2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
17 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
22 Usage: ${0##*/} [EXTRA_SETTINGS_FILE] DOMAIN
23 Note: this is less tested and mature than the apache site script.
25 Setup nginx config with https using
26 ssl config provided by let's encrypt and my standard
27 location for storing certs.
29 EXTRA_SETTINGS_FILE can be - for stdin
31 -h|--help Print help and exit
33 TODO: add https redir site.
38 ##### begin command line parsing ########
45 -p) proxy_port
="$2"; shift 2 ;;
47 -?
*|
-h|
--help) usage
;;
48 *) args
+=("$1"); shift ;;
53 if (( ${#args[@]} == 2 )); then
54 read extra_settings h
<<<"${args[@]}"
56 read h
<<<"${args[@]}"
60 echo "$0: error: expected domain arg"
65 ##### end command line parsing ########
67 sudo
rm -f /etc
/nginx
/sites-enabled
/default
69 cdir
=/p
/c
/machine_specific
/$HOSTNAME/webservercerts
70 sudo
dd of
=/etc
/nginx
/sites-enabled
/$h.conf
<<EOF
71 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
73 server_name $h www.$h;
74 root /var/www/$h/html;
78 # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
79 ssl_certificate $cdir/$h-chained.pem;
80 ssl_certificate_key $cdir/$h-domain.key;
81 ssl_session_timeout 1d;
82 ssl_session_cache shared:SSL:50m;
83 ssl_session_tickets off;
85 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
86 ssl_dhparam $cdir/dh2048.pem;
88 # modern configuration. tweak to your needs.
89 ssl_protocols TLSv1.2;
90 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
91 ssl_prefer_server_ciphers on;
93 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
94 add_header Strict-Transport-Security max-age=15768000;
97 # fetch OCSP records from URL in ssl_certificate and cache them
99 ssl_stapling_verify on;
101 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
102 #ssl_trusted_certificate $cdir/$h-fullchain.pem;
104 # ian: also not needed, our local resolver works fine.
105 #resolver <IP DNS resolver>;
107 if [[ $extra_settings ]]; then
108 cat $extra_settings | sudo
tee -a /etc
/nginx
/sites-enabled
/$h.conf
111 if [[ $proxy_port ]]; then
112 sudo
tee -a /etc
/nginx
/sites-enabled
/$h.conf
<<EOF
114 proxy_set_header Host \$host;
115 proxy_set_header X-Real-IP \$remote_addr;
116 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
117 proxy_set_header X-Forwarded-Ssl on;
118 proxy_set_header X-Forwarded-Port 443;
119 proxy_pass http://127.0.0.1:$proxy_port;
124 sudo
tee -a /etc
/nginx
/sites-enabled
/$h.conf
<<EOF
127 sudo mkdir
-p /var
/www
/$h/html
128 sudo chown
-R ian
:ian
/var
/www
/$h
129 sudo service nginx restart