Add nginx secure config automation script.

This commit is contained in:
邱博亞 2024-07-24 11:56:48 +08:00
parent eb84cbaaea
commit 84e5031080
1 changed files with 98 additions and 0 deletions

98
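--- /dev/null
+++ b/add_nginx_secure_conf.sh
@@ -0,0 +1,98 @@
+location_secure_configs=( \
+'proxy_set_header Accept-Encoding "";' \
+'proxy_set_header X-Real-IP $remote_addr;' \
+'proxy_set_header X-Forwarded-Host $http_host;' \
+'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
+'proxy_set_header Host $http_host;' \
+"add_header X-Content-Type-Options nosniff;" \
+"add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload;' always;" \
+'proxy_cookie_path / "/; SameSite=Lax; HTTPOnly; Secure";' \
+'proxy_set_header X-Forwarded-Proto https;' \
+)
+insert_space=""
+generate_pattern() {
+local config="$1"
+echo "$config"|sed -E 's/[[:space:]]+/[[:space:]]+/g'|sed -E 's/\//\\\//g'|sed -E 's/;$/[[:space:]]*\0/1'
+}
+find_block_offset() {
+local st_offset=""
+local ed_offset=""
+st_offset=`echo "$server_443_block"|grep -E "$1" -n|cut -d ':' -f1|head -1`
+if [[ ! -z "$st_offset" ]]; then
+ed_offset=`echo "$server_443_block" | awk '{if (NR>'$st_offset') print}' |grep -E "^[[:space:]]*}" -n|cut -d ':' -f1|head -1`
+st_offset="$((server_443_st_offset + st_offset - 1))"
+ed_offset="$((st_offset + ed_offset))"
+fi
+echo "$st_offset" "$ed_offset"
+}
+find_insert_offset() {
+local st_offset="$1"
+local ed_offset="$2"
+local match_pattern="$3"
+local block_contents=`print_block_contents "$st_offset" "$ed_offset"`
+local insert_offset=`echo "$block_contents"|grep -E "$match_pattern" -n|cut -d ':' -f1|head -1`
+if [[ -z "$insert_offset" ]]; then
+insert_space=`echo "$block_contents"| awk '{if (NR==2) print}'| sed -E "s/^([[:space:]]*).*/\1/1"`
+insert_offset="$((st_offset + 1))"
+else
+insert_space=`echo "$block_contents"| awk '{if (NR=='$insert_offset') print}'| sed -E "s/^([[:space:]]*).*/\1/1"`
+insert_offset="$((st_offset + insert_offset - 1))"
+fi
+echo "$insert_offset","$insert_space"
+}
+append_config_to_block() {
+local st_offset="$1"
+local ed_offset="$2"
+local insert_offset="$3"
+local insert_config="$4"
+local backslash="\\\\"
+local insert_space=`echo "$5"|sed -E "s/[[:space:]]/${backslash}\0/g"`
+local block_contents=`print_block_contents "$st_offset" "$ed_offset"`
+local insert_pattern=`generate_pattern "$insert_config"`
+if [[ -z `echo "$block_contents"|grep -E "$insert_pattern"` ]]; then
+sed -i "${insert_offset}i${insert_space}${insert_config}" "$nginx_conf_path"
+ed_offset="$((ed_offset + 1))"
+fi
+echo "$ed_offset"
+}
+print_block_contents() {
+if [ -z "$1" ]; then
+echo ""
+else
+cat "$nginx_conf_path" | awk '{if (NR>='$1' && NR<='$2') print}'
+fi
+}
+for nginx_conf_path in `find /etc/nginx/orbit_sites/ -type f`; do
+ssl_offset=`grep -E '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' "$nginx_conf_path" -n|cut -d ':' -f1|head -1`
+if [[ ! -z "$ssl_offset" ]]; then
+server_443_st_offset=`cat "$nginx_conf_path" | awk '{if (NR<'$ssl_offset') print}'|grep -E '^[[:space:]]*server[[:space:]]+{' -n|cut -d ':' -f1|tail -1`
+server_443_end_offset=`cat "$nginx_conf_path" | awk '{if (NR>'$ssl_offset') print}'|grep -E '^[[:space:]]*server[[:space:]]+{' -n|cut -d ':' -f1|head -1`
+if [[ -z "$server_443_end_offset" ]]; then
+server_443_end_offset=`wc -l < "$nginx_conf_path"`
+else
+server_443_end_offset="$((server_443_end_offset - 1 + ssl_offset))"
+fi
+server_443_block=`print_block_contents "$server_443_st_offset" "$server_443_end_offset"`
+read location_st_offset location_ed_offset < <(find_block_offset "^[[:space:]]*location[[:space:]]+@app")
+location_block=`print_block_contents "$location_st_offset" "$location_ed_offset"`
+if [[ ! -z "$location_block" ]]; then
+IFS=","
+read insert_position insert_space < <(find_insert_offset "$location_st_offset" "$location_ed_offset" "^[[:space:]]*proxy_set_header[[:space:]]+")
+IFS=" "
+for config in "${location_secure_configs[@]}"; do
+location_ed_offset=`append_config_to_block "$location_st_offset" "$location_ed_offset" "$insert_position" "$config" "$insert_space"`
+# append_config_to_block "$location_st_offset" "$location_ed_offset" "$insert_position" "$config" "$insert_space"
+done
+fi
+fi
+done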
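Review bot: The idempotence check in `append_config_to_block` is unreliable because `generate_pattern` escapes only `/`, so the `$` in `$remote_addr`, `$http_host` and `$proxy_add_x_forwarded_for` stays a regex anchor in the `grep -E` test and those `proxy_set_header` lines will most likely be re-inserted on every run, leaving duplicated directives in the live config. Escaping ERE metacharacters before the whitespace rewrite fixes it, e.g. `printf '%s\n' "$config" | sed -E 's#[][\\.*^$+?(){}|/]#\\&#g; s/[[:space:]]+/[[:space:]]+/g; s/;$/[[:space:]]*&/'`. Separately, `IFS=" "` after the `read` restores only a space, not the default space/tab/newline, so later word-splitting in the loop (and the unquoted backtick `find` list, which already breaks on paths with spaces) behaves differently from the first iteration; save and restore `IFS`, or use `IFS=, read ...` on the one line. Note also that the inserted HSTS header carries `includeSubDomains; preload` for every vhost under `/etc/nginx/orbit_sites/`, which commits all subdomains of each served domain to HTTPS and is hard to undo once preloaded; consider a comment at the top of the script stating that consequence and that `sed -i` edits the config in place with no backup or `nginx -t` check.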