMAIN_NAME}.pem

  701.                     fi

  702.                     if [ -f /etc/ssl/certs/${JITSI_DOMAIN_NAME}.pem ]; then

  703.                         cp /etc/ssl/certs/${JITSI_DOMAIN_NAME}.pem /etc/prosody/certs/${JITSI_DOMAIN_NAME}.pem

  704.                     fi

  705.                 fi

  706.             fi

  707. 

  708.             if [ ! -d /etc/prosody/certs ]; then

  709.                 mkdir /etc/prosody/certs

  710.             fi

  711. 

  712.             cp /etc/ssl/private/xmpp* /etc/prosody/certs

  713.             cp /etc/ssl/private/${DEFAULT_DOMAIN_NAME}* /etc/prosody/certs

  714.             cp /etc/ssl/certs/xmpp* /etc/prosody/certs

  715.             cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}* /etc/prosody/certs

  716.             if [ ! -f /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.dhparam ]; then

  717.                 if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam ]; then

  718.                     cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.dhparam

  719.                 fi

  720.             fi

  721.             if [ ! /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then

  722.                 if [ ! /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.crt ]; then

  723.                     mv /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.crt /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem

  724.                 fi

  725.             else

  726.                 sed -i "s|/etc/prosody/certs/xmpp.key|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  727.                 sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  728. 

  729.                 sed -i "s|/etc/prosody/certs/xmpp.key|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua

  730.                 sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua

  731.             fi

  732.             chown -R prosody:default /etc/prosody

  733.             chmod -R 700 /etc/prosody/certs/*

  734.             chmod 600 /etc/prosody/prosody.cfg.lua

  735.             systemctl reload prosody

  736.         fi

  737. 

  738.         if [ -d /var/lib/matrix ]; then

  739.             if [ -f /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.pem ]; then

  740.                 cp /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.pem /var/lib/matrix/${MATRIX_DOMAIN_NAME}.tls.crt

  741.                 cp /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam /var/lib/matrix/${MATRIX_DOMAIN_NAME}.tls.dh

  742.                 cp /etc/ssl/private/${MATRIX_DOMAIN_NAME}.key /var/lib/matrix/${MATRIX_DOMAIN_NAME}.tls.key

  743.                 chown -R matrix:matrix /var/lib/matrix

  744.                 chmod -R 700 /var/lib/matrix/*.pem

  745.                 chmod -R 700 /var/lib/matrix/*.key

  746.                 chmod -R 700 /var/lib/matrix/*.dhparam

  747.                 systemctl restart turn

  748.                 systemctl restart matrix

  749.             fi

  750.         fi

  751. 

  752.         if [ -d /var/lib/mumble-server ]; then

  753.             if [[ "$(cert_exists ${DEFAULT_DOMAIN_NAME} pem)" == "1" ]]; then

  754.                 cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /var/lib/mumble-server/mumble.pem

  755.                 cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam /var/lib/mumble-server/mumble.dhparam

  756.                 cp /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key /var/lib/mumble-server/mumble.key

  757.                 chown -R mumble-server:mumble-server /var/lib/mumble-server

  758.                 chmod -R 700 /var/lib/mumble-server/*.pem

  759.                 chmod -R 700 /var/lib/mumble-server/*.key

  760.                 chmod -R 700 /var/lib/mumble-server/*.dhparam

  761.                 systemctl restart mumble-server

  762.             fi

  763.         fi

  764. 

  765.         if [ -d /home/znc/.znc ]; then

  766.             echo $'znc found'

  767.             if [[ "$(cert_exists ${DEFAULT_DOMAIN_NAME} pem)" == "1" ]]; then

  768.                 pkill znc

  769.                 cat /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key > /home/znc/.znc/znc.pem

  770.                 chown znc:znc /home/znc/.znc/znc.pem

  771.                 chmod 700 /home/znc/.znc/znc.pem

  772. 

  773.                 sed -i "s|CertFile =.*|CertFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/ngircd/ngircd.conf

  774.                 sed -i "s|DHFile =.*|DHFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam" /etc/ngircd/ngircd.conf

  775.                 sed -i "s|KeyFile =.*|KeyFile = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" /etc/ngircd/ngircd.conf

  776.                 echo $'irc certificates updated'

  777. 

  778.                 systemctl restart ngircd

  779.                 su -c 'znc' - znc

  780.             fi

  781.         fi

  782. 

  783.         if [ -d /etc/dovecot ]; then

  784.             if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then

  785.                 if ! grep -q "ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/dovecot/conf.d/10-ssl.conf; then

  786.                     sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  787.                     sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  788.                     systemctl restart dovecot

  789.                 fi

  790.             fi

  791.         fi

  792. 

  793.         if [ -d /etc/matrix-synapse ]; then

  794.             cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /etc/matrix-synapse/homeserver.tls.crt

  795.             cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam /etc/matrix-synapse/homeserver.tls.dh

  796.             cp /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key /etc/matrix-synapse/homeserver.tls.key

  797.             chown matrix-synapse: /etc/matrix-synapse/homeserver.tls.key

  798.             chown matrix-synapse: /etc/matrix-synapse/homeserver.tls.dh

  799.             chown matrix-synapse: /etc/matrix-synapse/homeserver.tls.crt

  800.             chmod -R 700 /etc/matrix-synapse/homeserver.tls.key

  801.             chmod -R 700 /etc/matrix-synapse/homeserver.tls.dh

  802.             chmod -R 700 /etc/matrix-synapse/homeserver.tls.crt

  803.             systemctl restart matrix-synapse

  804.         fi

  805.     fi

  806. }

  807. 

  808. function create_default_web_site {

  809.     if [ ! -f /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} ]; then

  810.         # create a web site for the default domain

  811.         if [ ! -d /var/www/${DEFAULT_DOMAIN_NAME}/htdocs ]; then

  812.             mkdir -p /var/www/${DEFAULT_DOMAIN_NAME}/htdocs

  813.             if [ -d /root/${PROJECT_NAME} ]; then

  814.                 cd /root/${PROJECT_NAME}/website

  815.                 ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs

  816.             else

  817.                 if [ -d /home/${MY_USERNAME}/${PROJECT_NAME} ]; then

  818.                     cd /home/${MY_USERNAME}/${PROJECT_NAME}

  819.                     ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs

  820.                 fi

  821.             fi

  822.         fi

  823. 

  824.         # add a config for the default domain

  825.         nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME

  826.         if [[ $ONION_ONLY == "no" ]]; then

  827.             function_check nginx_http_redirect

  828.             nginx_http_redirect $DEFAULT_DOMAIN_NAME

  829.             echo 'server {' >> $nginx_site

  830.             echo '  listen 443 ssl;' >> $nginx_site

  831.             echo '  listen [::]:443 ssl;' >> $nginx_site

  832.             echo "  server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site

  833.             echo '' >> $nginx_site

  834.             echo '  # Security' >> $nginx_site

  835.             function_check nginx_ssl

  836.             nginx_ssl $DEFAULT_DOMAIN_NAME

  837. 

  838.             function_check nginx_disable_sniffing

  839.             nginx_disable_sniffing $DEFAULT_DOMAIN_NAME

  840. 

  841.             echo '  add_header Strict-Transport-Security max-age=15768000;' >> $nginx_site

  842.             echo '' >> $nginx_site

  843.             echo '  # Logs' >> $nginx_site

  844.             echo '  access_log /dev/null;' >> $nginx_site

  845.             echo '  error_log /dev/null;' >> $nginx_site

  846.             echo '' >> $nginx_site

  847.             echo '  # Root' >> $nginx_site

  848.             echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site

  849.             echo '' >> $nginx_site

  850.             echo '  # Index' >> $nginx_site

  851.             echo '  index index.html;' >> $nginx_site

  852.             echo '' >> $nginx_site

  853.             echo '  # Location' >> $nginx_site

  854.             echo '  location / {' >> $nginx_site

  855.             function_check nginx_limits

  856.             nginx_limits $DEFAULT_DOMAIN_NAME '15m'

  857.             echo '  }' >> $nginx_site

  858.             echo '' >> $nginx_site

  859.             echo '  # Restrict access that is unnecessary anyway' >> $nginx_site

  860.             echo '  location ~ /\.(ht|git) {' >> $nginx_site

  861.             echo '    deny all;' >> $nginx_site

  862.             echo '  }' >> $nginx_site

  863.             echo '}' >> $nginx_site

  864.         else

  865.             echo -n '' > $nginx_site

  866.         fi

  867.         echo 'server {' >> $nginx_site

  868.         echo "    listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;" >> $nginx_site

  869.         echo "    server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site

  870.         echo '' >> $nginx_site

  871.         function_check nginx_disable_sniffing

  872.         nginx_disable_sniffing $DEFAULT_DOMAIN_NAME

  873.         echo '' >> $nginx_site

  874.         echo '  # Logs' >> $nginx_site

  875.         echo '  access_log /dev/null;' >> $nginx_site

  876.         echo '  error_log /dev/null;' >> $nginx_site

  877.         echo '' >> $nginx_site

  878.         echo '  # Root' >> $nginx_site

  879.         echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site

  880.         echo '' >> $nginx_site

  881.         echo '  # Location' >> $nginx_site

  882.         echo '  location / {' >> $nginx_site

  883.         function_check nginx_limits

  884.         nginx_limits $DEFAULT_DOMAIN_NAME '15m'

  885.         echo '  }' >> $nginx_site

  886.         echo '' >> $nginx_site

  887.         echo '  # Restrict access that is unnecessary anyway' >> $nginx_site

  888.         echo '  location ~ /\.(ht|git) {' >> $nginx_site

  889.         echo '    deny all;' >> $nginx_site

  890.         echo '  }' >> $nginx_site

  891.         echo '}' >> $nginx_site

  892. 

  893.         if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then

  894.             function_check create_site_certificate

  895.             create_site_certificate $DEFAULT_DOMAIN_NAME 'yes'

  896.         fi

  897. 

  898.         nginx_ensite $DEFAULT_DOMAIN_NAME

  899.     fi

  900. }

  901. 

  902. # NOTE: deliberately no exit 0