web_nginx

#!/usr/bin/env bash
set -euo pipefail
# options:
quiet=1

varnish=0
[[ "${*}" =~ "-v" ]] && varnish=1

PHP_VER=$(dpkg -l 2>/dev/null | grep php | grep fpm | awk '{print $2}' | sort -n | tail -1 | sed "s/php//; s/-fpm//") || true
if [ -z "${PHP_VER:-}" ]; then
  PHP_VER=7.4
fi

function servicesReload {
  if [ "$1" != "-q" ]; then
    echo :: Reloading services:
    echo "   - service nginx reload"
    echo "   - service php${PHP_VER}-fpm reload"
  fi
  service nginx reload
  service php${PHP_VER}-fpm reload
}
function logger {
  if [ "$quiet" == "1" ]; then
    echo -n ''
  else
    echo -e "$1"
  fi
}

validate_inputs() {
  [[ "$1" =~ ^[a-zA-Z0-9._-]+\.[a-zA-Z]{2,}$ ]] || { echo "Invalid domain: $1"; exit 1; }
  [[ "$2" =~ ^[a-z_][a-z0-9_-]*$ ]]            || { echo "Invalid username: $2"; exit 1; }
}

if [ "${1:-}" == "-h" ] || [ "${1:-}" == "--help" ] || [ -z "${1:-}" ]; then
  cat <<EOF

USAGE
  web_nginx [OPTIONS] domain.com username [webroot]
  web_nginx -d domain.com username
  web_nginx -l
  web_nginx -h

DESCRIPTION
  Provisions a domain with an nginx vhost and a dedicated PHP-FPM pool.
  Creates a system user and group matching the given username, sets up
  webroot directories, and symlinks the nginx config into sites-enabled.

COMMANDS
  domain.com username [webroot]
      Create a new vhost + PHP-FPM pool for domain.com owned by username.
      If webroot is omitted, /home/username/www is created and used.
      A dev.domain.com vhost is also created pointing to /home/username/dev.

  -d domain.com username
      Delete the nginx config, PHP-FPM pool, and system user for the given
      domain/username pair. Services are reloaded automatically.
      The home directory is NOT removed; run:
        rm -rf /home/username

  -l  List all currently enabled vhosts (sites-enabled).

  -h, --help
      Show this help.

OPTIONS
  -v  Also write a Varnish VCL config (/etc/varnish/default.vcl).
      Requires varnishd to be installed.

FILES CREATED
  /etc/nginx/sites-available/domain.com.conf   nginx server blocks
  /etc/nginx/sites-enabled/domain.com.conf     symlink to the above
  /etc/php/<ver>/fpm/pool.d/username.conf      PHP-FPM pool
  /var/run/php-fpm_username.sock               FPM socket (runtime)
  /var/log/php-fpm_username.log                PHP error log
  /var/log/php-fpm_username_slow.log           PHP slow log (>10s)
  /var/log/nginx/domain.com_access.log         nginx access log
  /var/log/nginx/domain.com_error.log          nginx error log

SSL
  SSL is pre-wired in the config but commented out. To enable:
    1. Obtain certificates (e.g. via certbot) — place .pem and .key
       under /home/username/.
    2. Uncomment the listen 443 ssl / listen [::]:443 ssl lines and
       ssl_certificate directives in the nginx config.
    3. Uncomment add_header Strict-Transport-Security once SSL is stable.
    4. Run: nginx -t && service nginx reload

NOTES
  - Requires root / sudo.
  - Detected PHP-FPM version: ${PHP_VER}
  - To override, set PHP_VER before calling: PHP_VER=8.2 web_nginx ...

EOF
  exit 0
fi

if ! nginx -v 2>/dev/null; then echo -e "\n::: nginx missing, aborting\n\n"; exit 1; fi
if ! php-fpm${PHP_VER} -v 1>/dev/null; then echo -e "\n::: php missing, aborting\n\n"; exit 1; fi

if [ "${1:-}" == "-d" ]; then
  if [ "${3:-}" != "" ]; then
    user=$3
    logger "Disabling domain symlink in Nginx: ${2:-}"
    rm -rf /etc/nginx/sites-enabled/"${2:-}".conf
    rm -rf /etc/nginx/sites-available/"${2:-}".conf
    # Only remove user, group, and FPM pool if no other sites still use this user
    remaining=$(grep -rl "php-fpm_${user}\.sock" /etc/nginx/sites-enabled/ 2>/dev/null | wc -l)
    if [ "$remaining" -eq 0 ]; then
      logger "No remaining sites for '$user' — removing PHP-FPM pool and user"
      rm -rf /etc/php/${PHP_VER}/fpm/pool.d/"$user".conf
      servicesReload -q
      logger "Deleting user [and group]: $user"
      userdel -f "$user" 2>/dev/null || true
      groupdel "$user" 2>/dev/null || true
      echo ":: home folder can be purged via: rm -rf /home/$user"
    else
      servicesReload -q
      echo ":: User '$user' still has $remaining other site(s) — user, group, and FPM pool kept"
    fi
  else
    echo "Usage: $0 -d domain.com user"
  fi
elif [ "${1:-}" == "-l" ]; then
  ls /etc/nginx/sites-enabled/*.conf 2>/dev/null | sed 's|.*/||; s|\.conf||' || true
elif [ -n "${2:-}" ]; then
  validate_inputs "$1" "$2"
  currentpath=$(pwd)
  if [[ -f /etc/nginx/sites-available/"$1".conf ]]; then
    echo ":: Config already exists: /etc/nginx/sites-available/$1.conf"
    echo "   Use -d $1 $2 first, or edit the file manually."
    exit 1
  fi

  # Create user/group only if they don't already exist
  user_exists=0
  if id "$2" &>/dev/null; then
    user_exists=1
    echo ":: User '$2' already exists — reusing"
  else
    groupadd -f "$2"
    useradd -s /bin/false -d /home/"$2" -m -g "$2" "$2"
  fi

  if [ "${3:-}" != "" ]; then
    webroot=$3
    chown -R "$2":"$2" "$webroot"
  else
    # Domain-namespaced subdirectory so one user can host multiple domains
    webroot=/home/$2/websites/$1/www
    mkdir -p /home/"$2"/websites/"$1"/www
    mkdir -p /home/"$2"/websites/"$1"/dev
    touch /home/"$2"/websites/"$1"/www/index.php
    touch /home/"$2"/websites/"$1"/dev/index.php
    chmod 751 "$webroot" /home/"$2"/websites/"$1"/dev
    chown -R "$2":"$2" /home/"$2"/websites/"$1"
  fi
  chmod 751 "/home/$2"

  mkdir -p /etc/nginx/sites-enabled/; mkdir -p /etc/nginx/sites-available/
  logger "Creating Nginx config file: /etc/nginx/sites-available/$1.conf"
  echo "webroot: $webroot"
  cat > /etc/nginx/sites-available/"$1".conf <<ENDD
#limit_req_zone \$binary_remote_addr zone=one:10m rate=20r/m;
#limit_rate 300K; limit_conn_zone \$binary_remote_addr zone=two:4m;
server {
    server_name  www.$1;
    rewrite ^(.*) https://$1\$1 permanent;
  }
server {
    listen 80;
    listen [::]:80;
    server_name $1;
    #return 301 https://\$host\$request_uri;
    if (\$scheme != "https") { return 301 https://\$host\$request_uri; }
}
server {

  server_name $1;
  root $webroot;
  server_tokens off;
  client_max_body_size 64m;

  gzip on;
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

     ## forcing SSL:
     # set \$check_ssl_prot "\${ssl_protocol}P";
     # if (\$check_ssl_prot = "P") { rewrite ^   https://\$server_name\$request_uri? permanent; }

#    listen 443 ssl;
#    listen [::]:443 ssl;
#    ### listen 443 quic reuseport; ### this line should be enabled only ONCE per ip:port, despite how many server {} are on that ip:port
#    http2 on;
#    add_header Alt-Svc 'h3=":\$server_port"; ma=86400'; ### this line should be enabled only ONCE per ip:port, despite how many server {} are on that ip:port
#    ssl_certificate /home/$2/$1.pem;
#    ssl_certificate_key /home/$2/$1.key;

#    ssl_session_cache shared:SSL:1m;
#    ssl_session_timeout  10m;
#    ssl_protocols TLSv1.2 TLSv1.3;
#    ssl_prefer_server_ciphers on;
#    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
#    ssl_ecdh_curve secp384r1;
#    ssl_session_tickets off;
#    #ssl_stapling on;
#    #ssl_stapling_verify on;
#    resolver 1.1.1.1 8.8.8.8 valid=300s;
#    resolver_timeout 5s;

  access_log /var/log/nginx/$1_access.log;
  error_log /var/log/nginx/$1_error.log;
  index index.php index.html;

# include include_cache.conf;
  include include_standard_errors.conf;

  if (\$request_method !~ ^(GET|HEAD|POST|PUT|PATCH|DELETE)$ ) { return 444;  }

#generated by https://www.cspisawesome.com/content_security_policies
add_header Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; script-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.$1 https://$1 https://*.googleapis.com https://google.com https://www.google-analytics.com https://*.google.com https://*.gstatic.com; style-src * 'self' data: 'unsafe-inline' 'unsafe-hashes' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; img-src * 'self' data: https://*.googleapis.com https://www.google-analytics.com https://*.google.com; font-src * 'self' data:; media-src * 'self' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; object-src 'self' data:; frame-src * data:; frame-ancestors 'self'; form-action *";
add_header X-Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; script-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.$1 https://$1 https://*.googleapis.com https://google.com https://www.google-analytics.com https://*.google.com https://*.gstatic.com; style-src * 'self' data: 'unsafe-inline' 'unsafe-hashes' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; img-src * 'self' data: https://*.googleapis.com https://www.google-analytics.com https://*.google.com; font-src * 'self' data:; media-src * 'self' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; object-src 'self' data:; frame-src * data:; frame-ancestors 'self'; form-action *";
add_header X-WebKit-CSP "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; script-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.$1 https://$1 https://*.googleapis.com https://google.com https://www.google-analytics.com https://*.google.com https://*.gstatic.com; style-src * 'self' data: 'unsafe-inline' 'unsafe-hashes' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; img-src * 'self' data: https://*.googleapis.com https://www.google-analytics.com https://*.google.com; font-src * 'self' data:; media-src * 'self' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; object-src 'self' data:; frame-src * data:; frame-ancestors 'self'; form-action *";

#HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; # Uncomment once SSL is live

# https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
add_header X-Content-Type-Options "nosniff";
# Block site from being framed with X-Frame-Options and CSP
#add_header Content-Security-Policy "frame-ancestors 'none'";
add_header 'X-Frame-Options' "SAMEORIGIN";
# Block pages from loading when they detect reflected XSS attacks
add_header X-XSS-Protection "1; mode=block";

## Enable below block for WP Security, and whitelist/allow your Management IPs
#   location ~* ^/(?:wp-json|xmlrpc.php|wp-login.php|wp-admin|readme.html|feed\\/).*$ {
#
#    allow 127.0.0.1/32;
#    allow 10.10.10.0/24;
#    deny all;
#
#    include fastcgi_params;
#    fastcgi_intercept_errors on;
#    fastcgi_param USER  $2;
#    fastcgi_pass   unix:/var/run/php-fpm_$2.sock;
#    fastcgi_index  index.php;
#    fastcgi_param  SCRIPT_FILENAME  \$document_root\$fastcgi_script_name;
#
#    #return 403;
#    root /home/$2/www;
#
#    index index.php index.html;
#    try_files \$uri \$uri/ /index.php\$is_args\$args;
#  }
#  # Deny access to any files with a .php extension in the uploads directory. Works in sub-directory installs and also in multisite network
#  location ~* ^/(?:uploads|files|wp-content|wp-includes)/.*\\.php\\$ { deny all; }
#
#  # Deny access to uploads that aren't images, videos, music, etc.
#  location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf|css)$ { deny all; }

    location = /favicon.ico { try_files /favicon.ico =204; access_log off; log_not_found off; expires max; }
    location = /favicon.png { try_files /favicon.png =204; access_log off; log_not_found off; expires max; }
    location ~* ^/(?:README|LICENSE[^.]*|LEGALNOTICE)(?:\\.txt)*$ {  return 444;  }
    location = /robots.txt { expires max; }
    location ~ /.well-known { allow all; }
    location ~ /\\. { deny  all; }

    location ~* \\.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2|bz2|tar|mid|midi|wav|bmp|rtf|zip)$ {

    # valid_referers server_names; # enable these two lines for hotlinking, but test as some resources will stop loading
    # if (\$invalid_referer)  { return 444; }

    add_header 'Cache-Control' "public, max-age=31536000";
    add_header 'X-Frame-Options' "SAMEORIGIN";
    add_header 'Access-Control-Allow-Origin' "*" always;
    expires    max;
    #access_log off;
    break;
    #try_files \$uri \$uri/ /index.php\$is_args\$args;
  }

  location ~* \\.(zip|gz|gzip|bz2|tar|csv|xml|mid|midi|wav|bmp|rtf)$ {
    add_header 'Cache-Control' "no-store";
    add_header 'Cache-Control' "max-age=0";
    add_header 'X-Frame-Options' "SAMEORIGIN";
    expires    off;
    break;
    #try_files \$uri \$uri/ /index.php\$is_args\$args;
  }

    location / {
    add_header 'Cache-Control' "public, max-age=31536000";
    add_header 'Access-Control-Allow-Origin' "*" always;
    if (\$args ~ "^author=\\d") { return 444; }
    index index.php index.html;
    #try_files \$uri \$uri/ /index.php?q=\$uri;
    try_files \$uri \$uri/ /index.php\$is_args\$args;

#   limit_req zone=one burst=5 nodelay;
#   limit_conn two 1;
}


  location ~ \.php$ {
  fastcgi_connect_timeout 60;
  fastcgi_send_timeout 180;
#  fastcgi_read_timeout 180;
#  fastcgi_cache_key \$host\$request_uri;
  fastcgi_buffer_size 128k;
  fastcgi_buffers 4 256k;
  fastcgi_busy_buffers_size 256k;
  fastcgi_temp_file_write_size 256k;
  fastcgi_intercept_errors on;
  fastcgi_pass   unix:/var/run/php-fpm_$2.sock;
  fastcgi_index  index.php;
  fastcgi_param  SCRIPT_FILENAME  \$document_root\$fastcgi_script_name;
#  fastcgi_param  SCRIPT_FILENAME  \$fastcgi_script_name;
  fastcgi_param  SCRIPT_NAME  \$fastcgi_script_name;
  include fastcgi_params;
  fastcgi_param USER  $2;
  fastcgi_read_timeout 1800;

#          limit_req zone=one burst=5 nodelay;
#          limit_conn two 1;
}
}

### Dev subdomain:
server {
    listen 80;
    listen [::]:80;
    server_name dev.$1;
    #return 301 https://\$host\$request_uri;
    if (\$scheme != "https") { return 301 https://\$host\$request_uri; }
}
server {
  server_name dev.$1;
  root /home/$2/websites/$1/dev;
  server_tokens off;
  client_max_body_size 64m;

     ## forcing SSL:
     # set \$check_ssl_prot "\${ssl_protocol}P";
     # if (\$check_ssl_prot = "P") { rewrite ^   https://\$server_name\$request_uri? permanent; }

     ## Enable SSL
#    listen 443 ssl;
#    listen [::]:443 ssl;
#    http2 on;
#    ssl_certificate /home/$2/dev.$1.pem;
#    ssl_certificate_key /home/$2/dev.$1.key;
#    ssl_session_cache shared:SSL:1m;
#    ssl_session_timeout  10m;
#    ssl_protocols TLSv1.2 TLSv1.3;
#    ssl_prefer_server_ciphers on;
#    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
#    ssl_ecdh_curve secp384r1;
#    ssl_session_tickets off;
#    ssl_stapling on;
#    ssl_stapling_verify on;
#    resolver 1.1.1.1 8.8.8.8 valid=300s;
#    resolver_timeout 5s;

  access_log /var/log/nginx/dev.$1_access.log;
  error_log /var/log/nginx/dev.$1_error.log;
  index index.php index.html;
  include include_standard_errors.conf;
  add_header X-Robots-Tag "noindex, nofollow";

  if (\$request_method !~ ^(GET|HEAD|POST|PUT|PATCH|DELETE)$ ) { return 444;  }

#generated by https://www.cspisawesome.com/content_security_policies
add_header Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; script-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.$1 https://$1 https://*.googleapis.com https://google.com https://www.google-analytics.com https://*.google.com https://*.gstatic.com; style-src * 'self' data: 'unsafe-inline' 'unsafe-hashes' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; img-src * 'self' data: https://*.googleapis.com https://www.google-analytics.com https://*.google.com; font-src * 'self' data:; media-src * 'self' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; object-src 'self' data:; frame-src * data:; frame-ancestors 'self'; form-action *";
add_header X-Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; script-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.$1 https://$1 https://*.googleapis.com https://google.com https://www.google-analytics.com https://*.google.com https://*.gstatic.com; style-src * 'self' data: 'unsafe-inline' 'unsafe-hashes' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; img-src * 'self' data: https://*.googleapis.com https://www.google-analytics.com https://*.google.com; font-src * 'self' data:; media-src * 'self' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; object-src 'self' data:; frame-src * data:; frame-ancestors 'self'; form-action *";
add_header X-WebKit-CSP "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; script-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.$1 https://$1 https://*.googleapis.com https://google.com https://www.google-analytics.com https://*.google.com https://*.gstatic.com; style-src * 'self' data: 'unsafe-inline' 'unsafe-hashes' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; img-src * 'self' data: https://*.googleapis.com https://www.google-analytics.com https://*.google.com; font-src * 'self' data:; media-src * 'self' https://*.googleapis.com https://www.google-analytics.com https://*.google.com; object-src 'self' data:; frame-src * data:; frame-ancestors 'self'; form-action *";

#HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; # Uncomment once SSL is live

# https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
add_header X-Content-Type-Options "nosniff";
# Block site from being framed with X-Frame-Options and CSP
#add_header Content-Security-Policy "frame-ancestors 'none'";
add_header 'X-Frame-Options' "SAMEORIGIN";
# Block pages from loading when they detect reflected XSS attacks
add_header X-XSS-Protection "1; mode=block";

## Enable below block for WP Security, and whitelist/allow your Management IPs
#   location ~* ^/(?:wp-json|xmlrpc.php|wp-login.php|wp-admin|readme.html|wp-includes|feed\\/).*$ {
#
#    allow 127.0.0.1/32;
#    allow 10.10.10.0/24;
#    deny all;
#
#    include fastcgi_params;
#    fastcgi_intercept_errors on;
#    fastcgi_param USER  $2;
#    fastcgi_pass   unix:/var/run/php-fpm_$2.sock;
#    fastcgi_index  index.php;
#    fastcgi_param  SCRIPT_FILENAME  \$document_root\$fastcgi_script_name;
#
#    #return 403;
#    root /home/$2/www;
#
#    index index.php index.html;
#    try_files \$uri \$uri/ /index.php\$is_args\$args;
#  }
#  # Deny access to any files with a .php extension in the uploads directory. Works in sub-directory installs and also in multisite network
#  location ~* ^/(?:uploads|files|wp-content|wp-includes)/.*\\.php\\$ { deny all; }
#
#  # Deny access to uploads that aren't images, videos, music, etc.
#  location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf|css)$ { deny all; }

    location = /favicon.ico { try_files /favicon.ico =204; access_log off; log_not_found off; expires max; }
    location = /favicon.png { try_files /favicon.png =204; access_log off; log_not_found off; expires max; }
    location ~* ^/(?:README|LICENSE[^.]*|LEGALNOTICE)(?:\\.txt)*$ {  return 444;  }
    location = /robots.txt { expires max; }
    location ~ /.well-known { allow all; }
    location ~ /\\. { deny  all; }


    location ~* \\.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2|bz2|tar|mid|midi|wav|bmp|rtf|zip)$ {

    # valid_referers server_names; # enable these two lines for hotlinking, but test as some resources will stop loading
    # if (\$invalid_referer)  { return 444; }

    add_header 'Cache-Control' "public, max-age=31536000";
    add_header 'X-Frame-Options' "SAMEORIGIN";
    add_header 'Access-Control-Allow-Origin' "*" always;
    expires    max;
    #access_log off;
    break;
    #try_files \$uri \$uri/ /index.php\$is_args\$args;
  }

  location ~* \\.(zip|gz|gzip|bz2|tar|csv|xml|mid|midi|wav|bmp|rtf)$ {
    add_header 'Cache-Control' "no-store";
    add_header 'Cache-Control' "max-age=0";
    add_header 'X-Frame-Options' "SAMEORIGIN";
    expires    off;
    break;
    #try_files \$uri \$uri/ /index.php\$is_args\$args;
  }

  location / {
    add_header 'Cache-Control' "public, max-age=31536000";
    add_header 'Access-Control-Allow-Origin' "*" always;
    if (\$args ~ "^author=\\d") { return 444; }

    index index.php index.html;
    #try_files \$uri \$uri/ /index.php?q=\$uri;
    try_files \$uri \$uri/ /index.php\$is_args\$args;
  }

      location ~ \.php$ {
      fastcgi_cache_key \$host\$request_uri;
      fastcgi_pass   unix:/var/run/php-fpm_$2.sock;
      fastcgi_index  index.php;
      fastcgi_param  SCRIPT_FILENAME  \$document_root\$fastcgi_script_name;
    #  fastcgi_param  SCRIPT_FILENAME  \$fastcgi_script_name;
      fastcgi_param  SCRIPT_NAME  \$fastcgi_script_name;
      include fastcgi_params;
      fastcgi_param USER  $2;
      fastcgi_read_timeout 600;
    }
}

ENDD


if [[ $varnish -eq 1 ]]; then

  if varnishd -V 2>/dev/null; then

    cat > /etc/varnish/default.vcl <<ENDD
vcl 4.0;
backend default {
        .host = "localhost";
        .port = "8080";
      }
#Allow cache-purging requests only from localhost using the acl directive:
acl purger {
        "localhost";
#"203.0.113.100";
}

sub vcl_recv {
#Redirect HTTP requests to HTTPS for our SSL website:
#       if (client.ip != "127.0.0.1" && req.http.host ~ "test.digitalcopy.pro") { set req.http.x-redir = "https://test.digitalcopy.pro" + req.url; return(synth(850, "")); }

        if (req.method == "PURGE") {
                if (!client.ip ~ purger) {
                        return(synth(405, "This IP is not allowed to send PURGE requests."));
                      }
                return (purge);
              }

        if (req.restarts == 0) {
                if (req.http.X-Forwarded-For) {
                        set req.http.X-Forwarded-For = client.ip;
                      }
                  }
#Exclude POST requests or those with basic authentication from caching:
        if (req.http.Authorization || req.method == "POST") {
                return (pass);
              }
#Exclude RSS feeds from caching:
        if (req.url ~ "/feed") {
                return (pass);
              }
#Tell Varnish not to cache the WordPress admin and login pages:
        if (req.url ~ "wp-admin|wp-login") {
                return (pass);
              }
#WordPress sets many cookies that are safe to ignore. To remove them, add the following lines:
        set req.http.cookie = regsuball(req.http.cookie, "wp-settings-\d+=[^;]+(; )?", "");
        set req.http.cookie = regsuball(req.http.cookie, "wp-settings-time-\d+=[^;]+(; )?", "");
        if (req.http.cookie == "") {
                unset req.http.cookie;
              }

          }

#Redirect HTTP to HTTPS using the sub vcl_synth directive with the following settings:
sub vcl_synth {
        if (resp.status == 850) {
                set resp.http.Location = req.http.x-redir;
                set resp.status = 302;
                return (deliver);
              }
          }
#Cache-purging for a particular page must occur each time we make edits to that page
sub vcl_purge {
        set req.method = "GET";
        set req.http.X-Purger = "Purged";
        return (restart);
      }

#The sub vcl_backend_response directive is used to handle communication with the backend server, NGINX. We use it to set the amount of time the content remains in the cache. We can also set a grace period, which determines how Varnish will serve content from the cache even if the backend server is down. Time can be set in seconds (s), minutes (m), hours (h) or days (d). Here, we've set the caching time to 24 hours, and the grace period to 1 hour, but you can adjust these settings based on your needs:
sub vcl_backend_response {
        set beresp.ttl = 24h;
        set beresp.grace = 1h;
#allow cookies to be set only if you are on admin pages or WooCommerce-specific pages:
        if (bereq.url !~ "wp-admin|wp-login|product|cart|checkout|my-account|/?remove_item=") {
                unset beresp.http.set-cookie;
              }
          }
#Change the headers for purge requests by adding the sub vcl_deliver directive:
sub vcl_deliver {
        if (req.http.X-Purger) {
                set resp.http.X-Purger = req.http.X-Purger;
              }
          }

ENDD

  else
    logger "\n::: Varnish NOT installed\n"
  fi

fi

logger "Creating Nginx links"
cd /etc/nginx/sites-enabled/
ln -fs ../sites-available/"$1".conf "$1".conf
cd "$currentpath"
if [ "$user_exists" -eq 1 ] && [ -f "/etc/php/${PHP_VER}/fpm/pool.d/$2.conf" ]; then
  logger "PHP-FPM pool for '$2' already exists — reusing"
else
  logger "Adding pool to php-fpm"
  mkdir -p /etc/php/${PHP_VER}/fpm/pool.d/
  cat > /etc/php/${PHP_VER}/fpm/pool.d/"$2".conf <<ENDD
[$2]
listen.owner = $2
listen.group = $2
listen.mode = 0666
listen.backlog = 65535
listen = /var/run/php-fpm_$2.sock
user = $2
group = $2
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
pm.max_requests = 500
php_admin_value[cgi.fix_pathinfo] = 0
php_admin_value[error_log] = /var/log/php-fpm_$2.log
php_admin_flag[log_errors] = on
slowlog = /var/log/php-fpm_$2_slow.log
request_slowlog_timeout = 10s
ENDD
fi
if ! grep -q "SCRIPT_FILENAME" /etc/nginx/fastcgi_params; then
  sed -i '/SCRIPT_NAME/i fastcgi_param  SCRIPT_FILENAME    \$document_root\$fastcgi_script_name;' /etc/nginx/fastcgi_params
fi

servicesReload -q

else
  echo "Usage: $0 [-v] domain.com username [webroot]"
  echo "       $0 -d domain.com username"
  echo "       $0 -l | -h"
  exit 1
fi