[basic-https-conf] / apache-site

#!/bin/bash
# Copyright (C) 2016 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

usage() {
    cat <<EOF
Usage: ${0##*/} [OPTIONS] [EXTRA_SETTINGS_FILE] DOMAIN
Setup apache virtualhost config with https using
ssl config provided by let's encrypt and my standard
location for storing certs.

EXTRA_SETTINGS_FILE can be - for stdin
-c CERT_DIR       In priority: this arg, $ACME_TINY_WRAPPER_CERT_DIR,
                  $HOME/webservercerts, if the other options aren't set.
-i                Insecure, no ssl
-p ADDR_PORT      Main address and port to listen on, default *:443
-r                DocumentRoot
-h|--help         Print help and exit

Note: Uses GNU getopt options parsing style
EOF
    exit $1
}

##### begin command line parsing ########

cert_dir="$ACME_TINY_WRAPPER_CERT_DIR"
if [[ ! $cert_dir ]]; then
    cert_dir=$HOME/webservercerts
fi
ssl=true
extra_settings=
addr_port="*:443"
temp=$(getopt -l help ic:p:r:h "$@") || usage 1
eval set -- "$temp"
while true; do
    case $1 in
        -i) ssl=false; shift ;;
        -c) cert_dir="$2"; shift 2 ;;
        -p) addr_port="$2"; shift 2 ;;
        -r) root="$2"; shift 2 ;;
        --) shift; break ;;
        -h|--help) usage ;;
        *) echo "$0: Internal error!" ; exit 1 ;;
    esac
done

if (( ${#@} == 2 )); then
    read -r extra_settings h <<<"${@}"
else
    read -r h <<<"${@}"
fi

if [[ ! $h ]]; then
    echo "$0: error: expected domain arg"
    usage 1
fi

if [[ ! $root ]]; then
    root=/var/www/$h/html
fi

port=${addr_port##*:}


##### end command line parsing ########

# taken from the let's encrypt generated site, using
# ./certbot-auto --apache (should use the test mode to check if there are updates)
# on 5/29/2016

# I could have also used the mozilla generator this, but it had some open issues
# with no response
# so I figured I would check out let's encrypt.
# It's a little more liberal, but still get's an A in ssl labs,
# so, meh, I'll use it.
# https://mozilla.github.io/server-side-tls/ssl-config-generator/


rm -f /etc/apache2/sites-enabled/000-default.conf

mkdir -p $root
vhost_file=/etc/apache2/sites-enabled/$h.conf
redir_file=/etc/apache2/sites-enabled/httpsredir.conf

# note, we exepct ServerRoot of /etc/apache2
cd /etc/apache2
conf_files=(apache2.conf)

# apache requires exactly 1 listen directive per port (when no ip is also given),
# so we have to parse the config to do it programatically.
listen_80=false
listen_port=false
while (( i=0; i < ${#conf_files[@]}; i++ )); do
    f="${conf_files[i]}"
    # note: globs are expanded here:
    conf_files+=( $(sed -rn "s,^\s*Include(Optional)?\s+(\S+).*,\2,p" "$f") )
    case $(readlink -f "$f") in
        $vhost_file|$redir_file) continue ;;
    esac
    for p in $(sed -rn "s,^\s*Listen\s+(\S+).*,\1,p" "$f"); do
        case $p in
            80) listen_80=true ;;
            $port) listen_port=true ;;
        esac
    done
done

if $ssl; then
    https_arg=" https"
fi


tee $vhost_file <<EOF
<VirtualHost $addr_port>
        ServerName $h
        ServerAlias www.$h
        DocumentRoot $root
EOF

if [[ $extra_settings ]]; then
    cat -- $extra_settings | tee -a $vhost_file
fi

# go faster!
if [[ -e /etc/apache2/mods-available/http2.load ]]; then
    # https://httpd.apache.org/docs/2.4/mod/mod_http2.html
    a2enmod http2
    tee -a $vhost_file <<EOF
        Protocols h2 http/1.1
EOF
fi

if $ssl; then
    certbot_ssl_conf=/etc/letsencrypt/options-ssl-apache.conf
    tee -a $vhost_file <<EOF
        SSLCertificateFile $cert_dir/$h-chained.pem
        SSLCertificateKeyFile $cert_dir/$h-domain.key
        Include $certbot_ssl_conf
EOF

    # if we are using a non-standard port, setup don't setup
    # irrelevant 443 redirect.
    if [[ $port == "443" ]]; then
        tee $redir_file <<'EOF'
# vhost_combined with %D (request time in microseconds)
# this file is just a convenient place to drop it.
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/httpsredir-access.log combined

RewriteEngine on
# ian: removed so it's for all sites
#RewriteCond %{SERVER_NAME} =certbot.iank.bid
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
EOF
        if ! $listen_80; then
            tee -a $redir_file <<'EOF'
Listen 80
EOF
        fi
    fi

    mkdir -p /etc/letsencrypt

    # this is from cerbot, see below.
    cat >$certbot_ssl_conf <<'EOF'
# Baseline setting to Include for SSL sites

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
EOF

    upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
    if ! diff -c <(wget -q -O - $upstream) $certbot_ssl_conf; then
        cat <<EOF
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
upstream ssl settings differ from the snapshot we have taken!!!
We diffed with this command:
diff -c <(wget -q -O - $upstream) $certbot_ssl_conf
Update this script to take care this warning!!!!!
EOF
        sleep 1
    fi
fi
tee -a $vhost_file <<EOF
        ErrorLog \${APACHE_LOG_DIR}/error.log
        CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined
</VirtualHost>
EOF

if ! $listen_port; then
    # reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
    tee -a $vhost_file <<EOF
listen ${port}${https_arg}
EOF
fi


a2enmod ssl rewrite # rewrite needed for httpredir
service apache2 restart

# I rarely look at how much traffic I get, so let's keep that info
# around for longer than the default of 2 weeks.
sed -ri --follow-symlinks 's/^(\s*rotate\s).*/\1 365/' /etc/logrotate.d/apache2