diff --git a/website/deploy.sh b/website/deploy.sh
index 4274bcd8115a48b1f967dba4d281b8bec01e9ab5..8c552b59828ff1376336d27aa457e795d01dbbdb 100755
--- a/website/deploy.sh
+++ b/website/deploy.sh
@@ -4,9 +4,17 @@ lang=$1
 dest_dir=$2
 PROJECT_NAME=freedombone
+
+CONFIGURATION_FILE=/root/${PROJECT_NAME}.cfg
+
+ONION_ONLY='no'
 site_domain=${PROJECT_NAME}.net
 site_onion_port=8149
+if [ -f "$CONFIGURATION_FILE" ]; then
+ ONION_ONLY=$(grep 'ONION_ONLY=' "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')
+fi
+
 if ! grep -q ":$site_onion_port" /etc/torrc.d/${PROJECT_NAME}; then
 { echo "HiddenServiceDir /var/lib/tor/hidden_service_${PROJECT_NAME}/";
 echo 'HiddenServiceVersion 3';
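Review bot: The lookup `ONION_ONLY=$(grep 'ONION_ONLY=' "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')` replaces the `ONION_ONLY='no'` default with an empty string whenever the key is missing from the config file, and an empty value then fails every later `== 'no'` test, so the clearnet vhost and the certificate step are silently skipped. The pattern is also unanchored, so any other key whose name ends in `ONION_ONLY=` would be picked up first, and if the config writer quotes its values (not visible here) the quotes come back as part of the value. Anchoring the match and only overriding the default when something was found avoids both: `value=$(grep '^ONION_ONLY=' "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')` followed by `[ -n "$value" ] && ONION_ONLY=$value`.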
@@ -14,84 +22,134 @@ if ! grep -q ":$site_onion_port" /etc/torrc.d/${PROJECT_NAME}; then
 systemctl restart tor
 fi
+if [[ "$ONION_ONLY" == 'no' ]]; then
+ { echo 'server {';
+ echo ' listen 80;';
+ echo ' listen [::]:80;';
+ echo " server_name ${site_domain};";
+ echo " root /var/www/${site_domain}/htdocs;";
+ echo ' access_log /dev/null;';
+ echo ' error_log /dev/null;';
+ echo ' client_max_body_size 20m;';
+ echo ' client_body_buffer_size 128k;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo '';
+ echo ' index index.php;';
+ echo " rewrite ^ https://\$server_name\$request_uri? permanent;";
+ echo '}';
+ echo '';
+ echo 'server {';
+ echo ' listen 443 ssl;';
+ echo " server_name ${site_domain};";
+ echo '';
+ echo ' gzip on;';
+ echo ' gzip_min_length 1000;';
+ echo ' gzip_proxied expired no-cache no-store private auth;';
+ echo ' gzip_types text/plain application/xml;';
+ echo '';
+ echo ' ssl_stapling off;';
+ echo ' ssl_stapling_verify off;';
+ echo ' ssl on;';
+ echo " ssl_certificate /etc/letsencrypt/live/${site_domain}/fullchain.pem;";
+ echo " ssl_certificate_key /etc/letsencrypt/live/${site_domain}/privkey.pem;";
+ echo " ssl_dhparam /etc/ssl/certs/${site_domain}.dhparam;";
+ echo '';
+ echo ' ssl_session_cache builtin:1000 shared:SSL:10m;'
+ echo ' ssl_session_timeout 60m;';
+ echo ' ssl_prefer_server_ciphers on;';
+ echo ' ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
+ echo " ssl_ciphers 
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';";
+ echo " add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";
+ echo ' add_header X-XSS-Protection "1; mode=block";';
+ echo ' add_header X-Robots-Tag none;';
+ echo ' add_header X-Download-Options noopen;';
+ echo ' add_header X-Permitted-Cross-Domain-Policies none;';
+ echo ' add_header X-Frame-Options DENY;';
+ echo ' add_header X-Content-Type-Options nosniff;';
+ echo '';
+ echo ' add_header Strict-Transport-Security max-age=15768000;';
+ echo '';
+ echo ' access_log /dev/null;';
+ echo ' error_log /dev/null;';
+ echo '';
+ echo " root /var/www/${site_domain}/htdocs;";
+ echo '';
+ echo ' index index.html;';
+ echo '';
+ echo ' location / {';
+ echo ' client_max_body_size 15m;';
+ echo ' client_body_buffer_size 1m;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo ' }';
+ echo '';
+ echo ' location /downloads {';
+ echo ' client_max_body_size 2G;';
+ echo ' client_body_buffer_size 128k;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo ' autoindex on;';
+ echo ' }';
+ echo '';
+ echo ' location ^~ /.well-known/ {';
+ echo ' allow all;';
+ echo ' }';
+ echo '}';
+ echo '';
+ 
echo '# TURN Server';
+ echo 'server {';
+ echo ' listen 3407 ssl;';
+ echo ' listen [::]:3407 ssl;';
+ echo " server_name ${site_domain};";
+ echo '';
+ echo ' ssl_stapling off;';
+ echo ' ssl_stapling_verify off;';
+ echo ' ssl on;';
+ echo " ssl_certificate /etc/letsencrypt/live/${site_domain}/fullchain.pem;";
+ echo " ssl_certificate_key /etc/letsencrypt/live/${site_domain}/privkey.pem;";
+ echo " ssl_dhparam /etc/ssl/certs/${site_domain}.dhparam;";
+ echo '';
+ echo ' ssl_session_cache builtin:1000 shared:SSL:10m;';
+ echo ' ssl_session_timeout 60m;';
+ echo ' ssl_prefer_server_ciphers on;';
+ echo ' ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
+ echo " ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';";
+ echo " add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";
+ echo ' add_header X-XSS-Protection "1; mode=block";';
+ echo ' add_header X-Robots-Tag none;';
+ echo ' add_header X-Download-Options noopen;';
+ echo ' add_header X-Permitted-Cross-Domain-Policies none;';
+ echo ' add_header X-Frame-Options DENY;';
+ echo ' add_header X-Content-Type-Options nosniff;';
+ echo '';
+ echo ' add_header Strict-Transport-Security max-age=15768000;';
+ echo '';
+ echo ' access_log /dev/null;';
+ echo ' error_log /dev/null;';
+ echo '';
+ echo ' index index.html;';
+ echo '';
+ 
echo ' location / {';
+ echo ' client_max_body_size 15m;';
+ echo ' client_body_buffer_size 128k;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo '';
+ echo ' proxy_pass http://localhost:3478;';
+ echo " proxy_set_header X-Forwarded-For \$remote_addr;";
+ echo ' }';
+ echo '}';
+ echo ''; } > /etc/nginx/sites-available/${site_domain}
+else
+ echo -n '' > /etc/nginx/sites-available/${site_domain}
+fi
+
 { echo 'server {';
- echo ' listen 80;';
- echo ' listen [::]:80;';
- echo " server_name ${site_domain};";
- echo " root /var/www/${site_domain}/htdocs;";
- echo ' access_log /dev/null;';
- echo ' error_log /dev/null;';
- echo ' client_max_body_size 20m;';
- echo ' client_body_buffer_size 128k;';
- echo '';
- echo ' limit_conn conn_limit_per_ip 10;';
- echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
- echo '';
- echo ' index index.php;';
- echo " rewrite ^ https://\$server_name\$request_uri? permanent;";
- echo '}';
- echo '';
- echo 'server {';
- echo ' listen 443 ssl;';
- echo " server_name ${site_domain};";
- echo '';
- echo ' gzip on;';
- echo ' gzip_min_length 1000;';
- echo ' gzip_proxied expired no-cache no-store private auth;';
- echo ' gzip_types text/plain application/xml;';
- echo '';
- echo ' ssl_stapling off;';
- echo ' ssl_stapling_verify off;';
- echo ' ssl on;';
- echo " ssl_certificate /etc/letsencrypt/live/${site_domain}/fullchain.pem;";
- echo " ssl_certificate_key /etc/letsencrypt/live/${site_domain}/privkey.pem;";
- echo " ssl_dhparam /etc/ssl/certs/${site_domain}.dhparam;";
- echo '';
- echo ' ssl_session_cache builtin:1000 shared:SSL:10m;'
- echo ' ssl_session_timeout 60m;';
- echo ' ssl_prefer_server_ciphers on;';
- echo ' ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
- echo " ssl_ciphers 
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';";
- echo " add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";
- echo ' add_header X-XSS-Protection "1; mode=block";';
- echo ' add_header X-Robots-Tag none;';
- echo ' add_header X-Download-Options noopen;';
- echo ' add_header X-Permitted-Cross-Domain-Policies none;';
- echo ' add_header X-Frame-Options DENY;';
- echo ' add_header X-Content-Type-Options nosniff;';
- echo '';
- echo ' add_header Strict-Transport-Security max-age=15768000;';
- echo '';
- echo ' access_log /dev/null;';
- echo ' error_log /dev/null;';
- echo '';
- echo " root /var/www/${site_domain}/htdocs;";
- echo '';
- echo ' index index.html;';
- echo '';
- echo ' location / {';
- echo ' client_max_body_size 15m;';
- echo ' client_body_buffer_size 1m;';
- echo '';
- echo ' limit_conn conn_limit_per_ip 10;';
- echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
- echo ' }';
- echo '';
- echo ' location /downloads {';
- echo ' client_max_body_size 2G;';
- echo ' client_body_buffer_size 128k;';
- echo '';
- echo ' limit_conn conn_limit_per_ip 10;';
- echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
- echo ' autoindex on;';
- echo ' }';
- echo '';
- echo ' location ^~ /.well-known/ {';
- echo ' allow all;';
- echo ' }';
- echo '}';
- echo '';
- 
echo 'server {';
 echo " listen 127.0.0.1:${site_onion_port} default_server;";
 echo " server_name ${site_domain};";
 echo '';
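Review bot: Both TLS server blocks written inside the new `if [[ "$ONION_ONLY" == 'no' ]]` branch (`listen 443 ssl` and the `# TURN Server` block on `listen 3407 ssl`) still emit `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and a cipher list containing the 3DES suites `ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA`. Since this commit already rewrites where these blocks live, it is the natural moment to change both `ssl_protocols` lines to `echo ' ssl_protocols TLSv1.2;';` and drop the four `DES-CBC3-SHA` entries from both `ssl_ciphers` strings, which removes the legacy protocol versions and the short-block cipher without affecting current browsers. Two smaller points in the same branch: the 443 block's `echo ' ssl_session_cache builtin:1000 shared:SSL:10m;'` lacks the trailing `;` that its 3407 twin has (harmless inside the group, where the newline terminates it, but inconsistent), and the `else` arm's `echo -n '' > /etc/nginx/sites-available/${site_domain}` is more idiomatically written `: > /etc/nginx/sites-available/${site_domain}`.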
@@ -128,51 +186,6 @@ fi
 echo ' }';
 echo '}';
 echo '';
- echo '# TURN Server';
- echo 'server {';
- echo ' listen 3407 ssl;';
- echo ' listen [::]:3407 ssl;';
- echo " server_name ${site_domain};";
- echo '';
- echo ' ssl_stapling off;';
- echo ' ssl_stapling_verify off;';
- echo ' ssl on;';
- echo " ssl_certificate /etc/letsencrypt/live/${site_domain}/fullchain.pem;";
- echo " ssl_certificate_key /etc/letsencrypt/live/${site_domain}/privkey.pem;";
- echo " ssl_dhparam /etc/ssl/certs/${site_domain}.dhparam;";
- echo '';
- echo ' ssl_session_cache builtin:1000 shared:SSL:10m;';
- echo ' ssl_session_timeout 60m;';
- echo ' ssl_prefer_server_ciphers on;';
- echo ' ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
- echo " ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';";
- echo " add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";
- echo ' add_header X-XSS-Protection "1; mode=block";';
- echo ' add_header X-Robots-Tag none;';
- echo ' add_header X-Download-Options noopen;';
- echo ' add_header X-Permitted-Cross-Domain-Policies none;';
- echo ' add_header X-Frame-Options DENY;';
- echo ' add_header X-Content-Type-Options nosniff;';
- echo '';
- echo ' add_header Strict-Transport-Security max-age=15768000;';
- echo '';
- echo ' access_log /dev/null;';
- echo ' error_log 
/dev/null;';
- echo '';
- echo ' index index.html;';
- echo '';
- echo ' location / {';
- echo ' client_max_body_size 15m;';
- echo ' client_body_buffer_size 128k;';
- echo '';
- echo ' limit_conn conn_limit_per_ip 10;';
- echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
- echo '';
- echo ' proxy_pass http://localhost:3478;';
- echo " proxy_set_header X-Forwarded-For \$remote_addr;";
- echo ' }';
- echo '}';
- echo '';
 echo 'server {';
 echo ' listen 127.0.0.1:8110 default_server;';
 echo " server_name ${site_domain};";
@@ -194,14 +207,16 @@ fi
 echo " proxy_set_header X-Forwarded-For \$remote_addr;";
 echo ' }';
 echo '}';
- echo '# End of TURN Server'; } > /etc/nginx/sites-available/${site_domain}
+ echo '# End of TURN Server'; } >> /etc/nginx/sites-available/${site_domain}
 nginx_ensite ${site_domain}
-if [ ! -f "/etc/letsencrypt/live/${site_domain}/fullchain.pem" ]; then
- DH_KEYLENGTH=2048
- LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
- ${PROJECT_NAME}-addcert -e "${site_domain}" -s "$LETSENCRYPT_SERVER" --dhkey "$DH_KEYLENGTH"
+if [[ "$ONION_ONLY" == 'no' ]]; then
+ if [ ! -f "/etc/letsencrypt/live/${site_domain}/fullchain.pem" ]; then
+ DH_KEYLENGTH=2048
+ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
+ ${PROJECT_NAME}-addcert -e "${site_domain}" -s "$LETSENCRYPT_SERVER" --dhkey "$DH_KEYLENGTH"
+ fi
 fi
 if [ ! "$lang" ]; then
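Review bot: The new certificate gate wraps the existing `[ ! -f ... ]` test in an outer `[[ "$ONION_ONLY" == 'no' ]]`, mixing both test syntaxes and adding a nesting level for what is a single condition; `if [[ "$ONION_ONLY" == 'no' && ! -f "/etc/letsencrypt/live/${site_domain}/fullchain.pem" ]]; then` says the same thing on one line with one `fi`. The exit status of `${PROJECT_NAME}-addcert` is still unchecked, so if issuance fails the site already enabled by `nginx_ensite ${site_domain}` on the line above points at `fullchain.pem`/`privkey.pem` files that do not exist; unless the script runs under `set -e` (not visible in this hunk), an explicit `|| exit 1` after the addcert call would make that failure stop the deploy. The `LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'` line is carried over unchanged; the ACME v1 endpoint has since been retired, so if the addcert helper accepts it, `https://acme-v02.api.letsencrypt.org/directory` is the endpoint that still issues.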