nginx with certbot and an HTTP upstream
sudo apt-get update
sudo apt-get -y install nginx certbot python3-certbot-nginx
#dnsname="warbler-azure.frameable.com"
#email="[email protected]"
if ! test -f /etc/letsencrypt/live/$dnsname/fullchain.pem; then
sudo certbot --nginx -d "$dnsname" \
--email="$email" \
--agree-tos \
--no-eff-email
fi
cat <<EOF > /etc/nginx/nginx.conf
worker_processes 1;
worker_rlimit_nofile 200000;
events {
worker_connections 16384;
}
http {
# hides nginx version
server_tokens off;
include mime.types;
include /etc/nginx/conf.d/*.conf;
default_type application/octet-stream;
log_format main '\$http_x_forwarded_for - [\$time_local] \$host "\$request" '
'\$status \$body_bytes_sent "\$http_referer" '
'"\$http_user_agent"';
access_log /var/log/nginx/access.log main;
map \$http_upgrade \$connection_upgrade {
default "upgrade";
}
server {
server_name $dnsname; # managed by Certbot
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/$dnsname/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/$dnsname/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# Double of default: 4 8k
large_client_header_buffers 4 16k;
client_header_timeout 60;
client_body_timeout 60;
keepalive_timeout 30d;
gzip on;
gzip_comp_level 4;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
proxy_read_timeout 30d;
client_max_body_size 500m;
proxy_send_timeout 2800s;
send_timeout 2800s;
proxy_connect_timeout 2800s;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Connection "";
proxy_http_version 1.1;
chunked_transfer_encoding off;
proxy_buffering off;
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_cache off;
proxy_set_header Connection \$connection_upgrade;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$http_x_forwarded_proto;
proxy_hide_header X-Powered-By;
}
}
server {
listen 80 default_server;
return 301 https://\$host\$request_uri;
}
}
EOF
if ! test -f /etc/letsencrypt/live/$dnsname/fullchain.pem; then
rm /etc/nginx/sites-enabled/default
sudo systemctl restart nginx
fi