From a587dc08472798f41e134d5456d702001e520d94 Mon Sep 17 00:00:00 2001
From: Bachir Soussi Chiadmi <bachir@g-u-i.me>
Date: Sat, 7 Apr 2018 16:44:29 +0200
Subject: [PATCH] some fix

---
 assets/drupal-ssl.nginxconf        | 9 ++++++---
 assets/simple-phpfpm-ssl.nginxconf | 6 +++---
 bin/vhost.sh                       | 6 ++++--
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/assets/drupal-ssl.nginxconf b/assets/drupal-ssl.nginxconf
index 1fcaed7..9c30180 100644
--- a/assets/drupal-ssl.nginxconf
+++ b/assets/drupal-ssl.nginxconf
@@ -15,14 +15,14 @@ server {
   root /var/www/DOMAIN.LTD/public_html;
 
   #SSL Certificates
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/cert.pem";
   ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
-  ssl_dhparam /etc/nginx/dhparam.pem;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+  ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
   ssl_session_cache shared:SSL:1m;
   ssl_session_timeout 10m;
   ssl_ciphers HIGH:!aNULL:!MD5;
+  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
   ssl_prefer_server_ciphers  on;
 
   add_header Strict-Transport-Security "max-age=31536000;
@@ -134,4 +134,7 @@ server {
     expires max;
     log_not_found off;
   }
+
+  # website should not be displayed inside a <frame>, an <iframe> or an <object>
+  add_header X-Frame-Options DENY;
 }
diff --git a/assets/simple-phpfpm-ssl.nginxconf b/assets/simple-phpfpm-ssl.nginxconf
index c2b4094..a25577e 100644
--- a/assets/simple-phpfpm-ssl.nginxconf
+++ b/assets/simple-phpfpm-ssl.nginxconf
@@ -32,14 +32,14 @@ server {
   client_max_body_size 100m;
 
   #SSL Certificates
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/cert.pem";
   ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
-  ssl_dhparam /etc/nginx/dhparam.pem;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+  ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
   ssl_session_cache shared:SSL:1m;
   ssl_session_timeout 10m;
   ssl_ciphers HIGH:!aNULL:!MD5;
+  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
   ssl_prefer_server_ciphers  on;
 
   add_header Strict-Transport-Security "max-age=31536000;
diff --git a/bin/vhost.sh b/bin/vhost.sh
index 578b726..2e3219d 100755
--- a/bin/vhost.sh
+++ b/bin/vhost.sh
@@ -63,7 +63,8 @@ if [ "$vh" = "y" ]; then
   if [ "$_letsencrypt" = "yes" ]; then
     apt-get --yes --force-yes install certbot
     certbot certonly --standalone -d "$_domain" --cert-name "$_domain"
-    openssl dhparam -out /etc/nginx/dhparam.pem 2048
+    mkdir -p /etc/nginx/ssl/certs/"$_domain"
+    openssl dhparam -out /etc/nginx/ssl/certs/"$_domain"/dhparam.pem 2048
     # renewing
     touch /var/spool/cron/crontabs/root
     crontab -l > mycron
@@ -113,7 +114,7 @@ if [ "$vh" = "y" ]; then
       do
         read -p "enter an existing user name ? " user
         if [ "$user" != "" ]; then
-          check if user already exists
+          # check if user already exists
           if id "$user" >/dev/null 2>&1; then
             read -p "is user name $user correcte [y|n] " validated
             if [ "$validated" = "y" ]; then
@@ -135,6 +136,7 @@ if [ "$vh" = "y" ]; then
     mkdir /home/"$user"/www/
     chown "$user":admin /home/"$user"/www/
     ln -s /var/www/"$_domain" /home/"$user"/www/"$_domain"
+    chown "$user":admin /home/"$user"/www/"$_domain"
 
   else
     echo -e 'no shortcut installed'