From 462bd962375e149c65b795a14574a0bb4896487f Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sun, 30 Sep 2018 11:07:39 +0100
Subject: [PATCH] Include web configuration in deploy script
---
 website/deploy.sh | 189 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 189 insertions(+)
diff --git a/website/deploy.sh b/website/deploy.sh
index aee04d9df..9a52beafe 100755
--- a/website/deploy.sh
+++ b/website/deploy.sh
@@ -3,6 +3,193 @@
 lang=$1
 dest_dir=$2
+site_domain=freedombone.net
+site_onion_port=8149
+
+{ echo 'server {';
+ echo ' listen 80;';
+ echo ' listen [::]:80;';
+ echo " server_name ${site_domain};";
+ echo " root /var/www/${site_domain}/htdocs;";
+ echo ' access_log /dev/null;';
+ echo ' error_log /dev/null;';
+ echo ' client_max_body_size 20m;';
+ echo ' client_body_buffer_size 128k;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo '';
+ echo ' index index.php;';
+ echo " rewrite ^ https://\$server_name\$request_uri? permanent;";
+ echo '}';
+ echo '';
+ echo 'server {';
+ echo ' listen 443 ssl;';
+ echo " server_name ${site_domain};";
+ echo '';
+ echo ' gzip on;';
+ echo ' gzip_min_length 1000;';
+ echo ' gzip_proxied expired no-cache no-store private auth;';
+ echo ' gzip_types text/plain application/xml;';
+ echo '';
+ echo ' ssl_stapling off;';
+ echo ' ssl_stapling_verify off;';
+ echo ' ssl on;';
+ echo " ssl_certificate /etc/letsencrypt/live/${site_domain}/fullchain.pem;";
+ echo " ssl_certificate_key /etc/letsencrypt/live/${site_domain}/privkey.pem;";
+ echo " ssl_dhparam /etc/ssl/certs/${site_domain}.dhparam;";
+ echo '';
+ echo ' ssl_session_cache builtin:1000 shared:SSL:10m;'
+ echo ' ssl_session_timeout 60m;';
+ echo ' ssl_prefer_server_ciphers on;';
+ echo ' ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
+ echo " ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';";
+ echo " add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";
+ echo ' add_header X-XSS-Protection "1; mode=block";';
+ echo ' add_header X-Robots-Tag none;';
+ echo ' add_header X-Download-Options noopen;';
+ echo ' add_header X-Permitted-Cross-Domain-Policies none;';
+ echo ' add_header X-Frame-Options DENY;';
+ echo ' add_header X-Content-Type-Options nosniff;';
+ echo '';
+ echo ' add_header Strict-Transport-Security max-age=15768000;';
+ echo '';
+ echo ' access_log /dev/null;';
+ echo ' error_log /dev/null;';
+ echo '';
+ echo " root /var/www/${site_domain}/htdocs;";
+ echo '';
+ echo ' index index.html;';
+ echo '';
+ echo ' location / {';
+ echo ' client_max_body_size 15m;';
+ echo ' client_body_buffer_size 1m;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo ' }';
+ echo '';
+ echo ' location /downloads {';
+ echo ' client_max_body_size 2G;';
+ echo ' client_body_buffer_size 128k;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo ' autoindex on;';
+ echo ' }';
+ echo '';
+ echo ' location ^~ /.well-known/ {';
+ echo ' allow all;';
+ echo ' }';
+ echo '}';
+ echo '';
+ echo 'server {';
+ echo " listen 127.0.0.1:${site_onion_port} default_server;";
+ echo " server_name ${site_domain};";
+ echo '';
+ echo ' add_header X-Frame-Options DENY;';
+ echo ' add_header X-Content-Type-Options nosniff;';
+ echo '';
+ echo ' access_log /dev/null;';
+ echo ' error_log /dev/null;';
+ echo '';
+ echo " root /var/www/${site_domain}/htdocs;";
+ echo '';
+ echo ' index index.html;';
+ echo '';
+ echo ' location / {';
+ echo ' #proxy_pass http://127.0.0.1:8099;';
+ echo ' client_max_body_size 15m;';
+ echo ' client_body_buffer_size 1m;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo ' }';
+ echo '';
+ echo ' location ^~ /downloads/ {';
+ echo ' client_max_body_size 1m;';
+ echo ' client_body_buffer_size 128k;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo ' autoindex on;';
+ echo ' }';
+ echo '';
+ echo ' location ^~ /.well-known/ {';
+ echo ' allow all;';
+ echo ' }';
+ echo '}';
+ echo '';
+ echo '# TURN Server';
+ echo 'server {';
+ echo ' listen 3407 ssl;';
+ echo ' listen [::]:3407 ssl;';
+ echo " server_name ${site_domain};";
+ echo '';
+ echo ' ssl_stapling off;';
+ echo ' ssl_stapling_verify off;';
+ echo ' ssl on;';
+ echo " ssl_certificate /etc/letsencrypt/live/${site_domain}/fullchain.pem;";
+ echo " ssl_certificate_key /etc/letsencrypt/live/${site_domain}/privkey.pem;";
+ echo " ssl_dhparam /etc/ssl/certs/${site_domain}.dhparam;";
+ echo '';
+ echo ' ssl_session_cache builtin:1000 shared:SSL:10m;';
+ echo ' ssl_session_timeout 60m;';
+ echo ' ssl_prefer_server_ciphers on;';
+ echo ' ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
+ echo " ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';";
+ echo " add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";
+ echo ' add_header X-XSS-Protection "1; mode=block";';
+ echo ' add_header X-Robots-Tag none;';
+ echo ' add_header X-Download-Options noopen;';
+ echo ' add_header X-Permitted-Cross-Domain-Policies none;';
+ echo ' add_header X-Frame-Options DENY;';
+ echo ' add_header X-Content-Type-Options nosniff;';
+ echo '';
+ echo ' add_header Strict-Transport-Security max-age=15768000;';
+ echo '';
+ echo ' access_log /dev/null;';
+ echo ' error_log /dev/null;';
+ echo '';
+ echo ' index index.html;';
+ echo '';
+ echo ' location / {';
+ echo ' client_max_body_size 15m;';
+ echo ' client_body_buffer_size 128k;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo '';
+ echo ' proxy_pass http://localhost:3478;';
+ echo " proxy_set_header X-Forwarded-For \$remote_addr;";
+ echo ' }';
+ echo '}';
+ echo '';
+ echo 'server {';
+ echo ' listen 127.0.0.1:8110 default_server;';
+ echo " server_name ${site_domain};";
+ echo '';
+ echo ' add_header X-Frame-Options DENY;';
+ echo ' add_header X-Content-Type-Options nosniff;';
+ echo '';
+ echo ' access_log /dev/null;';
+ echo ' error_log /dev/null;';
+ echo '';
+ echo ' location / {';
+ echo ' client_max_body_size 15m;';
+ echo ' client_body_buffer_size 128k;';
+ echo '';
+ echo ' limit_conn conn_limit_per_ip 10;';
+ echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;';
+ echo '';
+ echo ' proxy_pass http://localhost:3478;';
+ echo " proxy_set_header X-Forwarded-For \$remote_addr;";
+ echo ' }';
+ echo '}';
+ echo '# End of TURN Server'; } > /etc/nginx/sites-available/${site_domain}
+
+nginx_ensite ${site_domain}
+
 if [ ! "$lang" ]; then
 lang='EN'
 fi
@@ -28,4 +215,6 @@ fi
 cp "$lang/images.txt" "$dest_dir/downloads"
 chown -R www-data:www-data "$dest_dir"
+systemctl restart nginx
+
 echo "Website deployed to $dest_dir"
-- 
GitLab
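Review bot: Both TLS server blocks the hunk generates (the `listen 443 ssl;` block and the `# TURN Server` block on 3407) emit `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with a cipher list that still ends in 3DES (`DES-CBC3-SHA`) and static-RSA `AES*-SHA*` suites, so a client can be negotiated down to a protocol and suite without forward secrecy even though the same block sets HSTS and the other hardening headers. Emitting `ssl_protocols TLSv1.2;` and trimming the `DES-CBC3-SHA` and non-ECDHE/DHE entries from the cipher string would make the transport match the intent of those headers; `ssl on;` is also redundant with `listen 443 ssl;` and is deprecated in newer nginx. Separately, the redirect into `/etc/nginx/sites-available/${site_domain}` and the following `nginx_ensite ${site_domain}` are run without checking their exit status, and no `set -e` is visible in the hunk, so a failed write or enable still falls through to the nginx restart further down; `nginx_ensite "${site_domain}" || exit 1` would stop the deploy at that point. Since the whole TLS stanza is duplicated verbatim between the two blocks, emitting it once from a small function would keep the two copies from drifting apart on the next hardening change.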
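Review bot: `systemctl restart nginx` is issued against the site file that was just generated earlier in this diff without validating it, so a syntax error in the generated config takes down every site nginx serves on the host rather than only this one. Running `nginx -t || exit 1` immediately before it, and preferring `systemctl reload nginx` so in-flight connections are not dropped, keeps a bad deploy from becoming an outage. The restart's own exit status is also ignored, so the script still prints `Website deployed to $dest_dir` when nginx failed to come back up; `systemctl reload nginx || exit 1` would make the final message truthful.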