@@ -3,6 +3,7 @@ const exec = util.promisify(require('node:child_process').exec);
33let fs = require ( 'fs' ) ;
44const os = require ( 'os' ) ;
55
6+ const conf = "/etc/nginx/nginx.conf"
67const available = "/etc/nginx/sites-available/"
78const enabled = "/etc/nginx/sites-enabled/"
89class CoCreateNginx {
@@ -27,8 +28,6 @@ class CoCreateNginx {
2728 console . log ( 'Nginx installed successfully' ) ;
2829 }
2930
30- await exec ( 'sudo chmod 777 /etc/nginx/nginx.conf' ) ;
31-
3231 let stream = `user www-data;
3332worker_processes auto;
3433pid /run/nginx.pid;
@@ -40,27 +39,68 @@ events {
4039}
4140
4241http {
42+ include /etc/nginx/mime.types;
43+ default_type application/octet-stream;
44+
45+ ssl_protocols TLSv1.2 TLSv1.3;
46+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256';
47+ ssl_prefer_server_ciphers on;
48+ ssl_session_cache shared:SSL:10m;
49+ ssl_session_timeout 10m;
50+
51+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
52+
53+ ssl_stapling on;
54+ ssl_stapling_verify on;
55+ # resolver [YOUR_DNS_RESOLVER_IP] valid=300s; # Replace with your DNS resolver IP
56+ resolver_timeout 5s;
57+
58+ add_header X-Frame-Options "SAMEORIGIN";
59+ add_header X-Content-Type-Options "nosniff";
60+ # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'";
61+
62+ server_tokens off;
63+
64+ access_log /var/log/nginx/access.log;
65+ error_log /var/log/nginx/error.log;
66+
67+ gzip on;
68+ gzip_disable "msie6";
69+
4370 include /etc/nginx/conf.d/*.conf;
4471 include /etc/nginx/sites-enabled/*;
4572}
4673
4774stream {
75+ map $ssl_preread_server_name $upstream {
76+ default nodejs_ssl;
77+ }
78+
4879 server {
4980 listen 443;
50- proxy_pass 127.0.0.1:8443; # Node.js app listening on port 8443
81+ proxy_pass $upstream;
82+ ssl_preread on;
83+ }
84+
85+ upstream nginx_ssl {
86+ server 127.0.0.1:12345; # Nginx handles SSL
87+ }
88+
89+ upstream nodejs_ssl {
90+ server 127.0.0.1:8443; # Node.js SSL
5191 }
5292}
5393`
54- // fs.writeFileSync('/etc/nginx/nginx.conf', stream)
94+ await exec ( `sudo chmod 777 ${ conf } ` ) ;
95+ fs . writeFileSync ( conf , stream )
5596
56- await exec ( 'sudo chmod 777 /etc/nginx/sites-available' ) ;
57- await exec ( 'sudo chmod 777 /etc/nginx/sites-enabled' ) ;
58- if ( ! fs . existsSync ( `${ enabled } main` ) ) {
59- let main = `server {
97+ await exec ( `sudo chmod 777 ${ available } ` ) ;
98+ await exec ( `sudo chmod 777 ${ enabled } ` ) ;
99+ let main = `server {
60100 listen 80;
61101 listen [::]:80;
62102
63- location / {
103+ location /.well-known/acme-challenge/ {
64104 proxy_pass http://localhost:8080;
65105 proxy_set_header Host $host;
66106 proxy_set_header X-Real-IP $remote_addr;
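Review bot: `sudo chmod 777 ${conf}` immediately before `fs.writeFileSync(conf, stream)` leaves /etc/nginx/nginx.conf world-writable after the install finishes, and the two `chmod 777` calls on the sites-available and sites-enabled directories a few lines later do the same for every vhost file; because nginx re-reads these as root on `systemctl reload`, any local unprivileged account can then add or change directives that the reload at the end of the next hunk applies. Render the config to a temporary file and let root install it with a sane mode instead: `const tmp = os.tmpdir() + '/nginx.conf.tmp';` `fs.writeFileSync(tmp, stream);` `await exec('sudo install -m 644 -o root -g root ' + tmp + ' ' + conf);` (`os` is already required at the top of the file). The same pattern fits the `main.txt` write and the `unlinkSync` of the default site in the following hunk, so the directory permissions never need to be relaxed at all. The enclosing method starts before this hunk and continues into the next one. Separately, the new `ssl_stapling on;` block has its `resolver` directive commented out, and nginx appears to need a resolver for stapling to work, so the setting is likely inert until the placeholder IP is filled in.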
@@ -73,25 +113,29 @@ stream {
73113 proxy_buffers 4 256k;
74114 proxy_busy_buffers_size 256k;
75115 }
116+
117+ location / {
118+ return 301 https://$host$request_uri;
119+ }
76120}
77121`
78-
79- fs . writeFileSync ( `${ available } main` , main )
80- await exec ( `sudo ln -s ${ available } main ${ enabled } ` ) ;
81-
82- if ( fs . existsSync ( ` ${ enabled } default` ) )
83- fs . unlinkSync ( ` ${ enabled } default` )
84- if ( fs . existsSync ( `${ available } default` ) )
85- fs . unlinkSync ( `${ available } default` )
86-
87- let test = await exec ( `sudo nginx -t` ) ;
88- if ( test . stderr . includes ( 'test is successful' ) ) {
89- await exec ( `sudo systemctl reload nginx` ) ;
90- console . log ( 'main test passed reloading nginx' )
91- } else {
92- console . log ( 'main test failed ' )
93- }
94-
122+ if ( fs . existsSync ( ` ${ enabled } main.txt` ) )
123+ fs . writeFileSync ( `${ available } main.txt ` , main )
124+ else {
125+ fs . writeFileSync ( ` ${ available } main.txt` , main )
126+ await exec ( `sudo ln -s ${ available } main.txt ${ enabled } ` ) ;
127+ }
128+ if ( fs . existsSync ( `${ enabled } default` ) )
129+ fs . unlinkSync ( `${ enabled } default` )
130+ if ( fs . existsSync ( ` ${ available } default` ) )
131+ fs . unlinkSync ( ` ${ available } default` )
132+
133+ let test = await exec ( `sudo nginx -t ` ) ;
134+ if ( test . stderr . includes ( ' test is successful' ) ) {
135+ await exec ( `sudo systemctl reload nginx` ) ;
136+ console . log ( 'main test passed reloading nginx ' )
137+ } else {
138+ console . log ( 'main test failed' )
95139 }
96140
97141 } else if ( platform === 'darwin' ) {
@@ -119,32 +163,35 @@ stream {
119163 const hostParts = host . split ( '.' )
120164 const domain = hostParts [ 0 ] ;
121165 const tld = hostParts [ 1 ] ;
166+ const stream = fs . readFileSync ( conf , 'utf8' ) ;
167+ const modifiedStream = stream . replace ( 'default nodejs_ssl;' , `\t\t${ host } nginx_ssl;\ndefault nodejs_ssl;` ) ;
168+ fs . writeFileSync ( conf , modifiedStream ) ;
169+
122170 const server = `
123171server {
124- server_name ~^(?<sub>.+)\.${ domain } \.${ tld } ${ host } ;
172+ listen 12345 ssl http2;
173+ server_name ~^(?<sub>.+)\.${ domain } \.${ tld } ${ host } ;
125174
126175 location / {
127- proxy_pass http://localhost:8080;
128- proxy_set_header Host $host;
129- proxy_set_header X-Real-IP $remote_addr;
130- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
131- proxy_set_header X-Forwarded-Proto $scheme;
132- proxy_set_header Upgrade $http_upgrade;
133- proxy_set_header Connection "Upgrade";
134-
135- fastcgi_buffers 16 16k;
136- fastcgi_buffer_size 32k;
137- proxy_buffer_size 128k;
138- proxy_buffers 4 256k;
139- proxy_busy_buffers_size 256k;
176+ proxy_pass http://localhost:8080;
177+ proxy_set_header Host $host;
178+ proxy_set_header X-Real-IP $remote_addr;
179+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
180+ proxy_set_header X-Forwarded-Proto $scheme;
181+ proxy_set_header Upgrade $http_upgrade;
182+ proxy_set_header Connection "Upgrade";
140183
184+ fastcgi_buffers 16 16k;
185+ fastcgi_buffer_size 32k;
186+ proxy_buffer_size 128k;
187+ proxy_buffers 4 256k;
188+ proxy_busy_buffers_size 256k;
141189 }
142190
143- listen 443 ssl http2;
144- ssl_certificate /etc/certificates/${ host } /fullchain.pem;
145- ssl_certificate_key /etc/certificates/${ host } /private-key.pem;
146- }
191+ ssl_certificate /etc/certificates/${ host } /fullchain.pem; # Adjust to your certificate path
192+ ssl_certificate_key /etc/certificates/${ host } /private-key.pem; # Adjust to your key path
147193
194+ }
148195` ;
149196
150197 fs . writeFileSync ( `${ available } ${ host } ` , server )