update newsite

defaults.inc

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 
-VERS='4.2.34-04242023'
+VERS='4.3.1-04252023'
+
 NODETYPES=MYSQL,LB,WEB,NC,WPD,LPD,PW
 #NODETYPES=WPD,LPD,PW
 MYSQLHOSTS=10.10.1.51,10.10.1.52

nodemgmt-scripts.sh

@@ -707,11 +707,11 @@ CHECK_DOCKER_SERVICES(){
 }
 
 NEWCERT(){
-	echo ""
+	echo
 	if [ -z ${1+x} ]; then
 		echo -e -n "${idsCL[LightCyan]}Create certificate for what address: ${idsCL[Default]}"
 		read NEW_CERT
-		echo ""
+		echo
 	else
 		NEW_CERT=${1}
 	fi
@@ -735,12 +735,12 @@ NEWCERT(){
 		# echo -e "${idsCL[Green]}Completed${idsCL[Default]}"
 		# echo
 		
-		$CERT_DAEMON certonly --webroot -w /var/www/html -d ${NEW_CERT}
+		sudo -iu le $CERT_DAEMON certonly --certonly -d ${NEW_CERT}
 		# $CERT_DAEMON certonly --dry-run --webroot -w /var/www/html -d ${NEW_CERT}
 		if [ -f /etc/letsencrypt/live/${MAIN_CERT}/cert.pem ]; then
-			chown -R root:letsencrypt /etc/letsencrypt
-			chmod -R 6775 /etc/letsencrypt
-			if [ -f /etc/nginx/sites-available/${MAIN_CERT} ]; then
+			# chown -R root:letsencrypt /etc/letsencrypt
+			# chmod -R 6775 /etc/letsencrypt
+			if [ -f /etc/nginx/sites-enabled/${MAIN_CERT} ]; then
 				rm -f  ${FOLDER}/cert-request.lastrun
 				daterun=`date +%Y-%m-%d-%H-%M-%S`
 				echo -e "${NEW_CERT}\n${daterun}" > ${FOLDER}/cert-request.lastrun
@@ -1287,7 +1287,6 @@ NEWSITE(){
 			-proxy_host) PROXYHOST=${2};;
 			-proxy_port) PROXYPORT=${2};;
 			-h | -help | --help)
-				echo "Missing arguments"
 				echo ""
 				echo -e "Usage: ${idsCL[Yellow]}nodemgmt newcert${idsCL[Default]} {"
 				width=33
@@ -1344,9 +1343,43 @@ NEWSITE(){
 			read PROXYSCHEME
 			showdivide=yes
 		fi
+		if [ -z ${WEBOSCKET+x} ]; then
+			echo -e -n "${idsCL[LightCyan]}Enable Weboscket Support (y/N): ${idsCL[Default]}"
+			read WEBOSCKET
+			showdivide=yes
+			if [[ ${WEBOSCKET} =~ ^[Nn]$ ]] || [ "${WEBOSCKET}" = "" ]; then
+				WEBOSCKET=no
+			elif [[ ${WEBOSCKET} =~ ^[Yy]$ ]]; then
+				WEBOSCKET=yes
+			else
+				WEBOSCKET=no
+			fi
+		fi
+		if [ -z ${HSTS+x} ]; then
+			echo -e -n "${idsCL[LightCyan]}Enable HSTS Support (Y/n): ${idsCL[Default]}"
+			read HSTS
+			showdivide=yes
+			if [[ ${HSTS} =~ ^[Yy]$ ]] || [ "${HSTS}" = "" ]; then
+				HSTS=yes
+			else
+				HSTS=no
+			fi
+		fi
+		if [ -z ${EXPLOITS+x} ]; then
+			echo -e -n "${idsCL[LightCyan]}Block exploits (y/N): ${idsCL[Default]}"
+			read EXPLOITS
+			showdivide=yes
+			if [[ ${EXPLOITS} =~ ^[Nn]$ ]] || [ "${EXPLOITS}" = "" ]; then
+				EXPLOITS=no
+			elif [[ ${EXPLOITS} =~ ^[Yy]$ ]]; then
+				EXPLOITS=yes
+			else
+				EXPLOITS=no
+			fi
+		fi
 	fi
-	if [ "${showdivide}" = "yes" ]; then DIVIDER; fi
-	echo ""
+	[ "${showdivide}" == "yes" ] && DIVIDER
+	echo
 	width=14
 	printf "%-${width}s: %s\n" "New site" "${NEW_SITE}"
 	printf "%-${width}s: %s\n" "Create SSL" "${CREATE_SSL}"
@@ -1355,6 +1388,9 @@ NEWSITE(){
 		printf "%-${width}s: %s\n" "Proxy host" "${PROXYHOST}"
 		printf "%-${width}s: %s\n" "Proxy port" "${PROXYPORT}"
 		printf "%-${width}s: %s\n" "Proxy scheme" "${PROXYSCHEME}"
+		printf "%-${width}s: %s\n" "Websocket Support" "${WEBOSCKET}"
+		printf "%-${width}s: %s\n" "HSTS Support" "${HSTS}"
+		printf "%-${width}s: %s\n" "Block Exploits" "${EXPLOITS}"
 	fi
 	echo -e -n "${idsCL[LightRed]}Is this information correct? [Y/n]${idsCL[Default]} "
 	read response
@@ -1376,6 +1412,8 @@ NEWSITE(){
 		if [ "${GO}" = "true" ]; then
 			echo -e "${idsCL[LightGreen]}Setting up new site for '${idsCL[Yellow]}${MAIN_SITE}${idsCL[LightGreen]}' {${NGINX_SERVERNAME}}...${idsCL[Default]}"
 			echo ""
+			
+			######################################### LOCAL
 			if [ "${SITE_TYPE}" = "local" ]; then
 				echo -e "server {
 	listen 80;" > /etc/nginx/sites-available/${MAIN_SITE}
@@ -1438,40 +1476,27 @@ NEWSITE(){
 				# SET-PERMISSIONS ${MAIN_SITE}
 				# echo -e "${idsCL[Green]}Completed${idsCL[Default]}"
 				
-			else
 				
-				echo -e "server {
-	set \$forward_scheme ${PROXYSCHEME};
-	set \$server         \"${PROXYHOST}\";
-	set \$port           ${PROXYPORT};
-
-	listen 80;" > /etc/nginx/sites-available/${MAIN_SITE}
-				if [ "${CREATE_SSL}" = "yes" ]; then
-					echo -e "	listen 443 ssl http2;" >> /etc/nginx/sites-available/${MAIN_SITE}
-				fi
-				echo -e "
-	server_name ${NGINX_SERVERNAME};" >> /etc/nginx/sites-available/${MAIN_SITE}
-				if [ "${CREATE_SSL}" = "yes" ]; then 
-					echo -e "
-	include conf.d/include/letsencrypt-acme-challenge.conf;
-	include conf.d/include/ssl-ciphers.conf;
-	ssl_certificate /etc/letsencrypt/live/${MAIN_SITE}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${MAIN_SITE}/privkey.pem;" >> /etc/nginx/sites-available/${MAIN_SITE}
-				fi
-				echo -e "
-	access_log /var/log/nginx/proxy-${MAIN_SITE}.log proxy;
-
-	location / {" >> /etc/nginx/sites-available/${MAIN_SITE}
-				if [ "${CREATE_SSL}" = "yes" ]; then
-					echo -e "		include conf.d/include/force-ssl.conf;" >> /etc/nginx/sites-available/${MAIN_SITE}
-				fi
-				echo -e "		include conf.d/include/proxy.conf;
-	}
-}
-" >> /etc/nginx/sites-available/${MAIN_SITE}
+							
+			######################################### PROXY
+			else
+				[ "${WEBSOCKET}" == "yes" ] && WEBSOCKET="include conf.d/include/websocket-support.conf;" || WEBSOCKET=""
+				[ "${HSTS}" == "yes" ] && HSTS="include conf.d/include/hsts-support.conf;" || HSTS=""
+				[ "${EXPLOITS}" == "yes" ] && EXPLOITS="include conf.d/include/block-exploits.conf;" || EXPLOITS=""
+				
+				cp ${FOLDER}/templates/nginx.proxy.site /etc/nginx/ites-enabled/${MAIN_SITE}
+				sed -i "s/<<HOSTNAME>>/${MAIN_SITE}/g" /etc/nginx/ites-enabled/${MAIN_SITE}
+				sed -i "s/<<PROXY_IP>>/${PROXYHOST}/g" /etc/nginx/ites-enabled/${MAIN_SITE}
+				sed -i "s/<<PROXY_PORT>>/${PROXYPORT}/g" /etc/nginx/ites-enabled/${MAIN_SITE}
+				sed -i "s/<<PROXY_SCHEME>>/${PROXYSCHEME}/g" /etc/nginx/ites-enabled/${MAIN_SITE}
+				sed -i "s/<<WEBSOCKET>>/${WEBSOCKET}/g" /etc/nginx/ites-enabled/${MAIN_SITE}
+				sed -i "s/<<HSTS>>/${HSTS}/g" /etc/nginx/ites-enabled/${MAIN_SITE}
+				sed -i "s/<<EXPLOITS>>/${EXPLOITS}/g" /etc/nginx/ites-enabled/${MAIN_SITE}
 			fi
 			
-			ln -s /etc/nginx/sites-available/${MAIN_SITE} /etc/nginx/sites-enabled/${MAIN_SITE}
+			
+			
+			
 			if [ "${CREATE_SSL}" = "yes" ]; then
 				NEWCERT ${NEW_SITE}
 			fi

templates/nginx.proxy.site

@@ -10,12 +10,19 @@ server {
 
 	include conf.d/include/letsencrypt-acme-challenge.conf;
 	include conf.d/include/ssl-ciphers.conf;
-	ssl_certificate /etc/letsencrypt/live/<<HOSTNAME>>/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/<<HOSTNAME>>/privkey.pem;
+	ssl_certificate /opt/lb-data/letsencrypt/live/<<HOSTNAME>>/fullchain.pem;
+	ssl_certificate_key /opt/lb-data/letsencrypt/live/<<HOSTNAME>>/privkey.pem;
 
-	access_log /var/log/nginx/proxy-<<HOSTNAME>>.log proxy;
+	access_log /var/log/nginx/<<HOSTNAME>>.proxy.log proxy;
+	error_log /var/log/nginx/<<HOSTNAME>>.error.log warn;
+	
+	<<EXPLOITS>>
+	<<WEBSOCKET>>
+	<<HSTS>>
 
 	location / {
+		<<WEBSOCKET>>
+		<<HSTS>>
 		include conf.d/include/force-ssl.conf;
 		include conf.d/include/proxy.conf;
 	}