use gnu getopt for more flexible arg parsing

[basic-https-conf] / nginx-site

#!/bin/bash -l
# Copyright (C) 2016 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR


usage() {
    cat <<EOF
Usage: ${0##*/} [EXTRA_SETTINGS_FILE] DOMAIN
Setup nginx config with https using
ssl config provided by let's encrypt and my standard
location for storing certs.

EXTRA_SETTINGS_FILE can be - for stdin
-p PORT    Proxy to PORT
-h|--help  Print help and exit
--         Subsequent arguments are never treated as options

Note: options and non-options can be in any order.
TODO: add https redir site.
EOF
    exit $1
}

##### begin command line parsing ########

proxy_port=
extra_settings=
args=()
while [[ $1 ]]; do
    case $1 in
        -p) proxy_port="$2"; shift 2 ;;
        --) shift; break ;;
        -?*|-h|--help) usage ;;
        *) args+=("$1"); shift ;;
    esac
done
args+=("$@")

if (( ${#args[@]} == 2 )); then
    read extra_settings h <<<"${args[@]}"
else
    read h <<<"${args[@]}"
fi

if [[ ! $h ]]; then
    echo "$0: error: expected domain arg"
    usage 1
fi


##### end command line parsing ########

sudo rm -f /etc/nginx/sites-enabled/default

cdir=/p/c/machine_specific/$HOSTNAME/webservercerts
sudo dd of=/etc/nginx/sites-enabled/$h.conf <<EOF
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
server {
    server_name $h www.$h;
    root /var/www/$h/html;
    listen 443 ssl;
    listen [::]:443 ssl;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate $cdir/$h-chained.pem;
    ssl_certificate_key $cdir/$h-domain.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam $cdir/dh2048.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate $cdir/$h-fullchain.pem;

    # ian: also not needed, our local resolver works fine.
    #resolver <IP DNS resolver>;
EOF
if [[ $extra_settings ]]; then
    cat $extra_settings | sudo tee -a /etc/nginx/sites-enabled/$h.conf
fi

if [[ $proxy_port ]]; then
    sudo tee -a /etc/nginx/sites-enabled/$h.conf <<EOF
    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Port 443;
        proxy_pass http://127.0.0.1:$proxy_port;
    }
EOF


sudo tee -a /etc/nginx/sites-enabled/$h.conf <<EOF
}
EOF
sudo mkdir -p /var/www/$h/html
sudo chown -R ian:ian /var/www/$h
sudo service nginx restart