#!/bin/bash

#################################################################
###     bash <(curl -fsSL https://raw.lhy.life/nginx.sh)
#################################################################

## clean install
systemctl stop nginx
apt-get purge nginx* -y
apt-get autoremove -y

## install dependencies required
apt update && apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring -y

## add nginx repository
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx" | tee /etc/apt/sources.list.d/nginx.list

## install nginx
apt update && apt install nginx

## create directory
mkdir -p /etc/nginx/proxy_cache_dir
mkdir -p /etc/nginx/proxy_temp_dir
mkdir -p /etc/nginx/logs
mkdir -p /etc/nginx/cert/
mkdir -p /etc/nginx/webroot/test

## create nginx configuration
cat << 'EOF' > /etc/nginx/nginx.conf
## https://github.com/denji/nginx-tuning
user root root;
worker_processes auto;
worker_rlimit_nofile 50000;
error_log /etc/nginx/logs/nginx_error.log error;
pid /var/run/nginx.pid;

events {
    worker_connections 4000;
    use epoll;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;

    client_max_body_size 0;
	client_body_timeout 300s;
    client_body_buffer_size 128k;

    server_names_hash_bucket_size 64;
    reset_timedout_connection on;

    sendfile on;
    sendfile_max_chunk 1m;
    tcp_nopush on;
    tcp_nodelay on;
    
    log_not_found off;

    gzip on;
    gzip_min_length 10k;
    gzip_buffers 64 8k;
    gzip_comp_level 2;
    gzip_vary on;
    gzip_disable msie6;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/atom+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;

    proxy_cache_path /etc/nginx/proxy_cache_dir levels=1:2 keys_zone=my_cache:20m inactive=1d max_size=500m;
    proxy_cache my_cache;
    proxy_temp_path /etc/nginx/proxy_temp_dir;
    proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
    proxy_buffer_size 8k;
    proxy_buffers 4 64k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 128k;

    include /etc/nginx/conf.d/*.conf;
}
EOF

## create a test configuration
cat << 'EOF' > /etc/nginx/conf.d/test.conf
server {
    listen 8082;
    server_name 127.0.0.1;
    index index.html index.php;
    root /etc/nginx/webroot/test;

    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md) {
        return 404;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 5d;
        error_log off;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
        error_log off;
    }

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    ## access_log /etc/nginx/logs/test.log;
    error_log /etc/nginx/logs/test.log;
}
EOF

## create a test site
cat << 'EOF' > /etc/nginx/webroot/test/index.html
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>test</title>
</head>
<body>
The test page is successfully accessed!
</body>
</html>
EOF

## 创建create an example configuration
cat << 'EOF' > /etc/nginx/conf.d/full.conf.example
server {
	listen 80;
	listen [::]:80;
	server_name www.exp.com;
	return 301 https://www.exp.com$request_uri;
}
server {
	listen 363 ssl http2 proxy_protocol;
	server_name www.exp.com;
	index index.php index.html index.htm default.php default.htm default.html;
	root /etc/nginx/webroot/www.exp.com;

	set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;
	
	ssl_certificate /etc/nginx/cert/www.exp.com/cert.pem;
	ssl_certificate_key /etc/nginx/cert/www.exp.com/key.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:MozSSL:10m;
	ssl_session_tickets off;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	ssl_prefer_server_ciphers off;

	include enable-php.conf;

	location / {
		try_files $uri $uri/ =404;
		auth_basic "Only admin";
		auth_basic_user_file /etc/nginx/.htpswd;
	}

	location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md) {
		return 404;
	}

	location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
		expires 5d;
		error_log off;
	}

	location ~ .*\.(js|css)?$ {
		expires 12h;
		error_log off;
	}

	location = /favicon.ico {
		access_log off;
		log_not_found off;
	}

	location = /robots.txt {
		access_log off;
		log_not_found off;
	}

	## access_log /etc/nginx/logs/www.exp.com.log;
	error_log /etc/nginx/logs/www.exp.com.error.log;
}
EOF

## php support
cat << 'EOF' > /etc/nginx/enable-php.conf
## https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

    # Mitigate https://httpoxy.org/ vulnerabilities
    fastcgi_param HTTP_PROXY "";

    fastcgi_pass  unix:/run/php/php-fpm.sock;
    fastcgi_index index.php;

    # include the fastcgi_param setting
    include fastcgi_params;

    # SCRIPT_FILENAME parameter is used for PHP FPM determining
    #  the script name. If it is not set in fastcgi_params file,
    # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
    # please comment off following line:
    fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;

    ## 上传大文件等待时长
    fastcgi_send_timeout 1200s;
    fastcgi_read_timeout 1200s;

    ## https://gist.github.com/magnetikonline/11312172
    fastcgi_buffer_size 32k;
    fastcgi_buffers 16 16k;
    fastcgi_busy_buffers_size 64k;
    fastcgi_temp_file_write_size 32k;
}
EOF

## php test configuration
cat << 'EOF' > /etc/nginx/conf.d/test-php.conf.example
server {
    listen 8083;
    server_name 127.0.0.1;
    index index.html index.php;
    root /etc/nginx/webroot/test-php;

    include enable-php.conf;

    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md) {
        return 404;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 5d;
        error_log off;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
        error_log off;
    }

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    ## access_log /etc/nginx/logs/test-php.log;
    error_log /etc/nginx/logs/test-php.log;
}
EOF

## php test site
mkdir -p /etc/nginx/webroot/test-php
cat << 'EOF' > /etc/nginx/webroot/test-php/index.php
<?php

phpinfo();
EOF

## other
mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
rm -rf ./nginx_signing.key
ln -s /etc/nginx/ /root/nginx
ln -s /etc/nginx/ /nginx

nginx -t
systemctl enable --now nginx.service