diff --git a/web-manage/nginx/setup/README.md b/web-manage/nginx/setup/README.md
new file mode 100644
index 0000000..ceb935b
--- /dev/null
+++ b/web-manage/nginx/setup/README.md
@@ -0,0 +1,4 @@
+nginx-contegix
+==============
+
+Developing the new Nginx Contegix Standards
\ No newline at end of file
diff --git a/web-manage/nginx/setup/new_nginx_vhost.sh b/web-manage/nginx/setup/new_nginx_vhost.sh
new file mode 100755
index 0000000..0ed3400
--- /dev/null
+++ b/web-manage/nginx/setup/new_nginx_vhost.sh
@@ -0,0 +1,102 @@
+#!/bin/sh
+
+
+## Title: new_nginx_vhost.sh
+## Description: Deploy a new nginx vhost in the "Contegix" way, covers SSL vhosts as well
+## Authors: Bradley McCrorey (initial script, in 2012)
+## Kevin Dreyer ( update of script, altered deployment method and provided more structure to the deployment, created custom templates for use by script )
+## Matt Burchett ( nginx modifications )
+## Version: 0.1
+##
+## Usage:
+# export FQDN=www.domain.com USESSL=Y/N INTERFACE=eth0/eth1; svn cat --username=your.username --no-auth-cache https://jira.com/svn/NSAK/trunk/toolbox/common/bin/new_nginx_vhost.sh | bash
+
+echo -e "FQDN: $FQDN"
+echo -e "USESSL: $USESSL"
+echo -e "NET: $INTERFACE\n"
+
+
+# Check to see if they set FQDN, if not ask for user input
+if [ -z "$FQDN" ]; then
+ echo -e "No FQDN variable set. Please enter the FQDN (e.g. www.example.com), followed by [ENTER]:"
+ read FQDN
+fi
+
+# Check to see if they set SSL, if not ask for user input
+if [ -z "$USESSL" ]; then
+ echo -e "No SSL variable set. Do you want an SSL enabled vhost? Please enter Y or N, followed by [ENTER]:"
+ read USESSL
+fi
+
+# Check to see if they set an interface, if not ask for user input
+if [ -z "$INTERFACE" ]; then
+ echo -e "No interface set. Please enter the interface name (e.g. eth0, eth1, eth1:3), followed by [ENTER]:"
+ read INTERFACE
+fi
+
+# Strip the FQDN down to its basic parts
+set -- $(echo $FQDN |awk -F\. '{print $1,$2,$3}')
+HOST_NAME=$1
+DOMAIN_NAME="$2.$3"
+
+
+# Extract the IP address out of ifconfig.
+IPADDR=$(ifconfig $INTERFACE | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}' |tr -d '\n')
+
+# Just in case, create directory structure
+mkdir -p /etc/nginx/vhosts.d/includes/
+
+# Do the thang.
+cd /etc/nginx/vhosts.d
+
+# Configure port 80 loader
+cat /etc/nginx/templates.d/vhosts.d/vhost-template.conf | \
+sed "s/IP_ADDRESS/${IPADDR}/g;s/DOMAIN_NAME/${DOMAIN_NAME}/g;s/HOST_NAME/${HOST_NAME}/g" \
+> /etc/nginx/vhosts.d/${HOST_NAME}.${DOMAIN_NAME}.conf
+
+# Configure port 443 loader
+cat /etc/nginx/templates.d/vhosts.d/vhost-template-ssl.conf | \
+sed "s/IP_ADDRESS/${IPADDR}/g;s/DOMAIN_NAME/${DOMAIN_NAME}/g;s/HOST_NAME/${HOST_NAME}/g" \
+> /etc/nginx/vhosts.d/${HOST_NAME}.${DOMAIN_NAME}-ssl.conf
+
+# Configure Main vhost
+cat /etc/nginx/templates.d/vhosts.d/includes/vhost-template.conf | \
+sed "s/IP_ADDRESS/${IPADDR}/g;s/DOMAIN_NAME/${DOMAIN_NAME}/g;s/HOST_NAME/${HOST_NAME}/g" \
+> /etc/nginx/vhosts.d/includes/${HOST_NAME}.${DOMAIN_NAME}.conf
+
+
+# create the dir structure under /var/www
+mkdir -p /var/www/domains/${DOMAIN_NAME}/${HOST_NAME}/{htdocs,logs,cgi-bin,ssl}
+
+if [ "$USESSL" = "Y" ] || [ "$USESSL" = "y" ] || [ "$USESSL" = "yes" ] || [ "$USESSL" = "Yes" ] || [ "$USESSL" = "YES" ]; then
+ export USESSL="Y"
+ echo -e "**************WITHSSL****************** \n"
+ echo -e "The basic vhost is configured, you will still need to create/upload a SSL cert, then fix the appropriate lines in \n"
+ echo -e "/etc/nginx/vhosts.d/${HOST_NAME}.${DOMAIN_NAME}-ssl.conf \n "
+ echo -e "The nginx -t that will run in a moment will likely fail until this is completed.\n \n"
+else
+ echo -e "--------------NOSSL------------------- \n"
+ echo -e "SSL will not be in use. Disabling the SSL config file.\n"
+ echo -e "The port 443 loader has been renamed to *.OFF, simply rename to *.conf and kick nginx to re-enable\n"
+ mv /etc/nginx/vhosts.d/${HOST_NAME}.${DOMAIN_NAME}-ssl.conf{,.OFF}
+fi
+
+
+# Notify user what is expected now
+
+if [ "$USESSL" = "Y" ]; then
+ echo -e "**************WITHSSL****************** \n"
+ echo -e "Now we will test the nginx configuration as-is. 
If you are using SSL but don't have the SSL certs in place yet, \n"
+ echo -e "This test will likely fail citing that as the reason. You can solve that by creating/uploading the SSL certs to the proper spot\n"
+ echo -e "Then ensuring the ssl vhost config points to those certs, then finally you can run the command again to test the config. \n"
+ echo -e "/usr/sbin/nginx -t \n"
+else
+ echo -e "--------------NOSSL-------------------- \n"
+ echo "Now we will test the nginx configuration as-is. Since you are not utilizing SSL, it should result with no errors.\n"
+fi
+
+# check the nginx config
+/usr/sbin/nginx -t 2>&1 && echo -e "\n nginx config looks good. restart nginx when ready.\n"
+
+
+## EOF
diff --git a/web-manage/nginx/setup/nginx/scripts/generate-ssl-cert.sh b/web-manage/nginx/setup/nginx/scripts/generate-ssl-cert.sh
new file mode 100755
index 0000000..864df17
--- /dev/null
+++ b/web-manage/nginx/setup/nginx/scripts/generate-ssl-cert.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [[ $# -ne 1 ]]; then
+ echo "Usage: $0 host.domain"
+ echo "eg. $0 www.contegix.com"
+ exit 1
+fi
+
+HOSTNAME=$1
+SERIAL=`date +%Y%m%d%H%M`
+
+umask 077
+
+openssl genrsa -out $HOSTNAME.key 2048
+openssl req -new -set_serial $SERIAL -key $HOSTNAME.key -out $HOSTNAME.csr
+openssl x509 -set_serial $SERIAL -req -days 3650 -in $HOSTNAME.csr -signkey $HOSTNAME.key -out $HOSTNAME.self.crt
diff --git a/web-manage/nginx/setup/nginx/scripts/lock_wordpress_site.sh b/web-manage/nginx/setup/nginx/scripts/lock_wordpress_site.sh
new file mode 100755
index 0000000..68cdb93
--- /dev/null
+++ b/web-manage/nginx/setup/nginx/scripts/lock_wordpress_site.sh
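Review bot: `FQDN` is taken from the environment or an unvalidated `read` and split into `HOST_NAME`/`DOMAIN_NAME`, which are then interpolated unescaped into the `sed` replacement (`s/HOST_NAME/${HOST_NAME}/g`) and into paths under /etc/nginx/vhosts.d and /var/www/domains, so a value containing `/`, `&` or `..` breaks the substitution or creates files outside the intended directories. Reject anything that is not a plain hostname before it is used, e.g. `case $FQDN in ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) echo "invalid FQDN: $FQDN" >&2; exit 1 ;; esac`. The awk split also keeps only the first three labels, so `www.example.co.uk` becomes host `www` and domain `example.co`, which is worth rejecting or documenting. Under the usage line's `svn cat ... | bash` form, stdin is the script itself, so the three `read` prompts would consume script text rather than keyboard input; `read FQDN </dev/tty` reads from the terminal. The `#!/bin/sh` shebang does not cover the brace expansion (`{htdocs,logs,cgi-bin,ssl}`, `{,.OFF}`) and `echo -e` the script relies on.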
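Review bot: The argument guard `if [[ $# -ne 1 ]]` is a bash construct under a `#!/bin/sh` shebang; when /bin/sh is dash the `[[` fails as a missing command, the `if` falls through, and the script continues with an empty `HOSTNAME`, producing `.key`/`.csr`/`.self.crt` files; `if [ "$#" -ne 1 ]; then` works in both shells. The `openssl x509 -req` step signs without an extensions file, so the certificate carries only a CN and no subjectAltName, which current browsers and many TLS libraries reject for hostname verification; passing `-extfile` with a `subjectAltName=DNS:<host>` entry fixes that. `$HOSTNAME` and `$SERIAL` are unquoted throughout, and `HOSTNAME` also shadows the shell's own variable of that name. The `umask 077` before key generation is the right call and keeps the private key file 0600.
```shell
# … unchanged: argument check and HOSTNAME/SERIAL assignment …
umask 077

ext=$(mktemp) || exit 1
trap 'rm -f -- "$ext"' EXIT
printf 'subjectAltName=DNS:%s\n' "$HOSTNAME" > "$ext"

openssl genrsa -out "$HOSTNAME.key" 2048
openssl req -new -set_serial "$SERIAL" -key "$HOSTNAME.key" -out "$HOSTNAME.csr"
openssl x509 -set_serial "$SERIAL" -req -days 3650 -in "$HOSTNAME.csr" -signkey "$HOSTNAME.key" -extfile "$ext" -out "$HOSTNAME.self.crt"
```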
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+## lock_wordpress_site.sh
+##
+## Usage: cd /var/www/domains/test.com/www/htdocs && ~/lock_wordpress_site.sh
+##
+## This locks a wordpress site by chowning everything to root:root and chowns wp-content apache:apache
+## Notes:
+## - make sure you are cd'd into the correct directory prior to running this script
+## - this script will check for certain files that should be in place in the working directory
+## else it will exit and not change anything
+
+
+WORKINGDIR=$(pwd)
+FILECHECK="wp-login.php"
+BASEDIR=$(basename "$WORKINGDIR")
+GROUPNAME="wp"
+VHOSTNAME="/etc/httpd/vhosts.d/includes/HOST_NAME.DOMAIN_NAME.conf"
+
+if [ -f wp-login.php ];
+then
+ if [[ "$WORKINGDIR" =~ "/var/www/domains" && ( "$BASEDIR" == "htdocs" || "$BASEDIR" == "current" || "$BASEDIR" =~ "wordpress*" ) ]];
+ then
+ echo "$FILECHECK file exists, proceeding to lock permissions from apache"
+ chown -R root:"$GROUPNAME" .
+ chown -R apache:"$GROUPNAME" wp-content
+ chown -R root:"$GROUPNAME" wp-content/plugins
+ find . -type f -exec chmod 0664 {} \;
+ find . -type d -exec chmod 0775 {} \;
+ find . -name wp-config.php -exec chmod 0644 {} \;
+ find . -name readme.html -exec chmod 0400 {} \;
+
+ # Wordpress Plugin-specific Mods. 
Any specific permissions for plugins put in this portion
+ if [[ -d "$WORKINGDIR/wp-content/plugins/gallery-bank" ]];
+ then
+ chown -R apache:"$GROUPNAME" "$WORKINGDIR/wp-content/plugins/gallery-bank/lib/cache"
+ fi
+ if [[ -d "$WORKINGDIR/wp-content/plugins/wp-security-scan" ]];
+ then
+ echo -e "WP Security Scan Plugin Installed, Fixing Backups Perms\n"
+ chown -R apache:"$GROUPNAME" "$WORKINGDIR/wp-content/plugins/wp-security-scan/res/backups"
+ fi
+
+ # Fix Apache vhost
+ echo -e "Lockdown of Permissions complete, moving on to fixing the apache vhost, re-applying protective rewrites\n"
+ sed -i 's/#Include/Include/g' $VHOSTNAME
+
+ echo -e "Changes made, Reloading Apache to read in the updated configuration\n"
+ service httpd reload
+ if [ $? == 0 ]; then
+ echo -e "Apache reload successful, Permissions are now fixed and locked down.\n"
+ logger -p user.info -t WORDPRESS "Permissions for Wordpress Site at $WORKINGDIR Fixed and Locked Back Down by $USER"
+ exit 0
+ else
+ apachectl -t
+ echo -e "\n Apache Reload FAILED. You may have to apply changes manually.\n"
+ logger -p user.info -t WORDPRESS "Permissions for Wordpress Site at $WORKINGDIR FAILED to Revert due ot Apache Reload Fail, by $USER"
+ exit 1
+ fi
+ else
+ echo "###############################################################"
+ echo "# Directory check failed! #"
+ echo "###############################################################"
+ echo "Your base directory is not htdocs, current, or wordpress*"
+ echo "Or you're not in /var/www/domains/*"
+ echo -e "\n $WORKINGDIR \n"
+ echo "Are you sure you're in the correct directory?"
+ logger -p user.err -t WORDPRESS "Permissions for Wordpress Site at $WORKINGDIR FAILED to be Fixed by $USER, Perms still OPEN - Bad Current Directory"
+ exit 1
+ fi
+else
+ echo "###############################################################"
+ echo "# Directory check failed! 
#"
+ echo "###############################################################"
+ echo "The $FILECHECK file does not exist in the current working directory:"
+ echo -e "\n $WORKINGDIR \n"
+ echo "Are you sure you're in the correct directory?"
+ logger -p user.err -t WORDPRESS "Permissions for Wordpress Site at $WORKINGDIR FAILED to be Fixed by $USER, Perms still OPEN - Bad Current Directory, no $FILECHECK"
+ exit 1
+fi
diff --git a/web-manage/nginx/setup/nginx/scripts/unlock_wordpress_site.sh b/web-manage/nginx/setup/nginx/scripts/unlock_wordpress_site.sh
new file mode 100755
index 0000000..48ab9df
--- /dev/null
+++ b/web-manage/nginx/setup/nginx/scripts/unlock_wordpress_site.sh
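Review bot: The lockdown leaves `wp-config.php` world-readable: the `find` passes set every file to 0664 and then `chmod 0644` on wp-config.php, so any local account can read the database credentials it holds; `find . -name wp-config.php -exec chmod 0640 {} \;` (root:wp after the chown, readable by the apache user only if it is in group `wp` — confirm) is the tighter setting. `VHOSTNAME` is the literal template path `/etc/httpd/vhosts.d/includes/HOST_NAME.DOMAIN_NAME.conf`, so the `sed -i` that re-enables the `Include` lines has no real file to edit until the placeholders are derived from `$WORKINGDIR` or passed in, and the reload targets httpd although the script ships under nginx/scripts. The directory guard is weaker than it reads: quoting the right-hand side of `=~` makes `"wordpress*"` a literal match (the asterisk is matched as a character) and `"/var/www/domains"` is an unanchored substring test, so `[[ "$WORKINGDIR" == /var/www/domains/* ]]` and `"$BASEDIR" == wordpress*` express the intent; the same guard and placeholder path appear in unlock_wordpress_site.sh. `[[` and `=~` also require bash rather than the `#!/bin/sh` shebang.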
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+## unlock_wordpress_site.sh
+##
+## Usage: cd /var/www/domains/test.com/www/htdocs && ~/unlock_wordpress_site.sh
+##
+## This unlocks a wordpress site by chowning everything to apache:apache
+## Notes:
+## - make sure you are cd'd into the correct directory prior to running this script
+## - this script will check for certain files that should be in place in the working directory
+## else it will exit and not change anything
+
+
+WORKINGDIR=$(pwd)
+FILECHECK="wp-login.php"
+BASEDIR=$(basename "$WORKINGDIR")
+GROUPNAME="wp"
+VHOSTNAME="/etc/httpd/vhosts.d/includes/HOST_NAME.DOMAIN_NAME.conf"
+
+if [ -f wp-login.php ];
+then
+ if [[ "$WORKINGDIR" =~ "/var/www/domains" && ( "$BASEDIR" == "htdocs" || "$BASEDIR" == "current" || "$BASEDIR" =~ "wordpress*" ) ]];
+ then
+ echo "$FILECHECK file exists, proceeding to grant full permissions to apache"
+ chown -R apache."$GROUPNAME" .
+ find . -type f -exec chmod 0664 {} \;
+ find . -type d -exec chmod 0775 {} \;
+
+ sed -i 's/Include/#Include/g' $VHOSTNAME
+ echo -e "Changes made, Reloading Apache to read in the updated configuration\n"
+ service httpd reload
+ if [ $? == 0 ]; then
+ echo "Apache Reload Successful. The Instance is now insecure and ready for modification."
+ logger -p user.info -t WORDPRESS "Permissions for Wordpress Site at $WORKINGDIR Unlocked and Opened Up by $USER"
+ exit 0
+ else
+ echo "Apache Reload FAILED. You may have to apply changes manually."
+ logger -p user.info -t WORDPRESS "Permissions for Wordpress Site at $WORKINGDIR FAILED to Unlock and Open Due to Apache Reload Fail, by $USER"
+ exit 1
+ fi
+ else
+ echo "###############################################################"
+ echo "# Directory check failed! 
#"
+ echo "###############################################################"
+ echo "Your base directory is not htdocs, current, or wordpress*"
+ echo "Or you're not in /var/www/domains/*"
+ echo -e "\nWorking Directory: $WORKINGDIR \n"
+ echo -e "\nBase Directory: $BASEDIR \n"
+ echo "Are you sure you're in the correct directory?"
+ logger -p user.err -t WORDPRESS "Permissions for Wordpress Site at $WORKINGDIR FAILED to be Removed by $USER - Bad Current Directory"
+ exit 1
+ fi
+else
+ echo "###############################################################"
+ echo "# Directory check failed! #"
+ echo "###############################################################"
+ echo "The $FILECHECK file does not exist in the current working directory:"
+ echo -e "\n $WORKINGDIR \n"
+ echo "Are you sure you're in the correct directory?"
+ logger -p user.err -t WORDPRESS "Permissions for Wordpress Site at $WORKINGDIR FAILED to be Removed by $USER - Bad Current Directory, no $FILECHECK"
+ exit 1
+fi
diff --git a/web-manage/nginx/setup/nginx_setup.sh b/web-manage/nginx/setup/nginx_setup.sh
new file mode 100755
index 0000000..eb93511
--- /dev/null
+++ b/web-manage/nginx/setup/nginx_setup.sh
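Review bot: The `sed -i 's/Include/#Include/g' $VHOSTNAME` toggle is unanchored and not idempotent: it comments every occurrence of the substring `Include` on any line, including ones already commented (giving `##Include`), and after two unlocks the lock script's `s/#Include/Include/g` strips only one `#`, so the protective rewrites stay disabled after a lock. Anchoring it to lines that actually start with the directive, `sed -i 's/^\([[:space:]]*\)Include/\1#Include/' "$VHOSTNAME"`, keeps the pair reversible. `chown -R apache."$GROUPNAME" .` uses the deprecated `user.group` separator, which GNU chown treats as ambiguous when a user name contains a dot; the `apache:"$GROUPNAME"` form used by the lock script is the one to keep. As in the lock script, `VHOSTNAME` is the literal `HOST_NAME.DOMAIN_NAME.conf` placeholder path, so the sed has no file to edit until it is derived from `$WORKINGDIR` or passed in.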
@@ -0,0 +1,456 @@ +#!/bin/sh + + +## Title: nginx_setup.sh +## Description: Deploy base nginx configurations +## Authors: Matt Burchett (2015-03-28) +## Version: 0.6 +## + +# I've placed all the installation in a function called "redhat" just in case this gets developed for compatiblity with another distribution. +function redhatlinux { + + #checking if epel repo is installed and enabled + +if [ -z "`yum repolist | grep epel`" ]; then + echo "EPEL repo not installed, would you like to install it now? (y/N)" + read epelinstall + if [ "$epelinstall" = "y" ]; then + cd /tmp + echo "Downloading epel package." + wget http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm + echo "Installing Package." + yum localinstall epel-release-6-8.noarch.rpm + cd + else + echo "EPEL has to be enabled to install and setup nginx. Exiting." + exit + fi +else + echo "EPEL repo enabled. All good!" +fi + +echo +sleep 1 + +#checking if nginx is installed + +if [ -z "`rpm -qi nginx | grep URL`" ]; then + echo "nginx is not installed. Would you like to install it now? (y/N)" + read nginxinstall + if [ "$nginxinstall" = "y" ]; then + echo "Okay, installing nginx." + yum install nginx php-fpm + echo "Nginx installed. Enabling services by default." + chkconfig nginx on + chkconfig php-fpm on + echo "Services enabled." + else + echo "Wrong answer given. Exiting." + exit + fi +else + echo "nginx is already installed, moving on." +fi + + #start PHP-FPM configuration + +echo "Starting php-fpm configuration..." + +echo + +# change how it listens +echo "Changing php-fpm to listen on socket (unix:/var/run/php5-fpm.sock)..." + +sed -i 's,listen = 127.0.0.1:9000, listen = /var/run/php5-fpm.sock,g' /etc/php-fpm.d/www.conf + +if [ "`cat /etc/php-fpm.d/www.conf | grep 'var/run/php5-fpm.sock'`" ]; then + echo "Change successfully made." + cat /etc/php-fpm.d/www.conf | grep 'var/run/php5-fpm.sock' + +else + echo "Change not made. 
Please edit the file manually and change listen = 127.0.0.1:9000 to listen = /var/run/php5-fpm.sock." +fi + +echo +sleep 1 + +# change who it listens as +echo "Changing listen.owner to = apache..." + +sed -i 's:;listen.owner = nobody:listen.owner = apache:g' /etc/php-fpm.d/www.conf + +if [ "`cat /etc/php-fpm.d/www.conf | grep 'listen.owner = apache'`" ]; then + echo "Change successfully made." + cat /etc/php-fpm.d/www.conf | grep 'listen.owner = apache' + +else + echo "Change not made. Please edit the file manually and uncomment listen.owner and set it's ownership to apache." +fi + +echo +sleep 1 + +# group too +echo "Changing listen.group to = apache..." + +sed -i 's:;listen.group = nobody:listen.group = apache:g' /etc/php-fpm.d/www.conf + +if [ "`cat /etc/php-fpm.d/www.conf | grep 'listen.group = apache'`" ]; then + echo "Change successfully made." + cat /etc/php-fpm.d/www.conf | grep 'listen.group = apache' + +else + echo "Change not made. Please edit the file manually and uncomment listen.group and set it's ownership to apache." +fi + +echo +sleep 1 + +echo "Configuration of php-fpm complete." +#end php-fpm configuration +} + +function tuning { + +echo "Creating $FILE ..." + +cat << EOF > $FILE +server_names_hash_bucket_size 64; +EOF + +if [ -f $FILE ]; then + echo "$FILE created." +else + echo "Creation of $FILE failed, please create manually." +fi + +} + +function vhosts { + +echo "Creating $FILE ..." + +cat << EOF > $FILE +include /etc/nginx/vhosts.d/*.conf; +EOF + +if [ -f $FILE ]; then + echo "$FILE created." +else + echo "Creation of $FILE failed, please create manually." +fi + +} + +function restrictions { + +echo "Creating $FILE..." + +cat << EOF > $FILE +location = /favicon.ico { + log_not_found off; + access_log off; +} +location = /robots.txt { + allow all; + log_not_found off; + access_log off; +} +location ~ /\. { + deny all; +} +location ~* /(?:uploads|files)/.*\.php$ { + + deny all; +} +EOF + +if [ -f $FILE ];then + echo "$FILE created." 
+else + echo "Creation of $FILE failed, please create manually." +fi + +} + +function wordpress { + +echo "Creating $FILE..." + +cat << EOF > $FILE +# Add trailing slash to */wp-admin requests. + +rewrite /wp-admin\$ \$scheme://\$host\$uri/ permanent; + +location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)\$ { + + access_log off; log_not_found off; expires max; + +} +EOF + +if [ -f $FILE ];then + echo "$FILE created." +else + echo "Creation of $FILE failed, please create manually." +fi + +} + +#end functions + +#this bit is bad, but valid for now to make sure we don't screw up another OS +if [ -f "/etc/redhat-release" ]; then + echo "RedHat (or variant) detected. Installing..." + redhatlinux +else + echo "Unsupported operating system, exiting..." + # exit +fi + +echo +sleep 1 + +echo "Copying configuration files in place..." + +#make the directories needed +mkdir -p /etc/nginx/{conf.d,vhosts.d/includes,templates.d/conf.d,templates.d/vhosts.d/includes} + +echo + +#create the tuning.conf and creating templates + +if [ -f /etc/nginx/conf.d/tuning.conf ]; then + echo "Previous tuning.conf detected, not overwriting. Updating template..." + FILE=/etc/nginx/templates.d/conf.d/tuning.conf + tuning +else + echo "No previous tuning.conf detected, creating and making template..." + + #/etc/nginx/conf.d/tuning.conf + FILE=/etc/nginx/conf.d/tuning.conf + tuning + + #/etc/nginx/templates.d/conf.d/tuning.conf + FILE=/etc/nginx/templates.d/conf.d/tuning.conf + tuning +fi + +echo +sleep 1 + +#create the vhost conf and creating templates + +if [ -f /etc/nginx/conf.d/vhosts.conf ]; then + echo "Previous vhosts.conf detected, not overwriting. Updating template..." + FILE=/etc/nginx/templates.d/conf.d/vhosts.conf + vhosts +else + echo "No previous vhosts.conf detected, creating and making template..." 
+ + #/etc/nginx/conf.d/vhosts.conf + FILE=/etc/nginx/conf.d/vhosts.conf + vhosts + + #/etc/nginx/templates.d/conf.d/vhosts.conf + FILE=/etc/nginx/templates.d/conf.d/vhosts.conf + vhosts +fi + +echo +sleep 1 + +# create includes/restrictions.conf and creating templates + +if [ -f /etc/nginx/vhosts.d/includes/restrictions.conf ]; then + echo "Previous restrictions detected, not overwriting. Updating template..." + FILE=/etc/nginx/templates.d/vhosts.d/includes/restrictions.conf + restrictions +else + echo "No previous restrictions.conf detected, creating and making template..." + + #/etc/nginx/vhosts.d/includes/restrictions.conf + FILE=/etc/nginx/vhosts.d/includes/restrictions.conf + restrictions + + #/etc/nginx/templates.d/vhosts.d/includes/restrictions.conf + FILE=/etc/nginx/templates.d/vhosts.d/includes/restrictions.conf + restrictions +fi + +echo +sleep 1 + +# create includes/wordpress.conf and creating templates +if [ -f /etc/nginx/vhosts.d/includes/wordpress.conf ]; then + echo "Previous wordpress.conf detected, not overwriting. Updating template..." + FILE=/etc/nginx/templates.d/vhosts.d/includes/wordpress.conf + wordpress +else + echo "No previous wordpress.conf detected, creating and making template..." + + #/etc/nginx/vhosts.d/includes/wordpress.conf + FILE=/etc/nginx/vhosts.d/includes/wordpress.conf + wordpress + + #/etc/nginx/templates.d/vhosts.d/includes/wordpress.conf + FILE=/etc/nginx/templates.d/vhosts.d/includes/wordpress.conf + wordpress +fi + +echo +sleep 1 + +#start creation of the vhost templates +echo "Configuration of nginx complete. Creating template files..." + +echo +sleep 1 + +#main vhost template (not include) +echo "Creating vhost-template.conf..." + +cat << EOF > /etc/nginx/templates.d/vhosts.d/vhost-template.conf + server { + listen 80; + server_name HOST_NAME.DOMAIN_NAME; + + #To enable HTTPS, uncomment this line. 
+ #rewrite ^(.*) https://\$server_name\$1 permanent; + + include /etc/nginx/vhosts.d/includes/HOST_NAME.DOMAIN_NAME.conf; + + } +EOF + +if [ -f /etc/nginx/templates.d/vhosts.d/vhost-template.conf ];then + echo "vhost-template.conf created." +else + echo "Creation of vhost-template.conf failed, please create manually." +fi + +echo +sleep 1 + +#ssl vhost template (not include) +echo "Creating vhost-template-ssl.conf..." + +cat << EOF > /etc/nginx/templates.d/vhosts.d/vhost-template-ssl.conf + server { + listen 443 ssl; + server_name HOST_NAME.DOMAIN_NAME; + + ssl on; + ssl_certificate /var/www/domains/DOMAIN_NAME/HOST_NAME/ssl/HOST_NAME.DOMAIN_NAME.crt; + ssl_certificate_key /var/www/domains/DOMAIN_NAME/HOST_NAME/ssl/HOST_NAME.DOMAIN_NAME.key; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + include /etc/nginx/vhosts.d/includes/HOST_NAME.DOMAIN_NAME.conf; + } +EOF + +if [ -f /etc/nginx/templates.d/vhosts.d/vhost-template-ssl.conf ];then + echo "vhost-template-ssl.conf created." +else + echo "Creation of vhost-template-ssl.conf failed, please create manually." +fi +echo +sleep 1 + +#main vhost template (include) (SSL too) +echo "Creating includes/vhost-template.conf..." 
+ +cat << EOF > /etc/nginx/templates.d/vhosts.d/includes/vhost-template.conf + root /var/www/domains/DOMAIN_NAME/HOST_NAME/htdocs; + index index.html index.htm index.php; + access_log /var/www/domains/DOMAIN_NAME/HOST_NAME/logs/access_log; + error_log /var/www/domains/DOMAIN_NAME/HOST_NAME/logs/error_log; + + #custom maintenance message + location @sorry502 { + return 502 "This site is currently undergoing maintenance. We apologize for the inconvenience."; + } + + location @sorry503 { + return 503 "This site is currently undergoing maintenance. We apologize for the inconvenience."; + } + + + error_page 500 504 /50x.html; + error_page 502 @sorry502; + error_page 503 @sorry503; + + location = /50x.html { + root /usr/share/nginx/html; + } + + include /etc/nginx/vhosts.d/includes/restrictions.conf; + #If this is a Wordpress vhost, uncomment this line + #include /etc/nginx/vhosts.d/includes/wordpress.conf; + + + location ~ \.php$ { + try_files \$uri =404; + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; + include fastcgi_params; + } + + + # These are placeholders until I figure out how to make them work specifically. + # ScriptAlias /cgi-bin "/var/www/domains/DOMAIN_NAME/HOST_NAME/cgi-bin" + + # + # AllowOverride None + # Options None + # Order allow,deny + # Allow from all + # + + + ## If you will be installing any j2ee apps, e.g. Atlassian Jira, Confluence, Crowd, Fisheye, Bamboo, Stash, etc. you will need + ## To uncomment the following Proxy* Lines and change appropriately. + ## If this is a plain vhost, say for wordpress, you can leave them commented out. + ## Currently, nginx does not have support out-of-the-box for AJP connectors, nginx would have to be custom compiled for support. + ## HTTP connectors MUST be used. 
+ + # location / { + # proxy_read_timeout 300; + # proxy_connect_timeout 300; + # proxy_redirect off; + + # proxy_set_header X-Forwarded-Proto \$scheme; + # proxy_set_header Host \$http_host; + # proxy_set_header X-Real-IP \$remote_addr; + + # proxy_pass http://j2ee.HOST_NAME.DOMAIN_NAME:8009; + # } + + +EOF + +if [ -f /etc/nginx/templates.d/vhosts.d/includes/vhost-template.conf ];then + echo "includes/vhost-template.conf created." +else + echo "Creation of includes/vhost-template.conf failed, please create manually." +fi + +echo + +sleep 1 + +#Check for problems. +echo "Checking nginx for errors." +nginx -t + +echo "nginx configuration complete." + +echo + +#exit +echo "Complete." +exit \ No newline at end of file
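Review bot: The EPEL release package is fetched over plain `http://` (`wget http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm`) and handed straight to `yum localinstall`, so a root install runs on an unauthenticated download, and the URL pins an EL6 i386 mirror path for a noarch package; use an https mirror and verify the signature with `rpm --checksig` before installing, or install `epel-release` from the distribution repository where the target release provides it — confirm for the release in use. In the vhost-template-ssl.conf heredoc, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables the deprecated TLS 1.0/1.1 and the cipher list keeps the 3DES suites (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`); unless legacy clients are a stated requirement, `ssl_protocols TLSv1.2;` and dropping those suites is the safer template, and `ssl on;` is redundant next to `listen 443 ssl;`. The php-fpm socket is given `listen.owner`/`listen.group` = apache while the template's `fastcgi_pass unix:/var/run/php5-fpm.sock` is reached by nginx's worker user, which on EL packages is normally `nginx` rather than apache, so the connection may be refused unless `listen.mode` or group membership allows it — confirm on the target. The unsupported-OS branch has its `# exit` commented out, so the script goes on to `mkdir -p /etc/nginx/...` and write templates on a non-RedHat host; `exit 1` there is what the message promises. The `#!/bin/sh` shebang does not cover the `function name {` syntax or the brace expansion in `mkdir -p /etc/nginx/{conf.d,...}` that the script uses; `#!/bin/bash` matches how it is written.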