Installing Linux nginx config in prod install

2025-03-15 04:11:48 +01:00 · 2022-07-07 18:46:03 +02:00 · 2022-07-07 18:46:03 +02:00 · eeb84e5d42
commit eeb84e5d42
parent d46e1abd07
3 changed files with 49 additions and 64 deletions
--- a/production/install
+++ b/production/install
@ -197,6 +197,7 @@ case $OS in
        TOR_USER=debian-tor
        TOR_GROUP=debian-tor
        CERTBOT_PKG=python3-certbot-nginx
        NGINX_ETC_FOLDER=/etc/nginx
        NGINX_CONFIGURATION=/etc/nginx/nginx.conf
    ;;
 esac
@ -925,6 +926,8 @@ if [ "${TOR_INSTALL}" = ON ];then
        osSudo "${ROOT_USER}" /bin/sh -c "echo HiddenServiceDir ${TOR_RESOURCES}/${MEMPOOL_TOR_HS}/ >> ${TOR_CONFIGURATION}"
        osSudo "${ROOT_USER}" /bin/sh -c "echo HiddenServicePort 80 127.0.0.1:81 >> ${TOR_CONFIGURATION}"
        osSudo "${ROOT_USER}" /bin/sh -c "echo HiddenServiceVersion 3 >> ${TOR_CONFIGURATION}"
    else
        osSudo "${ROOT_USER}" sed -i.orig "s!__TOR_RESOURCES__!${TOR_RESOURCES}!" "${TOR_CONFIGURATION}"
    fi
    case $OS in
@ -936,7 +939,7 @@ if [ "${TOR_INSTALL}" = ON ];then
    # start tor now so it can bootstrap in time for bitcoin starting a few mins later
    echo "[*] Starting Tor service"
-    osSudo "${ROOT_USER}" service tor start
+    osSudo "${ROOT_USER}" service tor restart
 fi
 ########################
@ -1508,6 +1511,12 @@ _EOF_
 ##### nginx
 echo "[*] Read tor v3 onion hostnames"
 NGINX_MEMPOOL_ONION=$(cat "${TOR_RESOURCES}/mempool/hostname")
 NGINX_BISQ_ONION=$(cat "${TOR_RESOURCES}/bisq/hostname")
 NGINX_LIQUID_ONION=$(cat "${TOR_RESOURCES}/liquid/hostname")
 echo "[*] Adding Nginx configuration"
 case $OS in
@ -1517,8 +1526,16 @@ case $OS in
    Debian)
        osSudo "${ROOT_USER}" install -c -o "${ROOT_USER}" -g "${ROOT_GROUP}" -m 644 "${MEMPOOL_HOME}/${MEMPOOL_REPO_NAME}/production/nginx/nginx.conf" "${NGINX_CONFIGURATION}"
-#echo "[*] Restarting Nginx"
+        mkdir -p /var/cache/nginx/services /var/cache/nginx/api
-#osSudo "${ROOT_USER}" service nginx restart
+        chown www-data: /var/cache/nginx/services /var/cache/nginx/api
        ln -s /mempool/mempool /etc/nginx/mempool
        osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_USER__!www-data!" "${NGINX_CONFIGURATION}"
        osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_ETC_FOLDER__!${NGINX_ETC_FOLDER}!" "${NGINX_CONFIGURATION}"
        osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_MEMPOOL_ONION__!${NGINX_MEMPOOL_ONION%.onion}!" "${NGINX_CONFIGURATION}"
        osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_BISQ_ONION__!${NGINX_BISQ_ONION%.onion}!" "${NGINX_CONFIGURATION}"
        osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_LIQUID_ONION__!${NGINX_LIQUID_ONIONi%.onion}!" "${NGINX_CONFIGURATION}"
        echo "[*] Restarting Nginx"
        osSudo "${ROOT_USER}" service nginx restart
    ;;
 esac
--- a/production/nginx/nginx.conf
+++ b/production/nginx/nginx.conf
@ -1,4 +1,4 @@
-user nobody;
+user __NGINX_USER__;
 pid /var/run/nginx.pid;
 worker_processes auto;
@ -10,11 +10,11 @@ events {
 }
 http {
-	# DNS servers for on-demand recursive resolver
+	# DNS servers for on-demand resolution, change if desired
 	resolver 8.8.8.8;
 	# include default mime types
-	include /usr/local/etc/nginx/mime.types;
+	include __NGINX_ETC_FOLDER__/mime.types;
 	default_type application/octet-stream;
 	# HTTP basic configuration
@ -32,9 +32,13 @@ http {
 	# MEMPOOL.NINJA
 	server {
 		# clearnet v4/v6
-		listen 443 ssl http2;
+		#listen 443 ssl http2;
-		listen [::]:443 ssl http2;
+		#listen [::]:443 ssl http2;
-		server_name mempool.ninja;
+		server_name _;
 		# tor v3
 		listen 127.0.0.1:81;
 		set $onion "__NGINX_MEMPOOL_ONION__";
 		# for services from mempool.space like contributors on about page
 		set $mempoolSpaceServices "https://mempool.space";
@ -52,30 +56,24 @@ http {
 		set $esploraTestnet "http://esplora-bitcoin-testnet";
 		set $esploraSignet "http://esplora-bitcoin-signet";
 		# tor v3
 		listen 127.0.0.1:81;
 		set $onion "mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad";
 		# filesystem paths
 		root /mempool/public_html/mainnet/;
 		access_log /var/log/nginx/mempool-access.log;
 		error_log /var/log/nginx/mempool-error.log;
 		# ssl configuration
 		ssl_certificate /usr/local/etc/letsencrypt/live/mempool.ninja/fullchain.pem;
 		ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.ninja/privkey.pem;
 		include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
 		ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;
 		# site configuration
 		include mempool/production/nginx/server-mempool.conf;
 	}
 	# BISQ.NINJA
 	server {
 		# clearnet v4/v6
-		listen 443 ssl http2;
+		#listen 443 ssl http2;
-		listen [::]:443 ssl http2;
+		#listen [::]:443 ssl http2;
-		server_name bisq.ninja;
+		server_name _;
 		# tor v3
 		listen 127.0.0.1:82;
 		set $onion "__NGINX_BISQ_ONION__";
 		# for services from mempool.space like contributors on about page
 		set $mempoolSpaceServices "https://mempool.space";
@ -86,30 +84,24 @@ http {
 		# for blockstream/esplora daemon, see upstream-esplora.conf
 		set $esploraMainnet "http://esplora-bitcoin-mainnet";
 		# tor v3
 		listen 127.0.0.1:82;
 		set $onion "bisqmktse2cabavbr2xjq7xw3h6g5ottemo5rolfcwt6aly6tp5fdryd";
 		# filesystem paths
 		root /mempool/public_html/bisq/;
 		access_log /var/log/nginx/bisq-access.log;
 		error_log /var/log/nginx/bisq-error.log;
 		# ssl configuration
 		ssl_certificate /usr/local/etc/letsencrypt/live/bisq.ninja/fullchain.pem;
 		ssl_certificate_key /usr/local/etc/letsencrypt/live/bisq.ninja/privkey.pem;
 		include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
 		ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;
 		# site configuration
 		include mempool/production/nginx/server-bisq.conf;
 	}
 	# LIQUID.PLACE
 	server {
 		# clearnet v4/v6
-		listen 443 ssl http2;
+		#listen 443 ssl http2;
-		listen [::]:443 ssl http2;
+		#listen [::]:443 ssl http2;
-		server_name liquid.place;
+		server_name _;
 		# tor v3
 		listen 127.0.0.1:83;
 		set $onion "__NGINX_LIQUID_ONION__";
 		# for services from mempool.space like contributors on about page
 		set $mempoolSpaceServices "https://mempool.space";
@ -122,36 +114,12 @@ http {
 		set $esploraMainnet "http://esplora-liquid-mainnet";
 		set $esploraTestnet "http://esplora-liquid-testnet";
 		# tor v3
 		listen 127.0.0.1:83;
 		set $onion "liquidmom47f6s3m53ebfxn47p76a6tlnxib3wp6deux7wuzotdr6cyd";
 		# filesystem paths
 		root /mempool/public_html/liquid/;
 		access_log /var/log/nginx/liquid-access.log;
 		error_log /var/log/nginx/liquid-error.log;
 		# ssl configuration
 		ssl_certificate /usr/local/etc/letsencrypt/live/liquid.place/fullchain.pem;
 		ssl_certificate_key /usr/local/etc/letsencrypt/live/liquid.place/privkey.pem;
 		include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
 		ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;
 		# site configuration
 		include mempool/production/nginx/server-liquid.conf;
 	}
 	# HTTP to HTTPS redirect
 	server {
 		# clearnet v4/v6
 		listen 80;
 		listen [::]:80;
 		server_name _;
 		# only redirect for our hosted domains
 		if ($host ~ "^(mempool.ninja|bisq.ninja|liquid.place)$")
 		{
 			return 301 https://$host$request_uri;
 		}
 		return 503;
 	}
 }
--- a/production/torrc
+++ b/production/torrc
@ -3,21 +3,21 @@ SOCKSPort 9050
 ControlPort 9051
 Log notice syslog
-DataDirectory /var/db/tor
+DataDirectory __TOR_RESOURCES__
 DataDirectoryGroupReadable 1
 CookieAuthentication 1
-CookieAuthFile /var/db/tor/control_auth_cookie
+CookieAuthFile __TOR_RESOURCES__/control_auth_cookie
 CookieAuthFileGroupReadable 1
-HiddenServiceDir /var/db/tor/mempool
+HiddenServiceDir __TOR_RESOURCES__/mempool
 HiddenServicePort 80 127.0.0.1:81
 HiddenServiceVersion 3
-HiddenServiceDir /var/db/tor/bisq
+HiddenServiceDir __TOR_RESOURCES__/bisq
 HiddenServicePort 80 127.0.0.1:82
 HiddenServiceVersion 3
-HiddenServiceDir /var/db/tor/liquid
+HiddenServiceDir __TOR_RESOURCES__/liquid
 HiddenServicePort 80 127.0.0.1:83
 HiddenServiceVersion 3