Bachir Soussi Chiadmi 6 gadi atpakaļ
vecāks
revīzija
a587dc0847
3 mainītis faili ar 13 papildinājumiem un 8 dzēšanām
  1. 6 3
      assets/drupal-ssl.nginxconf
  2. 3 3
      assets/simple-phpfpm-ssl.nginxconf
  3. 4 2
      bin/vhost.sh

+ 6 - 3
assets/drupal-ssl.nginxconf

@@ -15,14 +15,14 @@ server {
   root /var/www/DOMAIN.LTD/public_html;
 
   #SSL Certificates
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/cert.pem";
   ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
-  ssl_dhparam /etc/nginx/dhparam.pem;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+  ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
   ssl_session_cache shared:SSL:1m;
   ssl_session_timeout 10m;
   ssl_ciphers HIGH:!aNULL:!MD5;
+  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
   ssl_prefer_server_ciphers  on;
 
   add_header Strict-Transport-Security "max-age=31536000;
@@ -134,4 +134,7 @@ server {
     expires max;
     log_not_found off;
   }
+
+  # website should not be displayed inside a <frame>, an <iframe> or an <object>
+  add_header X-Frame-Options DENY;
 }

+ 3 - 3
assets/simple-phpfpm-ssl.nginxconf

@@ -32,14 +32,14 @@ server {
   client_max_body_size 100m;
 
   #SSL Certificates
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/cert.pem";
   ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
-  ssl_dhparam /etc/nginx/dhparam.pem;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+  ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
   ssl_session_cache shared:SSL:1m;
   ssl_session_timeout 10m;
   ssl_ciphers HIGH:!aNULL:!MD5;
+  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
   ssl_prefer_server_ciphers  on;
 
   add_header Strict-Transport-Security "max-age=31536000;

+ 4 - 2
bin/vhost.sh

@@ -63,7 +63,8 @@ if [ "$vh" = "y" ]; then
   if [ "$_letsencrypt" = "yes" ]; then
     apt-get --yes --force-yes install certbot
     certbot certonly --standalone -d "$_domain" --cert-name "$_domain"
-    openssl dhparam -out /etc/nginx/dhparam.pem 2048
+    mkdir -p /etc/nginx/ssl/certs/"$_domain"
+    openssl dhparam -out /etc/nginx/ssl/certs/"$_domain"/dhparam.pem 2048
     # renewing
     touch /var/spool/cron/crontabs/root
     crontab -l > mycron
@@ -113,7 +114,7 @@ if [ "$vh" = "y" ]; then
       do
         read -p "enter an existing user name ? " user
         if [ "$user" != "" ]; then
-          check if user already exists
+          # check if user already exists
           if id "$user" >/dev/null 2>&1; then
             read -p "is user name $user correcte [y|n] " validated
             if [ "$validated" = "y" ]; then
@@ -135,6 +136,7 @@ if [ "$vh" = "y" ]; then
     mkdir /home/"$user"/www/
     chown "$user":admin /home/"$user"/www/
     ln -s /var/www/"$_domain" /home/"$user"/www/"$_domain"
+    chown "$user":admin /home/"$user"/www/"$_domain"
 
   else
     echo -e 'no shortcut installed'