boban
/
mailwolt-installer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mailwolt-installer/scripts/70-nginx.sh

308 lines
9.0 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh
log "Nginx konfigurieren …"
# Flags/Umgebung (kommen idealerweise aus bootstrap; hier Fallbacks)
DEV_MODE="${DEV_MODE:-0}" # 1 = DEV (Vite-Proxy aktiv), 0 = PROD
PROXY_MODE="${PROXY_MODE:-0}" # 1 = NPM/Proxy davor
NPM_IP="${NPM_IP:-}" # z.B. 10.10.20.20
# Erwartet gesetzt: UI_HOST, WEBMAIL_HOST, APP_DIR
: "${UI_HOST:?UI_HOST fehlt}"
: "${WEBMAIL_HOST:?WEBMAIL_HOST fehlt}"
: "${APP_DIR:?APP_DIR fehlt}"
ACME_ROOT="/var/www/letsencrypt"
install -d -m 0755 "$ACME_ROOT"
# Default-Sites konsequent entfernen (verhindert doppelten default_server)
rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true
# HTTP/2 prüfen
NGINX_HTTP2_SUFFIX=""
if nginx -V 2>&1 | grep -q http_v2; then
NGINX_HTTP2_SUFFIX=" http2"
fi
# PHP-FPM Socket oder TCP ermitteln und fastcgi_pass bauen
detect_php_fpm_sock(){
for v in 8.3 8.2 8.1 8.0 7.4; do
s="/run/php/php${v}-fpm.sock"
[[ -S "$s" ]] && { echo "unix:${s}"; return; }
done
[[ -S "/run/php/php-fpm.sock" ]] && { echo "unix:/run/php/php-fpm.sock"; return; }
echo "127.0.0.1:9000"
}
PHP_FPM_TARGET="$(detect_php_fpm_sock)"
if [[ "$PHP_FPM_TARGET" == unix:* ]]; then
FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
else
FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
fi
# Helper zum Bauen einer Site
# $1=host, $2=cert_dir (/etc/ssl/ui oder /etc/ssl/webmail), $3=outfile
build_site(){
local host="$1" cert_dir="$2" outfile="$3"
local cert="${cert_dir}/fullchain.pem"
local key="${cert_dir}/privkey.pem"
cat > "$outfile" <<CONF
# --- ${host} : HTTP (ACME + Redirect) ---
server {
listen 80;
listen [::]:80;
server_name ${host};
# ACME HTTP-01
location ^~ /.well-known/acme-challenge/ {
root ${ACME_ROOT};
allow all;
}
return 301 https://\$host\$request_uri;
}
# --- ${host} : HTTPS ---
server {
listen 443 ssl${NGINX_HTTP2_SUFFIX};
listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
server_name ${host};
ssl_certificate ${cert};
ssl_certificate_key ${key};
ssl_protocols TLSv1.2 TLSv1.3;
root ${APP_DIR}/public;
index index.php index.html;
access_log /var/log/nginx/${host}_ssl_access.log;
error_log /var/log/nginx/${host}_ssl_error.log;
client_max_body_size 25m;
location / { try_files \$uri \$uri/ /index.php?\$query_string; }
location ~ \.php\$ {
include snippets/fastcgi-php.conf;
${FASTCGI_PASS}
}
location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
# WebSocket: Laravel Reverb
location /ws/ {
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host \$host;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_pass http://127.0.0.1:8080/;
}
# Reverb HTTP API
location /apps/ {
proxy_http_version 1.1;
proxy_set_header Host \$host;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_pass http://127.0.0.1:8080/apps/;
}
CONF
if [[ "$DEV_MODE" = "1" ]]; then
cat >> "$outfile" <<'CONF'
# DEV: Vite-Proxy
location ^~ /@vite/ { proxy_pass http://127.0.0.1:5173/@vite/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
location ^~ /node_modules/ { proxy_pass http://127.0.0.1:5173/node_modules/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
location ^~ /resources/ { proxy_pass http://127.0.0.1:5173/resources/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
CONF
fi
echo "}" >> "$outfile"
}
# Sites erzeugen
UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"
build_site "$UI_HOST" "/etc/ssl/ui" "$UI_SITE"
build_site "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
ln -sf "$UI_SITE" "/etc/nginx/sites-enabled/ui-mailwolt.conf"
ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf"
# Real-IP nur, wenn Proxy davor
if [[ "$PROXY_MODE" -eq 1 && -n "$NPM_IP" ]]; then
cat > /etc/nginx/conf.d/realip.conf <<NGX
real_ip_header X-Forwarded-For;
set_real_ip_from ${NPM_IP};
real_ip_recursive on;
NGX
else
rm -f /etc/nginx/conf.d/realip.conf || true
fi
# Test & reload
if nginx -t; then
systemctl enable --now nginx >/dev/null 2>&1 || true
systemctl reload nginx || true
else
die "nginx -t fehlgeschlagen siehe /var/log/nginx/*.log"
fi
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#log "Nginx konfigurieren …"
#
#ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
#
#NGINX_SITE="/etc/nginx/sites-available/${APP_USER}.conf"
#NGINX_SITE_LINK="/etc/nginx/sites-enabled/${APP_USER}.conf"
#ACME_ROOT="/var/www/letsencrypt"
#install -d -m 0755 "$ACME_ROOT"
#
## Default-Sites konsequent entfernen (verhindert doppelten default_server)
#rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true
#
## HTTP/2 prüfen
#NGINX_HTTP2_SUFFIX=""
#if nginx -V 2>&1 | grep -q http_v2; then
# NGINX_HTTP2_SUFFIX=" http2"
#fi
#
## PHP-FPM Socket oder TCP ermitteln und fastcgi_pass bauen
#detect_php_fpm_sock(){
# for v in 8.3 8.2 8.1 8.0 7.4; do
# s="/run/php/php${v}-fpm.sock"
# [[ -S "$s" ]] && { echo "unix:${s}"; return; }
# done
# [[ -S "/run/php/php-fpm.sock" ]] && { echo "unix:/run/php/php-fpm.sock"; return; }
# echo "127.0.0.1:9000"
#}
#PHP_FPM_TARGET="$(detect_php_fpm_sock)"
#if [[ "$PHP_FPM_TARGET" == unix:* ]]; then
# FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};" # << keep the unix: prefix!
#else
# FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
#fi
#
## Prüfen, ob UI-Zert vorhanden ist
#UI_CERT="/etc/ssl/ui/fullchain.pem"
#UI_KEY="/etc/ssl/ui/privkey.pem"
#SSL_ENABLED=0
#[[ -s "$UI_CERT" && -s "$UI_KEY" ]] && SSL_ENABLED=1
#
#TPL="${ROOT_DIR}/config/nginx/site.conf.tmpl"
#[[ -f "$TPL" ]] || die "Nginx-Template fehlt: $TPL"
#render="$(cat "$TPL")"
#
## --------- Bausteine, die in das Template eingesetzt werden ---------
#
## (A) HTTP-Body, wenn KEIN SSL → App direkt über Port 80
#HTTP_BODY_APP="$(cat <<'HTTP'
# root ${APP_DIR}/public;
# index index.php index.html;
#
# access_log /var/log/nginx/${APP_USER}_access.log;
# error_log /var/log/nginx/${APP_USER}_error.log;
#
# client_max_body_size 25m;
#
# location / { try_files $uri $uri/ /index.php?$query_string; }
# location ~ \.php$ {
# include snippets/fastcgi-php.conf;
# __FASTCGI_PASS__
# }
# location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
# location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
#HTTP
#)"
#
## (B) HTTP-Body, wenn SSL → nur Redirect auf 443
#HTTP_BODY_REDIRECT='return 301 https://$host$request_uri;'
#
## (C) kompletter SSL-Serverblock (wird nur eingefügt, wenn SSL aktiv)
#SSL_BLOCK="$(cat <<'SSL'
#server {
# listen 443 ssl${NGINX_HTTP2_SUFFIX};
# listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
# server_name _;
#
# ssl_certificate ${UI_CERT};
# ssl_certificate_key ${UI_KEY};
# ssl_protocols TLSv1.2 TLSv1.3;
#
# root ${APP_DIR}/public;
# index index.php index.html;
#
# access_log /var/log/nginx/${APP_USER}_ssl_access.log;
# error_log /var/log/nginx/${APP_USER}_ssl_error.log;
#
# client_max_body_size 25m;
#
# location / { try_files $uri $uri/ /index.php?$query_string; }
# location ~ \.php$ {
# include snippets/fastcgi-php.conf;
# __FASTCGI_PASS__
# }
# location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
# location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
#
# # WebSocket: Laravel Reverb
# location /ws/ {
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header Host $host;
# proxy_read_timeout 60s;
# proxy_send_timeout 60s;
# proxy_pass http://127.0.0.1:8080/;
# }
#
# # Reverb HTTP API
# location /apps/ {
# proxy_http_version 1.1;
# proxy_set_header Host $host;
# proxy_read_timeout 60s;
# proxy_send_timeout 60s;
# proxy_pass http://127.0.0.1:8080/apps/;
# }
#}
#SSL
#)"
#
## --------- Platzhalter ersetzen ---------
#if [[ $SSL_ENABLED -eq 1 ]]; then
# render="${render/__HTTP_BODY__/$HTTP_BODY_REDIRECT}"
# render="${render/__SSL_SERVER_BLOCK__/$SSL_BLOCK}"
#else
# render="${render/__HTTP_BODY__/$HTTP_BODY_APP}"
# # HTTPS-Block komplett entfernen
# render="${render/__SSL_SERVER_BLOCK__/}"
#fi
#
## Variablen & __FASTCGI_PASS__ im fertigen Render ersetzen
#render="$(echo "$render" \
# | sed "s|\${APP_DIR}|${APP_DIR}|g; s|\${APP_USER}|${APP_USER}|g; \
# s|\${UI_CERT}|${UI_CERT}|g; s|\${UI_KEY}|${UI_KEY}|g; \
# s|\${NGINX_HTTP2_SUFFIX}|${NGINX_HTTP2_SUFFIX}|g; \
# s|__FASTCGI_PASS__|${FASTCGI_PASS}|g")"
#
## Schreiben/aktivieren
#echo "$render" > "$NGINX_SITE"
#ln -sf "$NGINX_SITE" "$NGINX_SITE_LINK"
#
## Test & reload
#if nginx -t; then
# systemctl enable --now nginx >/dev/null 2>&1 || true
# systemctl reload nginx || true
#else
# die "nginx -t fehlgeschlagen siehe /var/log/nginx/*.log"
#fi
Reference in New Issue View Git Blame Copy Permalink