This repository has been archived by the owner on Feb 13, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
nginx.sh
228 lines (188 loc) · 6.14 KB
/
nginx.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
#!/bin/bash
if [ "$EUID" -ne 0 ]
then echo "Please run as root"
exit 1
fi
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'
gitdir=$PWD
##Logging setup
logfile=/var/log/nginx_install.log
mkfifo ${logfile}.pipe
tee < ${logfile}.pipe $logfile &
exec &> ${logfile}.pipe
rm ${logfile}.pipe
##Functions
function print_status ()
{
echo -e "\x1B[01;34m[*]\x1B[0m $1"
}
function print_good ()
{
echo -e "\x1B[01;32m[*]\x1B[0m $1"
}
function print_error ()
{
echo -e "\x1B[01;31m[*]\x1B[0m $1"
}
function print_notification ()
{
echo -e "\x1B[01;33m[*]\x1B[0m $1"
}
function error_check
{
if [ $? -eq 0 ]; then
print_good "$1 successfully."
else
print_error "$1 failed. Please check $logfile for more details."
exit 1
fi
}
function install_packages()
{
apt-get update &>> $logfile && apt-get install -y --allow-unauthenticated ${@} &>> $logfile
error_check 'Package installation completed'
}
function dir_check()
{
if [ ! -d $1 ]; then
print_notification "$1 does not exist. Creating.."
mkdir -p $1
else
print_notification "$1 already exists. (No problem, We'll use it anyhow)"
fi
}
########################################
##BEGIN MAIN SCRIPT##
#Pre checks: These are a couple of basic sanity checks the script does before proceeding.
echo
echo -e "${YELLOW}What is the name of the user account created for your cuckoo instance?${NC}"
read user
echo
echo -e "${YELLOW}What is the IP address of the machine that is hosting the cuckoo webpage?${NC}"
read ipaddr
echo
##Install nginx
print_status "${YELLOW}Waiting for dpkg process to free up...${NC}"
print_status "${YELLOW}If this takes too long try running ${RED}sudo rm -f /var/lib/dpkg/lock${YELLOW} in another terminal window.${NC}"
while fuser /var/lib/dpkg/lock >/dev/null 2>&1; do
sleep 1
done
print_status "${YELLOW}Installing Nginx...${NC}"
apt-get -qq install nginx apache2-utils -y &>> $logfile
usermod -a -G cuckoo $user &>> $logfile
error_check 'Nginx installed'
##Copy over service conf
cp nginx.service /lib/systemd/system/
##Create and secure keys
mkdir /etc/ssl/cuckoo/ &>> $logfile
cd /etc/ssl/cuckoo/ &>> $logfile
#openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout cuckoo.key -out cuckoo.crt
print_status "${YELLOW}Configuring and installing SSL keys...${NC}"
openssl req -subj '/CN=Cuckoo_Sandbox/'-x509 -nodes -days 3650 -newkey rsa:4096 -keyout cuckoo.key -out cuckoo.crt &>> $logfile
openssl dhparam -out dhparam.pem 4096 &>> $logfile
error_check 'SSL configured'
cd ..
mv cuckoo /etc/nginx &>> $logfile
mv /etc/nginx/cuckoo /etc/nginx/ssl &>> $logfile
chown -R root:www-data /etc/nginx/ssl &>> $logfile
chmod -R u=rX,g=rX,o= /etc/nginx/ssl &>> $logfile
##Remove default sites and create new cuckoo site
rm /etc/nginx/sites-enabled/default &>> $logfile
print_status "${YELLOW}Configuring Nginx webserver...${NC}"
sudo cat >> /tmp/cuckoo <<EOF
server {
listen $ipaddr:443 ssl http2;
ssl_certificate /etc/nginx/ssl/cuckoo.crt;
ssl_certificate_key /etc/nginx/ssl/cuckoo.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# Uncomment this next line if you are using a signed, trusted cert
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
root /usr/share/nginx/html;
index index.html index.htm;
client_max_body_size 101M;
auth_basic "Login required";
auth_basic_user_file /etc/nginx/htpasswd;
location / {
proxy_pass http://127.0.0.1:8001;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
location /storage/analysis {
alias /etc/cuckoo-modified/storage/analyses/;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
}
location /static {
alias /etc/cuckoo-modified/web/static/;
}
}
server {
listen $ipaddr:80 http2;
return 301 https://\$server_name$request_uri;
}
#server {
# listen 192.168.100.1:8080;
# root /home/cuckoo/vmshared;
# location / {
# try_files \$uri \$uri/ =404;
# autoindex on;
# autoindex_exact_size off;
# autoindex_localtime on;
# }
#}
# Host the upstream legacy API
server {
listen $ipaddr:4343 ssl http2;
ssl_certificate /etc/nginx/ssl/cuckoo.crt;
ssl_certificate_key /etc/nginx/ssl/cuckoo.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# Uncomment this next line if you are using a signed, trusted cert
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
root /usr/share/nginx/html;
index index.html index.htm;
client_max_body_size 101M;
location / {
proxy_pass http://127.0.0.1:8001;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
# Restrict access
#allow IP_Address;
#allow 192.168.1.0/24;
#deny all;
}
}
EOF
error_check 'Site configured'
mv /tmp/cuckoo /etc/nginx/sites-available/
ln -s /etc/nginx/sites-available/cuckoo /etc/nginx/sites-enabled/cuckoo
##Create web user and secure password storage
echo -e "${YELLOW}Please type in a user name for the website.${NC}"
read webuser
htpasswd -c /etc/nginx/htpasswd $webuser
chown root:www-data /etc/nginx/htpasswd
chmod u=rw,g=r,o= /etc/nginx/htpasswd
##Create and restart service
systemctl enable nginx.service
update-rc.d nginx defaults
service nginx restart