-#!/bin/bash -l
+#!/bin/bash
# Copyright (C) 2016 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
# See the License for the specific language governing permissions and
# limitations under the License.
+[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
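Review bot: The re-exec on the new line 7, `exec sudo -E "$BASH_SOURCE" "$@"`, carries the invoking user's whole environment (PATH included) into the root process, which then runs `nginx`, `getopt`, `dd` and `tee` by bare name later in this diff; the only caller variables the script actually reads are `ACME_TINY_WRAPPER_CERT_DIR` and `HOME` (lines 28–30). Passing just those is narrower: `exec sudo ACME_TINY_WRAPPER_CERT_DIR="$ACME_TINY_WRAPPER_CERT_DIR" HOME="$HOME" "${BASH_SOURCE[0]}" "$@"` (whether sudoers permits this depends on its env_reset/SETENV policy, and whether `HOME` survives `-E` already depends on `always_set_home`, so the intended default of `$HOME/webservercerts` is worth pinning either way). `${BASH_SOURCE[0]}` is also what shellcheck expects in place of the bare `$BASH_SOURCE`. The check precedes `set -eE`, which is fine since a failed `exec` terminates the non-interactive shell on its own.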
location for storing certs.
EXTRA_SETTINGS_FILE can be - for stdin
--p PORT Proxy to PORT
--h|--help Print help and exit
+-c CERT_DIR In priority: this arg, $ACME_TINY_WRAPPER_CERT_DIR,
+ $HOME/webservercerts, if the other options aren't set.
+-p PORT Port to listen on, default 443
+-f PORT Enable proxy to PORT on localhost
+-r DocumentRoot
+-h|--help Print help and exit
TODO: add https redir site.
+
+Note: Uses GNU getopt options parsing style
EOF
exit $1
}
##### begin command line parsing ########
+cert_dir="$ACME_TINY_WRAPPER_CERT_DIR"
+if [[ ! $cert_dir ]]; then
+ cert_dir=$HOME/webservercerts
+fi
+port=443
proxy_port=
extra_settings=
-args=()
-while [[ $1 ]]; do
+temp=$(getopt -l help: c:f:p:r:h "$@") || usage 1
+eval set -- "$temp"
+while true; do
case $1 in
- -p) proxy_port="$2"; shift 2 ;;
+ -c) cert_dir="$2"; shift 2 ;;
+ -p) port="$2"; shift 2 ;;
+ -f) proxy_port="$2"; shift 2 ;;
+ -r) root="$2"; shift 2 ;;
--) shift; break ;;
- -?*|-h|--help) usage ;;
- *) args+=("$1"); shift ;;
+ -h|--help) usage ;;
+ *) echo "$0: Internal error!" ; exit 1 ;;
esac
done
-args+=("$@")
-if (( ${#args[@]} == 2 )); then
- read extra_settings h <<<"${args[@]}"
+if (( ${#@} == 2 )); then
+ read -r extra_settings h <<<"${@}"
else
- read h <<<"${args[@]}"
+ read -r h <<<"${@}"
fi
if [[ ! $h ]]; then
usage 1
fi
+if [[ ! $root ]]; then
+ root=/var/www/$h/html
+fi
+
##### end command line parsing ########
sudo rm -f /etc/nginx/sites-enabled/default
-cdir=/p/c/machine_specific/$HOSTNAME/webservercerts
+if nginx -V |& grep -- '--with-http_v2_module\b' &>/dev/null; then
+ http2_arg=http2
+fi
+
sudo dd of=/etc/nginx/sites-enabled/$h.conf <<EOF
+# ssecurty settings taken from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# using modern config. last checked 2017/2/20
server {
server_name $h www.$h;
- root /var/www/$h/html;
- listen 443 ssl;
- listen [::]:443 ssl;
+ root $root;
+ listen $port ssl $http2_arg;
+ listen [::]:$port ssl $http2_arg;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
- ssl_certificate $cdir/$h-chained.pem;
- ssl_certificate_key $cdir/$h-domain.key;
+ ssl_certificate $cert_dir/$h-chained.pem;
+ ssl_certificate_key $cert_dir/$h-domain.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
- ssl_dhparam $cdir/dh2048.pem;
+ ssl_dhparam $cert_dir/dh2048.pem;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;
+ # ian: todo: something is missing here, stapling is not enabled
+ # per ssllabs.com test. need to put root cert in chain?.
+ # ssl labs still says we are A+.
+ # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
## verify chain of trust of OCSP response using Root CA and Intermediate certs
- #ssl_trusted_certificate $cdir/$h-fullchain.pem;
+ ssl_trusted_certificate $cert_dir/$h-chained.pem;
- # ian: also not needed, our local resolver works fine.
+ # ian: left commented out, our local dns is expected to work fine.
#resolver <IP DNS resolver>;
EOF
if [[ $extra_settings ]]; then
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
- proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header X-Forwarded-Port $port;
proxy_pass http://127.0.0.1:$proxy_port;
}
EOF
+fi
sudo tee -a /etc/nginx/sites-enabled/$h.conf <<EOF