#!/bin/bash
: '
Copyright (C) 2022 - now HaoZi Technology Co., Ltd.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
'
source <(curl -f -s --connect-timeout 10 --retry 3 https://dl.cdn.haozi.net/panel/public.sh)
if [ $? -ne 0 ]; then
echo "下载 public.sh 失败,请检查网络或稍后重试。"
echo "Download public.sh failed, please check the network or try again later."
exit 1
fi
channel=${1}
version=${2}
nginx_path="${setup_path}/server/nginx"
j=$(calculate_j)
# 安装依赖
if [ ${OS} == "rhel" ]; then
dnf makecache -y
dnf groupinstall "Development Tools" -y
dnf install cmake tar unzip gd gd-devel git-core flex perl oniguruma oniguruma-devel libsodium-devel libxml2-devel libxslt-devel bison yajl yajl-devel curl curl-devel ncurses-devel libevent-devel readline-devel libuuid-devel brotli-devel icu libicu libicu-devel openssl openssl-devel -y
elif [ ${OS} == "debian" ] || [ ${OS} == "ubuntu" ]; then
apt-get update
apt-get install build-essential cmake tar unzip libgd3 libgd-dev git flex perl libonig-dev libsodium-dev libxml2-dev libxslt1-dev bison libyajl-dev curl libcurl4-openssl-dev libncurses5-dev libevent-dev libreadline-dev uuid-dev libbrotli-dev icu-devtools libicu-dev openssl libssl-dev -y
else
error "不支持的操作系统"
fi
if [ "$?" != "0" ]; then
error "安装依赖软件失败"
fi
# 准备目录
rm -rf ${nginx_path}
mkdir -p ${nginx_path}
cd ${nginx_path}
# 下载源码
wget -T 120 -t 3 -O ${nginx_path}/openresty-${version}.tar.gz ${download_url}/nginx/openresty-${version}.tar.gz
wget -T 20 -t 3 -O ${nginx_path}/openresty-${version}.tar.gz.sha256 ${download_url}/nginx/openresty-${version}.tar.gz.sha256
if ! sha256sum --status -c openresty-${version}.tar.gz.sha256; then
rm -rf ${nginx_path}
error "nginx 校验失败"
fi
tar -zxvf openresty-${version}.tar.gz
rm -f openresty-${version}.tar.gz
rm -f openresty-${version}.tar.gz.sha256
mv openresty-${version} src
cd src
# tls library
wget -T 120 -t 3 -O quictls-1.1.1w.7z ${download_url}/tls/quictls-1.1.1w.7z
wget -T 20 -t 3 -O quictls-1.1.1w.7z.sha256 ${download_url}/tls/quictls-1.1.1w.7z.sha256
if ! sha256sum --status -c quictls-1.1.1w.7z.sha256; then
rm -rf ${nginx_path}
error "quictls 校验失败"
fi
7z x quictls-1.1.1w.7z
rm -f quictls-1.1.1w.7z
rm -f quictls-1.1.1w.7z.sha256
mv quictls-1.1.1w quictls
chmod -R 700 quictls
# patch tls library
cd quictls
wget -T 20 -t 3 -O openssl-1.1.1f-sess_set_get_cb_yield.patch ${download_url}/nginx/openssl/openssl-1.1.1f-sess_set_get_cb_yield.patch
wget -T 20 -t 3 -O openssl-1.1.1f-sess_set_get_cb_yield.patch.sha256 ${download_url}/nginx/openssl/openssl-1.1.1f-sess_set_get_cb_yield.patch.sha256
if ! sha256sum --status -c openssl-1.1.1f-sess_set_get_cb_yield.patch.sha256; then
rm -rf ${nginx_path}
error "补丁文件校验失败"
fi
patch -p1 <openssl-1.1.1f-sess_set_get_cb_yield.patch
rm -f openssl-1.1.1f-sess_set_get_cb_yield.patch
rm -f openssl-1.1.1f-sess_set_get_cb_yield.patch.sha256
cd ../
# pcre
wget -T 60 -t 3 -O pcre-8.45.7z ${download_url}/nginx/pcre/pcre-8.45.7z
wget -T 20 -t 3 -O pcre-8.45.7z.sha256 ${download_url}/nginx/pcre/pcre-8.45.7z.sha256
if ! sha256sum --status -c pcre-8.45.7z.sha256; then
rm -rf ${nginx_path}
error "pcre 校验失败"
fi
7z x pcre-8.45.7z
rm -f pcre-8.45.7z
rm -f pcre-8.45.7z.sha256
mv pcre-8.45 pcre
chmod -R 700 pcre
# ngx_cache_purge
wget -T 20 -t 3 -O ngx_cache_purge-2.3.tar.gz ${download_url}/nginx/modules/ngx_cache_purge-2.3.tar.gz
wget -T 20 -t 3 -O ngx_cache_purge-2.3.tar.gz.sha256 ${download_url}/nginx/modules/ngx_cache_purge-2.3.tar.gz.sha256
if ! sha256sum --status -c ngx_cache_purge-2.3.tar.gz.sha256; then
rm -rf ${nginx_path}
error "ngx_cache_purge 校验失败"
fi
tar -zxvf ngx_cache_purge-2.3.tar.gz
rm -f ngx_cache_purge-2.3.tar.gz
rm -f ngx_cache_purge-2.3.tar.gz.sha256
mv ngx_cache_purge-2.3 ngx_cache_purge
# nginx-sticky-module
wget -T 20 -t 3 -O nginx-sticky-module.zip ${download_url}/nginx/modules/nginx-sticky-module.zip
wget -T 20 -t 3 -O nginx-sticky-module.zip.sha256 ${download_url}/nginx/modules/nginx-sticky-module.zip.sha256
if ! sha256sum --status -c nginx-sticky-module.zip.sha256; then
rm -rf ${nginx_path}
error "nginx-sticky-module 校验失败"
fi
unzip -o nginx-sticky-module.zip
rm -f nginx-sticky-module.zip
rm -f nginx-sticky-module.zip.sha256
# nginx-dav-ext-module
wget -T 20 -t 3 -O nginx-dav-ext-module-3.0.0.tar.gz ${download_url}/nginx/modules/nginx-dav-ext-module-3.0.0.tar.gz
wget -T 20 -t 3 -O nginx-dav-ext-module-3.0.0.tar.gz.sha256 ${download_url}/nginx/modules/nginx-dav-ext-module-3.0.0.tar.gz.sha256
if ! sha256sum --status -c nginx-dav-ext-module-3.0.0.tar.gz.sha256; then
rm -rf ${nginx_path}
error "nginx-dav-ext-module 校验失败"
fi
tar -xvf nginx-dav-ext-module-3.0.0.tar.gz
rm -f nginx-dav-ext-module-3.0.0.tar.gz
rm -f nginx-dav-ext-module-3.0.0.tar.gz.sha256
mv nginx-dav-ext-module-3.0.0 nginx-dav-ext-module
# brotli
wget -T 20 -t 3 -O ngx_brotli-a71f931.zip ${download_url}/nginx/modules/ngx_brotli-a71f931.zip
wget -T 20 -t 3 -O ngx_brotli-a71f931.zip.sha256 ${download_url}/nginx/modules/ngx_brotli-a71f931.zip.sha256
if ! sha256sum --status -c ngx_brotli-a71f931.zip.sha256; then
rm -rf ${nginx_path}
error "ngx_brotli 校验失败"
fi
unzip -o ngx_brotli-a71f931.zip
mv ngx_brotli-a71f931 ngx_brotli
rm -f ngx_brotli-a71f931.zip
rm -f ngx_brotli-a71f931.zip.sha256
cd ngx_brotli/deps/brotli
mkdir out && cd out
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -march=native -mtune=native -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -march=native -mtune=native -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
cmake --build . --config Release --target brotlienc
if [ "$?" != "0" ]; then
rm -rf ${nginx_path}/src
error "ngx_brotli 编译失败"
fi
cd ${nginx_path}/src
export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH
export LIB_UTHASH=${nginx_path}/src/uthash
./configure --user=www --group=www --prefix=${nginx_path} --with-luajit --add-module=${nginx_path}/src/ngx_cache_purge --add-module=${nginx_path}/src/nginx-sticky-module --with-openssl=${nginx_path}/src/quictls --with-pcre=${nginx_path}/src/pcre --with-pcre-jit --with-http_v2_module --with-http_v3_module --with-http_slice_module --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-http_stub_status_module --with-http_ssl_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-ld-opt="-Wl,-s -Wl,-Bsymbolic -Wl,--gc-sections" --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC -march=native -mtune=native -Ofast -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" --with-luajit-xcflags="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT" --with-file-aio --with-threads --with-compat --with-http_dav_module --add-module=${nginx_path}/src/nginx-dav-ext-module --add-module=${nginx_path}/src/ngx_brotli
make "-j${j}"
if [ "$?" != "0" ]; then
rm -rf ${nginx_path}
error "编译失败"
fi
make install
if [ ! -f "${nginx_path}/nginx/sbin/nginx" ]; then
rm -rf ${nginx_path}
error "安装失败"
fi
cd ${nginx_path}
rm -rf src
# 设置软链接
ln -sf ${nginx_path}/nginx/html ${nginx_path}/html
ln -sf ${nginx_path}/nginx/conf ${nginx_path}/conf
ln -sf ${nginx_path}/nginx/logs ${nginx_path}/logs
ln -sf ${nginx_path}/nginx/sbin ${nginx_path}/sbin
ln -sf ${nginx_path}/nginx/sbin/nginx /usr/bin/nginx
# 创建配置目录
mkdir -p ${setup_path}/wwwroot/default
mkdir -p ${setup_path}/wwwlogs
mkdir -p ${setup_path}/server/vhost
mkdir -p ${setup_path}/server/vhost
mkdir -p ${setup_path}/server/vhost/rewrite
mkdir -p ${setup_path}/server/vhost/cert
mkdir -p ${setup_path}/server/vhost/acme
# 写入主配置文件
cat >${nginx_path}/conf/nginx.conf <<EOF
user www www;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
pcre_jit on;
quic_bpf on;
error_log ${setup_path}/wwwlogs/nginx-error.log crit;
pid ${setup_path}/server/nginx/nginx.pid;
stream {
log_format tcp_format '\$time_local|\$remote_addr|\$protocol|\$status|\$bytes_sent|\$bytes_received|\$session_time|\$upstream_addr|\$upstream_bytes_sent|\$upstream_bytes_received|\$upstream_connect_time';
access_log ${setup_path}/wwwlogs/tcp-access.log tcp_format;
error_log ${setup_path}/wwwlogs/tcp-error.log;
}
events {
use epoll;
worker_connections 65535;
multi_accept on;
}
http {
include mime.types;
include proxy.conf;
include default.conf;
default_type application/octet-stream;
keepalive_timeout 60;
server_names_hash_bucket_size 512;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 200m;
client_body_buffer_size 10M;
client_body_in_file_only off;
variables_hash_max_size 2048;
variables_hash_bucket_size 128;
http2 on;
http3 on;
quic_gso on;
aio threads;
aio_write on;
directio 512k;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 8 64k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
gzip on;
gzip_min_length 1k;
gzip_buffers 32 4k;
gzip_http_version 1.1;
gzip_comp_level 6;
gzip_types *;
gzip_vary on;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.";
brotli on;
brotli_comp_level 6;
brotli_min_length 10;
brotli_window 1m;
brotli_types *;
brotli_static on;
limit_conn_zone \$binary_remote_addr zone=perip:10m;
limit_conn_zone \$server_name zone=perserver:10m;
server_tokens off;
access_log off;
# 服务状态页
server {
listen 80;
server_name 127.0.0.1;
allow 127.0.0.1;
location /nginx_status {
stub_status on;
access_log off;
}
location ~ ^/phpfpm_status/(?<version>\d+)$ {
fastcgi_pass unix:/tmp/php-cgi-\$version.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$fastcgi_script_name;
}
}
include ${setup_path}/server/vhost/*.conf;
}
EOF
# 写入pathinfo配置文件
cat >${nginx_path}/conf/pathinfo.conf <<EOF
set \$real_script_name \$fastcgi_script_name;
if (\$fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
set \$real_script_name \$1;
set \$path_info \$2;
}
fastcgi_param SCRIPT_FILENAME \$document_root\$real_script_name;
fastcgi_param SCRIPT_NAME \$real_script_name;
fastcgi_param PATH_INFO \$path_info;
EOF
# 写入默认站点页
cat >${nginx_path}/html/index.html <<EOF
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>未找到网站 - 耗子面板</title>
<style>
body {
background-color: #f9f9f9;
margin: 0;
padding: 0;
}
.container {
max-width: 800px;
margin: 2em auto;
background-color: #ffffff;
padding: 20px;
border-radius: 12px;
box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
}
h1 {
font-size: 2.5em;
margin-top: 0;
margin-bottom: 20px;
text-align: center;
color: #333;
border-bottom: 2px solid #ddd;
padding-bottom: 0.5em;
}
p {
color: #555;
line-height: 1.8;
text-align: center;
}
a {
text-decoration: none;
color: #007bff;
}
@media screen and (max-width: 768px) {
.container {
padding: 15px;
margin: 2em 15px;
}
h1 {
font-size: 1.8em;
}
}
</style>
</head>
<body>
<div class="container">
<h1>耗子面板</h1>
<p>这是耗子面板的默认页面!</p>
<p>您看到此页面是因为服务器上未能找到与该域名对应的网站。</p>
<p>由<a target="_blank" href="https://panel.haozi.net">耗子面板</a>强力驱动</p>
</div>
</body>
</html>
EOF
# 写入站点停止页
cat >${nginx_path}/html/stop.html <<EOF
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>网站已停止 - 耗子面板</title>
<style>
body {
background-color: #f9f9f9;
margin: 0;
padding: 0;
}
.container {
max-width: 800px;
margin: 2em auto;
background-color: #ffffff;
padding: 20px;
border-radius: 12px;
box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
}
h1 {
font-size: 2.5em;
margin-top: 0;
margin-bottom: 20px;
text-align: center;
color: #333;
border-bottom: 2px solid #ddd;
padding-bottom: 0.5em;
}
p {
color: #555;
line-height: 1.8;
text-align: center;
}
a {
text-decoration: none;
color: #007bff;
}
@media screen and (max-width: 768px) {
.container {
padding: 15px;
margin: 2em 15px;
}
h1 {
font-size: 1.8em;
}
}
</style>
</head>
<body>
<div class="container">
<h1>耗子面板</h1>
<p>该网站已被管理员停止访问!</p>
<p>您看到此页面是因为该网站已被服务器管理员停止对外访问。</p>
<p>由<a target="_blank" href="https://panel.haozi.net">耗子面板</a>强力驱动</p>
</div>
</body>
</html>
EOF
# 写入无php配置文件
echo "" >${nginx_path}/conf/enable-php-0.conf
# 自动为所有PHP版本创建配置文件
if [ -d "${setup_path}/server/php" ]; then
cd ${setup_path}/server/php
phpList=$(ls -l | grep ^d | awk '{print $NF}')
for phpVersion in ${phpList}; do
if [ -d "${setup_path}/server/php/${phpVersion}" ]; then
# 写入PHP配置文件
cat >${nginx_path}/conf/enable-php-${phpVersion}.conf <<EOF
location ~ \.php$ {
try_files \$uri =404;
fastcgi_pass unix:/tmp/php-cgi-${phpVersion}.sock;
fastcgi_index index.php;
include fastcgi.conf;
include pathinfo.conf;
}
EOF
fi
done
fi
# 写入代理默认配置文件
cat >${nginx_path}/conf/proxy.conf <<EOF
proxy_temp_path ${nginx_path}/proxy_temp_dir;
proxy_cache_path ${nginx_path}/proxy_cache_dir levels=1:2 keys_zone=cache_one:20m inactive=1d max_size=5g;
proxy_connect_timeout 60;
proxy_read_timeout 60;
proxy_send_timeout 60;
proxy_buffer_size 32k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
proxy_cache cache_one;
EOF
# 写入默认站点配置文件
cat >${nginx_path}/conf/default.conf <<EOF
server
{
listen 80 default_server reuseport;
listen [::]:80 default_server reuseport;
listen 443 ssl default_server reuseport;
listen [::]:443 ssl default_server reuseport;
server_name _;
index index.html;
root ${nginx_path}/html;
ssl_reject_handshake on;
}
EOF
# 处理文件权限
chmod -R 755 ${nginx_path}
chmod -R 644 ${setup_path}/server/vhost
# 写入服务文件
cat >/etc/systemd/system/nginx.service <<EOF
[Unit]
Description=The OpenResty Application Platform
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=${nginx_path}/nginx.pid
ExecStartPre=${nginx_path}/sbin/nginx -t -c ${nginx_path}/conf/nginx.conf
ExecStart=${nginx_path}/sbin/nginx -c ${nginx_path}/conf/nginx.conf
ExecReload=${nginx_path}/sbin/nginx -s reload
ExecStop=${nginx_path}/sbin/nginx -s quit
LimitNOFILE=500000
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now nginx
if [ "$?" != "0" ]; then
error "启动失败"
fi
panel-cli app write nginx ${channel} ${version}
echo -e $HR
echo "安装完成"
echo -e $HR