small doc update

[basic-https-conf] / nginx-site

#!/bin/bash -l
# Copyright (C) 2016 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR


usage() {
    cat <<EOF
Usage: ${0##*/} [EXTRA_SETTINGS_FILE] DOMAIN
Note: this is less tested and mature than the apache site script.

Setup nginx config with https using
ssl config provided by let's encrypt and my standard
location for storing certs.

EXTRA_SETTINGS_FILE can be - for stdin
-p PORT    Proxy to PORT
-h|--help  Print help and exit

TODO: add https redir site.
EOF
    exit $1
}

##### begin command line parsing ########

proxy_port=
extra_settings=
args=()
while [[ $1 ]]; do
    case $1 in
        -p) proxy_port="$2"; shift 2 ;;
        --) shift; break ;;
        -?*|-h|--help) usage ;;
        *) args+=("$1"); shift ;;
    esac
done
args+=("$@")

if (( ${#args[@]} == 2 )); then
    read extra_settings h <<<"${args[@]}"
else
    read h <<<"${args[@]}"
fi

if [[ ! $h ]]; then
    echo "$0: error: expected domain arg"
    usage 1
fi


##### end command line parsing ########

sudo rm -f /etc/nginx/sites-enabled/default

cdir=/p/c/machine_specific/$HOSTNAME/webservercerts
sudo dd of=/etc/nginx/sites-enabled/$h.conf <<EOF
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
server {
    server_name $h www.$h;
    root /var/www/$h/html;
    listen 443 ssl;
    listen [::]:443 ssl;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate $cdir/$h-chained.pem;
    ssl_certificate_key $cdir/$h-domain.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam $cdir/dh2048.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate $cdir/$h-fullchain.pem;

    # ian: also not needed, our local resolver works fine.
    #resolver <IP DNS resolver>;
EOF
if [[ $extra_settings ]]; then
    cat $extra_settings | sudo tee -a /etc/nginx/sites-enabled/$h.conf
fi

if [[ $proxy_port ]]; then
    sudo tee -a /etc/nginx/sites-enabled/$h.conf <<EOF
    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Port 443;
        proxy_pass http://127.0.0.1:$proxy_port;
    }
EOF


sudo tee -a /etc/nginx/sites-enabled/$h.conf <<EOF
}
EOF
sudo mkdir -p /var/www/$h/html
sudo chown -R ian:ian /var/www/$h
sudo service nginx restart