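#!/bin/bash
# nginx.sh --> Install and Configure Nginx with Security Enhancements
#
# Installs nginx, certbot and fail2ban, drops a baseline hardening config
# into /etc/nginx/conf.d and a fail2ban jail into /etc/fail2ban/jail.d,
# then enables and restarts both services. Expects env.sh (next to this
# script) to set LOG_FILE. Must run as root: apt-get, writes under /etc
# and systemctl all need it.
set -euo pipefail

#######################################
# Print an error to stderr and the log file, then exit 1.
# Globals:   LOG_FILE (read; falls back to /dev/null if unset)
# Arguments: message words
#######################################
die() {
  printf 'Error: %s\n' "$*" | tee -a "${LOG_FILE:-/dev/null}" >&2
  exit 1
}

# shellcheck disable=SC1090
source "$(dirname "$0")/env.sh"
: "${LOG_FILE:?env.sh must set LOG_FILE}"

# Everything below writes under /etc or drives apt-get/systemctl.
(( EUID == 0 )) || die "this script must be run as root"

echo "=== 04_install_basics: Installing packages..." | tee -a "$LOG_FILE"
{
  # Update package list
  apt-get update
  # Install Nginx and supporting packages. Non-interactive so an unattended
  # run cannot block on a debconf prompt.
  DEBIAN_FRONTEND=noninteractive apt-get install -y nginx nginx-extras certbot python3-certbot-nginx apache2-utils fail2ban

  # Create Nginx cache directories
  mkdir -p /var/cache/nginx/proxy_cache
  chown -R www-data:www-data /var/cache/nginx/proxy_cache

  # Basic security configurations
  # Backup original nginx.conf — only the first time, so re-running the
  # script after local edits does not overwrite the pristine copy.
  if [[ ! -e /etc/nginx/nginx.conf.backup ]]; then
    cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
  fi

  # Create basic security parameters.
  # NOTE(review): nginx inherits add_header from this http-level drop-in
  # only into server/location blocks that set no add_header of their own;
  # a vhost that adds one header silently loses all of these.
  # NOTE(review): the CSP permits 'unsafe-inline' plus any http:/https:
  # origin, so it blocks very little — tighten it per application.
  # NOTE(review): X-XSS-Protection is a legacy header; current guidance is
  # to omit it (or set "0") and rely on CSP — confirm before changing.
  # NOTE(review): large_client_header_buffers 2 1k rejects any request
  # whose headers (cookies included) exceed 1 KiB with 400/494 — verify
  # that against the applications this host will front.
  cat > /etc/nginx/conf.d/security.conf << 'EOF'
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Basic DoS mitigation
client_body_timeout 10s;
client_header_timeout 10s;
client_max_body_size 100M;
large_client_header_buffers 2 1k;
# File upload security
client_body_buffer_size 16k;
EOF

  # Configure fail2ban for Nginx.
  # NOTE(review): nginx-http-auth is a stock fail2ban filter, but I am not
  # aware of a stock filter named nginx-bad-requests (fail2ban 1.0 ships
  # `nginx-bad-request`, singular). If /etc/fail2ban/filter.d has no file
  # of that name, fail2ban rejects the jail and the restart below fails —
  # confirm the filter name.
  cat > /etc/fail2ban/jail.d/nginx.conf << 'EOF'
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
findtime = 600
bantime = 3600
[nginx-bad-requests]
enabled = true
port = http,https
filter = nginx-bad-requests
logpath = /var/log/nginx/access.log
maxretry = 3
findtime = 600
bantime = 3600
EOF

  # Validate the nginx config before touching the service, so a bad
  # drop-in fails here with a readable message instead of taking nginx
  # down on restart.
  nginx -t

  # Restart services
  systemctl enable nginx
  systemctl enable fail2ban
  systemctl restart fail2ban
  systemctl restart nginx
} 2>&1 | tee -a "$LOG_FILE"

# Verify installation
if systemctl is-active --quiet nginx; then
  echo "Nginx installed and running successfully." | tee -a "$LOG_FILE"
else
  die "Nginx installation failed!"
fi
echo "Done." | tee -a "$LOG_FILE"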