titanz/NGINX-Configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Support non ip pinning setups

Browse Source 
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2024-07-27 15:05:37 -07:00
parent c4014dc57e
commit b6482df91f
No known key found for this signature in database
GPG Key ID: 555C902A34EC968F
1 changed files with 31 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
setup.sh
View File

@ -24,6 +24,25 @@ unpriv(){
sudo -u nobody "$@"
}
ip_pinning_prompt(){
output 'Do you intend to pin IP addresses in your NGINX config?'
output
output '1) No'
output '2) Yes'
output 'Insert the number of your selection:'
read -r choice
case $choice in
1 ) ip_pinning=0
;;
2 ) ip_pinning=1
;;
* ) output 'You did not enter a valid selection.'
ip_pinning_prompt
esac
}
ip_pinning_prompt
# Allow reverse proxy
sudo setsebool -P httpd_can_network_connect 1
@ -36,11 +55,13 @@ sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-port=443/udp
sudo firewall-cmd --reload
if [ "${ip_pinning}" = '1' ]; then
# Add 99-nonlocal-bind.conf
# This fixes a long standing bug where network-online.target is reached before IPv6 is obtained, which breaks IPv6 pinning.
# Also, if you are using floating IPs for NGINX stream like I do, you need it anyways
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/sysctl.d/99-nonlocal-bind.conf | sudo tee /etc/sysctl.d/99-nonlocal-bind.conf > /dev/null
sudo chmod 644 /etc/sysctl.d/99-nonlocal-bind.conf
fi
# Setup webroot for NGINX
## Explicitly using /var/srv here because SELinux does not follow symlinks
@ -102,3 +123,8 @@ unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf > /dev/null
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/universal_paths.conf | sudo tee /etc/nginx/snippets/universal_paths.conf > /dev/null
if [ "${ip_pinning}" = '0' ]; then
sed -i 's/ipv4_1://g' /etc/nginx/conf.d/sites_default.conf
sed -i 's/ipv6_1/::/g' /etc/nginx/conf.d/sites_default.conf
fi