fatchan
/
jschan
mirror of https://gitgud.io/fatchan/jschan.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

WIP improvement of nginx.sh to be smarter, fix a few broken things, and make it able to support self-signed or no https at all, support a subdomain hosted site, and make www optional

Browse Source
indiachan-spamvector
Thomas Lynch 2 years ago
parent 190410cc54
commit 9bbe1ade7b
1 changed files with 91 additions and 26 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 117
      configs/nginx/nginx.sh

117
configs/nginx/nginx.sh
Unescape View File

@ -5,17 +5,27 @@
[[ "$EUID" -ne 0 ]] && echo "Please run as root" && exit;
echo "[jschan nginx configuration helper]"
read -p "Enter the directory you cloned jschan (blank=$(pwd)): " JSCHAN_DIRECTORY
read -p "Enter the directory you cloned jschan, no trailing slash. (blank=$(pwd)): " JSCHAN_DIRECTORY
JSCHAN_DIRECTORY=${JSCHAN_DIRECTORY:-$(pwd)}
read -p "Enter your clearnet domain name e.g. example.com (blank=no clearnet domain): " CLEARNET_DOMAIN
SITES_AVAILABLE_NAME=${CLEARNET_DOMAIN:-jschan} #not sure on a good default, used for sites-available config name
read -p "Enter tor .onion address (blank=no .onion address): " ONION_DOMAIN
read -p "Enter lokinet .loki address (blank=no .loki address): " LOKI_DOMAIN
read -p "Would you like to add a www. subdomain? (y/n): " ADD_WWW_SUBDOMAIN
if [[ "$CLEARNET_DOMAIN" != "" ]]; then
read -p "Run certbot standalone and automatically configure a certificate for https on clearnet? (y/n): " CERTBOT
if [[ "$CERTBOT" == "n" ]]; then
read -p "Generate a self-signed certificate instead? (y/n): " SELFSIGNED
fi
if [[ "$SELFSIGNED" == "n" ]]; then
read -p "Warning: no https certificate chosen for clearnet. Continue without https? (y/n): " NOCERTIFICATE
[[ "$NOCERTIFICATE" == "n" ]] && echo "Exiting..." && exit;
fi
fi
read -p "Should robots.txt disallow compliant crawlers? (y/n): " ROBOTS_TXT_DISALLOW
read -p "Allow google captcha in content-security policy? (y/n): " GOOGLE_CAPTCHA
read -p "Allow Hcaptcha in content-security policy? (y/n): " H_CAPTCHA
read -p "Download and setup geoip for post flags? (y/n): " GEOIP
read -p "Use certbot to install letsencrypt certificate for https? (y/n): " LETSENCRYPT
#looks good?
read -p "Is this correct?
@ -23,6 +33,10 @@ jschan directory: $JSCHAN_DIRECTORY
clearnet domain: $CLEARNET_DOMAIN
.onion address: $ONION_DOMAIN
.loki address: $LOKI_DOMAIN
www subdomains: $ADD_WWW_SUBDOMAIN
certbot https cert: $CERTBOT
self-signed https cert: $SELFSIGNED
no https cert: $NOCERTIFICATE
robots.txt disallow all: $ROBOTS_TXT_DISALLOW
google captcha: $GOOGLE_CAPTCHA
hcaptcha: $H_CAPTCHA
@ -37,6 +51,10 @@ if [[ -f /etc/nginx/sites-available/$SITES_AVAILABLE_NAME ]]; then
[[ "$OVERWRITE" == "n" ]] && echo "Exiting..." && exit;
fi
echo "Stopping nginx..."
sudo systemctl stop nginx
echo "Copying snippets to nginx folder & replacing paths..."
#copy the snippets and replace install path, they aren't templated
sudo cp $JSCHAN_DIRECTORY/configs/nginx/snippets/* /etc/nginx/snippets
sudo sed -i "s|/path/to/jschan|$JSCHAN_DIRECTORY|g" /etc/nginx/snippets/*
@ -46,13 +64,66 @@ JSCHAN_CONFIG="upstream chan {
server 127.0.0.1:7000;
}"
#Use some variabels to make the templating easier later, depending on if they want www. or not
CLEARNET_SERVER_NAME="$CLEARNET_DOMAIN"
LOKI_SERVER_NAME="$LOKI_DOMAIN"
ONION_SERVER_NAME="$ONION_DOMAIN"
if [ "$ADD_WWW_SUBDOMAIN" == "y" ]; then
CLEARNET_SERVER_NAME="$CLEARNET_DOMAIN www.$CLEARNET_DOMAIN"
LOKI_SERVER_NAME="$LOKI_DOMAIN www.$LOKI_DOMAIN"
ONION_SERVER_NAME="$ONION_DOMAIN www.$ONION_DOMAIN"
fi
if [ "$CLEARNET_DOMAIN" != "" ]; then
if [ "$LETSENCRYPT" == "y" ]; then
HTTPS_MIDSECTION=""
HTTPS_CERT_SECTION=""
if [ "$CERTBOT" == "y" ]; then
#run certbot for certificate
sudo certbot certonly --standalone -d $CLEARNET_DOMAIN -d www.$CLEARNET_DOMAIN
if [ "$ADD_WWW_SUBDOMAIN" == "y" ]; then
echo "Running certbot to get SSL cert for $CLEARNET_DOMAIN and www.$CLEARNET_COMAIN..."
sudo certbot certonly --standalone -d $CLEARNET_DOMAIN -d www.$CLEARNET_DOMAIN
else
echo "Running certbot to get SSL cert for $CLEARNET_DOMAIN..."
sudo certbot certonly --standalone -d $CLEARNET_DOMAIN
fi
HTTPS_CERT_SECTION="
ssl_certificate /etc/letsencrypt/live/$CLEARNET_DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$CLEARNET_DOMAIN/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
"
elif [[ "$SELFSIGNED" == "y" ]]; then
read -p "Warning: no https certificate chosen for clearnet. Continue without any https? (y/n): " NOCERTIFICATE
if [[ "$NOCERTIFICATE" == "n" ]]; then
echo "Exiting..."
exit;
else
fi
fi
if [ "$CERTBOT" == "y" ]
HTTPS_MIDSECTION="
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
$HTTPS_CERT_SECTION
}
server {
if (\$host = www.$CLEARNET_DOMAIN) {
return 301 https://\$host\$request_uri;
}
if (\$host = $CLEARNET_DOMAIN) {
return 301 https://\$host\$request_uri;
}
server_name $CLEARNET_SERVER_NAME;
return 444;
"
#onion_location rediret header
ONION_LOCATION=""
if [ "$ONION_DOMAIN" != "" ]; then
@ -63,41 +134,24 @@ if [ "$CLEARNET_DOMAIN" != "" ]; then
JSCHAN_CONFIG="${JSCHAN_CONFIG}
server {
server_name www.$CLEARNET_DOMAIN $CLEARNET_DOMAIN;
server_name $CLEARNET_SERVER_NAME;
client_max_body_size 0;
$ONION_LOCATION
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/$CLEARNET_DOMAIN/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/$CLEARNET_DOMAIN/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
include /etc/nginx/snippets/security_headers.conf;
include /etc/nginx/snippets/error_pages.conf;
include /etc/nginx/snippets/jschan_clearnet_routes.conf;
include /etc/nginx/snippets/jschan_common_routes.conf;
}
server {
if (\$host = www.$CLEARNET_DOMAIN) {
return 301 https://\$host\$request_uri;
} # managed by Certbot
if (\$host = $CLEARNET_DOMAIN) {
return 301 https://$host\$request_uri;
} # managed by Certbot
server_name www.$CLEARNET_DOMAIN $CLEARNET_DOMAIN;
$HTTPS_MIDSECTION
listen 80;
listen [::]:80;
return 444; # managed by Certbot
}"
#replace clearnet domain in snippets
echo "Replacing clearnet domain in snippets..."
sudo sed -i "s/example.com/$CLEARNET_DOMAIN/g" /etc/nginx/snippets/*
fi
@ -122,10 +176,12 @@ server {
}"
#replace onion domain in snippets
echo "Replacing onion domain in snippets..."
sudo sed -i "s/example.onion/$ONION_DOMAIN/g" /etc/nginx/snippets/*
else
#no onion, remove it from CSP
echo "No onion, removing example.onion from CSP..."
sudo sed -i 's/ wss:\/\/www.example.onion\/ wss:\/\/example.onion\///g' /etc/nginx/snippets/security_headers*
fi
@ -148,24 +204,29 @@ server {
}"
#replace lokinet domain in snippets
echo "Replacing loki domain in snippets..."
sudo sed -i "s/example.loki/$LOKI_DOMAIN/g" /etc/nginx/snippets/*
else
#no lokinet, remove it from csp
echo "No lokinet, removing example.loki from CSP..."
sudo sed -i 's/ wss:\/\/www.example.loki\/ wss:\/\/example.loki\///g' /etc/nginx/snippets/security_headers*
fi
#write the config to file and syymlink to sites-available
echo "Writing main jschan vhost config..."
printf "$JSCHAN_CONFIG" > /etc/nginx/sites-available/$SITES_AVAILABLE_NAME
sudo ln -s -f /etc/nginx/sites-available/$SITES_AVAILABLE_NAME /etc/nginx/sites-enabled/$SITES_AVAILABLE_NAME
if [ "$GOOGLE_CAPTCHA" == "y" ]; then
echo "Allowing recaptcha in CSP..."
#add google captcha CSP exceptions
sudo sed -i "s|script-src|script-src https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ |g" /etc/nginx/snippets/*
sudo sed -i "s|frame-src|frame-src https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/ |g" /etc/nginx/snippets/*
fi
if [ "$H_CAPTCHA" == "y" ]; then
echo "Allowing hcaptcha in CSP..."
#add hcaptcha CSP exceptions
sudo sed -i "s|script-src|script-src https://hcaptcha.com https://*.hcaptcha.com |g" /etc/nginx/snippets/*
sudo sed -i "s|frame-src|frame-src https://hcaptcha.com https://*.hcaptcha.com |g" /etc/nginx/snippets/*
@ -174,12 +235,13 @@ if [ "$H_CAPTCHA" == "y" ]; then
fi
if [ "$ROBOTS_TXT_DISALLOW" == "y" ]; then
echo "Setting robots.txt to disallow all..."
#add path / (all) to disallow to make robots.txt block all robots instead of allowing
sudo sed -i "s|Disallow:|Disallow: /|g" /etc/nginx/snippets/jschan_common_routes.conf
fi
if [ "$GEOIP" == "y" ]; then
echo "Downloading and installing geoip database for nginx..."
#download geoip data
cd /usr/share/GeoIP
mv GeoIP.dat GeoIP.dat.bak
@ -195,8 +257,11 @@ if [ "$GEOIP" == "y" ]; then
geoip_country /usr/share/GeoIP/GeoIP.dat;' /etc/nginx/nginx.conf
fi
else
echo "Geoip not installed, removing directives..."
sudo sed '/geoip_country/d' /etc/nginx/nginx.conf
sudo sed '/geoip_country_code/d' /etc/nginx/snippets/jschan_clearnet_routes.conf
fi
echo "Restarting nginx..."
#and restart nginx
sudo systemctl restart nginx

Write Preview
Loading…
Cancel
Save