1
0
mirror of https://github.com/tommytran732/Pterodactyl-Script synced 2024-11-22 10:31:34 -05:00

Stricter CSP

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2022-12-07 09:44:19 -05:00
parent 5e3df84d80
commit 5234008aec
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2

View File

@ -115,6 +115,9 @@ required_infos() {
timezone=$(timedatectl | grep "Time zone" | awk '{ print $3 }') timezone=$(timedatectl | grep "Time zone" | awk '{ print $3 }')
dnf upgrade -y
dnf install -y bind-utils
output "Resolving DNS..." output "Resolving DNS..."
SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4) SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4)
DOMAIN_RECORD=$(dig +short ${FQDN}) DOMAIN_RECORD=$(dig +short ${FQDN})
@ -279,12 +282,31 @@ EOF
upgrade_pterodactyl(){ upgrade_pterodactyl(){
cd /var/www/pterodactyl && php artisan p:upgrade cd /var/www/pterodactyl && php artisan p:upgrade
chown -R nginx:nginx * /var/www/pterodactyl chown -R nginx:nginx /var/www/pterodactyl
restorecon -R /var/www/pterodactyl
output "Your panel has successfully been updated to version ${PANEL}" output "Your panel has successfully been updated to version ${PANEL}"
} }
nginx_config(){ webserver_config(){
output "Configuring PHP socket..."
bash -c 'cat > /etc/php-fpm.d/www-pterodactyl.conf' <<-'EOF'
[pterodactyl]
user = nginx
group = nginx
listen = /run/php-fpm/pterodactyl.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0750
pm = ondemand
pm.max_children = 9
pm.process_idle_timeout = 10s
pm.max_requests = 200
EOF
systemctl restart php-fpm
output "Configuring Nginx web server..." output "Configuring Nginx web server..."
echo ' echo '
@ -313,17 +335,20 @@ server {
ssl_certificate_key /etc/letsencrypt/live/'"$FQDN"'/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/'"$FQDN"'/privkey.pem;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;"; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff; add_header Content-Security-Policy "default-src 'none'; connect-src *; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' https://www.gravatar.com; manifest-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
add_header X-XSS-Protection "0"; add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
add_header X-Robots-Tag none; add_header Referrer-Policy "same-origin" always;
add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'self'" always; add_header X-Content-Type-Options "nosniff" always;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; #add_header X-UA-Compatible "IE=Edge" always;
add_header X-Frame-Options DENY; add_header X-XSS-Protection "0" always;
add_header Referrer-Policy same-origin; add_header Cross-Origin-Resource-Policy same-origin;
add_header Cross-Origin-Opener-Policy same-origin;
add_header X-XSS-Protection "0" always;
add_header Expect-CT "enforce, max-age=63072000";
location / { location / {
try_files $uri $uri/ /index.php?$query_string; try_files $uri $uri/ /index.php?$query_string;
@ -331,7 +356,7 @@ server {
location ~ \.php$ { location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/pterodactyl.sock; fastcgi_pass unix:/run/php-fpm/pterodactyl.sock;
fastcgi_index index.php; fastcgi_index index.php;
include fastcgi_params; include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M"; fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
@ -349,51 +374,19 @@ server {
location ~ /\.ht { location ~ /\.ht {
deny all; deny all;
} }
} }' | tee /etc/nginx/conf.d/pterodactyl.conf >/dev/null 2>&1
' | sudo -E tee /etc/nginx/conf.d/pterodactyl.conf >/dev/null 2>&1
service nginx restart service nginx restart
chown -R nginx:nginx $(pwd)
restorecon -R /var/www/pterodactyl restorecon -R /var/www/pterodactyl
setsebool -P httpd_can_network_connect 1 setsebool -P httpd_can_network_connect 1
setsebool -P httpd_execmem 1 setsebool -P httpd_execmem 1
setsebool -P httpd_unified 1 setsebool -P httpd_unified 1
} }
php_config(){
output "Configuring PHP socket..."
bash -c 'cat > /etc/php-fpm.d/www-pterodactyl.conf' <<-'EOF'
[pterodactyl]
user = nginx
group = nginx
listen = /var/run/php-fpm/pterodactyl.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0750
pm = ondemand
pm.max_children = 9
pm.process_idle_timeout = 10s
pm.max_requests = 200
EOF
systemctl restart php-fpm
}
webserver_config(){
php_config
nginx_config
chown -R nginx:nginx /var/lib/php/session
}
install_wings() { install_wings() {
cd /root || exit
output "Installing Pterodactyl Wings dependencies..."
dnf -y install curl tar unzip
output "Installing Docker" output "Installing Docker"
curl -sSL https://get.docker.com/ | CHANNEL=stable bash dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
dnf -y install docker-ce
systemctl enable --now docker systemctl enable --now docker
output "Installing the Pterodactyl wings..." output "Installing the Pterodactyl wings..."
@ -431,13 +424,8 @@ EOF
systemctl enable wings systemctl enable wings
output "Wings ${WINGS} has now been installed on your system." output "Wings ${WINGS} has now been installed on your system."
output "You should go to your panel and configure the node now." output "You should go to your panel and configure the node now."
output "Do `systemctl start wings` after you have run the auto deployment command." output "If you get `bash: wings: command not found` when running the auto deployment command, replace `wings` with `/usr/local/bin/wings` and it will work."
if [ "$lsb_dist" != "fedora" ] || [ "$lsb_dist" = "centos" ] || [ "$lsb_dist" = "rhel" ] || [ "$lsb_dist" = "rocky" ] || [ "$lsb_dist" = "almalinux" ]; then output "Do `systemctl start wings` after you are done configuring the node."
output "------------------------------------------------------------------"
output "IMPORTANT NOTICE!!!"
output "Since you are on a system with targetted SELinux policies, you should be changing the Daemon Server File Directory from /var/lib/pterodactyl/volumes to /var/srv/containers/pterodactyl."
output "------------------------------------------------------------------"
fi
} }
@ -556,15 +544,15 @@ EOF
output "Configuring your firewall..." output "Configuring your firewall..."
dnf -y install firewalld dnf -y install firewalld
systemctl enable --now firewalld systemctl enable --now firewalld
firewall-cmd --remove-service=cockpit
if [ "$installoption" = "1" ]; then if [ "$installoption" = "1" ]; then
firewall-cmd --add-service=http --permanent firewall-cmd --permanent --add-service=http
firewall-cmd --add-service=https --permanent firewall-cmd --permanent --add-service=https
firewall-cmd --add-service=mysql --permanent firewall-cmd --permanent --add-service=mysql
elif [ "$installoption" = "2" ]; then elif [ "$installoption" = "2" ]; then
firewall-cmd --permanent --add-service=80/tcp firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-port=2022/tcp firewall-cmd --permanent --add-port=2022/tcp
firewall-cmd --permanent --add-port=8080/tcp firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --zone=trusted --change-interface=pterodactyl0
firewall-cmd --zone=trusted --add-masquerade --permanent firewall-cmd --zone=trusted --add-masquerade --permanent
elif [ "$installoption" = "3" ]; then elif [ "$installoption" = "3" ]; then
firewall-cmd --add-service=http --permanent firewall-cmd --add-service=http --permanent
@ -572,30 +560,26 @@ EOF
firewall-cmd --permanent --add-port=2022/tcp firewall-cmd --permanent --add-port=2022/tcp
firewall-cmd --permanent --add-port=8080/tcp firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --add-service=mysql firewall-cmd --permanent --add-service=mysql
firewall-cmd --permanent --zone=trusted --change-interface=pterodactyl0
firewall-cmd --zone=trusted --add-masquerade --permanent firewall-cmd --zone=trusted --add-masquerade --permanent
fi fi
firewall-cmd --reload firewall-cmd --reload
} }
database_host_reset(){ database_host_reset(){
SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4)
adminpassword=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1` adminpassword=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
Q0="SET old_passwords=0;" Q0="SET old_passwords=0;"
Q1="SET PASSWORD FOR 'admin'@'$SERVER_IP' = PASSWORD('$adminpassword');" Q1="SET PASSWORD FOR 'admin'@'$SERVER_IP' = PASSWORD('$adminpassword');"
Q2="FLUSH PRIVILEGES;" Q2="FLUSH PRIVILEGES;"
SQL="${Q0}${Q1}${Q2}" SQL="${Q0}${Q1}${Q2}"
mysql mysql -e "$SQL" mysql mysql -e "$SQL"
output "New database host information:" output "New database admin user information:"
output "Host: $SERVER_IP"
output "Port: 3306"
output "User: admin" output "User: admin"
output "Password: $adminpassword" output "Password: $adminpassword"
} }
broadcast(){ print_info(){
if [ "$installoption" = "1" ] || [ "$installoption" = "3" ]; then if [ "$installoption" = "1" ] || [ "$installoption" = "3" ]; then
broadcast_database print_info_database
fi fi
output "------------------------------------------------------------------" output "------------------------------------------------------------------"
output "FIREWALL INFORMATION" output "FIREWALL INFORMATION"
@ -606,14 +590,14 @@ broadcast(){
output "" output ""
} }
broadcast_database(){ print_info_database(){
output "------------------------------------------------------------------" output "------------------------------------------------------------------"
output "MARIADB/MySQL INFORMATION" output "MARIADB/MySQL INFORMATION"
output "" output ""
output "Your MariaDB/MySQL root password is $rootpassword" output "Your MariaDB/MySQL root password is $rootpassword"
output "" output ""
output "Create your MariaDB/MySQL host with the following information:" output "Create your MariaDB/MySQL host with the following information:"
output "Host: $SERVER_IP" output "Host: ${FQDN}"
output "Port: 3306" output "Port: 3306"
output "User: admin" output "User: admin"
output "Password: $adminpassword" output "Password: $adminpassword"
@ -631,15 +615,15 @@ case $installoption in
firewall firewall
ssl_certs ssl_certs
webserver_config webserver_config
broadcast print_info
broadcast_database print_info_database
;; ;;
2) required_infos 2) required_infos
firewall firewall
ssl_certs ssl_certs
install_wings install_wings
broadcast print_info
broadcast_database print_info_database
;; ;;
3) required_infos 3) required_infos
install_dependencies install_dependencies
@ -648,7 +632,7 @@ case $installoption in
ssl_certs ssl_certs
webserver_config webserver_config
install_wings install_wings
broadcast print_info
;; ;;
4) upgrade_pterodactyl 4) upgrade_pterodactyl
;; ;;