#!/usr/bin/env bash DOMAIN=${1:-example.local} APP_SLUG=${2:-example} APP_PORT=${3:-3000} DBA_PORT=${4:-3001} # Stop NGINX service nginx stop echo "[✔] Stoped NGINX service" # Make SSL certificate certbot certonly --standalone --preferred-challenges http -d $DOMAIN -d admin.$DOMAIN echo "[✔] Make SSL certificate for ${DOMAIN}" # Install A PHP WebApp Server cat > /etc/nginx/sites-available/10-${APP_SLUG}.conf << EOF upstream ${APP_SLUG}_site { server 127.0.0.1:${APP_PORT}; } upstream ${APP_SLUG}_data { server 127.0.0.1:${DBA_PORT}; } server { listen 80; listen [::]:80; server_name ${DOMAIN} admin.${DOMAIN} manage.${DOMAIN} db.${DOMAIN}; server_tokens off; access_log off; location / { return 301 https://\$server_name\$request_uri; } } server { listen 443; listen [::]:443; server_name ${DOMAIN} admin.${DOMAIN} manage.${DOMAIN}; server_tokens off; access_log off; ssl on; ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; ssl_session_cache shared:SSL:10m; ssl_session_timeout 30m; location / { proxy_set_header Host \$host; proxy_set_header X-Real-Ip \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_pass http://${APP_SLUG}_site/; } } server { listen 443; listen [::]:443; server_name db.${DOMAIN}; server_tokens off; access_log off; ssl on; ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; ssl_session_cache shared:SSL:10m; ssl_session_timeout 30m; location / { proxy_set_header Host \$host; proxy_set_header X-Real-Ip \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_pass http://${APP_SLUG}_data/; } } EOF ln -s /etc/nginx/sites-available/10-${APP_SLUG}.conf /etc/nginx/sites-enabled/10-${APP_SLUG} echo "[✔] Config Virtual Host for ${DOMAIN}" # Restart Nginx nginx -t service nginx reload echo "[✔] Reload NGINX service"