ready setup

2025-06-17 14:25:14 +05:30 · 2025-06-17 14:25:14 +05:30 · 83dfb87a39
parent beaf7bb60b
commit 83dfb87a39
1 changed files with 150 additions and 14 deletions
--- a/cdn_setup/setup.sh
+++ b/cdn_setup/setup.sh
@ -1,22 +1,38 @@
-
 apt install nginx fail2ban -y;
 apt install php-fpm php-cli php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath -y

-
 mkdir /etc/ssl/private;
 mkdir /var/www/account.urmic.org;
 mkdir /var/www/cdn.urmic.org;
 mkdir /var/www/stream.urmic.org;

-
 cat >> /etc/fail2ban/jail.d/nginx.conf<<EOL
-[nginx-http-auth]
+[cdn]
 enabled = true
 filter = nginx-http-auth
 action = iptables-multiport[name=NoAuthFailures, port="http,https"]
-logpath = /var/log/nginx/error.log
+logpath = /var/log/nginx/cdn_error.log
 maxretry = 5
-bantime = 7200
+bantime = 3600
+findtime = 600
+
+[account]
+enabled = true
+filter = nginx-http-auth
+action = iptables-multiport[name=NoAuthFailures, port="http,https"]
+logpath = /var/log/nginx/account_error.log
+maxretry = 5
+bantime = 3600
+findtime = 600
+
+[stream]
+enabled = true
+filter = nginx-http-auth
+action = iptables-multiport[name=NoAuthFailures, port="http,https"]
+logpath = /var/log/nginx/stream_error.log
+maxretry = 5
+bantime = 3600
+findtime = 600
 EOL

 cat >> /etc/ssl/private/bundle.crt<<EOL
@ -204,7 +220,7 @@ server {
    listen 80;
    listen [::]:80;
    server_name cdn.urmic.org;
-    return 301 https://$host$request_uri;
+    return 301 https://\$host\$request_uri;
 }

 server {
@ -231,17 +247,13 @@ server {
    add_header X-XSS-Protection "1; mode=block";

    # Limit Request Methods
-    if ($request_method !~ ^(GET|HEAD|POST)$) {
+    if (\$request_method !~ ^(GET|HEAD|POST)$) {
        return 444;
    }

    # Apply rate limiting (defined in nginx.conf)
    limit_req zone=cdnlimit burst=25 nodelay;

-    # PHP-FPM handling
-    location / {
-        try_files $uri $uri/ /index.php?$args;
-    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
@ -254,7 +266,7 @@ server {
    }

    # Block common bots and scanners
-    if ($http_user_agent ~* (wget|curl|bot|scanner|spider|python|libwww-perl)) {
+    if (\$http_user_agent ~* (wget|curl|bot|scanner|spider|python|libwww-perl)) {
        return 403;
    }

@ -263,6 +275,130 @@ server {
 }
 EOL

+cat >> /etc/nginx/sites-available/account.urmic.org<<EOL
+server {
+    listen 80;
+    listen [::]:80;
+    server_name account.urmic.org;
+    return 301 https://\$host\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name account.urmic.org;
+
+    root /var/www/account.urmic.org;
+    index index.php index.html index.htm;
+
+    ssl_certificate /etc/ssl/private/bundle.crt;
+    ssl_certificate_key /etc/ssl/private/server.key;
+
+    # SSL settings
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+    add_header X-XSS-Protection "1; mode=block";
+
+    # Limit Request Methods
+    if (\$request_method !~ ^(GET|HEAD|POST)$) {
+        return 444;
+    }
+
+    # Apply rate limiting (defined in nginx.conf)
+    limit_req zone=cdnlimit burst=25 nodelay;
+
+    
+
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/run/php/php8.2-fpm.sock; # Adjust PHP version if different
+    }
+
+    # Deny access to hidden files
+    location ~ /\.(?!well-known).* {
+        deny all;
+    }
+
+    # Block common bots and scanners
+    if (\$http_user_agent ~* (wget|curl|bot|scanner|spider|python|libwww-perl)) {
+        return 403;
+    }
+
+    access_log /var/log/nginx/account_access.log;
+    error_log /var/log/nginx/account_error.log;
+}
+EOL
+
+cat >> /etc/nginx/sites-available/stream.urmic.org<<EOL
+server {
+    listen 80;
+    server_name stream.urmic.org;
+
+    # Redirect HTTP to HTTPS
+    return 301 https://\$host\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name stream.urmic.org;
+
+    ssl_certificate /etc/ssl/private/bundle.crt;
+    ssl_certificate_key /etc/ssl/private/server.key;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+    add_header X-XSS-Protection "1; mode=block";
+
+    # Proxy all requests to Icecast
+    location / {
+        proxy_pass         http://127.0.0.1:8000;
+        proxy_set_header   Host \$host;
+        proxy_set_header   X-Real-IP \$remote_addr;
+        proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto \$scheme;
+
+        proxy_buffering off;
+    }
+
+    access_log /var/log/nginx/stream_access.log;
+    error_log  /var/log/nginx/stream_error.log;
+}
+EOL
+
+
 ln -s /etc/nginx/sites-available/account.urmic.org /etc/nginx/sites-enabled/
 ln -s /etc/nginx/sites-available/cdn.urmic.org /etc/nginx/sites-enabled/
-ln -s /etc/nginx/sites-available/stream.urmic.org /etc/nginx/sites-enabled/
+ln -s /etc/nginx/sites-available/stream.urmic.org /etc/nginx/sites-enabled/
+
+cat >> /var/www/account.urmic.org/index.php<<EOL
+<?php
+phpinfo();
+EOL
+
+cat >> /var/www/cdn.urmic.org/index.php<<EOL
+<?php
+phpinfo();
+EOL
+
+cat >> /var/www/stream.urmic.org/index.php<<EOL
+<?php
+phpinfo();
+EOL
+
+systemctl restart nginx;
+systemctl enable fail2ban
+systemctl restart fail2ban