#!/bin/bash function escape_str(){ echo $1|sed -E 's/\\+//g' |sed -E 's/[\/\.\*]/\\\0/g' } ubuntu_ver="$(lsb_release -rs)" sudo apt install -y make org_pwd="$(pwd)" cpu_cores="$(nproc --all)" if [[ -z "$cpu_cores" ]]; then cpu_cores="1" fi openssl_ver="$(openssl version|xargs| awk '{print $2}')" openssl_dir="" openssl_source_dir="" force_reinstall_openssl="0" if [[ ! -d "/usr/include/openssl" ]] && [[ ! -d "/usr/local/include/openssl" ]] && [[ ! -d "/usr/pkg/include/openssl" ]] && [[ ! -d "/opt/local/include/openssl" ]]; then force_reinstall_openssl="1" fi if [[ "$openssl_ver" < "1.1.1" ]] || [[ "$force_reinstall_openssl" == "1" ]]; then # Build openssl target_openssl_ver="1.1.1m" sudo bash -l -c " cd /root && wget https://www.openssl.org/source/openssl-$target_openssl_ver.tar.gz --no-check-certificate && tar xzvf openssl-$target_openssl_ver.tar.gz && cd openssl-$target_openssl_ver && ./config no-ssl2 no-ssl3 zlib-dynamic -fPIC shared --prefix=/opt/openssl && make depend -j$cpu_cores && make install && rm -f /usr/bin/openssl && ln -s /opt/openssl/bin/* /usr/bin/. && echo'/opt/openssl/lib' > /etc/ld.so.conf.d/openssl.conf && ldconfig" openssl_ver="$target_openssl_ver" cd "$org_pwd" openssl_dir="/opt/openssl" openssl_source_dir="/root/openssl-$target_openssl_ver" fi if [ -z "$cpu_cores" ]; then cpu_cores="1"; fi if [[ "$ubuntu_ver" < "16" ]]; then #Need update ca-certificates manual sudo bash -l -c " cd /root && wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ca-certificates/20210119~20.04.2/ca-certificates_20210119~20.04.2.tar.xz --no-check-certificate && tar -xJf ca-certificates_20210119~20.04.2.tar.xz && cd ca-certificates-20210119~20.04.1 && make -j$cpu_cores && make install && dpkg-reconfigure -fnoninteractive ca-certificates && update-ca-certificates --fresh --verbose && /usr/bin/c_rehash /etc/ssl/certs" cd "$org_pwd" else sudo apt-get update sudo apt-get install --reinstall ca-certificates -y fi install_modsecurity="0" if [[ "$1" == "--install-modsecurity" ]] || [[ "$2" == "--install-modsecurity" ]];then install_modsecurity="1" sudo bash -l -c " cd /root && apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev && git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity && cd ModSecurity && git submodule init && git submodule update && ./build.sh && ./configure && make && make install && cd .. && git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git " fi nginx_configure="" if [ -z $openssl_source_dir ]; then nginx_configure="./configure --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module" else nginx_configure="./configure --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --with-openssl=$openssl_source_dir" fi if [[ "$install_modsecurity" == "1" ]]; then nginx_configure="$nginx_configure --add-dynamic-module=../ModSecurity-nginx" fi nginx_ver="" if [[ ! -z "$(which nginx)" ]]; then nginx_ver="$(nginx -v 2>&1|xargs|awk '{print $3}'|cut -d '/' -f 2)" fi if [[ ! -f /etc/init.d/nginx ]]; then sudo wget http://gitlab.tp.rulingcom.com/erictyl/install_r45_on_ubuntu_1804lts_doc/-/raw/master/nginx_service.sh -O /etc/init.d/nginx sudo chmod 755 /etc/init.d/nginx sudo chown root:root /etc/init.d/nginx if [[ "$ubuntu_ver" > "16" ]] || [[ "$ubuntu_ver" == "16" ]]; then sudo wget http://gitlab.tp.rulingcom.com/erictyl/install_r45_on_ubuntu_1804lts_doc/-/raw/master/nginx.service -O /lib/systemd/system/nginx.service sudo chown root:root /lib/systemd/system/nginx.service sudo chmod 644 /lib/systemd/system/nginx.service sudo systemctl daemon-reload sudo systemctl enable nginx fi fi nginx_target_ver="1.23.1" if [[ "$nginx_ver" < $nginx_target_ver ]] || [[ "$1" == '--force' ]] || [[ "$install_modsecurity" == "1" ]]; then if [ -f "/etc/nginx/nginx.conf" ]; then nginx_conf_exist="1" else nginx_conf_exist="0" fi #Build nginx and install sudo bash -l -c " cd /root && \ wget http://nginx.org/download/nginx-$nginx_target_ver.tar.gz && \ tar -zxvf nginx-$nginx_target_ver.tar.gz && \ cd nginx-$nginx_target_ver && \ apt remove nginx --purge -y && \ apt-get -y install libpcre3 libpcre3-dev libxml2 libxml2-dev libxslt-dev libgd-dev && \ $nginx_configure && \ make -j$cpu_cores && make install && \ rm -f /usr/sbin/nginx && \ ln -s /usr/share/nginx/sbin/nginx /usr/sbin/. && \ mkdir -p /var/lib/nginx && \ service nginx restart" if [[ "$install_modsecurity" == "1" ]]; then sudo bash -l -c " cd /root/nginx-$nginx_target_ver && \ make modules && \ mkdir -p /etc/nginx/modules && \ cp -f objs/ngx_http_modsecurity_module.so /etc/nginx/modules/. && \ echo 'load_module modules/ngx_http_modsecurity_module.so;' > /etc/nginx/modules-enabled/50-mod-modsecurity.conf && \ mkdir -p /etc/nginx/modsec && \ wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended && \ mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf && \ cd .. && \ cp -f ModSecurity/unicode.mapping /etc/nginx/modsec && \ sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf && \ wget http://gitlab.tp.rulingcom.com/erictyl/install_r45_on_ubuntu_1804lts_doc/-/raw/master/modsecurity_main.conf -O /etc/nginx/modsec/main.conf" fi if [[ $nginx_conf_exist == "0" ]]; then nginx_conf_path="/etc/nginx/nginx.conf" server_block_start=`sudo grep -E '^\s*server\s*{' $nginx_conf_path -n|cut -d : -f 1` http_block_start=`sudo grep -E '^\s*http\s*{' $nginx_conf_path -n|cut -d : -f 1` http_block_end_offset=`cat $nginx_conf_path | awk '{if (NR>='$http_block_start') print}'|grep -E '^}' -n|cut -d : -f 1|xargs|awk '{print $1}'` http_block_end=$((http_block_end_offset + http_block_start - 1)) if [ -z "$server_block_start" ]; then if [[ ! -f /etc/nginx/sites-enabled/default ]]; then sudo mkdir -p /etc/nginx/sites-enabled sudo wget http://gitlab.tp.rulingcom.com/erictyl/install_r45_on_ubuntu_1804lts_doc/-/raw/master/sites-enabled-default -O /etc/nginx/sites-enabled/default fi else server_block_contents=`cat $nginx_conf_path | awk '{if (NR>='$server_block_start' && NR <'$http_block_end') print}'` blank_text=`echo "$server_block_contents"|grep -E '^\s*' -m 1|sed 's/\w.*//g'` server_block_contents=`echo "$server_block_contents"|sed "s/^$blank_text//g"` sudo mkdir -p /etc/nginx/sites-enabled echo "$server_block_contents"|sudo tee /etc/nginx/sites-enabled/default 1>/dev/null nginx_conf_contents=`cat $nginx_conf_path | awk '{if (NR<'$server_block_start' || NR >='$http_block_end') print}'` echo "$nginx_conf_contents"|sudo tee $nginx_conf_path 1>/dev/null fi http_block_end_offset=`cat $nginx_conf_path | awk '{if (NR>='$http_block_start') print}'|grep -E '^}' -n|cut -d : -f 1|xargs|awk '{print $1}'` http_block_end=$((http_block_end_offset + http_block_start - 1)) include_list='/etc/nginx/conf.d/\*.conf /etc/nginx/sites-enabled/\*' if [ -z "$(grep 'Virtual Host Configs' $nginx_conf_path)" ]; then virtual_host_configs_text=`echo '\n ##\n # Virtual Host Configs\n ##'` sudo sed -i "$((http_block_end-1)),+0s/.*/\0\\n $(echo "$virtual_host_configs_text")/g" $nginx_conf_path http_block_end_offset=`cat $nginx_conf_path | awk '{if (NR>='$http_block_start') print}'|grep -E '^}' -n|cut -d : -f 1|xargs|awk '{print $1}'` http_block_end=$((http_block_end_offset + http_block_start - 1)) fi for file_list in $include_list; do if [[ "$(cat $nginx_conf_path)" != *"$(echo $file_list|sed 's/\\//g')"* ]]; then sudo sed -i $((http_block_end-1)),+0's/.*/\0\n include '$(escape_str $file_list)';/g' $nginx_conf_path http_block_end=$((http_block_end + 1)) fi done if [[ "$install_modsecurity" == "1" ]]; then echo "Please modify your nginx conf file by yourself!" echo " server { # ... modsecurity on; modsecurity_rules_file /etc/nginx/modsec/main.conf; } " fi fi cd "$org_pwd" fi