allow per-site custom nginx config, improving permissions
This commit is contained in:
parent
6f61c2e48a
commit
ccaeb8335e
4 changed files with 29 additions and 3 deletions
11
add-site.sh
11
add-site.sh
|
@ -36,7 +36,7 @@ hostname=$(hostname -f)
|
|||
|
||||
# Set up directory structure
|
||||
main_web_root="/var/www/$domain"
|
||||
sudo mkdir -p "$main_web_root"/{_main/www,subdomains,logs}
|
||||
sudo mkdir -p "$main_web_root"/{_main/www,subdomains,logs,nginx}
|
||||
|
||||
# Create the user with the web root as home directory and add to www-data and websftpusers groups
|
||||
sudo useradd -m -d /var/www/$domain -s /bin/false -U -G www-data,websftpusers $username
|
||||
|
@ -50,11 +50,16 @@ sudo find "$main_web_root" -type f -exec chmod 640 {} +
|
|||
# Set ownership and permissions for the main web root
|
||||
# SFTP chroot requires the user's home directory to be owned by root and not writable by others
|
||||
sudo chown "root:www-data" "$main_web_root"
|
||||
sudo chmod 755 "$main_web_root"
|
||||
sudo chmod 750 "$main_web_root"
|
||||
|
||||
# Set ownership and permissions for the logs directory
|
||||
sudo chown root:www-data "$main_web_root/logs"
|
||||
sudo chmod 755 "$main_web_root/logs"
|
||||
sudo chmod 750 "$main_web_root/logs"
|
||||
|
||||
# Set ownership and permissions for the nginx directory
|
||||
sudo chown root:www-data "$main_web_root/nginx"
|
||||
sudo chmod 750 "$main_web_root/nginx"
|
||||
sudo chmod 640 "$main_web_root/nginx/*"
|
||||
|
||||
# Create MySQL user and grant permissions
|
||||
sudo mysql <<EOF
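Review bot: `sudo chmod 640 "$main_web_root/nginx/*"` keeps the `*` inside the double quotes, so chmod receives a literal asterisk and fails with "No such file or directory" on the directory that the earlier `mkdir -p` just created; if add-site.sh runs under `set -e` (its header is outside the hunk) that aborts the script before the MySQL user is created. Since the directory is brand new and empty there is nothing to chmod yet, so the line can simply be dropped, and files placed there later by root need their own `chmod 640`; if a glob is wanted it must be unquoted, `sudo chmod 640 "$main_web_root"/nginx/*.conf`, and only where a match is guaranteed. The 755 to 750 changes on the web root and logs directory are consistent with the root:www-data ownership set just above them and still let the www-data group traverse, which is what the nginx include depends on.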
|
||||
|
|
|
@ -16,6 +16,9 @@ apt install nginx ufw ntp fail2ban -y
|
|||
# Install PHP and necessary modules
|
||||
apt install php-fpm php-curl php-gd php-mbstring php-xml php-zip php-pdo php-mysql php-sqlite3 -y
|
||||
|
||||
# Add ubuntu user to www-data group
|
||||
usermod -a -G www-data ubuntu
|
||||
|
||||
# Set timezone
|
||||
timedatectl set-timezone UTC
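Review bot: `usermod -a -G www-data ubuntu` hard-codes the `ubuntu` account and runs unconditionally, so on an image without that user the command fails, and on one with it the admin account gains group read on everything add-site.sh makes root:www-data 750/640, including every site's nginx directory. If the intent is only to let the operator inspect site files, make the account a parameter and guard the call, e.g. `admin_user=${ADMIN_USER:-ubuntu}` followed by `id "$admin_user" >/dev/null 2>&1 && usermod -aG www-data "$admin_user"`, and say in the comment that www-data membership grants read access to all per-site content. The enclosing script starts before this hunk, so whether it runs under `set -e` cannot be seen here.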
|
||||
|
||||
|
|
|
@ -55,6 +55,9 @@ server {
|
|||
index index.html index.htm index.php;
|
||||
client_max_body_size 20M;
|
||||
|
||||
# Include site-specific configurations
|
||||
include /var/www/$DOMAIN/nginx/*.conf;
|
||||
|
||||
# Block .ht* files
|
||||
location ~ /\.ht {
|
||||
deny all;
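Review bot: `include /var/www/$DOMAIN/nginx/*.conf;` pulls files from a directory inside the site's web root into server context, so anything placed there has the full power of the vhost configuration (location, root/alias, proxy_pass), and the template gives no hint of the trust assumption that add-site.sh enforces with root:www-data 750. Suggest expanding the comment to `# Include site-specific configurations. Files here are trusted server-context config: the directory must stay root-owned and must not be writable by the site user.` Whether `$DOMAIN` is substituted before nginx reads this file depends on the generating script, which is outside this hunk.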
|
||||
|
|
|
@ -31,6 +31,20 @@ if [ ! -d "/etc/letsencrypt/live/$domain" ]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
# Create nginx config directory in web root
|
||||
NGINX_CONF_DIR="/var/www/$domain/nginx"
|
||||
if [ ! -d "$NGINX_CONF_DIR" ]; then
|
||||
echo "Creating nginx configuration directory..."
|
||||
mkdir -p "$NGINX_CONF_DIR"
|
||||
chown root:www-data "$NGINX_CONF_DIR"
|
||||
chmod 750 "$NGINX_CONF_DIR"
|
||||
# Only try to chmod files if they exist
|
||||
if [ "$(ls -A $NGINX_CONF_DIR)" ]; then
|
||||
chmod 640 "$NGINX_CONF_DIR"/*
|
||||
fi
|
||||
echo "Created $NGINX_CONF_DIR with secure permissions"
|
||||
fi
|
||||
|
||||
# Backup existing configuration
|
||||
backup_file="/etc/nginx/sites-available/${domain}.backup-$(date +%Y%m%d-%H%M%S)"
|
||||
cp "/etc/nginx/sites-available/$domain" "$backup_file"
|
||||
|
@ -57,3 +71,4 @@ systemctl reload nginx
|
|||
|
||||
echo "Configuration update complete for $domain"
|
||||
echo "Previous configuration backed up to: $backup_file"
|
||||
echo "Site-specific nginx configurations can be added in: $NGINX_CONF_DIR"
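Review bot: In the first hunk of this file the `if [ "$(ls -A $NGINX_CONF_DIR)" ]` check and the `chmod 640 "$NGINX_CONF_DIR"/*` under it are dead code: they sit inside the `if [ ! -d "$NGINX_CONF_DIR" ]` branch immediately after `mkdir -p` created the directory, so it is always empty at that point (and the test parses `ls` output through an unquoted variable). The same structure means an existing directory with wrong ownership or mode is never corrected, although the commit's stated aim is improving permissions; `mkdir -p`, `chown` and `chmod` are all idempotent, so running them unconditionally is simpler and also repairs existing sites. The enclosing update script starts before this hunk, so whether it runs as root (there is no `sudo` here, unlike add-site.sh) cannot be confirmed from the diff.
```shell
# Ensure the per-site nginx config directory exists with restrictive permissions.
# Idempotent: also corrects ownership/mode on directories created earlier.
NGINX_CONF_DIR="/var/www/$domain/nginx"
mkdir -p "$NGINX_CONF_DIR"
chown root:www-data "$NGINX_CONF_DIR"
chmod 750 "$NGINX_CONF_DIR"
# … unchanged: backup of existing configuration …
```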
|
||||
|
|