fixes and new options
author
Ian Kelling
<iank@fsf.org>
Fri, 25 Mar 2022 06:22:26 +0000
(
02:22
-0400)
committer
Ian Kelling
<iank@fsf.org>
Fri, 25 Mar 2022 06:22:26 +0000
(
02:22
-0400)
web-conf
diff --git
a/web-conf
b/web-conf
index b27ec1a5bbd139d3f64024b88661bc104a1968a4..6b18b2e5c7ae2b63fb3f10d208cc4a4cec61af92 100755
(executable)
--- a/
web-conf
+++ b/
web-conf
@@
-41,6
+41,8
@@
distro-setup, and log-quiet.
EXTRA_SETTINGS_FILE can be - for stdin
EXTRA_SETTINGS_FILE can be - for stdin
+-a IPv4_ADDR IP address to listen on. Default all addresses.
+ ipv6 address support could be added to this script.
-e EMAIL Contact address for let's encrypt. Default is
root@\$(hostname --fqdn')
which is root@$(hostname --fqdn) on this host.
-e EMAIL Contact address for let's encrypt. Default is
root@\$(hostname --fqdn')
which is root@$(hostname --fqdn) on this host.
@@
-62,10
+64,15
@@
symlinkarg=-
ssl=true
extra_settings=
port=443
ssl=true
extra_settings=
port=443
-temp=$(getopt -l help e:if:p:r:sh "$@") || usage 1
+temp=$(getopt -l help a:e:if:p:r:sh "$@") || usage 1
+vhostip='*'
eval set -- "$temp"
while true; do
case $1 in
eval set -- "$temp"
while true; do
case $1 in
+ -a)
+ listenip="$2:"
+ vhostip="$2"
+ shift 2 ;;
-e) email="$2"; shift 2 ;;
-f) proxy="$2"; shift 2 ;;
-i) ssl=false; shift ;;
-e) email="$2"; shift 2 ;;
-f) proxy="$2"; shift 2 ;;
-i) ssl=false; shift ;;
@@
-114,7
+121,14
@@
se=/etc/$t/sites-enabled
cert_dir=/etc/letsencrypt/live/$h
mkdir -p $root
cert_dir=/etc/letsencrypt/live/$h
mkdir -p $root
-vhost_file=$se/$h.conf
+case $port in
+ 80|443)
+ vhost_file=$se/$h.conf
+ ;;
+ *)
+ vhost_file=$se/$h-$port.conf
+ ;;
+esac
redir_file=$se/$h-redir.conf
if [[ $port == 80 ]]; then
redir_file=$se/$h-redir.conf
if [[ $port == 80 ]]; then
@@
-137,10
+151,9
@@
if $ssl; then
# --hsts --staple-ocsp --uir --must-staple
certbot certonly -n --email $email --no-self-upgrade \
--agree-tos --${t%2} -d $h
# --hsts --staple-ocsp --uir --must-staple
certbot certonly -n --email $email --no-self-upgrade \
--agree-tos --${t%2} -d $h
- rm $vhost_file
+ # cleanup the call to ourselves a short bit ago
+ rm $se/$h.conf
fi
fi
-
-
fi
fi
@@
-170,9
+183,9
@@
if [[ $t == apache2 ]]; then
done
done
done
done
-
+ echo "$0: creating $vhost_file"
cat >$vhost_file <<EOF
cat >$vhost_file <<EOF
-<VirtualHost
*
:$port>
+<VirtualHost
$vhostip
:$port>
ServerName $h
ServerAlias www.$h
DocumentRoot $root
ServerName $h
ServerAlias www.$h
DocumentRoot $root
@@
-221,8
+234,9
@@
SSLUseStapling on
Header always set Content-Security-Policy upgrade-insecure-requests
EOF
Header always set Content-Security-Policy upgrade-insecure-requests
EOF
- echo "$0: creating $redir_file"
- cat >$redir_file <<EOF
+ if (( port == 443 )); then
+ echo "$0: creating $redir_file"
+ cat >$redir_file <<EOF
<VirtualHost *:80>
ServerName $h
ServerAdmin webmaster@localhost
<VirtualHost *:80>
ServerName $h
ServerAdmin webmaster@localhost
@@
-236,10
+250,11
@@
RewriteCond %{SERVER_NAME} =$h
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
EOF
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
EOF
- if ! $listen_80; then
- cat >>$redir_file <<'EOF'
+
if ! $listen_80; then
+
cat >>$redir_file <<'EOF'
Listen 80
EOF
Listen 80
EOF
+ fi
fi
# this is a copy of a file certbot, see below.
fi
# this is a copy of a file certbot, see below.
@@
-292,7
+307,7
@@
EOF
if ! $listen_port; then
# reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
cat >>$vhost_file <<EOF
if ! $listen_port; then
# reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
cat >>$vhost_file <<EOF
-listen ${port}${https_arg}
+listen ${
listenip}${
port}${https_arg}
EOF
fi
EOF
fi
@@
-355,8
+370,14
@@
EOF
server {
server_name $h www.$h;
root $root;
server {
server_name $h www.$h;
root $root;
- listen $port $ssl_arg;
+ listen $listenip$port $ssl_arg;
+EOF
+ if [[ ! $listenip ]]; then
+ cat >>$vhost_file <<EOF
listen [::]:$port $ssl_arg;
listen [::]:$port $ssl_arg;
+EOF
+ fi
+ cat >>$vhost_file <<EOF
location $root {
autoindex off;
}
location $root {
autoindex off;
}
@@
-368,7
+389,8
@@
EOF
include $common_ssl_conf;
EOF
include $common_ssl_conf;
EOF
- cat >$redir_file <<EOF
+ if (( port == 443 )); then
+ cat >$redir_file <<EOF
server {
server_name $h www.$h;
listen 80 $http2_arg;
server {
server_name $h www.$h;
listen 80 $http2_arg;
@@
-376,6
+398,7
@@
server {
return 301 https://$server_name$request_uri;
}
EOF
return 301 https://$server_name$request_uri;
}
EOF
+ fi
fi # end if $ssl
if [[ $extra_settings ]]; then
fi # end if $ssl
if [[ $extra_settings ]]; then
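Review bot: The new `-a)` arm stores `$2` unchecked, although the help text added on the new side restricts the option to an IPv4 address; the value is then written verbatim into the nginx `listen $listenip$port` directive and into Apache's `<VirtualHost $vhostip:$port>` and `listen ${listenip}${port}` lines, so a bare IPv6 literal, a hostname or a typo yields a config that only fails when the web server reloads. A one-line check before the assignments fails fast at option-parse time instead: `[[ $2 =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || usage 1`. Separately, when `-a` is given the Apache port-80 redirect vhost and its appended `Listen 80` still bind to all addresses (`<VirtualHost *:80>`), which may be intentional but deserves a comment such as `# redirect vhost deliberately listens on all addresses, not $vhostip` so the asymmetry is not mistaken for an oversight. The `while`/`case` option loop this arm belongs to ends outside the hunk.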