iankelling.org Git - basic-https-conf/blob - nginx-site

   1 #!/bin/bash
   2 # Copyright (C) 2016 Ian Kelling
   3
   4 # Licensed under the Apache License, Version 2.0 (the "License");
   5 # you may not use this file except in compliance with the License.
   6 # You may obtain a copy of the License at
   7
   8 #     http://www.apache.org/licenses/LICENSE-2.0
   9
  10 # Unless required by applicable law or agreed to in writing, software
  11 # distributed under the License is distributed on an "AS IS" BASIS,
  12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 # See the License for the specific language governing permissions and
  14 # limitations under the License.
  15
  16 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
  17
  18 set -eE -o pipefail
  19 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
  20
  21
  22 usage() {
  23     cat <<EOF
  24 Usage: ${0##*/} [OPTIONS] [EXTRA_SETTINGS_FILE] DOMAIN
  25 Note: this is less tested and mature than the apache site script.
  26
  27 Setup nginx config with https using
  28 ssl config provided by let's encrypt and my standard
  29 location for storing certs.
  30
  31 EXTRA_SETTINGS_FILE can be - for stdin
  32 -c CERT_DIR       In priority: this arg, $ACME_TINY_WRAPPER_CERT_DIR,
  33                   $HOME/webservercerts, if the other options aren't set.
  34 -p PORT           Port to listen on, default 443
  35 -f PORT           Enable proxy to PORT on localhost
  36 -r                DocumentRoot
  37 -h|--help         Print help and exit
  38
  39 TODO: add https redir site.
  40
  41 Note: Uses GNU getopt options parsing style
  42 EOF
  43     exit $1
  44 }
  45
  46 ##### begin command line parsing ########
  47
  48 cert_dir="$ACME_TINY_WRAPPER_CERT_DIR"
  49 if [[ ! $cert_dir ]]; then
  50     cert_dir=$HOME/webservercerts
  51 fi
  52 port=443
  53 proxy_port=
  54 extra_settings=
  55 temp=$(getopt -l help: c:f:p:r:h "$@") || usage 1
  56 eval set -- "$temp"
  57 while true; do
  58     case $1 in
  59         -c) cert_dir="$2"; shift 2 ;;
  60         -p) port="$2"; shift 2 ;;
  61         -f) proxy_port="$2"; shift 2 ;;
  62         -r) root="$2"; shift 2 ;;
  63         --) shift; break ;;
  64         -h|--help) usage ;;
  65         *) echo "$0: Internal error!" ; exit 1 ;;
  66     esac
  67 done
  68
  69 if (( ${#@} == 2 )); then
  70     read -r extra_settings h <<<"${@}"
  71 else
  72     read -r h <<<"${@}"
  73 fi
  74
  75 if [[ ! $h ]]; then
  76     echo "$0: error: expected domain arg"
  77     usage 1
  78 fi
  79
  80 if [[ ! $root ]]; then
  81     root=/var/www/$h/html
  82 fi
  83
  84
  85 ##### end command line parsing ########
  86
  87 rm -f /etc/nginx/sites-enabled/default
  88
  89 if nginx -V |& grep -- '--with-http_v2_module\b' &>/dev/null; then
  90     http2_arg=http2
  91 fi
  92
  93 echo "$0: creating /etc/nginx/sites-enabled/$h.conf"
  94 cat >/etc/nginx/sites-enabled/$h.conf <<EOF
  95 # ssecurty settings taken from
  96 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
  97 # using modern config. last checked 2017/2/20
  98 server {
  99     server_name $h www.$h;
 100     root $root;
 101     listen $port ssl $http2_arg;
 102     listen [::]:$port ssl $http2_arg;
 103
 104     # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
 105     ssl_certificate $cert_dir/$h-chained.pem;
 106     ssl_certificate_key $cert_dir/$h-domain.key;
 107     ssl_session_timeout 1d;
 108     ssl_session_cache shared:SSL:50m;
 109     ssl_session_tickets off;
 110
 111     # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 112     ssl_dhparam $cert_dir/dh2048.pem;
 113
 114     # modern configuration. tweak to your needs.
 115     ssl_protocols TLSv1.2;
 116     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 117     ssl_prefer_server_ciphers on;
 118
 119     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 120     add_header Strict-Transport-Security max-age=15768000;
 121
 122     # OCSP Stapling ---
 123     # fetch OCSP records from URL in ssl_certificate and cache them
 124     ssl_stapling on;
 125     ssl_stapling_verify on;
 126
 127     # ian: todo: something is missing here, stapling is not enabled
 128     # per ssllabs.com test. need to put root cert in chain?.
 129     # ssl labs still says we are A+.
 130     # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
 131     ## verify chain of trust of OCSP response using Root CA and Intermediate certs
 132     ssl_trusted_certificate $cert_dir/$h-chained.pem;
 133
 134     # ian: left commented out, our local dns is expected to work fine.
 135     #resolver <IP DNS resolver>;
 136 EOF
 137 if [[ $extra_settings ]]; then
 138     cat $extra_settings >>/etc/nginx/sites-enabled/$h.conf
 139 fi
 140
 141 if [[ $proxy_port ]]; then
 142     cat >>/etc/nginx/sites-enabled/$h.conf <<EOF
 143     location / {
 144         proxy_set_header Host \$host;
 145         proxy_set_header X-Real-IP \$remote_addr;
 146         proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 147         proxy_set_header X-Forwarded-Ssl on;
 148         proxy_set_header X-Forwarded-Port $port;
 149         proxy_pass http://127.0.0.1:$proxy_port;
 150     }
 151 EOF
 152 fi
 153
 154
 155 cat >>/etc/nginx/sites-enabled/$h.conf <<EOF
 156 }
 157 EOF
 158 mkdir -p /var/www/$h/html
 159 chown -R ian:ian /var/www/$h
 160 service nginx restart