[basic-https-conf] / apache-site

#!/bin/bash
# Copyright (C) 2016 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# run as root.
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

usage() {
    cat <<EOF
Usage: ${0##*/} [EXTRA_SETTINGS_FILE] DOMAIN
Setup apache virtualhost config with https using
ssl config provided by let's encrypt and my standard
location for storing certs.

EXTRA_SETTINGS_FILE can be - for stdin
-p PORT
-i          Insecure, no ssl
-c CERT_DIR Default is /p/c/machine_specific/\$HOSTNAME/webservercerts
-h|--help   Print help and exit
-r          DocumentRoot
--          Subsequent arguments are never treated as options

Note: options and non-options can be in any order.
EOF
    exit $1
}

##### begin command line parsing ########

cert_dir=/p/c/machine_specific/$HOSTNAME/webservercerts
ssl=true
extra_settings=
args=()
port="*:443"
while [[ $1 ]]; do
    case $1 in
        -i) ssl=false; shift ;; # i for insecure
        -c) cert_dir="$2"; shift 2 ;;
        -p) port="$2"; shift 2 ;;
        -r) root="$2"; shift 2 ;;
        --) shift; break ;;
        -?*|-h|--help) usage ;;
        *) args+=("$1"); shift ;;
    esac
done
args+=("$@")

if (( ${#args[@]} == 2 )); then
    read extra_settings h <<<"${args[@]}"
else
    read h <<<"${args[@]}"
fi

if [[ ! $h ]]; then
    echo "$0: error: expected domain arg"
    usage 1
fi

if [[ ! $root ]]; then
    root=/var/www/$h/html
fi


##### end command line parsing ########

# taken from the let's encrypt generated site, using
# ./certbot-auto --apache (should use the test mode to check if there are updates)
# on 5/29/2016

# I could have also used the mozilla generator this, but it had some open issues
# with no response
# so I figured I would check out let's encrypt.
# It's a little more liberal, but still get's an A in ssl labs,
# so, meh, I'll use it.
# https://mozilla.github.io/server-side-tls/ssl-config-generator/


rm -f /etc/apache2/sites-enabled/000-default.conf

mkdir -p $root
dd of=/etc/apache2/sites-enabled/$h.conf <<EOF
<VirtualHost $port>
        ServerName $h
        ServerAlias www.$h
        DocumentRoot $root
EOF

if [[ $extra_settings ]]; then
    cat -- $extra_settings | tee -a /etc/apache2/sites-enabled/$h.conf
fi

if $ssl; then
    tee -a /etc/apache2/sites-enabled/$h.conf <<EOF
        SSLCertificateFile $cert_dir/$h-chained.pem
        SSLCertificateKeyFile $cert_dir/$h-domain.key
        Include /etc/letsencrypt/options-ssl-apache.conf
EOF

    dd of=/etc/apache2/sites-enabled/httpsredir.conf <<'EOF'
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/httpsredir-access.log combined

RewriteEngine on
# ian: removed so it's for all sites
#RewriteCond %{SERVER_NAME} =certbot.iank.bid
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
EOF

    mkdir -p /etc/letsencrypt

    base_file=/etc/letsencrypt/options-ssl-apache.conf
    # this is from cerbot, see below.
    dd of=$base_file <<'EOF'
# Baseline setting to Include for SSL sites

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
EOF

    upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
    if ! diff -c <(wget -q -O - $upstream) $base_file; then
        cat <<EOF
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
upstream ssl settings differ from the snapshot we have taken!!!
We diffed with this command:
diff -c <(wget -q -O - $upstream) $base_file
Update this script to take care this warning!!!!!
EOF
        sleep 1
    fi
fi
tee -a /etc/apache2/sites-enabled/$h.conf <<EOF
        ErrorLog \${APACHE_LOG_DIR}/error.log
        CustomLog \${APACHE_LOG_DIR}/access.log vhost_combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
EOF

a2enmod ssl rewrite # rewrite needed for httpredir
service apache2 restart

# I rarely look at how much traffic I get, so let's keep that info
# around for longer than the default of 2 weeks.
sed -ri --follow-symlinks 's/^(\s*rotate\s).*/\1 365/' /etc/logrotate.d/apache2