@oanhnn
Last active November 21, 2020 23:11
[Ubuntu 16.04] Setup server using NGINX proxy multi site with SSL (Certbot)
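#!/usr/bin/env bash
#
# Remove an NGINX virtual host and the Let's Encrypt certificate that backs it.
#
# Usage: <script> [DOMAIN] [APP_SLUG]
#   DOMAIN    certificate name passed to `certbot delete` (default: example.local)
#   APP_SLUG  slug used in the vhost file names            (default: example)
#
# The script touches /etc/nginx and the certbot store, so it is expected to
# run as root.
set -euo pipefail

DOMAIN=${1:-example.local}
APP_SLUG=${2:-example}

die() {
  printf '[✘] %s\n' "$*" >&2
  exit 1
}

# Both arguments are interpolated into paths that are deleted as root.
# Reject anything that could contain a path separator, whitespace or a glob
# so a bad argument can never widen what gets removed.
readonly DOMAIN_RE='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
readonly SLUG_RE='^[A-Za-z0-9_-]+$'
[[ "$DOMAIN" =~ $DOMAIN_RE ]] || die "invalid domain: ${DOMAIN}"
[[ "$APP_SLUG" =~ $SLUG_RE ]] || die "invalid app slug: ${APP_SLUG}"

service nginx stop
# Whatever happens below, do not leave the web server down.
trap 'service nginx start' EXIT

# Plain files/symlinks only: -f is enough, -r is not needed.
rm -f -- \
  "/etc/nginx/sites-available/10-${APP_SLUG}.conf" \
  "/etc/nginx/sites-enabled/10-${APP_SLUG}"
echo "[✔] Remove Virtual Host for ${DOMAIN}"

certbot delete --cert-name "${DOMAIN}"
echo "[✔] Remove SSL certificate for ${DOMAIN}"

# Start explicitly so a failure is reported, then drop the safety net.
trap - EXIT
service nginx start
echo "[✔] Reload NGINX service"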
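#!/usr/bin/env bash
#
# Provision an Ubuntu 16.04 host as an NGINX reverse proxy with Certbot:
# installs the packages, schedules certificate renewal, generates DH
# parameters, replaces the default site with a catch-all and enables ufw.
#
# Takes no arguments. Must be run as root.
set -euo pipefail

die() {
  printf '[✘] %s\n' "$*" >&2
  exit 1
}

(( EUID == 0 )) || die "this script must be run as root"

apt-get update -y
apt-get upgrade -y
apt-get install -y software-properties-common
# NOTE(review): this adds a third-party PPA whose packages are installed and
# run as root; confirm it is still the source you want to trust on this host.
apt-add-repository -y ppa:certbot/certbot
apt-get update -y

# Install Certbot
apt-get install -y certbot
echo "[✔] Install Certbot"

apt-get install -y nginx
systemctl enable nginx
service nginx restart
echo "[✔] Install NGINX"

# Setup auto renew.
# The crontab is staged in a mktemp file: a fixed name under /tmp can be
# pre-created (or symlinked) by any local user before root writes to it.
cron_tmp=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$cron_tmp"' EXIT
# `crontab -l` exits non-zero when root has no crontab yet; start from empty.
crontab -u root -l > "$cron_tmp" 2>/dev/null || : > "$cron_tmp"
# Only append once, so re-running the script does not stack duplicate jobs.
if ! grep -qF -- '/usr/bin/certbot renew' "$cron_tmp"; then
  # Two crontab pitfalls are handled in this entry:
  #  - cron turns an unescaped '%' into a newline, so it is written as '\%';
  #  - cron runs commands with /bin/sh, which has no $RANDOM on Ubuntu, so
  #    the random delay (1-60 minutes) is computed by an explicit bash.
  cat >> "$cron_tmp" <<'CRON'
02 20 * * 03 /bin/bash -c 'sleep $(( (RANDOM \% 60) + 1 ))m'; /usr/bin/certbot renew --pre-hook "/usr/sbin/service nginx stop" --post-hook "/usr/sbin/service nginx start" --quiet --no-self-upgrade
CRON
fi
crontab -u root - < "$cron_tmp"
echo "[✔] Setup auto renew SSL"

# Change NGINX user
sed -i "s|^user .*|user www-data;|i" /etc/nginx/nginx.conf
echo "[✔] Change NGINX user"

# Generate dhparam file (slow; keep an existing non-empty file on re-runs).
if [[ ! -s /etc/nginx/dhparams.pem ]]; then
  openssl dhparam -out /etc/nginx/dhparams.pem 2048
fi
echo "[✔] Generate dhparam file"

# Disable the default NGINX site (tolerate it being gone already).
rm -f -- /etc/nginx/sites-enabled/default
if [[ -e /etc/nginx/sites-available/default ]]; then
  mv -- /etc/nginx/sites-available/default /etc/nginx/sites-available/99-default-bakup
fi
echo "[✔] Disable the default NGINX site"

# Configure upstreams and http upgrade.
# Quoted delimiter: the nginx variables are written literally.
cat > /etc/nginx/conf.d/http_upgrade.conf <<'EOF'
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
EOF
echo "[✔] Configure upsteams and http upgrade"

# Install a catch-all server.
# Without `default_server` nginx uses the first server block it loads for a
# listen socket as the default, and a file named 99-* is loaded last, so
# requests for unknown Host values would reach a real site instead of this 404.
cat > /etc/nginx/sites-available/99-catch-all <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 404;
}
EOF
ln -sfn /etc/nginx/sites-available/99-catch-all /etc/nginx/sites-enabled/99-catch-all
echo "[✔] Config a catch all server"

# Validate the configuration, then reload; set -e stops here on a bad config.
nginx -t
service nginx reload
echo "[✔] Reload NGINX service"

# Setup firewall.
# The allow rules are added before the firewall is enabled so the SSH session
# running this script is not cut off. Only TCP is opened: a bare port number
# would open UDP as well, which none of these services use.
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
# `ufw enable` has no -y switch; --force is the non-interactive form.
ufw --force enable
systemctl enable ufw
systemctl restart ufw
echo "[✔] Setting up firewall"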
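#!/usr/bin/env bash
#
# Issue a Let's Encrypt certificate for a domain and publish an NGINX
# reverse-proxy virtual host for it.
#
# Usage: <script> [DOMAIN] [APP_SLUG] [APP_PORT] [DBA_PORT]
#   DOMAIN    primary domain; admin./manage./db. subdomains are served too
#             (default: example.local)
#   APP_SLUG  slug used in file and upstream names (default: example)
#   APP_PORT  local port behind DOMAIN, admin.DOMAIN, manage.DOMAIN (default: 3000)
#   DBA_PORT  local port behind db.DOMAIN (default: 3001)
#
# Expected to run as root. NGINX is stopped while certbot's standalone
# server holds port 80 and is started again on every exit path.
set -euo pipefail

DOMAIN=${1:-example.local}
APP_SLUG=${2:-example}
APP_PORT=${3:-3000}
DBA_PORT=${4:-3001}

die() {
  printf '[✘] %s\n' "$*" >&2
  exit 1
}

# Every argument is interpolated into file paths and into nginx configuration
# that is written as root. Strict validation keeps a stray character from
# turning into a path outside /etc/nginx or an extra nginx directive.
readonly DOMAIN_RE='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
readonly SLUG_RE='^[A-Za-z0-9_-]+$'
readonly PORT_RE='^[0-9]{1,5}$'
[[ "$DOMAIN" =~ $DOMAIN_RE ]] || die "invalid domain: ${DOMAIN}"
[[ "$APP_SLUG" =~ $SLUG_RE ]] || die "invalid app slug: ${APP_SLUG}"
for port in "$APP_PORT" "$DBA_PORT"; do
  # 10# forces base 10 so a leading zero is not read as octal.
  if [[ ! "$port" =~ $PORT_RE ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
    die "invalid port: ${port}"
  fi
done

readonly VHOST_FILE="/etc/nginx/sites-available/10-${APP_SLUG}.conf"
readonly VHOST_LINK="/etc/nginx/sites-enabled/10-${APP_SLUG}"

# TLS policy shared by both HTTPS server blocks. TLS 1.0/1.1 and the
# 3DES / CBC-SHA1 / static-RSA suites are left out; only AEAD suites with
# forward secrecy remain. Suites the local OpenSSL does not know are ignored.
readonly TLS_PROTOCOLS='TLSv1.2'
readonly TLS_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

# Use the dedicated DH parameters for the DHE suites when the file exists;
# skip the directive otherwise so `nginx -t` does not fail on a missing file.
dhparam_directive=''
if [[ -s /etc/nginx/dhparams.pem ]]; then
  dhparam_directive='ssl_dhparam /etc/nginx/dhparams.pem;'
fi

# Stop NGINX so certbot's standalone server can bind port 80.
service nginx stop
# From here on, any exit (including a certbot failure) restarts NGINX.
trap 'service nginx start' EXIT
echo "[✔] Stoped NGINX service"

# Make SSL certificate.
# The certificate has to cover every name the HTTPS server blocks answer for,
# otherwise manage.* and db.* are served with a certificate that does not
# match. All four names therefore need DNS records pointing at this host.
# --cert-name pins the lineage to /etc/letsencrypt/live/${DOMAIN}, the path
# the configuration below refers to.
certbot certonly --standalone --preferred-challenges http \
  --cert-name "$DOMAIN" \
  -d "$DOMAIN" -d "admin.$DOMAIN" -d "manage.$DOMAIN" -d "db.$DOMAIN"
echo "[✔] Make SSL certificate for ${DOMAIN}"

# Write the reverse-proxy virtual host.
# NOTE(review): the db.* server block publishes DBA_PORT to the internet and
# nothing in this file restricts who may reach it; confirm the upstream
# enforces authentication or add allow/deny rules for that server block.
# NOTE(review): access_log is off in every server block, which leaves no
# request trail for incident response; confirm that is intended.
cat > "$VHOST_FILE" << EOF
upstream ${APP_SLUG}_site {
    server 127.0.0.1:${APP_PORT};
}
upstream ${APP_SLUG}_data {
    server 127.0.0.1:${DBA_PORT};
}
server {
    listen 80;
    listen [::]:80;
    server_name ${DOMAIN} admin.${DOMAIN} manage.${DOMAIN} db.${DOMAIN};
    server_tokens off;
    access_log off;
    location / {
        return 301 https://\$server_name\$request_uri;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${DOMAIN} admin.${DOMAIN} manage.${DOMAIN};
    server_tokens off;
    access_log off;
    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
    ssl_protocols ${TLS_PROTOCOLS};
    ssl_prefer_server_ciphers on;
    ssl_ciphers ${TLS_CIPHERS};
    ${dhparam_directive}
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 30m;
    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Real-Ip \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass http://${APP_SLUG}_site/;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name db.${DOMAIN};
    server_tokens off;
    access_log off;
    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
    ssl_protocols ${TLS_PROTOCOLS};
    ssl_prefer_server_ciphers on;
    ssl_ciphers ${TLS_CIPHERS};
    ${dhparam_directive}
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 30m;
    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Real-Ip \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass http://${APP_SLUG}_data/;
    }
}
EOF
# -f/-n: replace an existing link instead of failing when the script is re-run.
ln -sfn "$VHOST_FILE" "$VHOST_LINK"
echo "[✔] Config Virtual Host for ${DOMAIN}"

# Validate before bringing NGINX back. If the new vhost is rejected, disable
# it again so the EXIT trap can start NGINX with the previous configuration.
if ! nginx -t; then
  rm -f -- "$VHOST_LINK"
  die "nginx rejected the new configuration; ${VHOST_LINK} was disabled"
fi

# NGINX was stopped above, so it has to be started; a reload of a stopped
# service would leave the sites down.
trap - EXIT
service nginx start
echo "[✔] Reload NGINX service"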