Stricter CSP
Signed-off-by: Tommy <contact@tommytran.io>
parent
5e3df84d80
commit
5234008aec
132
install.sh
132
install.sh
@ -115,6 +115,9 @@ required_infos() {
|
||||
|
||||
timezone=$(timedatectl | grep "Time zone" | awk '{ print $3 }')
|
||||
|
||||
dnf upgrade -y
|
||||
dnf install -y bind-utils
|
||||
|
||||
output "Resolving DNS..."
|
||||
SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4)
|
||||
DOMAIN_RECORD=$(dig +short ${FQDN})
|
||||
@ -279,12 +282,31 @@ EOF
|
||||
|
||||
upgrade_pterodactyl(){
|
||||
cd /var/www/pterodactyl && php artisan p:upgrade
|
||||
chown -R nginx:nginx * /var/www/pterodactyl
|
||||
restorecon -R /var/www/pterodactyl
|
||||
chown -R nginx:nginx /var/www/pterodactyl
|
||||
output "Your panel has successfully been updated to version ${PANEL}"
|
||||
}
|
||||
|
||||
nginx_config(){
|
||||
webserver_config(){
|
||||
|
||||
output "Configuring PHP socket..."
|
||||
bash -c 'cat > /etc/php-fpm.d/www-pterodactyl.conf' <<-'EOF'
|
||||
[pterodactyl]
|
||||
|
||||
user = nginx
|
||||
group = nginx
|
||||
|
||||
listen = /run/php-fpm/pterodactyl.sock
|
||||
listen.owner = nginx
|
||||
listen.group = nginx
|
||||
listen.mode = 0750
|
||||
|
||||
pm = ondemand
|
||||
pm.max_children = 9
|
||||
pm.process_idle_timeout = 10s
|
||||
pm.max_requests = 200
|
||||
EOF
|
||||
systemctl restart php-fpm
|
||||
|
||||
output "Configuring Nginx web server..."
|
||||
|
||||
echo '
|
||||
@ -313,17 +335,20 @@ server {
|
||||
ssl_certificate_key /etc/letsencrypt/live/'"$FQDN"'/privkey.pem;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
||||
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "0";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'self'" always;
|
||||
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header Referrer-Policy same-origin;
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
||||
add_header Content-Security-Policy "default-src 'none'; connect-src *; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' https://www.gravatar.com; manifest-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
|
||||
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
|
||||
add_header Referrer-Policy "same-origin" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
#add_header X-UA-Compatible "IE=Edge" always;
|
||||
add_header X-XSS-Protection "0" always;
|
||||
add_header Cross-Origin-Resource-Policy same-origin;
|
||||
add_header Cross-Origin-Opener-Policy same-origin;
|
||||
add_header X-XSS-Protection "0" always;
|
||||
add_header Expect-CT "enforce, max-age=63072000";
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$query_string;
|
||||
@ -331,7 +356,7 @@ server {
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/var/run/php-fpm/pterodactyl.sock;
|
||||
fastcgi_pass unix:/run/php-fpm/pterodactyl.sock;
|
||||
fastcgi_index index.php;
|
||||
include fastcgi_params;
|
||||
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
|
||||
@ -349,51 +374,19 @@ server {
|
||||
location ~ /\.ht {
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
' | sudo -E tee /etc/nginx/conf.d/pterodactyl.conf >/dev/null 2>&1
|
||||
}' | tee /etc/nginx/conf.d/pterodactyl.conf >/dev/null 2>&1
|
||||
|
||||
service nginx restart
|
||||
chown -R nginx:nginx $(pwd)
|
||||
restorecon -R /var/www/pterodactyl
|
||||
setsebool -P httpd_can_network_connect 1
|
||||
setsebool -P httpd_execmem 1
|
||||
setsebool -P httpd_unified 1
|
||||
}
|
||||
|
||||
php_config(){
|
||||
output "Configuring PHP socket..."
|
||||
bash -c 'cat > /etc/php-fpm.d/www-pterodactyl.conf' <<-'EOF'
|
||||
[pterodactyl]
|
||||
|
||||
user = nginx
|
||||
group = nginx
|
||||
|
||||
listen = /var/run/php-fpm/pterodactyl.sock
|
||||
listen.owner = nginx
|
||||
listen.group = nginx
|
||||
listen.mode = 0750
|
||||
|
||||
pm = ondemand
|
||||
pm.max_children = 9
|
||||
pm.process_idle_timeout = 10s
|
||||
pm.max_requests = 200
|
||||
EOF
|
||||
systemctl restart php-fpm
|
||||
}
|
||||
|
||||
webserver_config(){
|
||||
php_config
|
||||
nginx_config
|
||||
chown -R nginx:nginx /var/lib/php/session
|
||||
}
|
||||
|
||||
install_wings() {
|
||||
cd /root || exit
|
||||
output "Installing Pterodactyl Wings dependencies..."
|
||||
dnf -y install curl tar unzip
|
||||
|
||||
output "Installing Docker"
|
||||
curl -sSL https://get.docker.com/ | CHANNEL=stable bash
|
||||
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
|
||||
dnf -y install docker-ce
|
||||
|
||||
systemctl enable --now docker
|
||||
output "Installing the Pterodactyl wings..."
|
||||
@ -431,13 +424,8 @@ EOF
|
||||
systemctl enable wings
|
||||
output "Wings ${WINGS} has now been installed on your system."
|
||||
output "You should go to your panel and configure the node now."
|
||||
output "Do `systemctl start wings` after you have run the auto deployment command."
|
||||
if [ "$lsb_dist" != "fedora" ] || [ "$lsb_dist" = "centos" ] || [ "$lsb_dist" = "rhel" ] || [ "$lsb_dist" = "rocky" ] || [ "$lsb_dist" = "almalinux" ]; then
|
||||
output "------------------------------------------------------------------"
|
||||
output "IMPORTANT NOTICE!!!"
|
||||
output "Since you are on a system with targetted SELinux policies, you should be changing the Daemon Server File Directory from /var/lib/pterodactyl/volumes to /var/srv/containers/pterodactyl."
|
||||
output "------------------------------------------------------------------"
|
||||
fi
|
||||
output "If you get `bash: wings: command not found` when running the auto deployment command, replace `wings` with `/usr/local/bin/wings` and it will work."
|
||||
output "Do `systemctl start wings` after you are done configuring the node."
|
||||
}
|
||||
|
||||
|
||||
@ -556,15 +544,15 @@ EOF
|
||||
output "Configuring your firewall..."
|
||||
dnf -y install firewalld
|
||||
systemctl enable --now firewalld
|
||||
firewall-cmd --remove-service=cockpit
|
||||
if [ "$installoption" = "1" ]; then
|
||||
firewall-cmd --add-service=http --permanent
|
||||
firewall-cmd --add-service=https --permanent
|
||||
firewall-cmd --add-service=mysql --permanent
|
||||
firewall-cmd --permanent --add-service=http
|
||||
firewall-cmd --permanent --add-service=https
|
||||
firewall-cmd --permanent --add-service=mysql
|
||||
elif [ "$installoption" = "2" ]; then
|
||||
firewall-cmd --permanent --add-service=80/tcp
|
||||
firewall-cmd --permanent --add-service=http
|
||||
firewall-cmd --permanent --add-port=2022/tcp
|
||||
firewall-cmd --permanent --add-port=8080/tcp
|
||||
firewall-cmd --permanent --zone=trusted --change-interface=pterodactyl0
|
||||
firewall-cmd --zone=trusted --add-masquerade --permanent
|
||||
elif [ "$installoption" = "3" ]; then
|
||||
firewall-cmd --add-service=http --permanent
|
||||
@ -572,30 +560,26 @@ EOF
|
||||
firewall-cmd --permanent --add-port=2022/tcp
|
||||
firewall-cmd --permanent --add-port=8080/tcp
|
||||
firewall-cmd --permanent --add-service=mysql
|
||||
firewall-cmd --permanent --zone=trusted --change-interface=pterodactyl0
|
||||
firewall-cmd --zone=trusted --add-masquerade --permanent
|
||||
fi
|
||||
firewall-cmd --reload
|
||||
}
|
||||
|
||||
database_host_reset(){
|
||||
SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4)
|
||||
adminpassword=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
|
||||
Q0="SET old_passwords=0;"
|
||||
Q1="SET PASSWORD FOR 'admin'@'$SERVER_IP' = PASSWORD('$adminpassword');"
|
||||
Q2="FLUSH PRIVILEGES;"
|
||||
SQL="${Q0}${Q1}${Q2}"
|
||||
mysql mysql -e "$SQL"
|
||||
output "New database host information:"
|
||||
output "Host: $SERVER_IP"
|
||||
output "Port: 3306"
|
||||
output "New database admin user information:"
|
||||
output "User: admin"
|
||||
output "Password: $adminpassword"
|
||||
}
|
||||
|
||||
broadcast(){
|
||||
print_info(){
|
||||
if [ "$installoption" = "1" ] || [ "$installoption" = "3" ]; then
|
||||
broadcast_database
|
||||
print_info_database
|
||||
fi
|
||||
output "------------------------------------------------------------------"
|
||||
output "FIREWALL INFORMATION"
|
||||
@ -606,14 +590,14 @@ broadcast(){
|
||||
output ""
|
||||
}
|
||||
|
||||
broadcast_database(){
|
||||
print_info_database(){
|
||||
output "------------------------------------------------------------------"
|
||||
output "MARIADB/MySQL INFORMATION"
|
||||
output ""
|
||||
output "Your MariaDB/MySQL root password is $rootpassword"
|
||||
output ""
|
||||
output "Create your MariaDB/MySQL host with the following information:"
|
||||
output "Host: $SERVER_IP"
|
||||
output "Host: ${FQDN}"
|
||||
output "Port: 3306"
|
||||
output "User: admin"
|
||||
output "Password: $adminpassword"
|
||||
@ -631,15 +615,15 @@ case $installoption in
|
||||
firewall
|
||||
ssl_certs
|
||||
webserver_config
|
||||
broadcast
|
||||
broadcast_database
|
||||
print_info
|
||||
print_info_database
|
||||
;;
|
||||
2) required_infos
|
||||
firewall
|
||||
ssl_certs
|
||||
install_wings
|
||||
broadcast
|
||||
broadcast_database
|
||||
print_info
|
||||
print_info_database
|
||||
;;
|
||||
3) required_infos
|
||||
install_dependencies
|
||||
@ -648,7 +632,7 @@ case $installoption in
|
||||
ssl_certs
|
||||
webserver_config
|
||||
install_wings
|
||||
broadcast
|
||||
print_info
|
||||
;;
|
||||
4) upgrade_pterodactyl
|
||||
;;
|
||||
|
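Review bot: The rewritten `add_header Content-Security-Policy "default-src 'none'; …` line drops the `always` flag that the replaced `… frame-ancestors 'self'" always;` line carried, so nginx attaches the policy only to 2xx/3xx responses and 4xx/5xx pages (the ones that reflect attacker-chosen paths) are served with no CSP at all; the same applies to the new `Permissions-Policy`, `Cross-Origin-Resource-Policy`, `Cross-Origin-Opener-Policy` and `Expect-CT` lines. End the CSP line with `base-uri 'none'" always;` and add `always` to those four headers as well. `add_header X-XSS-Protection "0" always;` now appears twice in the server block; delete the second copy. The new `ssl_ciphers` list contains only ECDHE-ECDSA suites, so if the certificate obtained by `ssl_certs` (not visible here) is RSA, TLS 1.2 clients will have no usable cipher and only TLS 1.3 clients can connect — confirm the key type or keep one ECDHE-RSA suite. Lastly, `script-src 'self' 'unsafe-inline'` and `connect-src *` leave the policy with little value against XSS or data exfiltration; if the panel's inline scripts and the browser-to-Wings websocket genuinely require them, a comment such as `# 'unsafe-inline' and connect-src * are needed by the panel's inline JS and the node websocket` would stop a future maintainer from tightening or loosening them blindly.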