added files

Author: xhika

.env

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# user
+USER=admin
+
+# nginx
+NGINX_HOST=example.domain.com
+
+# certbot mail
+CERTBOT_MAIL=example.mail.com
+
+# mysql
+MYSQL_HOST=mysql
+MYSQL_DATABASE=test
+MYSQL_ROOT_USER=root
+MYSQL_ROOT_PASSWORD=root
+MYSQL_USER=user
+MYSQL_PASSWORD=password

README.md

@@ -0,0 +1,47 @@
+# Create-A-Vhost!
+ Simple script that will deploy a virtual host on ubuntu
+
+
+## Instructions
+Start of with adding a new A record for the host at your host provider.
+In your server (ubuntu) 
+
+```bash
+use git clone https://github.com/xhika/deployVH.git
+```
+
+### Terminal
+```bash
+cd into folder
+
+chmod +w+r+x install.sh
+chmod +w+r+x config.sh
+
+!! Before running the script make sure to 
+edit the NGINX_HOST value to your desired host name !!
+
+sudo ./install.sh
+```
+
+### Multiple Virtual Hosts
+If multiple host wants to be created, don't forget to change the NGINX_HOST variable's value in .env file for a new Virtual Host to be created and then run 
+``` bash sudo ./config```
+
+
+## AWS (EC2)
+For this script to work on AWS EC2 instance follow these steps:
+```
+1. Enter EC2 dashboard -> Instances 
+2. Click on your newly created instance and a window will open below.
+3. Click Security tab, then inder Security group click on link 
+4. Edit inbound rules and add rules for http & https 
+select source to be 0.0.0.0/0 
+as the first ssh is on default.
+5. Save rules!
+```
+
+## Troubleshooting
+- If any troubles occur, make sure ports 80,443 are available.
+- If certbot fails, make sure envsubst have replaced variables correctly check in /etc/nginx/sites-enabled/{your_host_name}
+
+

config.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+set -a
+source .env
+
+# Export variables from .env
+export NGINX_HOST=${NGINX_HOST}
+export CERTBOT_MAIL=${CERTBOT_MAIL}
+
+export MYSQL_HOST=${MYSQL_HOST}
+export MYSQL_DATABASE=${MYSQL_DATABASE}
+export MYSQL_ROOT_USER=${MYSQL_ROOT_USER}
+export MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+export MYSQL_USER=${MYSQL_USER}
+export MYSQL_PASSWORD=${MYSQL_PASSWORD}
+
+sudo unlink /etc/nginx/sites-enabled/default
+
+sudo mkdir -p /var/lib/letsencrypt/.well-known
+sudo chgrp www-data /var/lib/letsencrypt
+sudo chmod g+s /var/lib/letsencrypt
+sudo cp letsencrypt.conf /etc/nginx/snippets/letsencrypt.conf
+
+
+
+# Create directory for host
+sudo mkdir -p /var/www/${NGINX_HOST}/public
+
+# Replace variables
+envsubst "$(printf '${%s} ' $(env | sed 's/=.*//'))" < ./nginx.conf.template > /etc/nginx/sites-available/nginx.conf
+
+# Copy to virtual host
+sudo cp /etc/nginx/sites-available/nginx.conf /etc/nginx/sites-available/${NGINX_HOST}
+
+# Symlink
+sudo ln -s /etc/nginx/sites-available/${NGINX_HOST} /etc/nginx/sites-enabled/
+
+# Reload nginx
+sudo nginx -t
+sudo service nginx reload
+
+# Generating Certificate
+sudo certbot certonly --webroot --non-interactive --agree-tos --email [email protected] \
+    -w /var/www/${NGINX_HOST}/public -d ${NGINX_HOST} -d www.${NGINX_HOST}
+
+# Replace variables for ssl Virtual Host
+envsubst "$(printf '${%s} ' $(env | sed 's/=.*//'))" < ./nginx-ssl.conf.template > /etc/nginx/sites-available/nginx-ssl.conf
+# Copy to Virtual Host
+sudo cp /etc/nginx/sites-available/nginx-ssl.conf /etc/nginx/sites-available/${NGINX_HOST}
+
+# Reload nginx
+sudo nginx -t
+sudo service nginx reload
+
+sudo certbot renew --dry-run
+
+# .well-known directory
+sudo mkdir /var/www/${NGINX_HOST}/public/.well-known
+sudo chown www-data:www-data -R /var/www/${NGINX_HOST}/public/.well-known
+sudo chmod 755 -R /var/www/${NGINX_HOST}/public/.well-known
+
+# Copy index to domain path
+sudo cp ./index.php /var/www/${NGINX_HOST}/public
+
+
+
+
+
+

index.php

@@ -0,0 +1,3 @@
+<?php
+
+echo "Hello world!";

install.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Keep up to date!
+sudo apt update && apt -y upgrade
+sudo apt-get update
+sudo apt-get install -y software-properties-common
+
+# Install php
+sudo apt install -y php php-cli php-fpm php-json php-pdo php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath
+
+# Install node
+sudo apt install -y nodejs
+
+# Intall vim
+sudo apt install -y vim
+
+# Open ports & remove apache2
+sudo ufw allow http && sudo ufw allow https && sudo ufw reload
+sudo apt remove -y --purge --auto-remove apache2
+sudo rm -rf /var/www/html
+
+
+# Install nginx
+sudo apt install -y nginx
+sudo apt install -y python3-certbot-nginx python3-pyparsing
+sudo rm -rf /var/www/html
+
+# Install gettext for envsubst
+sudo apt-get install -y gettext-base
+
+# Install mysql
+sudo apt install -y mysql-server mysql-client
+
+# Install certbot
+sudo apt install -y certbot python3-certbot-nginx
+
+# Install snap for certbot
+sudo snap install -y core; sudo snap refresh core
+sudo snap install -y --classic certbot
+sudo ln -s /snap/bin/certbot /usr/bin/certbot
+
+
+
+# Check / Start & Reload nginx
+sudo nginx -t
+sudo service nginx start
+sudo service nginx reload
+
+##LATEST
+# SSL
+sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
+
+sudo cp ./ssl-params.conf /etc/nginx/snippets/ssl-params.conf
+
+# fail2ban
+sudo apt install -y fail2ban
+sudo cp ./jail.local /etc/fail2ban/jail.local
+sudo service fail2ban restart && sudo fail2ban-client status
+
+# Permissions
+sudo usermod -a -G www-data ${USER}
+#
+# ACL
+sudo apt -y install acl
+# 
+## sudo su
+sudo chown -R www-data:www-data /var/www && setfacl -Rd -m g:www-data:rwx /var/www && setfacl -R -m g:www-data:rwx /var/www && chmod -R g+s /var/www
+
+
+# Nginx configuration
+cp ./nginx.conf.template /nginx.conf.template
+cp ./nginx.conf.template /etc/nginx/sites-available/nginx.conf
+cp ./nginx-ssl.conf.template /etc/nginx/sites-available/nginx-ssl.conf
+
+# Run second script
+sudo ./config.sh
+
+
+

jail.local

@@ -0,0 +1,5 @@
+[sshd]
+enabled = true
+port = 3113
+[nginx-http-auth]
+enabled = true

letsencrypt.conf

@@ -0,0 +1,6 @@
+location ^~ /.well-known/acme-challenge/ {
+  allow all;
+  root /var/lib/letsencrypt/;
+  default_type "text/plain";
+  try_files $uri =404;
+}

nginx-ssl.conf.template

@@ -0,0 +1,49 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name ${NGINX_HOST} www.${NGINX_HOST};
+
+    return 301 https://${NGINX_HOST}$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name www.${NGINX_HOST};
+
+    ssl_certificate /etc/letsencrypt/live/${NGINX_HOST}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${NGINX_HOST}/privkey.pem;
+    include snippets/ssl-params.conf;
+
+    return 301 https://${NGINX_HOST}$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${NGINX_HOST};
+
+    ssl_certificate /etc/letsencrypt/live/${NGINX_HOST}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${NGINX_HOST}/privkey.pem;
+
+    include snippets/ssl-params.conf;
+
+    root /var/www/${NGINX_HOST}/public;
+    index index.php index.html index.htm;
+
+    location / {
+        try_files $uri $uri/ /index.php?q=$uri&$args;
+    }
+
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+    }
+
+    location ~ /\.ht {
+        deny all;
+    }
+}

nginx.conf.template

@@ -0,0 +1,22 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name ${NGINX_HOST} www.${NGINX_HOST};
+
+    root /var/www/${NGINX_HOST}/public;
+    index index.php index.html index.htm;
+
+    location / {
+        try_files $uri $uri/ /index.php?q=\$uri\&$args;
+    }
+
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+    }
+
+    location ~ /\.ht {
+        deny all;
+    }
+}

ssl-params.conf

@@ -0,0 +1,17 @@
+# https://cipherli.st/ & https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;