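#!/bin/bash
#
# Install nginx from the nginx/<channel> PPA and configure it as a caching
# reverse proxy in front of an Intigua server (ports 80 and 443) and,
# optionally, a WSUS server (ports 8530 and 8531).
#
# Usage (run as root):
#   <script> <intigua-host[:port]> [<wsus-host>]
#
# Each argument names the upstream host that nginx should forward to.
# A leading http:// or https:// and anything from the first '/' onward are
# stripped, so the historical form https://intigua-vp-uswest.cloudapp.net/
# is accepted as well as a bare host name; the scheme is chosen by the
# listening port (80 -> http, 443 -> https), not by the argument.
#
# Side effects: installs packages, deletes everything in /etc/nginx/conf.d/,
# writes a self-signed key pair into /etc/nginx, writes
# /etc/ssl/certs/dhparam.pem, enables the nginx service and restarts it.

# Options live here, not in the shebang, so they survive "bash script.sh".
set -euo pipefail

readonly nginx=stable
readonly cfg=/etc/nginx/conf.d/intigua.conf
readonly enabled=/etc/nginx/sites-enabled/
readonly keydir=/etc/nginx
readonly dhparam=/etc/ssl/certs/dhparam.pem
# Characters permitted in an upstream host: letters, digits, '.', '_', '-',
# ':' for a port and '[' ']' for an IPv6 literal. Anything else (whitespace,
# ';', '{', '}', '#', '/', quotes) would end up verbatim inside the generated
# nginx config, so such an argument is rejected rather than written out.
readonly host_re='^[][A-Za-z0-9._:-]+$'

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Reduce a URL-ish argument to the bare host[:port] that proxy_pass needs:
# drop a leading http:// or https:// and everything from the first '/'.
# Arguments: $1 - raw argument (may be empty)
# Outputs:   normalised host on stdout (empty if the input was empty)
#######################################
normalize_host() {
  local host=$1
  host=${host#http://}
  host=${host#https://}
  host=${host%%/*}
  printf '%s' "$host"
}

#######################################
# Append a proxy_pass directive to the generated config.
# Globals:   cfg (read)
# Arguments: $1 - scheme (http or https), $2 - upstream host[:port]
#######################################
append_proxy_pass() {
  printf '        proxy_pass %s://%s/;\n' "$1" "$2" >> "$cfg"
}

# The script edits /etc/nginx and /etc/ssl and drives apt; refuse to run
# unprivileged instead of failing half-way through.
(( EUID == 0 )) || die "this script must run as root"

[[ -n "${1:-}" ]] || die "no target url provided"

target_url=$(normalize_host "$1")
target_wsus=$(normalize_host "${2:-}")

[[ "$target_url" =~ $host_re ]] || die "unsafe characters in target url: $1"
if [[ -n "$target_wsus" ]]; then
  [[ "$target_wsus" =~ $host_re ]] || die "unsafe characters in wsus host: $2"
fi

echo "INSTALLING NGINX"

add-apt-repository --yes "ppa:nginx/${nginx}"
apt-get --yes update
apt-get install --yes nginx
#rm -f "${enabled}default"
# conf.d is taken over completely; any locally added snippets are lost.
rm -f -- /etc/nginx/conf.d/*

echo "GENERATING SERVER KEY"
# Self-signed, ten-year certificate with a fixed CN. Clients will not trust
# it by default and the CN does not match the proxy's host name, so they
# must be configured to trust this specific certificate.
openssl req -x509 -newkey rsa:2048 \
  -keyout "${keydir}/intigua.key" -out "${keydir}/intigua.crt" \
  -days 3650 -nodes \
  -subj "/C=US/ST=Massachussetts/L=Newton/O=Intigua/CN=JetProxy"
chmod 400 -- "${keydir}/intigua.key"

echo "WRITING A LONG DHPARM FOR NGINX"
# A fixed 2048-bit group shipped with the script. DH parameters are not
# secret, but a group that is published with the installer is shared by
# every host it sets up; "openssl dhparam -out ${dhparam} 2048" would give
# each host its own group at the cost of a slow install step.
cat << 'EOF' > "$dhparam"
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAsMmTq7j5FY7xfEf1r48EyB7gTQvGLPzro5uS/7W287QWo6S3sj/5
UxpOLGmu+gha78tt0B68ptb2l6ny0GowDMDDj36RKmi6Hli8nOieqmfNRoeKpUtd
qGKcY4tNW1hD0iTrmvWANCzarMLTCi3e9vrKpqMFGHTKPI1C1ORnCk0egJopJ2VM
0claPxrE77vwt3g10WzyfrE1mjc/GM0kYTejolHaB7np65H1ff9PnGfBjbpPZfKQ
0IatwadW4Vfeydq/8IB31Zf2xF+I2Ek4s3vfmf9IjEMWTJgRdF6aYA5WA4cgQ7KA
YNu7Nb2QZudsKnhLR9NRse0ZSEgElqlUewIBAg==
-----END DH PARAMETERS-----
EOF

echo "CONFIGURING NGINX"
# Quoted heredoc delimiters keep nginx's own $variables literal; the only
# shell-expanded content is the proxy_pass line appended between the parts.
# "cache" and the certificate paths are relative: nginx resolves them
# against its prefix directory (normally /etc/nginx here).
cat << 'EOF' > "$cfg"
proxy_cache_path cache keys_zone=intigua_zone:100m max_size=5000m;
proxy_cache intigua_zone;
proxy_cache_lock on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

server {
    listen 80;

    location / {
EOF
# Port 80 is forwarded as plain http end to end; nothing on this listener
# is encrypted.
append_proxy_pass http "$target_url"
cat << 'EOF' >> "$cfg"
        proxy_read_timeout 10m;
    }
}

server {
    listen 443 ssl;

    location / {
EOF
append_proxy_pass https "$target_url"
cat << 'EOF' >> "$cfg"
        proxy_read_timeout 10m;
    }

    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Host $host;
    proxy_set_header  X-Forwarded-Server $host;
    proxy_next_upstream off;

#   ssl                       on;
    ssl_prefer_server_ciphers on;
    ssl_protocols           TLSv1.2 TLSv1.3;
    ssl_ciphers             EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_session_cache       shared:TLSSL:16m;
    ssl_session_timeout     10m;
    ssl_certificate         intigua.crt;
    ssl_certificate_key     intigua.key;

}

EOF

# WSUS server (optional second argument)
if [[ -n "$target_wsus" ]]; then

cat << 'EOF' >> "$cfg"
server {
    listen 8530;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
EOF
append_proxy_pass http "${target_wsus}:8530"
cat << 'EOF' >> "$cfg"
        proxy_read_timeout 10m;
    }
}

server {
    listen 8531 ssl;

    location / {
EOF
append_proxy_pass https "${target_wsus}:8531"
cat << 'EOF' >> "$cfg"
        proxy_read_timeout 10m;
    }

    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Host $host;
    proxy_set_header  X-Forwarded-Server $host;
    proxy_next_upstream off;

#   ssl                       on;
    ssl_prefer_server_ciphers on;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
    ssl_session_cache       shared:TLSSL:16m;
    ssl_session_timeout     10m;
    ssl_certificate         intigua.crt;
    ssl_certificate_key     intigua.key;

}

EOF
else
  echo "WSUS not configured"
fi

echo "STARTING NGINX"
# Validate the generated config before touching the running service, so a
# bad argument fails here instead of leaving nginx down after the restart.
nginx -t
update-rc.d nginx defaults
service nginx restart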