Can no longer reach web location

Status
Not open for further replies.

mariannevanh

Returning user
Joined
14 Dec 2004
Posts
2,085
I am in the process of setting up an Ubuntu Server 18.04 LTS with Nextcloud on it. While copying the data to this server I made a mistake which I think I can fix fastest by starting over with a clean server.
Over the past few weeks I have been working from a written-out "command list", from which I copied a series of commands and pasted them into the terminal to build the server quickly.
To finish up, during the previous session I configured HSTS on the server, and I suspect this is now going to bite me.

When rebuilding the server I use the "script" below (read: written-out command list). This script is largely taken from https://decatec.de/home-server/next...-mariadb-php-lets-encrypt-redis-und-fail2ban/. I have also received the necessary support from the author. However, I choose not to use Let's Encrypt but a regular SSL certificate.
After a fresh installation of Ubuntu Server I copy my SSL certificate and the associated files to /home/guido. From that location they are moved to their final location in the course of the "script".

Is the HSTS configured in the previous installation indeed the cause of not being able to reach the URL?
What can I do to rebuild the server anyway?

Kind regards,
Guido

P.S. The "script" is even longer, but that is not relevant to this question.

Code:
sudo su

apt -y update && apt -y upgrade -V && apt -y dist-upgrade && apt -y autoremove

# fetch the repository signing key over TLS; the original line used plain http, which lets an on-path attacker substitute the key
wget -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
echo '# Nginx (Mainline)' >> /etc/apt/sources.list.d/nginx.list
echo 'deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu/ bionic nginx' >> /etc/apt/sources.list.d/nginx.list
echo 'deb-src [arch=amd64] http://nginx.org/packages/mainline/ubuntu/ bionic nginx' >> /etc/apt/sources.list.d/nginx.list
echo '# MariaDB 10.3 repository list' >> /etc/apt/sources.list.d/MariaDB.list
echo '# http://downloads.mariadb.org/mariadb/repositories/' >> /etc/apt/sources.list.d/MariaDB.list
echo 'deb [arch=amd64] http://ftp.hosteurope.de/mirror/mariadb.org/repo/10.3/ubuntu bionic main' >> /etc/apt/sources.list.d/MariaDB.list
echo 'deb-src http://ftp.hosteurope.de/mirror/mariadb.org/repo/10.3/ubuntu bionic main' >> /etc/apt/sources.list.d/MariaDB.list
apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
# refresh the package lists first (they now include the nginx and MariaDB repositories), then upgrade and install
apt -y update && apt -y upgrade && apt -y install nginx mariadb-server php-fpm php-gd php-mysql php-curl php-xml php-zip php-intl php-mbstring php-bz2 php-json php-apcu php-imagick fail2ban redis-server php-redis ufw locate libatomic1

echo "export EDITOR='/bin/nano'" >> ~/.bashrc
mysql_secure_installation

sed -i 's/user  nginx;/user www-data;/g' /etc/nginx/nginx.conf
sed -i 's/worker_processes  1;/worker_processes auto;/g' /etc/nginx/nginx.conf
sed -i 's/http {/http {\n    server_tokens off;/g' /etc/nginx/nginx.conf
mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled
sed -i 's/;env/env/g' /etc/php/7.2/fpm/pool.d/www.conf
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.2/fpm/php.ini
sed -i 's/;open_basedir =/open_basedir = \/var\/www\/:\/tmp\/:\/var\/nextcloud_data\//g' /etc/php/7.2/fpm/php.ini
sed -i 's/memory_limit = 128M/memory_limit = 512M/g' /etc/php/7.2/fpm/php.ini
sed -i 's/;opcache.enable=1/opcache.enable = 1/g' /etc/php/7.2/fpm/php.ini
sed -i 's/;opcache.enable_cli=0/opcache.enable_cli = 1/g' /etc/php/7.2/fpm/php.ini
sed -i 's/;opcache.memory_consumption/opcache.memory_consumption/g' /etc/php/7.2/fpm/php.ini
sed -i 's/;opcache.interned_strings_buffer/opcache.interned_strings_buffer/g' /etc/php/7.2/fpm/php.ini
sed -i 's/;opcache.max_accelerated_files/opcache.max_accelerated_files/g' /etc/php/7.2/fpm/php.ini
sed -i 's/;opcache.revalidate_freq=2/opcache.revalidate_freq = 1/g' /etc/php/7.2/fpm/php.ini
sed -i 's/;opcache.save_comments=1/opcache.save_comments = 1/g' /etc/php/7.2/fpm/php.ini
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.2/cli/php.ini
sed -i 's/;open_basedir =/open_basedir = \/var\/www\/:\/tmp\/:\/var\/nextcloud_data\//g' /etc/php/7.2/cli/php.ini
mkdir -p /var/www/nextcloud
mkdir -p /var/nextcloud_data
chown -R www-data:www-data /var/www
chown -R www-data:www-data /var/nextcloud_data
echo 'server {' > /etc/nginx/conf.d/sub.domein.nl.conf
echo '    listen 80 default_server;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    listen [::]:80 default_server;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    server_name sub.domein.nl;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    root /var/www;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location ^~ /.well-known/acme-challenge {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        proxy_pass http://127.0.0.1:81;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        proxy_redirect off;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '}' >> /etc/nginx/conf.d/sub.domein.nl.conf
service nginx restart
mkdir -p /etc/nginx/ssl
mv /home/guido/sub_domein_nl.crt /etc/ssl/private
mv /home/guido/USERTrust_RSA_Certification_Authority.crt /etc/ssl/certs
mv /home/guido/Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt /etc/ssl/certs
mv /home/guido/sub_domein_nl.key /etc/ssl/private
mv /home/guido/sub_domein_nl.csr /etc/ssl/private
cat /etc/ssl/private/sub_domein_nl.crt /etc/ssl/certs/Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt /etc/ssl/certs/USERTrust_RSA_Certification_Authority.crt > /etc/ssl/private/sub_domein_nl_bundel.crt
chmod 600 /etc/ssl/private/sub_domein_nl.crt
chmod 600 /etc/ssl/certs/USERTrust_RSA_Certification_Authority.crt
chmod 600 /etc/ssl/certs/Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt
chmod 600 /etc/ssl/private/sub_domein_nl_bundel.crt
chmod 600 /etc/ssl/private/sub_domein_nl.key
chmod 600 /etc/ssl/private/sub_domein_nl.csr
openssl dhparam -out /etc/nginx/ssl/dhparams.pem 4096
echo 'upstream php-handler {' > /etc/nginx/conf.d/sub.domein.nl.conf
echo '    #server 127.0.0.1:9000;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    server unix:/var/run/php/php7.2-fpm.sock;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '}' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo 'server {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    listen 80 default_server;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    listen [::]:80 default_server;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    server_name sub.domein.nl 192.168.2.100;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    root /var/www;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ##location ^~ /.well-known/acme-challenge {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ##    proxy_pass http://127.0.0.1:81;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ##    proxy_redirect off;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ##}' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '}' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo 'server {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    listen 443 ssl http2;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    listen [::]:443 ssl http2;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    server_name sub.domein.nl;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_certificate /etc/ssl/private/sub_domein_nl_bundel.crt;' >> /etc/nginx/conf.d/sub.domein.nl.conf
# the private key, not the .csr: a certificate signing request is not a key, and nginx refuses to start with it
echo '    ssl_certificate_key /etc/ssl/private/sub_domein_nl.key;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo "    # Use Mozilla's guidelines for SSL/TLS settings" >> /etc/nginx/conf.d/sub.domein.nl.conf
echo "    # https://mozilla.github.io/server-side-tls/ssl-config-generator/" >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # NOTE: some settings below might be redundant' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # ssl_certificate /etc/ssl/certs/' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # ssl_certificate_key /etc/ssl/certs/' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Not using TLSv1 will break:' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    #    Android <= 4.4.40' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    #    IE <= 10' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    #    IE mobile <=10' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Removing TLSv1.1 breaks nothing else!' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # TLSv1.3 is not supported by most clients, but it should be enabled.' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_protocols TLSv1.2 TLSv1.3;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Cipher suite from https://cipherli.st/' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Max. security, but lower compatibility' >> /etc/nginx/conf.d/sub.domein.nl.conf
# note: the TLS-* names and the *-GCM-SHA512 names in this list are not OpenSSL cipher names and are silently ignored;
# TLS 1.3 suites are not selected through ssl_ciphers at all, so the effective list is the four remaining ECDHE/DHE suites
echo "    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';" >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Cipher suite from https://wiki.mozilla.org/Security/Server_Side_TLS' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo "    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';" >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # (Modern) cipher suite from https://mozilla.github.io/server-side-tls/ssl-config-generator/' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo "    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';" >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_dhparam /etc/nginx/ssl/dhparams.pem;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Use multiple curves.' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_ecdh_curve secp521r1:secp384r1;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Server should determine the ciphers, not the client' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # OCSP Stapling' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # fetch OCSP records from URL in ssl_certificate and cache them' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_stapling on;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_stapling_verify on;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # This should be ca.pem' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # See here: https://certbot.eff.org/docs/using.html' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_trusted_certificate /etc/ssl/certs/USERTrust_RSA_Certification_Authority.crt;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # This is the local DNS server (e.g. the IP of the Router if it is used as DNS server in the local network)' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    resolver 192.168.2.254;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # SSL session handling' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_session_timeout 24h;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_session_cache shared:SSL:50m;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    ssl_session_tickets off;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Add headers to serve security related headers' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Before enabling Strict-Transport-Security headers please read into this' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # topic first.' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    #' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # WARNING: Only add the preload option once you read about' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # the consequences in https://hstspreload.org/. This option' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # will add the domain to a hardcoded list that is shipped' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # in all major browsers and getting removed from this list' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # could take several months.' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    add_header Referrer-Policy "no-referrer" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    add_header X-Content-Type-Options "nosniff" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    add_header X-Download-Options "noopen" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    add_header X-Frame-Options "SAMEORIGIN" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    add_header X-Permitted-Cross-Domain-Policies "none" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    add_header X-Robots-Tag "none" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    add_header X-XSS-Protection "1; mode=block" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Remove X-Powered-By, which is an information leak' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    fastcgi_hide_header X-Powered-By;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Path to the root of your installation' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    root /var/www/nextcloud;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location = /robots.txt {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        allow all;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        log_not_found off;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        access_log off;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # The following 2 rules are only needed for the user_webfinger app.' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo "    # Uncomment it if you're planning to use this app." >> /etc/nginx/conf.d/sub.domein.nl.conf
echo "    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;" >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # The following rule is only needed for the Social app.' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo "    # Uncomment it if you're planning to use this app." >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location = /.well-known/carddav {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '      return 301 $scheme://$host:$server_port/remote.php/dav;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location = /.well-known/caldav {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '      return 301 $scheme://$host:$server_port/remote.php/dav;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # set max upload size' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    client_max_body_size 512M;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    fastcgi_buffers 64 4K;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Enable gzip but do not remove ETag headers' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    gzip on;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    gzip_vary on;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    gzip_comp_level 4;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    gzip_min_length 256;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Uncomment if your server is build with the ngx_pagespeed module' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # This module is currently not supported.' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    #pagespeed off;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location / {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        rewrite ^ /index.php;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        deny all;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        deny all;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        set $path_info $fastcgi_path_info;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        try_files $fastcgi_script_name =404;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        include fastcgi_params;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        fastcgi_param PATH_INFO $path_info;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        fastcgi_param HTTPS on;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # Avoid sending the security headers twice' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        fastcgi_param modHeadersAvailable true;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # Enable pretty urls' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        fastcgi_param front_controller_active true;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        fastcgi_pass php-handler;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        fastcgi_intercept_errors on;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        fastcgi_request_buffering off;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        try_files $uri/ =404;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        index index.php;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Adding the cache control header for js, css and map files' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    # Make sure it is BELOW the PHP block' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        try_files $uri /index.php$request_uri;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        add_header Cache-Control "public, max-age=15778463";' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # Add headers to serve security related headers (It is intended to' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # have those duplicated to the ones above)' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # Before enabling Strict-Transport-Security headers please read into' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # this topic first.' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        #' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # WARNING: Only add the preload option once you read about' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # the consequences in https://hstspreload.org/. This option' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # will add the domain to a hardcoded list that is shipped' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # in all major browsers and getting removed from this list' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        # could take several months.' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        add_header Referrer-Policy "no-referrer" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        add_header X-Content-Type-Options "nosniff" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        add_header X-Download-Options "noopen" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        add_header X-Frame-Options "SAMEORIGIN" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        add_header X-Permitted-Cross-Domain-Policies "none" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        add_header X-Robots-Tag "none" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        add_header X-XSS-Protection "1; mode=block" always;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo "        # Optional: Don't log access to assets" >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        access_log off;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        try_files $uri /index.php$request_uri;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo "        # Optional: Don't log access to other assets" >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '        access_log off;' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo '}' >> /etc/nginx/conf.d/sub.domein.nl.conf
echo 'server {' > /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '    listen 127.0.0.1:82;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '    server_name 127.0.0.1;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '    # Path to the root of your installation' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '    root /var/www/;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '    location = /robots.txt {' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        allow all;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        log_not_found off;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        access_log off;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '    location ^~ /nextcloud {' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        # set max upload size' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        client_max_body_size 10G;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        fastcgi_buffers 64 4K;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        # Enable gzip but do not remove ETag headers' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        gzip on;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        gzip_vary on;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        gzip_comp_level 4;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        gzip_min_length 256;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        # Uncomment if your server is build with the ngx_pagespeed module' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        # This module is currently not supported.' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        #pagespeed off;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        location /nextcloud {' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            rewrite ^ /nextcloud/index.php;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        }' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            deny all;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        }' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            deny all;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        }' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            set $path_info $fastcgi_path_info;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            try_files $fastcgi_script_name =404;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            include fastcgi_params;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_param PATH_INFO $fastcgi_path_info;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            # Important: disable HTTPS, otherwise no log in will be possible!' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            #fastcgi_param HTTPS on;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_param front_controller_active true;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_pass php-handler;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_intercept_errors on;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            # Raise timeout values.' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            # This is especially important when the Nextcloud setup runs into timeouts (504 gateway errors)' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_read_timeout 6000;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_send_timeout 6000;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_connect_timeout 6000;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_request_buffering off;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            # Pass PHP variables directly to PHP.' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            # This is usually done in the php.ini. For more flexibility, these variables are configured in the nginx config.' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo "            # All the PHP parameters have to be set in one fastcgi_param. When using more 'fastcgi_param PHP_VALUE' directives, the last one will override all the others." >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_param PHP_VALUE "open_basedir=/var/www:/tmp/:/var/nextcloud_data:/dev/urandom:/proc/meminfo' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            upload_max_filesize = 10G' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            post_max_size = 10G' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            max_execution_time = 7200' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            max_input_time = 7200' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            output_buffering = off";' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            # Make sure that the real IP of the remote host is passed to PHP.' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            fastcgi_param REMOTE_ADDR $http_x_real_ip;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        }' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        location ~ ^\/nextcloud\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) {' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            try_files $uri/ =404;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '            index index.php;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        }' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        # Adding the cache control header for js and css files' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        # Make sure it is BELOW the PHP block' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif)$ {' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        try_files $uri /nextcloud/index.php$request_uri;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        proxy_set_header Cache-Control "public, max-age=15778463";' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        # Add headers to serve security related headers' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo "        # Use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy." >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        proxy_set_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        proxy_set_header X-Content-Type-Options nosniff;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        proxy_set_header X-XSS-Protection "1; mode=block";' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        proxy_set_header X-Robots-Tag none;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        proxy_set_header X-Download-Options noopen;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        proxy_set_header X-Permitted-Cross-Domain-Policies none;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        proxy_set_header Referrer-Policy no-referrer;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo "        # Optional: Don't log access to assets" >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        access_log off;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        }' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg)$ {' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        try_files $uri /nextcloud/index.php$request_uri;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo "        # Optional: Don't log access to other assets" >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        access_log off;' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '        }' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '    }' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
echo '}' >> /etc/nginx/conf.d/sub.domein.nl_nextcloud.conf
cd /home/guido
wget https://download.nextcloud.com/server/releases/nextcloud-17.0.2.tar.bz2 -O nextcloud-17-latest.tar.bz2
tar -xjf nextcloud-17-latest.tar.bz2 -C /var/www
rm nextcloud-17-latest.tar.bz2
chown -R www-data:www-data /var/www/nextcloud
chown -R www-data:www-data /var/nextcloud_data
mysql -u root -p

-- user, password and database are placeholders; DATABASE is a reserved word, so the name needs backticks
CREATE USER 'user'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE `database` CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES ON `database`.* TO 'user'@'localhost';
FLUSH privileges;
exit;

reboot
 
What happens now when you run it?
 
Seems to me this is unrelated to SSL matters. Otherwise you would get a certificate error message.
 
The problem was in one of the certificates.
The command
Code:
cat /etc/ssl/private/sub_domein_nl.crt /etc/ssl/certs/Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt /etc/ssl/certs/USERTrust_RSA_Certification_Authority.crt > /etc/ssl/private/sub_domein_nl_bundel.crt
was not carried out properly; in the transition from one certificate to the next, oddly enough, a CR/LF was missing, so the file read:
Code:
-----EINDE CERTIFICAAT----------BEGIN certificaat-----
instead of
Code:
-----EINDE CERTIFICAAT-----
-----BEGIN CERTIFICAAT-----

Oddly enough, the certificate in question did end with a CR/LF.

Problem solved.

Kind regards,
Guido
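The failure described above (a PEM file without a trailing newline, so `cat` glues `-----END CERTIFICATE-----` straight onto the next `-----BEGIN CERTIFICATE-----`) can be avoided and detected with a few lines of POSIX shell. This is an added example, not part of the original post or of the decatec guide; the file names are placeholders and the certificate bodies in the demo are constructed stand-ins, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original thread): build a PEM chain bundle with a
# newline at every certificate boundary, then check the result.
# Plain `cat a.crt b.crt` glues "-----END CERTIFICATE-----" to the next
# "-----BEGIN CERTIFICATE-----" whenever a.crt lacks a trailing newline.

# bundle_pem OUT IN1 IN2 ...  (leaf first, then intermediates, as nginx expects)
bundle_pem() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # tail -c1 prints the last byte; $(...) drops a trailing newline, so a
        # non-empty result means the file did not end with one.
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# check_bundle FILE: succeed only when every marker is on a line of its own,
# BEGIN and END counts match, and no glued "END...BEGIN" run is present.
check_bundle() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    glued=$(grep -c 'END CERTIFICATE----------BEGIN CERTIFICATE' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] && [ "$glued" -eq 0 ]
}

# Demo with constructed stand-ins (placeholder names, not real certificates):
# leaf.crt deliberately lacks a trailing newline, like the file in the thread.
demo_dir=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' > "$demo_dir/leaf.crt"
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'CA' '-----END CERTIFICATE-----' > "$demo_dir/ca.crt"

cat "$demo_dir/leaf.crt" "$demo_dir/ca.crt" > "$demo_dir/naive.crt"
bundle_pem "$demo_dir/good.crt" "$demo_dir/leaf.crt" "$demo_dir/ca.crt"

check_bundle "$demo_dir/naive.crt" && echo "naive bundle: ok" || echo "naive bundle: glued markers"
check_bundle "$demo_dir/good.crt"  && echo "fixed bundle: ok" || echo "fixed bundle: broken"
```

With real certificates, `openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -noout` lists every certificate that nginx will actually load from the bundle, which makes a missing or glued entry obvious before a reload.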
 
:thumb: well spotted!
 