X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=web-conf;h=fddb5375b45a53fe0301444234bf79ba764cd772;hb=ebb14a4931cb65b505add2e56c9f1c9e5c90ec4d;hp=08d1c047f2bd649da80745acc075af18359a10a2;hpb=43857c512f612e094ae9fe49c47892f0ba1abd30;p=basic-https-conf

diff --git a/web-conf b/web-conf
index 08d1c04..fddb537 100755
--- a/web-conf
+++ b/web-conf
@@ -25,7 +25,11 @@ usage() {
 Usage: ${0##*/} [OPTIONS] [EXTRA_SETTINGS_FILE] apache2|nginx DOMAIN
 apache/nginx config & let's encrypt
 
-If using tls then it expects certbot to be installed and in PATH.
+If using tls then it expects certbot to be installed and in PATH.  Also,
+certbot cronjob should be taken care of outside this script. In the
+debian package, it installs a systemd timer, which I (Ian Kelling) use
+and modify to email me on failure. You can see how I do this in my git
+repo distro-setup, and log-quiet.
 
 
 EXTRA_SETTINGS_FILE can be - for stdin
@@ -36,6 +40,7 @@ EXTRA_SETTINGS_FILE can be - for stdin
 -i                Insecure, no ssl.
 -p PORT           Main port to listen on, default 443. 80 implies -i.
 -r DIR            DocumentRoot
+-s                Allow symlinks from the doucmentroot
 -h|--help         Print help and exit
 
 Note: Uses GNU getopt options parsing style
@@ -45,10 +50,11 @@ EOF
 
 ##### begin command line parsing ########
 
+symlinkarg=-
 ssl=true
 extra_settings=
 port=443
-temp=$(getopt -l help e:i:f:p:r:h "$@") || usage 1
+temp=$(getopt -l help e:if:p:r:sh "$@") || usage 1
 eval set -- "$temp"
 while true; do
     case $1 in
@@ -57,12 +63,14 @@ while true; do
         -i) ssl=false; shift ;;
         -p) port="$2"; shift 2 ;;
         -r) root="$2"; shift 2 ;;
+        -s) symlinkarg=+; shift ;;
         --) shift; break ;;
         -h|--help) usage ;;
         *) echo "$0: Internal error!" ; exit 1 ;;
     esac
 done
 
+# t = type, h = host
 if (( ${#@} == 3 )); then
     read -r extra_settings t h <<<"${@}"
 else
@@ -110,12 +118,14 @@ fi
 
 if $ssl; then
     f=$cert_dir/fullchain.pem
-    if [[ ! -e $f ]] || openssl x509 -checkend 86400 -noout -in $f; then
+    threedays=259200 # in seconds
+    if [[ ! -e $f ]] || ! openssl x509 -checkend $threedays -noout -in $f >/dev/null; then
+        # cerbot needs an existing virtualhost.
         $0 -p 80 $t $h
         # when generating an example config, add all relevant security options:
-        # --hsts --staple-ocsp --uir
-        certbot certonly -n --must-staple --email $email --no-self-upgrade \
-                --agree-tos --$t -d $h
+        # --hsts --staple-ocsp --uir --must-staple
+        certbot certonly -n --email $email --no-self-upgrade \
+                --agree-tos --${t%2} -d $h
         rm $vhost_file
     fi
 fi
@@ -139,7 +149,6 @@ if [[ $t == apache2 ]]; then
         case $(readlink -f "$f") in
             $vhost_file|$redir_file) continue ;;
         esac
-        echo "$f"
         for p in $(sed -rn "s,^\s*listen\s+(\S+).*,\1,Ip" "$f"); do
             case $p in
                 80) listen_80=true ;;&
@@ -151,9 +160,12 @@ if [[ $t == apache2 ]]; then
 
     cat >$vhost_file <<EOF
 <VirtualHost *:$port>
-        ServerName $h
-        ServerAlias www.$h
-        DocumentRoot $root
+ServerName $h
+ServerAlias www.$h
+DocumentRoot $root
+<Directory $root>
+  Options -Indexes ${symlinkarg}FollowSymlinks
+</Directory>
 EOF
 
     if [[ $extra_settings ]]; then
@@ -163,58 +175,52 @@ EOF
     # go faster!
     if [[ -e /etc/apache2/mods-available/http2.load ]]; then
         # https://httpd.apache.org/docs/2.4/mod/mod_http2.html
-        a2enmod http2
+        a2enmod -q http2
         cat >>$vhost_file <<EOF
-        Protocols h2 http/1.1
+Protocols h2 http/1.1
 EOF
     fi
 
     if [[ $proxy ]]; then
-        a2enmod proxy proxy_http
+        a2enmod -q proxy proxy_http
         # fyi: trailing slash is important
         # reference: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
+        # retry=0: https://stackoverflow.com/questions/683052/why-am-i-getting-an-apache-proxy-503-error
         cat >>$vhost_file <<EOF
-        ProxyPass "/"  "http://$proxy/"
-        ProxyPassReverse "/"  "http://$proxy/"
+ProxyPass "/"  "http://$proxy/" retry=0
+ProxyPassReverse "/"  "http://$proxy/"
 EOF
     fi
 
 
-
     if $ssl; then
+        a2enmod -q headers
         https_arg=" https"
         common_ssl_conf=/etc/apache2/common-ssl.conf
         cat >>$vhost_file <<EOF
-        SSLCertificateFile $cert_dir/fullchain.pem
-        SSLCertificateKeyFile $cert_dir/privkey.pem
-        Include $common_ssl_conf
-        # From cerbot generated config example, taken 4/2017,
-        # should be rechecked once a year or so.
-        Header always set Strict-Transport-Security "max-age=31536000"
-        SSLUseStapling on
-        Header always set Content-Security-Policy upgrade-insecure-requests
-EOF
-
-        cat >/etc/apache2/conf-enabled/local-custom.conf <<'EOF'
-# vhost_combined with %D (request time in microseconds)
-# this file is just a convenient place to drop it.
-LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined
-SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
+SSLCertificateFile $cert_dir/fullchain.pem
+SSLCertificateKeyFile $cert_dir/privkey.pem
+Include $common_ssl_conf
+# From cerbot generated config example, taken 4/2017,
+# should be rechecked once a year or so.
+Header always set Strict-Transport-Security "max-age=31536000"
+SSLUseStapling on
+Header always set Content-Security-Policy upgrade-insecure-requests
 EOF
 
         echo "$0: creating $redir_file"
         cat >$redir_file <<EOF
 <VirtualHost *:80>
-        ServerName $h
-        ServerAdmin webmaster@localhost
-        DocumentRoot /var/www/html
+ServerName $h
+ServerAdmin webmaster@localhost
+DocumentRoot /var/www/html
 
-        ErrorLog \${APACHE_LOG_DIR}/error.log
-        CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined
+ErrorLog \${APACHE_LOG_DIR}/error.log
+CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined
 
-        RewriteEngine on
-        RewriteCond %{SERVER_NAME} =$h
-        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+RewriteEngine on
+RewriteCond %{SERVER_NAME} =$h
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
 </VirtualHost>
 EOF
         if ! $listen_80; then
@@ -226,13 +232,17 @@ EOF
         # this is a copy of a file certbot, see below.
         echo "$0: creating $common_ssl_conf"
         cat >$common_ssl_conf <<'EOF'
-# Baseline setting to Include for SSL sites
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
 
 SSLEngine on
 
 # Intermediate configuration, tweak to your needs
 SSLProtocol             all -SSLv2 -SSLv3
-SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 SSLHonorCipherOrder     on
 SSLCompression          off
 
@@ -250,8 +260,8 @@ LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
 #Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
 EOF
 
-        upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
-        if ! diff -c <(wget -q -O - $upstream) $common_ssl_conf; then
+        upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf
+        if ! diff -u <(wget -q -O - $upstream) $common_ssl_conf; then
             cat <<EOF
 WARNING!!!!!!!!!
 WARNING!!!!!!!!!
@@ -268,8 +278,8 @@ EOF
     fi # end if $ssl
 
     cat >>$vhost_file <<'EOF'
-        ErrorLog ${APACHE_LOG_DIR}/error.log
-        CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined
+ErrorLog ${APACHE_LOG_DIR}/error.log
+CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined
 </VirtualHost>
 EOF
 
@@ -281,7 +291,7 @@ EOF
     fi
 
 
-    a2enmod ssl rewrite # rewrite needed for httpredir
+    a2enmod -q ssl rewrite # rewrite needed for httpredir
     service apache2 restart
 
     # I rarely look at how much traffic I get, so let's keep that info
@@ -337,25 +347,27 @@ ssl_stapling_verify on;
 EOF
     cat >$vhost_file <<EOF
 server {
-    server_name $h www.$h;
-    root $root;
-    listen $port $ssl_arg;
-    listen [::]:$port $ssl_arg;
-
+  server_name $h www.$h;
+  root $root;
+  listen $port $ssl_arg;
+  listen [::]:$port $ssl_arg;
+  location $root {
+    autoindex off;
+  }
 EOF
     if $ssl; then
         cat >>$vhost_file <<EOF
-    ssl_certificate $cert_dir/fullchain.pem;
-    ssl_certificate_key $cert_dir/privkey.pem;
-    include $common_ssl_conf;
+  ssl_certificate $cert_dir/fullchain.pem;
+  ssl_certificate_key $cert_dir/privkey.pem;
+  include $common_ssl_conf;
 EOF
 
         cat >$redir_file <<EOF
 server {
-    server_name $h www.$h;
-    listen 80 $http2_arg;
-    listen [::]:80 $http2_arg;
-    return 301 https://$server_name$request_uri;
+  server_name $h www.$h;
+  listen 80 $http2_arg;
+  listen [::]:80 $http2_arg;
+  return 301 https://$server_name$request_uri;
 }
 EOF
     fi # end if $ssl
@@ -366,14 +378,14 @@ EOF
 
     if [[ $proxy ]]; then
         cat >>$vhost_file <<EOF
-    location / {
-        proxy_set_header Host \$host;
-        proxy_set_header X-Real-IP \$remote_addr;
-        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Ssl on;
-        proxy_set_header X-Forwarded-Port $port;
-        proxy_pass http://$proxy;
-    }
+  location / {
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_set_header X-Forwarded-Port $port;
+    proxy_pass http://$proxy;
+  }
 EOF
     fi
 
@@ -385,3 +397,10 @@ EOF
     service nginx restart
 
 fi ####### end if nginx
+
+cat >/etc/apache2/conf-enabled/local-custom.conf <<'EOF'
+# vhost_combined with %D (request time in microseconds)
+# this file is just a convenient place to drop it.
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined
+SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
+EOF