2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
# On any command that exits non-zero, report script:line, the command text and
# its status on stderr. This trap only *reports*: unless errexit is also in
# effect (the set line is not visible here — TODO confirm) the script carries
# on, so a failed write of the site file is followed by the tee -a appends and
# nginx is left with a half-written config.
trap 'printf "%s:%s:error: \"%s\" returned %s\n" "$0" "$LINENO" "$BASH_COMMAND" "$?" >&2' ERR
22 Usage: ${0##*/} [EXTRA_SETTINGS_FILE] DOMAIN
Set up an nginx https vhost for DOMAIN (and www.DOMAIN) using the TLS
settings from the Mozilla / Let's Encrypt config generator and my
standard location for storing certs (the per-machine cert dir, cdir).
EXTRA_SETTINGS_FILE can be - for stdin. Its contents are appended verbatim
inside the server block and so carry nginx's full config privileges:
only feed it trusted input.
-p PORT Also append a proxy_pass to http://127.0.0.1:PORT. The proxied
request carries X-Real-IP, X-Forwarded-For (built with
proxy_add_x_forwarded_for, which keeps client-supplied entries ahead of
the real address, so the backend must trust only the last hop),
X-Forwarded-Ssl and X-Forwarded-Port, but not X-Forwarded-Proto; a
backend that keys on that header will treat the request as plain http.
29 -h|--help Print help and exit
30 -- Subsequent arguments are never treated as options
32 Note: options and non-options can be in any order.
TODO: add the port-80 server block that redirects to https. This script
writes no plain-http listener, so until that exists the HSTS header in the
generated config only takes effect for clients that already reached the
site over https.
38 ##### begin command line parsing ########
45 -p) proxy_port
="$2"; shift 2 ;;
47 -?
*|
-h|
--help) usage
;;
48 *) args
+=("$1"); shift ;;
53 if (( ${#args[@]} == 2 )); then
54 read extra_settings h
<<<"${args[@]}"
56 read h
<<<"${args[@]}"
60 echo "$0: error: expected domain arg"
65 ##### end command line parsing ########
# Drop the distro's stock default site so it cannot answer for $h (it is
# typically the default_server) next to the vhost written below.
sudo rm -f -- /etc/nginx/sites-enabled/default
# Per-machine cert store. The config below expects $cdir/$h-chained.pem,
# $cdir/$h-domain.key and $cdir/dh2048.pem to exist here; the key is read by
# the root-run nginx master and this script never touches its permissions,
# so keep it root-owned and 0600.
cdir="/p/c/machine_specific/${HOSTNAME}/webservercerts"
70 sudo
dd of
=/etc
/nginx
/sites-enabled
/$h.conf
<<EOF
71 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
73 server_name $h www.$h;
74 root /var/www/$h/html;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate.
# The private key below is read by the root-run nginx master; nothing in the
# generating script sets permissions on the cert dir, so keep it root:0600.
79 ssl_certificate $cdir/$h-chained.pem;
80 ssl_certificate_key $cdir/$h-domain.key;
81 ssl_session_timeout 1d;
82 ssl_session_cache shared:SSL:50m;
83 ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits.
# Note: the ssl_ciphers list below is ECDHE-only, so no negotiable suite
# ever uses this file; harmless, but it only matters if DHE suites are added.
86 ssl_dhparam $cdir/dh2048.pem;
# "modern" per the 2016 generator: TLS 1.2 only, AEAD suites first but the
# CBC suites (...-SHA256 / ...-SHA384) still offered. If the nginx/OpenSSL on
# this host support it, add TLSv1.3 and consider dropping the CBC entries.
89 ssl_protocols TLSv1.2;
90 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
91 ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months).
# Caveats: no includeSubDomains, so only the exact host visited is pinned;
# nginx does not inherit add_header into a block that sets its own add_header,
# so any add_header in EXTRA_SETTINGS_FILE or a location must repeat this
# line; and it does nothing for plain-http visitors until the https redirect
# site exists.
94 add_header Strict-Transport-Security max-age=15768000;
# fetch OCSP records from URL in ssl_certificate and cache them.
# ssl_stapling_verify needs the issuer and root certs in ssl_trusted_certificate
# (commented out below); without them nginx cannot verify responses — check
# error.log. Let's Encrypt has announced it is ending OCSP support in favour
# of CRLs, so stapling may stop working for its certs; confirm before relying
# on it.
99 ssl_stapling_verify on;
101 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
102 #ssl_trusted_certificate $cdir/$h-fullchain.pem;
# ian: also not needed, our local resolver works fine.
# Review: nginx does not use the system resolver for this; per the nginx docs
# the resolver directive is what looks up the OCSP responder hostname at
# runtime, unless one is already set at http level in nginx.conf. Verify with
# "openssl s_client -status"; if stapling is silently absent, this is why.
105 #resolver <IP DNS resolver>;
107 if [[ $extra_settings ]]; then
108 cat $extra_settings | sudo
tee -a /etc
/nginx
/sites-enabled
/$h.conf
111 if [[ $proxy_port ]]; then
112 sudo
tee -a /etc
/nginx
/sites-enabled
/$h.conf
<<EOF
114 proxy_set_header Host \$host;
115 proxy_set_header X-Real-IP \$remote_addr;
116 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
117 proxy_set_header X-Forwarded-Ssl on;
118 proxy_set_header X-Forwarded-Port 443;
119 proxy_pass http://127.0.0.1:$proxy_port;
124 sudo
tee -a /etc
/nginx
/sites-enabled
/$h.conf
<<EOF
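# Create the document root the vhost above points at (root /var/www/$h/html)
# and hand the whole tree to the deploying user. `s` is a helper defined
# outside this file (presumably a sudo wrapper) — TODO confirm. The owner is
# hard-coded. Expansions are quoted and options terminated with -- so the
# domain argument can neither be word-split nor parsed as an option, and
# ${h:?} aborts rather than letting an empty domain turn the chown -R into a
# recursive chown of /var/www itself.
s mkdir -p -- "/var/www/${h:?}/html"
s chown -R -- ian:ian "/var/www/${h:?}"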