From: Ian Kelling Date: Wed, 6 Nov 2019 04:17:33 +0000 (-0500) Subject: misc small updates X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=ebb14a4931cb65b505add2e56c9f1c9e5c90ec4d;p=basic-https-conf misc small updates * Add option for symlinks * Update ssl opttions from upstream * Less verbose output --- diff --git a/web-conf b/web-conf index 074fddd..fddb537 100755 --- a/web-conf +++ b/web-conf @@ -40,6 +40,7 @@ EXTRA_SETTINGS_FILE can be - for stdin -i Insecure, no ssl. -p PORT Main port to listen on, default 443. 80 implies -i. -r DIR DocumentRoot +-s Allow symlinks from the doucmentroot -h|--help Print help and exit Note: Uses GNU getopt options parsing style @@ -49,10 +50,11 @@ EOF ##### begin command line parsing ######## +symlinkarg=- ssl=true extra_settings= port=443 -temp=$(getopt -l help e:if:p:r:h "$@") || usage 1 +temp=$(getopt -l help e:if:p:r:sh "$@") || usage 1 eval set -- "$temp" while true; do case $1 in @@ -61,6 +63,7 @@ while true; do -i) ssl=false; shift ;; -p) port="$2"; shift 2 ;; -r) root="$2"; shift 2 ;; + -s) symlinkarg=+; shift ;; --) shift; break ;; -h|--help) usage ;; *) echo "$0: Internal error!" ; exit 1 ;; @@ -116,7 +119,7 @@ fi if $ssl; then f=$cert_dir/fullchain.pem threedays=259200 # in seconds - if [[ ! -e $f ]] || openssl x509 -checkend $threedays -noout -in $f; then + if [[ ! -e $f ]] || ! openssl x509 -checkend $threedays -noout -in $f >/dev/null; then # cerbot needs an existing virtualhost. $0 -p 80 $t $h # when generating an example config, add all relevant security options: @@ -146,7 +149,6 @@ if [[ $t == apache2 ]]; then case $(readlink -f "$f") in $vhost_file|$redir_file) continue ;; esac - echo "$f" for p in $(sed -rn "s,^\s*listen\s+(\S+).*,\1,Ip" "$f"); do case $p in 80) listen_80=true ;;& @@ -162,7 +164,7 @@ ServerName $h ServerAlias www.$h DocumentRoot $root - Options -Indexes -FollowSymlinks + Options -Indexes ${symlinkarg}FollowSymlinks EOF @@ -173,14 +175,14 @@ EOF # go faster! if [[ -e /etc/apache2/mods-available/http2.load ]]; then # https://httpd.apache.org/docs/2.4/mod/mod_http2.html - a2enmod http2 + a2enmod -q http2 cat >>$vhost_file <>$vhost_file <s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common + +#CustomLog /var/log/apache2/access.log vhost_combined +#LogLevel warn +#ErrorLog /var/log/apache2/error.log + +# Always ensure Cookies have "Secure" set (JAH 2012/1) +#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" EOF upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf @@ -283,7 +291,7 @@ EOF fi - a2enmod ssl rewrite # rewrite needed for httpredir + a2enmod -q ssl rewrite # rewrite needed for httpredir service apache2 restart # I rarely look at how much traffic I get, so let's keep that info