mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-11-21 09:01:33 -05:00
Compare commits
2 Commits
01da22602b
...
ff53556f25
Author | SHA1 | Date | |
---|---|---|---|
ff53556f25 | |||
07034675a1 |
@ -1,5 +0,0 @@
|
|||||||
# Sample Scripts
|
|
||||||
|
|
||||||
These are sample scripts to set up some common stacks, meant to be run after the main scripts have been run.
|
|
||||||
|
|
||||||
I am writing these for convenience and to do demos. I do not actually use them in production, so they will not be maintained properly like the main scripts.
|
|
@ -1,155 +0,0 @@
|
|||||||
# RHEL 9 LEMP Drupal Multisite
|
|
||||||
|
|
||||||
First you need to run the following scripts:
|
|
||||||
|
|
||||||
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/RHEL-9.sh
|
|
||||||
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/sample-scripts/RHEL-9-LEMP.sh
|
|
||||||
|
|
||||||
## Install composer
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo dnf install -y composer
|
|
||||||
```
|
|
||||||
|
|
||||||
## Install other necessary packages
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo dnf install -y php-gd php-mysqlnd php-opcache php-pdo unzip
|
|
||||||
```
|
|
||||||
|
|
||||||
## Setup Directory Structure
|
|
||||||
|
|
||||||
```
|
|
||||||
# Add unprivileged user for drupal
|
|
||||||
sudo useradd -U -m -s /bin/bash drupal
|
|
||||||
|
|
||||||
# Make drupal directory
|
|
||||||
|
|
||||||
sudo mkdir -p /srv/drupal
|
|
||||||
sudo chown drupal:drupal /srv/drupal
|
|
||||||
|
|
||||||
# Setup ACL
|
|
||||||
sudo setfacl -dm u:nginx:rwx /srv/drupal
|
|
||||||
sudo setfacl -m u:nginx:rwx /srv/drupal
|
|
||||||
|
|
||||||
# Setup SELinux context
|
|
||||||
sudo semanage fcontext -a -t httpd_sys_content_t "$(realpath /srv/drupal)(/.*)?"
|
|
||||||
sudo semanage fcontext -a -t httpd_sys_rw_content_t "$(realpath /srv/drupal)(/.*)/web/sites(/.*)/files(/.*)?"
|
|
||||||
sudo semanage fcontext -a -t httpd_sys_rw_content_t "$(realpath /srv/drupal)(/.*)/web/sites(/.*)/settings.php"
|
|
||||||
sudo restorecon -Rv /srv/drupal
|
|
||||||
```
|
|
||||||
|
|
||||||
## Install Drupal
|
|
||||||
|
|
||||||
Switch to the `drupal` user:
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo su - drupal
|
|
||||||
```
|
|
||||||
|
|
||||||
As the drupal user, run:
|
|
||||||
|
|
||||||
```
|
|
||||||
# This is only needed on RHEL, for some reason upstream composer on Ubuntu sets the correct permission regardless of umask
|
|
||||||
umask 022
|
|
||||||
|
|
||||||
cd /srv/drupal
|
|
||||||
composer create-project drupal/recommended-project drupal.yourdomain.tld
|
|
||||||
cp /srv/drupal/drupal.yourdomain.tld/web/sites/default/default.settings.php /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
|
|
||||||
```
|
|
||||||
|
|
||||||
Exit the drupal user:
|
|
||||||
```
|
|
||||||
exit
|
|
||||||
```
|
|
||||||
|
|
||||||
Fix the labels (why mkdir is giving us the wrong label idk, need more investigation):
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo restorecon -Rv /srv/drupal
|
|
||||||
```
|
|
||||||
|
|
||||||
## Generate an SSL certificate
|
|
||||||
|
|
||||||
```
|
|
||||||
certbot certonly --nginx --no-eff-email \
|
|
||||||
--key-type ecdsa \
|
|
||||||
--cert-name drupal.yourdomain.tld \
|
|
||||||
-d drupal.yourdomain.tld
|
|
||||||
```
|
|
||||||
|
|
||||||
## NGINX configuration file
|
|
||||||
|
|
||||||
As root, download [this file](https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/sample-configurations/snippets/security-drupal-no-proxy.conf) and put it in `/etc/nginx/snippets/security-drupal-no-proxy.conf`
|
|
||||||
|
|
||||||
As root, put the following file in `/etc/nginx/conf.d/sites_drupal.conf`:
|
|
||||||
|
|
||||||
```
|
|
||||||
server {
|
|
||||||
listen 443 quic reuseport;
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 quic reuseport;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
server_name drupal.yourdomain.tld;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem;
|
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem;
|
|
||||||
|
|
||||||
include snippets/hsts.conf;
|
|
||||||
include snippets/security-drupal-no-proxy.conf;
|
|
||||||
include snippets/cross-origin-security.conf;
|
|
||||||
include snippets/quic.conf;
|
|
||||||
|
|
||||||
add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests";
|
|
||||||
|
|
||||||
index index.php;
|
|
||||||
root /srv/drupal/drupal.yourdomain.tld/web;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php?$args;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
fastcgi_pass unix:/var/run/php-fpm/www.sock;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
include fastcgi_params;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
**Notes**: `listen 443 quic reuseport;` is only needed once. If you plan to have multiple vhosts on this setup with SSL, consider making a dedicated vhost for this config so that it is nicer and easier to manage. An example can be found [here](https://github.com/TommyTran732/NGINX-Configs/blob/main/etc/nginx/conf.d/sites_default_quic.conf).
|
|
||||||
|
|
||||||
## Setup the Database for Drupal
|
|
||||||
|
|
||||||
As root, log into MariaDB:
|
|
||||||
|
|
||||||
```
|
|
||||||
mariadb -uroot
|
|
||||||
```
|
|
||||||
|
|
||||||
Run the following queries:
|
|
||||||
```
|
|
||||||
CREATE DATABASE drupal_default CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
||||||
CREATE USER 'drupal_default'@'127.0.0.1' IDENTIFIED BY 'yourPassword';
|
|
||||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupal_default.* TO 'drupal_default'@'127.0.0.1';
|
|
||||||
exit
|
|
||||||
```
|
|
||||||
|
|
||||||
## Configure Drupal
|
|
||||||
|
|
||||||
Go to drupal.yourdomain.tld and follow the prompts.
|
|
||||||
|
|
||||||
Switch to the `drupal` user:
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo su - drupal
|
|
||||||
```
|
|
||||||
|
|
||||||
As the drupal user, run:
|
|
||||||
|
|
||||||
```
|
|
||||||
chmod 400 /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
|
|
||||||
setfacl -m u:nginx:r /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
|
|
||||||
```
|
|
@ -1,68 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
# Copyright (C) 2024 Thien Tran
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
||||||
# use this file except in compliance with the License. You may obtain a copy of
|
|
||||||
# the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations under
|
|
||||||
# the License.
|
|
||||||
|
|
||||||
# Assumes that it is run AFTER https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/RHEL.sh
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
output(){
|
|
||||||
printf '\e[1;34m%-6s\e[m\n' "${@}"
|
|
||||||
}
|
|
||||||
|
|
||||||
unpriv(){
|
|
||||||
sudo -u nobody "$@"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Remove hardened_malloc (It breaks php-fpm)
|
|
||||||
sudo rm -rf /etc/ld.so.preload
|
|
||||||
sudo dnf remove -y hardened_malloc
|
|
||||||
|
|
||||||
# Install NGINX
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/yum.repos.d/nginx.repo | sudo tee /etc/yum.repos.d/nginx.repo > /dev/null
|
|
||||||
sudo chmod 644 /etc/yum.repos.d/nginx.repo
|
|
||||||
sudo dnf install -y nginx
|
|
||||||
|
|
||||||
# Install EPEL
|
|
||||||
sudo subscription-manager repos --enable "codeready-builder-for-rhel-9-$(arch)-rpms"
|
|
||||||
sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
|
|
||||||
|
|
||||||
# Install certbot
|
|
||||||
sudo dnf install -y certbot python3-certbot-nginx
|
|
||||||
|
|
||||||
# Install PHP
|
|
||||||
sudo dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
|
|
||||||
sudo dnf module install -y php:remi-8.3/common
|
|
||||||
sudo systemctl enable --now php-fpm
|
|
||||||
|
|
||||||
# Install MariaDB
|
|
||||||
unpriv curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | sudo bash
|
|
||||||
sudo dnf install -y MariaDB-server
|
|
||||||
sudo systemctl enable --now mariadb
|
|
||||||
|
|
||||||
# Secure MariaDB
|
|
||||||
output "Running mariadb-secure-installation."
|
|
||||||
output "You should answer yes to everything except setting the root password."
|
|
||||||
output "This is already done via the UNIX socket if you switch it with the prompts so you should be okay."
|
|
||||||
sudo mariadb-secure-installation
|
|
||||||
|
|
||||||
# Run NGINX Setup script
|
|
||||||
unpriv curl -LsS https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/setup.sh | sudo bash
|
|
||||||
|
|
||||||
# Fix PHP permission
|
|
||||||
sudo sed -i 's/user = apache/user = nginx/g' /etc/php-fpm.d/www.conf
|
|
||||||
sudo sed -i 's/group = apache/group = nginx/g' /etc/php-fpm.d/www.conf
|
|
||||||
sudo chgrp nginx /var/lib/php/opcache /var/lib/php/session /var/lib/php/wsdlcache
|
|
||||||
sudo systemctl restart php-fpm
|
|
@ -1,146 +0,0 @@
|
|||||||
# Ubuntu 24.04 LEMP Drupal
|
|
||||||
|
|
||||||
First you need to run the following scripts:
|
|
||||||
|
|
||||||
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/Ubuntu-24.04-Server.sh
|
|
||||||
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/sample-scripts/Ubuntu-24.04-LEMP.sh
|
|
||||||
|
|
||||||
## Install composer
|
|
||||||
|
|
||||||
```
|
|
||||||
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
|
||||||
php composer-setup.php
|
|
||||||
php -r "unlink('composer-setup.php');"
|
|
||||||
|
|
||||||
sudo chown root:root composer.phar
|
|
||||||
sudo mv composer.phar /usr/local/bin
|
|
||||||
```
|
|
||||||
|
|
||||||
## Install other necessary packages
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo apt install -y unzip
|
|
||||||
```
|
|
||||||
|
|
||||||
## Setup Directory Structure
|
|
||||||
|
|
||||||
```
|
|
||||||
# Add unprivileged user for drupal
|
|
||||||
sudo useradd -U -m -s /bin/bash drupal
|
|
||||||
|
|
||||||
# Make drupal directory
|
|
||||||
|
|
||||||
sudo mkdir -p /srv/drupal
|
|
||||||
sudo chown drupal:drupal /srv/drupal
|
|
||||||
|
|
||||||
# Setup ACL
|
|
||||||
sudo apt install -y acl
|
|
||||||
sudo setfacl -dm u:nginx:rwx /srv/drupal
|
|
||||||
sudo setfacl -m u:nginx:rwx /srv/drupal
|
|
||||||
```
|
|
||||||
|
|
||||||
## Install Drupal
|
|
||||||
|
|
||||||
Switch to the `drupal` user:
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo su - drupal
|
|
||||||
```
|
|
||||||
|
|
||||||
As the drupal user, run:
|
|
||||||
|
|
||||||
```
|
|
||||||
cd /srv/drupal
|
|
||||||
composer create-project drupal/recommended-project drupal.yourdomain.tld
|
|
||||||
cp /srv/drupal/drupal.yourdomain.tld/web/sites/default/default.settings.php /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
|
|
||||||
```
|
|
||||||
|
|
||||||
Exit the drupal user:
|
|
||||||
```
|
|
||||||
exit
|
|
||||||
```
|
|
||||||
|
|
||||||
## Generate an SSL certificate
|
|
||||||
|
|
||||||
```
|
|
||||||
certbot certonly --nginx --no-eff-email \
|
|
||||||
--key-type ecdsa \
|
|
||||||
--cert-name drupal.yourdomain.tld \
|
|
||||||
-d drupal.yourdomain.tld
|
|
||||||
```
|
|
||||||
|
|
||||||
## NGINX configuration file
|
|
||||||
|
|
||||||
As root, download [this file](https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/sample-configurations/snippets/security-drupal-no-proxy.conf) and put it in `/etc/nginx/snippets/security-drupal-no-proxy.conf`
|
|
||||||
|
|
||||||
As root, put the following file in `/etc/nginx/conf.d/sites_drupal.conf`:
|
|
||||||
|
|
||||||
```
|
|
||||||
server {
|
|
||||||
listen 443 quic reuseport;
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 quic reuseport;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
server_name drupal.yourdomain.tld;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem;
|
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem;
|
|
||||||
|
|
||||||
include snippets/hsts.conf;
|
|
||||||
include snippets/security-drupal-no-proxy.conf;
|
|
||||||
include snippets/cross-origin-security.conf;
|
|
||||||
include snippets/quic.conf;
|
|
||||||
|
|
||||||
add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests";
|
|
||||||
|
|
||||||
index index.php;
|
|
||||||
root /srv/drupal/drupal.yourdomain.tld/web;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php?$args;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
include fastcgi_params;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
**Notes**: `listen 443 quic reuseport;` is only needed once. If you plan to have multiple vhosts on this setup with SSL, consider making a dedicated vhost for this config so that it is nicer and easier to manage. An example can be found [here](https://github.com/TommyTran732/NGINX-Configs/blob/main/etc/nginx/conf.d/sites_default_quic.conf).
|
|
||||||
|
|
||||||
## Setup the Database for Drupal
|
|
||||||
|
|
||||||
As root, log into MariaDB:
|
|
||||||
|
|
||||||
```
|
|
||||||
mariadb -uroot
|
|
||||||
```
|
|
||||||
|
|
||||||
Run the following queries:
|
|
||||||
```
|
|
||||||
CREATE DATABASE drupal CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
||||||
CREATE USER 'drupal'@'127.0.0.1' IDENTIFIED BY 'yourPassword';
|
|
||||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupal.* TO 'drupal'@'127.0.0.1';
|
|
||||||
exit
|
|
||||||
```
|
|
||||||
|
|
||||||
## Configure Drupal
|
|
||||||
|
|
||||||
Go to drupal.yourdomain.tld and follow the prompts.
|
|
||||||
|
|
||||||
Switch to the `drupal` user:
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo su - drupal
|
|
||||||
```
|
|
||||||
|
|
||||||
As the drupal user, run:
|
|
||||||
|
|
||||||
```
|
|
||||||
chmod 400 /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
|
|
||||||
setfacl -m u:nginx:r /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
|
|
||||||
```
|
|
@ -1,117 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
# Copyright (C) 2024 Thien Tran
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
||||||
# use this file except in compliance with the License. You may obtain a copy of
|
|
||||||
# the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations under
|
|
||||||
# the License.
|
|
||||||
|
|
||||||
# Assumes that it is run AFTER https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/Ubuntu-24.04-Server.sh
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
output(){
|
|
||||||
printf '\e[1;34m%-6s\e[m\n' "${@}"
|
|
||||||
}
|
|
||||||
|
|
||||||
unpriv(){
|
|
||||||
sudo -u nobody "$@"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Open ports
|
|
||||||
sudo ufw allow 80/tcp
|
|
||||||
sudo ufw allow 443
|
|
||||||
|
|
||||||
# Add mainline NGINX repo
|
|
||||||
# This is extremely important as Ubuntu keeps shipping outdated NGINX
|
|
||||||
unpriv curl -s https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
|
|
||||||
sudo chmod 644 /usr/share/keyrings/nginx-archive-keyring.gpg
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/nginx.sources | sudo tee /etc/apt/sources.list.d/nginx.sources > /dev/null
|
|
||||||
sudo chmod 644 /etc/apt/sources.list.d/nginx.sources
|
|
||||||
|
|
||||||
# Add the PHP PPA (Ubuntu repos do not have the latest version, and do not handle pinning properly)
|
|
||||||
sudo add-apt-repository -y ppa:ondrej/php
|
|
||||||
|
|
||||||
# Add upstream MariaDB repo
|
|
||||||
unpriv curl -s https://supplychain.mariadb.com/mariadb-keyring-2019.gpg | sudo tee /usr/share/keyrings/mariadb-keyring-2019.gpg
|
|
||||||
sudo chmod 644 /usr/share/keyrings/mariadb-keyring-2019.gpg
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/mariadb.sources | sudo tee /etc/apt/sources.list.d/mariadb.sources > /dev/null
|
|
||||||
sudo chmod 644 /etc/apt/sources.list.d/maridadb.sources
|
|
||||||
|
|
||||||
# Update the VM again
|
|
||||||
sudo apt update
|
|
||||||
sudo apt full-upgrade -y
|
|
||||||
|
|
||||||
# Install the packages
|
|
||||||
sudo apt install -y nginx mariadb-server php8.3 php8.3-cli php8.3-common php8.3-curl php8.3-fpm php8.3-gd php8.3-mbstring php8.3-mysql php8.3-opcache php8.3-readline php8.3-sqlite3 php8.3-xml php8.3-zip php8.3-apcu
|
|
||||||
|
|
||||||
# Install certbot
|
|
||||||
sudo snap install --classic certbot
|
|
||||||
sudo ln -s /snap/bin/certbot /usr/bin/certbot
|
|
||||||
|
|
||||||
# Secure MariaDB
|
|
||||||
output "Running mariadb-secure-installation."
|
|
||||||
output "You should answer yes to everything except setting the root password."
|
|
||||||
output "This is already done via the UNIX socket if you switch it with the prompts so you should be okay."
|
|
||||||
sudo mariadb-secure-installation
|
|
||||||
|
|
||||||
# Port NGINX configs from https://github.com/TommyTran732/NGINX-Configs
|
|
||||||
|
|
||||||
sudo rm -rf /etc/nginx/conf.d/default.conf
|
|
||||||
|
|
||||||
## NGINX hardening
|
|
||||||
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
|
||||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx.service.d/local.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf > /dev/null
|
|
||||||
sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
|
|
||||||
## Setup nginx-create-session-ticket-keys
|
|
||||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-create-session-ticket-keys | sudo tee /usr/local/bin/nginx-create-session-ticket-keys > /dev/null
|
|
||||||
sudo chmod u+x /usr/local/bin/nginx-create-session-ticket-keys
|
|
||||||
|
|
||||||
## Setup nginx-rotate-session-ticket-keys
|
|
||||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-rotate-session-ticket-keys | sudo tee /usr/local/bin/nginx-rotate-session-ticket-keys > /dev/null
|
|
||||||
sudo chmod u+x /usr/local/bin/nginx-rotate-session-ticket-keys
|
|
||||||
|
|
||||||
## Download the units
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-create-session-ticket-keys.service | sudo tee /etc/systemd/system/nginx-create-session-ticket-keys.service > /dev/null
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-rotate-session-ticket-keys.service | sudo tee /etc/systemd/system/nginx-rotate-session-ticket-keys.service > /dev/null
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-rotate-session-ticket-keys.timer | sudo tee /etc/systemd/system/nginx-rotate-session-ticket-keys.timer > /dev/null
|
|
||||||
|
|
||||||
## Systemd Hardening
|
|
||||||
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/systemd/system/nginx.service.d/override.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf > /dev/null
|
|
||||||
sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
|
|
||||||
## Enable the units
|
|
||||||
sudo systemctl enable --now nginx-create-session-ticket-keys.service
|
|
||||||
sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
|
|
||||||
|
|
||||||
## Download NGINX configs
|
|
||||||
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf > /dev/null
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/sites_default.conf | sudo tee /etc/nginx/conf.d/sites_default.conf > /dev/null
|
|
||||||
sudo sed -i 's/include snippets/universal_paths.conf;//g' /etc/nginx/conf.d/sites_default.conf
|
|
||||||
sudo sed -i 's/ipv4_1://g' /etc/nginx/conf.d/sites_default.conf
|
|
||||||
sudo sed -i 's/ipv6_1/::/g' /etc/nginx/conf.d/sites_default.conf
|
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null
|
|
||||||
|
|
||||||
sudo mkdir -p /etc/nginx/snippets
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null
|
|
||||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf > /dev/null
|
|
||||||
|
|
||||||
# Fix PHP permission
|
|
||||||
sudo sed -i 's/www-data/nginx/g' /etc/php/8.3/fpm/pool.d/www.conf
|
|
||||||
sudo systemctl restart php8.3-fpm
|
|
Loading…
Reference in New Issue
Block a user