devdatt
/
update_deploy_infra
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update

This commit is contained in:
devdatt 2025-06-17 13:44:36 +05:30
parent 98613f6d79
commit beaf7bb60b
1 changed files with 245 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

289
cdn_setup/setup.sh
View File

@ -1,67 +1,268 @@
apt install nginx fail2ban -y;
apt install php-fpm php-cli php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath -y
mkdir /etc/ssl/private;
mkdir /var/www/account.urmic.org;
mkdir /var/www/cdn.urmic.org;
mkdir /var/www/stream.urmic.org;
cat >> /etc/fail2ban/jail.d/nginx.conf<<EOL
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 7200
EOL
cat >> /etc/ssl/private/bundle.crt<<EOL
-----BEGIN CERTIFICATE-----
MIIGlzCCBP+gAwIBAgIRAKfsciVkCheKiiJ6JWprPmIwDQYJKoZIhvcNAQEMBQAw
YDELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UE
AxMuU2VjdGlnbyBQdWJsaWMgU2VydmVyIEF1dGhlbnRpY2F0aW9uIENBIERWIFIz
NjAeFw0yNTA2MTQwMDAwMDBaFw0yNjA2MTQyMzU5NTlaMBgxFjAUBgNVBAMTDWNk
bi51cm1pYy5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJjz97
Q0FEsQmaczaP20p1sfVu8PMSR7exP/fD0AdaVg+3bOPxFpzWnHtCz/8nONemlmG3
792ENwhgIRUlRKq5zxSjHQva33AZjJxkROTwPZWa1R+1sb6IneRIY3Nvp/o6Vwi+
Ydv+xXph3JVK/AGL+M0+5NbDJr0WySZb+c9tjp9e8QviPq5cPcKQ2vxUcXgcgRrQ
kEI/vZWqThgkTOdkovds6bZ/EB7VBIoRM8VYRXJjwjVUDpBgLV8SacLHi7RfEqvW
lrd9nPCt1BYQrPYc5aI3vt93+81SdfjsNeUcNI8JOp09huqzYUe6YxL0MEULnAzC
5wbokg4C53i9nd+fAgMBAAGjggMSMIIDDjAfBgNVHSMEGDAWgBRowBIWGA6vzvaH
pjJXo0ZRXcsHJzAdBgNVHQ4EFgQUEcG11BpxNF+JQV5UhtL5gdTeGyowDgYDVR0P
AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMEkGA1UdIARCMEAwNAYLKwYBBAGyMQECAgcwJTAjBggrBgEFBQcCARYX
aHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwCAYGZ4EMAQIBMIGEBggrBgEFBQcBAQR4
MHYwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuc2VjdGlnby5jb20vU2VjdGlnb1B1
YmxpY1NlcnZlckF1dGhlbnRpY2F0aW9uQ0FEVlIzNi5jcnQwIwYIKwYBBQUHMAGG
F2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMIIBfAYKKwYBBAHWeQIEAgSCAWwEggFo
AWYAdgCWl2S/VViXrfdDh2g3CEJ36fA61fak8zZuRqQ/D8qpxgAAAZdsLUXYAAAE
AwBHMEUCIQCcACsQTKLkAlsDvB4dMjIcLbGTcNMoLO0WqfBLsdzLBgIgLHi/p8ln
5M+iitGp8w0IkAkyHLHIeXm06zwvymmDX3IAdQAZhtTHKKpv/roDb3gqTQGRqs4t
cjEPrs5dcEEtJUzH1AAAAZdsLUW8AAAEAwBGMEQCIBRvDR4MLOgSfX1R6I4gywme
H3HR1zgSJ2cwX7Hp70w9AiAR3jY2cullIDsZa87/jEQY+Z8Uj9X0HFNBeM9DOCJL
+AB1AA5XlLzzrqk+MxssmQez95Dfm8I9cTIl3SGpJaxhxU4hAAABl2wtRbgAAAQD
AEYwRAIgTsvGnb93NiOa+Atg/gEj6vVuHdVwmK7E4BKnBfYmYpwCIDKN58QMd5XZ
7feKLhBHFXdosKiS/UAYuTfPpEoEbARBMD0GA1UdEQQ2MDSCDWNkbi51cm1pYy5v
cmeCEWFjY291bnQudXJtaWMub3JnghBzdHJlYW0udXJtaWMub3JnMA0GCSqGSIb3
DQEBDAUAA4IBgQB+Myp/1oM3PdbzgYgihyYN6nsGAiX9Bri5xzJe+ey/70gYgzzs
vJ7ZWzCXXanoRs8idIFJUUuj+runqY2zVbU6gHEflWAKmyIwiM9+XRSoF3SUb3yh
vf2mS+FZzazu3IXD24G+FpUsNjMHiDv+Ck9awZfzckAGlRLH3EghpZ4g4ADNBdXN
K4c92/g5yCIhu16go//1VC3OV9xWRDEix1xNoxIPMM8wTCCZY6Rq86DDBbKLeayx
blboVuXaexIclTbLcrWZ0x/mkXMzRuFz2MMPKd+z6N6j4lOGsotPLqUbskoqgf+k
kxUizk1OlHEsoHakTFxguIWlnHH3r1NnOEb3dOukMsH+IyLOv4M8t1ADQ5E26vLQ
883ZK5ON9xFR8Vq6jVc6CNRbtFqBInhQHpzazJZ7h+6xpYfgCMUuwzKOllxErS6R
yLWcYzt2qt9cpab8C/DuUqdj5LQLdmSBnO529GERt2HHqE7fcAISA7ycCPCGb/Mi
ef0pPfxF87jbdzo=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGTDCCBDSgAwIBAgIQOXpmzCdWNi4NqofKbqvjsTANBgkqhkiG9w0BAQwFADBf
MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQD
Ey1TZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBSNDYw
HhcNMjEwMzIyMDAwMDAwWhcNMzYwMzIxMjM1OTU5WjBgMQswCQYDVQQGEwJHQjEY
MBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFB1Ymxp
YyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gQ0EgRFYgUjM2MIIBojANBgkqhkiG9w0B
AQEFAAOCAY8AMIIBigKCAYEAljZf2HIz7+SPUPQCQObZYcrxLTHYdf1ZtMRe7Yeq
RPSwygz16qJ9cAWtWNTcuICc++p8Dct7zNGxCpqmEtqifO7NvuB5dEVexXn9RFFH
12Hm+NtPRQgXIFjx6MSJcNWuVO3XGE57L1mHlcQYj+g4hny90aFh2SCZCDEVkAja
EMMfYPKuCjHuuF+bzHFb/9gV8P9+ekcHENF2nR1efGWSKwnfG5RawlkaQDpRtZTm
M64TIsv/r7cyFO4nSjs1jLdXYdz5q3a4L0NoabZfbdxVb+CUEHfB0bpulZQtH1Rv
38e/lIdP7OTTIlZh6OYL6NhxP8So0/sht/4J9mqIGxRFc0/pC8suja+wcIUna0HB
pXKfXTKpzgis+zmXDL06ASJf5E4A2/m+Hp6b84sfPAwQ766rI65mh50S0Di9E3Pn
2WcaJc+PILsBmYpgtmgWTR9eV9otfKRUBfzHUHcVgarub/XluEpRlTtZudU5xbFN
xx/DgMrXLUAPaI60fZ6wA+PTAgMBAAGjggGBMIIBfTAfBgNVHSMEGDAWgBRWc1hk
lfmSGrASKgRieaFAFYghSTAdBgNVHQ4EFgQUaMASFhgOr872h6YyV6NGUV3LBycw
DgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMBsGA1UdIAQUMBIwBgYEVR0gADAIBgZngQwBAgEw
VAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdv
UHVibGljU2VydmVyQXV0aGVudGljYXRpb25Sb290UjQ2LmNybDCBhAYIKwYBBQUH
AQEEeDB2ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3Rp
Z29QdWJsaWNTZXJ2ZXJBdXRoZW50aWNhdGlvblJvb3RSNDYucDdjMCMGCCsGAQUF
BzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTANBgkqhkiG9w0BAQwFAAOCAgEA
YtOC9Fy+TqECFw40IospI92kLGgoSZGPOSQXMBqmsGWZUQ7rux7cj1du6d9rD6C8
ze1B2eQjkrGkIL/OF1s7vSmgYVafsRoZd/IHUrkoQvX8FZwUsmPu7amgBfaY3g+d
q1x0jNGKb6I6Bzdl6LgMD9qxp+3i7GQOnd9J8LFSietY6Z4jUBzVoOoz8iAU84OF
h2HhAuiPw1ai0VnY38RTI+8kepGWVfGxfBWzwH9uIjeooIeaosVFvE8cmYUB4TSH
5dUyD0jHct2+8ceKEtIoFU/FfHq/mDaVnvcDCZXtIgitdMFQdMZaVehmObyhRdDD
4NQCs0gaI9AAgFj4L9QtkARzhQLNyRf87Kln+YU0lgCGr9HLg3rGO8q+Y4ppLsOd
unQZ6ZxPNGIfOApbPVf5hCe58EZwiWdHIMn9lPP6+F404y8NNugbQixBber+x536
WrZhFZLjEkhp7fFXf9r32rNPfb74X/U90Bdy4lzp3+X1ukh1BuMxA/EEhDoTOS3l
7ABvc7BYSQubQ2490OcdkIzUh3ZwDrakMVrbaTxUM2p24N6dB+ns2zptWCva6jzW
r8IWKIMxzxLPv5Kt3ePKcUdvkBU/smqujSczTzzSjIoR5QqQA6lN1ZRSnuHIWCvh
JEltkYnTAH41QJ6SAWO66GrrUESwN/cgZzL4JLEqz1Y=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGlTCCBH2gAwIBAgIRANJ/u8HeNZ5SFq1hSVhgmcQwDQYJKoZIhvcNAQEMBQAw
gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIx
MDMyMjAwMDAwMFoXDTM4MDExODIzNTk1OVowXzELMAkGA1UEBhMCR0IxGDAWBgNV
BAoTD1NlY3RpZ28gTGltaXRlZDE2MDQGA1UEAxMtU2VjdGlnbyBQdWJsaWMgU2Vy
dmVyIEF1dGhlbnRpY2F0aW9uIFJvb3QgUjQ2MIICIjANBgkqhkiG9w0BAQEFAAOC
Ag8AMIICCgKCAgEAk77VNlJ12AEjoBxHQknuY7a3If3EldVIKyZ8FFMQ2nn9K7ct
pNQs+uoy3UnCub0PSD17WphUr55dMXRPB/xQId2kz2hPGxJjbSWZTCqZ80gwYfqB
fB6nCErcPiscHxhMcao1jK34bug7StnllALWiYQTqm3ITzPMUJY3kjPcX4jnn1TZ
SPCYQ9Zm/Z8XOEPFAVEL1+MjDxRdWxTnS77d9MjaAzfR1jmhIVEwg7Bt1zBOlluR
8HAkq79FgWRDDb0hOi886Z4NyyC1QifM2m+b7mQwkDnNk2WBITG1I1AzNyLjOO34
MTDMRf5i+dFdMnlCh99qzFYZQE3Oqrv5tXZJlPEn+JGlg+UGs2MOgNzgElWApjtm
tDmHLcjw0NEU6eQNTQ72XVdyxTscR1ad4tX7gWGMzE2AkDRbt9cUddzYBEifwMEo
iLTpHMqnsfFWt3tJTFnlIBWohAIp+jiUaZpJBo/NH3kUFxIMg3reH7GX7vmXeCik
yESS6X0mBaZYcpt5E9gRX67FOGI0aLKGMI74kGGeMmz1BzbNokxu7Io27fLmmRVE
cMN8vJw5wLTha/eDJSNX2RKA5UnwdQ/vjescm1QotCE8/HwK/+97a3X/ix2gGQWr
+vgrgULoOLq7+6r9PeDzyt9Ol5cp7fMYVumllqy9w5CYsuD5otSmR0N8bc8CAwEA
AaOCASAwggEcMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1Ud
DgQWBBRWc1hklfmSGrASKgRieaFAFYghSTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0T
AQH/BAUwAwEB/zAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEQYDVR0g
BAowCDAGBgRVHSAAMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRy
dXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDA1
BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVz
dC5jb20wDQYJKoZIhvcNAQEMBQADggIBADpvBIlq7bMU0cFDT/9P9+BsgCkRgQs0
S6Bf7vJSlWMHwby0VGvxCS0hrbi0K2BINZbEbsVsgpQq04431yyoVn3Hldorgq24
RldRDOOipEZDTFB9wC9HYt1thHF00XeG2C8KC1plwoEzKAIhPvefI/C3cT0CfTXJ
uFjUbKIgSwjNjw6YHtLgoy/hd5+JLUlLco/gzFX/qWbT7tEquOMYpsNKWZj8TLqP
q6zMiG4Na6feEZte6YPXGrMWlTWN341vDedc+yxQqSug79HJUQcOZs7KyDWztmae
QxsPE49UV/8XwrfZtZaYyrs4FpD94Z4Q8dzXGL8+qEJjxgcza7W6PROaClubavd1
VKPm8+aCW77u7SxpR2TFGL6kPdxsKyFijpcunR5V79sUyROfNdzjrAcFWZXK8sbb
9FlnwuVG677JLv+ZVTX5AxLvW5OB4zt5uS+zB62wJ/Wv+jXGAttSAcJec4iFgCWH
Rvdi/jJoSzRLa3nEzx6pFIzclSCnh0u1xCeLcUBypSiPga8W+6PkuoyQq8U9qs9E
oxG5NvrvlyshwUS9yvcZRGw7Ljlx4jJH/BhIPR8kIBCQj1vna9TziZOrw1Of8hDU
bHKFG9Pm8Dp2vbjz/2JH39qvxshPKVllGfq+5klPm7yZRUYTiCMAbqwNdL/nsqF2
Rnnyp58XRStJ
-----END CERTIFICATE-----
EOL
cat >> /etc/ssl/private/server.key<<EOL
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJjz97Q0FEsQma
czaP20p1sfVu8PMSR7exP/fD0AdaVg+3bOPxFpzWnHtCz/8nONemlmG3792ENwhg
IRUlRKq5zxSjHQva33AZjJxkROTwPZWa1R+1sb6IneRIY3Nvp/o6Vwi+Ydv+xXph
3JVK/AGL+M0+5NbDJr0WySZb+c9tjp9e8QviPq5cPcKQ2vxUcXgcgRrQkEI/vZWq
ThgkTOdkovds6bZ/EB7VBIoRM8VYRXJjwjVUDpBgLV8SacLHi7RfEqvWlrd9nPCt
1BYQrPYc5aI3vt93+81SdfjsNeUcNI8JOp09huqzYUe6YxL0MEULnAzC5wbokg4C
53i9nd+fAgMBAAECggEAF7LFgn8mWea829GHDUP5zbvGQSyIT9Jp2SfNwFKhwq/S
ujzN0idX+m28ml7tP5XR2S7eP2uu7mAwFmldXJvlvOIJqaH9JldWDVL4gluNVWfQ
QrujNlA3OEXkNNSommy0IY7hIs1LuflLCd2PGhlmLyhqLWZnj9tqqRaucWr+RgGk
47453Cw0eoklhujPSw3dQnV5tQp6ATzOxmCTp7o7rgU6JXC3FUFSqbgCtPMO0kj7
p7cAtM5hAFhViNRospmUiYhv0pilvlaIRKs1mc0O76ppnX1fLQqUSYBRylhAjeVN
C1RENbRwe+jnQ6zfpv6OBuqIDpsvZW25TqN3ke1/hQKBgQDvI8HSxX3JUcOWAjqo
19XC4TEtWpGtaMHTCm897HmZdb6vRrJBMNPR66oT9zOAmkneql1YGT9IbBcPG2uQ
AhWBu4Epid7hBjyLfD0Xy83iCfkc8tGcVTcKau7oF+qoOa0nkP7FJaxx5C+XKUcv
HWiMezIgukJ+IOEUO68FteUb/QKBgQDXxTSm0W9LPlnQD/gLdrj3jPuzor1hND8n
GfQUsnSOMdbWa9tQOs2e41FPlK9UB6lJHYXfthB0VPzRVG9BX1/vDz69FjM7v0dT
Ml8NpqQ3SGsCBmKItSyKBh9ZstH+Z3FDVdZt9pNaDMKWDWAE//yHOpjEcacTZjpD
EqCt/OfGywKBgBWKI/gnH7hVbAeD9eKlZjSicfqC0OJMsEChDPoH5cAD0gQZmw6y
JjIfRvd7aaEoxISQ1c2MoJ2WVtFeh+a1uVgxGmYya+fa1vM9YodVLRsyCMUpveWV
61o93Xz8Qn+ailUpAzmgthKgGgVEi4vb20HkCtTV0g1oSr22zoH2K0fFAoGBANJW
hQgl3Bd+lbD1EDmkp5Vy0x9/gpvSgcnNTBotCOBhB2yJQgdI+49rS6WHbQ8+VLFY
3VuCsTGmc7pgVABnSC7ULrXHgXQ59/7LeMvm6eiWaPJVZRKdguieJUucvYcCMfCR
KfKST3yWOc5rBXJ6VSNCZRADNvr7Scp+yzIw+4TXAoGAA9/CSnYr1/ifU1NjDOQ3
hDQRnrMAG/JH8/UBdwsyt+hRhlInxAl6gA85IAyGtUF0WKCsNuyCHUH7zlkAUrhL
1d756qZ7URF4GbvGAQctzst6RbgUBAJTocm4AZg6+GLh8FzAt1ynJkZ7a4TtEy4u
/t5OaZy7FsC5O6LpMGFK318=
-----END PRIVATE KEY-----
EOL
cat >> /etc/nginx/sites-available/cdn.urmic.org<<EOL
server {
listen 80;
listen [::]:80;
server_name cdn.urmic.org;
# Redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name cdn.urmic.org;
# SSL settings (use certbot or your provider)
ssl_certificate /etc/letsencrypt/live/cdn.urmic.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cdn.urmic.org/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
root /var/www/cdn.urmic.org;
index index.php index.html index.htm;
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) {
ssl_certificate /etc/ssl/private/bundle.crt;
ssl_certificate_key /etc/ssl/private/server.key;
# SSL settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
# Limit Request Methods
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 444;
}
# Root CDN content
root /var/www/cdn.urmic.org;
index index.html;
# Apply rate limiting (defined in nginx.conf)
limit_req zone=cdnlimit burst=25 nodelay;
# Rate Limiting (Anti-DDoS)
limit_req zone=req_limit_per_ip burst=10 nodelay;
# Connection limiting
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_conn conn_limit_per_ip 10;
# Basic Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Content-Security-Policy "default-src 'self' cdn.urmic.org;";
# Protect against large request bodies
client_max_body_size 5M;
# Logging
access_log /var/log/nginx/cdn.urmic.org.access.log;
error_log /var/log/nginx/cdn.urmic.org.error.log warn;
# Cache Control (for static CDN files)
location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|svg|eot|mp4|webm|ogg|avi)$ {
expires 30d;
access_log off;
add_header Cache-Control "public, no-transform";
# PHP-FPM handling
location / {
try_files $uri $uri/ /index.php?$args;
}
# General static file serving
location / {
try_files $uri $uri/ =404;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.2-fpm.sock; # Adjust PHP version if different
}
# Deny access to hidden files
location ~ /\. {
location ~ /\.(?!well-known).* {
deny all;
}
# Block common bots and scanners
if ($http_user_agent ~* (wget|curl|bot|scanner|spider|python|libwww-perl)) {
return 403;
}
access_log /var/log/nginx/cdn_access.log;
error_log /var/log/nginx/cdn_error.log;
}
EOL
ln -s /etc/nginx/sites-available/account.urmic.org /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/cdn.urmic.org /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/stream.urmic.org /etc/nginx/sites-enabled/