Add nginx secure config automation script.
This commit is contained in:
parent
eb84cbaaea
commit
84e5031080
|
@ -0,0 +1,98 @@
|
||||||
|
location_secure_configs=( \
|
||||||
|
'proxy_set_header Accept-Encoding "";' \
|
||||||
|
'proxy_set_header X-Real-IP $remote_addr;' \
|
||||||
|
'proxy_set_header X-Forwarded-Host $http_host;' \
|
||||||
|
'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
|
||||||
|
'proxy_set_header Host $http_host;' \
|
||||||
|
"add_header X-Content-Type-Options nosniff;" \
|
||||||
|
"add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload;' always;" \
|
||||||
|
'proxy_cookie_path / "/; SameSite=Lax; HTTPOnly; Secure";' \
|
||||||
|
'proxy_set_header X-Forwarded-Proto https;' \
|
||||||
|
)
|
||||||
|
|
||||||
|
insert_space=""
|
||||||
|
|
||||||
|
generate_pattern() {
|
||||||
|
local config="$1"
|
||||||
|
echo "$config"|sed -E 's/[[:space:]]+/[[:space:]]+/g'|sed -E 's/\//\\\//g'|sed -E 's/;$/[[:space:]]*\0/1'
|
||||||
|
}
|
||||||
|
|
||||||
|
find_block_offset() {
|
||||||
|
local st_offset=""
|
||||||
|
local ed_offset=""
|
||||||
|
st_offset=`echo "$server_443_block"|grep -E "$1" -n|cut -d ':' -f1|head -1`
|
||||||
|
if [[ ! -z "$st_offset" ]]; then
|
||||||
|
ed_offset=`echo "$server_443_block" | awk '{if (NR>'$st_offset') print}' |grep -E "^[[:space:]]*}" -n|cut -d ':' -f1|head -1`
|
||||||
|
st_offset="$((server_443_st_offset + st_offset - 1))"
|
||||||
|
ed_offset="$((st_offset + ed_offset))"
|
||||||
|
fi
|
||||||
|
echo "$st_offset" "$ed_offset"
|
||||||
|
}
|
||||||
|
|
||||||
|
find_insert_offset() {
|
||||||
|
local st_offset="$1"
|
||||||
|
local ed_offset="$2"
|
||||||
|
local match_pattern="$3"
|
||||||
|
local block_contents=`print_block_contents "$st_offset" "$ed_offset"`
|
||||||
|
local insert_offset=`echo "$block_contents"|grep -E "$match_pattern" -n|cut -d ':' -f1|head -1`
|
||||||
|
if [[ -z "$insert_offset" ]]; then
|
||||||
|
insert_space=`echo "$block_contents"| awk '{if (NR==2) print}'| sed -E "s/^([[:space:]]*).*/\1/1"`
|
||||||
|
insert_offset="$((st_offset + 1))"
|
||||||
|
else
|
||||||
|
insert_space=`echo "$block_contents"| awk '{if (NR=='$insert_offset') print}'| sed -E "s/^([[:space:]]*).*/\1/1"`
|
||||||
|
insert_offset="$((st_offset + insert_offset - 1))"
|
||||||
|
fi
|
||||||
|
echo "$insert_offset","$insert_space"
|
||||||
|
}
|
||||||
|
|
||||||
|
append_config_to_block() {
|
||||||
|
local st_offset="$1"
|
||||||
|
local ed_offset="$2"
|
||||||
|
local insert_offset="$3"
|
||||||
|
local insert_config="$4"
|
||||||
|
local backslash="\\\\"
|
||||||
|
local insert_space=`echo "$5"|sed -E "s/[[:space:]]/${backslash}\0/g"`
|
||||||
|
local block_contents=`print_block_contents "$st_offset" "$ed_offset"`
|
||||||
|
local insert_pattern=`generate_pattern "$insert_config"`
|
||||||
|
if [[ -z `echo "$block_contents"|grep -E "$insert_pattern"` ]]; then
|
||||||
|
sed -i "${insert_offset}i${insert_space}${insert_config}" "$nginx_conf_path"
|
||||||
|
ed_offset="$((ed_offset + 1))"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "$ed_offset"
|
||||||
|
}
|
||||||
|
|
||||||
|
print_block_contents() {
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
echo ""
|
||||||
|
else
|
||||||
|
cat "$nginx_conf_path" | awk '{if (NR>='$1' && NR<='$2') print}'
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
for nginx_conf_path in `find /etc/nginx/orbit_sites/ -type f`; do
|
||||||
|
|
||||||
|
ssl_offset=`grep -E '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' "$nginx_conf_path" -n|cut -d ':' -f1|head -1`
|
||||||
|
|
||||||
|
if [[ ! -z "$ssl_offset" ]]; then
|
||||||
|
server_443_st_offset=`cat "$nginx_conf_path" | awk '{if (NR<'$ssl_offset') print}'|grep -E '^[[:space:]]*server[[:space:]]+{' -n|cut -d ':' -f1|tail -1`
|
||||||
|
server_443_end_offset=`cat "$nginx_conf_path" | awk '{if (NR>'$ssl_offset') print}'|grep -E '^[[:space:]]*server[[:space:]]+{' -n|cut -d ':' -f1|head -1`
|
||||||
|
if [[ -z "$server_443_end_offset" ]]; then
|
||||||
|
server_443_end_offset=`wc -l < "$nginx_conf_path"`
|
||||||
|
else
|
||||||
|
server_443_end_offset="$((server_443_end_offset - 1 + ssl_offset))"
|
||||||
|
fi
|
||||||
|
server_443_block=`print_block_contents "$server_443_st_offset" "$server_443_end_offset"`
|
||||||
|
read location_st_offset location_ed_offset < <(find_block_offset "^[[:space:]]*location[[:space:]]+@app")
|
||||||
|
location_block=`print_block_contents "$location_st_offset" "$location_ed_offset"`
|
||||||
|
if [[ ! -z "$location_block" ]]; then
|
||||||
|
IFS=","
|
||||||
|
read insert_position insert_space < <(find_insert_offset "$location_st_offset" "$location_ed_offset" "^[[:space:]]*proxy_set_header[[:space:]]+")
|
||||||
|
IFS=" "
|
||||||
|
for config in "${location_secure_configs[@]}"; do
|
||||||
|
location_ed_offset=`append_config_to_block "$location_st_offset" "$location_ed_offset" "$insert_position" "$config" "$insert_space"`
|
||||||
|
# append_config_to_block "$location_st_offset" "$location_ed_offset" "$insert_position" "$config" "$insert_space"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
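Review bot: The presence check in generate_pattern does not escape `$`, and in ERE `$` is an end-of-line anchor wherever it appears, so for the five entries that contain nginx variables (`$remote_addr`, `$http_host`, `$proxy_add_x_forwarded_for`) the `grep -E "$insert_pattern"` in append_config_to_block should never match an already-inserted line — every run would re-insert those directives, defeating the idempotency the check is meant to provide. Escaping it before the other substitutions fixes this: `echo "$config"|sed -E 's/\$/\\&/g'|sed -E 's/[[:space:]]+/[[:space:]]+/g'|sed -E 's/\//\\\//g'|sed -E 's/;$/[[:space:]]*\0/1'`. Two nginx-level caveats: `add_header` lines placed inside `location @app` apply only to responses served through that location (static locations get no HSTS/nosniff) and, because `add_header` is inherited only when the current level defines none, they also drop any `add_header` set at server level for that location; and `includeSubDomains; preload` is a commitment that is hard to reverse once a domain is on the preload list, so applying it blindly to every vhost under `/etc/nginx/orbit_sites/` deserves an explicit opt-in rather than a default. Finally the script rewrites live configs with `sed -i` without a backup and without running `nginx -t` afterwards, so a malformed insert is only discovered at the next reload; consider `nginx -t || restore` before exiting.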
|