myvemail/nginx-setup.sh

#!/usr/bin/env bash
# Fill in the following variables
appname=            #google
proxyurl=           #http://webapps.kvm:4001
domain=             #www.google.com
eff_email_address=  #eff@eff.com

# Check privilege
if [ $(id -u) -ne 0 ]
then
    echo "This script must be run by root" >&2
    exit 1
fi

# Variable check
if [ -z ${appname} ] || [ -z ${proxyurl} ] || [ -z ${domain} ] || [ -z ${eff_email_address} ]
then
    echo "Missing variable, exiting..."
    exit 1
fi

# Figure out nginx conf directory
if grep -q 'include.*conf.d' /etc/nginx/nginx.conf
then
    nginxdir=/etc/nginx/conf.d
elif grep -q 'include.*sites-available' /etc/nginx/nginx.conf
then
    nginxdir=/etc/nginx/sites-available
    ln -s -f /etc/nginx/sites-available/${appname}.conf /etc/nginx/sites-enabled/
else
    echo "Missing nginx directory, exiting..."
    exit 1
fi

# Virtual proxy
cat <<- 'proxy' | \
sed -e "s|{{domain}}|${domain}|" \
    -e "s|{{proxyurl}}|${proxyurl}|" \
    -e "s|{{appname}}|${appname}|" | tee ${nginxdir}/${appname}.conf >/dev/null
server {
    server_name {{domain}};

    location / {
        proxy_pass {{proxyurl}};
        error_log  /var/log/nginx/{{appname}}_error.log;
        access_log /var/log/nginx/{{appname}}_access.log;

        # proxy_params;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;

        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_cache_bypass  $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # http_upgrade
    # Security
    server_tokens off;
    add_header X-Frame-Options                   "SAMEORIGIN"        	always;
    add_header X-Content-Type-Options            "nosniff"           	always;
    add_header X-XSS-Protection                  "1; mode=block"     	always;
    add_header Referrer-Policy                   "strict-origin"       	always;
    add_header X-Permitted-Cross-Domain-Policies "none"              	always;
    add_header X-Robots-Tag                      "noindex, nofollow" 	always;
    # add_header Content-Security-Policy 	    "default-src 'self';" 	always;

    # http2
    http2 on;

    # http3
    listen 443 quic;
    add_header Alt-Svc 'h3=":443"; ma=86400';
    quic_retry on;
    http3 on;

    # Certbot defaults
    listen 443 ssl;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
proxy

# Run certbot
if nginx -t
then
    certbot --nginx --non-interactive --agree-tos --no-eff-email -m ${eff_email_address} -d ${domain} \
        --staple-ocsp --hsts --no-redirect --renew-hook 'docker exec --interactive --tty myvemail /bin/ash -c "dovecot reload; postfix reload"'

    # Link certificates
    ln -s /etc/letsencrypt/live/${domain}/fullchain.pem ./data/ssl/tls.pem
    ln -s /etc/letsencrypt/live/${domain}/privkey.pem ./data/ssl/tls.key
fi
First commit 2024-08-09 12:50:33 +00:00			`#!/usr/bin/env bash`
			`# Fill in the following variables`
			`appname= #google`
			`proxyurl= #http://webapps.kvm:4001`
			`domain= #www.google.com`
			`eff_email_address= #eff@eff.com`

			`# Check privilege`
			`if [ $(id -u) -ne 0 ]`
			`then`
			`echo "This script must be run by root" >&2`
			`exit 1`
			`fi`

			`# Variable check`
			`if [ -z ${appname} ] \|\| [ -z ${proxyurl} ] \|\| [ -z ${domain} ] \|\| [ -z ${eff_email_address} ]`
			`then`
			`echo "Missing variable, exiting..."`
			`exit 1`
			`fi`

			`# Figure out nginx conf directory`
			`if grep -q 'include.*conf.d' /etc/nginx/nginx.conf`
			`then`
			`nginxdir=/etc/nginx/conf.d`
			`elif grep -q 'include.*sites-available' /etc/nginx/nginx.conf`
			`then`
			`nginxdir=/etc/nginx/sites-available`
			`ln -s -f /etc/nginx/sites-available/${appname}.conf /etc/nginx/sites-enabled/`
			`else`
			`echo "Missing nginx directory, exiting..."`
			`exit 1`
			`fi`

			`# Virtual proxy`
			`cat <<- 'proxy' \| \`
			`sed -e "s\|{{domain}}\|${domain}\|" \`
			`-e "s\|{{proxyurl}}\|${proxyurl}\|" \`
			`-e "s\|{{appname}}\|${appname}\|" \| tee ${nginxdir}/${appname}.conf >/dev/null`
			`server {`
			`server_name {{domain}};`

			`location / {`
			`proxy_pass {{proxyurl}};`
			`error_log /var/log/nginx/{{appname}}_error.log;`
			`access_log /var/log/nginx/{{appname}}_access.log;`

			`# proxy_params;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Host $host;`
			`proxy_set_header X-Forwarded-Port $server_port;`
			`proxy_set_header X-Forwarded-Scheme $scheme;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header Accept-Encoding "";`
			`proxy_set_header Host $host;`

			`client_body_buffer_size 512k;`
			`proxy_read_timeout 86400s;`
			`client_max_body_size 0;`

			`# Websocket`
			`proxy_http_version 1.1;`
			`proxy_cache_bypass $http_upgrade;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`}`

			`# http_upgrade`
			`# Security`
			`server_tokens off;`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`add_header Referrer-Policy "strict-origin" always;`
			`add_header X-Permitted-Cross-Domain-Policies "none" always;`
			`add_header X-Robots-Tag "noindex, nofollow" always;`
			`# add_header Content-Security-Policy "default-src 'self';" always;`

			`# http2`
			`http2 on;`

			`# http3`
			`listen 443 quic;`
			`add_header Alt-Svc 'h3=":443"; ma=86400';`
			`quic_retry on;`
			`http3 on;`

			`# Certbot defaults`
			`listen 443 ssl;`
			`include /etc/letsencrypt/options-ssl-nginx.conf;`
			`ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`
			`add_header Strict-Transport-Security "max-age=31536000" always;`
			`}`
			`proxy`

			`# Run certbot`
			`if nginx -t`
			`then`
			`certbot --nginx --non-interactive --agree-tos --no-eff-email -m ${eff_email_address} -d ${domain} \`
			`--staple-ocsp --hsts --no-redirect --renew-hook 'docker exec --interactive --tty myvemail /bin/ash -c "dovecot reload; postfix reload"'`

			`# Link certificates`
			`ln -s /etc/letsencrypt/live/${domain}/fullchain.pem ./data/ssl/tls.pem`
			`ln -s /etc/letsencrypt/live/${domain}/privkey.pem ./data/ssl/tls.key`
			`fi`