diff --git a/src/freedombone b/src/freedombone
index 7c2cabe80d697dd8665b0b9ce99682cd63f65d98..3f7bee2f191b15ff47eef25c0c397368af784079 100755
--- a/src/freedombone
+++ b/src/freedombone
@@ -1437,7 +1437,7 @@ function set_default_onion_domains {
     fi
 }
 
-function website_http_redirect {
+function nginx_http_redirect {
     # redirect port 80 to https
     domain_name=$1
     filename=/etc/nginx/sites-available/$domain_name
@@ -1456,6 +1456,21 @@ function website_http_redirect {
     echo '' >> $filename
 }
 
+function nginx_ssl {
+    # creates the SSL/TLS section for a website
+    domain_name=$1
+    filename=/etc/nginx/sites-available/$domain_name
+    echo '    ssl on;' >> $filename
+    echo "    ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename
+    echo "    ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename
+    echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename
+    echo '' >> $filename
+    echo '    ssl_session_timeout 60m;' >> $filename
+    echo '    ssl_prefer_server_ciphers on;' >> $filename
+    echo "    ssl_protocols $SSL_PROTOCOLS;" >> $filename
+    echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename
+}
+
 function set_repo_commit {
     repo_dir=$1
     repo_commit_name=$2
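Review bot: `nginx_ssl` hard-codes the certificate path as `/etc/ssl/certs/${domain_name}.crt`, but two of the call sites converted later in this diff used a different file name before: install_gnu_social wrote `$MICROBLOG_DOMAIN_NAME.pem` and install_hubzilla wrote `$HUBZILLA_DOMAIN_NAME.bundle.crt`. Unless those certificates are also created as `.crt` somewhere outside this diff, nginx will fail to load the two sites, and for Hubzilla the bundle (presumably leaf plus intermediates) would no longer be the file served. An optional second argument would keep the old behaviour, e.g. `cert_ext=${2:-crt}` and `echo "    ssl_certificate /etc/ssl/certs/${domain_name}.${cert_ext};" >> $filename`, with those two callers passing `pem` and `bundle.crt`. Separately, `domain_name` and `filename` are assigned without `local`, so each call overwrites any same-named variable in the installer that invoked it; `local domain_name=$1` would contain that.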
@@ -6475,7 +6490,7 @@ function install_owncloud {
     ln -s /usr/share/owncloud /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs
 
     if [[ $ONION_ONLY == "no" ]]; then
-        website_http_redirect $OWNCLOUD_DOMAIN_NAME
+        nginx_http_redirect $OWNCLOUD_DOMAIN_NAME
         echo 'server {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
         echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
         echo "    root /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
@@ -6486,15 +6501,7 @@ function install_owncloud {
         echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
         echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
         echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-        echo '    ssl on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-        echo "    ssl_certificate /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-        echo "    ssl_certificate_key /etc/ssl/private/$OWNCLOUD_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-        echo "    ssl_dhparam /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        nginx_ssl $OWNCLOUD_DOMAIN_NAME
         echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
         echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
         echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
@@ -6917,15 +6924,7 @@ function install_gogs {
         echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
         echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
         echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-        echo '    ssl on;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-        echo "    ssl_certificate /etc/ssl/certs/$GIT_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-        echo "    ssl_certificate_key /etc/ssl/private/$GIT_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-        echo "    ssl_dhparam /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        nginx_ssl $GIT_DOMAIN_NAME
         echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
         echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
         echo '    add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
@@ -7745,16 +7744,7 @@ function install_wiki {
         echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
         echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
         echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-        echo '    ssl on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-        echo "    ssl_certificate /etc/ssl/certs/$WIKI_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-        echo "    ssl_certificate_key /etc/ssl/private/$WIKI_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-        echo "    ssl_dhparam /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-        echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        nginx_ssl $WIKI_DOMAIN_NAME
         echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
         echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
         echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
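Review bot: The `ssl_session_cache  builtin:1000  shared:SSL:10m;` line removed here is not emitted by `nginx_ssl`, so the wiki site falls back to nginx's default session cache setting while still declaring `ssl_session_timeout 60m`. The same line is dropped in the install_blog, install_gnu_social and install_hubzilla hunks. If the removal is unintended, add `echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> $filename` to `nginx_ssl`. If it is deliberate, the commit message should say so, since the change otherwise reads as a pure refactor. install_wiki's body continues outside the hunk.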
@@ -8095,16 +8085,7 @@ function install_blog {
         echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
         echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
         echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-        echo '    ssl on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-        echo "    ssl_certificate /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-        echo "    ssl_certificate_key /etc/ssl/private/$FULLBLOG_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-        echo "    ssl_dhparam /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-        echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        nginx_ssl $FULLBLOG_DOMAIN_NAME
         echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
         echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
         echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
@@ -8672,22 +8653,13 @@ function install_gnu_social {
 
     microblog_nginx_site=/etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
     if [[ $ONION_ONLY == "no" ]]; then
-        website_http_redirect $MICROBLOG_DOMAIN_NAME
+        nginx_http_redirect $MICROBLOG_DOMAIN_NAME
         echo 'server {' >> $microblog_nginx_site
         echo '  listen 443 ssl;' >> $microblog_nginx_site
         echo "  server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site
         echo '' >> $microblog_nginx_site
         echo '  # Security' >> $microblog_nginx_site
-        echo '  ssl on;' >> $microblog_nginx_site
-        echo "  ssl_certificate /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.pem;" >> $microblog_nginx_site
-        echo "  ssl_certificate_key /etc/ssl/private/$MICROBLOG_DOMAIN_NAME.key;" >> $microblog_nginx_site
-        echo "  ssl_dhparam /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam;" >> $microblog_nginx_site
-        echo '' >> $microblog_nginx_site
-        echo '  ssl_session_timeout 60m;' >> $microblog_nginx_site
-        echo '  ssl_prefer_server_ciphers on;' >> $microblog_nginx_site
-        echo '  ssl_session_cache  builtin:1000  shared:SSL:10m;' >> $microblog_nginx_site
-        echo "  ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> $microblog_nginx_site
-        echo "  ssl_ciphers '$SSL_CIPHERS';" >> $microblog_nginx_site
+        nginx_ssl $MICROBLOG_DOMAIN_NAME
         echo '  add_header X-Frame-Options DENY;' >> $microblog_nginx_site
         echo '  add_header X-Content-Type-Options nosniff;' >> $microblog_nginx_site
         echo '  add_header Strict-Transport-Security max-age=15768000;' >> $microblog_nginx_site
@@ -9136,7 +9108,7 @@ function install_hubzilla {
     add_ddns_domain
 
     if [[ $ONION_ONLY == "no" ]]; then
-        website_http_redirect $HUBZILLA_DOMAIN_NAME
+        nginx_http_redirect $HUBZILLA_DOMAIN_NAME
         echo 'server {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
         echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
         echo "    root /var/www/$HUBZILLA_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
@@ -9151,16 +9123,7 @@ function install_hubzilla {
         echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
         echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
         echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-        echo '    ssl on;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-        echo "    ssl_certificate /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.bundle.crt;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-        echo "    ssl_certificate_key /etc/ssl/private/$HUBZILLA_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-        echo "    ssl_dhparam /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-        echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        nginx_ssl $HUBZILLA_DOMAIN_NAME
         echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
         echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
         echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
@@ -9548,15 +9511,7 @@ function install_mediagoblin {
     echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
     echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
     echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
-    echo '    ssl on;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
-    echo "    ssl_certificate /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
-    echo "    ssl_certificate_key /etc/ssl/private/$MEDIAGOBLIN_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
-    echo "    ssl_dhparam /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
-    echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
-    echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
-    echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
-    echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
+    nginx_ssl $MEDIAGOBLIN_DOMAIN_NAME
     echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
     echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
     echo '    add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME