diff --git a/src/freedombone b/src/freedombone index 7c2cabe8..3f7bee2f 100755 --- a/src/freedombone +++ b/src/freedombone @@ -1437,7 +1437,7 @@ function set_default_onion_domains { fi } -function website_http_redirect { +function nginx_http_redirect { # redirect port 80 to https domain_name=$1 filename=/etc/nginx/sites-available/$domain_name @@ -1456,6 +1456,21 @@ function website_http_redirect { echo '' >> $filename } +function nginx_ssl { + # creates the SSL/TLS section for a website + domain_name=$1 + filename=/etc/nginx/sites-available/$domain_name + echo ' ssl on;' >> $filename + echo " ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename + echo " ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename + echo " ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename + echo '' >> $filename + echo ' ssl_session_timeout 60m;' >> $filename + echo ' ssl_prefer_server_ciphers on;' >> $filename + echo " ssl_protocols $SSL_PROTOCOLS;" >> $filename + echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename +} + function set_repo_commit { repo_dir=$1 repo_commit_name=$2 @@ -6475,7 +6490,7 @@ function install_owncloud { ln -s /usr/share/owncloud /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs if [[ $ONION_ONLY == "no" ]]; then - website_http_redirect $OWNCLOUD_DOMAIN_NAME + nginx_http_redirect $OWNCLOUD_DOMAIN_NAME echo 'server {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " root /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME @@ -6486,15 +6501,7 @@ function install_owncloud { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo ' ssl on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo " ssl_certificate /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo " ssl_certificate_key /etc/ssl/private/$OWNCLOUD_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo " ssl_dhparam /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo ' ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME + nginx_ssl $OWNCLOUD_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME @@ -6917,15 +6924,7 @@ function install_gogs { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' ssl on;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " ssl_certificate /etc/ssl/certs/$GIT_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " ssl_certificate_key /etc/ssl/private/$GIT_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " ssl_dhparam /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + nginx_ssl $GIT_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME @@ -7745,16 +7744,7 @@ function install_wiki { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' ssl on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " ssl_certificate /etc/ssl/certs/$WIKI_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " ssl_certificate_key /etc/ssl/private/$WIKI_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " ssl_dhparam /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + nginx_ssl $WIKI_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME @@ -8095,16 +8085,7 @@ function install_blog { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' ssl on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " ssl_certificate /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " ssl_certificate_key /etc/ssl/private/$FULLBLOG_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " ssl_dhparam /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + nginx_ssl $FULLBLOG_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME @@ -8672,22 +8653,13 @@ function install_gnu_social { microblog_nginx_site=/etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME if [[ $ONION_ONLY == "no" ]]; then - website_http_redirect $MICROBLOG_DOMAIN_NAME + nginx_http_redirect $MICROBLOG_DOMAIN_NAME echo 'server {' >> $microblog_nginx_site echo ' listen 443 ssl;' >> $microblog_nginx_site echo " server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site echo '' >> $microblog_nginx_site echo ' # Security' >> $microblog_nginx_site - echo ' ssl on;' >> $microblog_nginx_site - echo " ssl_certificate /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.pem;" >> $microblog_nginx_site - echo " ssl_certificate_key /etc/ssl/private/$MICROBLOG_DOMAIN_NAME.key;" >> $microblog_nginx_site - echo " ssl_dhparam /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam;" >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' ssl_session_timeout 60m;' >> $microblog_nginx_site - echo ' ssl_prefer_server_ciphers on;' >> $microblog_nginx_site - echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> $microblog_nginx_site - echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> $microblog_nginx_site - echo " ssl_ciphers '$SSL_CIPHERS';" >> $microblog_nginx_site + nginx_ssl $MICROBLOG_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> $microblog_nginx_site echo ' add_header X-Content-Type-Options nosniff;' >> $microblog_nginx_site echo ' add_header Strict-Transport-Security max-age=15768000;' >> $microblog_nginx_site @@ -9136,7 +9108,7 @@ function install_hubzilla { add_ddns_domain if [[ $ONION_ONLY == "no" ]]; then - website_http_redirect $HUBZILLA_DOMAIN_NAME + nginx_http_redirect $HUBZILLA_DOMAIN_NAME echo 'server {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo " root /var/www/$HUBZILLA_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME @@ -9151,16 +9123,7 @@ function install_hubzilla { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' ssl on;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " ssl_certificate /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.bundle.crt;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " ssl_certificate_key /etc/ssl/private/$HUBZILLA_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " ssl_dhparam /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + nginx_ssl $HUBZILLA_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME @@ -9548,15 +9511,7 @@ function install_mediagoblin { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - echo ' ssl on;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - echo " ssl_certificate /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - echo " ssl_certificate_key /etc/ssl/private/$MEDIAGOBLIN_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - echo " ssl_dhparam /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - echo ' ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME + nginx_ssl $MEDIAGOBLIN_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME