freedombone-utils-web 38KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Web related functions
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  30. # default search engine for command line browser
  31. DEFAULT_SEARCH='https://searx.laquadrature.net'
  32. # onion port for the default domain
  33. DEFAULT_DOMAIN_ONION_PORT=8099
  34. # Whether Let's Encrypt is enabled for all sites
  35. LETSENCRYPT_ENABLED="no"
  36. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
  37. # list of encryption protocols
  38. SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"
  39. # list of ciphers to use. See bettercrypto.org recommendations
  40. SSL_CIPHERS="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
  41. NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"
  42. NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'
  43. # memory limit for php in MB
  44. MAX_PHP_MEMORY=64
  45. # logging level for Nginx
  46. WEBSERVER_LOG_LEVEL='warn'
  47. # test a domain name to see if it's valid
  48. function validate_domain_name {
  49. # count the number of dots in the domain name
  50. dots=${TEST_DOMAIN_NAME//[^.]}
  51. no_of_dots=${#dots}
  52. if (( $no_of_dots > 3 )); then
  53. TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"
  54. fi
  55. if (( $no_of_dots == 0 )); then
  56. TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"
  57. fi
  58. }
  59. function nginx_disable_sniffing {
  60. domain_name=$1
  61. filename=/etc/nginx/sites-available/$domain_name
  62. echo ' add_header X-Frame-Options DENY;' >> $filename
  63. echo ' add_header X-Content-Type-Options nosniff;' >> $filename
  64. echo '' >> $filename
  65. }
  66. function nginx_limits {
  67. domain_name=$1
  68. max_body='20m'
  69. if [ $2 ]; then
  70. max_body=$2
  71. fi
  72. filename=/etc/nginx/sites-available/$domain_name
  73. echo " client_max_body_size ${max_body};" >> $filename
  74. echo ' client_body_buffer_size 128k;' >> $filename
  75. echo '' >> $filename
  76. echo ' limit_conn conn_limit_per_ip 10;' >> $filename
  77. echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename
  78. echo '' >> $filename
  79. }
  80. function nginx_stapling {
  81. domain_name=$1
  82. filename=/etc/nginx/sites-available/$domain_name
  83. echo " ssl_stapling on;" >> $filename
  84. echo ' ssl_stapling_verify on;' >> $filename
  85. echo ' ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;' >> $filename
  86. echo '' >> $filename
  87. }
  88. function nginx_http_redirect {
  89. # redirect port 80 to https
  90. domain_name=$1
  91. filename=/etc/nginx/sites-available/$domain_name
  92. echo 'server {' > $filename
  93. echo ' listen 80;' >> $filename
  94. echo ' listen [::]:80;' >> $filename
  95. echo " server_name ${domain_name};" >> $filename
  96. echo " root /var/www/${domain_name}/htdocs;" >> $filename
  97. echo ' access_log /dev/null;' >> $filename
  98. echo " error_log /dev/null;" >> $filename
  99. function_check nginx_limits
  100. nginx_limits $domain_name
  101. echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> $filename
  102. echo '}' >> $filename
  103. echo '' >> $filename
  104. }
  105. function nginx_ssl {
  106. # creates the SSL/TLS section for a website
  107. domain_name=$1
  108. filename=/etc/nginx/sites-available/$domain_name
  109. echo ' ssl_stapling off;' >> $filename
  110. echo ' ssl_stapling_verify off;' >> $filename
  111. echo ' ssl on;' >> $filename
  112. if [ -f /etc/ssl/certs/${domain_name}.pem ]; then
  113. echo " ssl_certificate /etc/ssl/certs/${domain_name}.pem;" >> $filename
  114. else
  115. echo " ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename
  116. fi
  117. echo " ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename
  118. echo " ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename
  119. echo '' >> $filename
  120. echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> $filename
  121. echo ' ssl_session_timeout 60m;' >> $filename
  122. echo ' ssl_prefer_server_ciphers on;' >> $filename
  123. echo " ssl_protocols $SSL_PROTOCOLS;" >> $filename
  124. echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename
  125. echo " add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> $filename
  126. #nginx_stapling $1
  127. }
  128. function nginx_keybase {
  129. # creates files suitable for keybase.io verification
  130. domain_name=$1
  131. filename=/etc/nginx/sites-available/$domain_name
  132. echo '' >> $filename
  133. echo " # make sure webfinger and other well known services aren't blocked" >> $filename
  134. echo ' # by denying dot files and rewrite request to the front controller' >> $filename
  135. echo ' location ^~ /.well-known/ {' >> $filename
  136. echo ' allow all;' >> $filename
  137. echo ' }' >> $filename
  138. if [ ! -d /var/www/${domain_name}/htdocs/.well-known ]; then
  139. mkdir -p /var/www/${domain_name}/htdocs/.well-known
  140. fi
  141. if [ ! -f /var/www/${domain_name}/htdocs/keybase.txt ]; then
  142. touch /var/www/${domain_name}/htdocs/keybase.txt
  143. fi
  144. if [ ! -f /var/www/${domain_name}/htdocs/.well-known/keybase.txt ]; then
  145. touch /var/www/${domain_name}/htdocs/.well-known/keybase.txt
  146. fi
  147. }
  148. # check an individual domain name
  149. function test_domain_name {
  150. if [ $1 ]; then
  151. TEST_DOMAIN_NAME=$1
  152. if [[ $TEST_DOMAIN_NAME != 'ttrss' ]]; then
  153. function_check validate_domain_name
  154. validate_domain_name
  155. if [[ $TEST_DOMAIN_NAME != $1 ]]; then
  156. echo $"Invalid domain name $TEST_DOMAIN_NAME"
  157. exit 8528
  158. fi
  159. fi
  160. fi
  161. }
  162. # Checks whether certificates were generated for the given hostname
  163. function check_certificates {
  164. if [ ! $1 ]; then
  165. return
  166. fi
  167. USE_LETSENCRYPT='no'
  168. if [ $2 ]; then
  169. USE_LETSENCRYPT=$2
  170. fi
  171. if [[ $USE_LETSENCRYPT == 'no' ]]; then
  172. if [ ! -f /etc/ssl/private/${1}.key ]; then
  173. echo $"Private certificate for ${CHECK_HOSTNAME} was not created"
  174. exit 63959
  175. fi
  176. if [ ! -f /etc/ssl/certs/${1}.crt ]; then
  177. echo $"Public certificate for ${CHECK_HOSTNAME} was not created"
  178. exit 7679
  179. fi
  180. if grep -q "${1}.pem" /etc/nginx/sites-available/${1}; then
  181. sed -i "s|${1}.pem|${1}.crt|g" /etc/nginx/sites-available/${1}
  182. fi
  183. else
  184. if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then
  185. echo $"Private certificate for ${CHECK_HOSTNAME} was not created"
  186. exit 6282
  187. fi
  188. if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then
  189. echo $"Public certificate for ${CHECK_HOSTNAME} was not created"
  190. exit 5328
  191. fi
  192. if grep -q "${1}.crt" /etc/nginx/sites-available/${1}; then
  193. sed -i "s|${1}.crt|${1}.pem|g" /etc/nginx/sites-available/${1}
  194. fi
  195. fi
  196. if [ ! -f /etc/ssl/certs/${1}.dhparam ]; then
  197. echo $"Diffie–Hellman parameters for ${CHECK_HOSTNAME} were not created"
  198. exit 5989
  199. fi
  200. }
  201. function cert_exists {
  202. cert_type='dhparam'
  203. if [ $2 ]; then
  204. cert_type="$2"
  205. fi
  206. if [ -f /etc/ssl/certs/${1}.${cert_type} ]; then
  207. echo "1"
  208. else
  209. if [ -f /etc/letsencrypt/live/${1}/fullchain.${cert_type} ]; then
  210. echo "1"
  211. else
  212. echo "0"
  213. fi
  214. fi
  215. }
  216. function create_self_signed_cert {
  217. ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}
  218. function_check check_certificates
  219. check_certificates ${SITE_DOMAIN_NAME}
  220. }
  221. function create_letsencrypt_cert {
  222. ${PROJECT_NAME}-addcert -e ${SITE_DOMAIN_NAME} -s ${LETSENCRYPT_SERVER} --dhkey ${DH_KEYLENGTH} --email ${MY_EMAIL_ADDRESS}
  223. if [ ! "$?" = "0" ]; then
  224. if [[ ${NO_SELF_SIGNED} == 'no' ]]; then
  225. echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"
  226. ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}
  227. function_check check_certificates
  228. check_certificates ${SITE_DOMAIN_NAME}
  229. else
  230. echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"
  231. exit 682529
  232. fi
  233. return
  234. fi
  235. function_check check_certificates
  236. check_certificates ${SITE_DOMAIN_NAME} 'yes'
  237. }
  238. function create_site_certificate {
  239. SITE_DOMAIN_NAME="$1"
  240. # if yes then only "valid" certs are allowed, not self-signed
  241. NO_SELF_SIGNED='no'
  242. if [ $2 ]; then
  243. NO_SELF_SIGNED="$2"
  244. fi
  245. if [[ $ONION_ONLY == "no" ]]; then
  246. if [[ "$(cert_exists ${SITE_DOMAIN_NAME})" == "0" ]]; then
  247. if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
  248. create_self_signed_cert
  249. else
  250. create_letsencrypt_cert
  251. fi
  252. else
  253. if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then
  254. if [[ "$(cert_exists ${SITE_DOMAIN_NAME} pem)" == "0" ]]; then
  255. create_letsencrypt_cert
  256. fi
  257. fi
  258. fi
  259. fi
  260. }
  261. # script to automatically renew any Let's Encrypt certificates
  262. function letsencrypt_renewals {
  263. if [[ $ONION_ONLY != "no" ]]; then
  264. return
  265. fi
  266. renewals_script=/etc/cron.monthly/letsencrypt
  267. renewals_retry_script=/etc/cron.daily/letsencrypt
  268. renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'
  269. renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'
  270. # the main script tries to renew once per month
  271. echo '#!/bin/bash' > $renewals_script
  272. echo '' >> $renewals_script
  273. echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script
  274. echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script
  275. echo '' >> $renewals_script
  276. echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script
  277. echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script
  278. echo ' rm ~/letsencrypt_failed' >> $renewals_script
  279. echo ' fi' >> $renewals_script
  280. echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script
  281. echo -n "awk -F ':' '{print " >> $renewals_script
  282. echo -n '$2' >> $renewals_script
  283. echo "}')" >> $renewals_script
  284. echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script
  285. echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script
  286. echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script
  287. echo -n "awk -F '/' '{print " >> $renewals_script
  288. echo -n '$5' >> $renewals_script
  289. echo "}')" >> $renewals_script
  290. echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script
  291. echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script
  292. echo ' if [ ! "$?" = "0" ]; then' >> $renewals_script
  293. echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script
  294. echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script
  295. echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script
  296. echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script
  297. echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script
  298. echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_script
  299. echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script
  300. echo ' touch ~/letsencrypt_failed' >> $renewals_script
  301. echo ' fi' >> $renewals_script
  302. echo ' fi' >> $renewals_script
  303. echo ' fi' >> $renewals_script
  304. echo ' done' >> $renewals_script
  305. echo 'fi' >> $renewals_script
  306. chmod +x $renewals_script
  307. # a secondary script keeps trying to renew after a failure
  308. echo '#!/bin/bash' > $renewals_retry_script
  309. echo '' >> $renewals_retry_script
  310. echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script
  311. echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script
  312. echo '' >> $renewals_retry_script
  313. echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script
  314. echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
  315. echo ' rm ~/letsencrypt_failed' >> $renewals_retry_script
  316. echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script
  317. echo -n "awk -F ':' '{print " >> $renewals_retry_script
  318. echo -n '$2' >> $renewals_retry_script
  319. echo "}')" >> $renewals_retry_script
  320. echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script
  321. echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script
  322. echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script
  323. echo -n "awk -F '/' '{print " >> $renewals_retry_script
  324. echo -n '$5' >> $renewals_retry_script
  325. echo "}')" >> $renewals_retry_script
  326. echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script
  327. echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script
  328. echo ' if [ ! "$?" = "0" ]; then' >> $renewals_retry_script
  329. echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script
  330. echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
  331. echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
  332. echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script
  333. echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script
  334. echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
  335. echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
  336. echo ' touch ~/letsencrypt_failed' >> $renewals_retry_script
  337. echo ' fi' >> $renewals_retry_script
  338. echo ' fi' >> $renewals_retry_script
  339. echo ' fi' >> $renewals_retry_script
  340. echo ' done' >> $renewals_retry_script
  341. echo ' fi' >> $renewals_retry_script
  342. echo 'fi' >> $renewals_retry_script
  343. chmod +x $renewals_retry_script
  344. }
  345. function configure_php {
  346. sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini
  347. sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini
  348. sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/cli/php.ini
  349. sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php5/fpm/php.ini
  350. sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php5/fpm/php.ini
  351. }
  352. function install_web_server_access_control {
  353. if [ ! -f /etc/pam.d/nginx ]; then
  354. echo '#%PAM-1.0' > /etc/pam.d/nginx
  355. echo '@include common-auth' >> /etc/pam.d/nginx
  356. echo '@include common-account' >> /etc/pam.d/nginx
  357. echo '@include common-session' >> /etc/pam.d/nginx
  358. fi
  359. }
  360. function install_dynamicdns {
  361. if [[ $SYSTEM_TYPE == "mesh"* ]]; then
  362. return
  363. fi
  364. if [[ $ONION_ONLY != "no" ]]; then
  365. return
  366. fi
  367. # update to the next commit
  368. function_check set_repo_commit
  369. set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO
  370. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  371. return
  372. fi
  373. # Here we compile from source because the current package
  374. # doesn't support https, which could result in passwords
  375. # being leaked
  376. # Debian version 1.99.4-1
  377. # https version 1.99.8
  378. apt-get -yq install build-essential curl libgnutls28-dev automake1.11
  379. if [ ! -d $INSTALL_DIR/inadyn ]; then
  380. git_clone $INADYN_REPO $INSTALL_DIR/inadyn
  381. fi
  382. if [ ! -d $INSTALL_DIR/inadyn ]; then
  383. echo 'inadyn repo not cloned'
  384. echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs
  385. exit 6785
  386. fi
  387. cd $INSTALL_DIR/inadyn
  388. git checkout $INADYN_COMMIT -b $INADYN_COMMIT
  389. set_completion_param "inadyn commit" "$INADYN_COMMIT"
  390. ./configure
  391. if [ ! "$?" = "0" ]; then
  392. exit 74890
  393. fi
  394. USE_OPENSSL=1 make
  395. if [ ! "$?" = "0" ]; then
  396. exit 74858
  397. fi
  398. make install
  399. if [ ! "$?" = "0" ]; then
  400. exit 3785
  401. fi
  402. # create an unprivileged user
  403. #chmod 600 /etc/shadow
  404. #chmod 600 /etc/gshadow
  405. #useradd -r -s /bin/false debian-inadyn
  406. #chmod 0000 /etc/shadow
  407. #chmod 0000 /etc/gshadow
  408. # create a configuration file
  409. echo 'background' > /etc/inadyn.conf
  410. echo 'verbose 1' >> /etc/inadyn.conf
  411. echo 'period 300' >> /etc/inadyn.conf
  412. echo 'startup-delay 60' >> /etc/inadyn.conf
  413. echo 'cache-dir /run/inadyn' >> /etc/inadyn.conf
  414. echo 'logfile /dev/null' >> /etc/inadyn.conf
  415. chmod 600 /etc/inadyn.conf
  416. echo '[Unit]' > /etc/systemd/system/inadyn.service
  417. echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service
  418. echo 'After=network.target' >> /etc/systemd/system/inadyn.service
  419. echo '' >> /etc/systemd/system/inadyn.service
  420. echo '[Service]' >> /etc/systemd/system/inadyn.service
  421. echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service
  422. echo 'Restart=always' >> /etc/systemd/system/inadyn.service
  423. echo 'Type=forking' >> /etc/systemd/system/inadyn.service
  424. echo '' >> /etc/systemd/system/inadyn.service
  425. echo '[Install]' >> /etc/systemd/system/inadyn.service
  426. echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service
  427. systemctl enable inadyn
  428. systemctl start inadyn
  429. systemctl daemon-reload
  430. mark_completed $FUNCNAME
  431. }
  432. function install_command_line_browser {
  433. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  434. return
  435. fi
  436. apt-get -yq install elinks
  437. # set the home page
  438. if ! grep -q "WWW_HOME" /home/$MY_USERNAME/.bashrc; then
  439. if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then
  440. echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$MY_USERNAME/.bashrc
  441. else
  442. sed -i "/control/i export WWW_HOME=$DEFAULT_SEARCH" /home/$MY_USERNAME/.bashrc
  443. fi
  444. fi
  445. mark_completed $FUNCNAME
  446. }
  447. function mesh_web_server {
  448. if [ -d /etc/apache2 ]; then
  449. chroot "$rootdir" apt-get -yq remove --purge apache2
  450. chroot "$rootdir" rm -rf /etc/apache2
  451. fi
  452. chroot "$rootdir" apt-get -yq install nginx
  453. if [ ! -d $rootdir/etc/nginx ]; then
  454. echo $'Unable to install web server'
  455. exit 346825
  456. fi
  457. }
  458. function install_web_server {
  459. if [ $INSTALLING_MESH ]; then
  460. mesh_web_server
  461. return
  462. fi
  463. # update to the next commit
  464. function_check set_repo_commit
  465. set_repo_commit $INSTALL_DIR/nginx_ensite "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO
  466. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  467. return
  468. fi
  469. # remove apache
  470. apt-get -yq remove --purge apache2
  471. if [ -d /etc/apache2 ]; then
  472. rm -rf /etc/apache2
  473. fi
  474. # install nginx
  475. apt-get -yq install nginx php5-fpm git
  476. # Turn off logs by default
  477. sed -i 's|access_log.*|access_log = /dev/null;|g' /etc/nginx/nginx.conf
  478. sed -i 's|error_log.*|error_log = /dev/null;|g' /etc/nginx/nginx.conf
  479. # limit the number of php processes
  480. sed -i 's/; process.max =.*/process.max = 32/g' /etc/php5/fpm/php-fpm.conf
  481. #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php5/fpm/php-fpm.conf
  482. if ! grep -q "pm.max_children" /etc/php5/fpm/php-fpm.conf; then
  483. echo 'pm.max_children = 10' >> /etc/php5/fpm/php-fpm.conf
  484. echo 'pm.start_servers = 2' >> /etc/php5/fpm/php-fpm.conf
  485. echo 'pm.min_spare_servers = 2' >> /etc/php5/fpm/php-fpm.conf
  486. echo 'pm.max_spare_servers = 5' >> /etc/php5/fpm/php-fpm.conf
  487. echo 'pm.max_requests = 50' >> /etc/php5/fpm/php-fpm.conf
  488. fi
  489. if [ ! -d /etc/nginx ]; then
  490. echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"
  491. exit 51
  492. fi
  493. # Nginx settings
  494. echo 'user www-data;' > /etc/nginx/nginx.conf
  495. #echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf
  496. echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf
  497. echo '' >> /etc/nginx/nginx.conf
  498. echo 'events {' >> /etc/nginx/nginx.conf
  499. echo ' worker_connections 50;' >> /etc/nginx/nginx.conf
  500. echo ' # multi_accept on;' >> /etc/nginx/nginx.conf
  501. echo '}' >> /etc/nginx/nginx.conf
  502. echo '' >> /etc/nginx/nginx.conf
  503. echo 'http {' >> /etc/nginx/nginx.conf
  504. echo ' # limit the number of connections per single IP' >> /etc/nginx/nginx.conf
  505. echo ' limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf
  506. echo '' >> /etc/nginx/nginx.conf
  507. echo ' # limit the number of requests for a given session' >> /etc/nginx/nginx.conf
  508. echo ' limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf
  509. echo '' >> /etc/nginx/nginx.conf
  510. echo ' # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf
  511. echo ' client_body_buffer_size 128k;' >> /etc/nginx/nginx.conf
  512. echo '' >> /etc/nginx/nginx.conf
  513. echo ' # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf
  514. echo ' client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf
  515. echo '' >> /etc/nginx/nginx.conf
  516. echo ' # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf
  517. echo ' large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf
  518. echo '' >> /etc/nginx/nginx.conf
  519. echo ' # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf
  520. echo ' client_body_timeout 3m;' >> /etc/nginx/nginx.conf
  521. echo '' >> /etc/nginx/nginx.conf
  522. echo ' # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf
  523. echo ' client_header_timeout 3m;' >> /etc/nginx/nginx.conf
  524. echo '' >> /etc/nginx/nginx.conf
  525. echo ' ##' >> /etc/nginx/nginx.conf
  526. echo ' # Basic Settings' >> /etc/nginx/nginx.conf
  527. echo ' ##' >> /etc/nginx/nginx.conf
  528. echo '' >> /etc/nginx/nginx.conf
  529. echo ' sendfile on;' >> /etc/nginx/nginx.conf
  530. echo ' tcp_nopush on;' >> /etc/nginx/nginx.conf
  531. echo ' tcp_nodelay on;' >> /etc/nginx/nginx.conf
  532. echo ' keepalive_timeout 65;' >> /etc/nginx/nginx.conf
  533. echo ' types_hash_max_size 2048;' >> /etc/nginx/nginx.conf
  534. echo ' server_tokens off;' >> /etc/nginx/nginx.conf
  535. echo '' >> /etc/nginx/nginx.conf
  536. echo ' # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf
  537. echo ' # server_name_in_redirect off;' >> /etc/nginx/nginx.conf
  538. echo '' >> /etc/nginx/nginx.conf
  539. echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf
  540. echo ' default_type application/octet-stream;' >> /etc/nginx/nginx.conf
  541. echo '' >> /etc/nginx/nginx.conf
  542. echo ' ##' >> /etc/nginx/nginx.conf
  543. echo ' # Logging Settings' >> /etc/nginx/nginx.conf
  544. echo ' ##' >> /etc/nginx/nginx.conf
  545. echo '' >> /etc/nginx/nginx.conf
  546. echo ' access_log /dev/null;' >> /etc/nginx/nginx.conf
  547. echo ' error_log /dev/null;' >> /etc/nginx/nginx.conf
  548. echo '' >> /etc/nginx/nginx.conf
  549. echo ' ###' >> /etc/nginx/nginx.conf
  550. echo ' # Gzip Settings' >> /etc/nginx/nginx.conf
  551. echo ' ##' >> /etc/nginx/nginx.conf
  552. echo ' gzip on;' >> /etc/nginx/nginx.conf
  553. echo ' gzip_disable "msie6";' >> /etc/nginx/nginx.conf
  554. echo '' >> /etc/nginx/nginx.conf
  555. echo ' # gzip_vary on;' >> /etc/nginx/nginx.conf
  556. echo ' # gzip_proxied any;' >> /etc/nginx/nginx.conf
  557. echo ' # gzip_comp_level 6;' >> /etc/nginx/nginx.conf
  558. echo ' # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf
  559. echo ' # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf
  560. echo ' # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf
  561. echo '' >> /etc/nginx/nginx.conf
  562. echo ' ##' >> /etc/nginx/nginx.conf
  563. echo ' # Virtual Host Configs' >> /etc/nginx/nginx.conf
  564. echo ' ##' >> /etc/nginx/nginx.conf
  565. echo '' >> /etc/nginx/nginx.conf
  566. echo ' include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf
  567. echo ' include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf
  568. echo '}' >> /etc/nginx/nginx.conf
  569. # install a script to easily enable and disable nginx virtual hosts
  570. if [ ! -d $INSTALL_DIR ]; then
  571. mkdir $INSTALL_DIR
  572. fi
  573. cd $INSTALL_DIR
  574. function_check git_clone
  575. git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite
  576. cd $INSTALL_DIR/nginx_ensite
  577. git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT
  578. set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"
  579. make install
  580. nginx_dissite default
  581. function_check configure_firewall_for_web_access
  582. configure_firewall_for_web_access
  583. mark_completed $FUNCNAME
  584. }
  585. function remove_certs {
  586. domain_name=$1
  587. if [ ! $domain_name ]; then
  588. return
  589. fi
  590. if [ -f /etc/ssl/certs/${domain_name}.dhparam ]; then
  591. rm /etc/ssl/certs/${domain_name}.dhparam
  592. fi
  593. if [ -f /etc/ssl/certs/${domain_name}.pem ]; then
  594. rm /etc/ssl/certs/${domain_name}.pem
  595. fi
  596. if [ -f /etc/ssl/certs/${domain_name}.crt ]; then
  597. rm /etc/ssl/certs/${domain_name}.crt
  598. fi
  599. if [ -f /etc/ssl/private/${domain_name}.key ]; then
  600. rm /etc/ssl/private/${domain_name}.key
  601. fi
  602. }
  603. function configure_firewall_for_web_access {
  604. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  605. return
  606. fi
  607. if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
  608. # docker does its own firewalling
  609. return
  610. fi
  611. if [[ $ONION_ONLY != "no" ]]; then
  612. return
  613. fi
  614. firewall_add HTTP 80 tcp
  615. firewall_add HTTPS 443 tcp
  616. mark_completed $FUNCNAME
  617. }
  618. function update_default_domain {
  619. echo $'Updating default domain'
  620. if [[ $ONION_ONLY == 'no' ]]; then
  621. if [ -d /etc/prosody ]; then
  622. if [ -d /etc/jitsi ]; then
  623. read_config_param "JITSI_DOMAIN_NAME"
  624. if [ ${#JITSI_DOMAIN_NAME} -gt 0 ]; then
  625. if [ -f /etc/ssl/private/${JITSI_DOMAIN_NAME}.key ]; then
  626. cp /etc/ssl/private/${JITSI_DOMAIN_NAME}.key /etc/prosody/certs/${JITSI_DOMAIN_NAME}.key
  627. fi
  628. if [ -f /etc/ssl/certs/${JITSI_DOMAIN_NAME}.crt ]; then
  629. cp /etc/ssl/certs/${JITSI_DOMAIN_NAME}.crt /etc/prosody/certs/${JITSI_DOMAIN_NAME}.pem
  630. fi
  631. if [ -f /etc/ssl/certs/${JITSI_DOMAIN_NAME}.pem ]; then
  632. cp /etc/ssl/certs/${JITSI_DOMAIN_NAME}.pem /etc/prosody/certs/${JITSI_DOMAIN_NAME}.pem
  633. fi
  634. fi
  635. fi
  636. if [ ! -d /etc/prosody/certs ]; then
  637. mkdir /etc/prosody/certs
  638. fi
  639. cp /etc/ssl/private/xmpp* /etc/prosody/certs
  640. cp /etc/ssl/private/${DEFAULT_DOMAIN_NAME}* /etc/prosody/certs
  641. cp /etc/ssl/certs/xmpp* /etc/prosody/certs
  642. cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}* /etc/prosody/certs
  643. if [ ! -f /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.dhparam ]; then
  644. if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam ]; then
  645. cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.dhparam
  646. fi
  647. fi
  648. if [ ! /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
  649. if [ ! /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.crt ]; then
  650. mv /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.crt /etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem
  651. fi
  652. else
  653. sed -i "s|/etc/prosody/certs/xmpp.key|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua
  654. sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua
  655. sed -i "s|/etc/prosody/certs/xmpp.key|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua
  656. sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua
  657. fi
  658. chown -R prosody:default /etc/prosody
  659. chmod -R 700 /etc/prosody/certs/*
  660. chmod 600 /etc/prosody/prosody.cfg.lua
  661. systemctl reload prosody
  662. fi
  663. if [ -d /var/lib/matrix ]; then
  664. if [ -f /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.pem ]; then
  665. cp /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.pem /var/lib/matrix/${MATRIX_DOMAIN_NAME}.tls.crt
  666. cp /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam /var/lib/matrix/${MATRIX_DOMAIN_NAME}.tls.dh
  667. cp /etc/ssl/private/${MATRIX_DOMAIN_NAME}.key /var/lib/matrix/${MATRIX_DOMAIN_NAME}.tls.key
  668. chown -R matrix:matrix /var/lib/matrix
  669. chmod -R 700 /var/lib/matrix/*.pem
  670. chmod -R 700 /var/lib/matrix/*.key
  671. chmod -R 700 /var/lib/matrix/*.dhparam
  672. systemctl restart turn
  673. systemctl restart matrix
  674. fi
  675. fi
  676. if [ -d /var/lib/mumble-server ]; then
  677. if [[ "$(cert_exists ${DEFAULT_DOMAIN_NAME} pem)" == "1" ]]; then
  678. cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /var/lib/mumble-server/mumble.pem
  679. cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam /var/lib/mumble-server/mumble.dhparam
  680. cp /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key /var/lib/mumble-server/mumble.key
  681. chown -R mumble-server:mumble-server /var/lib/mumble-server
  682. chmod -R 700 /var/lib/mumble-server/*.pem
  683. chmod -R 700 /var/lib/mumble-server/*.key
  684. chmod -R 700 /var/lib/mumble-server/*.dhparam
  685. systemctl restart mumble-server
  686. fi
  687. fi
  688. if [ -d /home/znc/.znc ]; then
  689. echo $'znc found'
  690. if [[ "$(cert_exists ${DEFAULT_DOMAIN_NAME} pem)" == "1" ]]; then
  691. pkill znc
  692. cat /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key > /home/znc/.znc/znc.pem
  693. chown znc:znc /home/znc/.znc/znc.pem
  694. chmod 700 /home/znc/.znc/znc.pem
  695. sed -i "s|CertFile =.*|CertFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/ngircd/ngircd.conf
  696. sed -i "s|DHFile =.*|DHFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam" /etc/ngircd/ngircd.conf
  697. sed -i "s|KeyFile =.*|KeyFile = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" /etc/ngircd/ngircd.conf
  698. echo $'irc certificates updated'
  699. systemctl restart ngircd
  700. su -c 'znc' - znc
  701. fi
  702. fi
  703. if [ -d /etc/dovecot ]; then
  704. if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then
  705. if ! grep -q "ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/dovecot/conf.d/10-ssl.conf; then
  706. sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/dovecot/conf.d/10-ssl.conf
  707. sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/dovecot/conf.d/10-ssl.conf
  708. systemctl restart dovecot
  709. fi
  710. fi
  711. fi
  712. if [ -d /etc/matrix-synapse ]; then
  713. cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /etc/matrix-synapse/homeserver.tls.crt
  714. cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam /etc/matrix-synapse/homeserver.tls.dh
  715. cp /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key /etc/matrix-synapse/homeserver.tls.key
  716. chown matrix-synapse: /etc/matrix-synapse/homeserver.tls.key
  717. chown matrix-synapse: /etc/matrix-synapse/homeserver.tls.dh
  718. chown matrix-synapse: /etc/matrix-synapse/homeserver.tls.crt
  719. chmod -R 700 /etc/matrix-synapse/homeserver.tls.key
  720. chmod -R 700 /etc/matrix-synapse/homeserver.tls.dh
  721. chmod -R 700 /etc/matrix-synapse/homeserver.tls.crt
  722. systemctl restart matrix-synapse
  723. fi
  724. fi
  725. }
  726. function create_default_web_site {
  727. if [ ! -f /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} ]; then
  728. # create a web site for the default domain
  729. if [ ! -d /var/www/${DEFAULT_DOMAIN_NAME}/htdocs ]; then
  730. mkdir -p /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
  731. if [ -d /root/${PROJECT_NAME} ]; then
  732. cd /root/${PROJECT_NAME}/website
  733. ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
  734. else
  735. if [ -d /home/${MY_USERNAME}/${PROJECT_NAME} ]; then
  736. cd /home/${MY_USERNAME}/${PROJECT_NAME}
  737. ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
  738. fi
  739. fi
  740. fi
  741. # add a config for the default domain
  742. nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME
  743. if [[ $ONION_ONLY == "no" ]]; then
  744. function_check nginx_http_redirect
  745. nginx_http_redirect $DEFAULT_DOMAIN_NAME
  746. echo 'server {' >> $nginx_site
  747. echo ' listen 443 ssl;' >> $nginx_site
  748. echo ' listen [::]:443 ssl;' >> $nginx_site
  749. echo " server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site
  750. echo '' >> $nginx_site
  751. echo ' # Security' >> $nginx_site
  752. function_check nginx_ssl
  753. nginx_ssl $DEFAULT_DOMAIN_NAME
  754. function_check nginx_disable_sniffing
  755. nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
  756. echo ' add_header Strict-Transport-Security max-age=15768000;' >> $nginx_site
  757. echo '' >> $nginx_site
  758. echo ' # Logs' >> $nginx_site
  759. echo ' access_log /dev/null;' >> $nginx_site
  760. echo ' error_log /dev/null;' >> $nginx_site
  761. echo '' >> $nginx_site
  762. echo ' # Root' >> $nginx_site
  763. echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site
  764. echo '' >> $nginx_site
  765. echo ' # Index' >> $nginx_site
  766. echo ' index index.html;' >> $nginx_site
  767. echo '' >> $nginx_site
  768. echo ' # Location' >> $nginx_site
  769. echo ' location / {' >> $nginx_site
  770. function_check nginx_limits
  771. nginx_limits $DEFAULT_DOMAIN_NAME '15m'
  772. echo ' }' >> $nginx_site
  773. echo '' >> $nginx_site
  774. echo ' # Restrict access that is unnecessary anyway' >> $nginx_site
  775. echo ' location ~ /\.(ht|git) {' >> $nginx_site
  776. echo ' deny all;' >> $nginx_site
  777. echo ' }' >> $nginx_site
  778. echo '}' >> $nginx_site
  779. else
  780. echo -n '' > $nginx_site
  781. fi
  782. echo 'server {' >> $nginx_site
  783. echo " listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;" >> $nginx_site
  784. echo " server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site
  785. echo '' >> $nginx_site
  786. function_check nginx_disable_sniffing
  787. nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
  788. echo '' >> $nginx_site
  789. echo ' # Logs' >> $nginx_site
  790. echo ' access_log /dev/null;' >> $nginx_site
  791. echo ' error_log /dev/null;' >> $nginx_site
  792. echo '' >> $nginx_site
  793. echo ' # Root' >> $nginx_site
  794. echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site
  795. echo '' >> $nginx_site
  796. echo ' # Location' >> $nginx_site
  797. echo ' location / {' >> $nginx_site
  798. function_check nginx_limits
  799. nginx_limits $DEFAULT_DOMAIN_NAME '15m'
  800. echo ' }' >> $nginx_site
  801. echo '' >> $nginx_site
  802. echo ' # Restrict access that is unnecessary anyway' >> $nginx_site
  803. echo ' location ~ /\.(ht|git) {' >> $nginx_site
  804. echo ' deny all;' >> $nginx_site
  805. echo ' }' >> $nginx_site
  806. echo '}' >> $nginx_site
  807. if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
  808. function_check create_site_certificate
  809. create_site_certificate $DEFAULT_DOMAIN_NAME 'yes'
  810. fi
  811. nginx_ensite $DEFAULT_DOMAIN_NAME
  812. fi
  813. }
  814. # NOTE: deliberately no exit 0