diff --git a/AppendCMS.sh b/AppendCMS.sh
index 39a1fce..b29f433 100644
--- a/AppendCMS.sh
+++ b/AppendCMS.sh
@@ -210,11 +210,17 @@ fi
 if [ $sslenable = 1 ]; then
 msg " Setting up SSL"
+ site_ext=ssl
 if [ $domainwww = 1 ]; then
 certbot --"$webserv" -n -d "$domain" -d "www.$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
 elif [ $domainwww = 0 ]; then
 certbot --"$webserv" -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
 fi
+ if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/ssl-handler.sh; then
+ source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/ssl-handler.sh)
+ fi
+elif [ $sslenable = 0 ]; then
+ site_ext=nossl
 fi
 wget -q -t7 "$repo"/raw/branch/"$branch"/Scripts/EnableSSL.sh -O ~/activateSSL-$domain.sh
diff --git a/CMS/nextcloud/nginx-conf.sh b/CMS/nextcloud/nginx-conf.sh
index b58c54f..92c2a70 100644
--- a/CMS/nextcloud/nginx-conf.sh
+++ b/CMS/nextcloud/nginx-conf.sh
@@ -3,9 +3,9 @@
 #Configuring nginx
 wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/nextcloud/Nginx-unconfigured -O /tmp/nginx-siteconf
 sed -i -e 's/PHPver/'$phpver'/g' -e 's/DOMAINname/'$domain'/' -e 's/SITEname/'$sitename'/' /tmp/nginx-siteconf
-sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-available/"$sitename"
+sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-available/"$sitename"_"$site_ext"
 if [ $sslenable = 0 ]; then
-sed -i -e '/fastcgi_param HTTPS/c\# fastcgi_param HTTPS' /etc/nginx/sites-available/"$sitename"
+ sed -i -e '/fastcgi_param HTTPS/c\# fastcgi_param HTTPS' /etc/nginx/sites-available/"$sitename"_nossl
 fi
 mkdir -p /var/www/"$domain"/html/data
 systemctl reload nginx
diff --git a/CMS/none/nginx-conf.sh b/CMS/none/nginx-conf.sh
index c96fa30..8990392 100644
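Review bot: The added `source <(curl --retry 7 --retry-delay 5 -s ...)` executes the response body as it streams, and that second curl has no `--fail`, so an HTTP error page, a transfer that drops part-way, or a transfer that curl restarts under `--retry` can run part of ssl-handler.sh (or run it twice) with the installer's privileges; the preceding `--head --fail` probe only shows the URL existed a moment earlier. Fetching to a file and checking the exit status before sourcing keeps the check and the execution on the same bytes: `handler=$(mktemp) && curl --retry 7 --retry-delay 5 -sSf -o "$handler" "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/ssl-handler.sh && source "$handler"`. The identical block is added to installer.sh in the last hunk. The new `if`/`elif` also leaves `site_ext` unset when `$sslenable` is neither 1 nor 0, which the CMS conf scripts in this commit then expand to a bare `"$sitename"_` path; an `else` that exits with a message would close that gap.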
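Review bot: The rewritten `sed -i ... /etc/nginx/sites-available/"$sitename"_"$site_ext"` depends on `site_ext` having been set by the caller; if it is empty or unset, sed reports `can't read .../"$sitename"_` and the CMS server block is never installed, while the script carries on to `systemctl reload nginx` as if it had succeeded. A guard at the top of the file, `: "${site_ext:?site_ext must be ssl or nossl}"`, turns that into an immediate, visible failure. The same `_"$site_ext"` line is added to CMS/none/nginx-conf.sh and CMS/wordpress/nginx-conf.sh in the next hunks and would benefit from the same guard.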
--- a/CMS/none/nginx-conf.sh
+++ b/CMS/none/nginx-conf.sh
@@ -1,6 +1,6 @@
 wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/none/Nginx-unconfigured -O /tmp/nginx-siteconf
 sed -i -e 's/PHPver/'$phpver'/g' -e 's/DOMAINname/'$domain'/' -e 's/SITEname/'$sitename'/' /tmp/nginx-siteconf
-sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-available/"$sitename"
+sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-available/"$sitename"_"$site_ext"
 mkdir -p /var/www/"$domain"/html
 echo "$webserv has been succsefully installed by the Wizard" > /var/www/$domain/html/index.html
diff --git a/CMS/wordpress/nginx-conf.sh b/CMS/wordpress/nginx-conf.sh
index f790870..f2acf64 100644
--- a/CMS/wordpress/nginx-conf.sh
+++ b/CMS/wordpress/nginx-conf.sh
@@ -1,7 +1,7 @@
 #Configuring nginx
 wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/wordpress/Nginx-unconfigured -O /tmp/nginx-siteconf
 sed -i -e 's/PHPver/'$phpver'/g' -e 's/DOMAINname/'$domain'/' -e 's/SITEname/'$sitename'/' /tmp/nginx-siteconf
-sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-available/"$sitename"
+sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-available/"$sitename"_"$site_ext"
 #Reloading Services
 systemctl reload nginx php$phpver-fpm
\ No newline at end of file
diff --git a/CoreModules/nginx/appendCMS-conf.sh b/CoreModules/nginx/appendCMS-conf.sh
index f144c6c..8dfa695 100644
--- a/CoreModules/nginx/appendCMS-conf.sh
+++ b/CoreModules/nginx/appendCMS-conf.sh
@@ -2,8 +2,21 @@
 # Nginx #
 #############
-wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured -O /etc/nginx/sites-available/"$sitename"
-sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$sitename"
-ln -s /etc/nginx/sites-available/"$sitename" /etc/nginx/sites-enabled/
+if [ $domainwww = 1 ]; then
+ #non-ssl
+ wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-wwwredir >> /etc/nginx/sites-available/"$sitename"_nossl
+ echo "" >> /etc/nginx/sites-available/"$sitename"_nossl
+ #ssl
+ wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site_ssl-wwwredir >> /etc/nginx/sites-available/"$sitename"_ssl
+ echo "" >> /etc/nginx/sites-available/"$sitename"_ssl
+fi
+
+#non-ssl
+wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured >> /etc/nginx/sites-available/"$sitename"_nossl
+sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$sitename"_nossl
+ln -s /etc/nginx/sites-available/"$sitename"_nossl /etc/nginx/sites-enabled/"$sitename"
+#ssl
+wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site_ssl-unconfigured >> /etc/nginx/sites-available/"$sitename"_ssl
+sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$sitename"_ssl
 systemctl reload nginx
\ No newline at end of file
diff --git a/CoreModules/nginx/conf.sh b/CoreModules/nginx/conf.sh
index ec27ec3..e5b4e11 100644
--- a/CoreModules/nginx/conf.sh
+++ b/CoreModules/nginx/conf.sh
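Review bot: The new `wget -q -t7 -O - ... >> /etc/nginx/sites-available/"$sitename"_nossl` lines append where the removed line wrote with `-O`, so running this script a second time for the same `$sitename` stacks another copy of every server block into both the `_nossl` and `_ssl` files (nginx then logs conflicting server name warnings and silently keeps the first block). The `>>` redirection also creates the target file before wget runs, and `-q` hides a failed download, so a network error leaves an empty or partial site file that the following `sed`, `ln -s` and `systemctl reload nginx` process as if it were complete. Fetching and checking before writing avoids both: `conf=$(wget -q -t7 -O - "$url") || exit 1` followed by `printf '%s\n' "$conf" >> "$target"`, or at least `: > "$target"` before the first append so each run starts from an empty file. The same append-through-redirect pattern is used in the first conf.sh hunk that follows.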
@@ -7,15 +7,24 @@ systemctl stop php${phpver}-fpm nginx
 mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled /etc/nginx/snippets /etc/nginx/modules-available /etc/nginx/modules-enabled /etc/nginx/snippets/
 wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/fastcgi.conf -O /etc/nginx/fastcgi.conf
 wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/fastcgi-php.conf -O /etc/nginx/snippets/fastcgi-php.conf
+wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/snippets-ssl.conf -O /etc/nginx/snippets/ngx-ssl.conf
 wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/nginx-default.conf -O /etc/nginx/nginx.conf
 if [ $domainwww = 1 ]; then
- wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-wwwredir >> /etc/nginx/sites-available/"$sitename"
- echo "" >> /etc/nginx/sites-available/"$sitename"
+ #non-ssl
+ wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-wwwredir >> /etc/nginx/sites-available/"$sitename"_nossl
+ echo "" >> /etc/nginx/sites-available/"$sitename"_nossl
+ #ssl
+ wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site_ssl-wwwredir >> /etc/nginx/sites-available/"$sitename"_ssl
+ echo "" >> /etc/nginx/sites-available/"$sitename"_ssl
 fi
-wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured >> /etc/nginx/sites-available/"$sitename"
-sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$sitename"
-ln -s /etc/nginx/sites-available/"$sitename" /etc/nginx/sites-enabled/
+#non-ssl
+wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured >> /etc/nginx/sites-available/"$sitename"_nossl
+sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$sitename"_nossl
+ln -s /etc/nginx/sites-available/"$sitename"_nossl /etc/nginx/sites-enabled/"$sitename"
+#ssl
+wget -q -t7 -O - 
"$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site_ssl-unconfigured >> /etc/nginx/sites-available/"$sitename"_ssl +sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$sitename"_ssl wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured -O /etc/nginx/sites-available/Backend sed -i -e 's/DOMAINname/'$hostname'/' /etc/nginx/sites-available/Backend @@ -27,6 +36,8 @@ wget -q -t7 "$repo"/raw/branch/"$branch"/Scripts/toggles/toggle-PhpMyAdmin_NGINX # custom Welcome page echo "$webserv is functioning normally" > /var/www/html/index.html + + ############### # PHP-FPM # ############### diff --git a/CoreModules/nginx/config/nginx/nginx-default.conf b/CoreModules/nginx/config/nginx/nginx-default.conf index bed94c6..a74cb27 100644 --- a/CoreModules/nginx/config/nginx/nginx-default.conf +++ b/CoreModules/nginx/config/nginx/nginx-default.conf @@ -28,17 +28,6 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; - ssl_protocols TLSv1.3 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - ssl_session_cache shared:SSL:20m; - ssl_session_timeout 180m; - ssl_ecdh_curve secp384r1; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options sameorigin; - add_header X-Content-Type-Options nosniff; - add_header X-Xss-Protection "1; mode=block"; - #access_log /var/log/nginx/access.log; access_log off; error_log /var/log/nginx/error.log; diff --git a/CoreModules/nginx/config/nginx/site_ssl-unconfigured b/CoreModules/nginx/config/nginx/site_ssl-unconfigured new file mode 100644 index 0000000..4178ca9 --- /dev/null +++ b/CoreModules/nginx/config/nginx/site_ssl-unconfigured 
@@ -0,0 +1,24 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name DOMAINname;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name DOMAINname;
+ ssl_certificate /etc/letsencrypt/live/DOMAINname/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/DOMAINname/privkey.pem;
+ include ../snippets/ngx-ssl.conf;
+
+
+
+#ConfHere
+
+}
\ No newline at end of file
diff --git a/CoreModules/nginx/config/nginx/site_ssl-wwwredir b/CoreModules/nginx/config/nginx/site_ssl-wwwredir
new file mode 100644
index 0000000..841cd48
--- /dev/null
+++ b/CoreModules/nginx/config/nginx/site_ssl-wwwredir
@@ -0,0 +1,18 @@
+server {
+ #www.domain > domain redirect
+ listen 80;
+ listen [::]:80;
+ server_name www.DOMAINname;
+ return 301 http://DOMAINname$request_uri;
+}
+
+server {
+ #SSL www.domain > domain redirect
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name www.DOMAINname;
+ ssl_certificate /etc/letsencrypt/live/DOMAINname/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/DOMAINname/privkey.pem;
+ include ../snippets/ngx-ssl.conf;
+ return 301 https://DOMAINname$request_uri;
+}
diff --git a/CoreModules/nginx/config/nginx/snippets-ssl.conf b/CoreModules/nginx/config/nginx/snippets-ssl.conf
new file mode 100644
index 0000000..57d0fd8
--- /dev/null
+++ b/CoreModules/nginx/config/nginx/snippets-ssl.conf
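Review bot: `include ../snippets/ngx-ssl.conf;` in the new 443 server block is resolved by nginx relative to the directory holding nginx.conf, not relative to the including file, so with the /etc/nginx layout that conf.sh sets up it points at /etc/snippets/ngx-ssl.conf instead of the /etc/nginx/snippets/ngx-ssl.conf that conf.sh downloads; `include snippets/ngx-ssl.conf;` (or the absolute path) matches the installed location. Until that is fixed every `_ssl` file fails `nginx -t`, and that is exactly the file ssl-handler.sh and EnableSSL.sh swap into sites-enabled. The same include appears in site_ssl-wwwredir in the next hunk. Because the block also hard-codes `/etc/letsencrypt/live/DOMAINname/` paths, the template is only valid once certbot has issued the certificate; a one-line comment at the top of the file stating that ordering would spare the next maintainer a failed reload.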
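Review bot: The port-80 block's `return 301 http://DOMAINname$request_uri;` sends www visitors to the apex over plaintext first and relies on the apex's own port-80 block to upgrade them, so every www request takes one more unencrypted hop than needed and the apex HSTS header is only seen on the second response. Since this file is only enabled after a certificate exists, `return 301 https://DOMAINname$request_uri;` in the first block removes that hop. This block also includes `../snippets/ngx-ssl.conf`, which has the same path-resolution problem noted on site_ssl-unconfigured.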
@@ -0,0 +1,10 @@
+ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_timeout 1440m;
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+add_header X-Frame-Options sameorigin;
+add_header X-Content-Type-Options nosniff;
+add_header X-Xss-Protection "1; mode=block";
+add_header Strict-Transport-Security "max-age=31536000" always;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
\ No newline at end of file
diff --git a/CoreModules/nginx/ssl-handler.sh b/CoreModules/nginx/ssl-handler.sh
new file mode 100644
index 0000000..370099f
--- /dev/null
+++ b/CoreModules/nginx/ssl-handler.sh
@@ -0,0 +1,3 @@
+rm /etc/nginx/sites-enabled/"$sitename"
+ln -s /etc/nginx/sites-available/"$sitename"_ssl /etc/nginx/sites-enabled/"$sitename"
+systemctl reload nginx
\ No newline at end of file
diff --git a/Scripts/EnableSSL.sh b/Scripts/EnableSSL.sh
index e838149..2c4f0ed 100644
--- a/Scripts/EnableSSL.sh
+++ b/Scripts/EnableSSL.sh
@@ -12,8 +12,8 @@ if [ $webservice = apache ]; then
 fi
 #Backing-up and removing current config
-sed -n '/#beginConf/,/#endConf/p' /etc/"$webservice"/sites-enabled/"$confname" > /tmp/"$confname"-config
-sed -n -i '/#beginConf/{:a;N;/#endConf/!ba;N;s/.*\n/#ConfHere\n/};p' /etc/"$webservice"/sites-enabled/"$confname"
+sed -n '/#beginConf/,/#endConf/p' /etc/"$webservice"/sites-available/"$confname"_nossl > /tmp/"$confname"-config
+sed -n -i '/#beginConf/{:a;N;/#endConf/!ba;N;s/.*\n/#ConfHere\n/};p' /etc/"$webservice"/sites-available/"$confname"_nossl
 systemctl reload $webservice
 #Enabling SSL
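Review bot: The `add_header` lines moved into this snippet only apply to server blocks that include it, and nginx replaces every inherited `add_header` as soon as a `location` block sets one of its own, so any CMS template that adds a header inside a location silently drops X-Frame-Options, X-Content-Type-Options and HSTS for that location. With the http-level copies removed from nginx-default.conf in this commit, the `_nossl` site and, as far as these hunks show, the Backend vhost built from site-unconfigured get none of these headers at all; keeping the header lines at http level (or in a second snippet every template includes) and leaving only the `ssl_*` directives here avoids both gaps. The HSTS value also drops the `includeSubDomains` that the removed http-level line carried — if that narrowing is intended, a comment saying why would help. `ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem` exists only after certbot's nginx installer has run, which is a second reason no enabled site may include this snippet before then.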
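Review bot: Nothing in the new ssl-handler.sh checks the result before `systemctl reload nginx`: if the `_ssl` file is invalid (certificate not yet issued, the snippet include path), the reload is refused and the running nginx keeps its old config, but sites-enabled now points at the broken file, so the next nginx restart fails with every site down. Swapping the link atomically and validating first, `ln -sfn /etc/nginx/sites-available/"$sitename"_ssl /etc/nginx/sites-enabled/"$sitename"` followed by `nginx -t && systemctl reload nginx`, also removes the window between `rm` and `ln -s` in which no site is enabled. Since the file is `source`d rather than executed, it runs inside the installer's shell with whatever `$sitename` is set there; a header comment such as `# sourced by installer.sh / AppendCMS.sh after certbot; expects $sitename` would document that contract.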
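Review bot: The backup the new first `sed -n` line writes to `/tmp/"$confname"-config` is a predictable name in a world-writable directory, and this script runs as root because it edits /etc/"$webservice", so a pre-existing file or symlink at that path is followed by the `>` redirection and the contents are read back into the site config by the `r` command in the next hunk. `cfg_backup=$(mktemp) || exit 1` near the top, with `"$cfg_backup"` in place of the /tmp path in both hunks, removes the predictable name. The enclosing `if [ $webservice = apache ]` check also suggests `$webservice` can be `apache`, yet only the nginx scripts in this commit create a `_nossl` file, so it is worth confirming the apache path still finds its config after this rename.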
@@ -24,6 +24,7 @@ elif [ $domainwww = 0 ]; then
 fi
 #Restoring config
-sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e "/#ConfHere1/ r /tmp/"$confname"-config" -e '/#ConfHere/c\' /etc/"$webservice"/sites-enabled/"$confname"
-
+sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e "/#ConfHere1/ r /tmp/"$confname"-config" -e '/#ConfHere/c\' /etc/"$webservice"/sites-available/"$confname"_ssl
+rm /etc/"$webservice"/sites-enabled/"$confname"
+ln -s /etc/"$webservice"/sites-available/"$sitename"_ssl /etc/nginx/sites-enabled/"$sitename"
 systemctl reload $webservice
\ No newline at end of file
diff --git a/installer.sh b/installer.sh
index 7aedf28..b6c52ed 100644
--- a/installer.sh
+++ b/installer.sh
@@ -535,13 +535,19 @@ done
 if [ $sslenable = 1 ]; then
-msg " Setting up SSL" 8 78
-if [ $domainwww = 1 ]; then
- certbot --"$webserv" -n -d "$domain" -d "www.$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
-elif [ $domainwww = 0 ]; then
- certbot --"$webserv" -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
-fi
+ msg " Setting up SSL" 8 78
+ site_ext=ssl
+ if [ $domainwww = 1 ]; then
+ certbot --"$webserv" -n -d "$domain" -d "www.$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+ elif [ $domainwww = 0 ]; then
+ certbot --"$webserv" -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+ fi
 certbot --"$webserv" -n -d "$hostname" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+ if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/ssl-handler.sh; then
+ source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/ssl-handler.sh)
+ fi
+elif [ $sslenable = 0 ]; then
+ site_ext=nossl
 fi
 wget -q -t7 "$repo"/raw/branch/"$branch"/Scripts/EnableSSL.sh -O ~/activateSSL-$domain.sh
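Review bot: The added `ln -s /etc/"$webservice"/sites-available/"$sitename"_ssl /etc/nginx/sites-enabled/"$sitename"` uses `$sitename` where every other line of this script uses `$confname`, and hard-codes `/etc/nginx/` where the rest uses `/etc/"$webservice"/`; unless `$sitename` happens to be set to the same value here, the link is created with a dangling target after the preceding `rm` has already removed the working site. `ln -s /etc/"$webservice"/sites-available/"$confname"_ssl /etc/"$webservice"/sites-enabled/"$confname"` keeps the naming consistent, and as with ssl-handler.sh the `rm`+`ln -s` pair is safer as a single `ln -sfn` followed by a config test (`nginx -t` on the nginx path) before `systemctl reload $webservice`, so a broken `_ssl` file is reported rather than left enabled for the next restart.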