Stricter CSP
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
5e3df84d80
commit
5234008aec
132
install.sh
132
install.sh
@ -115,6 +115,9 @@ required_infos() {
|
|||||||
|
|
||||||
timezone=$(timedatectl | grep "Time zone" | awk '{ print $3 }')
|
timezone=$(timedatectl | grep "Time zone" | awk '{ print $3 }')
|
||||||
|
|
||||||
|
dnf upgrade -y
|
||||||
|
dnf install -y bind-utils
|
||||||
|
|
||||||
output "Resolving DNS..."
|
output "Resolving DNS..."
|
||||||
SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4)
|
SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4)
|
||||||
DOMAIN_RECORD=$(dig +short ${FQDN})
|
DOMAIN_RECORD=$(dig +short ${FQDN})
|
||||||
@ -279,12 +282,31 @@ EOF
|
|||||||
|
|
||||||
upgrade_pterodactyl(){
|
upgrade_pterodactyl(){
|
||||||
cd /var/www/pterodactyl && php artisan p:upgrade
|
cd /var/www/pterodactyl && php artisan p:upgrade
|
||||||
chown -R nginx:nginx * /var/www/pterodactyl
|
chown -R nginx:nginx /var/www/pterodactyl
|
||||||
restorecon -R /var/www/pterodactyl
|
|
||||||
output "Your panel has successfully been updated to version ${PANEL}"
|
output "Your panel has successfully been updated to version ${PANEL}"
|
||||||
}
|
}
|
||||||
|
|
||||||
nginx_config(){
|
webserver_config(){
|
||||||
|
|
||||||
|
output "Configuring PHP socket..."
|
||||||
|
bash -c 'cat > /etc/php-fpm.d/www-pterodactyl.conf' <<-'EOF'
|
||||||
|
[pterodactyl]
|
||||||
|
|
||||||
|
user = nginx
|
||||||
|
group = nginx
|
||||||
|
|
||||||
|
listen = /run/php-fpm/pterodactyl.sock
|
||||||
|
listen.owner = nginx
|
||||||
|
listen.group = nginx
|
||||||
|
listen.mode = 0750
|
||||||
|
|
||||||
|
pm = ondemand
|
||||||
|
pm.max_children = 9
|
||||||
|
pm.process_idle_timeout = 10s
|
||||||
|
pm.max_requests = 200
|
||||||
|
EOF
|
||||||
|
systemctl restart php-fpm
|
||||||
|
|
||||||
output "Configuring Nginx web server..."
|
output "Configuring Nginx web server..."
|
||||||
|
|
||||||
echo '
|
echo '
|
||||||
@ -313,17 +335,20 @@ server {
|
|||||||
ssl_certificate_key /etc/letsencrypt/live/'"$FQDN"'/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/'"$FQDN"'/privkey.pem;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_cache shared:SSL:10m;
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header Content-Security-Policy "default-src 'none'; connect-src *; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' https://www.gravatar.com; manifest-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
|
||||||
add_header X-XSS-Protection "0";
|
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
|
||||||
add_header X-Robots-Tag none;
|
add_header Referrer-Policy "same-origin" always;
|
||||||
add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'self'" always;
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
|
#add_header X-UA-Compatible "IE=Edge" always;
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-XSS-Protection "0" always;
|
||||||
add_header Referrer-Policy same-origin;
|
add_header Cross-Origin-Resource-Policy same-origin;
|
||||||
|
add_header Cross-Origin-Opener-Policy same-origin;
|
||||||
|
add_header X-XSS-Protection "0" always;
|
||||||
|
add_header Expect-CT "enforce, max-age=63072000";
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
try_files $uri $uri/ /index.php?$query_string;
|
try_files $uri $uri/ /index.php?$query_string;
|
||||||
@ -331,7 +356,7 @@ server {
|
|||||||
|
|
||||||
location ~ \.php$ {
|
location ~ \.php$ {
|
||||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
fastcgi_pass unix:/var/run/php-fpm/pterodactyl.sock;
|
fastcgi_pass unix:/run/php-fpm/pterodactyl.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
include fastcgi_params;
|
include fastcgi_params;
|
||||||
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
|
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
|
||||||
@ -349,51 +374,19 @@ server {
|
|||||||
location ~ /\.ht {
|
location ~ /\.ht {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
}
|
}' | tee /etc/nginx/conf.d/pterodactyl.conf >/dev/null 2>&1
|
||||||
' | sudo -E tee /etc/nginx/conf.d/pterodactyl.conf >/dev/null 2>&1
|
|
||||||
|
|
||||||
service nginx restart
|
service nginx restart
|
||||||
chown -R nginx:nginx $(pwd)
|
|
||||||
restorecon -R /var/www/pterodactyl
|
restorecon -R /var/www/pterodactyl
|
||||||
setsebool -P httpd_can_network_connect 1
|
setsebool -P httpd_can_network_connect 1
|
||||||
setsebool -P httpd_execmem 1
|
setsebool -P httpd_execmem 1
|
||||||
setsebool -P httpd_unified 1
|
setsebool -P httpd_unified 1
|
||||||
}
|
}
|
||||||
|
|
||||||
php_config(){
|
|
||||||
output "Configuring PHP socket..."
|
|
||||||
bash -c 'cat > /etc/php-fpm.d/www-pterodactyl.conf' <<-'EOF'
|
|
||||||
[pterodactyl]
|
|
||||||
|
|
||||||
user = nginx
|
|
||||||
group = nginx
|
|
||||||
|
|
||||||
listen = /var/run/php-fpm/pterodactyl.sock
|
|
||||||
listen.owner = nginx
|
|
||||||
listen.group = nginx
|
|
||||||
listen.mode = 0750
|
|
||||||
|
|
||||||
pm = ondemand
|
|
||||||
pm.max_children = 9
|
|
||||||
pm.process_idle_timeout = 10s
|
|
||||||
pm.max_requests = 200
|
|
||||||
EOF
|
|
||||||
systemctl restart php-fpm
|
|
||||||
}
|
|
||||||
|
|
||||||
webserver_config(){
|
|
||||||
php_config
|
|
||||||
nginx_config
|
|
||||||
chown -R nginx:nginx /var/lib/php/session
|
|
||||||
}
|
|
||||||
|
|
||||||
install_wings() {
|
install_wings() {
|
||||||
cd /root || exit
|
|
||||||
output "Installing Pterodactyl Wings dependencies..."
|
|
||||||
dnf -y install curl tar unzip
|
|
||||||
|
|
||||||
output "Installing Docker"
|
output "Installing Docker"
|
||||||
curl -sSL https://get.docker.com/ | CHANNEL=stable bash
|
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
|
||||||
|
dnf -y install docker-ce
|
||||||
|
|
||||||
systemctl enable --now docker
|
systemctl enable --now docker
|
||||||
output "Installing the Pterodactyl wings..."
|
output "Installing the Pterodactyl wings..."
|
||||||
@ -431,13 +424,8 @@ EOF
|
|||||||
systemctl enable wings
|
systemctl enable wings
|
||||||
output "Wings ${WINGS} has now been installed on your system."
|
output "Wings ${WINGS} has now been installed on your system."
|
||||||
output "You should go to your panel and configure the node now."
|
output "You should go to your panel and configure the node now."
|
||||||
output "Do `systemctl start wings` after you have run the auto deployment command."
|
output "If you get `bash: wings: command not found` when running the auto deployment command, replace `wings` with `/usr/local/bin/wings` and it will work."
|
||||||
if [ "$lsb_dist" != "fedora" ] || [ "$lsb_dist" = "centos" ] || [ "$lsb_dist" = "rhel" ] || [ "$lsb_dist" = "rocky" ] || [ "$lsb_dist" = "almalinux" ]; then
|
output "Do `systemctl start wings` after you are done configuring the node."
|
||||||
output "------------------------------------------------------------------"
|
|
||||||
output "IMPORTANT NOTICE!!!"
|
|
||||||
output "Since you are on a system with targetted SELinux policies, you should be changing the Daemon Server File Directory from /var/lib/pterodactyl/volumes to /var/srv/containers/pterodactyl."
|
|
||||||
output "------------------------------------------------------------------"
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -556,15 +544,15 @@ EOF
|
|||||||
output "Configuring your firewall..."
|
output "Configuring your firewall..."
|
||||||
dnf -y install firewalld
|
dnf -y install firewalld
|
||||||
systemctl enable --now firewalld
|
systemctl enable --now firewalld
|
||||||
|
firewall-cmd --remove-service=cockpit
|
||||||
if [ "$installoption" = "1" ]; then
|
if [ "$installoption" = "1" ]; then
|
||||||
firewall-cmd --add-service=http --permanent
|
firewall-cmd --permanent --add-service=http
|
||||||
firewall-cmd --add-service=https --permanent
|
firewall-cmd --permanent --add-service=https
|
||||||
firewall-cmd --add-service=mysql --permanent
|
firewall-cmd --permanent --add-service=mysql
|
||||||
elif [ "$installoption" = "2" ]; then
|
elif [ "$installoption" = "2" ]; then
|
||||||
firewall-cmd --permanent --add-service=80/tcp
|
firewall-cmd --permanent --add-service=http
|
||||||
firewall-cmd --permanent --add-port=2022/tcp
|
firewall-cmd --permanent --add-port=2022/tcp
|
||||||
firewall-cmd --permanent --add-port=8080/tcp
|
firewall-cmd --permanent --add-port=8080/tcp
|
||||||
firewall-cmd --permanent --zone=trusted --change-interface=pterodactyl0
|
|
||||||
firewall-cmd --zone=trusted --add-masquerade --permanent
|
firewall-cmd --zone=trusted --add-masquerade --permanent
|
||||||
elif [ "$installoption" = "3" ]; then
|
elif [ "$installoption" = "3" ]; then
|
||||||
firewall-cmd --add-service=http --permanent
|
firewall-cmd --add-service=http --permanent
|
||||||
@ -572,30 +560,26 @@ EOF
|
|||||||
firewall-cmd --permanent --add-port=2022/tcp
|
firewall-cmd --permanent --add-port=2022/tcp
|
||||||
firewall-cmd --permanent --add-port=8080/tcp
|
firewall-cmd --permanent --add-port=8080/tcp
|
||||||
firewall-cmd --permanent --add-service=mysql
|
firewall-cmd --permanent --add-service=mysql
|
||||||
firewall-cmd --permanent --zone=trusted --change-interface=pterodactyl0
|
|
||||||
firewall-cmd --zone=trusted --add-masquerade --permanent
|
firewall-cmd --zone=trusted --add-masquerade --permanent
|
||||||
fi
|
fi
|
||||||
firewall-cmd --reload
|
firewall-cmd --reload
|
||||||
}
|
}
|
||||||
|
|
||||||
database_host_reset(){
|
database_host_reset(){
|
||||||
SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4)
|
|
||||||
adminpassword=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
|
adminpassword=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
|
||||||
Q0="SET old_passwords=0;"
|
Q0="SET old_passwords=0;"
|
||||||
Q1="SET PASSWORD FOR 'admin'@'$SERVER_IP' = PASSWORD('$adminpassword');"
|
Q1="SET PASSWORD FOR 'admin'@'$SERVER_IP' = PASSWORD('$adminpassword');"
|
||||||
Q2="FLUSH PRIVILEGES;"
|
Q2="FLUSH PRIVILEGES;"
|
||||||
SQL="${Q0}${Q1}${Q2}"
|
SQL="${Q0}${Q1}${Q2}"
|
||||||
mysql mysql -e "$SQL"
|
mysql mysql -e "$SQL"
|
||||||
output "New database host information:"
|
output "New database admin user information:"
|
||||||
output "Host: $SERVER_IP"
|
|
||||||
output "Port: 3306"
|
|
||||||
output "User: admin"
|
output "User: admin"
|
||||||
output "Password: $adminpassword"
|
output "Password: $adminpassword"
|
||||||
}
|
}
|
||||||
|
|
||||||
broadcast(){
|
print_info(){
|
||||||
if [ "$installoption" = "1" ] || [ "$installoption" = "3" ]; then
|
if [ "$installoption" = "1" ] || [ "$installoption" = "3" ]; then
|
||||||
broadcast_database
|
print_info_database
|
||||||
fi
|
fi
|
||||||
output "------------------------------------------------------------------"
|
output "------------------------------------------------------------------"
|
||||||
output "FIREWALL INFORMATION"
|
output "FIREWALL INFORMATION"
|
||||||
@ -606,14 +590,14 @@ broadcast(){
|
|||||||
output ""
|
output ""
|
||||||
}
|
}
|
||||||
|
|
||||||
broadcast_database(){
|
print_info_database(){
|
||||||
output "------------------------------------------------------------------"
|
output "------------------------------------------------------------------"
|
||||||
output "MARIADB/MySQL INFORMATION"
|
output "MARIADB/MySQL INFORMATION"
|
||||||
output ""
|
output ""
|
||||||
output "Your MariaDB/MySQL root password is $rootpassword"
|
output "Your MariaDB/MySQL root password is $rootpassword"
|
||||||
output ""
|
output ""
|
||||||
output "Create your MariaDB/MySQL host with the following information:"
|
output "Create your MariaDB/MySQL host with the following information:"
|
||||||
output "Host: $SERVER_IP"
|
output "Host: ${FQDN}"
|
||||||
output "Port: 3306"
|
output "Port: 3306"
|
||||||
output "User: admin"
|
output "User: admin"
|
||||||
output "Password: $adminpassword"
|
output "Password: $adminpassword"
|
||||||
@ -631,15 +615,15 @@ case $installoption in
|
|||||||
firewall
|
firewall
|
||||||
ssl_certs
|
ssl_certs
|
||||||
webserver_config
|
webserver_config
|
||||||
broadcast
|
print_info
|
||||||
broadcast_database
|
print_info_database
|
||||||
;;
|
;;
|
||||||
2) required_infos
|
2) required_infos
|
||||||
firewall
|
firewall
|
||||||
ssl_certs
|
ssl_certs
|
||||||
install_wings
|
install_wings
|
||||||
broadcast
|
print_info
|
||||||
broadcast_database
|
print_info_database
|
||||||
;;
|
;;
|
||||||
3) required_infos
|
3) required_infos
|
||||||
install_dependencies
|
install_dependencies
|
||||||
@ -648,7 +632,7 @@ case $installoption in
|
|||||||
ssl_certs
|
ssl_certs
|
||||||
webserver_config
|
webserver_config
|
||||||
install_wings
|
install_wings
|
||||||
broadcast
|
print_info
|
||||||
;;
|
;;
|
||||||
4) upgrade_pterodactyl
|
4) upgrade_pterodactyl
|
||||||
;;
|
;;
|
||||||
|
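Review bot: The new Content-Security-Policy add_header (the `default-src 'none'; connect-src *; …` line) is the only security header in the block without `always`, so nginx emits it only on 2xx/3xx responses and the panel's 4xx/5xx pages (where reflected content most often lands) ship with no CSP. `default-src` also does not govern `form-action`, so the policy leaves form submission targets unrestricted; assuming the panel posts only to itself, end the directive with `base-uri 'none'; form-action 'self'" always;`. In the install_wings hunk, the new messages `output "Do `systemctl start wings` …"` and `output "If you get `bash: wings: command not found` …"` contain backticks inside double quotes, which bash evaluates as command substitution, so `systemctl start wings`, `wings` and `/usr/local/bin/wings` are actually executed while the message is built; single-quote those strings or escape the backticks as `\``. In the firewall hunk, `firewall-cmd --remove-service=cockpit` is a runtime-only change that the function's closing `firewall-cmd --reload` discards, so cockpit stays reachable; it needs `--permanent` (and the runtime call too if it should take effect before the reload).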