kerus1024 · December 4, 2022 15:59 · Dec 4, 2022 · Nov 26, 2022 · Nov 26, 2022 · Nov 26, 2022
diff --git a/install-openresty.bash b/install-openresty.bash
@@ -194,10 +194,11 @@ http {
     # SSL/TLS Hardening
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    ssl_prefer_server_ciphers off;
+    ssl_prefer_server_ciphers on;
+    ssl_ecdh_curve X25519:P-521:P-384:P-256;
     ssl_session_cache shared:SSL:10m;
     ssl_session_timeout 10m;
-    ssl_ecdh_curve P-521:P-384:P-256:X25519;
+    
     ssl_early_data on;
     ssl_dhparam /usr/local/openresty/nginx/ssl/dhparam.pem;
 

diff --git a/install-openresty.bash b/install-openresty.bash
@@ -157,10 +157,10 @@ http {
     include koi-utf;
     default_type  application/octet-stream;
 
-    log_format main '$remote_addr : $remote_port to $server_addr : $server_port [$time_local] '
-    '"$request_method $scheme://$host$request_uri $server_protocol" '
-    '$status $body_bytes_sent "$http_referer" '
-    '"$http_user_agent" $request_time';
+    log_format main '\$remote_addr : \$remote_port to \$server_addr : \$server_port [\$time_local] '
+    '"\$request_method \$scheme://\$host\$request_uri \$server_protocol" '
+    '\$status \$body_bytes_sent "\$http_referer" '
+    '"\$http_user_agent" \$request_time';
 
     access_log  /var/log/nginx/access.log  main;
 

diff --git a/install-openresty.bash b/install-openresty.bash
@@ -38,6 +38,8 @@ apt-get install -y  libgeoip-dev \
 apt-get remove -y nginx
 
 # BZIP2 Build and install
+cd $SOURCE_WORK_DIRECTORY
+mkdir -p bzip2
 git clone git://sourceware.org/git/bzip2.git && cd bzip2 && make && make install
 
 # PCRE Build and install

diff --git a/install-openresty.bash b/install-openresty.bash
@@ -0,0 +1,369 @@
+#!/bin/bash
+#
+# Openresty Installation
+#    working on debian 11, ubuntu 22.04
+#
+
+# Define Some Variables
+set -ex
+ORIGIN_WORK_DIRECTORY="$(pwd)"
+SOURCE_WORK_DIRECTORY="/opt"
+
+VER_PCRE="8.45"
+VER_OPENSSL="1.1.1i"
+VER_OPENRESTY="1.21.4.1"
+
+DOWNLOAD_URL_PCRE_TGZ="http://ftp.cs.stanford.edu/mirrors/exim/pcre/pcre-${VER_PCRE}.tar.gz"
+DOWNLOAD_URL_OPENSSL_TGZ="https://www.openssl.org/source/openssl-${VER_OPENSSL}.tar.gz"
+DOWNLOAD_URL_OPENRESTY_TGZ="https://openresty.org/download/openresty-${VER_OPENRESTY}.tar.gz"
+
+if [ "$UID" -ne 0 ]; then
+  echo "Please run as root user"
+  exit 1
+fi
+
+# Preinstall Required Packages
+apt-get update -y && apt-get upgrade -y
+apt-get install -y  libgeoip-dev \
+                    lib32readline-dev \
+                    libreadline-dev \
+                    make \
+                    build-essential \
+                    zlib1g-dev \
+                    libperl-dev \
+                    git \
+                    wget
+
+# Kill NGINX
+apt-get remove -y nginx
+
+# BZIP2 Build and install
+git clone git://sourceware.org/git/bzip2.git && cd bzip2 && make && make install
+
+# PCRE Build and install
+mkdir -p $SOURCE_WORK_DIRECTORY/pcre_${VER_PCRE}
+wget -qO- $DOWNLOAD_URL_PCRE_TGZ | tar xvz --strip 1 -C $SOURCE_WORK_DIRECTORY/pcre_${VER_PCRE}
+cd $SOURCE_WORK_DIRECTORY/pcre_${VER_PCRE}
+./configure --prefix=/usr                     \
+            --docdir=/usr/share/doc/pcre-8.42 \
+            --enable-unicode-properties       \
+            --enable-pcre16                   \
+            --enable-pcre32                   \
+            --enable-pcregrep-libz            \
+            --enable-pcregrep-libbz2          \
+            --enable-pcretest-libreadline     \
+            --disable-static
+
+make -j$(nproc) && make install
+
+# OpenSSL Build and install
+mkdir -p $SOURCE_WORK_DIRECTORY/openssl_${VER_OPENSSL}
+wget -qO- $DOWNLOAD_URL_OPENSSL_TGZ | tar xvz --strip 1 -C $SOURCE_WORK_DIRECTORY/openssl_${VER_OPENSSL}
+cd $SOURCE_WORK_DIRECTORY/openssl_${VER_OPENSSL}
+./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib
+make -j$(nproc) && make install
+
+echo "/usr/local/ssl/lib" | tee /etc/ld.so.conf.d/openssl.conf
+ldconfig -v
+ln -sf /usr/local/ssl/bin/openssl /usr/bin/openssl
+cat <<EOF | tee /etc/profile.d/openssl.sh
+export OPENSSL_CONF="/usr/local/ssl/openssl.cnf"
+export OPENSSL_PATH="/usr/local/ssl/bin"
+export OPENSSL_ROOT_DIR="/usr/local/ssl"
+export OPENSSL_LIBRARIES="/usr/local/ssl/lib"
+export OPENSSL_INCLUDE_DIR="/usr/local/ssl/include"
+export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+export SSL_CERT_DIR=/etc/ssl/certs
+PATH=$PATH:$OPENSSL_PATH
+EOF
+chmod 755 /etc/profile.d/openssl.sh
+source /etc/profile.d/openssl.sh
+
+# Openresty Build and install
+mkdir -p $SOURCE_WORK_DIRECTORY/openresty_${VER_OPENRESTY}
+wget -qO- $DOWNLOAD_URL_OPENRESTY_TGZ | tar xvz --strip 1 -C $SOURCE_WORK_DIRECTORY/openresty_${VER_OPENRESTY}
+cd $SOURCE_WORK_DIRECTORY/openresty_${VER_OPENRESTY}
+git clone --recursive https://github.com/google/ngx_brotli
+./configure --prefix=/usr/local/openresty \
+            --with-cc-opt="-I /usr/local/ssl/include" \
+            --with-ld-opt="-L /usr/local/ssl/lib" \
+            --with-compat \
+            --add-module=./ngx_brotli \
+            --with-pcre-jit \
+            --with-http_realip_module \
+            --with-http_geoip_module=dynamic \
+            --with-http_v2_module \
+            --with-http_gzip_static_module \
+            --with-http_slice_module \
+            --with-stream \
+            --with-stream_ssl_module
+make -j$(nproc) && make install
+
+cat <<EOF | tee /lib/systemd/system/openresty.service
+[Unit]
+Description=The NGINX HTTP and reverse proxy server
+After=syslog.target network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStartPre=/usr/sbin/nginx -t
+ExecStart=/usr/sbin/nginx
+ExecReload=/usr/sbin/nginx -s reload
+ExecStop=/bin/kill -s QUIT $MAINPID
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+chmod 755 /lib/systemd/system/openresty.service
+
+ln -sf /usr/local/openresty/bin/openresty /usr/sbin/nginx
+ln -sf /usr/local/openresty/bin/openresty /usr/bin/nginx
+ln -sf /usr/local/openresty/bin/openresty /usr/local/bin/nginx
+ln -sf /lib/systemd/system/openresty.service /lib/systemd/system/nginx.service
+systemctl daemon-reload
+
+# Nginx Setting for Openresty
+useradd -r -s /bin/false nginx || true
+
+mkdir -p /var/log/nginx
+
+
+# default fakessl
+mkdir -p /usr/local/openresty/nginx/ssl
+openssl req -subj "/CN=localhost" -x509 -nodes -newkey rsa:4096 -keyout /usr/local/openresty/nginx/ssl/localhost.key -out /usr/local/openresty/nginx/ssl/localhost.crt -sha256 -days 365
+
+openssl dhparam -out /usr/local/openresty/nginx/ssl/dhparam.pem 4096
+
+cat <<EOF | tee /usr/local/openresty/nginx/conf/nginx.conf
+user nginx;
+worker_processes $(nproc);
+
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+events {
+    worker_connections 4096;
+}
+
+
+http {
+    include mime.types;
+    include koi-utf;
+    default_type  application/octet-stream;
+
+    log_format main '$remote_addr : $remote_port to $server_addr : $server_port [$time_local] '
+    '"$request_method $scheme://$host$request_uri $server_protocol" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" $request_time';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    server_tokens off;
+
+    sendfile on;
+
+    tcp_nopush on;
+    tcp_nodelay off;
+
+    keepalive_timeout  65;
+
+    charset utf-8;
+    charset_types text/xml text/plain text/vnd.wap.wml
+                  application/javascript application/x-javascript
+                  application/rss+xml text/css;
+    override_charset on;
+
+    map_hash_bucket_size 256;
+    map_hash_max_size 4096;
+    server_names_hash_bucket_size 128;
+    server_names_hash_max_size 2048;
+    variables_hash_max_size 2048;
+
+    # OCSP Stapling
+    resolver 1.1.1.1 1.0.0.1 valid=86400s ipv6=off;
+    resolver_timeout 5s;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # SSL/TLS Hardening
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_ecdh_curve P-521:P-384:P-256:X25519;
+    ssl_early_data on;
+    ssl_dhparam /usr/local/openresty/nginx/ssl/dhparam.pem;
+
+    # HTTP/2 Push
+    http2_push on;
+    http2_push_preload on;
+
+    # Client Timeout
+    client_header_timeout  15s;
+    client_body_timeout    60s;
+    send_timeout           60s;
+
+    # Something
+    log_not_found off;
+    open_file_cache max=50000 inactive=60s;
+    open_file_cache_valid 120s;
+    open_file_cache_min_uses 2;
+    open_file_cache_errors off;
+    open_log_file_cache max=10000 inactive=30s min_uses=2;
+
+    # Keepalive
+    #keepalive_timeout 24h;
+    #keepalive_requests 15000;
+    #lingering_time 60s;
+    #lingering_close on;
+    #lingering_timeout 10s;
+    #keepalive_disable msie6;
+
+    # Default Body Size
+    client_max_body_size 1m;
+
+    # GZIP Compression
+    gzip on;
+    gzip_comp_level 9;
+    gzip_static on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_min_length 150;
+    gzip_buffers 2048 4k;
+    gzip_http_version 1.1;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types text/richtext
+               text/plain
+               text/css
+               text/x-script
+               text/x-component
+               text/x-java-source
+               application/javascript
+               application/x-javascript
+               text/javascript
+               text/js
+               image/x-icon
+               application/x-perl
+               application/x-httpd-cgi
+               text/xml
+               application/xml
+               application/rss+xml
+               application/json
+               multipart/bag
+               multipart/mixed
+               application/xhtml+xml
+               font/ttf
+               font/otf
+               font/woff
+               font/woff2
+               image/svg+xml
+               application/vnd.ms-fontobject
+               application/ttf
+               application/x-ttf
+               application/otf
+               application/x-otf
+               application/x-font-ttf
+               application/x-font-truetype
+               application/x-font-opentype
+               application/x-opentype
+               application/woff
+               application/eot
+               application/font
+               application/font-woff
+               application/font-woff2
+               application/x-font-woff2
+               application/font-sfnt;
+    gzip_disable "MSIE [1-6].(?!.*SV1)";
+
+    # GeoIP2
+    #geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
+    #    $geoip2_metadata_country_build metadata build_epoch;
+    #    $geoip2_data_country_code default=US source=$remote_addr country iso_code;
+    #    $geoip2_data_country_name country names en;
+    #}
+
+    #geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
+    #    $geoip2_data_city_name default=London city names en;
+    #    $geoip2_data_continent_name default=Europe continent names en;
+    #    $geoip2_data_subdivisions_name default=London subdivisions 0 names en;
+    #}
+
+    # Default Index
+    index index.html;
+
+    # CloudFlare Client-IP
+    include /etc/nginx/include.d/cloudflare.conf;
+
+    # Default Server Directive
+    server {
+        listen 80;
+        server_name _ localhost;
+        location / {
+            root   /usr/local/openresty/nginx/html;
+            default_type text/html;
+        }
+    }
+
+    server {
+        listen 443 ssl http2;
+        server_name _ localhost;
+        ssl_certificate /usr/local/openresty/nginx/ssl/localhost.crt;
+        ssl_certificate_key /usr/local/openresty/nginx/ssl/localhost.key;
+        location / {
+            root   /usr/local/openresty/nginx/html;
+            default_type text/html;
+        }
+    }
+
+    include /etc/nginx/conf.d/*.conf;
+}
+
+include /etc/nginx/stream.d/*.conf;
+EOF
+
+mkdir -p /etc/nginx
+ln -sf /usr/local/openresty/nginx/conf/nginx.conf /etc/nginx/nginx.conf
+
+mkdir -p /etc/nginx/conf.d
+mkdir -p /etc/nginx/stream.d
+mkdir -p /etc/nginx/include.d
+
+cat <<EOF | tee /etc/nginx/include.d/__cloudflare-20221126.conf
+# https://www.cloudflare.com/ips/
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+real_ip_header CF-Connecting-IP;
+EOF
+ln -sf /etc/nginx/include.d/__cloudflare-20221126.conf /etc/nginx/include.d/cloudflare.conf
+
+/usr/sbin/nginx -V
+/usr/sbin/nginx -t
+systemctl enable --now openresty
+
+cd ${ORIGIN_WORK_DIRECTORY}
+echo 'Enjoy Openresty !'