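#!/usr/bin/env bash
#
# Install (or update) nginx on a RHEL/CentOS host and configure it as a
# caching reverse proxy in front of an Intigua server, optionally also
# proxying a WSUS server on ports 8530 (http) and 8531 (https).
#
# RUN THIS AS ROOT ONLY.
#
# Usage:  <script> <intigua-host> [wsus-host]
#   intigua-host  host[:port] of the Intigua server. A leading http:// or
#                 https:// and a trailing / are stripped, so the documented
#                 form https://intigua-vp-uswest.cloudapp.net/ is accepted.
#   wsus-host     optional host[:port] of the WSUS server; when omitted only
#                 the Intigua proxy is configured.
#
# Side effects: wipes /etc/nginx/{cache,sites-enabled,sites-available} and
# /etc/nginx/conf.d/*.conf, writes a self-signed key pair to /etc/nginx,
# rewrites /etc/ssl/certs/dhparam.pem, adjusts SELinux port labels for WSUS,
# and restarts nginx.

# Strict mode is set here rather than on the shebang line so it survives
# being run as "bash script.sh".
set -euo pipefail

readonly cfg=/etc/nginx/sites-available/intigua
readonly enabled=/etc/nginx/sites-enabled/
readonly keydir=/etc/nginx
readonly nginx_conf_folder=/etc/nginx/conf.d/

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Reduce a user-supplied server reference to a bare host[:port].
# A leading http:// or https:// and one trailing / are stripped; the result
# is then whitelisted because it is written verbatim into the nginx config
# (proxy_pass http://<value>/), where ';', '{', '}', '#', quotes or
# whitespace would alter the generated configuration.
# Arguments: $1 - raw value from the command line
# Outputs:   the normalized host[:port] on stdout
# Returns:   exits via die when the value is not a plain host[:port]
#######################################
normalize_host() {
  local raw=$1
  local host=$raw
  host=${host#http://}
  host=${host#https://}
  host=${host%/}
  # Allowed: letters, digits, '.', '_', ':', '-', and '[' ']' for IPv6.
  local host_re='^[][A-Za-z0-9._:-]+$'
  [[ "$host" =~ $host_re ]] || die "invalid server reference '$raw': expected host[:port]"
  printf '%s' "$host"
}

# ${1:-} keeps "set -u" from aborting with a bash error before the
# friendlier message below can be printed.
raw_target_url=${1:-}
raw_target_wsus=${2:-}

if [[ -z "$raw_target_url" ]]; then
  echo "no target url provided"
  exit 1
fi
target_url=$(normalize_host "$raw_target_url")

target_wsus=
if [[ -z "$raw_target_wsus" ]]; then
  echo "no wsus url provided"
else
  target_wsus=$(normalize_host "$raw_target_wsus")
fi

# Check if nginx is installed
if command -v nginx >/dev/null; then
  echo "NGINX INSTALLED, UPDATING"
  yum update -y nginx
else
  echo "NGINX NOT INSTALLED, INSTALLING"
  yum install -y nginx
fi

command -v nginx >/dev/null || die "COULD NOT INSTALL NGINX, EXIT"
echo "NGINX INSTALLED"

echo "CONFIGURING NGINX"
# Deliberately destructive: any existing site configuration is discarded.
rm -rf -- /etc/nginx/cache
rm -rf -- /etc/nginx/sites-enabled/
rm -rf -- /etc/nginx/sites-available/
rm -f -- /etc/nginx/conf.d/*.conf
# -p keeps a rerun from failing under "set -e" if a directory survived.
mkdir -p /etc/nginx/cache
mkdir -p /etc/nginx/sites-enabled/
mkdir -p /etc/nginx/sites-available/

echo "GENERATING SERVER KEY"
# umask 077 in a subshell: the private key is never world-readable, not even
# for the instant between openssl writing it and the chmod below.
(
  umask 077
  openssl req -x509 -newkey rsa:2048 \
    -keyout "$keydir/intigua.key" -out "$keydir/intigua.crt" \
    -days 3650 -nodes \
    -subj "/C=US/ST=Massachussetts/L=Newton/O=Intigua/CN=JetProxy"
)
chmod 400 -- "$keydir/intigua.key"
chmod 644 -- "$keydir/intigua.crt"

echo "WRITING A LONG DHPARM FOR NGINX"
# Fixed 2048-bit group parameters. DH parameters are public, not a secret;
# replace with the output of "openssl dhparam 2048" if a site-unique group
# is wanted.
cat << 'EOF' > /etc/ssl/certs/dhparam.pem
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAsMmTq7j5FY7xfEf1r48EyB7gTQvGLPzro5uS/7W287QWo6S3sj/5
UxpOLGmu+gha78tt0B68ptb2l6ny0GowDMDDj36RKmi6Hli8nOieqmfNRoeKpUtd
qGKcY4tNW1hD0iTrmvWANCzarMLTCi3e9vrKpqMFGHTKPI1C1ORnCk0egJopJ2VM
0claPxrE77vwt3g10WzyfrE1mjc/GM0kYTejolHaB7np65H1ff9PnGfBjbpPZfKQ
0IatwadW4Vfeydq/8IB31Zf2xF+I2Ek4s3vfmf9IjEMWTJgRdF6aYA5WA4cgQ7KA
YNu7Nb2QZudsKnhLR9NRse0ZSEgElqlUewIBAg==
-----END DH PARAMETERS-----
EOF

echo "CONFIGURING NGINX"
# All heredocs use a quoted delimiter so nginx's own $variables are written
# literally; only the proxy_pass lines interpolate shell values.
# NOTE(review): "proxy_cache_path cache" is relative to nginx's compiled-in
# prefix, so /etc/nginx/cache is only the cache directory when that prefix
# is /etc/nginx — confirm with "nginx -V".
cat << 'EOF' > "$cfg"
proxy_cache_path cache keys_zone=intigua_zone:100m max_size=5000m;
proxy_cache intigua_zone;
proxy_cache_lock on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

server {
    listen 80;

    location / {
EOF
printf '        proxy_pass http://%s/;\n' "$target_url" >> "$cfg"
cat << 'EOF' >> "$cfg"
        proxy_read_timeout 10m;
    }
}

server {
    listen 443 ssl;

    location / {
EOF
printf '        proxy_pass https://%s/;\n' "$target_url" >> "$cfg"
cat << 'EOF' >> "$cfg"
        proxy_read_timeout 10m;
    }

    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Host $host;
    proxy_set_header  X-Forwarded-Server $host;
    proxy_next_upstream off;

#   ssl                       on;
    ssl_prefer_server_ciphers on;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers            ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
    ssl_session_cache       shared:TLSSL:16m;
    ssl_session_timeout     10m;
    ssl_certificate         intigua.crt;
    ssl_certificate_key     intigua.key;

}

EOF

# WSUS server
if [[ -n "$target_wsus" ]]; then

cat << 'EOF' >> "$cfg"
server {
    listen 8530;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
EOF
printf '        proxy_pass http://%s:8530/;\n' "$target_wsus" >> "$cfg"
cat << 'EOF' >> "$cfg"
        proxy_read_timeout 10m;
    }
}

server {
    listen 8531 ssl;

    location / {
EOF
printf '        proxy_pass https://%s:8531/;\n' "$target_wsus" >> "$cfg"
cat << 'EOF' >> "$cfg"
        proxy_read_timeout 10m;
    }

    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Host $host;
    proxy_set_header  X-Forwarded-Server $host;
    proxy_next_upstream off;

#   ssl                       on;
    ssl_prefer_server_ciphers on;
    ssl_protocols           TLSv1.2 TLSv1.3;
    ssl_ciphers             EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_session_cache       shared:TLSSL:16m;
    ssl_session_timeout     10m;
    ssl_certificate         intigua.crt;
    ssl_certificate_key     intigua.key;

}

EOF
  # Install semanage so nginx may bind the non-standard WSUS ports under
  # SELinux. "yum provides" is informational only.
  yum provides /usr/sbin/semanage
  yum install -y 'policycoreutils-python*'
  # "-a" fails when the port is already labelled (e.g. on a rerun); fall
  # back to "-m" so the script stays idempotent under "set -e".
  for wsus_port in 8530 8531; do
    semanage port -a -t http_port_t -p tcp "$wsus_port" \
      || semanage port -m -t http_port_t -p tcp "$wsus_port"
  done

else
  echo "WSUS not configured"
fi

# NOTE(review): both links point at the same file; if nginx.conf includes
# both sites-enabled/ and conf.d/ the configuration loads twice (duplicate
# proxy_cache_path zone) — confirm which include the local nginx.conf uses.
ln -sf -- "$cfg" "$enabled/intigua.conf"
ln -sf -- "$cfg" "$nginx_conf_folder/intigua.conf"

echo "CHANGING CHOWN FOR NGINX FOLDER"
# NOTE(review): giving the worker user ownership of /etc/nginx itself lets a
# compromised worker replace the config, key and certificate; the cache
# directory is the only path this script needs nginx to own — confirm and
# drop the first chown if nothing else depends on it.
chown nginx /etc/nginx/
chown nginx /etc/nginx/cache

# Validate the generated configuration BEFORE restarting, so a broken config
# never takes down a running proxy.
echo "TESTING NGINX CONFIGURATION"
nginx -t

echo "STARTING NGINX"
if pidof systemd >/dev/null; then
  systemctl restart nginx
else
  service nginx restart
fi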


