#!/bin/bash #################################################################################################### #### author: SlickStack ############################################################################ #### link: https://slickstack.io ################################################################### #### mirror: https://mirrors.slickstack.io/bash/ss-install-nginx-config.txt ######################## #### path: /var/www/ss-install-nginx-config ######################################################## #### destination: n/a (not a boilerplate) ########################################################## #### purpose: Reinstalls the Nginx module config files based on ss-config (idempotent) ############# #### module version: Nginx 1.18.x ################################################################## #### sourced by: ss-install ######################################################################## #### bash aliases: ss install nginx config ######################################################### #################################################################################################### ## SS-CONFIG MUST BE PROPERLY CONFIGURED AND ON CURRENT BUILD BEFORE RUNNING SS-INSTALL ## ## ENSURE YOUR SS-CONFIG BUILD REMAINS CURRENT BY RUNNING SS-UPDATE OCCASIONALLY ## ## source ss-config ## source /var/www/ss-config ## source ss-functions ## source /var/www/ss-functions ## BELOW THIS RELIES ON SS-CONFIG AND SS-FUNCTIONS #################################################################################################### #### TABLE OF CONTENTS (SS-Install-Nginx-Config) ################################################### #################################################################################################### ## this is a brief summary of the different code snippets you will find in this script ## ## each section should be commented so you understand what is being accomplished ## ## A. Touch Timestamp File ## B. Message (Begin Script) ## C. Reset Permissions (Nginx SSL) ## D. Generate DH Parameters (Conditional) ## E. Run SS-Encrypt-OpenSSL ## F. Generate Htpasswd File ## G. Install Nginx.conf ## H. Delete Old Server Blocks ## I. Install Server Block (Development) ## J. Install Server Block (Staging) ## K. Install Server Block (Production) ## XX. Install Cloudflare.conf For Real IPs (Optional) #################################################################################################### #### A. SS-Install-Nginx-Config: Touch Timestamp File ############################################## #################################################################################################### ## this is a dummy timestamp file that will remember the last time this script was run ## ## it can be useful for developer reference and is sometimes used by SlickStack ## ss_touch "${TIMESTAMP_SS_INSTALL_NGINX_CONFIG}" #################################################################################################### #### B. SS-Install-Nginx-Config: Message (Begin Script) ############################################ #################################################################################################### ## this is a simple message that announces to the shell the purpose of this bash script ## ## it will only be seen by sudo users who manually run this script in the shell ## ss_echo "${COLOR_INFO}Running ss-install-nginx-config... ${COLOR_RESET}" #################################################################################################### #### C. SS-Install-Nginx-Config: Reset Permissions (Nginx SSL) ##################################### #################################################################################################### ## ensures folders exist first ... improve this later? ## source "${PATH_SS_PERMS_NGINX_CONFIG}" source "${PATH_SS_PERMS_NGINX_SSL}" #################################################################################################### #### D. SS-Install-Nginx-Config: Generate DH Parameters (Conditional) ############################## #################################################################################################### ## this will generate DH parameters using OpenSSL for use by Lets Encrypt certificates ## ## by maintaining this file we are able to strengthen the security of the SSL ## if [[ ! -f "${PATH_DHPARAM_PEM}" ]]; then ss_dhparam "${PATH_DHPARAM_PEM}" fi #################################################################################################### #### E. SS-Install-Nginx-Config: Run SS-Encrypt-OpenSSL ############################################ #################################################################################################### ## here we generate slickstack.crt and slickstack.key as the default SSL for Nginx ## ## this approach is extremely stable and works fantastic with CloudFlare ## if [[ ! -f "${PATH_THIRDPARTY_CONF}" ]]; then source "${PATH_SS_ENCRYPT_OPENSSL}" fi #################################################################################################### #### F. SS-Install-Nginx-Config: Generate Htpasswd File ############################################ #################################################################################################### ## null file contents ## cat /dev/null > "${PATH_HTPASSWD}" ## copy guest user credentials ## ENCRYPTED_GUEST_PASSWORD=$(openssl passwd -apr1 "${GUEST_PASSWORD}") printf "${GUEST_USER}:${ENCRYPTED_GUEST_PASSWORD}\n" >> "${PATH_HTPASSWD}" #################################################################################################### #### G. SS-Install-Nginx-Config: Install Nginx.conf ################################################ #################################################################################################### ## here we install an optimized Nginx config designed for high traffic and CloudFlare ## ## this step is critical to setting up caching, SSL certs, and HTTP headers ## ## download latest Nginx config boilerplate ## ss_wget "${TMP_NGINX_CONF}" "${GITHUB_NGINX_CONF}" ## replace site domain and tld ## ss_sed "s/@SITE_DOMAIN/${SITE_DOMAIN}/g" "${TMP_NGINX_CONF}" ss_sed "s/@SITE_TLD/${SITE_TLD}/g" "${TMP_NGINX_CONF}" ## noindex entire site using HTTP headers (if enabled) ## if [[ "${SITE_NOINDEX}" == "true" ]]; then ss_sed "s/#@NOINDEX# //g" "${TMP_NGINX_CONF}" else ss_sed "/#@NOINDEX# /d" "${TMP_NGINX_CONF}" fi ## access log ## ## force enabled for now ## # if [[ -z "${NGINX_ACCESS_LOG}" ]]; then # ss_sed "s/@NGINX_ACCESS_LOG/off/g" "${TMP_NGINX_CONF}" # else # ss_sed "s|@NGINX_ACCESS_LOG|/var/www/logs/nginx-access.log|g" "${TMP_NGINX_CONF}" # fi ## FASTCGI CACHE ## ## FCGI Cache memory ## if [[ -z "${FCGI_CACHE_MEMORY}" ]]; then ss_sed "s/@FCGI_CACHE_MEMORY/256m/g" "${TMP_NGINX_CONF}" else ss_sed "s/@FCGI_CACHE_MEMORY/${FCGI_CACHE_MEMORY}/g" "${TMP_NGINX_CONF}" fi ## FCGI Cache inactive ## if [[ -z "${FCGI_CACHE_INACTIVE}" ]]; then ss_sed "s/@FCGI_CACHE_INACTIVE/1440m/g" "${TMP_NGINX_CONF}" else ss_sed "s/@FCGI_CACHE_INACTIVE/${FCGI_CACHE_INACTIVE}/g" "${TMP_NGINX_CONF}" fi ## FCGI Cache max size ## if [[ -z "${FCGI_CACHE_MAX_SIZE}" ]]; then ss_sed "s/@FCGI_CACHE_MAX_SIZE/4096m/g" "${TMP_NGINX_CONF}" else ss_sed "s/@FCGI_CACHE_MAX_SIZE/${FCGI_CACHE_MAX_SIZE}/g" "${TMP_NGINX_CONF}" fi ## FCGI Cache connect timeout ## if [[ -z "${FCGI_CONNECT_TIMEOUT}" ]]; then ss_sed "s/@FCGI_CONNECT_TIMEOUT/60s/g" "${TMP_NGINX_CONF}" else ss_sed "s/@FCGI_CONNECT_TIMEOUT/${FCGI_CONNECT_TIMEOUT}/g" "${TMP_NGINX_CONF}" fi ## FCGI Cache read timeout ## if [[ -z "${FCGI_READ_TIMEOUT}" ]]; then ss_sed "s/@FCGI_READ_TIMEOUT/60s/g" "${TMP_NGINX_CONF}" else ss_sed "s/@FCGI_READ_TIMEOUT/${FCGI_READ_TIMEOUT}/g" "${TMP_NGINX_CONF}" fi ## FCGI Cache send timeout ## if [[ -z "${FCGI_SEND_TIMEOUT}" ]]; then ss_sed "s/@FCGI_SEND_TIMEOUT/60s/g" "${TMP_NGINX_CONF}" else ss_sed "s/@FCGI_SEND_TIMEOUT/${FCGI_SEND_TIMEOUT}/g" "${TMP_NGINX_CONF}" fi ## FCGI Cache buffers ## if [[ -z "${FCGI_BUFFERS}" ]]; then ss_sed "s/@FCGI_BUFFERS/32 32k/g" "${TMP_NGINX_CONF}" else ss_sed "s/@FCGI_BUFFERS/${FCGI_BUFFERS}/g" "${TMP_NGINX_CONF}" fi ## FCGI Cache buffer size ## if [[ -z "${FCGI_BUFFER_SIZE}" ]]; then ss_sed "s/@FCGI_BUFFER_SIZE/32k/g" "${TMP_NGINX_CONF}" else ss_sed "s/@FCGI_BUFFER_SIZE/${FCGI_BUFFER_SIZE}/g" "${TMP_NGINX_CONF}" fi ## FCGI Cache busy buffers size ## if [[ -z "${FCGI_BUSY_BUFFERS_SIZE}" ]]; then ss_sed "s/@FCGI_BUSY_BUFFERS_SIZE/256k/g" "${TMP_NGINX_CONF}" else ss_sed "s/@FCGI_BUSY_BUFFERS_SIZE/${FCGI_BUSY_BUFFERS_SIZE}/g" "${TMP_NGINX_CONF}" fi ## FCGI Cache temp file write size ## if [[ -z "${FCGI_TEMP_FILE_WRITE_SIZE}" ]]; then ss_sed "s/@FCGI_TEMP_FILE_WRITE_SIZE/256k/g" "${TMP_NGINX_CONF}" else ss_sed "s/@FCGI_TEMP_FILE_WRITE_SIZE/${FCGI_TEMP_FILE_WRITE_SIZE}/g" "${TMP_NGINX_CONF}" fi ## Nginx worker rlimit nofile ## if [[ -z "${NGINX_WORKER_RLIMIT_NOFILE}" ]]; then ss_sed "s/@NGINX_WORKER_RLIMIT_NOFILE/65535/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_WORKER_RLIMIT_NOFILE/${NGINX_WORKER_RLIMIT_NOFILE}/g" "${TMP_NGINX_CONF}" fi ## Nginx worker connections ## if [[ -z "${NGINX_WORKER_CONNECTIONS}" ]]; then ss_sed "s/@NGINX_WORKER_CONNECTIONS/8192/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_WORKER_CONNECTIONS/${NGINX_WORKER_CONNECTIONS}/g" "${TMP_NGINX_CONF}" fi ## Nginx server names hash bucket size ## if [[ -z "${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE}" ]]; then ss_sed "s/@NGINX_SERVER_NAMES_HASH_BUCKET_SIZE/64/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_SERVER_NAMES_HASH_BUCKET_SIZE/${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE}/g" "${TMP_NGINX_CONF}" fi ## Nginx server names max hash size ## if [[ -z "${NGINX_SERVER_NAMES_MAX_HASH_SIZE}" ]]; then ss_sed "s/@NGINX_SERVER_NAMES_MAX_HASH_SIZE/64/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_SERVER_NAMES_MAX_HASH_SIZE/${NGINX_SERVER_NAMES_MAX_HASH_SIZE}/g" "${TMP_NGINX_CONF}" fi ## Nginx types max hash size ## if [[ -z "${NGINX_TYPES_MAX_HASH_SIZE}" ]]; then ss_sed "s/@NGINX_TYPES_MAX_HASH_SIZE/2048/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_TYPES_MAX_HASH_SIZE/${NGINX_TYPES_MAX_HASH_SIZE}/g" "${TMP_NGINX_CONF}" fi ## Nginx client max body size ## if [[ -z "${NGINX_CLIENT_MAX_BODY_SIZE}" ]]; then ss_sed "s/@NGINX_CLIENT_MAX_BODY_SIZE/512M/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_CLIENT_MAX_BODY_SIZE/${NGINX_CLIENT_MAX_BODY_SIZE}/g" "${TMP_NGINX_CONF}" fi ## Nginx client body buffer size ## if [[ -z "${NGINX_CLIENT_BODY_BUFFER_SIZE}" ]]; then ss_sed "s/@NGINX_CLIENT_BODY_BUFFER_SIZE/16k/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_CLIENT_BODY_BUFFER_SIZE/${NGINX_CLIENT_BODY_BUFFER_SIZE}/g" "${TMP_NGINX_CONF}" fi ## Nginx client header buffer size ## if [[ -z "${NGINX_CLIENT_HEADER_BUFFER_SIZE}" ]]; then ss_sed "s/@NGINX_CLIENT_HEADER_BUFFER_SIZE/4k/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_CLIENT_HEADER_BUFFER_SIZE/${NGINX_CLIENT_HEADER_BUFFER_SIZE}/g" "${TMP_NGINX_CONF}" fi ## Nginx large client header buffers ## if [[ -z "${NGINX_LARGE_CLIENT_HEADER_BUFFERS}" ]]; then ss_sed "s/@NGINX_LARGE_CLIENT_HEADER_BUFFERS/4 64k/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_LARGE_CLIENT_HEADER_BUFFERS/${NGINX_LARGE_CLIENT_HEADER_BUFFERS}/g" "${TMP_NGINX_CONF}" fi ## Nginx client body timeout ## if [[ -z "${NGINX_CLIENT_BODY_TIMEOUT}" ]]; then ss_sed "s/@NGINX_CLIENT_BODY_TIMEOUT/15s/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_CLIENT_BODY_TIMEOUT/${NGINX_CLIENT_BODY_TIMEOUT}/g" "${TMP_NGINX_CONF}" fi ## Nginx client header timeout ## if [[ -z "${NGINX_CLIENT_HEADER_TIMEOUT}" ]]; then ss_sed "s/@NGINX_CLIENT_HEADER_TIMEOUT/15s/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_CLIENT_HEADER_TIMEOUT/${NGINX_CLIENT_HEADER_TIMEOUT}/g" "${TMP_NGINX_CONF}" fi ## Nginx keepalive timeout ## if [[ -z "${NGINX_KEEPALIVE_TIMEOUT}" ]]; then ss_sed "s/@NGINX_KEEPALIVE_TIMEOUT/15s/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_KEEPALIVE_TIMEOUT/${NGINX_KEEPALIVE_TIMEOUT}/g" "${TMP_NGINX_CONF}" fi ## Nginx keepalive requests ## if [[ -z "${NGINX_KEEPALIVE_REQUESTS}" ]]; then ss_sed "s/@NGINX_KEEPALIVE_REQUESTS/65535/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_KEEPALIVE_REQUESTS/${NGINX_KEEPALIVE_REQUESTS}/g" "${TMP_NGINX_CONF}" fi ## Nginx send timeout ## if [[ -z "${NGINX_SEND_TIMEOUT}" ]]; then ss_sed "s/@NGINX_SEND_TIMEOUT/15s/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_SEND_TIMEOUT/${NGINX_SEND_TIMEOUT}/g" "${TMP_NGINX_CONF}" fi ## Open File Cache max files ## if [[ -z "${OPEN_FILE_CACHE_MAX}" ]]; then ss_sed "s/@OPEN_FILE_CACHE_MAX/200000/g" "${TMP_NGINX_CONF}" else ss_sed "s/@OPEN_FILE_CACHE_MAX/${OPEN_FILE_CACHE_MAX}/g" "${TMP_NGINX_CONF}" fi ## Open File Cache inactive ## if [[ -z "${OPEN_FILE_CACHE_INACTIVE}" ]]; then ss_sed "s/@OPEN_FILE_CACHE_INACTIVE/20s/g" "${TMP_NGINX_CONF}" else ss_sed "s/@OPEN_FILE_CACHE_INACTIVE/${OPEN_FILE_CACHE_INACTIVE}/g" "${TMP_NGINX_CONF}" fi ## Open File Cache valid ## if [[ -z "${OPEN_FILE_CACHE_VALID}" ]]; then ss_sed "s/@OPEN_FILE_CACHE_VALID/30s/g" "${TMP_NGINX_CONF}" else ss_sed "s/@OPEN_FILE_CACHE_VALID/${OPEN_FILE_CACHE_VALID}/g" "${TMP_NGINX_CONF}" fi ## Open File Cache min uses ## if [[ -z "${OPEN_FILE_CACHE_MIN_USES}" ]]; then ss_sed "s/@OPEN_FILE_CACHE_MIN_USES/2/g" "${TMP_NGINX_CONF}" else ss_sed "s/@OPEN_FILE_CACHE_MIN_USES/${OPEN_FILE_CACHE_MIN_USES}/g" "${TMP_NGINX_CONF}" fi ## Open File Cache errors ## if [[ -z "${OPEN_FILE_CACHE_ERRORS}" ]]; then ss_sed "s/@OPEN_FILE_CACHE_ERRORS/on/g" "${TMP_NGINX_CONF}" else ss_sed "s/@OPEN_FILE_CACHE_ERRORS/${OPEN_FILE_CACHE_ERRORS}/g" "${TMP_NGINX_CONF}" fi if [[ -z "${NGINX_HEADER_STRICT_TRANSPORT_SECURITY}" ]]; then ss_sed "s/@NGINX_HEADER_STRICT_TRANSPORT_SECURITY/max-age=15552000/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_HEADER_STRICT_TRANSPORT_SECURITY/${NGINX_HEADER_STRICT_TRANSPORT_SECURITY}/g" "${TMP_NGINX_CONF}" fi if [[ -z "${NGINX_HEADER_REFERRER_POLICY}" ]]; then ss_sed "s/@NGINX_HEADER_REFERRER_POLICY/strict-origin-when-cross-origin/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_HEADER_REFERRER_POLICY/${NGINX_HEADER_REFERRER_POLICY}/g" "${TMP_NGINX_CONF}" fi if [[ -z "${NGINX_HEADER_PERMISSIONS_POLICY}" ]]; then ss_sed "s/@NGINX_HEADER_PERMISSIONS_POLICY/accelerometer=(), ambient-light-sensor=(), autoplay=*, battery=(), camera=(), display-capture=*, document-domain=*, encrypted-media=*, fullscreen=*, geolocation=(self), gyroscope=(), layout-animations=*, legacy-image-formats=*, magnetometer=(), microphone=(self), midi=(), oversized-images=*, payment=*, picture-in-picture=*, publickey-credentials-get=*, sync-xhr=*, usb=(), vibrate=(), wake-lock=(), xr-spatial-tracking=()/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_HEADER_PERMISSIONS_POLICY/${NGINX_HEADER_PERMISSIONS_POLICY}/g" "${TMP_NGINX_CONF}" fi if [[ -z "${NGINX_HEADER_FEATURE_POLICY}" ]]; then ss_sed "s/@NGINX_HEADER_FEATURE_POLICY/ambient-light-sensor none; animations self; autoplay none; accelerometer none; camera none; display-capture none; document-domain none; document-write none; encrypted-media none; fullscreen self; geolocation none; gyroscope none; image-compression *; legacy-image-formats *; magnetometer none; max-downscaling-image *; microphone none; midi none; notifications self; payment none; picture-in-picture self; push none; speaker self; sync-xhr none; unsized-media *; usb none; vertical-scroll self; wake-lock none; webauthn none; vibrate none; vr none; xr-spatial-tracking none;/g" "${TMP_NGINX_CONF}" else ss_sed "s/@NGINX_HEADER_FEATURE_POLICY/${NGINX_HEADER_FEATURE_POLICY}/g" "${TMP_NGINX_CONF}" fi ## copy files to their destinations ## ss_mv "${TMP_NGINX_CONF}" "${PATH_NGINX_CONF}" #################################################################################################### #### H. SS-Install-Nginx-Config: Delete Old Server Blocks ########################################## #################################################################################################### ## here we delete any existing previous server blocks to avoid conflicts with Nginx ## ## if this step is not performed then Nginx could result in fatal errors ## ## ADD CHECK FIRST THAT TMP BLOCK FILES VALID? ## ## delete server blocks ## ss_rm /var/www/sites/* #################################################################################################### #### I. SS-Install-Nginx-Config: Install Server Block (Development) ################################ #################################################################################################### ## here we install the Nginx server block for dev subdomain if enabled in ss-config ## ## this block is independent and distinct from other Nginx server blocks ## if [[ "${DEV_SITE}" == "true" ]]; then ## download latest server block (staging site) ## ss_wget "${TMP_NGINX_BLOCK_DEVELOPMENT}" "${GITHUB_NGINX_BLOCK_DEVELOPMENT}" ## replace site variables ## SITE_DOMAIN_EXCLUDING_WWW=$(echo "${SITE_DOMAIN/www./}") ss_sed "s/@SITE_DOMAIN_EXCLUDING_WWW/${SITE_DOMAIN_EXCLUDING_WWW}/g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" ss_sed "s/@SITE_DOMAIN_INCLUDING_WWW/${SITE_DOMAIN_INCLUDING_WWW}/g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" ss_sed "s/@SITE_DOMAIN/${SITE_DOMAIN}/g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" ss_sed "s/@SITE_TLD/${SITE_TLD}/g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" ss_sed "s/@DOMAIN/${SITE_DOMAIN}/g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" ss_sed "s/@CACHEVALID/${FCGI_CACHE_VALID}/g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" ## Multisite domain mapping (optional) ## if [[ "$WP_MULTISITE_DOMAIN_MAPPING" == "true" ]]; then ss_sed "s/#@WP_MULTISITE_DOMAIN_MAPPING# //g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" else ss_sed "s/#@WP_MULTISITE_DOMAIN_MAPPING_FALSE# //g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" fi ## Multisite subdomains (optional) ## if [[ "$WP_MULTISITE_SUBDOMAINS" == "true" ]]; then ss_sed "s/#@WP_MULTISITE_SUBDOMAINS# //g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" fi ## FastCGI Cache ## if [[ "$FCGI_CACHE" == "false" ]]; then ss_sed "s/@FCGI_CACHE/1/g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" else ss_sed "s/@FCGI_CACHE/0/g" "${TMP_NGINX_BLOCK_DEVELOPMENT}" fi ## password protect ## if [[ "$DEV_SITE_PROTECT" != "true" ]]; then ss_sed "/auth_basic/d" "${TMP_NGINX_BLOCK_DEVELOPMENT}" fi ## copy files to destinations ## if [[ "$SS_INSTALL_NGINX_CONFIG_OVERWRITE_BLOCKS" != "false" ]]; then ss_mv "${TMP_NGINX_BLOCK_DEVELOPMENT}" "${PATH_NGINX_BLOCK_DEVELOPMENT}" fi fi #################################################################################################### #### J. SS-Install-Nginx-Config: Install Server Block (Staging) #################################### #################################################################################################### ## here we install the Nginx server block for staging subdomain if enabled in ss-config ## ## this block is independent and distinct from other Nginx server blocks ## if [[ "${STAGING_SITE}" == "true" ]]; then ## download latest server block (staging site) ## ss_wget "${TMP_NGINX_BLOCK_STAGING}" "${GITHUB_NGINX_BLOCK_STAGING}" ## replace site variables ## SITE_DOMAIN_EXCLUDING_WWW=$(echo "${SITE_DOMAIN/www./}") ss_sed "s/@SITE_DOMAIN_EXCLUDING_WWW/${SITE_DOMAIN_EXCLUDING_WWW}/g" "${TMP_NGINX_BLOCK_STAGING}" ss_sed "s/@SITE_DOMAIN_INCLUDING_WWW/${SITE_DOMAIN_INCLUDING_WWW}/g" "${TMP_NGINX_BLOCK_STAGING}" ss_sed "s/@SITE_DOMAIN/${SITE_DOMAIN}/g" "${TMP_NGINX_BLOCK_STAGING}" ss_sed "s/@SITE_TLD/${SITE_TLD}/g" "${TMP_NGINX_BLOCK_STAGING}" ss_sed "s/@DOMAIN/${SITE_DOMAIN}/g" "${TMP_NGINX_BLOCK_STAGING}" ss_sed "s/@CACHEVALID/${FCGI_CACHE_VALID}/g" "${TMP_NGINX_BLOCK_STAGING}" ## Multisite domain mapping (optional) ## if [[ "${WP_MULTISITE_DOMAIN_MAPPING}" == "true" ]]; then ss_sed "s/#@WP_MULTISITE_DOMAIN_MAPPING# //g" "${TMP_NGINX_BLOCK_STAGING}" else ss_sed "s/#@WP_MULTISITE_DOMAIN_MAPPING_FALSE# //g" "${TMP_NGINX_BLOCK_STAGING}" fi ## Multisite subdomains (optional) ## if [[ "${WP_MULTISITE_SUBDOMAINS}" == "true" ]]; then ss_sed "s/#@WP_MULTISITE_SUBDOMAINS# //g" "${TMP_NGINX_BLOCK_STAGING}" fi ## FastCGI Cache ## if [[ "${FCGI_CACHE}" == "false" ]]; then ss_sed "s/@FCGI_CACHE/1/g" "${TMP_NGINX_BLOCK_STAGING}" else ss_sed "s/@FCGI_CACHE/0/g" "${TMP_NGINX_BLOCK_STAGING}" fi ## password protect ## if [[ "${STAGING_SITE_PROTECT}" != "true" ]]; then ss_sed "/auth_basic/d" "${TMP_NGINX_BLOCK_STAGING}" fi ## copy files to destinations ## if [[ "${SS_INSTALL_NGINX_CONFIG_OVERWRITE_BLOCKS}" != "false" ]]; then ss_mv "${TMP_NGINX_BLOCK_STAGING}" "${PATH_NGINX_BLOCK_STAGING}" fi fi #################################################################################################### #### K. SS-Install-Nginx-Config: Install Server Block (Production) ################################# #################################################################################################### ## here we install the Nginx server block for production (default) site no matter what ## ## this block is independent and distinct from other Nginx server blocks ## ## download latest server block boilerplate (single site / Multisite) ## if [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "true" ]]; then ss_wget "${TMP_NGINX_BLOCK_PRODUCTION}" "${GITHUB_NGINX_BLOCK_PRODUCTION_MULTISITE}" elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]]; then ss_wget "${TMP_NGINX_BLOCK_PRODUCTION}" "${GITHUB_NGINX_BLOCK_PRODUCTION_MULTISITE_SUBDIRECTORIES}" else ss_wget "${TMP_NGINX_BLOCK_PRODUCTION}" "${GITHUB_NGINX_BLOCK_PRODUCTION}" fi ## replace site variables ## SITE_DOMAIN_EXCLUDING_WWW=$(echo "${SITE_DOMAIN/www./}") ss_sed "s/@SITE_DOMAIN_EXCLUDING_WWW/${SITE_DOMAIN_EXCLUDING_WWW}/g" "${TMP_NGINX_BLOCK_PRODUCTION}" ss_sed "s/@SITE_DOMAIN_INCLUDING_WWW/${SITE_DOMAIN_INCLUDING_WWW}/g" "${TMP_NGINX_BLOCK_PRODUCTION}" ss_sed "s/@SITE_DOMAIN/${SITE_DOMAIN}/g" "${TMP_NGINX_BLOCK_PRODUCTION}" ss_sed "s/@SITE_TLD/${SITE_TLD}/g" "${TMP_NGINX_BLOCK_PRODUCTION}" ss_sed "s/@DOMAIN/${SITE_DOMAIN}/g" "${TMP_NGINX_BLOCK_PRODUCTION}" ss_sed "s/@CACHEVALID/${FCGI_CACHE_VALID}/g" "${TMP_NGINX_BLOCK_PRODUCTION}" ## Multisite domain mapping (optional) ## if [[ "${WP_MULTISITE_DOMAIN_MAPPING}" == "true" ]]; then ss_sed "s/#@WP_MULTISITE_DOMAIN_MAPPING# //g" "${TMP_NGINX_BLOCK_PRODUCTION}" else ss_sed "s/#@WP_MULTISITE_DOMAIN_MAPPING_FALSE# //g" "${TMP_NGINX_BLOCK_PRODUCTION}" fi ## Multisite subdomains (optional) ## if [[ "${WP_MULTISITE_SUBDOMAINS}" == "true" ]]; then ss_sed "s/#@WP_MULTISITE_SUBDOMAINS# //g" "${TMP_NGINX_BLOCK_PRODUCTION}" fi ## FastCGI Cache ## if [[ "${FCGI_CACHE}" == "false" ]]; then ss_sed "s/@FCGI_CACHE/1/g" "${TMP_NGINX_BLOCK_PRODUCTION}" else ss_sed "s/@FCGI_CACHE/0/g" "${TMP_NGINX_BLOCK_PRODUCTION}" fi ## copy files to destinations ## if [[ "${SS_INSTALL_NGINX_CONFIG_OVERWRITE_BLOCKS}" != "false" ]]; then ss_mv "${TMP_NGINX_BLOCK_PRODUCTION}" "${PATH_NGINX_BLOCK_PRODUCTION}" fi #################################################################################################### #################################################################################################### ## done by ss-encrypt-certbot via ss-install-nginx-openssl ## ## run ss-restart-php ## # source "${PATH_SS_RESTART_PHP}" ## run ss-restart-nginx ## # source "${PATH_SS_RESTART_NGINX}" #################################################################################################### #### SS-Install-Nginx-Config: Run SS-Encrypt-Certbot ############################################### #################################################################################################### ## here we generate slickstack.crt and slickstack.key as the default SSL for Nginx ## ## this approach is extremely stable and works fantastic with CloudFlare ## source "${PATH_SS_ENCRYPT_CERTBOT}" #################################################################################################### #### SS-Install-Nginx-Config: Run SS-Install-Nginx-SSL ############################################# #################################################################################################### ## here we update the Nginx config files to activate either OpenSSL or Lets Encrypt SSL ## ## this depends on your ss-config settings (both certs should exist regardless) ## ## run ss-install-nginx-ssl ## source "${PATH_SS_INSTALL_NGINX_SSL}" ## MAYBE DELETE THIS SNIPPET and SCRIPT AND PUT INLINE HERE INSTEAD #################################################################################################### #### SS-Install-Nginx-Config: Enable TMPFS Mount (Optional) ######################################## #################################################################################################### if [[ "${FCGI_CACHE_TMPFS}" == "true" ]]; then mount -t tmpfs -o size=${FCGI_CACHE_MEMORY} tmpfs /var/www/cache ss_sed '/tmpfs/d' /etc/fstab echo "tmpfs /var/www/cache tmpfs defaults,size=${FCGI_CACHE_MEMORY} 0 0" >> /etc/fstab else ss_sed '/tmpfs/d' /etc/fstab fi #################################################################################################### #### SS-Install-Nginx-Config: Install Cloudflare.conf For Real IPs (Optional) ###################### #################################################################################################### if [[ "${NGINX_CLOUDFLARE_IPS}" == "true" ]]; then source "${PATH_SS_INSTALL_NGINX_CLOUDFLARE_IPS}" fi #################################################################################################### #### SS-Install-Nginx-Config: Reset Permissions (Nginx Config) ##################################### #################################################################################################### ## run ss-perms-nginx-config ## source "${PATH_SS_PERMS_NGINX_CONFIG}" ######## cleanup old files (temp) ########## ss_rm /var/www/sites/production ss_rm /var/www/sites/staging ss_rm /var/www/sites/development #################################################################################################### #### SS-Install-Nginx-Config: Restart Modules (Nginx) ############################################## #################################################################################################### ## run ss-restart-nginx ## source "${PATH_SS_RESTART_NGINX}" #################################################################################################### #### SS-Install-Nginx-Config: Install WordPress Config (Via SS-Install-WordPress-Config) ########### #################################################################################################### ## ensures that concatenate is disabled in wp-config to support latest nginx server block ## if [[ "${SS_APP}" == "wordpress" || -z "${SS_APP}" ]]; then source "${PATH_SS_INSTALL_WORDPRESS_CONFIG}" fi #################################################################################################### #### SS-Install-Nginx-Config: Cleanup Temporary Files ############################################## #################################################################################################### ## we briefly cleanup any leftover temporarily files that are relevant to this script ## ## this is performed before and after associated code runs to avoid conflicts ## ss_rm /tmp/nginx* ss_rm /tmp/server-block* ss_rm /tmp/default* ss_rm /tmp/letsencrypt.conf* ss_rm /tmp/openssl.conf* ss_rm /tmp/maintenance.html #################################################################################################### #### SlickStack: Reset Permissions (SlickStack Scripts) ############################################ #################################################################################################### ## we include this permissions reset in all cron jobs and bash scripts for redundancy ## ## chmod 0700 means only the root/sudo users can execute any SlickStack scripts ## ## THIS SNIPPET DOES NOT RELY ON SS-CONFIG OR SS-FUNCTIONS ## SNIPPET: ss bash scripts, ss cron jobs ## UPDATED: 02JUL2022 chown root:root /var/www/ss* ## must be root:root chown root:root /var/www/crons/*cron* ## must be root:root chown root:root /var/www/crons/custom/*cron* ## must be root:root chmod 0700 /var/www/ss* ## 0700 means only root/sudo can execute chmod 0700 /var/www/crons/*cron* ## 0700 means only root/sudo can execute chmod 0700 /var/www/crons/custom/*cron* ## 0700 means only root/sudo can execute #################################################################################################### #### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ############### #################################################################################################### ## Ref: https://serverfault.com/questions/527630/difference-in-sites-available-vs-sites-enabled-vs-conf-d-directories-nginx ## Ref: https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-virtual-hosts-on-ubuntu-16-04 ## Ref: https://ar.al/2018/07/05/nginx-remember-to-remove-the-default-site/ ## Ref: https://discourse.roots.io/t/http-does-not-redirect-to-https-only-at-the-first-access/8669 ## Ref: https://www.linode.com/docs/guides/how-to-configure-nginx/ ## Ref: https://www.shellscript.sh/tips/pattern-substitution/ ## Ref: https://stackoverflow.com/questions/11618696/shell-write-variable-contents-to-a-file ## Ref: https://coderwall.com/p/zvvgna/create-htpasswd-file-for-nginx-without-apache ## Ref: https://www.tecmint.com/password-protect-web-directories-in-nginx/ ## Ref: https://www.web2generators.com/apache-tools/htpasswd-generator ## Ref: https://www.mkssoftware.com/docs/man1/openssl_passwd.1.asp ## Ref: https://linuxize.com/post/nginx-log-files/ ## Ref: https://coderwall.com/p/zvvgna/create-htpasswd-file-for-nginx-without-apache ## Ref: https://community.centminmod.com/threads/how-to-properly-password-protect-a-directory-or-file.579/page-2 ## Ref: https://httpd.apache.org/docs/2.4/misc/password_encryptions.html ## Ref: https://8gwifi.org/htpasswd.jsp ## Ref: https://blog.benpri.me/blog/2019/01/13/why-you-shouldnt-be-using-bcrypt-and-scrypt/ ## Ref: https://rpartlan.tumblr.com/post/141705066884/bye-bye-bcrypt-hello-openssl ## Ref: https://www.openssl.org/docs/manmaster/man1/openssl-passwd.html ## Ref: https://github.com/littlebizzy/slickstack/issues/198 ## Ref: https://github.com/ergin/nginx-cloudflare-real-ip ## SS_EOF