From: Ian Kelling Date: Wed, 26 Apr 2017 14:59:02 +0000 (-0700) Subject: merge scripts, add lets encrypt X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=6761d31c8b47efb9361c0d8b69eda24da97769fa;p=basic-https-conf merge scripts, add lets encrypt --- diff --git a/README b/README index f4de843..21d18a7 100644 --- a/README +++ b/README @@ -1,8 +1,7 @@ -apache/nginx site automation +apache/nginx config & let's encrypt -Uses let's encrypt's https settings, plus a small bit of extra settings, -and accepts site specific settings in stdin. More focused on apache, -nginx is missing some features in the apache script. +The main documentation is availiable via --help and near the top of the +bash script file next to this file. Please email me if you have a patches, bugs, feedback, or republish this somewhere else: Ian Kelling . diff --git a/apache-site b/apache-site deleted file mode 100755 index 8ff08b8..0000000 --- a/apache-site +++ /dev/null @@ -1,277 +0,0 @@ -#!/bin/bash -# Copyright (C) 2016 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" - -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - -shopt -s nullglob # used in apache config file expansion - -usage() { - cat <$vhost_file < - ServerName $h - ServerAlias www.$h - DocumentRoot $root -EOF - -if [[ $extra_settings ]]; then - cat -- $extra_settings >>$vhost_file -fi - -# go faster! -if [[ -e /etc/apache2/mods-available/http2.load ]]; then - # https://httpd.apache.org/docs/2.4/mod/mod_http2.html - a2enmod http2 - cat >>$vhost_file <>$vhost_file <>$vhost_file <$redir_file <<'EOF' -# vhost_combined with %D (request time in microseconds) -# this file is just a convenient place to drop it. -LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined - - ServerAdmin webmaster@localhost - DocumentRoot /var/www/html - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/httpsredir-access.log combined - -RewriteEngine on -# ian: removed so it's for all sites -#RewriteCond %{SERVER_NAME} =certbot.iank.bid -RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent] - -EOF - if ! $listen_80; then - cat >>$redir_file <<'EOF' -Listen 80 -EOF - fi - fi - - mkdir -p /etc/letsencrypt - - # this is from cerbot, see below. - echo "$0: creating $certbot_ssl_conf" - cat >$certbot_ssl_conf <<'EOF' -# Baseline setting to Include for SSL sites - -SSLEngine on - -# Intermediate configuration, tweak to your needs -SSLProtocol all -SSLv2 -SSLv3 -SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA -SSLHonorCipherOrder on -SSLCompression off - -SSLOptions +StrictRequire - -# Add vhost name to log entries: -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined -LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common - -#CustomLog /var/log/apache2/access.log vhost_combined -#LogLevel warn -#ErrorLog /var/log/apache2/error.log - -# Always ensure Cookies have "Secure" set (JAH 2012/1) -#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" -EOF - - upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf - if ! diff -c <(wget -q -O - $upstream) $certbot_ssl_conf; then - cat <>$vhost_file < -EOF - -if ! $listen_port; then - # reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen - cat >>$vhost_file <&2' ERR - - -usage() { - cat </dev/null; then - http2_arg=http2 -fi - -echo "$0: creating /etc/nginx/sites-enabled/$h.conf" -cat >/etc/nginx/sites-enabled/$h.conf <; -EOF -if [[ $extra_settings ]]; then - cat $extra_settings >>/etc/nginx/sites-enabled/$h.conf -fi - -if [[ $proxy ]]; then - cat >>/etc/nginx/sites-enabled/$h.conf <>/etc/nginx/sites-enabled/$h.conf <&2' ERR + +shopt -s nullglob # used in apache config file expansion + +usage() { + cat <$vhost_file < + ServerName $h + ServerAlias www.$h + DocumentRoot $root +EOF + + if [[ $extra_settings ]]; then + cat -- $extra_settings >>$vhost_file + fi + + # go faster! + if [[ -e /etc/apache2/mods-available/http2.load ]]; then + # https://httpd.apache.org/docs/2.4/mod/mod_http2.html + a2enmod http2 + cat >>$vhost_file <>$vhost_file <>$vhost_file </etc/apache2/conf-enabled/local-custom.conf <<'EOF' +# vhost_combined with %D (request time in microseconds) +# this file is just a convenient place to drop it. +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined +SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000) +EOF + + echo "$0: creating $redir_file" + cat >$redir_file < + ServerName $h + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + ErrorLog \${APACHE_LOG_DIR}/error.log + CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined + + RewriteEngine on + RewriteCond %{SERVER_NAME} =$h + RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent] + +EOF + if ! $listen_80; then + cat >>$redir_file <<'EOF' +Listen 80 +EOF + fi + + # this is a copy of a file certbot, see below. + echo "$0: creating $common_ssl_conf" + cat >$common_ssl_conf <<'EOF' +# Baseline setting to Include for SSL sites + +SSLEngine on + +# Intermediate configuration, tweak to your needs +SSLProtocol all -SSLv2 -SSLv3 +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA +SSLHonorCipherOrder on +SSLCompression off + +SSLOptions +StrictRequire + +# Add vhost name to log entries: +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined +LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common + +#CustomLog /var/log/apache2/access.log vhost_combined +#LogLevel warn +#ErrorLog /var/log/apache2/error.log + +# Always ensure Cookies have "Secure" set (JAH 2012/1) +#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" +EOF + + upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf + if ! diff -c <(wget -q -O - $upstream) $common_ssl_conf; then + cat <>$vhost_file <<'EOF' + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined + +EOF + + if ! $listen_port; then + # reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen + cat >>$vhost_file </dev/null; then + http2_arg=http2 + fi + + cat >$common_ssl_conf <<'EOF' +# let's encrypt gives us a bad nginx config, so use this: +# https://mozilla.github.io/server-side-tls/ssl-config-generator/ +# using modern config. last checked 2017/4/22 +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; + +# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits +ssl_dhparam /etc/nginx/dh2048.pem; + +# modern configuration. tweak to your needs. +ssl_protocols TLSv1.2; +ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; +ssl_prefer_server_ciphers on; + +# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) +add_header Strict-Transport-Security max-age=15768000; + +# OCSP Stapling --- +# fetch OCSP records from URL in ssl_certificate and cache them +ssl_stapling on; +ssl_stapling_verify on; + +## verify chain of trust of OCSP response using Root CA and Intermediate certs +# ian: commented out, unnecessary for le certs or my nginx ver. +#ssl_trusted_certificate $cert_dir/fullchain.pem;; + +# ian: commented out, our local dns is expected to work fine. +#resolver ; +EOF + cat >$vhost_file <>$vhost_file + fi + + if [[ $proxy ]]; then + cat >>$vhost_file <>$vhost_file <$redir_file <