309 lines
17 KiB
Bash
309 lines
17 KiB
Bash
#!/bin/bash
|
|
vercomp () {
|
|
if [[ "$1" == "$2" ]]; then
|
|
echo "=";
|
|
return 0;
|
|
fi
|
|
local IFS=.;
|
|
local i ver1=($1) ver2=($2);
|
|
# fill empty fields in ver1 with zeros
|
|
for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)); do
|
|
ver1[i]=0
|
|
done
|
|
for ((i=0; i<${#ver1[@]}; i++)); do
|
|
if [[ -z ${ver2[i]} ]]; then
|
|
# fill empty fields in ver2 with zeros
|
|
ver2[i]=0
|
|
fi
|
|
if ((10#${ver1[i]} > 10#${ver2[i]})); then
|
|
echo ">";
|
|
return 0;
|
|
fi
|
|
if ((10#${ver1[i]} < 10#${ver2[i]})); then
|
|
echo "<";
|
|
return 0;
|
|
fi
|
|
done
|
|
echo "=";
|
|
return 0;
|
|
}
|
|
function escape_str(){
|
|
echo $1|sed -E 's/\\+//g' |sed -E 's/[\/\.\*]/\\\0/g'
|
|
}
|
|
ubuntu_ver="$(lsb_release -rs)"
|
|
if [[ -e "/etc/needrestart/needrestart.conf" ]]; then
|
|
sudo sed -E -i "s/(^|#)\\\$nrconf\{restart\}\s*=.*/\$nrconf\{restart\} = 'a';/g" /etc/needrestart/needrestart.conf
|
|
sudo sed -E -i "s/(^|#)\\\$nrconf\{kernelhints\}\s*=.*/\$nrconf\{kernelhints\} = -1;/g" /etc/needrestart/needrestart.conf
|
|
fi
|
|
sudo apt-get update
|
|
if [[ -z "$(which git)" ]]; then
|
|
sudo apt-get install -y git
|
|
fi
|
|
sudo apt-get install -y linux-kernel-headers software-properties-common build-essential
|
|
sudo apt-get install -y libxslt-dev libgd-dev
|
|
org_pwd="$(pwd)"
|
|
cpu_cores="$(nproc --all)"
|
|
if [[ -z "$cpu_cores" ]]; then
|
|
cpu_cores="1"
|
|
fi
|
|
openssl_ver="$(openssl version|xargs| awk '{print $2}')"
|
|
openssl_dir=""
|
|
openssl_source_dir=""
|
|
force_reinstall_openssl="0"
|
|
if [[ ! -d "/usr/include/openssl" ]] && [[ ! -d "/usr/local/include/openssl" ]] && [[ ! -d "/usr/pkg/include/openssl" ]] && [[ ! -d "/opt/local/include/openssl" ]] && [[ ! -d /opt/openssl/include/openssl ]]; then
|
|
force_reinstall_openssl="1"
|
|
fi
|
|
target_openssl_ver="1.1.1w"
|
|
if [ "$(readlink -f `which openssl`)" == "/opt/openssl/bin/openssl" ]; then
|
|
openssl_dir="/opt/openssl/ssl"
|
|
openssl_source_dir="/root/openssl-$target_openssl_ver"
|
|
if [ ! -e "$openssl_source_dir" ] || [ -z `readlink -f "$openssl_source_dir"` ]; then
|
|
force_reinstall_openssl="1"
|
|
else
|
|
if [ -d /opt/openssl/ssl/certs ] && [ ! -L /opt/openssl/ssl/certs ]; then
|
|
rm -rf /opt/openssl/ssl/certs && ln -sf /etc/ssl/certs /opt/openssl/ssl/.
|
|
fi
|
|
fi
|
|
fi
|
|
if [[ $(vercomp "${openssl_ver:0:-1}" "1.1.1") == "<" ]] || [[ "$force_reinstall_openssl" == "1" ]]; then
|
|
# Build openssl
|
|
sudo bash -l -c "
|
|
cd /root &&
|
|
wget https://www.openssl.org/source/openssl-$target_openssl_ver.tar.gz --no-check-certificate -O openssl-$target_openssl_ver.tar.gz &&
|
|
tar xzvf openssl-$target_openssl_ver.tar.gz &&
|
|
rm -rf /opt/openssl &&
|
|
cd openssl-$target_openssl_ver &&
|
|
./config no-ssl2 no-ssl3 zlib-dynamic -fPIC shared --prefix=/opt/openssl &&
|
|
make depend -j$cpu_cores && make install -j$cpu_cores &&
|
|
rm -f /usr/bin/openssl &&
|
|
ln -sf /opt/openssl/bin/* /usr/bin/. &&
|
|
echo '/opt/openssl/lib' > /etc/ld.so.conf.d/openssl.conf &&
|
|
ldconfig &&
|
|
cp -f /opt/openssl/lib/pkgconfig/openssl.pc /usr/lib/x86_64-linux-gnu/pkgconfig/. &&
|
|
ln -sf /etc/ssl/certs /opt/openssl/ssl/."
|
|
openssl_ver="$target_openssl_ver"
|
|
cd "$org_pwd"
|
|
openssl_dir="/opt/openssl/ssl"
|
|
openssl_source_dir="/root/openssl-$target_openssl_ver"
|
|
fi
|
|
if [ -z "$cpu_cores" ]; then
|
|
cpu_cores="1";
|
|
fi
|
|
if [[ $(vercomp "$ubuntu_ver" "16") == "<" ]]; then #Need update ca-certificates manual
|
|
sudo apt-get install -y openssl libssl1.0 libssl-dev
|
|
sudo apt-get install -y apt-transport-https ca-certificates
|
|
sudo update-ca-certificates
|
|
sudo bash -l -c "
|
|
cd /root &&
|
|
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ca-certificates/20210119~20.04.2/ca-certificates_20210119~20.04.2.tar.xz --no-check-certificate -O ca-certificates_20210119~20.04.2.tar.xz &&
|
|
tar -xJf ca-certificates_20210119~20.04.2.tar.xz &&
|
|
cd ca-certificates-20210119~20.04.1 &&
|
|
make -j$cpu_cores && make install &&
|
|
dpkg-reconfigure -fnoninteractive ca-certificates &&
|
|
if [ -e /etc/ca-certificates.conf ]; then sed -E 's/^!//g' -i /etc/ca-certificates.conf; sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/' /etc/ca-certificates.conf; fi &&
|
|
dpkg-reconfigure -fnoninteractive ca-certificates &&
|
|
update-ca-certificates --fresh --verbose &&
|
|
/usr/bin/c_rehash /etc/ssl/certs"
|
|
cd "$org_pwd"
|
|
else
|
|
sudo apt-get install --reinstall ca-certificates -y
|
|
fi
|
|
nginx_configure=""
|
|
if [ -z $openssl_source_dir ]; then
|
|
nginx_configure="./configure --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-mail=dynamic --with-mail_ssl_module --add-module=../headers-more-nginx-module"
|
|
else
|
|
nginx_configure="./configure --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-mail=dynamic --with-mail_ssl_module --add-module=../headers-more-nginx-module --with-openssl=$openssl_source_dir"
|
|
fi
|
|
install_modsecurity="0"
|
|
install_passenger="0"
|
|
extra_remove_packages=""
|
|
extra_build_nginx_cmd="true"
|
|
if [[ "$@" == *"--install-modsecurity"* ]];then
|
|
install_modsecurity="1"
|
|
if [[ $(vercomp "$ubuntu_ver" "16") == "<" ]]; then #use 3.0.6
|
|
modsecurity_branch="v3.0.6"
|
|
else
|
|
modsecurity_branch="v3/master"
|
|
fi
|
|
sudo bash -l -c "
|
|
cd /root &&
|
|
apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev &&
|
|
rm -rf ModSecurity &&
|
|
git clone --depth 1 -b $modsecurity_branch --single-branch https://github.com/SpiderLabs/ModSecurity &&
|
|
cd ModSecurity &&
|
|
git submodule init &&
|
|
git submodule update &&
|
|
./build.sh &&
|
|
./configure &&
|
|
make &&
|
|
make install &&
|
|
cd .. &&
|
|
rm -rf ModSecurity-nginx &&
|
|
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
|
|
"
|
|
nginx_configure="$nginx_configure --add-dynamic-module=../ModSecurity-nginx"
|
|
fi
|
|
if [[ "$@" == *"--install-naxsi"* ]];then
|
|
install_naxsi="1"
|
|
sudo bash -l -c "
|
|
cd /root &&
|
|
rm -rf naxsi &&
|
|
git clone --depth 1 https://github.com/nbs-system/naxsi.git
|
|
"
|
|
nginx_configure="$nginx_configure --add-module=../naxsi/naxsi_src"
|
|
fi
|
|
if [[ "$@" == *"--install-passenger"* ]];then
|
|
install_passenger="1"
|
|
extra_remove_packages="$extra_remove_packages passenger"
|
|
if [ -e "/etc/profile.d/rvm.sh" ]; then
|
|
source "/etc/profile.d/rvm.sh"
|
|
fi
|
|
if [ -z "$rvm_path" ]; then
|
|
sudo apt-add-repository -y ppa:rael-gc/rvm
|
|
sudo apt-get update
|
|
sudo apt-get install rvm -y
|
|
sudo usermod -a -G rvm $USER
|
|
echo 'source "/etc/profile.d/rvm.sh"' >> ~/.bashrc
|
|
source "/etc/profile.d/rvm.sh"
|
|
sudo chown $USER:$USER $HOME -R
|
|
rvm user gemsets
|
|
sudo chown $USER:$USER /usr/share/rvm -R
|
|
sudo apt install libjemalloc-dev -y
|
|
rvm install 2.7.6 --with-openssl-dir="$openssl_dir" -C --with-jemalloc
|
|
curl -sSL https://rvm.io/mpapis.asc | sudo gpg --import -
|
|
curl -sSL https://rvm.io/pkuczynski.asc | sudo gpg --import -
|
|
rvmsudo rvm get stable && rvm reload && rvmsudo rvm repair all
|
|
fi
|
|
gem_path=`which gem`
|
|
path_for_sudo=`sudo bash -l -c 'echo $PATH'`
|
|
path_for_sudo="PATH=$(dirname $gem_path):$path_for_sudo"
|
|
$gem_path install passenger
|
|
if [ ! -d "/usr/include/curl" ]; then # /usr/include/curl must exist when building passenger nginx
|
|
sudo apt-get -y install libcurl4-openssl-dev
|
|
fi
|
|
|
|
nginx_configure="$nginx_configure --add-dynamic-module=$(bash -l -c "$path_for_sudo passenger-config --nginx-addon-dir")"
|
|
nginx_configure="export $path_for_sudo && $nginx_configure"
|
|
echo $nginx_configure
|
|
extra_build_nginx_cmd="$extra_build_nginx_cmd && ln -s /usr/lib/nginx/modules/ngx_http_passenger_module.so /etc/nginx/modules-enabled/ngx_http_passenger_module.so && \
|
|
echo 'load_module /etc/nginx/modules-enabled/ngx_http_passenger_module.so;' > /etc/nginx/modules-enabled/50-mod-http-passenger.conf"
|
|
fi
|
|
|
|
nginx_ver=""
|
|
if [[ ! -z "$(which nginx)" ]]; then
|
|
nginx_ver="$(nginx -v 2>&1|xargs|awk '{print $3}'|cut -d '/' -f 2)"
|
|
fi
|
|
if [[ ! -f /etc/init.d/nginx ]]; then
|
|
sudo wget http://gitlab.tp.rulingcom.com/erictyl/install_r45_on_ubuntu_1804lts_doc/-/raw/master/nginx_service.sh -O /etc/init.d/nginx
|
|
sudo chmod 755 /etc/init.d/nginx
|
|
sudo chown root:root /etc/init.d/nginx
|
|
if [[ $(vercomp "$ubuntu_ver" "16") == ">" ]]; then
|
|
sudo wget http://gitlab.tp.rulingcom.com/erictyl/install_r45_on_ubuntu_1804lts_doc/-/raw/master/nginx.service -O /lib/systemd/system/nginx.service
|
|
sudo chown root:root /lib/systemd/system/nginx.service
|
|
sudo chmod 644 /lib/systemd/system/nginx.service
|
|
sudo chmod -x /lib/systemd/system/nginx.service
|
|
sudo systemctl daemon-reload
|
|
sudo systemctl unmask nginx
|
|
sudo systemctl enable nginx
|
|
fi
|
|
fi
|
|
nginx_target_ver="1.23.4"
|
|
if [[ $(vercomp "$nginx_ver" "$nginx_target_ver") == "<" ]] || [[ "$1" == '--force' ]] || [[ "$install_modsecurity" == "1" ]] || [[ "$install_passenger" == "1" ]]; then
|
|
if [ -f "/etc/nginx/nginx.conf" ]; then
|
|
nginx_conf_exist="1"
|
|
else
|
|
nginx_conf_exist="0"
|
|
fi
|
|
nginx_org_path="$(which nginx)"
|
|
if [[ ! -z "$nginx_org_path" ]]; then
|
|
rm -f $nginx_org_path
|
|
fi
|
|
#Build nginx and install
|
|
sudo bash -l -c "
|
|
cd /root && \
|
|
if [ ! -e headers-more-nginx-module ]; then git clone https://github.com/openresty/headers-more-nginx-module.git; fi && \
|
|
wget http://nginx.org/download/nginx-$nginx_target_ver.tar.gz -O nginx-$nginx_target_ver.tar.gz && \
|
|
tar -zxvf nginx-$nginx_target_ver.tar.gz && \
|
|
cd nginx-$nginx_target_ver && \
|
|
apt remove nginx ${extra_remove_packages} --purge -y && \
|
|
apt-get -y install libpcre3 libpcre3-dev libxml2 libxml2-dev libxslt-dev libgd-dev && \
|
|
if [ -e Makefile ]; then make clean; fi && \
|
|
$nginx_configure && \
|
|
make -j$cpu_cores && make install && \
|
|
mkdir -p /etc/nginx/modules && \
|
|
if [ ! -e /usr/share/nginx/modules ]; then ln -s /etc/nginx/modules /usr/share/nginx/modules; fi && \
|
|
rm -f /usr/sbin/nginx && \
|
|
mkdir -p /etc/nginx/modules-enabled && \
|
|
ln -s /usr/share/nginx/sbin/nginx /usr/sbin/. && $extra_build_nginx_cmd && \
|
|
mkdir -p /var/lib/nginx && \
|
|
service nginx restart"
|
|
if [[ "$install_modsecurity" == "1" ]]; then
|
|
sudo bash -l -c "
|
|
cd /root/nginx-$nginx_target_ver && \
|
|
make modules && \
|
|
cp -f objs/ngx_http_modsecurity_module.so /etc/nginx/modules/. && \
|
|
echo 'load_module modules/ngx_http_modsecurity_module.so;' > /etc/nginx/modules-enabled/50-mod-modsecurity.conf && \
|
|
mkdir -p /etc/nginx/modsec && \
|
|
wget --no-check-certificate -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /etc/nginx/modsec/modsecurity.conf && \
|
|
cd .. && \
|
|
cp -f ModSecurity/unicode.mapping /etc/nginx/modsec && \
|
|
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf && \
|
|
sed -i 's/SecRequestBodyLimit 13107200/SecRequestBodyLimit 131072000/' /etc/nginx/modsec/modsecurity.conf && \
|
|
sed -i 's/SecRequestBodyNoFilesLimit 131072/SecRequestBodyNoFilesLimit 1310720/' /etc/nginx/modsec/modsecurity.conf && \
|
|
wget http://gitlab.tp.rulingcom.com/erictyl/install_r45_on_ubuntu_1804lts_doc/-/raw/master/modsecurity_main.conf -O /etc/nginx/modsec/main.conf"
|
|
fi
|
|
if [[ $nginx_conf_exist == "0" ]]; then
|
|
nginx_conf_path="/etc/nginx/nginx.conf"
|
|
sudo cp -f /etc/nginx/nginx.conf /etc/nginx/nginx_bak.conf
|
|
server_block_start=`sudo grep -E '^\s*server\s*{' $nginx_conf_path -n|cut -d : -f 1`
|
|
http_block_start=`sudo grep -E '^\s*http\s*{' $nginx_conf_path -n|cut -d : -f 1`
|
|
http_block_end_offset=`cat $nginx_conf_path | awk '{if (NR>='$http_block_start') print}'|grep -E '^}' -n|cut -d : -f 1|xargs|awk '{print $1}'`
|
|
http_block_end=$((http_block_end_offset + http_block_start - 1))
|
|
if [ -z "$server_block_start" ]; then
|
|
if [[ ! -f /etc/nginx/sites-enabled/default ]]; then
|
|
sudo mkdir -p /etc/nginx/sites-enabled
|
|
sudo wget http://gitlab.tp.rulingcom.com/erictyl/install_r45_on_ubuntu_1804lts_doc/-/raw/master/sites-enabled-default -O /etc/nginx/sites-enabled/default
|
|
fi
|
|
else
|
|
server_block_contents=`cat $nginx_conf_path | awk '{if (NR>='$server_block_start' && NR <'$http_block_end') print}'`
|
|
blank_text=`echo "$server_block_contents"|grep -E '^\s*' -m 1|sed 's/\w.*//g'`
|
|
server_block_contents=`echo "$server_block_contents"|sed "s/^$blank_text//g"`
|
|
sudo mkdir -p /etc/nginx/sites-enabled
|
|
echo "$server_block_contents"|sudo tee /etc/nginx/sites-enabled/default 1>/dev/null
|
|
nginx_conf_contents=`cat $nginx_conf_path | awk '{if (NR<'$server_block_start' || NR >='$http_block_end') print}'`
|
|
echo "$nginx_conf_contents"|sudo tee $nginx_conf_path 1>/dev/null
|
|
fi
|
|
http_block_end_offset=`cat $nginx_conf_path | awk '{if (NR>='$http_block_start') print}'|grep -E '^}' -n|cut -d : -f 1|xargs|awk '{print $1}'`
|
|
http_block_end=$((http_block_end_offset + http_block_start - 1))
|
|
include_list='/etc/nginx/conf.d/\*.conf /etc/nginx/sites-enabled/\*'
|
|
if [ -z "$(grep 'Virtual Host Configs' $nginx_conf_path)" ]; then
|
|
virtual_host_configs_text=`echo '\n ##\n # Virtual Host Configs\n ##'`
|
|
sudo sed -i "$((http_block_end-1)),+0s/.*/\0\\n $(echo "$virtual_host_configs_text")/g" $nginx_conf_path
|
|
http_block_end_offset=`cat $nginx_conf_path | awk '{if (NR>='$http_block_start') print}'|grep -E '^}' -n|cut -d : -f 1|xargs|awk '{print $1}'`
|
|
http_block_end=$((http_block_end_offset + http_block_start - 1))
|
|
fi
|
|
for file_list in $include_list; do
|
|
if [[ "$(cat $nginx_conf_path)" != *"$(echo $file_list|sed 's/\\//g')"* ]]; then
|
|
sudo sed -i $((http_block_end-1)),+0's/.*/\0\n include '$(escape_str $file_list)';/g' $nginx_conf_path
|
|
http_block_end=$((http_block_end + 1))
|
|
fi
|
|
done
|
|
fi
|
|
if [[ -z "$(grep -E 'include\s+\/etc\/nginx\/modules-enabled\/\*\.conf;' /etc/nginx/nginx.conf)" ]]; then
|
|
nginx_conf_path="/etc/nginx/nginx.conf"
|
|
nginx_conf_contents=`echo "$(echo 'include /etc/nginx/modules-enabled/*.conf;'; cat $nginx_conf_path)"`
|
|
sudo bash -l -c "echo '$nginx_conf_contents' > $nginx_conf_path"
|
|
sudo service nginx restart
|
|
fi
|
|
if [[ "$install_modsecurity" == "1" ]]; then
|
|
echo "Please modify your nginx conf file by yourself!"
|
|
echo "
|
|
server {
|
|
# ...
|
|
modsecurity on;
|
|
modsecurity_rules_file /etc/nginx/modsec/main.conf;
|
|
}
|
|
"
|
|
fi
|
|
cd "$org_pwd"
|
|
fi |