linuxtool/Config/Web/nginx.sh

#!/bin/bash

declare path_script=$1

if ! command -v nginx &> /dev/null; then
    if [[ -f "/usr/bin/apt-get" ]];then
      apt-get update -y
      apt-get install nginx -y
    elif [[ -f "/usr/bin/apt" ]];then
      apt update -y
      apt install nginx -y
    elif [[ -f "/usr/bin/pacman" ]];then
      pacman -Syu --noconfirm
      pacman -Sy --noconfirm nginx
    else
      echo "nginx未安装"
      exit
    fi
fi

declare pick
echo "========$(basename $0 .sh)========"
echo "1.新增站点配置文件"
echo "2.查看已有站点配置文件"
echo "3.删除站点配置文件"
read -p "请选择：" pick
case $pick in
'1')
  declare domain
  read -p "请输入要绑定的域名多个用 空格 隔开：" domain

  declare ssl_certificate
  declare ssl_certificate_key
  declare ssl_domain=$(echo "${domain}" | awk '{print $1}')

  echo "ssl证书"
  echo "1.自动申请(默认)"
  echo "2.手动输入"
  read -p "请输入：" pick
  if [[ $pick == 2 ]]; then
      echo "证书,默认 ${HOME}/.acme.sh/${ssl_domain}_ecc/fullchain.cer"
      read -p "请输入证书地址：" ssl_certificate
      if [[ -z $ssl_certificate ]];then
        ssl_certificate="${HOME}/.acme.sh/${ssl_domain}_ecc/fullchain.cer"
      fi
      echo "密钥,默认 ${HOME}/.acme.sh/${ssl_domain}_ecc/${ssl_domain}.key"

      read -p "请输入密钥地址：" ssl_certificate_key
      if [[ -z $ssl_certificate_key ]];then
        ssl_certificate_key="${HOME}/.acme.sh/${ssl_domain}_ecc/${ssl_domain}.key"
      fi
  else
      echo "1.nginx(默认)"
      read -p "请选择：" pick
      bash "${path_script}/Config/Web/acme.sh" "nginx" "${domain}"
      ssl_certificate="${HOME}/.acme.sh/${ssl_domain}_ecc/fullchain.cer"
      ssl_certificate_key="${HOME}/.acme.sh/${ssl_domain}_ecc/${ssl_domain}.key"
  fi



  declare name
  read -p "请输入配置文件名,默认为域名：" name
  if [[ -z $name ]]; then
      name=$ssl_domain
  fi

  echo "工作方式"
  echo "1.反向代理（默认）"
  echo "2.静态文件"
  read -p "请选择：" pick
  declare path
  if [[ $pick == 2 ]]; then
    read -p "请输入要代理的站点路径" path
    cat > "/etc/nginx/sites-available/${name}.conf" << EOF
server {
    listen 443 ssl;  # 监听 443 端口并启用 SSL
    server_name ${domain};  # 替换为你的域名

    # SSL 证书配置
    ssl_certificate ${ssl_certificate};  # 证书文件路径
    ssl_certificate_key ${ssl_certificate_key};  # 证书密钥文件路径
    ssl_protocols TLSv1.2 TLSv1.3;  # 仅使用安全的 TLS 协议版本
    ssl_ciphers HIGH:!aNULL:!MD5;  # 安全的密码套件
    ssl_prefer_server_ciphers on;  # 优先使用服务器的密码套件
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HTTP/2 支持（可选）
    listen 443 ssl http2;

    # HSTS（HTTP 严格传输安全）强制浏览器使用 HTTPS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # 静态文件目录
    root ${path};
    index index.html index.htm;

    # 日志
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;

    # 默认处理
    location / {
        try_files \$uri \$uri/ =404;
    }

    # 防止访问隐藏文件（如 .git）
    location ~ /\. {
        deny all;
    }

    # 错误页面配置
    error_page 404 /404.html;
    location = /404.html {
        root /var/www/example.com/html;
    }
}

# HTTP 到 HTTPS 重定向
server {
    listen 80;  # 监听 80 端口
    server_name ${domain};

    # 将所有 HTTP 请求重定向到 HTTPS
    return 301 https://\$host\$request_uri;
}
EOF
  else
    read -p "请输入后端服务器的地址,如果只输入数字代表端口：" path
    if [[ $path =~ [0-9]+ ]]; then
        path="http://127.0.0.1:${path}"
    fi
    cat > "/etc/nginx/sites-available/${name}.conf" << EOF
server {
    listen 443 ssl http2;  # 监听 443 端口，并启用 HTTP/2
    server_name ${domain};  # 替换为你的域名

    # SSL 证书配置
    ssl_certificate ${ssl_certificate};  # 证书文件路径
    ssl_certificate_key ${ssl_certificate_key};  # 证书密钥文件路径
    ssl_protocols TLSv1.2 TLSv1.3;  # 使用安全的 TLS 协议版本
    ssl_ciphers HIGH:!aNULL:!MD5;  # 安全密码套件
    ssl_prefer_server_ciphers on;

    # 启用 SSL session 缓存和超时设置
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # 强制使用 HTTPS (HSTS)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # 日志设置
    access_log /var/log/nginx/${name}_access.log;
    error_log /var/log/nginx/${name}_error.log;

    # 错误页面配置
    error_page 404 /404.html;
    location = /404.html {
        root /var/www/example.com/html;
    }

    # 反向代理到后台应用 (常规 HTTP/HTTPS)
    location / {
        proxy_pass ${path};  # 反向代理到后端应用服务器
        proxy_set_header Host \$host;  # 保持原始主机头
        proxy_set_header X-Real-IP \$remote_addr;  # 传递客户端的真实 IP
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;  # 传递代理链中的 IP
        proxy_set_header X-Forwarded-Proto \$scheme;  # 传递协议（HTTP 或 HTTPS）

        # 防止后端服务器返回不安全的内容
        proxy_redirect off;

        # 超时时间配置
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        send_timeout 60s;
    }

    # WebSocket 反向代理到后台应用
    location /ws {
        proxy_pass ${path};  # 反向代理到 WebSocket 应用服务器
        proxy_http_version 1.1;  # WebSocket 必须使用 HTTP 1.1
        proxy_set_header Upgrade \$http_upgrade;  # 升级请求头，用于 WebSocket
        proxy_set_header Connection "Upgrade";  # 持久连接，保持 WebSocket 连接
        proxy_set_header Host \$host;  # 保持原始主机头
        proxy_set_header X-Real-IP \$remote_addr;  # 传递客户端的真实 IP
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;  # 传递代理链中的 IP
        proxy_set_header X-Forwarded-Proto \$scheme;  # 传递协议（HTTP 或 HTTPS）

        # 超时时间配置 (WebSocket 是长连接)
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 3600s;  # WebSocket 长连接需较长读超时
        send_timeout 60s;
    }

    # 错误页面配置
    error_page 502 /502.html;
    location = /502.html {
        root /usr/share/nginx/html;  # 错误页面路径
    }
}

# HTTP 到 HTTPS 重定向
server {
    listen 80;  # 监听 HTTP 80 端口
    server_name ${domain};  # 替换为你的域名

    # 将所有 HTTP 请求重定向到 HTTPS
    return 301 https://\$host\$request_uri;
}

EOF
  fi
  ln -s "/etc/nginx/sites-available/${name}.conf" "/etc/nginx/sites-enabled" &> /dev/null
  nginx -s reload &> /dev/null
  echo "配置完成"
  ;;
esac