Merge pull request #33 from riegercloud/Nextcloud-TLSv1.3
Nextcloud ready for TLS v1.3
@@ -4,8 +4,8 @@ The initial script (install-nextcloud.sh) will install your self hosted Nextclou
|
||||
Fail2Ban (Nextcloud and SSH jails)
|
||||
MariaDB 10.3.9
|
||||
Nextcloud 14
|
||||
NGINX 1.15.3
|
||||
OpenSSL 1.1.0
|
||||
NGINX 1.15.4 TLSv.1.3
|
||||
OpenSSL 1.1.1
|
||||
PHP 7.2.10
|
||||
Redis-Server
|
||||
self signed or Let's Encrypt SSL using the second script
|
||||
|
||||
@@ -3,8 +3,9 @@
|
||||
# https://www.c-rieger.de
|
||||
# https://github.com/riegercloud
|
||||
# INSTALL-NEXTCLOUD.SH
|
||||
# Version 5.2 AMD64
|
||||
# September, 20th 2018
|
||||
# Version 6.0
|
||||
# OpenSSL 1.1.1, TLSv1.3
|
||||
# Octobre, 02nd 2018
|
||||
################################################
|
||||
# Ubuntu 18.04 LTS AMD64 - Nextcloud 14
|
||||
################################################
|
||||
@@ -65,8 +66,20 @@ update_and_clean
|
||||
apt install software-properties-common zip unzip screen curl git wget ffmpeg libfile-fcntllock-perl -y
|
||||
apt remove nginx nginx-common nginx-full -y --allow-change-held-packages
|
||||
update_and_clean
|
||||
###instal NGINX
|
||||
apt install nginx -y
|
||||
###instal NGINX using TLSv1.3, OpenSSL 1.1.1
|
||||
mkdir /usr/local/src/nginx && cd /usr/local/src/nginx/
|
||||
apt install dpkg-dev -y && apt source nginx
|
||||
cd /usr/local/src && apt install git -y
|
||||
git clone https://github.com/openssl/openssl.git
|
||||
cd openssl && git checkout OpenSSL_1_1_1-stable
|
||||
cp /usr/local/src/install-nextcloud/rules.nginx /usr/local/src/nginx/nginx-1.15.4/debian/rules
|
||||
sed -i "s/.*-Werror.*/# &/" /usr/local/src/nginx/nginx-1.15.4/auto/cc/gcc
|
||||
cd /usr/local/src/nginx/nginx-1.15.4/
|
||||
apt build-dep nginx -y && dpkg-buildpackage -b
|
||||
cd /usr/local/src/nginx/
|
||||
dpkg -i nginx_1.15.4-1~bionic_amd64.deb
|
||||
service nginx restart && apt-mark hold nginx
|
||||
# apt install nginx -y
|
||||
###enable NGINX autostart
|
||||
systemctl enable nginx.service
|
||||
### prepare the NGINX
|
||||
@@ -425,12 +438,12 @@ ssl_trusted_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_tickets off;
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
|
||||
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
|
||||
ssl_prefer_server_ciphers on;
|
||||
#ssl_stapling on;
|
||||
#ssl_stapling_verify on;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
EOF
|
||||
touch /etc/nginx/proxy.conf
|
||||
cat <<EOF >/etc/nginx/proxy.conf
|
||||
|
||||
137
rules.nginx
Normal file
137
rules.nginx
Normal file
@@ -0,0 +1,137 @@
|
||||
#!/usr/bin/make -f
|
||||
|
||||
#export DH_VERBOSE=1
|
||||
export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
|
||||
export DEB_CFLAGS_MAINT_APPEND=-Wp,-D_FORTIFY_SOURCE=2 -fPIC
|
||||
export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -pie
|
||||
DPKG_EXPORT_BUILDFLAGS = 1
|
||||
include /usr/share/dpkg/buildflags.mk
|
||||
|
||||
PKGS = nginx nginx-dbg
|
||||
|
||||
BUILDDIR_nginx = $(CURDIR)/debian/build-nginx
|
||||
BUILDDIR_nginx_debug = $(CURDIR)/debian/build-nginx-debug
|
||||
INSTALLDIR = $(CURDIR)/debian/nginx
|
||||
BASEDIR = $(CURDIR)
|
||||
|
||||
ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
|
||||
NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
|
||||
ifeq (${NUMJOBS}, 0)
|
||||
NUMJOBS = 1
|
||||
endif
|
||||
else
|
||||
NUMJOBS = 1
|
||||
endif
|
||||
|
||||
DO_PKGS = $(PKGS)
|
||||
|
||||
config.env.%:
|
||||
dh_testdir
|
||||
mkdir -p $(BUILDDIR_$*)
|
||||
cp -Pa $(CURDIR)/auto $(BUILDDIR_$*)/
|
||||
cp -Pa $(CURDIR)/conf $(BUILDDIR_$*)/
|
||||
cp -Pa $(CURDIR)/configure $(BUILDDIR_$*)/
|
||||
cp -Pa $(CURDIR)/contrib $(BUILDDIR_$*)/
|
||||
cp -Pa $(CURDIR)/man $(BUILDDIR_$*)/
|
||||
cp -Pa $(CURDIR)/src $(BUILDDIR_$*)/
|
||||
touch $@
|
||||
|
||||
config.status.nginx: config.env.nginx
|
||||
cd $(BUILDDIR_nginx) && \
|
||||
CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" --with-openssl=/usr/local/src/openssl
|
||||
touch $@
|
||||
|
||||
config.status.nginx_debug: config.env.nginx_debug
|
||||
cd $(BUILDDIR_nginx_debug) && \
|
||||
CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" --with-openssl=/usr/local/src/openssl --with-debug
|
||||
touch $@
|
||||
|
||||
build-arch.%: config.status.%
|
||||
dh_testdir
|
||||
dh_prep
|
||||
$(MAKE) -j$(NUMJOBS) -C $(BUILDDIR_$*) build
|
||||
|
||||
build-arch: build-arch.nginx build-arch.nginx_debug
|
||||
dh_testdir
|
||||
touch $@
|
||||
|
||||
build-dbg.%: install
|
||||
dh_testdir
|
||||
dh_strip --dbg-package=nginx-dbg
|
||||
|
||||
build-dbg: build-dbg.nginx
|
||||
dh_testdir
|
||||
touch $@
|
||||
|
||||
build-indep:
|
||||
dh_testdir
|
||||
touch $@
|
||||
|
||||
build: build-arch build-indep
|
||||
dh_testdir
|
||||
touch $@
|
||||
|
||||
clean:
|
||||
dh_testdir
|
||||
dh_testroot
|
||||
dh_clean
|
||||
rm -f $(CURDIR)/objs
|
||||
rm -rf $(CURDIR)/debian/build-*
|
||||
rm -f $(CURDIR)/debian/*.init
|
||||
find $(CURDIR) -maxdepth 1 -size 0 -delete
|
||||
|
||||
post-build:
|
||||
mv $(BUILDDIR_nginx_debug)/objs/nginx $(BUILDDIR_nginx_debug)/objs/nginx-debug
|
||||
ln -s $(BUILDDIR_nginx)/objs $(CURDIR)/objs
|
||||
cp $(BUILDDIR_nginx)/objs/nginx.8 $(BUILDDIR_nginx)/objs/nginx-debug.8
|
||||
|
||||
install:
|
||||
dh_testdir
|
||||
dh_testroot
|
||||
dh_prep
|
||||
dh_installdirs
|
||||
dh_install
|
||||
mkdir -p $(INSTALLDIR)/usr/lib/nginx/modules
|
||||
mkdir -p $(INSTALLDIR)/usr/share/doc/nginx
|
||||
install -m 644 debian/CHANGES $(INSTALLDIR)/usr/share/doc/nginx/changelog
|
||||
install -m 644 debian/nginx.vh.default.conf $(INSTALLDIR)/etc/nginx/conf.d/default.conf
|
||||
ln -s /usr/lib/nginx/modules $(INSTALLDIR)/etc/nginx/modules
|
||||
|
||||
binary-indep: build post-build install
|
||||
dh_testdir
|
||||
dh_testroot
|
||||
dh_installman -i -pnginx
|
||||
dh_installdebconf
|
||||
sed -e 's/%%PROVIDES%%/nginx/g' \
|
||||
-e 's/%%DEFAULTSTART%%/2 3 4 5/g' \
|
||||
-e 's/%%DEFAULTSTOP%%/0 1 6/g' \
|
||||
< debian/nginx.init.in > debian/nginx.init
|
||||
dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --name=nginx
|
||||
dh_systemd_enable -pnginx --name=nginx nginx.service
|
||||
sed -e 's/%%PROVIDES%%/nginx-debug/g' \
|
||||
-e 's/%%DEFAULTSTART%%//g' \
|
||||
-e 's/%%DEFAULTSTOP%%/0 1 2 3 4 5 6/g' \
|
||||
< debian/nginx.init.in > debian/nginx-debug.init
|
||||
dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --noscripts --name=nginx-debug
|
||||
dh_systemd_enable -pnginx --name=nginx-debug --no-enable nginx-debug.service
|
||||
dh_installlogrotate -i -pnginx --name=nginx
|
||||
|
||||
binary-arch: install build-dbg
|
||||
dh_testdir
|
||||
dh_testroot
|
||||
dh_installchangelogs -a
|
||||
dh_installdocs -a
|
||||
dh_lintian -a
|
||||
dh_link -aA
|
||||
dh_compress -a
|
||||
dh_perl -a
|
||||
dh_fixperms -a
|
||||
dh_installdeb -a
|
||||
dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info
|
||||
dh_gencontrol -a
|
||||
dh_md5sums -a
|
||||
dh_builddeb $(foreach p,$(DO_PKGS),-p$(p))
|
||||
|
||||
binary: binary-indep binary-arch
|
||||
|
||||
.PHONY: build clean binary-indep binary-arch binary install
|
||||
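Review bot: `--with-openssl=/usr/local/src/openssl` in the two `config.status.*` recipes hard-codes a path outside the package source tree, so the build depends on whatever checkout happens to be there (the install script clones a branch, not a tag) and links it statically into the binary, where `dh_shlibdeps -a` in `binary-arch` records no libssl dependency and apt cannot track updates for it. A header comment such as `# Builds nginx against the OpenSSL checkout at /usr/local/src/openssl (statically linked); the resulting package receives no libssl updates from apt and must be rebuilt after OpenSSL fixes.` would make that trade-off visible to whoever maintains the host. Consider also making the path a single variable, `OPENSSL_SRC ?= /usr/local/src/openssl`, used in both configure lines so the two recipes cannot drift. `post-build` has no `touch $@` and is absent from `.PHONY`, so a stray file named `post-build` in the tree would silently skip it; add it to the `.PHONY` line.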