From b2689a62b11cf9a4423ac51af582a12a17a781a0 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Sun, 27 Aug 2023 04:00:25 +0200
Subject: [PATCH] Start bookworm web server setup.
---
 bookworm/apt-mark/web | 4 +++
 bookworm/etc_files/web/etc/nftables.conf | 22 ++++++++++++
 bookworm/etc_files/web/etc/nginx/nginx.conf | 38 +++++++++++++++++++++
 bookworm/setup_scripts/setup_web.sh | 21 ++++++++++++
 4 files changed, 85 insertions(+)
 create mode 100644 bookworm/apt-mark/web
 create mode 100755 bookworm/etc_files/web/etc/nftables.conf
 create mode 100644 bookworm/etc_files/web/etc/nginx/nginx.conf
 create mode 100755 bookworm/setup_scripts/setup_web.sh
diff --git a/bookworm/apt-mark/web b/bookworm/apt-mark/web
new file mode 100644
index 0000000..4912b8a
--- /dev/null
+++ b/bookworm/apt-mark/web
@@ -0,0 +1,4 @@
+nginx-light
+# for SSL
+certbot
+python3-certbot-nginx
diff --git a/bookworm/etc_files/web/etc/nftables.conf b/bookworm/etc_files/web/etc/nftables.conf
new file mode 100755
index 0000000..ec6732a
--- /dev/null
+++ b/bookworm/etc_files/web/etc/nftables.conf
@@ -0,0 +1,22 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iif lo accept comment "accept localhost traffic"
+ ct state invalid drop comment "drop invalid connections"
+ ct state established, related accept comment "accept traffic originated from us"
+ tcp dport 22 accept comment "accept SSH on default port"
+ tcp dport 80 accept comment "accept HTTP on default port"
+ tcp dport 443 accept comment "accept HTTPS on default port"
+ ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
diff --git a/bookworm/etc_files/web/etc/nginx/nginx.conf b/bookworm/etc_files/web/etc/nginx/nginx.conf
new file mode 100644
index 0000000..8320425
--- /dev/null
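Review bot: The only ICMP rule in chain input, `ip protocol icmp icmp type echo-request accept`, matches IPv4 only, so in this `inet` table with `policy drop` every ICMPv6 packet is discarded, including neighbour solicitation/advertisement, router advertisements and packet-too-big. Neighbour-discovery messages do not get a conntrack entry as far as I know, so the `ct state established, related accept` line does not rescue them either, and the host's IPv6 reachability and path-MTU discovery break as soon as it has an IPv6 address. Adding `icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, destination-unreachable, time-exceeded, parameter-problem } accept comment "ICMPv6 is required for IPv6 to work"` next to the IPv4 rule fixes that; `meta l4proto ipv6-icmp accept` is the blunt alternative. If the host is deliberately IPv4-only, a comment saying so would save the next reader the same question.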
+++ b/bookworm/etc_files/web/etc/nginx/nginx.conf
@@ -0,0 +1,38 @@
+# system integration
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+# is expected even if empty
+events {
+}
+
+http {
+ # define content-type headers
+ include /etc/nginx/mime.types;
+ charset utf-8;
+
+ # Some standard optimizations, i.e. Debian default. Explained in
+ #
+ # Not that I understand it all …
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ # logging deactivated due to GDPR
+ #access_log /var/log/nginx/access.log;
+ #error_log /var/log/nginx/error.log;
+ access_log off;
+ error_log off;
+
+ # virtual hosts: sites-enabled is the Debian way, conf.d the NGINX default
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+
+ # Redirect all HTTP requests to HTTPS.
+ server {
+ listen 80;
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/bookworm/setup_scripts/setup_web.sh b/bookworm/setup_scripts/setup_web.sh
new file mode 100755
index 0000000..ea4e305
--- /dev/null
+++ b/bookworm/setup_scripts/setup_web.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -e
+
+expect_n_args 1 "(domain name)" "$@"
+domain="$1"
+
+# Install configs, set up firewall.
+./install_for_target.sh web
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web
+nft -f /etc/nftables.conf
+
+# Set up letsencrypt certificate. TODO: Is it auto-renewed?
+ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
+rm /etc/nginx/sites-enabled/default
+
+# Prepare NGINX.
+sed -i "s/REPLACE_fqdn_ECALPER/${domain}/g" /etc/nginx/sites-available/dumpsite.nginx
+ln -s /etc/nginx/sites-available/dumpsite.nginx /etc/nginx/sites-enabled/dumpsite.nginx
+
+service nginx restart
-- 
2.30.2
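Review bot: `error_log off;` in the http block does not switch the error log off — as far as I know only `access_log` accepts `off`, and `error_log` treats the word as a file name, so nginx opens a file literally called `off` relative to its prefix and keeps writing errors there, which defeats the GDPR intent stated in the comment above it. Use `error_log /dev/null crit;` if you really want nothing, or better `error_log /var/log/nginx/error.log crit;`, which records little beyond startup, configuration and certificate failures and is what you will want when a certbot-managed vhost stops loading. The redirect server further down only has `listen 80;`, so IPv6 clients never receive the HTTP→HTTPS redirect; `listen [::]:80;` next to it closes that gap. Note that `$host` in the `return 301` is taken from the client's Host header, so a request with a forged Host is bounced to that host — the usual nginx idiom, but worth a one-line comment so nobody later "fixes" it to a hard-coded name without knowing why.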
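Review bot: `nft -f /etc/nftables.conf` only loads the ruleset into the running kernel; nothing in this script enables `nftables.service` (the Debian unit that replays `/etc/nftables.conf` at boot), so unless `install_for_target.sh` does it the host comes back from a reboot with no input filtering at all — `systemctl enable --now nftables` in place of the manual `nft -f` line closes that gap. The second symlink uses plain `ln -s` while the first uses `ln -sf`; under `set -e` a re-run of the script aborts on the existing `dumpsite.nginx` link, so make it `ln -sf /etc/nginx/sites-available/dumpsite.nginx /etc/nginx/sites-enabled/dumpsite.nginx` as well. On the TODO: the bookworm certbot package ships a `certbot.timer` that runs `certbot renew`, and a certificate obtained with `--nginx` should have nginx reloaded on deploy, so renewal is automatic as long as the vhost for `${domain}` stays answerable on port 80 for the HTTP-01 challenge. `${mail}`, `${config_tree_prefix}` and `expect_n_args` are not defined anywhere in this script; if they are meant to come from the caller's environment, say so in a comment or add `set -u` so a missing `${mail}` fails loudly instead of passing `-m ""` to certbot.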