titanz/NGINX-Configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Support non ip pinning setups

Browse Source 
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2024-07-27 15:05:37 -07:00
parent c4014dc57e
commit b6482df91f
No known key found for this signature in database
GPG Key ID: 555C902A34EC968F
1 changed files with 31 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
setup.sh
View File

@ -24,6 +24,25 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
ip_pinning_prompt(){
output 'Do you intend to pin IP addresses in your NGINX config?'
output
output '1) No'
output '2) Yes'
output 'Insert the number of your selection:'
read -r choice
case $choice in
1 ) ip_pinning=0
;;
2 ) ip_pinning=1
;;
* ) output 'You did not enter a valid selection.'
ip_pinning_prompt
esac
}
ip_pinning_prompt
# Allow reverse proxy # Allow reverse proxy
sudo setsebool -P httpd_can_network_connect 1 sudo setsebool -P httpd_can_network_connect 1
@ -36,11 +55,13 @@ sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-port=443/udp sudo firewall-cmd --permanent --add-port=443/udp
sudo firewall-cmd --reload sudo firewall-cmd --reload
# Add 99-nonlocal-bind.conf if [ "${ip_pinning}" = '1' ]; then
# This fixes a long standing bug where network-online.target is reached before IPv6 is obtained, which breaks IPv6 pinning. # Add 99-nonlocal-bind.conf
# Also, if you are using floating IPs for NGINX stream like I do, you need it anyways # This fixes a long standing bug where network-online.target is reached before IPv6 is obtained, which breaks IPv6 pinning.
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/sysctl.d/99-nonlocal-bind.conf | sudo tee /etc/sysctl.d/99-nonlocal-bind.conf > /dev/null # Also, if you are using floating IPs for NGINX stream like I do, you need it anyways
sudo chmod 644 /etc/sysctl.d/99-nonlocal-bind.conf unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/sysctl.d/99-nonlocal-bind.conf | sudo tee /etc/sysctl.d/99-nonlocal-bind.conf > /dev/null
sudo chmod 644 /etc/sysctl.d/99-nonlocal-bind.conf
fi
# Setup webroot for NGINX # Setup webroot for NGINX
## Explicitly using /var/srv here because SELinux does not follow symlinks ## Explicitly using /var/srv here because SELinux does not follow symlinks
@ -102,3 +123,8 @@ unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf > /dev/null
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/universal_paths.conf | sudo tee /etc/nginx/snippets/universal_paths.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/universal_paths.conf | sudo tee /etc/nginx/snippets/universal_paths.conf > /dev/null
if [ "${ip_pinning}" = '0' ]; then
sed -i 's/ipv4_1://g' /etc/nginx/conf.d/sites_default.conf
sed -i 's/ipv6_1/::/g' /etc/nginx/conf.d/sites_default.conf
fi