diff --git a/install_nginx.sh b/install_nginx.sh
index b9d62c3..02ed264 100644
--- a/install_nginx.sh
+++ b/install_nginx.sh
@@ -53,21 +53,34 @@ force_reinstall_openssl="0"
 if [[ ! -d "/usr/include/openssl" ]] && [[ ! -d "/usr/local/include/openssl" ]] && [[ ! -d "/usr/pkg/include/openssl" ]] && [[ ! -d "/opt/local/include/openssl" ]] && [[ ! -d /opt/openssl/include/openssl ]]; then
 force_reinstall_openssl="1"
 fi
+target_openssl_ver="1.1.1w"
+if [ "$(readlink -f `which openssl`)" == "/opt/openssl/bin/openssl" ]; then
+ openssl_dir="/opt/openssl/ssl"
+ openssl_source_dir="/root/openssl-$target_openssl_ver"
+ if [ -z `sudo readlink -f "$openssl_source_dir"` ]; then
+ force_reinstall_openssl="1"
+ else
+ if [ -d /opt/openssl/ssl/certs ] && [ ! -L /opt/openssl/ssl/certs ]; then
+ rm -rf /opt/openssl/ssl/certs && ln -sf /etc/ssl/certs /opt/openssl/ssl/.
+ fi
+ fi
+fi
 if [[ $(vercomp "$openssl_ver" "1.1.1") == "<" ]] || [[ "$force_reinstall_openssl" == "1" ]]; then
 # Build openssl
- target_openssl_ver="1.1.1q"
 sudo bash -l -c "
 cd /root &&
 wget https://www.openssl.org/source/openssl-$target_openssl_ver.tar.gz --no-check-certificate -O openssl-$target_openssl_ver.tar.gz &&
 tar xzvf openssl-$target_openssl_ver.tar.gz &&
+ rm -rf /opt/openssl &&
 cd openssl-$target_openssl_ver &&
 ./config no-ssl2 no-ssl3 zlib-dynamic -fPIC shared --prefix=/opt/openssl &&
- make depend -j$cpu_cores && make install &&
+ make depend -j$cpu_cores && make install -j$cpu_cores &&
 rm -f /usr/bin/openssl && ln -sf /opt/openssl/bin/* /usr/bin/. &&
 echo '/opt/openssl/lib' > /etc/ld.so.conf.d/openssl.conf && ldconfig &&
- cp -f /opt/openssl/lib/pkgconfig/openssl.pc /usr/lib/x86_64-linux-gnu/pkgconfig/."
+ cp -f /opt/openssl/lib/pkgconfig/openssl.pc /usr/lib/x86_64-linux-gnu/pkgconfig/. &&
+ ln -sf /etc/ssl/certs /opt/openssl/ssl/."
 openssl_ver="$target_openssl_ver"
 cd "$org_pwd"
 openssl_dir="/opt/openssl/ssl"
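Review bot: The new trailing `ln -sf /etc/ssl/certs /opt/openssl/ssl/.` runs right after `make install`, which leaves a real `certs` directory under the OpenSSL dir (the new `else` branch earlier in this hunk exists precisely to `rm -rf` that directory), so on a fresh build the link is created as `/opt/openssl/ssl/certs/certs` and the rebuilt OpenSSL still trusts no CAs until the script is run a second time; `rm -rf /opt/openssl/ssl/certs && ln -sfn /etc/ssl/certs /opt/openssl/ssl/certs` makes the first run correct. The new `[ -z ... ]` test around `sudo readlink -f "$openssl_source_dir"` also never fires, because GNU `readlink -f` still prints a canonical path when only the last component is missing, so a missing `openssl-1.1.1w` source tree does not set `force_reinstall_openssl` and, if `$openssl_ver` is already ≥ 1.1.1 from a previous install, the version bump is presumably never applied; `if ! sudo test -d "$openssl_source_dir"; then` is what was intended. Separately, the added `rm -rf /opt/openssl &&` executes before `./config`/`make install` have succeeded, so a failed build leaves the `/usr/bin/openssl` symlinks and `/etc/ld.so.conf.d/openssl.conf` pointing at a deleted tree and breaks anything linked against `/opt/openssl/lib`; deleting the old prefix only after the new build is installed would be safer. Note too that pinning `target_openssl_ver` does not protect the download itself, which is still fetched with `--no-check-certificate` and no SHA-256 comparison.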
@@ -105,43 +118,33 @@ extra_build_nginx_cmd="true"
 if [[ "$@" == *"--install-modsecurity"* ]];then
 install_modsecurity="1"
 if [[ $(vercomp "$ubuntu_ver" "16") == "<" ]]; then #use 3.0.6
- sudo bash -l -c "
- cd /root &&
- apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev &&
- git clone https://github.com/SpiderLabs/ModSecurity.git &&
- cd ModSecurity &&
- git checkout v3.0.6 &&
- git submodule init &&
- git submodule update &&
- ./build.sh &&
- ./configure &&
- make &&
- make install &&
- cd .. &&
- git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
- "
+ modsecurity_branch="v3.0.6"
 else
- sudo bash -l -c "
- cd /root &&
- apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev &&
- git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity &&
- cd ModSecurity &&
- git submodule init &&
- git submodule update &&
- ./build.sh &&
- ./configure &&
- make &&
- make install &&
- cd .. &&
- git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
- "
+ modsecurity_branch="v3/master"
 fi
+ sudo bash -l -c "
+ cd /root &&
+ apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev &&
+ rm -rf ModSecurity &&
+ git clone --depth 1 -b $modsecurity_branch --single-branch https://github.com/SpiderLabs/ModSecurity &&
+ cd ModSecurity &&
+ git submodule init &&
+ git submodule update &&
+ ./build.sh &&
+ ./configure &&
+ make &&
+ make install &&
+ cd .. &&
+ rm -rf ModSecurity-nginx &&
+ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
+ "
 nginx_configure="$nginx_configure --add-dynamic-module=../ModSecurity-nginx"
 fi
 if [[ "$@" == *"--install-naxsi"* ]];then
 install_naxsi="1"
 sudo bash -l -c "
 cd /root &&
+ rm -rf naxsi &&
 git clone --depth 1 https://github.com/nbs-system/naxsi.git
 "
 nginx_configure="$nginx_configure --add-module=../naxsi/naxsi_src"
@@ -238,11 +241,12 @@ if [[ $(vercomp "$nginx_ver" "$nginx_target_ver") == "<" ]] || [[ "$1" == '--fo
 cp -f objs/ngx_http_modsecurity_module.so /etc/nginx/modules/. && \
 echo 'load_module modules/ngx_http_modsecurity_module.so;' > /etc/nginx/modules-enabled/50-mod-modsecurity.conf && \
 mkdir -p /etc/nginx/modsec && \
- wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended && \
- mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf && \
+ wget --no-check-certificate -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O modsecurity.conf && \
 cd .. && \
 cp -f ModSecurity/unicode.mapping /etc/nginx/modsec && \
 sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf && \
+ sed -i 's/SecRequestBodyLimit 13107200/SecRequestBodyLimit 131072000/' /etc/nginx/modsec/modsecurity.conf && \
+ sed -i 's/SecRequestBodyNoFilesLimit 131072/SecRequestBodyNoFilesLimit 1310720/' /etc/nginx/modsec/modsecurity.conf && \
 wget http://gitlab.tp.rulingcom.com/erictyl/install_r45_on_ubuntu_1804lts_doc/-/raw/master/modsecurity_main.conf -O /etc/nginx/modsec/main.conf"
 fi
 if [[ $nginx_conf_exist == "0" ]]; then
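Review bot: The merged clone `git clone --depth 1 -b $modsecurity_branch --single-branch https://github.com/SpiderLabs/ModSecurity` now builds and `make install`s as root whatever commit `v3/master` happens to point at on Ubuntu 16 and later, while the older path pins `v3.0.6`; for a WAF engine compiled into nginx that is neither reproducible nor reviewable, so `modsecurity_branch` should carry a release tag in both arms (`-b` accepts tags), and the same applies to the unpinned `ModSecurity-nginx` clone that follows. At minimum, logging `git rev-parse HEAD` after the checkout would record which revision each host actually installed. The new `rm -rf ModSecurity` / `rm -rf ModSecurity-nginx` / `rm -rf naxsi` lines are a sensible re-run fix, but they are safe only because the preceding `cd /root &&` holds; a guard such as `cd /root && rm -rf -- ModSecurity` on the same line would keep that coupling visible. The `if [[ "$@" == *"--install-naxsi"* ]]` block at the end of this hunk closes outside it.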
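Review bot: The rewritten fetch `wget --no-check-certificate -P /etc/nginx/modsec/ … -O modsecurity.conf` does not produce `/etc/nginx/modsec/modsecurity.conf`: when `-O` is given wget ignores `-P` and writes the file relative to the current directory (the nginx source tree at this point, judging by `objs/` on the preceding line), so the following `sed -i … /etc/nginx/modsec/modsecurity.conf` fails on a missing file and the `&&` chain never reaches the `main.conf` download; use `wget -O /etc/nginx/modsec/modsecurity.conf https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended && \`. Adding `--no-check-certificate` here also disables TLS verification for a WAF configuration that is installed as root and then switched to `SecRuleEngine On`, so anyone between this host and GitHub can dictate the ruleset; if the flag was added because the custom OpenSSL could not find CAs, the `/etc/ssl/certs` symlink in the OpenSSL hunk is the proper fix and the flag should be dropped (the plain `http://` fetch of `main.conf` carries the same exposure). The two new `SecRequestBodyLimit`/`SecRequestBodyNoFilesLimit` substitutions silently do nothing if upstream changes its default values, so a `grep -q` before each `sed -i`, or appending the directives to `main.conf`, would make the tenfold increase explicit. The enclosing `if [[ $(vercomp "$nginx_ver" …` block begins before this hunk.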