Merge pull request #33 from riegercloud/Nextcloud-TLSv1.3

Nextcloud ready for TLS v1.3
This commit is contained in:
rieger::CLOUD
2018-10-02 09:00:48 +02:00
committed by GitHub
3 changed files with 160 additions and 10 deletions


@@ -4,8 +4,8 @@ The initial script (install-nextcloud.sh) will install your self hosted Nextclou
Fail2Ban (Nextcloud and SSH jails) Fail2Ban (Nextcloud and SSH jails)
MariaDB 10.3.9 MariaDB 10.3.9
Nextcloud 14 Nextcloud 14
NGINX 1.15.3 NGINX 1.15.4 TLSv.1.3
OpenSSL 1.1.0 OpenSSL 1.1.1
PHP 7.2.10 PHP 7.2.10
Redis-Server Redis-Server
self signed or Let's Encrypt SSL using the second script self signed or Let's Encrypt SSL using the second script


@@ -3,8 +3,9 @@
# https://www.c-rieger.de # https://www.c-rieger.de
# https://github.com/riegercloud # https://github.com/riegercloud
# INSTALL-NEXTCLOUD.SH # INSTALL-NEXTCLOUD.SH
# Version 5.2 AMD64 # Version 6.0
# September, 20th 2018 # OpenSSL 1.1.1, TLSv1.3
# Octobre, 02nd 2018
################################################ ################################################
# Ubuntu 18.04 LTS AMD64 - Nextcloud 14 # Ubuntu 18.04 LTS AMD64 - Nextcloud 14
################################################ ################################################
@@ -65,8 +66,20 @@ update_and_clean
apt install software-properties-common zip unzip screen curl git wget ffmpeg libfile-fcntllock-perl -y apt install software-properties-common zip unzip screen curl git wget ffmpeg libfile-fcntllock-perl -y
apt remove nginx nginx-common nginx-full -y --allow-change-held-packages apt remove nginx nginx-common nginx-full -y --allow-change-held-packages
update_and_clean update_and_clean
###instal NGINX ###instal NGINX using TLSv1.3, OpenSSL 1.1.1
apt install nginx -y mkdir /usr/local/src/nginx && cd /usr/local/src/nginx/
apt install dpkg-dev -y && apt source nginx
cd /usr/local/src && apt install git -y
git clone https://github.com/openssl/openssl.git
cd openssl && git checkout OpenSSL_1_1_1-stable
cp /usr/local/src/install-nextcloud/rules.nginx /usr/local/src/nginx/nginx-1.15.4/debian/rules
sed -i "s/.*-Werror.*/# &/" /usr/local/src/nginx/nginx-1.15.4/auto/cc/gcc
cd /usr/local/src/nginx/nginx-1.15.4/
apt build-dep nginx -y && dpkg-buildpackage -b
cd /usr/local/src/nginx/
dpkg -i nginx_1.15.4-1~bionic_amd64.deb
service nginx restart && apt-mark hold nginx
# apt install nginx -y
###enable NGINX autostart ###enable NGINX autostart
systemctl enable nginx.service systemctl enable nginx.service
### prepare the NGINX ### prepare the NGINX
@@ -425,12 +438,12 @@ ssl_trusted_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'; ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
ssl_ecdh_curve secp521r1:secp384r1:prime256v1; ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
#ssl_stapling on; ssl_stapling on;
#ssl_stapling_verify on; ssl_stapling_verify on;
EOF EOF
touch /etc/nginx/proxy.conf touch /etc/nginx/proxy.conf
cat <<EOF >/etc/nginx/proxy.conf cat <<EOF >/etc/nginx/proxy.conf
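Review bot: The nginx build in the `###instal NGINX` hunk links against whatever the moving `OpenSSL_1_1_1-stable` branch holds at run time (`git checkout OpenSSL_1_1_1-stable`, with no tag or commit pinned and no verification), and `service nginx restart && apt-mark hold nginx` then freezes the hand-built package, so this nginx and the OpenSSL compiled into it stop receiving distribution security updates; that trade-off should be stated in the script. Pin the checkout to a release tag, e.g. `git checkout OpenSSL_1_1_1`, and add a comment such as `# nginx is built from source and held: re-run this block to pick up nginx/OpenSSL security fixes`. The `mkdir /usr/local/src/nginx && cd /usr/local/src/nginx/` line also fails on a second run because the directory already exists, which `mkdir -p` avoids. Separately, in the `ssl_ciphers` hunk the added `TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384` entries are not OpenSSL cipher-list tokens (TLS 1.3 suites are not selected through `ssl_ciphers` in this nginx version) and the `*-AES256-GCM-SHA512` names do not exist, so those entries are silently ignored; a list of real names such as `ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384';` would state what is actually offered.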

137
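--- /dev/null
+++ b/rules.nginx
@@ -0,0 +1,137 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE=1
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
+export DEB_CFLAGS_MAINT_APPEND=-Wp,-D_FORTIFY_SOURCE=2 -fPIC
+export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -pie
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+PKGS = nginx nginx-dbg
+BUILDDIR_nginx = $(CURDIR)/debian/build-nginx
+BUILDDIR_nginx_debug = $(CURDIR)/debian/build-nginx-debug
+INSTALLDIR = $(CURDIR)/debian/nginx
+BASEDIR = $(CURDIR)
+ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ifeq (${NUMJOBS}, 0)
+NUMJOBS = 1
+endif
+else
+NUMJOBS = 1
+endif
+DO_PKGS = $(PKGS)
+config.env.%:
+dh_testdir
+mkdir -p $(BUILDDIR_$*)
+cp -Pa $(CURDIR)/auto $(BUILDDIR_$*)/
+cp -Pa $(CURDIR)/conf $(BUILDDIR_$*)/
+cp -Pa $(CURDIR)/configure $(BUILDDIR_$*)/
+cp -Pa $(CURDIR)/contrib $(BUILDDIR_$*)/
+cp -Pa $(CURDIR)/man $(BUILDDIR_$*)/
+cp -Pa $(CURDIR)/src $(BUILDDIR_$*)/
+touch $@
+config.status.nginx: config.env.nginx
+cd $(BUILDDIR_nginx) && \
+CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" --with-openssl=/usr/local/src/openssl
+touch $@
+config.status.nginx_debug: config.env.nginx_debug
+cd $(BUILDDIR_nginx_debug) && \
+CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" --with-openssl=/usr/local/src/openssl --with-debug
+touch $@
+build-arch.%: config.status.%
+dh_testdir
+dh_prep
+$(MAKE) -j$(NUMJOBS) -C $(BUILDDIR_$*) build
+build-arch: build-arch.nginx build-arch.nginx_debug
+dh_testdir
+touch $@
+build-dbg.%: install
+dh_testdir
+dh_strip --dbg-package=nginx-dbg
+build-dbg: build-dbg.nginx
+dh_testdir
+touch $@
+build-indep:
+dh_testdir
+touch $@
+build: build-arch build-indep
+dh_testdir
+touch $@
+clean:
+dh_testdir
+dh_testroot
+dh_clean
+rm -f $(CURDIR)/objs
+rm -rf $(CURDIR)/debian/build-*
+rm -f $(CURDIR)/debian/*.init
+find $(CURDIR) -maxdepth 1 -size 0 -delete
+post-build:
+mv $(BUILDDIR_nginx_debug)/objs/nginx $(BUILDDIR_nginx_debug)/objs/nginx-debug
+ln -s $(BUILDDIR_nginx)/objs $(CURDIR)/objs
+cp $(BUILDDIR_nginx)/objs/nginx.8 $(BUILDDIR_nginx)/objs/nginx-debug.8
+install:
+dh_testdir
+dh_testroot
+dh_prep
+dh_installdirs
+dh_install
+mkdir -p $(INSTALLDIR)/usr/lib/nginx/modules
+mkdir -p $(INSTALLDIR)/usr/share/doc/nginx
+install -m 644 debian/CHANGES $(INSTALLDIR)/usr/share/doc/nginx/changelog
+install -m 644 debian/nginx.vh.default.conf $(INSTALLDIR)/etc/nginx/conf.d/default.conf
+ln -s /usr/lib/nginx/modules $(INSTALLDIR)/etc/nginx/modules
+binary-indep: build post-build install
+dh_testdir
+dh_testroot
+dh_installman -i -pnginx
+dh_installdebconf
+sed -e 's/%%PROVIDES%%/nginx/g' \
+-e 's/%%DEFAULTSTART%%/2 3 4 5/g' \
+-e 's/%%DEFAULTSTOP%%/0 1 6/g' \
+< debian/nginx.init.in > debian/nginx.init
+dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --name=nginx
+dh_systemd_enable -pnginx --name=nginx nginx.service
+sed -e 's/%%PROVIDES%%/nginx-debug/g' \
+-e 's/%%DEFAULTSTART%%//g' \
+-e 's/%%DEFAULTSTOP%%/0 1 2 3 4 5 6/g' \
+< debian/nginx.init.in > debian/nginx-debug.init
+dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --noscripts --name=nginx-debug
+dh_systemd_enable -pnginx --name=nginx-debug --no-enable nginx-debug.service
+dh_installlogrotate -i -pnginx --name=nginx
+binary-arch: install build-dbg
+dh_testdir
+dh_testroot
+dh_installchangelogs -a
+dh_installdocs -a
+dh_lintian -a
+dh_link -aA
+dh_compress -a
+dh_perl -a
+dh_fixperms -a
+dh_installdeb -a
+dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info
+dh_gencontrol -a
+dh_md5sums -a
+dh_builddeb $(foreach p,$(DO_PKGS),-p$(p))
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install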
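Review bot: Both `./configure` recipes (under `config.status.nginx:` and `config.status.nginx_debug:`) pass `--with-openssl=/usr/local/src/openssl`, which compiles that OpenSSL tree into the nginx binary instead of linking the distribution's libssl, so OpenSSL security updates installed through apt never reach this nginx; the rules file should say so. I would add above `config.status.nginx:` a comment like `# OpenSSL is built in statically from /usr/local/src/openssl; rebuild the package to pick up OpenSSL fixes`. The `hardening=+all,-pie` export followed by a manual `-fPIC` in `DEB_CFLAGS_MAINT_APPEND` and `-pie` in `DEB_LDFLAGS_MAINT_APPEND` also deserves a one-line why-comment, since a reader will otherwise assume PIE was dropped. `post-build` runs commands and creates no file of that name, but it is missing from the `.PHONY` list, so a stray file called `post-build` would silently skip the `nginx-debug` rename; `.PHONY: build clean binary-indep binary-arch binary install post-build` fixes that.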