-
Notifications
You must be signed in to change notification settings - Fork 6
/
centosngnixbootstrap
53 lines (53 loc) · 2.51 KB
/
centosngnixbootstrap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#!/bin/bash
sudo su
#Configure NGINX Repo
cat << EOF > /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/\$basearch/
gpgcheck=1
enabled=1
EOF
#stay current and update all the things.
yum update -y
#Download repo signing key
curl -O https://nginx.org/keys/nginx_signing.key
#import signing key for repo
rpm --import ./nginx_signing.key
#install nginx
sudo yum install nginx -y
#clone my repo in order to grab the nginx.conf file inside.
git clone https://github.com/IAmATeaPot418/nginx-hardening.git
#remove existing nginx.conf file
sudo rm -f /etc/nginx/nginx.conf
#remove index.html
sudo rm -f /usr/share/nginx/html/index.html
#remove server error message
sudo rm -f /usr/share/nginx/html/50x.html
#move error messages to config
sudo mv nginx-hardening/50x.html /usr/share/nginx/html/50x.html
#copy nginx.conf hosted on repo and make it the NGINX configuration file
mv nginx-hardening/nginx.conf /etc/nginx/nginx.conf
#copy index.html hosted on repo and make it the NGINX index.html file.
sudo mv nginx-hardening/index.html /usr/share/nginx/html/index.html
#copy client side error message and server error messages
sudo mv nginx-hardening/40x.html /usr/share/nginx/html/40x.html
#remove the cloned repository because we only needed one file from it.
rm -rf /tmp/nginx-hardening
#install aws cli tools to obtain public network info in automated fashion
sudo yum install awscli -y
#use aws cli tools to get public ip address
publicip=$(curl http://169.254.169.254/latest/meta-data/public-ipv4)
#use aws cli tools to get public ip dns name
publicdns=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
#add the public dns and public ip address to the server name directive to ensure you can only access NGINX when the host header is that name.
sed -i "s/server_name[^;]*;/server_name $publicip $publicdns;/" /etc/nginx/nginx.conf
#AWS public DNS names are too long for NGINX to handle.
#The following line is not required if your hostname and ipaddres are shorter. This line configures the size the server_name directive can be
sed -i "s/http {/http {\n server_names_hash_bucket_size 128;/g" /etc/nginx/nginx.conf
#change directories to the directory we want the certificate to be installed in.
cd /etc/nginx
#create a self-signed certificate
sudo openssl req -x509 -nodes -days 365 -subj "/C=US/ST=CA/L=SantaClara/O=Jamie/OU=Personal/CN=ILikeNginx" -newkey rsa:2048 -keyout /etc/nginx/nginx-selfsigned.key -out /etc/nginx/nginx-selfsigned.crt
#recycle nginx to make changes take effect.
service nginx restart