From 8c976051ab0b9e545a88e857b4301f19faa14b5f Mon Sep 17 00:00:00 2001
From: anorien90
Date: Wed, 3 Dec 2025 17:09:07 +0000
Subject: [PATCH] added add_location.sh
---
 bin/add_server.sh | 14 ++++++++
 bin/add_user.sh | 0
 config/nginx/template/http_location.conf | 17 +++++++++
 config/nginx/template/https_location.conf | 44 +++++++++++++++++++++++
 data/auth/.htpasswd | 1 +
 docker-compose.yml | 23 +++++-------
 setup.sh | 16 +++++++++
 7 files changed, 101 insertions(+), 14 deletions(-)
 create mode 100755 bin/add_server.sh
 create mode 100755 bin/add_user.sh
 create mode 100644 config/nginx/template/http_location.conf
 create mode 100644 config/nginx/template/https_location.conf
 create mode 100644 data/auth/.htpasswd
 mode change 100644 => 100755 setup.sh
diff --git a/bin/add_server.sh b/bin/add_server.sh
new file mode 100755
index 0000000..1ab42b8
--- /dev/null
+++ b/bin/add_server.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+read -p "Enter server name: " SERVER_NAME
+
+mkdir .tmp
+cp ./config/nginx/template/http_location.conf .tmp/"$SERVER_NAME.conf"
+
+# Replace placeholder SERVER_NAME in the copied file
+sed -i "s/SERVER_NAME/$SERVER_NAME/g" .tmp/"$SERVER_NAME.conf"
+mv .tmp/"$SERVER_NAME.conf" ./config/nginx/conf.d/
+
+docker exec -it nginx-main nginx -s reload
+docker exec -it certbot certbot certaonly --nginx -d "$SERVER_NAME" -d "www.$SERVER_NAME"
+
diff --git a/bin/add_user.sh b/bin/add_user.sh
new file mode 100755
index 0000000..e69de29
diff --git a/config/nginx/template/http_location.conf b/config/nginx/template/http_location.conf
new file mode 100644
index 0000000..6b022f2
--- /dev/null
+++ b/config/nginx/template/http_location.conf
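Review bot: The certbot call on the last command line is misspelled, `certbot certaonly`, so the script reloads nginx and then fails to request a certificate; it must be `certonly`. SERVER_NAME is read unvalidated and then spliced into a sed expression, into a file name written under ./config/nginx/conf.d/, and into certbot arguments, so a value containing `/`, `..` or whitespace either breaks the sed command or lands a file outside conf.d; restrict it to a hostname before use and run under `set -euo pipefail` so a failing `mkdir .tmp` (it errors when the directory already exists) or `cp` does not fall through to the reload. The certbot service in docker-compose.yml mounts only a webroot at /var/www/certbot rather than nginx itself, so the `--nginx` authenticator presumably cannot work from that container; `--webroot -w /var/www/certbot` looks like the intended option and is worth confirming. Note also that the script copies http_location.conf, which has no 443 server block, while the https_location.conf template added in this patch is never used.
```bash
#!/bin/bash
set -euo pipefail

read -r -p "Enter server name: " SERVER_NAME
# Accept only a plain hostname: the value is spliced into a sed expression,
# a file name under conf.d/ and certbot's -d arguments.
if ! [[ "$SERVER_NAME" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
    echo "invalid server name: $SERVER_NAME" >&2
    exit 1
fi

mkdir -p .tmp
# … unchanged: cp, sed, mv into ./config/nginx/conf.d/ …
docker exec -it nginx-main nginx -s reload
# webroot matches the certbot service's /var/www/certbot mount in docker-compose.yml — confirm
docker exec -it certbot certbot certonly --webroot -w /var/www/certbot -d "$SERVER_NAME" -d "www.$SERVER_NAME"
```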
@@ -0,0 +1,17 @@
+server {
+ # Listen on port 80 for standard HTTP traffic
+ listen 80;
+
+ # Specify the domain name this block should respond to
+ server_name SERVER_NAME;
+
+ location .well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ # Redirect all HTTP requests to HTTPS
+ return 301 https://$host$request_uri;
+ }
+
+}
diff --git a/config/nginx/template/https_location.conf b/config/nginx/template/https_location.conf
new file mode 100644
index 0000000..09be69f
--- /dev/null
+++ b/config/nginx/template/https_location.conf
@@ -0,0 +1,44 @@
+server {
+ # Listen on port 80 for standard HTTP traffic
+ listen 80;
+
+ # Specify the domain name this block should respond to
+ server_name SERVER_NAME;
+
+ location .well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ # Redirect all HTTP requests to HTTPS
+ return 301 https://$host$request_uri;
+ }
+
+}
+
+server {
+ listen 443 ssl;
+ server_name SERVER_NAME;
+ ssl_certificate /etc/letsencrypt/live/SERVER_NAME/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/SERVER_NAME/privkey.pem;
+
+ root /var/www/html/SERVER_NAME;
+
+ index index.html index.htm;
+
+ location / {
+ auth_basic "Restricted Documentation Area";
+ auth_basic_user_file /etc/nginx/auth/AUTH_FILE;
+ try_files $uri $uri/ =404;
+ }
+
+ location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg)$ {
+ # Set cache duration to 30 days
+ expires 30d;
+ # Disable access logging for these files to reduce disk I/O
+ access_log off;
+ auth_basic "Restricted Documentation Area";
+ auth_basic_user_file /etc/nginx/auth/AUTH_FILE;
+ }
+
+}
diff --git a/data/auth/.htpasswd b/data/auth/.htpasswd
new file mode 100644
index 0000000..bb95241
--- /dev/null
+++ b/data/auth/.htpasswd
@@ -0,0 +1 @@
+admin:$apr1$5wUJG.eY$rMZE3iil418vpdvzPJyUZ0
diff --git a/docker-compose.yml b/docker-compose.yml
index dddbce5..4e7ffad 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
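Review bot: The ACME location prefix at `location .well-known/acme-challenge/ {` lacks its leading slash, so as a prefix location it can never match a request URI (which always starts with `/`), and challenge requests would presumably be caught by the `location /` redirect to HTTPS instead of being served from /var/www/certbot; it should read `location /.well-known/acme-challenge/ {`. The same line is repeated in the https_location.conf hunk. Since bin/add_server.sh copies this template and then calls certbot, the first issuance for a new host cannot succeed through this block until it is fixed.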
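Review bot: The `auth_basic_user_file /etc/nginx/auth/AUTH_FILE;` placeholder in both 443 locations is never substituted — bin/add_server.sh replaces only SERVER_NAME, and copies the http template anyway — so a rendered config would point at a file that does not exist under the /etc/nginx/auth mount and requests would presumably fail rather than prompt for credentials; either hard-code the file name docker-compose.yml mounts there or extend the sed substitution. The `listen 443 ssl;` block also sets no `ssl_protocols`, leaving nginx's default in force, and sends no HSTS header; consider `ssl_protocols TLSv1.2 TLSv1.3;` and `add_header Strict-Transport-Security "max-age=31536000" always;` next to the certificate lines. The port-80 server block at the top of this file shares the missing-slash ACME location defect raised on http_location.conf.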
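Review bot: This commits a live credential for `admin` into the repository: the hash uses the APR1 (MD5-based) scheme, which is cheap to attack offline once it leaks through git history, and setup.sh in this same patch already generates the file locally, so the checked-in copy is redundant. Remove the file from the tree, add `data/auth/.htpasswd` to .gitignore, and rotate the password, since the hash remains recoverable from history even after deletion. Generating the file with `htpasswd -B -c` would also replace APR1 with bcrypt.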
@@ -6,13 +6,12 @@ services:
 - "80:80"
 - "443:443"
 volumes:
- - ./data/nginx.conf/:/etc/nginx/nginx.conf:ro # Nginx should only read its config
- - ./data/.htpasswd:/etc/nginx/.htpasswd:ro
- - ./data/conf.d/:/etc/nginx/conf.d/:ro
- - ./data/certbot/www:/var/www/certbot/:ro
- - ./data/certbot/conf:/etc/letsencrypt/:ro
- - /prod/data/docs/:/var/www/html/docs.nxs.solutions/:ro
- - ./logs/:/var/log/nginx/:rw
+ - ./config/nginx/:/etc/nginx/:ro # Nginx should only read its config
+ - ./data/auth/:/etc/nginx/auth:ro
+ - ./data/certbot:/var/www/certbot/:ro
+ - ./config/certbot:/etc/letsencrypt/:ro
+ - ./data/www/html/:/var/www/html/:ro
+ - ./logs/nginx/:/var/log/nginx/:rw
 networks:
 - fast-services
 restart: always
@@ -24,9 +23,9 @@ services:
 entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $!; done;'"
 volumes:
 # Must be read-write for certbot to place challenge files
- - ./data/certbot/www:/var/www/certbot/:rw
+ - ./data/certbot/:/var/www/certbot/:rw
 # Must be read-write for certbot to store and renew certificates
- - ./data/certbot/conf:/etc/letsencrypt/:rw
+ - ./config/certbot/:/etc/letsencrypt/:rw
 # Only runs when explicitly called or for renewal cronjob
 restart: unless-stopped
 networks:
@@ -43,11 +42,7 @@ services:
 # Ensure it always restarts
 restart: always
 volumes:
- # 1. Mount the Nginx logs from the host (Read-Only)
- - ./logs:/var/log/nginx:ro
- # 2. Persist Fail2Ban's configuration and database
- - /var/log/auth.log:/var/log/auth.log:ro
- - /prod/gitea/logs/access.log:/var/log/gitea/access.log:ro
+ - ./logs/nginx:/var/log/nginx:ro
 - ./data/fail2ban:/data
 environment:
 # Optional: set timezone
diff --git a/setup.sh b/setup.sh
old mode 100644
new mode 100755
index e69de29..84885c6
--- a/setup.sh
+++ b/setup.sh
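Review bot: The new `- ./config/nginx/:/etc/nginx/:ro` line bind-mounts the host directory over the container's entire /etc/nginx, whereas the removed lines only overlaid nginx.conf, conf.d and .htpasswd; whatever the image ships there (presumably mime.types and a base nginx.conf) is now hidden, so those files must exist under ./config/nginx or nginx will not start, and the conf.d/ files that bin/add_server.sh writes are only picked up if that repo-supplied nginx.conf includes them. Either mount the individual pieces, `- ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro` and `- ./config/nginx/conf.d/:/etc/nginx/conf.d/:ro`, or document what ./config/nginx has to contain.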
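Review bot: The third hunk (`@@ -43,11 +42,7 @@`) drops the `/var/log/auth.log` and gitea access.log mounts from the fail2ban service without touching ./data/fail2ban, so any sshd or gitea jail still configured there now watches a log path that does not exist in the container; if that is intentional the corresponding jails should be disabled in the same change, and if not the two lines should stay. The surviving `- ./logs/nginx:/var/log/nginx:ro` does match the nginx service's new `./logs/nginx/` log path, so the nginx jails keep their source.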
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Create a basic authentication file for Nginx
+# 1. Check if htpasswd command is available
+
+if ! command -v htpasswd &> /dev/null
+then
+ echo "htpasswd could not be found, please install apache2-utils or httpd-tools."
+ sudo apt-get update && sudo apt-get install -y apache2-utils
+fi
+
+# 2. Create the password file with at least one user
+
+echo "Create an admin user for basic authentication."
+htpasswd -c ./data/auth/.htpasswd admin
+echo "Basic authentication file created at ./data/auth/.htpasswd"
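Review bot: `htpasswd -c ./data/auth/.htpasswd admin` uses htpasswd's default APR1-MD5 hash and silently overwrites any existing file, and nothing checks that ./data/auth exists or that the apt-get fallback actually installed htpasswd before that line runs. Add `set -euo pipefail` after the shebang, `mkdir -p ./data/auth` before the htpasswd call, and use `htpasswd -B -c ./data/auth/.htpasswd admin` so the stored hash is bcrypt; since this patch also commits data/auth/.htpasswd, the generated file should be ignored by git rather than tracked. The `&> /dev/null` redirection is bash-specific, which is fine under the `#!/bin/bash` shebang but breaks if the script is ever run with sh.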