From 84e50310807d688c5dd38d0a87526f34f7d94c0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=82=B1=E5=8D=9A=E4=BA=9E?=
Date: Wed, 24 Jul 2024 11:56:48 +0800
Subject: [PATCH] Add nginx secure config automation script.
---
 add_nginx_secure_conf.sh | 98 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 add_nginx_secure_conf.sh
diff --git a/add_nginx_secure_conf.sh b/add_nginx_secure_conf.sh
new file mode 100644
index 0000000..3d46a02
--- /dev/null
+++ b/add_nginx_secure_conf.sh
@@ -0,0 +1,98 @@
+location_secure_configs=( \
+ 'proxy_set_header Accept-Encoding "";' \
+ 'proxy_set_header X-Real-IP $remote_addr;' \
+ 'proxy_set_header X-Forwarded-Host $http_host;' \
+ 'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
+ 'proxy_set_header Host $http_host;' \
+ "add_header X-Content-Type-Options nosniff;" \
+ "add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload;' always;" \
+ 'proxy_cookie_path / "/; SameSite=Lax; HTTPOnly; Secure";' \
+ 'proxy_set_header X-Forwarded-Proto https;' \
+)
+
+insert_space=""
+
+generate_pattern() {
+ local config="$1"
+ echo "$config"|sed -E 's/[[:space:]]+/[[:space:]]+/g'|sed -E 's/\//\\\//g'|sed -E 's/;$/[[:space:]]*\0/1'
+}
+
+find_block_offset() {
+ local st_offset=""
+ local ed_offset=""
+ st_offset=`echo "$server_443_block"|grep -E "$1" -n|cut -d ':' -f1|head -1`
+ if [[ ! -z "$st_offset" ]]; then
+ ed_offset=`echo "$server_443_block" | awk '{if (NR>'$st_offset') print}' |grep -E "^[[:space:]]*}" -n|cut -d ':' -f1|head -1`
+ st_offset="$((server_443_st_offset + st_offset - 1))"
+ ed_offset="$((st_offset + ed_offset))"
+ fi
+ echo "$st_offset" "$ed_offset"
+}
+
+find_insert_offset() {
+ local st_offset="$1"
+ local ed_offset="$2"
+ local match_pattern="$3"
+ local block_contents=`print_block_contents "$st_offset" "$ed_offset"`
+ local insert_offset=`echo "$block_contents"|grep -E "$match_pattern" -n|cut -d ':' -f1|head -1`
+ if [[ -z "$insert_offset" ]]; then
+ insert_space=`echo "$block_contents"| awk '{if (NR==2) print}'| sed -E "s/^([[:space:]]*).*/\1/1"`
+ insert_offset="$((st_offset + 1))"
+ else
+ insert_space=`echo "$block_contents"| awk '{if (NR=='$insert_offset') print}'| sed -E "s/^([[:space:]]*).*/\1/1"`
+ insert_offset="$((st_offset + insert_offset - 1))"
+ fi
+ echo "$insert_offset","$insert_space"
+}
+
+append_config_to_block() {
+ local st_offset="$1"
+ local ed_offset="$2"
+ local insert_offset="$3"
+ local insert_config="$4"
+ local backslash="\\\\"
+ local insert_space=`echo "$5"|sed -E "s/[[:space:]]/${backslash}\0/g"`
+ local block_contents=`print_block_contents "$st_offset" "$ed_offset"`
+ local insert_pattern=`generate_pattern "$insert_config"`
+ if [[ -z `echo "$block_contents"|grep -E "$insert_pattern"` ]]; then
+ sed -i "${insert_offset}i${insert_space}${insert_config}" "$nginx_conf_path"
+ ed_offset="$((ed_offset + 1))"
+ fi
+
+ echo "$ed_offset"
+}
+
+print_block_contents() {
+ if [ -z "$1" ]; then
+ echo ""
+ else
+ cat "$nginx_conf_path" | awk '{if (NR>='$1' && NR<='$2') print}'
+ fi
+}
+
+for nginx_conf_path in `find /etc/nginx/orbit_sites/ -type f`; do
+
+ ssl_offset=`grep -E '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' "$nginx_conf_path" -n|cut -d ':' -f1|head -1`
+
+ if [[ ! -z "$ssl_offset" ]]; then
+ server_443_st_offset=`cat "$nginx_conf_path" | awk '{if (NR<'$ssl_offset') print}'|grep -E '^[[:space:]]*server[[:space:]]+{' -n|cut -d ':' -f1|tail -1`
+ server_443_end_offset=`cat "$nginx_conf_path" | awk '{if (NR>'$ssl_offset') print}'|grep -E '^[[:space:]]*server[[:space:]]+{' -n|cut -d ':' -f1|head -1`
+ if [[ -z "$server_443_end_offset" ]]; then
+ server_443_end_offset=`wc -l < "$nginx_conf_path"`
+ else
+ server_443_end_offset="$((server_443_end_offset - 1 + ssl_offset))"
+ fi
+ server_443_block=`print_block_contents "$server_443_st_offset" "$server_443_end_offset"`
+ read location_st_offset location_ed_offset < <(find_block_offset "^[[:space:]]*location[[:space:]]+@app")
+ location_block=`print_block_contents "$location_st_offset" "$location_ed_offset"`
+ if [[ ! -z "$location_block" ]]; then
+ IFS=","
+ read insert_position insert_space < <(find_insert_offset "$location_st_offset" "$location_ed_offset" "^[[:space:]]*proxy_set_header[[:space:]]+")
+ IFS=" "
+ for config in "${location_secure_configs[@]}"; do
+ location_ed_offset=`append_config_to_block "$location_st_offset" "$location_ed_offset" "$insert_position" "$config" "$insert_space"`
+ # append_config_to_block "$location_st_offset" "$location_ed_offset" "$insert_position" "$config" "$insert_space"
+ done
+ fi
+ fi
+done
\ No newline at end of file
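Review bot: The two `add_header` entries in `location_secure_configs` are injected into `location @app`, and nginx only inherits `add_header` from the enclosing `server`/`http` level when the current level defines none, so any header set at server level (X-Frame-Options, CSP, Referrer-Policy, …) silently stops being sent for that location once this runs; either inject the full header set here or warn maintainers with a comment above the array such as `# NOTE: add_header inside a location replaces, not extends, server-level add_header`. `proxy_cookie_path / "/; SameSite=Lax; HTTPOnly; Secure";` only rewrites Set-Cookie headers that already carry `Path=/`, so upstream cookies without a path attribute keep leaving without Secure/HttpOnly; `proxy_cookie_flags ~ secure httponly samesite=lax;` (nginx 1.19.3+) covers every cookie if the target version allows it. The idempotency check in generate_pattern escapes `/` but not `$`, which `grep -E` treats as an anchor, so entries like `X-Real-IP $remote_addr;` appear never to match and would be re-inserted on every run; appending `|sed -E 's/\$/\\$/g'` to that pipeline should fix it. Finally, `sed -i` edits live files under /etc/nginx/orbit_sites/ with no backup and no `nginx -t` afterwards, so a bad insert only surfaces at the next reload.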