2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
# Re-exec under sudo when not already root. -E keeps the caller's environment,
# which the script depends on later: $HOME and $ACME_TINY_WRAPPER_CERT_DIR are
# read to locate the cert directory, so they refer to the invoking user, not root.
if (( EUID != 0 )); then
  exec sudo -E "$BASH_SOURCE" "$@"
fi
# On any failing command, report where it was and what status it returned.
# (The ERR trap is only inherited by functions when set -E is active; whether
# it is set is not visible on this page.)
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
24 Usage: ${0##*/} [OPTIONS] [EXTRA_SETTINGS_FILE] DOMAIN
25 Note: this is less tested and mature than the apache site script.
27 Setup nginx config with https using
28 ssl config provided by let's encrypt and my standard
29 location for storing certs.
31 EXTRA_SETTINGS_FILE can be - for stdin
32 -c CERT_DIR In priority: this arg, $ACME_TINY_WRAPPER_CERT_DIR,
33 $HOME/webservercerts, if the other options aren't set.
34 -p PORT Port to listen on, default 443
35 -f PORT Enable proxy to PORT on localhost
37 -h|--help Print help and exit
39 TODO: add https redir site.
41 Note: Uses GNU getopt options parsing style
46 ##### begin command line parsing ########
# Certificate directory precedence (as the usage text describes): -c wins,
# else $ACME_TINY_WRAPPER_CERT_DIR, else $HOME/webservercerts. Because the
# script re-execs itself with `sudo -E`, both variables carry the invoking
# user's values, so the certs are expected under that user's home.
48 cert_dir
="$ACME_TINY_WRAPPER_CERT_DIR"
49 if [[ ! $cert_dir ]]; then
50 cert_dir
=$HOME/webservercerts
# GNU getopt normalises the arguments. The short spec is c:f:p:r:h (every
# flag except -h takes a value). NOTE(review): as rendered here the long spec
# is `-l help:`, which makes `--help` *require* an argument and contradicts
# the "-h|--help" line of the usage text; `-l help` is what -h implies. On a
# parse error getopt returns non-zero and `usage 1` prints help and exits.
55 temp
=$
(getopt
-l help: c
:f
:p
:r
:h
"$@") || usage
1
# Option arms of the case statement over the normalised "$temp" list (the
# eval/while/case wrapper itself is not on this page); each arm consumes the
# flag and its value.
59 -c) cert_dir
="$2"; shift 2 ;;
60 -p) port
="$2"; shift 2 ;;
61 -f) proxy_port
="$2"; shift 2 ;;
# NOTE(review): -r ROOT is parsed but not listed in the usage text; beyond the
# emptiness check below, how $root is consumed is not visible on this page.
62 -r) root
="$2"; shift 2 ;;
65 *) echo "$0: Internal error!" ; exit 1 ;;
# Positionals: [EXTRA_SETTINGS_FILE] DOMAIN.
# NOTE(review): `read ... <<<"${@}"` joins the positionals with a space and
# re-splits on IFS, so an EXTRA_SETTINGS_FILE path containing whitespace is
# mis-parsed; `extra_settings=$1; h=$2` would be exact. $h (the domain) is
# later used unvalidated both as a path component (/etc/nginx/sites-enabled,
# /var/www) and inside the generated nginx config; a hostname check here,
# e.g. [[ $h =~ ^[A-Za-z0-9.-]+$ ]], would rule out path traversal and
# directive injection through the argument.
69 if (( ${#@} == 2 )); then
70 read -r extra_settings h
<<<"${@}"
76 echo "$0: error: expected domain arg"
# Default when -r was not given (the assignment is not on this page; the
# mkdir at the end of the script creates /var/www/$h/html, presumably the
# default document root).
80 if [[ ! $root ]]; then
85 ##### end command line parsing ########
# Remove the distribution's default site (Debian-style sites-enabled layout)
# so it cannot answer for the host written below; -f tolerates its absence.
rm -f -- /etc/nginx/sites-enabled/default
# Detect whether this nginx build has the HTTP/2 module (nginx -V prints its
# configure arguments on stderr, hence |&; only grep's status is used). What
# the branch assigns is not on this page; the listen directives below expand
# $http2_arg, so presumably it sets that.
89 if nginx
-V |
& grep -- '--with-http_v2_module\b' &>/dev
/null
; then
# Write the TLS server block. $h, $port, $cert_dir and $http2_arg are expanded
# unescaped into the config (unquoted heredoc), so they must be validated or
# trusted; a domain containing ';' or '}' would alter the generated config.
# NOTE(review): the directives are Mozilla "modern" as of 2017 (TLSv1.2 only,
# ECDHE/AEAD ciphers, 6-month HSTS); newer nginx/OpenSSL also support TLSv1.3,
# so re-check against the generator when this is next touched. The author's
# own note says stapling is not active: `ssl_stapling_verify on;` only checks
# responses, the enabling directive is `ssl_stapling on;` (see the nginx doc
# link below) and it is not visible on this page. For verification the file
# given to ssl_trusted_certificate must contain the chain up to the root,
# which matches the "need to put root cert in chain?" remark.
93 echo "$0: creating /etc/nginx/sites-enabled/$h.conf"
94 cat >/etc
/nginx
/sites-enabled
/$h.conf
<<EOF
95 # ssecurty settings taken from
96 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
97 # using modern config. last checked 2017/2/20
99 server_name $h www.$h;
101 listen $port ssl $http2_arg;
102 listen [::]:$port ssl $http2_arg;
104 # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
105 ssl_certificate $cert_dir/$h-chained.pem;
106 ssl_certificate_key $cert_dir/$h-domain.key;
107 ssl_session_timeout 1d;
108 ssl_session_cache shared:SSL:50m;
109 ssl_session_tickets off;
111 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
112 ssl_dhparam $cert_dir/dh2048.pem;
114 # modern configuration. tweak to your needs.
115 ssl_protocols TLSv1.2;
116 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
117 ssl_prefer_server_ciphers on;
119 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
120 add_header Strict-Transport-Security max-age=15768000;
123 # fetch OCSP records from URL in ssl_certificate and cache them
125 ssl_stapling_verify on;
127 # ian: todo: something is missing here, stapling is not enabled
128 # per ssllabs.com test. need to put root cert in chain?.
129 # ssl labs still says we are A+.
130 # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
131 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
132 ssl_trusted_certificate $cert_dir/$h-chained.pem;
134 # ian: left commented out, our local dns is expected to work fine.
135 #resolver <IP DNS resolver>;
# Append the caller's extra settings verbatim into the server block
# (EXTRA_SETTINGS_FILE may be '-' for stdin, which cat honours).
# NOTE(review): the operand is unquoted; `cat -- "$extra_settings"` keeps a
# path with spaces or a leading '-' intact and still reads stdin for '-'.
137 if [[ $extra_settings ]]; then
138 cat $extra_settings >>/etc
/nginx
/sites-enabled
/$h.conf
# With -f, add a reverse proxy to 127.0.0.1:$proxy_port forwarding the usual
# client headers. The \$ escapes keep nginx's own variables ($host,
# $remote_addr, $proxy_add_x_forwarded_for) literal in the unquoted heredoc,
# while $port and $proxy_port are expanded by the shell.
141 if [[ $proxy_port ]]; then
142 cat >>/etc
/nginx
/sites-enabled
/$h.conf
<<EOF
144 proxy_set_header Host \$host;
145 proxy_set_header X-Real-IP \$remote_addr;
146 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
147 proxy_set_header X-Forwarded-Ssl on;
148 proxy_set_header X-Forwarded-Port $port;
149 proxy_pass http://127.0.0.1:$proxy_port;
155 cat >>/etc
/nginx
/sites-enabled
/$h.conf
<<EOF
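# Create the document root, hand it to the site owner, then bring the new
# site live.
# NOTE(review): $h is the DOMAIN argument and reaches the filesystem here (and
# the config paths above) unvalidated; a hostname check at parse time, e.g.
# [[ $h =~ ^[A-Za-z0-9.-]+$ ]], would rule out traversal or stray characters
# before chown -R runs on the result. "ian" is a hard-coded owner that will
# not exist on other hosts.
mkdir -p -- "/var/www/$h/html"
chown -R -- ian:ian "/var/www/$h"
# Parse-check the whole nginx configuration before restarting: a bad site
# file would otherwise take every other site on this server down with it.
# (A reload would suffice for a config change; restart is kept as written.)
nginx -t || exit 1
service nginx restart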