1
0
mirror of https://github.com/tommytran732/Pterodactyl-Script synced 2024-11-25 11:41:34 -05:00

Stricter CSP

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2022-12-07 09:44:19 -05:00
parent 5e3df84d80
commit 5234008aec
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2

View File

@ -115,6 +115,9 @@ required_infos() {
timezone=$(timedatectl | grep "Time zone" | awk '{ print $3 }')
dnf upgrade -y
dnf install -y bind-utils
output "Resolving DNS..."
SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4)
DOMAIN_RECORD=$(dig +short ${FQDN})
@ -279,12 +282,31 @@ EOF
upgrade_pterodactyl(){
cd /var/www/pterodactyl && php artisan p:upgrade
chown -R nginx:nginx * /var/www/pterodactyl
restorecon -R /var/www/pterodactyl
chown -R nginx:nginx /var/www/pterodactyl
output "Your panel has successfully been updated to version ${PANEL}"
}
nginx_config(){
webserver_config(){
output "Configuring PHP socket..."
bash -c 'cat > /etc/php-fpm.d/www-pterodactyl.conf' <<-'EOF'
[pterodactyl]
user = nginx
group = nginx
listen = /run/php-fpm/pterodactyl.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0750
pm = ondemand
pm.max_children = 9
pm.process_idle_timeout = 10s
pm.max_requests = 200
EOF
systemctl restart php-fpm
output "Configuring Nginx web server..."
echo '
@ -313,17 +335,20 @@ server {
ssl_certificate_key /etc/letsencrypt/live/'"$FQDN"'/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "0";
add_header X-Robots-Tag none;
add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'self'" always;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
add_header X-Frame-Options DENY;
add_header Referrer-Policy same-origin;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'none'; connect-src *; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' https://www.gravatar.com; manifest-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;
#add_header X-UA-Compatible "IE=Edge" always;
add_header X-XSS-Protection "0" always;
add_header Cross-Origin-Resource-Policy same-origin;
add_header Cross-Origin-Opener-Policy same-origin;
add_header X-XSS-Protection "0" always;
add_header Expect-CT "enforce, max-age=63072000";
location / {
try_files $uri $uri/ /index.php?$query_string;
@ -331,7 +356,7 @@ server {
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/pterodactyl.sock;
fastcgi_pass unix:/run/php-fpm/pterodactyl.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
@ -349,51 +374,19 @@ server {
location ~ /\.ht {
deny all;
}
}
' | sudo -E tee /etc/nginx/conf.d/pterodactyl.conf >/dev/null 2>&1
}' | tee /etc/nginx/conf.d/pterodactyl.conf >/dev/null 2>&1
service nginx restart
chown -R nginx:nginx $(pwd)
restorecon -R /var/www/pterodactyl
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_execmem 1
setsebool -P httpd_unified 1
}
php_config(){
output "Configuring PHP socket..."
bash -c 'cat > /etc/php-fpm.d/www-pterodactyl.conf' <<-'EOF'
[pterodactyl]
user = nginx
group = nginx
listen = /var/run/php-fpm/pterodactyl.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0750
pm = ondemand
pm.max_children = 9
pm.process_idle_timeout = 10s
pm.max_requests = 200
EOF
systemctl restart php-fpm
}
webserver_config(){
php_config
nginx_config
chown -R nginx:nginx /var/lib/php/session
}
install_wings() {
cd /root || exit
output "Installing Pterodactyl Wings dependencies..."
dnf -y install curl tar unzip
output "Installing Docker"
curl -sSL https://get.docker.com/ | CHANNEL=stable bash
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
dnf -y install docker-ce
systemctl enable --now docker
output "Installing the Pterodactyl wings..."
@ -431,13 +424,8 @@ EOF
systemctl enable wings
output "Wings ${WINGS} has now been installed on your system."
output "You should go to your panel and configure the node now."
output "Do `systemctl start wings` after you have run the auto deployment command."
if [ "$lsb_dist" != "fedora" ] || [ "$lsb_dist" = "centos" ] || [ "$lsb_dist" = "rhel" ] || [ "$lsb_dist" = "rocky" ] || [ "$lsb_dist" = "almalinux" ]; then
output "------------------------------------------------------------------"
output "IMPORTANT NOTICE!!!"
output "Since you are on a system with targetted SELinux policies, you should be changing the Daemon Server File Directory from /var/lib/pterodactyl/volumes to /var/srv/containers/pterodactyl."
output "------------------------------------------------------------------"
fi
output "If you get `bash: wings: command not found` when running the auto deployment command, replace `wings` with `/usr/local/bin/wings` and it will work."
output "Do `systemctl start wings` after you are done configuring the node."
}
@ -556,15 +544,15 @@ EOF
output "Configuring your firewall..."
dnf -y install firewalld
systemctl enable --now firewalld
firewall-cmd --remove-service=cockpit
if [ "$installoption" = "1" ]; then
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --add-service=mysql --permanent
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=mysql
elif [ "$installoption" = "2" ]; then
firewall-cmd --permanent --add-service=80/tcp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-port=2022/tcp
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --zone=trusted --change-interface=pterodactyl0
firewall-cmd --zone=trusted --add-masquerade --permanent
elif [ "$installoption" = "3" ]; then
firewall-cmd --add-service=http --permanent
@ -572,30 +560,26 @@ EOF
firewall-cmd --permanent --add-port=2022/tcp
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --add-service=mysql
firewall-cmd --permanent --zone=trusted --change-interface=pterodactyl0
firewall-cmd --zone=trusted --add-masquerade --permanent
fi
firewall-cmd --reload
}
database_host_reset(){
SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4)
adminpassword=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
Q0="SET old_passwords=0;"
Q1="SET PASSWORD FOR 'admin'@'$SERVER_IP' = PASSWORD('$adminpassword');"
Q2="FLUSH PRIVILEGES;"
SQL="${Q0}${Q1}${Q2}"
mysql mysql -e "$SQL"
output "New database host information:"
output "Host: $SERVER_IP"
output "Port: 3306"
output "New database admin user information:"
output "User: admin"
output "Password: $adminpassword"
}
broadcast(){
print_info(){
if [ "$installoption" = "1" ] || [ "$installoption" = "3" ]; then
broadcast_database
print_info_database
fi
output "------------------------------------------------------------------"
output "FIREWALL INFORMATION"
@ -606,14 +590,14 @@ broadcast(){
output ""
}
broadcast_database(){
print_info_database(){
output "------------------------------------------------------------------"
output "MARIADB/MySQL INFORMATION"
output ""
output "Your MariaDB/MySQL root password is $rootpassword"
output ""
output "Create your MariaDB/MySQL host with the following information:"
output "Host: $SERVER_IP"
output "Host: ${FQDN}"
output "Port: 3306"
output "User: admin"
output "Password: $adminpassword"
@ -631,15 +615,15 @@ case $installoption in
firewall
ssl_certs
webserver_config
broadcast
broadcast_database
print_info
print_info_database
;;
2) required_infos
firewall
ssl_certs
install_wings
broadcast
broadcast_database
print_info
print_info_database
;;
3) required_infos
install_dependencies
@ -648,7 +632,7 @@ case $installoption in
ssl_certs
webserver_config
install_wings
broadcast
print_info
;;
4) upgrade_pterodactyl
;;