vestacp_reverse_proxy.sh

#!/bin/sh

#----------------------------------------------------------#
#                   settings                               #
#----------------------------------------------------------#

#text colors
redtext() { echo "$(tput setaf 1)$*$(tput setaf 9)"; }
greentext() { echo "$(tput setaf 2)$*$(tput setaf 9)"; }
yellowtext() { echo "$(tput setaf 3)$*$(tput setaf 9)"; }


#get info
memory=$(grep 'MemTotal' /proc/meminfo |tr ' ' '\n' |grep [0-9])  #get current server ram size
vIPAddress=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1  -d'/')

vHostname=$(hostname -f)
read -r -p "What e-mail address would you like to receive VestaCP alerts to? " vEmail
read -r -p "Please type a password to use with VestaCP: " vPassword
vAddString="--hostname $vHostname --email $vEmail --password $vPassword"

read -r -p "Please enter your real server IP: " vRealServer
read -r -p "Do you want to add SSH Key? [y/N] 
(if you don't have ssh key, you can generate it yourself using using tool like PuTTYgen) " vAddSsh

if [ $vAddSsh == "y" ] || [ $vAddSsh == "Y" ]; then
  read -r -p "Please input your public SSH Key: " vSshKey
fi

read -r -p "Do you want to make admin panel accesible to localhost only (you can still access admin panel using SSH tunnel)? [y/N] " vProtectAdminPanel





#----------------------------------------------------------#
#                   install vestacp                        #
#----------------------------------------------------------#

#install vestacp LAMP + remi (bypass question)
curl -O http://vestacp.com/pub/vst-install.sh
echo "y" | bash vst-install.sh --nginx yes --phpfpm yes --apache no --named no --remi no --vsftpd no --proftpd no --iptables no --fail2ban no --quota no --exim yes --dovecot no --spamassassin no --clamav no --softaculous no --mysql no --postgresql no $vAddString --force

greentext "Vestacp installed"




#----------------------------------------------------------#
#               setting nginx reverse proxy                #
#----------------------------------------------------------#

greentext "Configuring nginx as reverse proxy..."

vNginxConfigLoc="/home/admin/conf/web/$(hostname -f).nginx.conf"


#find 'listen' change all line to '80;' (for all occurence)
#sed -i -e '/listen/s/.*/listen 80;/' $vNginxConfigLoc

#find 'listen' changeline to '80;' (only on first occurence)
sed -i -e '0,/listen/s/listen.*/listen 80;/' $vNginxConfigLoc

#find 'server_name' change line to 'server_name $vIPAddress' (only on first occurence)
sed -i -e "0,/server_name/s/server_name.*/server_name $vIPAddress;/" $vNginxConfigLoc

#add nginx reverse proxy setting
nginx_setting='\n
\nserver {
\n	listen 80 default_server;
\n	listen [::]:80 default_server;
\n    server_name _ ;
\n	access_log  off;
\n    error_log off;
\n	
\n	return 301 https://$host$request_uri;
\n}
\n
\n
\nserver {
\n
\n   listen 443 default_server;
\n	listen [::]:443 default_server;
\n    server_name _ ;
\n	access_log  off;
\n    error_log off;
\n	
\n	ssl on;
\n    ssl_certificate /usr/local/vesta/ssl/certificate.crt;
\n    ssl_certificate_key /usr/local/vesta/ssl/certificate.key;
\n    ssl_session_cache shared:SSL:10m;
\n
\n	location / {
\n		proxy_pass      https://'"$vRealServer"';
\n		proxy_set_header Host $host;
\n	}
\n}
\n'
echo -e $nginx_setting >> $vNginxConfigLoc

#restart nginx
service nginx restart



#----------------------------------------------------------#
#                   install Monit                          #
#----------------------------------------------------------#

greentext "installing monit"

yum -y install monit
#chkconfig monit on

# Vesta Control Panel
wget http://c.vestacp.com/rhel/7/monit/vesta-nginx.conf -O /etc/monit.d/vesta-nginx.conf
wget http://c.vestacp.com/rhel/7/monit/vesta-php.conf -O /etc/monit.d/vesta-php.conf

# Nginx
wget http://c.vestacp.com/rhel/7/monit/nginx.conf -O /etc/monit.d/nginx.conf

# vesta-nginx (nginx for admin panel)
# wget http://c.vestacp.com/rhel/7/monit/vesta-nginx.conf -O /etc/monit.d/vesta-nginx.conf

# Apache
# wget http://c.vestacp.com/rhel/7/monit/httpd.conf -O /etc/monit.d/httpd.conf

# MySQL
# wget http://c.vestacp.com/rhel/7/monit/mysql.conf -O /etc/monit.d/mysql.conf

# Exim
wget http://c.vestacp.com/rhel/7/monit/exim.conf -O /etc/monit.d/exim.conf

# Dovecot
# wget http://c.vestacp.com/rhel/7/monit/dovecot.conf -O /etc/monit.d/dovecot.conf

# ClamAV
# wget http://c.vestacp.com/rhel/7/monit/clamd.conf -O /etc/monit.d/clamd.conf

# Spamassassin
# wget http://c.vestacp.com/rhel/7/monit/spamassassin.conf -O /etc/monit.d/spamassassin.conf

# OpenSSH
wget http://c.vestacp.com/rhel/7/monit/sshd.conf -O /etc/monit.d/sshd.conf

# vesta-php
# wget http://c.vestacp.com/rhel/7/monit/vesta-php.conf -O /etc/monit.d/vesta-php.conf

service monit start
check_result $? 'starting monit'


#----------------------------------------------------------#
#                  add SSH KEY                             #
#----------------------------------------------------------#

greentext "adding ssh key"

if [ $vAddSsh == "y" ] || [ $vAddSsh == "Y" ]; then

#create the ~/.ssh directory if it does not already exist (it safe beacuse of -p)
mkdir -p ~/.ssh

#add your public key (vps_4096 file)
echo $vSshKey >> ~/.ssh/authorized_keys

#make sure permission and ownership correct
chmod -R go= ~/.ssh
chown -R $USER:$USER ~/.ssh

#disable login with password
sed -i -e 's/#PermitRootLogin yes/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config

#restart ssh
systemctl reload sshd.service
check_result $? 'reloading sshd'

fi


#----------------------------------------------------------#
#               Disable shell login for admin              #
#----------------------------------------------------------#

greentext "disabling shell login for admin..."
/usr/local/vesta/bin/v-change-user-shell admin nologin



#----------------------------------------------------------#
#                 Protect Admin panel                      #
#----------------------------------------------------------#

greentext "making admin panel only accessible from localhost..."

#make vesta admin panel accessible only for localhost (use ssh tunnel to access it from anywhere something like "ssh user@server -L8083:localhost:8083")
if [ $vProtectAdminPanel == "y" ] || [ $vProtectAdminPanel == "Y" ]; then
  
  #admin panel
  sed -i -e '/8083/ s|0.0.0.0/0|127.0.0.1|' /usr/local/vesta/data/firewall/rules.conf
  ## OR USE THIS, but if the id is changing it wont work ## /usr/local/vesta/bin/v-change-firewall-rule 2 ACCEPT 127.0.0.1 8083 TCP VestaAdmin && service vesta restart

  #update firewall then restart vesta
  /usr/local/vesta/bin/v-update-firewall
  service vesta restart

fi


#----------------------------------------------------------#
#                          Done                            #
#----------------------------------------------------------#

#done
echo "Done!";
echo " ";
echo "You can access VestaCP here: https://$vIPAddress:8083/";
echo "Username: admin";
echo "Password: $vPassword";
echo " ";
echo " ";
echo "PLEASE REBOOT THE SERVER ONCE YOU HAVE COPIED THE DETAILS ABOVE.";

#reboot
read -r -p "Do you want to reboot now? [y/N] " vReboot
if [ $vReboot == "y" ] || [ $vReboot == "Y" ]; then
  reboot
fi