Install nginx and configure letsencrypt
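#!/bin/bash
# Interactive installer: sets up an nginx site for one host name, obtains a
# Let's Encrypt certificate with certbot (webroot challenge) and then switches
# the site over to HTTPS with a hardened TLS snippet.
#
# Requirements: run as root on an apt-based system, outbound network access,
# and the host name must already resolve to this machine (Let's Encrypt
# validates by fetching http://<host>/.well-known/... from it).
#
# Exit on error, on use of an unset variable, and on failure anywhere in a
# pipeline (the original `set -e` alone let the "$VAR" typo below go unnoticed).
set -euo pipefail

# Print an error to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Everything below writes under /etc and drives apt/systemctl; refuse up front
# instead of failing half-way through the install.
[[ $EUID -eq 0 ]] || die "this script must be run as root"

echo "Hello, what is your app name?"
read -r appname
# slugify the app name: transliterate to ASCII, collapse runs of anything that
# is not alphanumeric into '-', trim leading/trailing '-', lower-case.
# The sed patterns are quoted so the shell cannot glob-expand '[^a-zA-Z0-9]+'
# and the ERE alternation '|' reaches sed unchanged.
appslug="$(printf '%s' "$appname" \
  | iconv -t ascii//TRANSLIT \
  | sed -r 's/[^a-zA-Z0-9]+/-/g' \
  | sed -r 's/^-+|-+$//g' \
  | tr 'A-Z' 'a-z')"
# An all-punctuation name would otherwise produce files literally called "-80"/"-443".
[[ -n "$appslug" ]] || die "app name '$appname' contains no usable characters"

echo "What is the host name? (eg: example.com)"
read -r hostname
# The host name is written unquoted into nginx config, passed to certbot and
# used as a path component under /etc/letsencrypt/live/: only accept DNS
# label characters so a ';', whitespace or '/' cannot break the config or the path.
[[ "$hostname" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
  || die "invalid host name: '$hostname'"

echo "What is the root path for the project? (Leave empty for $(pwd))"
read -r rootpath
# The original tested "$VAR" (never set), so the answer was always discarded;
# test the variable that was actually read.
if [[ -z "$rootpath" ]]; then
  rootpath="$(pwd)"
fi
[[ -d "$rootpath" ]] || die "root path does not exist: '$rootpath'"
# nginx wants an absolute path, and the value is interpolated verbatim into
# the config, so reject characters that would terminate or split the directive.
rootpath="$(cd "$rootpath" && pwd)"
if [[ "$rootpath" =~ [[:space:]\;\"\'] ]]; then
  die "root path must not contain whitespace, ';' or quotes: '$rootpath'"
fi

#############################################################
# WE GOT THE VARIABLES, LET'S PROCEED WITH THE INSTALLATION #
#############################################################
# All questions were asked above; let apt run unattended from here on.
apt-get update
apt-get -y upgrade
echo "Installing webserver..."
apt-get -y install nginx

# nginx conf for port 80: plain HTTP only, used until the certificate exists.
cat > "/etc/nginx/sites-available/${appslug}-80" <<EOL
server {
    listen 80;
    server_name ${hostname};
    root ${rootpath};

    # Required for letsencrypt
    location ~ /.well-known {
        allow all;
    }
}
EOL

# nginx conf for port 443.
# - \$server_name / \$request_uri are nginx variables and must be escaped in
#   this unquoted heredoc; the original expanded them as (empty) shell
#   variables, producing "return 301 https://;" and a broken redirect.
# - The ACME challenge path stays reachable over plain HTTP so certbot
#   renewals keep working after the redirect is in place.
# - "ssl on;" is omitted: "listen ... ssl" already enables TLS and the
#   directive is deprecated/removed in newer nginx releases.
# - The HTTPS server now sets "root" too; the original left it out, so the
#   site would have been served from nginx's compiled-in default root.
cat > "/etc/nginx/sites-available/${appslug}-443" <<EOL
# Redirect 80 to 443 (except the ACME challenge path)
server {
    listen 80;
    listen [::]:80;
    server_name ${hostname};
    root ${rootpath};

    location ~ /.well-known {
        allow all;
    }

    location / {
        return 301 https://\$server_name\$request_uri;
    }
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-${appslug}.conf;
    include snippets/ssl-params.conf;
    server_name ${hostname};
    root ${rootpath};
}
EOL

# enable confs (-sfn so a re-run does not fail on an existing link)
ln -sfn "/etc/nginx/sites-available/${appslug}-80" /etc/nginx/sites-enabled/
# Check for syntax before touching the running server
nginx -t
systemctl restart nginx

echo "Configuring letsencrypt..."
add-apt-repository -y ppa:certbot/certbot
apt-get update
apt-get -y install certbot
# Create certificate via the webroot challenge, served by the port-80 site above
certbot certonly --webroot --webroot-path="${rootpath}" -d "${hostname}"
# Refuse to continue if certbot did not produce the expected directory; the
# ssl snippet below would otherwise point at files that do not exist.
live_dir="/etc/letsencrypt/live/${hostname}"
[[ -d "$live_dir" ]] || die "certificate directory not found: $live_dir"

# Generate strong Diffie-Hellman group to further increase security.
# This is slow, so reuse an existing group on re-runs.
if [[ ! -f /etc/ssl/certs/dhparam.pem ]]; then
  openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
fi

# Per-site certificate paths
cat > "/etc/nginx/snippets/ssl-${appslug}.conf" <<EOL
ssl_certificate ${live_dir}/fullchain.pem;
ssl_certificate_key ${live_dir}/privkey.pem;
EOL

# Create a conf with strong encryption settings.
# TLS 1.0/1.1 are dropped from the original protocol list: both are
# deprecated and the ciphers below are TLS 1.2 suites anyway. The TLSv1.3
# token needs an nginx built against OpenSSL 1.1.1 or later (nginx >= 1.13);
# on an older build remove it, "nginx -t" below will report it.
cat > /etc/nginx/snippets/ssl-params.conf <<EOL
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# disable HSTS header for now
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOL

# Now we can disable the http config and proceed with https
rm -f "/etc/nginx/sites-enabled/${appslug}-80"
ln -sfn "/etc/nginx/sites-available/${appslug}-443" /etc/nginx/sites-enabled/
nginx -t
systemctl restart nginx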